What is the Data Privacy Act of 2012?

The National Privacy Commission (NPC), created by the Philippines’ Data Privacy Act of 2012 (Republic Act 10173), sets out a set of requirements designed to protect personal information in both government and private-sector organizations. The regulation establishes a data privacy accountability and compliance framework that covers governance, data security, training, third-party relationships and breach notification. September 9, 2017 was the deadline set under the Implementing Rules and Regulations (IRR) by which organizations were to register their data processing systems with the NPC. The deadline for the next implementation phase, by which organizations must show progress toward compliance, is March 8, 2018.

What does the Data Privacy Act of 2012 mean?


The Data Privacy Act of 2012 requires organizations to appoint a Data Protection Officer (DPO), make their data processing transparent to their customers, and maintain the confidentiality, integrity and availability of the personal data they hold. A ‘security incident’, as the law defines it, does not by itself trigger notification. A personal data breach, however, must be reported to the NPC and to the affected data subjects when all of the following conditions are met:

1. The breached information is sensitive personal information, or information that could be used for identity fraud, and
2. There is a reasonable belief that unauthorized acquisition has occurred, and
3. The risk to the data subject is real, and
4. The potential harm is serious.

How to prepare your organization for the Data Privacy Act of 2012

Addressing these four conditions means that, even if a breach does occur, an organization can limit its notification obligations. The surest way to do so is to ensure that a breach of customer information does not create a real risk to the data subject: exposed data that is encrypted, with its keys held securely elsewhere, gives an attacker nothing usable. Security controls such as data encryption and centralized key management protect customer data both from external attackers who get past perimeter security and from internal users who abuse their privileged access.

How to apply robust data encryption and key management to protect your data

To address the Privacy Act’s compliance requirements, organizations may need to employ one or more encryption methods, in their on-premises or cloud environments, to protect the following:

- Servers, through file encryption, application-level encryption, column-level database encryption, and full-disk encryption of virtual machines.
- Storage, through encryption of network-attached storage (NAS) and storage area networks (SAN).
- Media, through disk encryption.
- Networks, for example through high-speed network encryption.

Encryption is only as strong as the protection of its keys. With sound key management, keys are generated, stored and used separately from the data they protect, so that in the event of a breach the encrypted data remains unreadable because the keys were never exposed.
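To make the key management point concrete, here is an added example, not from the original page and not Gemalto’s code, of column-level envelope encryption in Go using only the standard library: each record value is encrypted under its own data encryption key (DEK), and the DEK is wrapped under a key encryption key (KEK) that is held separately, in practice in an HSM or key management service. The table/column/row context string (`customers.national_id:row-42`), the sample value and the in-memory KEK are constructed for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// EncryptedField is what the database column holds: the AES-256-GCM ciphertext
// of the value plus the per-record data encryption key (DEK) wrapped under a
// key encryption key (KEK). The KEK is never stored with the data.
type EncryptedField struct {
	Nonce      []byte // GCM nonce for the value
	Ciphertext []byte // AES-GCM output, tag included
	DEKNonce   []byte // GCM nonce used when wrapping the DEK
	WrappedDEK []byte // DEK encrypted under the KEK
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts under a 32-byte key with a fresh random nonce. aad binds the
// ciphertext to its storage location (table.column:row), so a value copied to
// another row fails to decrypt instead of silently reading as that row's data.
func seal(key, plaintext, aad []byte) (nonce, ct []byte, err error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, gcm.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, gcm.Seal(nil, nonce, plaintext, aad), nil
}

// open reverses seal; a wrong key, wrong aad or any tampered byte is an error.
func open(key, nonce, ct, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, ct, aad)
}

// EncryptField: a fresh random DEK encrypts the value, then the KEK wraps the DEK.
func EncryptField(kek, plaintext, context []byte) (EncryptedField, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return EncryptedField{}, err
	}
	nonce, ct, err := seal(dek, plaintext, context)
	if err != nil {
		return EncryptedField{}, err
	}
	dekNonce, wrapped, err := seal(kek, dek, context)
	if err != nil {
		return EncryptedField{}, err
	}
	return EncryptedField{nonce, ct, dekNonce, wrapped}, nil
}

// DecryptField unwraps the DEK with the KEK, then decrypts the value.
func DecryptField(kek []byte, f EncryptedField, context []byte) ([]byte, error) {
	dek, err := open(kek, f.DEKNonce, f.WrappedDEK, context)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap data key (wrong or missing KEK): %w", err)
	}
	return open(dek, f.Nonce, f.Ciphertext, context)
}

// RewrapField rotates to a new KEK by re-wrapping only the DEK; the bulk
// ciphertext is untouched, so rotation needs no re-encryption of rows.
func RewrapField(oldKEK, newKEK []byte, f EncryptedField, context []byte) (EncryptedField, error) {
	dek, err := open(oldKEK, f.DEKNonce, f.WrappedDEK, context)
	if err != nil {
		return EncryptedField{}, err
	}
	if f.DEKNonce, f.WrappedDEK, err = seal(newKEK, dek, context); err != nil {
		return EncryptedField{}, err
	}
	return f, nil
}

func main() {
	kek := make([]byte, 32) // constructed; in production from an HSM/KMS, never on the DB host
	rand.Read(kek)
	ctx := []byte("customers.national_id:row-42")
	field, _ := EncryptField(kek, []byte("12-3456789-0"), ctx)
	_, err := DecryptField(make([]byte, 32), field, ctx) // a stolen dump has field, not kek
	fmt.Println("without KEK:", err)
	pt, _ := DecryptField(kek, field, ctx)
	fmt.Printf("with KEK: %s\n", pt)
}
```

A stolen dump of the table carries the wrapped DEKs but not the KEK, so the attacker holds ciphertext only, which is the outcome the notification criteria turn on: no real risk to the data subject. Rotating the KEK re-wraps only the 32-byte DEK of each record; a production store would also record which KEK version wrapped each DEK, and destroying every copy of a retired KEK renders the rows it protected permanently unreadable, which is how crypto-shredding disposes of encrypted records.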

Organizations will also need a way to verify the legitimacy of user identities and digital
transactions, and to prove compliance. It is critical that the security controls in place be
demonstrable and auditable.

Gemalto offers the only complete data protection portfolio that works together to provide
persistent protection and management of sensitive data, which can be mapped to the Privacy
Act’s framework.

In 2012, the Congress of the Philippines passed Republic Act No. 10173, also known as the Data Privacy Act (DPA) of 2012. Four years later, on September 9, 2016, the DPA’s Implementing Rules and Regulations took effect, making compliance mandatory for all covered companies.

The act is a necessary and important precaution in a world economy that’s swiftly going digital.
In 2014, it was estimated that 2.5 quintillion — or 2.5 billion billion — bytes of data were
created every day. This includes unprecedented knowledge about what real individuals are doing,
watching, thinking, and feeling.

Companies must be held accountable not only for what they do with customer data — but how
they protect that data from third parties. The past few years of security breaches, system errors,
and ethical scandals within some of the country’s major banks have reminded us that there is
much work to be done.

So, where to begin for institutions that want to comply with RA 10173 and be proactive about
their consumers’ digital privacy?

What is RA 10173?
RA 10173, or the Data Privacy Act, protects individuals from unauthorized processing of
personal information that is (1) private, not publicly available; and (2) identifiable, where the
identity of the individual is apparent either through direct attribution or when put together with
other available information.

What does this entail?


First, all personal information must be collected for reasons that are specified, legitimate, and
reasonable. In other words, customers must opt in for their data to be used for specific reasons
that are transparent and legal.

Second, personal information must be handled properly. Information must be kept accurate and relevant, used only for the stated purposes, and retained only for as long as reasonably needed. Companies must actively ensure that unauthorized parties do not gain access to their customers’ information.

Third, personal information must be discarded in a way that does not make it visible and
accessible to unauthorized third parties.

Unauthorized processing, negligent handling, or improper disposal of personal information is punishable by imprisonment of up to six (6) years and a fine of up to five million pesos (PHP 5,000,000), depending on the nature and degree of the violation.

Who needs to register?

Organizations with at least 250 employees, or that process the sensitive personal information of at least 1,000 individuals, are required to register their data processing systems with the National Privacy Commission. All organizations that process personal information must comply with the Data Privacy Act of 2012; registration is an additional obligation for those above these thresholds. Some of these companies are already on their way to compliance, but many more are unaware that they are even affected by the law.

How do I remain in compliance with the Data Privacy Act?

The National Privacy Commission, which was created to enforce RA 10173, assesses whether a company is compliant on the basis of five elements:

1. Appointing a Data Protection Officer
2. Conducting a privacy impact assessment
3. Creating a privacy knowledge management program
4. Implementing a privacy and data protection policy
5. Exercising a breach reporting procedure

To learn more, read the full text of the Data Privacy Act of 2012 and its Implementing Rules and Regulations.

Salient features of the Data Privacy Act of 2012 – Republic Act 10173
By Janette Toral

Republic Act 10173, or the Data Privacy Act of 2012, was signed into law on August 15, 2012. Here are its salient features:
1. It applies to the processing of personal information (Section 3(g)) and sensitive personal information (Section 3(l)).

2. Created the National Privacy Commission to monitor the implementation of this law. (section
7)

3. Gave parameters on when and on what premise can data processing of personal information be
allowed. Its basic premise is when a data subject has given direct consent. (section 12 and 13)

4. Personal information controllers that subcontract the processing of personal information to a third party remain fully liable and cannot pass that accountability on to the subcontractor. (Section 14)

5. Data subjects have the right to know whether their personal information is being processed. They can demand information such as the source of the data, how it is being used, and a copy of it. They also have the right to request the removal and destruction of their personal data unless a legal obligation requires that it be kept or processed. (Sections 16 and 18)

6. If the data subject has already passed away or became incapacitated (for one reason or
another), their legal assignee or lawful heirs may invoke their data privacy rights. (Section 17)

7. Personal information controllers must ensure security measures are in place to protect the
personal information they process and be compliant with the requirements of this law. (Section
20 and 21)

8. If a personal information controller’s systems or data are compromised, it must notify the affected data subjects and the National Privacy Commission. (Section 20)

9. Heads of government agencies must ensure that their systems comply with this law, including its security requirements. Personnel may access sensitive personal information in government systems off-site only with proper authority, in a secured manner, and limited to 1,000 records at a time. (Section 22)

10. Government contractors who have existing or future deals with the government that involves
accessing of 1000 or more records of individuals should register their personal information
processing system with the National Privacy Commission. (Section 25)

11. Provided penalties (up to 5 million as per sec. 33) on the processing of personal information
and sensitive personal information based on the following acts:
– Unauthorized processing (sec. 25)
– Negligence (sec. 26)
– Improper disposal (sec. 27)
– Unauthorized purposes (sec. 28)
– Unauthorized access or intentional breach (sec. 29)
– Concealment of security breaches (sec. 30)
– Malicious (sec. 31) and unauthorized disclosure (sec. 32)
If at least 100 persons are harmed, the maximum penalty shall apply (section 35).

12. For public officers (those working in government), an accessory penalty of disqualification from holding public office for a term double that of the criminal penalty imposed shall be applied. (Section 36)

The Philippines has a growing and important business process management and health
information technology industry. Total IT spending reached $4.4 billion in 2016, and the sector
is expected to more than double by 2020. Filipinos are heavy social media users, 42.1 million are
on Facebook, 13 million on Twitter, and 3.5 million are LinkedIn users. The country is also in
the process of enabling free public Wi-Fi. In the context of the rapid growth of the digital
economy and increasing international trade of data, the Philippines has strengthened its privacy
and security protections.

In 2012 the Philippines passed the Data Privacy Act 2012, comprehensive and strict privacy
legislation “to protect the fundamental human right of privacy, of communication while ensuring
free flow of information to promote innovation and growth.” (Republic Act No. 10173, Ch. 1,
Sec. 2). This comprehensive privacy law also established a National Privacy Commission that
enforces and oversees it and is endowed with rulemaking power. On September 9, 2016, the final
implementing rules and regulations came into force, adding specificity to the Privacy Act.

Scope and Application

The Data Privacy Act applies broadly to individuals and legal entities that process personal information, with some exceptions. The law has extraterritorial reach: it applies not only to businesses with offices in the Philippines but also where equipment based in the Philippines is used for processing, and to the processing of the personal information of Philippine citizens regardless of where they reside.

One exception in the act provides that the law does not apply to the processing of personal
information in the Philippines that was lawfully collected from residents of foreign jurisdictions
— an exception helpful for Philippines companies that offer cloud services.

Approach

The Philippines law takes the approach that “The processing of personal data shall be allowed
subject to adherence to the principles of transparency, legitimate purpose, and proportionality.”

Collection, processing, and consent

The act states that the collection of personal data “must be a declared, specified, and legitimate purpose” and further provides that consent is required prior to the collection of all personal data. When obtaining consent, the data subject must be informed about the extent and purpose of processing; the law specifically mentions the “automated processing of his or her personal data for profiling, or processing for direct marketing, and data sharing.” Consent is also required for sharing information with affiliates or even parent companies.
Consent must be “freely given, specific, informed,” and the definition further requires that consent to collection and processing be evidenced by recorded means. However, processing does not always require consent.

Consent is not required for processing where the data subject is party to a contractual agreement,
for purposes of fulfilling that contract. The exceptions of compliance with a legal obligation
upon the data controller, protection of the vital interests of the data subject, and response to a
national emergency are also available.

An exception to consent is allowed where processing is necessary to pursue the legitimate interests of the data controller, except where overridden by the fundamental rights and freedoms of the data subject.

Required agreements

The law requires that when sharing data, the sharing be covered by an agreement that provides
adequate safeguards for the rights of data subjects, and that these agreements are subject to
review by the National Privacy Commission.

Sensitive Personal and Privileged Information

The law defines sensitive personal information as information:

- About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;
- About an individual’s health, education, genetic or sexual life, or about any proceeding for any offense committed or alleged to have been committed;
- Issued by government agencies and “peculiar” (unique) to an individual, such as a social security number;
- Marked as classified by executive order or act of Congress.

All processing of sensitive personal and privileged information is prohibited except in certain circumstances. The exceptions are:

- Consent of the data subject;
- Processing pursuant to a law that does not require consent;
- Necessity to protect the life and health of a person;
- Necessity for medical treatment;
- Necessity to protect the lawful rights of data subjects in court proceedings, legal proceedings, or regulation.

Surveillance

Interestingly, the Philippines law states that the country’s Human Security Act of 2007 (a major
anti-terrorism law that enables surveillance) must comply with the Privacy Act.

Privacy program required

The law requires that any entity involved in data processing and subject to the act must develop,
implement and review procedures for the collection of personal data, obtaining consent, limiting
processing to defined purposes, access management, providing recourse to data subjects, and
appropriate data retention policies. These requirements necessitate the creation of a privacy
program. Requirements for technical security safeguards in the act also mandate that an entity
have a security program.

Data subjects' rights

The law enumerates rights that are familiar to privacy professionals as related to the principles of
notice, choice, access, accuracy and integrity of data.

The Philippines law appears to contain a “right to be forgotten” in the form of a right to erasure
or blocking, where the data subject may order the removal of his or her personal data from the
filing system of the data controller. Exercising this right requires “substantial proof,” the burden
of producing which is placed on the data subject. This right is expressly limited by the fact that
continued publication may be justified by constitutional rights to freedom of speech, expression
and other rights.

Notably, the law provides a private right of action for damages for inaccurate, incomplete,
outdated, false, unlawfully obtained or unauthorized use of personal data.

A right to data portability is also provided.

Mandatory personal information breach notification

The law defines both “security incident” and “personal data breach” so that the two are not confused. A “security incident” is an event or occurrence that affects or tends to affect data protection, or that may compromise the availability, integrity or confidentiality of personal data. The definition includes incidents that would have resulted in a personal data breach had safeguards not been in place.

A “personal data breach,” on the other hand, is the subset of security incidents that actually leads to the “accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.”

Requirement to notify 

Not all personal data breaches require notification; the law and the IRR provide several bases for not notifying the data subjects or the Commission. Section 38 of the IRR sets out the conditions under which notification is required:

- The breached information must be sensitive personal information, or information that could be used for identity fraud, and
- There is a reasonable belief that unauthorized acquisition has occurred, and
- The risk to the data subject is real, and
- The potential harm is serious.

The law provides that the Commission may determine that notification to data subjects is
unwarranted after taking into account the entity’s compliance with the Privacy Act, and whether
the acquisition was in good faith.

Notification timeline and recipients

The law places a concurrent obligation to notify the National Privacy Commission as well as
affected data subjects within 72 hours of knowledge of, or reasonable belief by the data
controller of, a personal data breach that requires notification.

It is unclear at present whether the commission would allow a delay in notification of data
subjects to allow the commission to determine whether a notification is unwarranted. By the law,
this would appear to be a gamble.

Notification contents

The notification must at least:

- Describe the nature of the breach;
- Identify the personal data possibly involved;
- State the measures taken by the entity to address the breach;
- State the measures taken to reduce the harm or negative consequences of the breach;
- Name the representatives of the personal information controller, including their contact details;
- Describe any assistance to be provided to the affected data subjects.

Penalties

The law provides separate penalties for various violations, most of which also include
imprisonment. Separate counts exist for unauthorized processing, processing for unauthorized
purposes, negligent access, improper disposal, unauthorized access or intentional breach,
concealment of breach involving sensitive personal information, unauthorized disclosure, and
malicious disclosure.

Any combination or series of acts may cause the entity to be subject to imprisonment ranging
from three to six years as well as a fine of approximately $20,000 to $100,000.

Notably, there is also the previously mentioned private right of action for damages, which would
apply.

Penalties for failure to notify

Persons who know of a security breach involving sensitive personal information and of the obligation to notify the Commission, and who fail to do so, may be penalized for concealment with imprisonment of one and a half to five years and a fine of approximately $10,000 to $20,000.

Depending upon the circumstances additional violations might apply.
