Republic Act 10173 or The Data Privacy Act of 2012 was approved into law last August 15, 2012.
Attempts to define data privacy started with the E-Commerce Law under Section 32 that states:
SEC. 32. Obligation of Confidentiality. – Except for the purposes authorized under this Act, any person who obtained access to any electronic key, electronic data message, or electronic document, book, register, correspondence, information, or other material pursuant to any powers conferred under this Act, shall not convey to or share the same with any other person.
In 2005-2006, the Department of Trade and Industry crafted a Department Administrative Order #8 that prescribes guidelines for the protection of personal data in information and communication system in the private sector to resolve concerns of the outsourcing sector in assuring overseas clients that we have measures in place to protect data being processed in the Philippines.
It aimed in approving data privacy auditors and seal issuers. The intent then was to make DAO #8 a future mandatory requirement for any business doing e-commerce and any company who wants to do online promotions. That is also the reason why I welcome the passage of Republic Act 10173 or the Data Privacy Act.
Here are its salient features:
1. The law has 3 personas covered. They are:
- Data subject – an individual whose personal information is being processed.
- Personal information controller – a person or organization who controls the collection, holding, processing or use of personal information, including a person or organization who instructs another person or organization to collect, hold, process, use, transfer or disclose personal information on his or her behalf.
- Personal information processor – any natural or juridical person qualified to act as such under this Act to whom a personal information controller may outsource the processing of personal data pertaining to a data subject.
2. It applies to processing of personal information (section 3g) and sensitive personal information (Section 3L).
3. Created the National Privacy Commission to monitor the implementation of this law. (section 7)
4. Gave parameters on when and on what premise can data processing of personal information be allowed. Its basic premise is when a data subject has given direct consent. (section 12 and 13)
5. Companies who subcontract processing of personal information to 3rd party shall have full liability and can’t pass the accountability of such responsibility. (section 14)
6. Data subject has the right to know if their personal information is being processed. The person can demand information such as the source of info, how their personal information is being used, and copy of their information. One has the right to request removal and destruction of one’s personal data unless there is a legal obligation that required for it to be kept or processed. (Section 16 and 18)
7. If the data subject has already passed away or became incapacitated (for one reason or another), their legal assignee or lawful heirs may invoke their data subject’s data privacy rights. (Section 17)
8. Personal information controllers must ensure security measures are in place to protect the personal information they process and be compliant with the requirements of this law. (Section 20 and 21)
9. In case a personal information controller systems or data got compromised, they must notify the affected data subjects and the National Privacy Commission. (Section 20)
10. Heads of government agencies must ensure their system compliance to this law (including security requirements). Personnel can only access sensitive personal information off-site, limited to 1000 records, in government systems with proper authority and in a secured manner. (Section 22)
11. Government contractors who have existing or future deals with the government that involves accessing of 1000 or individuals should register their personal information processing system with the National Privacy Commission. (Section 25)
12. Provided penalties (up to 5 million as per sec. 33) on the processing of personal information and sensitive personal information based on the following acts:
- Unauthorized processing (sec. 25)
- Negligence (sec. 26)
- Improper disposal (sec. 27)
- Unauthorized purposes (sec. 28)
- Unauthorized access or intentional breach (sec. 29)
- Concealment of security breaches (sec. 30)
- Malicious (sec. 31) and unauthorized disclosure (sec. 32)
If at least 100 persons are harmed, the maximum penalty shall apply (section 35).
13. For public officers (working in government), an accessory penalty consisting in the disqualification to occupy public office for a term double the term of criminal penalty imposed shall he applied. (sec. 36)