
Data Privacy Act

Atty. Ivy D. Patdu


Right to Privacy

“the right to be let alone - the most comprehensive of rights and the right most valued by civilized men”

[Brandeis J, dissenting in Olmstead v. United States, 277 U.S. 438 (1928)].

The constitutional right to privacy has come into its own. So it is likewise in our jurisdiction. The right to privacy as such is accorded recognition independently of its identification with liberty; in itself, it is fully deserving of constitutional protection.

[Morfe v. Mutuc, G.R. No. L-20387 (1968)].

Informational Privacy
Right to control the collection, maintenance, use, and dissemination of data about oneself.

The individual’s ability to control the flow of information concerning or describing him, which however must be overbalanced by legitimate public concerns. To deprive an individual of his power to control or determine whom to share information of his personal details would deny him of his right to his own personhood.

4th Industrial Revolution

[Timeline: 1700, 1800, 1900s, Today]

“In this digital era, information is the currency of power – valuable, coveted, but at a very high risk.”

Senator Edgardo Angara, sponsorship speech for the Data Privacy Act


Data Privacy Act

Balancing Free Flow of Information and Information Privacy

Free Flow of Information:
• Research and Innovation
• Freedom of Information
• Data Driven Policies

Information Privacy:
• Freedom from unwarranted exploitation
• Individuality and Human Dignity
• Protection against Financial Harm

Scope and Definitions

The Data Privacy Act applies to the processing of personal data by any natural and juridical person in the government or private sector.

Data life cycle of Personal, Sensitive Personal, and Privileged Information: Collection; Use and Access; Sharing and Transfers; Storage and Retention; Disposal.

Personal Data
• Any information from which the identity of an individual is apparent
• Any information that can be put together with other information to reasonably and directly identify an individual
• Includes sensitive personal information such as your health, education, genetic or sexual life
• Includes information that is classified or privileged

Identified | Identifiable | Not identifiable

Identified or Identifiable | Aggregate or Statistical
15 year-old; 15 year-old, male, Zip Code 1005, born on July 4, admitted in a hospital last October 10 of this year | 11.02% of the population of the Philippines are between 15-19 years old
Philhealth-covered person; Philhealth No. 1234567 | 88% of Filipinos are covered by Philhealth
Fingerprint | The Crime Laboratory has more than 761,000 fingerprint records in its system
Sensitive Personal Information
refers to personal information:
1. About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;
2. About an individual’s health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings;
3. Issued by government agencies peculiar to an individual which includes, but not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns; and
4. Specifically established by an executive order or an act of Congress to be kept classified.
Personal Information v. Sensitive Personal Information

• Risk of Harm to Data Subjects higher where sensitive personal or privileged information is involved (Ex. Discrimination, Identity Theft)
• Stronger protection, higher Security measures for SPI
• Mandatory breach notification for personal data breaches involving SPI; for personal information that is not sensitive, generally notification required if information can be used for identity fraud (among other criteria)
• Crimes involving SPI carry higher penalty

The Data Privacy Act Does not Apply:

• When the identity of the individual
  1. Is not apparent; or
  2. Cannot be reasonably and directly ascertained by the entity holding the information or when put together with other information, still would not directly and certainly identify an individual.
• If personal data can be anonymized, then data is not covered by the Data Privacy Act. Aggregate data is also not covered.

Data Subjects
“Data subject” refers to an individual whose personal, sensitive personal, or privileged information is processed.

Personal Information Controller (PIC) | Personal Information Processor (PIP)
Agency or other body who controls processing of personal data | Agency or other body to whom processing is OUTSOURCED by PIC
Decides what is collected, purpose or extent of processing | Usually given access to personal data under contract or service provider agreement
Excludes those who process only as instructed by another | Should not use or process personal data for own purpose

[Diagram: Outsourcing Contract / Service Agreement between the Personal Information Controller (PIC) and the Personal Information Processor (PIP); the PIC provides instructions/terms, documents/files and personal information, and the PIP returns processing/output]

Personal Information Controller

The term excludes:

• A person or organization who performs such functions as instructed by another person or organization; and
• An individual who collects, holds, processes or uses personal information in connection with the individual’s personal, family or household affairs.
Accountability

Section 21. Principle of Accountability. – Each personal information controller is responsible for personal information under its control or custody, including information that have been transferred to a third party for processing, whether domestically or internationally, subject to cross-border arrangement and cooperation.
(a) The personal information controller is accountable for complying with the requirements of this Act and shall use contractual or other reasonable means to provide a comparable level of protection while the information are being processed by a third party.

