
THE DATA PRIVACY ACT OF 2012
(R.A. 10173)
ATTY. KARL JOHN A. BAQUIRAN

Which is more VALUABLE? DATA or MONEY?

https://news.mb.com.ph/2016/11/20/big-data-defeats-dengue/
http://www.gmanetwork.com/news/scitech/technology/657644/couple-arrested-for-allegedly-hacking-a-travel-agency-s-fb/story/
http://entertainment.inquirer.net/279469/jeopardy-winner-get-prison-sneaking-emails
Diverted Payroll Payments of Faculty & Staff
http://www.gmanetwork.com/news/news/regions/89630/cebu-hospital-apologizes-for-surgery-spectacle/story/
https://www.forbes.com/sites/stevemorgan/2016/05/13/list-of-the-5-most-cyber-attacked-industries/#1c66467a715e
http://www.darkreading.com/threat-intelligence/healthcare-suffers-estimated-$62-billion-in-data-breaches/d/d-id/1325482

From: presentation of DPC Ivy D. Patdu, NPC

• Voter Precinct-Finder (75,302,683 records)
• Overseas Voters (1,376,067 records)
• Firearms Ban (896,992 personal data and 20,485 records of firearms)
• COMELEC Personnel (1,267 records)

Uber Breach: 171,000 Filipinos Affected

BDO Fraudulent Transactions
WHAT IS PRIVACY?
• the right of an individual to be let alone.
• “the most comprehensive of rights and the right most valued by civilized men”
  - Brandeis J, dissenting opinion in Olmstead v. United States, 277 U.S. 438 (1928)

Two main forms:
• Physical privacy
• Informational privacy

PHYSICAL PRIVACY
• ability to maintain own physical space or solitude.

INFORMATIONAL PRIVACY
• The ability of a person to:
  – control
  – manage
  – delete information
  – decide how and to what extent such information is communicated to others.
WHAT IS THE SCOPE OF THE LAW?
• processing of all types of personal data
• natural and juridical person involved in personal information
• privileged communication

NATIONAL PRIVACY COMMISSION
• 3 Commissioners
• 4 Offices
• 11 Divisions
KEY DEFINITIONS

PERSONAL INFORMATION
• Identity of an individual is apparent; or
• Can be reasonably and directly ascertained by the entity holding the information; or
• When put together with other information to reasonably and directly identify an individual.

“when put together with other information”
ARE THESE PERSONAL INFORMATION?
  Annie Cruz
  #4 Pili St., Makati
  06/22/1956
SENSITIVE PERSONAL INFORMATION
• race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;
• health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings;
• Issued by government agencies peculiar to an individual;
• Specifically established by an executive order or an act of Congress to be kept classified.

PRIVILEGED INFORMATION
• Any and all forms of data which under the Rules of Court and other pertinent laws constitute privileged communication.
CRITERIA FOR LAWFUL PROCESSING

Personal Information (permitted only if not otherwise prohibited by law):
• Consent
• Necessary and is related to the fulfillment of a contract
• For compliance with a legal obligation
• Processing is necessary to protect vitally important interests of the data subject, including life and health
• National emergency, public order and safety and functions of public authority
• Legitimate interests

Sensitive Personal Information (prohibited, except):
• Consent
• Provided for by existing laws and regulations
• For compliance with a legal obligation
• Necessary to protect the life and health of the data subject, and the data subject is not legally or physically able to express his or her consent
• Necessary to achieve the lawful and noncommercial objectives
• Necessary for purposes of medical treatment provided adequate level of protection of personal information is ensured
• For the protection of lawful rights and interests

PROCESSING
• any operation or any set of operations performed upon personal information

PERSONAL INFORMATION CONTROLLER (PIC)
• person or organization who controls the processing of personal data
• also includes those who instruct another to process personal data on his or her behalf.

PERSONAL INFORMATION PROCESSOR (PIP)
• Any natural or juridical person to whom a PIC may outsource the processing of personal data

DATA SUBJECT
• An individual whose personal information is processed.

CONSENT
Must be EXPRESS:
• Freely given
• Informed
• Specific
SPECIAL CASES
(a) Employees of the government;
(b) For those performing service under contract for a government institution;
(c) For those relating to any discretionary benefit of a financial nature;
(d) For journalistic, artistic, literary or research purposes;
(e) To carry out the functions of public authority;
(f) Necessary for banks and other financial institutions;
(g) Information originally collected from residents of foreign jurisdictions.

RIGHTS OF THE DATA SUBJECT
RIGHT TO:
• Information
• Object
• Access
• Rectify
• Erase
• Damages
• Data Portability
• File A Complaint


DATA PRIVACY PRINCIPLES

TRANSPARENCY
• nature, purpose, and extent of the processing
• risks and safeguards involved, the identity of PIC, rights as a data subject, and how these can be exercised.

LEGITIMATE PURPOSE
The processing of information shall be compatible with a declared and specified purpose.

