
Data Privacy Act Webinar

June 30, 2022


What is the Data Privacy Act?

• The Data Privacy Act, or R.A. No. 10173, is the law that seeks to
protect all forms of information, be it private, personal, or
sensitive. The law applies to natural or juridical persons
involved in the processing of personal information.

What is the scope of the Data Privacy Act?

• It covers all persons involved in the processing of personal
information, although these persons are not found or established
in the Philippines, provided they use equipment located in the
Philippines or they maintain an office, branch, or agency in the
Philippines.

What is personal information?

• Personal information refers to any information, whether recorded
in a material form or not, from which the identity of an
individual is apparent or can be reasonably and directly
ascertained by the entity holding the information, or when put
together with other information would directly and certainly
identify an individual.

What is personal data?

• Personal data is used when personal information, sensitive
personal information, and privileged information are referred to
collectively. On the other hand, personal information forms part
of the broader concept of personal data.

Who is a data subject?

• A data subject is an individual whose personal information is
processed.

What is processing of personal information?

• It refers to any operation or set of operations performed upon
personal information including, but not limited to, the
collection, recording, organization, storage, updating,
modification, retrieval, consultation, use, consolidation,
blocking, erasure, or destruction of data.

What is privileged information?
• It refers to any and all forms of data which under the Rules of
Court and other pertinent laws constitute privileged
communication.
• Examples: Attorney-Client Privilege; Physician-Patient Privilege;
Marital Privilege Rule

Is there a difference between personal information and sensitive
personal information?

• Yes, personal information refers to information that makes
readily identifiable
• On the other hand, sensitive personal information refers to
personal information:
a) About an individual’s race, ethnic origin, marital status,
age, color, as well as religious, philosophical, or
affiliations;
b) About an individual’s health, education, genetic or sexual
life, or any proceeding for any offense committed or
alleged to have been committed by such an individual, the
disposal of such proceedings, or the sentence of any court
in such proceedings.
c) Issued by government agencies peculiar to an individual
which includes, but is not limited to, social security
numbers, previous or current health records, licenses or
its denials, suspension or revocation, and tax returns; and
d) Specifically established by an executive order or an act of
Congress to be kept classified.

What are the exceptions to the application of the Data Privacy Act?
A. Information about any individual who is or was an officer of a
government institution that relates to his position or functions;
B. Information about an individual who is or was performing services
under contract for a government institution that relates to the
services performed;
C. Information relating to any discretionary benefit of a financial
nature such as the granting of a license or permit given by the
government to an individual;
D. Personal information processed for journalistic, artistic,
literary, or research purposes.

Are institutions required to appoint someone who should be responsible
for ensuring compliance with the law?

• Yes, under the Implementing Rules and Regulations of the Data
Privacy Act, all institutions are required to appoint one or more
than one Data Protection Officer (DPO), who should be accountable
for ensuring compliance with the appropriate data protection laws
and regulations.

How are privileged information and sensitive personal information
treated by the Data Privacy Act?
A. The data subject has given consent before the processing. In the
case of privileged information, all parties to the information
have given their consent before the processing;
B. The processing is necessary to protect the life and health of the
data subject or another person, and the data subject is not
legally or physically able to express consent before the
processing;
C. The processing is necessary for the purpose of medical treatment, is
carried out by a medical practitioner or a medical treatment
institution, and an adequate level of protection of personal
information is ensured;
D. The processing concerns such personal information as is necessary
for the protection of lawful rights and interests of persons in
court proceedings or when provided to government or public
authority.

What is data privacy?

• Data privacy, also known as information privacy, is the necessity
to preserve and protect any personal information, collected by
any organization, from being accessed by a third party.

What data are included?
Any personal data that could be sensitive or can be used maliciously by
someone is included in data privacy. It includes:
A. Online Privacy. It includes all personal data given out during
online interactions.
B. Financial Privacy. Any financial information shared online or
offline is sensitive as it can be utilized to commit fraud.
C. Medical Privacy. Details of medical treatment and history are
privileged and cannot be disclosed to a third party.
D. Residential and geographic records. Giving out an address online can
be a potential risk and needs protection from authorized access.
E. Political Privacy. Political preferences should be privileged
information.

The processing of personal data shall be allowed, subject to adherence
to the principles of transparency, legitimate purpose, and
proportionality. What do these principles mean?

• Transparency. The data subject must be aware of the nature,
purpose, and extent of the processing of his or her personal
data, including the risks and safeguards involved, the identity
of the personal information controller, his or her rights as a data
subject, and how these can be exercised. Any information and
communication relating to the processing of personal data should
be easy to access and understand, using clear and plain language.
• Legitimate Purpose. The processing of information shall be
compatible with a declared and specified purpose which must not
be contrary to law, morals, or public policy.
• Proportionality. The processing of information shall be adequate,
relevant, suitable, necessary, and not excessive in relation to a
declared and specified purpose. Personal data shall be processed
only if the purpose of the processing could reasonably be
fulfilled by other means.

The collection, processing, and retention of personal data are said to
be for a legitimate purpose when:

• The data subject gives consent prior to the collection and processing
of personal data.
• The subject must be provided specific information regarding the
purpose and extent of processing.
• Purpose should be determined and declared before, or as soon as
reasonably practicable, after collection.
• Only personal data that is necessary and compatible with the
declared, specified and legitimate purpose shall be collected.
(Note: The data subject’s consent should be evidenced by written,
electronic or recorded means)

What are the rights of a data subject?

• Right to be informed – The right to be informed in a timely
manner by the PIC if his data have been compromised
• Right to Access – The right to know if an organization holds his
data, and if so, the right to gain access to them.
• Right to Object – the right to contest any unlawful processing of
data against him
• Right to Rectify – the right to dispute and compel correction of
inaccurate data a PIC has about him
• Right to Erasure and Blocking – the right to withdraw or order
the removal or blocking of his personal data
• Right to Damages – the right to claim compensation arising from
inaccurate or unauthorized use of personal data.