Special Cases
The Act does not apply to the following

Information processed for purpose of allowing public access to information that fall within matters of public concern
• About Government employees or officials in relation to position or functions
• About individuals performing service under contract with government, as it relates to service
• Those relating to a benefit of a financial nature conferred on an individual upon the discretion of the government, such as the granting of a license or permit

• A government agency’s database was hacked and unauthorized persons were able to extract the personal details of government employees.
• Can the government agency claim exemption from the Data Privacy Act and insist that it has no obligation to protect the personal data of its employees?

The Act does not apply to the following

• Personal information processed for journalistic, artistic, literary or research purposes
• Information necessary in order to carry out the functions of public authority, in accordance with a constitutional or statutory mandate (central monetary authority, law enforcement, or regulatory function)

The phrase, “necessary for law enforcement purposes” is not a weapon that can be indiscriminately wielded by any agency that invokes it. The law enforcement agency must establish its mandate to enforce a particular law, and more importantly, that they are not unreasonably infringing on the rights of individuals guaranteed by the Constitution. Failure to establish both grounds renders the processing unnecessary and contrary to law.

[NPC Advisory Opinion No. 2018-071]


The Act does not apply to the following

• Information necessary for banks and other financial institutions to comply with Republic Act No. 9510 (CISA), and Republic Act No. 9160 (AMLA)
• Personal information originally collected from residents of foreign jurisdictions in accordance with the laws of those foreign jurisdictions, including any applicable data privacy laws, which is being processed in the Philippines.

Exemptions are not Absolute

“…the processing of the information provided in the preceding paragraphs shall be exempted from the requirements of the Act only to the minimum extent necessary to achieve the specific purpose, function, or activity.” [DPA IRR, §6]

• Exemption is limited to the specified information, processed in relation to stipulated purpose, function or activity
• Non-applicability does not extend to personal information controllers or personal information processors
Example: Reporting of covered transactions under the Anti-money Laundering Act is not covered by the DPA, but the bank making such a report remains subject to its obligations under the DPA, including the processing of the personal information of its clients not included by requirements of CISA or AMLA.

Data Privacy Act, Section 38. Interpretation. – Any doubt in the interpretation of any provision of this Act shall be liberally interpreted in a manner mindful of the rights and interests of the individual about whom personal information is processed.

Data Privacy Act: Data Privacy Principles; Security Measures; Uphold Rights of Data Subject

Data Privacy Principles

General Data Privacy Principles: Transparency; Legitimate Purpose; Proportionality
Transparency

Transparency. The data subject must be aware of the nature, purpose, and extent of the processing of his or her personal data, including the risks and safeguards involved, the identity of personal information controller, his or her rights as a data subject, and how these can be exercised.

Will the data subjects be unfairly surprised if they find out how you are using personal data that relates to them?

CCTV monitoring 24 hours

Images are being recorded for purpose of crime prevention and public safety.
Recording may be disclosed to law enforcement.
This is operated by ABC Corp.
For further information contact 999-9999



Privacy Notice

What - Description of personal data
Why - Purposes and basis of processing
How - Scope and method of processing; Information about risks; Storage Period, disposal; Data Security
Whom - Classes of recipients of personal data
Who - Identity and contact details of PIC; Contact details of Data Protection Officer
Rights - Data Subjects’ Rights

Legitimate Purpose

• Legitimate purpose. The processing of information shall be compatible with a declared and specified purpose which must not be contrary to law, morals, or public policy.
• Processing should have a lawful basis.

What are you collecting? | How do you use personal data? | What is the basis of processing?

