
THE DATA PRIVACY ACT – BAR EXAM GUIDE
Introduction
Subject to updates – last updated March 29, 2019
Recently, unofficial sources have cited that the Data Privacy
Act (RA 10173) is now part of the coverage for the 2019 Bar
Examinations as a topic for Commercial Law Review.
Source is now OFFICIAL. Data Privacy Act is now covered under
Mercantile Law for the 2019 Bar Examinations
– http://sc.judiciary.gov.ph/baradmission/2019/MERCANTILE-LAW.pdf
As a disclaimer, this guide is written from the standpoint of a privacy
professional and practitioner with experience in privacy law and
practice, not from that of a lawyer or data privacy attorney.
The coverage for the Data Privacy Act is as follows:
1. Personal vs Sensitive Personal Information
2. Scope
3. Processing of Personal Information
4. Rights of a Data Subject
Some important Data Privacy topics that we have already discussed
(linked below) under the Data Privacy Act and Privacy Law in
general, which are not covered but are important to know:
1. Constitutional and Statutory Basis for the Right to Privacy
under Philippine Law (except the Data Privacy Act)
2. The Reasonable Expectation of Privacy Test (Pollo vs
Constantino-David G.R. 181881, Oct. 18, 2011)
3. The Data Protection Officer – Roles, Responsibilities and
Rights
4. Data Controller, Data Processor and Data Subjects (Tripartite
privacy relationship)
5. Legal Basis for Processing of Personal Information
6. Cybercrime Warrants
7. Privacy Torts
8. Writ of Habeas Data
9. Mutual Legal Assistance Treaties and Letters Rogatory (for
Public International Law)

Today we’re going to discuss the coverage for the Data
Privacy Act specifically for the 2019 Bar Examinations.

Constitutional Basis
Under the most recent 1987 Philippine Constitution, the Right to
Information and Communications Privacy is recognized under
Article III, Sec. 3(1), which states:
The privacy of communication and correspondence shall be
inviolable except upon lawful order of the court, or when
public safety or order requires otherwise, as prescribed by
law.

Personal vs Sensitive Personal Information
Personal Information
Under Sec. 3(g) of the Data Privacy Act, Personal Information is
defined as the following:
Refers to any information whether recorded in a material form
or not, from which the identity of an individual is apparent or
can be reasonably and directly ascertained by the entity
holding the information, or when put together with other
information would directly and certainly identify an individual.
Basically, personal information is anything that can identify an
individual.
Examples are your name, ID number, online usernames, email
address, phone number, stage names, etc.
Sec. 3(g) applies to both paper-based and electronic records.
Personal information may also be pieces of information that, when
aggregated with other information, can reasonably identify an
individual, based on substantial evidence on which a prudent person
may reasonably believe that such information is identifiable to
a unique individual.
Context is generally important: how a piece of information is displayed
or how it appears matters. As a general rule, if such information can be
reasonably traced back to an individual, then it is personal
information.
Sample Question: Juan Dela Cruz, a Filipino citizen, filled up a
survey form. Such survey form only asked about his favorite coffee
flavors and how much he spends per week for coffee. The survey
also asked for his first name. Is the survey collecting personal
information?
Answer: No. A first name by itself cannot reasonably identify an
individual. Juan cannot be distinguished from other persons named
“Juan”. Neither can information about his favorite coffee flavors
and how much he spends on coffee, even if taken together with his
first name, be said to reasonably identify Juan.
However, if the survey asked for his full name, even if there is
more than one (1) Juan Dela Cruz in the Philippines, it is still
considered as collecting personal information.

Sensitive Personal Information


Sensitive Personal Information refers to special categories of information,
classified under Sec. 3(l) of the Data Privacy Act as follows:
Sensitive personal information refers to personal information:
(1) About an individual’s race, ethnic origin, marital status,
age, color, and religious, philosophical or political affiliations;
(2) About an individual’s health, education, genetic or sexual
life of a person, or to any proceeding for any offense
committed or alleged to have been committed by such
person, the disposal of such proceedings, or the sentence of
any court in such proceedings;
(3) Issued by government agencies peculiar to an individual
which includes, but not limited to, social security numbers,
previous or current health records, licenses or its denials,
suspension or revocation, and tax returns; and
(4) Specifically established by an executive order or an act of
Congress to be kept classified.
Sensitive personal information must be personal information. This
means that it must be able to identify an individual.
For example, health information such as a medical diagnosis or prognosis
by itself is not sensitive personal information unless there is a
Patient ID or name of the patient together with the health
information that can be used to trace it back to an individual.
BIR, SSS, GSIS, PhilHealth and other government records are also
classified as Sensitive Personal Information.
Most people are confused about how to distinguish “sensitive
personal information” from “sensitive information” or “confidential
information”.
Sensitive Personal Information (SPI) is enumerated by law, under
Sec. 3(l) of the Data Privacy Act. SPIs can be traced back to
individuals.
Sensitive Information is any information that may cause harm or
prejudice when disclosed to an individual or the general public. This
is not protected under the Data Privacy Act.
Examples are trade secrets and business-related information such
as business records which do not contain any personal
information. It can also be government information such as
classified documents and national security related information.
Confidential information is specifically provided by law under the
Rules of Court (such as doctor-patient or attorney-client privilege) or
statute (such as arbitration proceedings and awards under the
Domestic Arbitration Law). Generally, the effect of confidentiality is
that the information is inadmissible in any court, in any
proceeding.

