Data Privacy Act of 2012


DATA PRIVACY ACT OF 2012

RA NO. 10173
BASIS:
1987 Constitution
1. The privacy of communication and correspondence shall be inviolable (Bill of
Rights)
2. Declaration of Principles and State Policies (Sec. 24, Art. II)

Declaration of State Policy


- It is the policy of the State to protect the fundamental human right of privacy, of
communication while ensuring free flow of information to promote innovation and
growth.

2-Fold Purpose of the Act


a. Protect the right of privacy and the right of communication; and
b. Ensure the free flow of information to promote innovation and growth.

What are covered?


a. Personal Information
- refers to any info., whether recorded in a material form or not, from w/c the identity
of an individual is apparent or can be reasonably and directly ascertained by the
entity holding the info., or when put together w/ other info. would directly and
certainly identify an individual. (Sec. 3(g), DPA)
b. Personal Information
- refers to any info., whether recorded in a material form or not, from w/c the identity
of an individual is apparent or can be reasonably and directly ascertained by the
entity holding the info., or when put together w/ other info. would directly and
certainly identify an individual. (Sec. 3(g), DPA)

Who are covered?


- those who process personal data or are involved in personal info. processing,
whether natural or juridical persons in both the gov't and priv. sectors, are covered
by the DPA.
- Personal Info. Controller: a person or org. who controls the collection, holding,
processing or use of personal info., including a person or org. who instructs another
person or org. to collect, hold, process, use, transfer or disclose personal info. on his
or her behalf;
and EXCLUDES:
a. a person or org. who performs such functions as instructed by another person or
org.; and
b. an individual who collects, holds, processes or uses personal info. in connection
with the individual's personal, family or household affairs. [Sec. 3(h)]
Personal Info. Processor
- a natural or juridical person qualified to act as such under the Act to whom a
personal info. controller may outsource the processing of personal data pertaining to
a data subject. [Sec. 3(i)]

EXCLUSIONS / SPECIAL CASES:


- only to the minimum extent of collection, access, use, disclosure or other processing
necessary to the purpose, function, or activity concerned.
1. Info. that falls w/in matters of PUB. CONCERN, pertaining to:
a. Info. about a govt. officer/Ee that relates to his/her position or functions.
b. Info. about an individual who is or was performing a SERVICE under contract for
a govt. institution.
c. Personal info. for RESEARCH purpose, intended for a public benefit.
d. etcetera

RULE:
A. The processing of PERSONAL INFO. is permitted if not otherwise prohibited by law
and subject to compliance w/ specific condition/s. (Sec. 12, DPA)
B. The processing of SENSITIVE PERSONAL INFO. and PRIVILEGED INFO. is prohibited,
except in the cases specified in the DPA. (Sec. 13, DPA)

PERSONAL INFO.
a. It is any info. from w/c the IDENTITY of an individual is –
- apparent or
- can be reasonably and directly ascertained by the one holding the info.; or
- when put together w/ other info. would directly and certainly identify an individual;
b. The info. may or may not be recorded in a material form.

SENSITIVE PERSONAL INFORMATION


- Race, ethnic origin, marital status, age, and religious, political affiliations;
- Health, education, sexual life
PRIVILEGED INFO.
- any and all forms of data w/c under the Rules of Court and other pertinent laws
constitute privileged communication.
- Communications between husband and wife during the marriage.

PROCESSING
- is defined as any operation or set of operations performed upon personal info., w/c
includes the following:
a. Collection
b. Recording
c. storage
d. Consultation
e. use
f. erasure or destruction of data
g. etcetera (Sec. 3[j])
GENERAL PRINCIPLES:
a. Transparency
- the data subject must be AWARE of the 1) nature, purpose, and extent of the
processing of his/her personal info., 2) the risks and safeguards involved, 3) the
identity of the personal info. controller, 4) his/her rights, and 5) how the rights may
be exercised.
b. Legitimate Purpose
- compatible w/ a declared and specified purpose
c. Proportionality
- should be adequate, relevant, suitable, necessary, and not excessive in relation to the
declared purpose.

DATA SHARING
- refers to further processing of personal data collected from a party other than the
data subject.

When allowed:
a. Authorized by law
b. in the private sector, if the data subject consents to data sharing
c. for the purpose of research
d. between govt. agencies for the purpose of a public function or provision of a
public service.

DATA BREACH:
- the personal info. controller shall notify the NPC and the data subjects w/in 72 hours
from knowledge thereof.
- Data breach notification shall likewise be made when there is reasonable belief by
the personal info. controller or processor that a personal data breach requiring
notification has occurred. (Sec. 38, IRR)

RIGHTS OF DATA SUBJECT:

1. To be INFORMED that his/her personal info shall be, are being or have been processed;
2. To be FURNISHED the info. before the entry of his/her info. into the processing system
3. To reasonable ACCESS to the contents, sources, names, manner, reasons etcetera, upon
demand
4. To DISPUTE the inaccuracy or error in the personal info and have the personal info
controller CORRECT it immediately;
5. To order REMOVAL in case the info is incomplete, outdated, or false;
6. To be INDEMNIFIED for damages sustained due to inaccurate, outdated, unlawfully
obtained use of personal info.

WHEN RIGHTS NOT APPLICABLE:


1. The processed info. are used only for the needs of scientific and statistical research,
where no activities are carried out and no decisions are taken regarding the data
subject.
2. The processing of personal info. is for the purpose of investigations in relation to
criminal, administrative, or tax liabilities of a data subject. (Sec. 19, DPA)

FUNCTIONS OF NPC:
- The DPA created the NPC to administer and implement the provisions of the Act, and to
monitor and ensure compliance of the country w/ international standards set for data
protection. (Sec. 7, DPA)
- The NPC is an independent body attached to the Department of Information and
Communications Technology (DICT). [Sec. 9, DPA]