If it’s not clear, It’s not consent

• CONSENT refers to any freely given, specific, informed indication of will, whereby the data subject agrees to the collection and processing of personal information about and/or relating to him or her
• The consent shall be evidenced by written, electronic or recorded means.
Criteria for Lawful Processing

Personal Information (Not Sensitive) (Ex. Name, Address, Phone Number, e-mail address) | Sensitive Personal Information (Ex. Health, Education, Government Issued Numbers)
Consent of Data Subject | Consent of Data Subject
Necessary to the fulfillment of a contract | Public organizations and their associations, limited to members, with consent
Legal Obligation (Reporting requirements) | Laws and regulations, with safeguards
Protect vitally important interests of the data subject, including life and health | Protect life and health of any person, where data subject physically or legally unable to consent
National emergency, to comply with the requirements of public order and safety, or to fulfill functions of public authority | Protection of lawful rights and interests of natural or legal persons in court proceedings, legal claims, provided to government authority
Legitimate Interest | Medical treatment Purpose
Nurses post video of dying patient

• A video of an agitated and critical patient, with blood on his face, body, and clothes, went viral. He was shown lying down on a stretcher, trying to stand up. He appeared to be begging for help. Hospital staff, not seen in the video, recorded him. It was also hospital staff that posted the video on social media.
• The patient later died. Netizens are criticizing the hospital and its staff for allegedly abandoning the patient.
Proportionality
• The processing of information shall be adequate, relevant, suitable, necessary, and not excessive in relation to a declared and specified purpose. Personal data shall be processed only if the purpose of the processing could not reasonably be fulfilled by other means.

Do you collect only personal data you need? | Do you limit personal data used or shared only to that which is necessary? | Do you still store personal data even if you no longer need it?

Data Protection Excellence Network, A Comparative Review of Contact Tracing Apps in ASEAN Countries, available at https://www.dpexnetwork.org/articles/comparative-review-contact-tracing-apps-asean-countries/ (last accessed June 19, 2020).
Rights of Data Subjects

1. Right to Information
2. Right to Object
3. Right to Access
4. Right to Correct
5. Right to Erase
6. Right to Data Portability
7. Right to File a Complaint
8. Right to Damages

Transmissibility

•Section 17. Transmissibility of Rights of the Data Subject. – The lawful heirs and
assigns of the data subject may invoke the rights of the data subject for, which he or
she is an heir or assignee at any time after the death of the data subject or when the
data subject is incapacitated or incapable of exercising the rights as enumerated in
the immediately preceding section.
Security Measures

Organizational | Physical | Technical
Confidentiality | Integrity | Availability

Data Privacy Act: Data Privacy Principles; Security Measures; Rights of Data Subjects
Privacy and Data Protection Measures: Privacy Management Program; Breach Management; DPO; PIA
Accountability

Data Protection Officer

The personal information controller shall designate an individual or individuals who are accountable for the organization’s compliance with this Act. [DPA, Section 21(b)]
The DPO should possess specialized knowledge and demonstrate reliability necessary for the performance of his or her duties and responsibilities

Privacy Champion: Compliance Officer for Privacy; Information Security; Data Protection Officer; IT; Legal; Compliance Officer

• Data Protection Officer
• Privacy Network
• Clear Reporting Lines
• Resources and Support

Duties of the DPO


•Monitor compliance
•Ensure conduct of PIAs
•Advise PIC or PIP, develop and review policies and programs, cultivate privacy awareness
•Ensure proper security incident management
•Serve as contact person for data subjects and NPC

Privacy Impact Assessment

• “Privacy Impact Assessment” is a process undertaken and used to evaluate and manage privacy impacts for each program, process or measure within the agency that involves personal data
• The conduct of a PIA is part of data privacy best practices.

Privacy Impact Assessment

Personal Data Flow
• Source and Collection
• Data Inventory
• Purpose of processing
• Personal Data Processing – use, disclosure, storage, disposal
• Security measures
• Transfer outside country
Identify and Assess Privacy Risks
• Privacy Risk Identification
• Privacy Risk Analysis
• Privacy Risk Evaluation
Address risks

Privacy Impact Assessment: What do I process and how? Do I comply with law? What are the risks? What can I do about it? When will I re-assess?