Scope
Scope is discussed under Sec. 4 of the Data Privacy Act.
x x x Applies to the processing of all types of personal
information and to any natural and juridical person involved in
personal information processing including those personal
information controllers and processors who, although not
found or established in the Philippines, use equipment that
are located in the Philippines, or those who maintain an
office, branch or agency in the Philippines x x x
Requisites
• Must involve any processing of personal information
• By either natural or juridical persons
• Either acting as a controller or processor
• Whether or not found in the Philippines that uses equipment or maintains an office, branch or agency in the Philippines.

What are the exceptions (Sec. 4)?
• Government employee data relating to their official functions and position
• Government contractor data
• Licenses or permits and any other discretionary benefit given by the government
• Processing of information for journalistic, artistic, literary or research purposes
• Personal information processed by public authorities relating to the performance of their constitutionally and statutorily mandated functions
• Personal information processed for Anti-Money Laundering purposes
• Personal information originally collected from residents of foreign jurisdictions, even if the personal information is processed in the Philippines
• Personal information relating to media sources (Sec. 5)

Extraterritorial application (Sec. 6)
Applies to entities within and outside of the Philippines when:
• Processing of personal information about a Philippine citizen or resident
• Processing of personal information when the entity has a link with the Philippines and such personal information is about a Philippine citizen or resident.
  ◦ Examples:
    ▪ Contract entered in the Philippines
    ▪ A foreign company with central management and control in the Philippines
    ▪ A Philippine subsidiary of a foreign company where the latter has access to personal information in the Philippines.
• Entity is doing business in the Philippines
• Personal information is collected by an entity in the Philippines

Processing of Personal Information
Principles of Transparency, Legitimate Purpose and Proportionality (Sec. 11)
• Transparency
  ◦ The data subject must be aware of the nature, purpose, and extent of the processing of his or her personal data, including the risks and safeguards involved, the identity of personal information controller, his or her rights as a data subject, and how these can be exercised. Any information and communication relating to the processing of personal data should be easy to access and understand, using clear and plain language.
• Legitimate purpose
  ◦ The processing of information shall be compatible with a declared and specified purpose which must not be contrary to law, morals, or public policy.
• Proportionality
  ◦ The processing of information shall be adequate, relevant, suitable, necessary, and not excessive in relation to a declared and specified purpose. Personal data shall be processed only if the purpose of the processing could not reasonably be fulfilled by other means.

General principles in collection, processing and retention of personal information (Sec. 11)
• Collection must be for a declared, specified, and legitimate purpose.
• Personal data shall be processed fairly and lawfully.
• Processing should ensure data quality.
• Personal Data shall not be retained longer than necessary.
• Any authorized further processing shall have adequate safeguards.

Legal Basis for Processing of Personal Information (Sec. 12 and 13)
• Consent (express) – Processing of personal information with the express consent of the data subject; implied consent is not allowed. (Sec. 12(a) and 13(a))
• Contractual necessity – Processing in fulfillment of a contractual obligation (Sec. 12(b))
• Legal obligation – Processing under a legal obligation by the Personal Information Controller (Sec. 12(c) and 13(f))
• Vital interest – Processing to protect health and safety of the data subject (Sec. 12(d) and 13(c) and 13(e))
• Public interest – Processing in the event of a national emergency, public order and safety (Sec. 12(e))
• Legitimate interest – Processing under legitimate interests pursued by the Personal Information Controller (Sec. 12(f))

Full details in my separate post here
– https://privacyph.net/2018/11/22/processing-of-personal-information-data-privacy-act/
General rule – Processing of Sensitive Personal Information is
prohibited, except in the cases enumerated under Sec. 13.

Rights of a Data Subject


Who is a Data Subject (Sec. 3(c))?
Data subject refers to an individual whose personal information is
processed.

Rights of the Data Subject
• Right to be informed (Sec. 16(a) and Sec. 16(b))
  ◦ As a data subject, you have the right to be informed that your personal data will be, are being, or were collected and processed. (Sec. 16(a))
  ◦ Data subjects also have the right to be furnished information, prior to or at the next practicable opportunity, about how personal information will be stored, accessed, shared, and contained, the methods, the period, the contact details of the controller, and the existence of the rights under the Data Privacy Act. (Sec. 16(b))
• Right to Access (Sec. 16(c))
  ◦ You have a right to obtain from an organization a copy of any information relating to you that they have on their computer database and/or manual filing system. It should be provided in an easy-to-access format, accompanied with a full explanation executed in plain language.
• Right to Rectify (Sec. 16(d))
  ◦ You have the right to dispute and have corrected any inaccuracy or error in the data a personal information controller (PIC) holds about you.
• Right to Erasure/Blocking (Sec. 16(e))
  ◦ The right to suspend, withdraw or order the blocking, removal or destruction of his or her personal information from the personal information controller’s filing system upon discovery and substantial proof that the personal information is incomplete, outdated, false, unlawfully obtained, used for unauthorized purposes or no longer necessary for the purposes for which it was collected.
• Right to Object (Sec. 16(e))
  ◦ You can exercise your right to withdraw or object if the personal data processing involved is based on consent or on legitimate interest.
• Right to Damages (Sec. 16(f))
  ◦ You may claim compensation if you suffered damages due to inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of personal data, considering any violation of your rights and freedoms as data subject.
• Transmissibility Rights (Sec. 17)
  ◦ The lawful heirs and assigns of the data subject may invoke the rights of the data subject upon death or incapacity.
• Right to File Complaints (Sec. 7(b))
  ◦ The right to file a complaint with the National Privacy Commission
• Right to Data Portability (Sec. 18)
  ◦ Data portability allows you to obtain and electronically move, copy or transfer your data in a secure manner, for further use.

– Ariel Conrad

References:
• Republic Act 10173 – Data Privacy Act
• Implementing Rules and Regulations of RA 10173 – Data Privacy Act