PROPORTIONALITY
• adequate, relevant, suitable & necessary
• not excessive in relation to a declared and specified purpose.
Are you over-collecting?
DATA SHARING
• disclosure or transfer to a third party of personal data

DATA SHARING AGREEMENT (DSA)
• CONTRACT, JOINT ISSUANCE or any similar document that contains the terms and conditions of a data sharing arrangement
• Only applies to PERSONAL INFORMATION CONTROLLERS (PIC)

CONTENTS OF A DSA
• Purpose
• Identity of PICs
• Term or duration
• Overview of the Operational Details
• Description of security measures
• How data subject may access the DSA
• PIC responsible for addressing information request
• Identify the method to secure RETURN, DESTRUCTION or DISPOSAL
• Other terms and conditions
OBLIGATIONS OF PICS & PIPS
OBLIGATIONS TO BE COMPLIED

ADVISORIES
ADVISORY 2017-01: Designation of Data Protection Officers
ADVISORY 2017-02: Access to Personal Data Sheets of Government Personnel
ADVISORY 2017-03: Privacy Impact Assessment

CIRCULARS
CIRCULAR 17-01: Registration of Data Processing Systems & Notifications Regarding Automated Decision-Making
CIRCULAR 16-01: Security of Personal Data in Government Agencies
CIRCULAR 16-02: Data Sharing Agreements Involving Government Agencies
CIRCULAR 16-03: Personal Data Breach Management
CIRCULAR 16-04: Rules of Procedure of the Commission

Recent Advisories
ADVISORY 2018-01: Guidelines on Security Incident and Personal Data Breach
ADVISORY 2018-02: Updated Templates on Security Incident and Personal Data Breach Reportorial Requirements
FINES & PENALTIES

CIVIL, ADMINISTRATIVE & CRIMINAL LIABILITIES
• Cease and Desist Order
• Compliance and Enforcement Order
• Temporary or Permanent Ban on the Processing of Personal Data
• Payment of Fines and/or Damages
• Perpetual or Temporary Absolute Disqualification for Public Officials
• Deportation for Aliens
• Imprisonment

Punishable Acts
THE FIVE PILLARS OF COMPLIANCE

Commit to Comply: Appoint a Data Protection Officer (DPO)

DATA PROTECTION OFFICER (DPO)
• an individual designated by the head of agency or organization to be accountable for its compliance

Know Your Risk: Conduct a Privacy Impact Assessment (PIA)

PRIVACY IMPACT ASSESSMENT
• process undertaken to evaluate and manage the impact of a program, process and/or measure on data privacy.

• Personal Data and Processing Systems Inventory
• Threshold Analysis
• Risk Identification
• Risk Management
• PIA Report


Be Accountable: Create your Privacy Management Program and Privacy Manual
• process intended to embed privacy and data protection in the strategic framework and daily operations of a PIC or PIP

DATA PRIVACY AND ACCOUNTABILITY FRAMEWORK
• GOVERNANCE
• RISK ASSESSMENT
• DATA SECURITY
• ORGANIZATION
• DAY TO DAY
• PRIVACY ECOSYSTEM
• CONTINUITY
• MANAGE HR
• THIRD PARTY
• BREACHES
Demonstrate Your Compliance: Implement your Privacy & Data Protection (PDP) measures.

PDP MEASURES
• Physical
• Organizational
• Technical

Physical Measures
1. CCTV
2. Security Guard
3. Building Access Controls / Biometrics
4. Proper Office Desk Arrangement
5. Locked Storage Room
6. Locked Filing Cabinets
7. Enclosed Receiving/Processing Rooms
8. Kensington Locks
9. Screen Filters
10. Secure Disposal

Organizational Measures
1. DPO
2. Training
3. PIA
4. Security Clearance
5. Updated Policies
6. Certifications
7. Updated Consent Forms
8. Privacy Notices
9. Managed Third Parties
10. BYOD / Mobile Phone Policies

Technical Measures
1. Firewall / Anti-Virus / Spam Filters
2. Encryption
3. Strong Passwords / Computer Lock Policy
4. Backups
5. Access Controls
6. Password Protected Printer/Copier
7. Cloud Storage
8. Updated Software / System Maintenance
9. VPN
10. Tests (Penetration)
Be Prepared for Breach: Regularly exercise your Breach Reporting Procedures (BRP)

BREACH MANAGEMENT
• Security Incident Management Policy
• Breach Response Team
• Mandatory Notification
• Breach Drills
• Annual Report

Finally: REGISTER with the NPC
WHO IS REQUIRED?
• employs at least two hundred fifty (250) employees
• sensitive personal information of at least one thousand (1,000) individuals
• pose a risk to the rights and freedoms of data subjects
• the processing is not occasional

WHO ELSE ARE REQUIRED?
1. Government branches, bodies or entities, including national government agencies, bureaus or offices, constitutional commissions, local government units, and government-owned and controlled corporations (GOCCs);
2. Banks and non-bank financial institutions, including pawnshops, non-stock savings and loan associations (NSSLAS);
3. Telecommunications networks, internet service providers and other entities or organizations providing similar services;
4. Business process outsourcing companies;
5. Universities, colleges and other institutions of higher learning, all other schools and training institutions;
6. Hospitals including primary care facilities, multi-specialty clinics, custodial care facilities, diagnostic or therapeutic facilities, specialized out-patient facilities and other organizations processing genetic data;
7. Providers of insurance undertakings, including life and non-life companies, pre-need companies and insurance brokers;
8. Business involved mainly in direct marketing, networking, and companies providing reward cards and loyalty programs;
9. Pharmaceutical companies engaged in research; and
10. Personal information processors (PIPs) processing personal data for a personal information controller (PIC) included in the preceding items, and data processing systems involving automated decision-making.

REGISTRATION REQUIREMENTS
A. name and contact details
B. purpose or mandate
C. brief description of DPS (data processing system):
   a. Name
   b. Purpose
   c. Processing as a PIC, PIP, or both;
   d. Outsourced or subcontracted;
   e. Description of data subjects, and their personal data;
   f. Recipients to whom the personal data might be disclosed; and
   g. Cross border data transfer;
D. automated decision-making operation.
When should you comply?
• Yesterday. Obligations in the DPA and the IRR.
• June 30, 2018. Annual Breach Report
• July 2, 2018. Registration of Covered Professionals

IN CONCLUSION…
• Privacy is a higher valued right
• Compliance a competitive advantage.
• Compliance to the DPA is not a one-shot initiative but a process.

ANY QUESTIONS?

karl.baquiran@protonmail.com
+639175205275
