Text File For The Presentation - The Data Privacy Act of 2012
Our right to privacy of communication and correspondence is a human right. It is our private
property, protected by our government. The government may obtain our communications only upon a
lawful order of the court or a valid exercise of its police power.
How do we protect this right? When our communication and correspondence consisted only of
hard files or paper documents, protecting them was a matter of stashing them in our attics or in
rented safety boxes. Fortunately for us, we are rapidly going digital, and information creation
and transfer are increasingly fast. The methods to protect our right to privacy of communication
and correspondence had to improve and evolve digitally as well. Thus, our Data Privacy Act of 2012.
In 2012, the Philippines passed the Data Privacy Act of 2012 (DPA), “to protect the fundamental
human right of privacy, of communication while ensuring free flow of information to
promote innovation and growth” (Republic Act No. 10173, Ch. 1, Sec. 2). Two years after, in
2014, it was estimated that 2.5 quintillion — or 2.5 billion bytes of data were created every day.
This includes unprecedented knowledge about what real individuals are doing, watching,
thinking, and feeling.
https://amihan.net/2017/07/10/beginners_guide_to_ra_10173/
Sometime in 2004, President Gloria Macapagal Arroyo tasked Commissioner Damian “Dondi”
Mapa of the Commission on ICT (Information and Communications Technology) to develop
the growing Philippine BPO industry and make it more competitive. In response, Commissioner
Mapa pursued data protection as a competitive differentiator for business process outsourcing.
If you look closely at our DPA, it is patterned after the European Union’s General Data
Protection Regulation (GDPR). Because of this, our DPA is already 90% compliant with GDPR,
according to Commissioner Mapa.
https://eitsc.com/wp-content/uploads/2018/05/Mapping-the-DPA-and-GDPR.pdf
Under the DPA, a data subject refers to an individual whose personal information is processed.
In this case, all of us, filling in and giving our information to another person, are data subjects,
and that other person is a Personal Information Controller (PIC).
All personal information must be collected for reasons that are specified, legitimate, and
reasonable. We should know the reason why our personal data is collected. The kind of data
collected must be specific, the use must be legitimate, and the amount of data collected must
be reasonable.
Our personal information must be kept accurate and relevant, used only for the stated
purposes, and retained only for as long as reasonably needed. Data Collectors must be active
in ensuring that unauthorized parties do not have access to our information.
Collected personal information must be discarded in a way that does not make it visible and
accessible to unauthorized third parties. Unauthorized processing, negligent handling, or
improper disposal of personal information is punishable with up to six (6) years in prison or up
to five million pesos (PHP 5,000,000) depending on the nature and degree of the violation.
https://amihan.net/2017/07/10/beginners_guide_to_ra_10173/
As defined under 3.l of the Implementing Rules and Regulations of our DPA, Personal
Information refers to any information, whether recorded in a material form or not, from which
the identity of an individual is apparent or can be reasonably and directly ascertained by the
entity holding the information, or when put together with other information would directly and
certainly identify an individual.
Examples are our pictures, name, status, age, citizenship, up to our likes and dislikes.
Sensitive personal information (Section 3.t of the IRR) refers to personal information:
1. About an individual’s race, ethnic origin, marital status, age, color, and religious,
philosophical or political affiliations;
2. About an individual’s health, education, genetic or sexual life of a person, or to any
proceeding for any offense committed or alleged to have been committed by such
individual, the disposal of such proceedings, or the sentence of any court in such
proceedings;
3. Issued by government agencies peculiar to an individual which includes, but is not
limited to, social security numbers, previous or current health records, licenses or its
denials, suspension or revocation, and tax returns; and
4. Specifically established by an executive order or an act of Congress to be kept
classified.
This list is exclusive, which means that those not found therein are only personal information. I
would like to present these types or kinds of information side by side:
PERSONAL INFORMATION (defined under 3.l of IRR)

SENSITIVE (Section 3.t of IRR):
1. About an individual’s race, ethnic origin, marital status, age, color, and religious,
philosophical or political affiliations;
2. About an individual’s health, education, genetic or sexual life of a person, or to any
proceeding for any offense committed or alleged to have been committed by such
individual, the disposal of such proceedings, or the sentence of any court in such
proceedings;
3. Issued by government agencies peculiar to an individual which includes, but is not
limited to, social security numbers, previous or current health records, licenses or its
denials, suspension or revocation, and tax returns; and
4. Specifically established by an executive order or an act of Congress to be kept
classified.

NON-SENSITIVE:
Not defined under the law. It may be interpreted to cover all other personal information
not considered as sensitive.
Sensitive Information, category 2: About an individual’s health, education, genetic or sexual
life of a person, or to any proceeding for any offense committed or alleged to have been
committed by such individual, the disposal of such proceedings, or the sentence of any court in
such proceedings.

Under this category are our medical records in the hospitals, in our insurers, in HR, psychologists,
and records of our case in the courts, probation offices, and other offices.

This is the reason why our government uses numbers to identify us as COVID positive during this
time.

However, unknowingly, we give this information in on-line surveys under the promise of freebies or
a chance of winning something. Maybe next time, you will think twice when you give this kind of
information.
The above 4 categories are sensitive information. Again, the list is exclusive: any personal
information not found therein is considered only of the ordinary or non-sensitive kind, even
though you might think otherwise. Like who your boyfriend is, or who your ultimate crush is.
Why did the DPA distinguish sensitive information from non-sensitive? They are treated
differently, in terms of obligations, penalties and other effects.
Under the DPA, we have 8 privacy rights: the Right to be Informed, Right to Access, Right to
Object, Right to Erasure and Blocking, Right to Damages, Right to File the Complaint, Right to
Rectify, and Right to Data Portability.
1. The Right to be Informed
The data subject has a right to be informed whether personal data pertaining to him or her shall
be, are being, or have been processed, including the existence of automated decision-making
and profiling. xxx
Under this provision, as a Data Subject, I have the right to be informed that the personal
information I gave in my credit card application shall be entered into their system, the purpose,
whether my information will be used for direct marketing, profiling, historical, statistical or
scientific purpose. I also have the right to know the recipients of my data, the identity and
contact details of the personal data controller or its representative, and the period for which the
information will be stored.
Let us take for example an application for a credit card. The following is the personal information a
bank (Personal Information Controller) shall require, in the order and arrangement of the
bank:
1. Personal Information – Complete name, gender, date of birth, place of birth,
citizenship, no. of dependents, TIN no., SSS/GSIS no., no. of cars owned,
mortgaged or owned, civil status, school last attended, educational attainment,
mother’s full maiden name, father’s full name, spouse’s full name, spouse’s date of
birth;
2. Communication & Delivery Instructions – Home ownership (owned by applicant,
rented, mortgaged/financed, company quarters, living with relatives, boarding),
present address, permanent address, office address, and their corresponding
telephone, cellphone, fax numbers and email addresses;
3. Employment / Business Information – employment, gross monthly income, source
of funds, no. of years in the present job, in the past job, rank when employee (Non-
In giving this myriad of information, I have a right to be informed that it shall be entered into
their system, the purpose, whether my information will be used for direct marketing, profiling,
historical, statistical or scientific purposes, the identity of the recipients of my data, the identity
and contact details of the personal data controller or its representative, and the period for which
the information will be stored.
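The credit card form above mixes fields that fall on both sides of the sensitive/non-sensitive line drawn earlier. The following Python example is added here and is not part of the presentation: it classifies each field of a constructed application record against the four sensitive categories quoted from the IRR and masks the sensitive ones for a view that does not need them (for instance a support or access log, where even the bank's own staff should not see a TIN or civil status). The field names, the sample values and the field-to-category mapping are this example's own assumptions, not an NPC ruling; fields the mapping does not recognize are treated as sensitive until someone reviews them.

```python
"""Field-level classification of personal information under the DPA categories.

The category list mirrors the four groups of sensitive personal information quoted
on the page (IRR Section 3.t). The mapping of form fields to those groups is an
assumption made for this example; a real PIC would have its DPO sign it off.
"""
from enum import Enum


class Category(Enum):
    ORDINARY = "ordinary personal information"
    SENSITIVE_IDENTITY = "sensitive (1): race, ethnic origin, marital status, age, color, affiliations"
    SENSITIVE_HEALTH_EDUCATION = "sensitive (2): health, education, genetic or sexual life, proceedings"
    SENSITIVE_GOVERNMENT_ISSUED = "sensitive (3): issued by government agencies peculiar to an individual"
    SENSITIVE_CLASSIFIED = "sensitive (4): kept classified by executive order or act of Congress"
    UNKNOWN = "unclassified field (handled as sensitive until reviewed)"


# Assumed mapping of the bank form's fields to the page's categories.
FIELD_CATEGORIES = {
    "complete_name": Category.ORDINARY,
    "gender": Category.ORDINARY,
    "date_of_birth": Category.SENSITIVE_IDENTITY,          # reveals age
    "place_of_birth": Category.ORDINARY,
    "citizenship": Category.ORDINARY,                      # not named in the exclusive list
    "civil_status": Category.SENSITIVE_IDENTITY,           # marital status
    "tin": Category.SENSITIVE_GOVERNMENT_ISSUED,           # tax identification number
    "sss_gsis_no": Category.SENSITIVE_GOVERNMENT_ISSUED,   # social security number
    "educational_attainment": Category.SENSITIVE_HEALTH_EDUCATION,
    "school_last_attended": Category.SENSITIVE_HEALTH_EDUCATION,
    "cars_owned": Category.ORDINARY,
    "gross_monthly_income": Category.ORDINARY,
    "home_ownership": Category.ORDINARY,
    "email": Category.ORDINARY,
}

REDACTED = "[REDACTED]"


def classify_field(name: str) -> Category:
    """Unknown fields fail closed: they come back as UNKNOWN, which counts as sensitive."""
    return FIELD_CATEGORIES.get(name, Category.UNKNOWN)


def is_sensitive(category: Category) -> bool:
    return category is not Category.ORDINARY


def classify_record(record: dict) -> dict:
    """Map every field name in the record to its category."""
    return {name: classify_field(name) for name in record}


def sensitive_fields(record: dict) -> list:
    """Sorted names of the fields that need the stricter (sensitive) handling."""
    return sorted(name for name in record if is_sensitive(classify_field(name)))


def redact_sensitive(record: dict) -> dict:
    """Copy of the record suitable for a log or a view without need-to-know:
    sensitive and unknown fields are masked, ordinary fields are kept."""
    return {
        name: (REDACTED if is_sensitive(classify_field(name)) else value)
        for name, value in record.items()
    }


# Constructed sample application; every value is made up for this example.
SAMPLE_RECORD = {
    "complete_name": "Juan Dela Cruz",
    "gender": "M",
    "date_of_birth": "1985-03-14",
    "place_of_birth": "Quezon City",
    "citizenship": "Filipino",
    "civil_status": "Married",
    "tin": "000-000-000-000",
    "sss_gsis_no": "00-0000000-0",
    "educational_attainment": "College graduate",
    "school_last_attended": "Example State University",
    "cars_owned": 1,
    "gross_monthly_income": 45000,
    "home_ownership": "rented",
    "email": "juan@example.com",
}

if __name__ == "__main__":
    for name, category in classify_record(SAMPLE_RECORD).items():
        print(f"{name:24} {category.value}")
    print("sensitive:", sensitive_fields(SAMPLE_RECORD))
    print("log-safe view:", redact_sensitive(SAMPLE_RECORD))
```

The fail-closed default matters in practice: a new form field added by the business (say, a health declaration) is masked everywhere until the DPO classifies it, instead of leaking into logs as ordinary data.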
So how does the government enforce or implement this right? Aside from reportorial
requirements and other compliance requirements, a bank or PIC ordinarily requires us to give
our consent, by way of informing us of the use of our personal information:
By signing this consent form, you know, you understand, and you consent to the collection, use
and storage of your information by the bank.
In recording a conversation or interview with someone, it is enough to verbally ask for a direct
consent from an individual data subject. If the subject yields, it would be useful to also mention,
that it shall be recorded. Banks involved in phone banking tell their callers that the conversation
with their call center agent would be recorded, and that proceeding with the call, is indication of
their consent (This is considered sufficient notice).
Let us end this by going back to your own recordings in your phone, and your pictures. When
you post them on Facebook, either in public or on “only me”, did you give any kind of consent
as to their use, processing and storing?
2. The Right to Access
The data subject has the right to reasonable access to, upon demand, the following:
You have a right to obtain from companies or government agencies your personal information
which they store in their computer database and/or manual filing system. An example is CCTV
footage. You must execute a written request to the organization, addressed to its Data
Protection Officer (DPO). In the letter, mention that your request is being made in exercise of
your right to access under the Data Privacy Act of 2012. The DPO is required to respond to
your written request. Be prepared to provide evidence of your identity, which the DPO should
require of you to make sure that personal information is not given to the wrong person.
However, a criminal suspect is not allowed access to the personal data held about him by law
enforcement agencies, as it may impede the latter’s investigation. In the same manner, you are
not allowed to access information contained in communications between a lawyer and his or her
client, if such communication is subject to a legal privilege in court. Your right to access your
own medical and psychological data may be denied when it is deemed that your health and
well-being might be negatively affected.
3. The Right to Object
The data subject shall have the right to object to the processing of his or her personal data,
including processing for direct marketing, automated processing or profiling. The data subject
shall also be notified and given an opportunity to withhold consent to the processing in case of
changes or any amendment to the information supplied or declared to the data subject in the
preceding paragraph. xxx
You can exercise your right to object if the personal data processing involved is based on
consent or on legitimate interest. When you object or withhold your consent, the PIC should no
longer process the personal data, unless the processing is pursuant to a subpoena, for obvious
purposes (contract, employer-employee relationship, etc.) or a result of a legal obligation.
The right to object is most specifically applicable when organizations or personal information
controllers are processing your data without your consent for the following purposes: direct
marketing, profiling, and automated processing.
You may assert your right to object verbally, be it in person or via a phone call. To have it
formally documented, however, you must execute a written request to the organization,
addressed to its Data Protection Officer (DPO), and have it received. In the letter, mention that
your request is being made in exercise of your right to object under the DPA. The DPO must
act on your written request. In case you feel your request has not been addressed
satisfactorily, you may file a formal complaint before the NPC, attaching your request
letter to the DPO.
4. The Right to Erasure and Blocking under rule 34.e of the IRR
The data subject shall have the right to suspend, withdraw or order the blocking, removal or
destruction of his or her personal data from the personal information controller’s filing system.
5. The Right to Damages
The data subject shall be indemnified for any damages sustained due to such inaccurate,
incomplete, outdated, false, unlawfully obtained or unauthorized use of personal data, taking
into account any violation of his or her rights and freedoms as data subject.
6. The Right to File the Complaint under rule 34.a.2(1)
The existence of their rights as data subjects, including the right to access, correction, and
object to the processing, as well as the right to lodge a complaint before the Commission.
7. The Right to Rectify
The data subject has the right to dispute the inaccuracy or error in the personal data and have
the personal information controller correct it immediately and accordingly, unless the request is
vexatious or otherwise unreasonable. xxx
8. The Right to Data Portability
Where his or her personal data is processed by electronic means and in a structured and
commonly used format, the data subject shall have the right to obtain from the personal
information controller a copy of such data in an electronic or structured format that is commonly
used and allows for further use by the data subject. xxx
Let us go back to my Facebook example. I admit that at first, I used my real name and diligently
filled in several sensitive personal data in my Facebook profile, expecting my friends to recognize
and contact me; after all, this is a social media platform. When I worked with the Pag-IBIG Fund and
started filing criminal complaints against businesses which refused to comply with the Pag-IBIG
Fund Law, I found myself checking their names on Facebook to get a profile and a “picture
of a person” in my case. Was it legal? Of course, the name and picture are publicly posted on
Facebook.
Later, I realized that the same access is two-pronged. Like myself, any person who receives a
final demand to pay or to vacate, which I signed in my work, can also check my name, my
status and my profile picture with a smiling face. I got a taste of my own medicine. Which led
me to question, as a culture, what kind of data subjects are we? Are we even aware that what
we post on Facebook is sensitive personal data about ourselves?
Did you notice that your sponsored ads are quite tailored to you? For example, those in their
50s, based on the date of birth in their profile, are probably targeted with
age-defying cosmetics, while those in their twenties may receive ads appropriate to their age.
Do you wonder why these targeted ads? Who gave them your age? Did you ever give consent to
Facebook to give or to sell your data to advertising corporations? Did you ever wonder what price or
value Facebook has received in exchange for your data?
A Social Weather Stations (SWS) survey on data privacy and Internet usage, commissioned
by the National Privacy Commission and conducted from June 17 to 21, 2017, showed that 85% of
Filipino respondents agree that the rights of data subjects are important.
94% want to know more about where the personal information they provide during transactions
or applications will be used.
Meanwhile, in terms of trust in private institutions that collect personal information, schools are
found to be the most trustworthy, getting a +85-net trust rating. It is followed by hospitals and
clinics (+71), banks (+52), telecommunications companies (+35), and credit card companies
(+24).
Through the survey, NPC Commissioner Raymund Liboro confirmed that Filipinos value their
privacy.
The following are examples of cited violations of DPA, as reported by the National Privacy
Commission.
https://privacy.com.ph/dndfeature/personal-information-data-privacy-act-personal-information-processed/
Sometime in August 2014, a popular blogger Michael Sy Lim of Fashion Pulis, posted
screenshots of what were alleged to be leaked medical records of model Deniece Cornejo from
Healthway Clinic showing her to be suffering from a sexually transmitted disease. At that time,
Cornejo was in the thick of a media storm caused by her allegation that she was raped by
celebrity dancer and host Vhong Navarro. On top of the rape case she had previously filed
against Navarro, she wound up filing another complaint for libel, this time against Lim.
Is there a violation? Of course: medical records of a person are sensitive personal information.
They cannot be published on-line unless there is consent from the data subject. Who is liable for
such leaks? Under the law, it is the blogger who posted the screenshots and the Healthway
Clinic which allowed the exposure or release of such sensitive personal information.
The second case: In November 2017, at the height of the government’s high-stakes crackdown
against illegal drugs, the Philippine Drug Enforcement Agency (PDEA) conducted a raid at the
Seda Hotel in BGC, where 11 men, comprised of models and professionals, were rounded up
for allegedly engaging in a drug-fueled sex orgy. At a press conference following the arrest, the
PDEA announced that one of the men was HIV positive. There was incontrovertible
identification because PDEA officials had asked the said man to raise his hand. The incident
prompted a uniform outcry from HIV and data privacy advocates alike, accusing PDEA of
having overstepped its authority in revealing sensitive personal information that had nothing to
do with the crime for which the suspects were arrested and exposing the victim to ridicule and
discrimination. By the time PDEA owned up to its mistake, the damage had already been done.
In this case, the man’s medical record of being HIV positive cannot be leaked without his
consent.
Why? What is the danger in unprotected data? In the past, threats to our data were fire,
viruses, and bandits; now we have hackers and competition. Or worse, identity theft, fraud, and
theft of financial resources from employees and clients.
With this topic, I hope that you appreciate your data and the importance of their privacy. For one,
you don’t really have to use your complete name in social media, your complete birth date,
and other data. As the police joke, nowadays they don’t have to search their databases
for this kind of information; they need only go to Facebook and skim through public profiles,
which unknowingly makes their work easier.
In the area of Human Resources, the HR manager or employee must ensure that the personal and
sensitive personal data of the workers, collected from the process of recruitment
and selection down to the discharge of employment relations, are protected.
When a worker is hired, his/her data pertaining to work performance, statistics on
productivity, activities performed during and outside employment hours, recordings of CCTV
within the vicinity of the employer, access logs, network traffic statistics, biometric data, among
others, are collected. During the employee’s severance from your company, whether voluntary
(resignation) or involuntary (just or authorized causes of termination), he/she must comply with
various other requirements, and his/her 201 file (a file that keeps documentation of the employment
relationship for the duration of tenure) must, for the time being, be stored.
Last year, in April 2019, the National Privacy Commission investigated hacking incidents from
April 1-2, 2019, on Facebook, Twitter, Yahoo, Wattpad, and some websites operated by public
and private organizations. The hacked government websites include those of the Armed Forces of the
Philippines, the Ateneo de Zamboanga and the Technological University of the Philippines in
Taguig. Initially, the NPC identified the local hacker as Pinoy LulzSec.
https://www.pna.gov.ph/articles/1066539
This year, a data breach at a GE vendor exposed highly sensitive employee information of General
Electric. GE has about 250,000 employees along with hundreds of thousands of former
employees who continue to receive benefits. GE disclosed that the third party, Canon Business
Process Services (Canon BPS), is a GE contractor and vendor. Canon BPS is a subdivision of the
camera giant that specializes in handling outsourced human resources tasks such as
document processing and accounts payable.
The unknown party (hacker) apparently gained access to the workflow routing service of Canon
BPS through one compromised email account. From February 3 to 14, 2020, the unknown party gained
access to sensitive documents, like documents uploaded to GE as part of the process of
obtaining benefits, and possibly those of people who completed online employment applications as well,
which include bank account details. These data, all combined, are the documents one needs
to commit identity fraud and gain access to accounts. GE, in turn, offered credit monitoring to
protect its employees and former employees against the inevitable fraud attempts.
There are possible causes of the data breach, including the possibility that the Canon BPS email was
phished and all the documents in the inbox were harvested. What really happened? Why the
breach? At the time this incident was reported, GE required its employees and former staff to
upload documents directly to Canon BPS. It is possible that the Canon BPS email account was phished
by hackers. So, what is phishing?
Phishing - the analogy is of an angler throwing a baited hook out there (the phishing email) and
hoping you bite. Phishing is a cyber-attack that uses disguised email as a weapon. The goal
is to trick the email recipient into believing that the message is something they want or need —
a request from their bank, for instance, or a note from someone in their company — and to click
a link or download an attachment.
https://www.csoonline.com/article/2117843/what-is-phishing-how-this-cyber-attack-works-and-how-to-prevent-it.html
Scott Ikeda, in his report in CPO Magazine on 7 April 2020, entitled “Third Party Data Breach
of GE Vendor Exposes Highly Sensitive Employee Information Appears to Stem from Just One
Compromised Email Account”, concluded that:
In terms of securing against a third-party data breach, this incident illustrates the need for
screening of not just the traditional IT countermeasures and posture of contractors but also
the susceptibility of individual employees that have access to sensitive data. Elad Shapira,
Head of Research at Panorays: “This cyber incident underscores why it’s so important for
companies to thoroughly assess their service providers’ cyber posture, and why that
assessment must also take into account the human factor. Specifically, companies should
be sure to check the likelihood of employees to be targeted for an attack based on factors
like social media presence, employee security awareness and the presence of a dedicated
security team.”
https://www.cpomagazine.com/cyber-security/third-party-data-breach-of-ge-vendor-exposes-highly-sensitive-employee-information/
b. CONCLUSION
The DPA has been implemented for 8 years, and our government is still improving the systems by
installing the minimum standards for protection of personal information required under the DPA,
regulating the privacy codes used, and regulating Data Protection Officers.
As HR Manager, these are some of your obligations in so far as the 201 files of all the workers
in your company are concerned:
1. Ensure that the personal information in your custody, whether in hard copy or in digital
form, is protected and safely stored. As a rule, any request for a copy or retrieval of this
information must have the consent of the data subject.
2. As part of human resource development, coordinate with the NPC for any training and
orientation for your company, to build capacity and promote compliance with the data
privacy policy, and to mitigate operational risks,