The determination of the appropriate level of security for an agency or organization processing personal data shall take into account the nature of the personal information to be protected, the risks represented by the processing to the rights and freedoms of data subjects, the size of the organization and complexity of its operations, current data privacy best practices and the cost of security implementation (Section 20(c) of the DPA; Section 29 of its IRR)

Picture from ICRC Safe Access, Context and Risk Assessment, available at http://saferaccess.icrc.org/practical-toolbox/context-and-risk-assessment/
Privacy Management Program

• A Privacy Management Program is a holistic approach to privacy and data protection, important for all agencies, companies or other organization involved in the processing of personal data.
• It is a process intended to embed privacy and data protection in the strategic framework and daily operations of a personal information controller or personal information processor.

Privacy Management Program: Organizational Commitment (Governance); Program Controls; Continuing Assessment and Development (Continuity & Privacy Ecosystem)

• A Privacy Management Program helps organizations demonstrate compliance with the DPA
• A practical approach to manage different activities related to data protection.

Management Buy-in

Governance/Organizational Commitment
• Designate a DPO
• Endorse a set of program controls
• Report to the Board
• Data Protection Officer
Reporting Mechanisms
Clear communication lines
• Internal and External Reporting

The NPC Data Privacy Accountability and Compliance Framework

Governance: A. Choose a DPO
Risk Assessment: B. Register; C. Records of processing activities; D. Conduct PIA
Organization: E. Privacy Management Program; F. Privacy Manual
Day to Day: G. Privacy Notice; H-O. Data Subject Rights; P. Data Life Cycle
Data Security: Q. Organization; R. Physical; S. Technical (Data Center, Encryption, Access Control Policy)

Breaches: T. Data Breach Management (Security Policy, Data Breach Response Team, Incident Response Procedure, Document, Breach Notification)
Third Parties: U. Third Parties (Legal Basis for Disclosure, Data Sharing Agreements, Cross Border)
Manage HR: V. Trainings & Certifications; W. Security Clearance
Continuity: X. Continuing Assessment and Development (Regular PIA, Review Contracts, Internal Assessment, Review PMP, Accreditation)
Privacy Ecosystem: Y. New Technologies and standards; Z. New Legal Requirements

Continuing Assessment and Development

• Oversight and Review Plan
  ‣ Develop an Oversight and Review Plan providing procedures for documentation, regular review and evaluation of program implementation, including performance measures.
• Assess and Review Program Controls
  ‣ The effectiveness of program controls should be monitored, periodically audited, and where necessary, revised.

Data Privacy by Design

Proactive not Reactive | Privacy as Default | Privacy Embedded into Design | Full Functionality | End to End Security | Visibility and Transparency | User Centric

• Data Protection considered from inception, at time of system development, and embedded into systems
• Anticipate Risks, Privacy as Default Setting, Data Minimization, Data Security, Respect for User privacy.

Clear Policies, Procedure and Safeguards for every stage of Data Life Cycle:
Collection - Privacy Notice; Consent Forms
Use and Access - Role-based access; Multi-factor authentication
Sharing and Transfers - Data sharing agreements; Encryption at rest and in Transit
Storage and Retention - Biometric Locks; Vulnerability assessment, penetration testing
Disposal - Records retention policy; Paper shredders; Secure deletion

Personal Data Breach

A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
A personal data breach may be in the nature of:
• Availability breach resulting from loss, accidental or unlawful destruction of personal data;
• Integrity breach resulting from alteration of personal data;
• Confidentiality breach resulting from the unauthorized disclosure of or access to personal data.
When Notification Required
1. The personal data involves sensitive personal information or any other information that may be used to enable identity fraud.
2. There is reason to believe that the information may have been acquired by an unauthorized person; and
3. The personal information controller or the Commission believes that the unauthorized acquisition is likely to give rise to a real risk of serious harm to any affected data subject.

Breach Response - Security Policy
Incident Response - Team; Procedure
Notification - Document & Reporting

Who should notify: The personal information controller, which controls the processing of information, even if processing is outsourced or subcontracted to a third party.

When should notification of Commission be done: Within 72 hours from knowledge (or reasonable belief) of the personal data breach, based on available information. Follow up report should be submitted within five (5) days from knowledge of the breach, unless allowed a longer period by the Commission.

When should data subjects or individuals be notified: Within seventy-two (72) hours from knowledge of the breach, unless there is a reason to postpone or omit notification, subject to approval of the Commission.

What are the contents of notification to Commission: In general,
1. Nature of the breach
2. Sensitive personal information possibly involved
3. Measures taken by the entity to address the breach
4. Details of contact person for more information

What are the contents of notification to data subject: In general, same contents as notification of Commission but must include instructions on how data subject will get further information and recommendations to minimize risks resulting from breach.
Safekeeping of the desktop computer containing Personal data (NPC 17-02)
COMELEC reported that on 11 January 2017, a desktop computer of the Office of the Election Officer of Wao, was stolen by unidentified persons. The desktop computer contained, among other applications, the Voter Registration System and the Voter Search program that utilize the data stored in the National List of Registered Voters. The Election Officer denied the allegation of negligence in the safekeeping of the desktop computer containing personal data of voters.

How can the Election officer establish that there was no Negligence?

Safekeeping of the desktop computer containing Personal data (NPC 17-02)
• The Election Officer claimed to have implemented physical security measures such as causing the installation of padlocks to every point of ingress and egress of the office. To support his defense, he attached photographs of the whole office building where the COMELEC office in Wao is located, and of all doors and windows of the office showing that padlocks were properly installed.
• Moreover, he maintained that he assigned his casual employee, to make sure that all points of entry and exit, including the windows, are locked before the last person leaves the office. The Election Officer maintains that what took place at the COMELEC office in Wao was a robbery with force upon things, whereby the robber gained entry by breaking the locks and forcing his way through the back window into the office of the Election Officer. He asserted that said robbery was beyond his control.
Safekeeping of the desktop computer containing Personal data (NPC 17-02)
• He also installed a strong password to said desktop computer and only he and his casual employee knew the said password. Further, COMELEC, in their personal data breach report to this Commission, maintains that technical security measures are in place to limit access to the VRS program in the desktop computer and that the VRS and the NLRV data are encrypted in AES 256. COMELEC reports that the security feature, encryption in AES 256, of the fields containing personal information has already been implemented since 17 October 2016.

Crime | Description | Imprisonment | Fine
Unauthorized Processing | Processing personal data without the consent of the data subject, or without being authorized under DPA or any existing law. | 1 yr – 6 yrs | Php500,000 to Php4,000,000
Access to Personal/Sensitive Information due to Negligence | Persons who provide access to personal data due to negligence, without being authorized under DPA or any existing law. | 1-6 years | Php500,000 to Php4,000,000
Improper Disposal | Negligently dispose, discard or abandon personal data of an individual in an area accessible to the public or placed in its container for trash collection. | 6 months – 3 years | Php 100,000 to Php 1,000,000
Processing of Personal/Sensitive Information for Unauthorized Purpose | Processing personal data for other purposes which are no longer authorized by law or consent | 1 yr 6 mos – 7 years | Php500,000 to Php2,000,000
Unauthorized Access or Intentional Breach | Persons who knowingly and unlawfully, or violating data confidentiality and security data systems, break in any way into any system where personal data is stored. | 1-3 years | Php500,000 to Php2,000,000
Concealment of Security Breach | Persons who, after having knowledge of a security breach involving sensitive personal information and of the obligation to notify the Commission, intentionally or by omission conceal the fact. [Duty to notify Privacy Commission in case of breach (within 72 hours)] | 1 yr 6 mos – 5 years | Php500,000 to Php1,000,000
Malicious Disclosure | Any PIC or PIP or any of its officials, employees or agents, who, with malice or in bad faith, discloses unwarranted or false information relative to any personal data obtained by him or her | 1 yr 6 mos – 5 years | Php 500,000 to Php 1,000,000
Unauthorized Disclosure | Any personal information controller or personal information processor or any of its officials, employees or agents, who discloses to a third party personal information not covered by malicious disclosure | 1 yr – 5 years | Php 500,000 to Php 2,000,000
Section 34. Extent of Liability

• If the offender is a corporation, partnership or any juridical person, the penalty shall be imposed upon the responsible officers, as the case may be, who participated in, or by their gross negligence, allowed the commission of the crime. If the offender is a juridical person, the court may suspend or revoke any of its rights under this Act. xxxx
Section 35. Large-Scale

• The maximum penalty in the scale of penalties respectively provided for the preceding offenses shall be imposed when the personal information of at least one hundred (100) persons is harmed, affected or involved as the result of the above mentioned actions.
Ethical use of Personal Data: Benefits; Harms; Accountability
