DPA Hand Out
Informational Privacy
Right to control the collection, maintenance, use, and dissemination of data about oneself.
Personal Data
• Any information from which the identity of an individual is apparent
• Any information that can be put together with other information to reasonably and directly
identify an individual
• Includes sensitive personal information such as your health, education, genetic or sexual life
• Includes information that is classified or privileged
Sensitive Personal Information
refers to personal information:
1. About an individual’s race, ethnic origin, marital status, age, color, and religious,
philosophical or political affiliations;
2. About an individual’s health, education, genetic or sexual life of a person, or to any
proceeding for any offense committed or alleged to have been committed by such person,
the disposal of such proceedings, or the sentence of any court in such proceedings;
3. Issued by government agencies peculiar to an individual which includes, but not limited to,
social security numbers, previous or current health records, licenses or its denials,
suspension or revocation, and tax returns; and
4. Specifically established by an executive order or an act of Congress to be kept classified.
Personal Information v. Sensitive Personal Information
Data Subjects
“Data subject” refers to an individual
whose personal, sensitive personal, or
privileged information is processed.
• Personal Information Controller (PIC): Excludes those who process only as instructed by another
• Personal Information Processor (PIP): Should not use or process personal data for own purpose
[Diagram: Personal Information Controller (PIC) and Personal Information Processor (PIP), linked by an Outsourcing Contract / Service Agreement. Labels: Instructions/Terms; Documents/Files/Personal Information; Processing/Output]
Accountability
Special Cases
The Act does not apply to the following
Information processed for purpose of allowing public access to information that fall
within matters of public concern
• About Government employees or officials in relation to position or functions
• About individuals performing service under contract with government, as it
relates to service
• Those relating to a benefit of a financial nature conferred on an individual upon
the discretion of the government, such as the granting of a license or permit
• Information necessary for banks and other financial institutions to comply with
Republic Act No. 9510 (CISA), and Republic Act No. 9160 (AMLA)
• Personal information originally collected from residents of foreign jurisdictions in
accordance with the laws of those foreign jurisdictions, including any applicable
data privacy laws, which is being processed in the Philippines.
Data Privacy Act, Section 38. Interpretation. – Any doubt in the interpretation of any
provision of this Act shall be liberally interpreted in a manner mindful of the rights
and interests of the individual about whom personal information is processed.
Data Privacy Principles
[Diagram labels: Data Privacy Principles; Security Measures]
[Diagram: Data Privacy Principles: Legitimate Purpose; Proportionality; Transparency]
Transparency. The data subject must be aware of the nature, purpose, and extent of
the processing of his or her personal data, including the risks and safeguards
involved, the identity of personal information controller, his or her rights as a data
subject, and how these can be exercised.
Legitimate Purpose
• CONSENT refers to any freely given, specific, informed indication of will, whereby
the data subject agrees to the collection and processing of personal information
about and/or relating to him or her
• The consent shall be evidenced by written, electronic or recorded means.
Criteria for Lawful Processing
• Protect vitally important interests of the data subject, including life and health
• Protect life and health of any person, where data subject physically or legally unable to consent
• National emergency, to comply with the requirements of public order and safety, or to fulfill functions of public authority
• Protection of lawful rights and interests of natural or legal persons in court proceedings, legal claims, provided to government authority
• A video of an agitated and critical patient, with blood on his face, body, and
clothes, went viral. He was shown lying down on a stretcher, trying to stand up. He
appeared to be begging for help. Hospital staff, not seen in the video, recorded
him. It was also hospital staff that posted the video on social media.
• The patient later died. Netizens are criticizing the hospital and its staff for allegedly
abandoning the patient.
Proportionality
• The processing of information shall be adequate, relevant, suitable, necessary, and not
excessive in relation to a declared and specified purpose. Personal data shall be processed
only if the purpose of the processing could not reasonably be fulfilled by other means.
• Do you collect only personal data you need?
• Do you limit personal data used or shared only to that which is necessary
• Do you still store personal data even if you no longer need it?
Data Protection Excellence Network, A Comparative Review of Contact Tracing Apps in ASEAN Countries, available at https://www.dpexnetwork.org/articles/comparative-review-contact-tracing-apps-asean-countries/ (last accessed June 19, 2020).
Rights of Data Subjects
Transmissibility
•Section 17. Transmissibility of Rights of the Data Subject. – The lawful heirs and
assigns of the data subject may invoke the rights of the data subject for, which he or
she is an heir or assignee at any time after the death of the data subject or when the
data subject is incapacitated or incapable of exercising the rights as enumerated in
the immediately preceding section.
Security Measures
[Diagram labels: Data Privacy; DPO; PIA; Privacy Management Program; Privacy and Data Protection Measures; Breach Management; Data Privacy Principles; Security Measures; Rights of Data Subjects; Accountability; Privacy Champion]
Assessment
• Security measures
• Transfer outside country
Identify and Assess Privacy Risks
• Privacy Risk Identification
• Privacy Risk Analysis
• Privacy Risk Evaluation
Address risks
Privacy Impact Assessment
• What do I process and how?
• Do I comply with law?
• What are the risks?
• What can I do about it?
• When will I re-assess?
The determination of the appropriate level of security for an agency or
organization processing personal data shall take into account the nature of the
personal information to be protected, the risks represented by the processing to
the rights and freedoms of data subjects, the size of the organization and
complexity of its operations, current data privacy best practices and the cost of
security implementation (Section 20(c) of the DPA; Section 29 of its IRR)
Picture from ICRC Safe Access, Context and risk Assessment available at http://saferaccess.icrc.org/practical-toolbox/context-and-risk-assessment/
Privacy Management Program
[Diagram: Privacy Management Program: Organizational Commitment (Governance); Program Controls; Continuing Assessment and Development (Continuity & Privacy Ecosystem)]
• A Privacy Management Program helps organizations demonstrate compliance
with the DPA
• A practical approach to manage different activities related to data protection.
Management Buy-in
A. Choose a DPO
B. Register
C. Records of processing activities
D. Conduct PIA
E. Privacy Management Program
F. Privacy Manual
G. Privacy Notice
H-O. Data Subject Rights
P. Data Life Cycle
Q. Organization
R. Physical
S. Technical
• Data Center
• Encryption
• Access Control Policy
T. Data Breach Management
• Security Policy
• Data Breach Response Team
• Incident Response Procedure
• Document
• Breach Notification
U. Third Parties
• Legal Basis for Disclosure
• Data Sharing Agreements
• Cross Border
V. Trainings & Certifications
W. Security Clearance
X. Continuing Assessment and Development
• Regular PIA
• Review Contracts
• Internal Assessment
• Review PMP
• Accreditation
Y. New Technologies and standards
Z. New Legal Requirements
Collection
-Privacy Notice
-Consent Forms
Storage and Retention
-Biometric Locks
-Vulnerability assessment, penetration testing
Sharing and Transfers
-Data sharing agreements
-Encryption at rest and in Transit
Who should notify
The personal information controller, which controls the processing of information,
even if processing is outsourced or subcontracted to a third party.
What are the contents of notification to Commission
In general-
1. Nature of the breach
2. Sensitive personal information possibly involved
3. Measures taken by the entity to address the breach
4. Details of contact person for more information
CRIME: Unauthorized Processing
Processing personal data without the consent of the data subject, or without being
authorized under DPA or any existing law.
IMPRISONMENT: 1yr – 6 yrs
FINE: Php500,000 to Php4,000,000

CRIME: Access to Personal/Sensitive Information due to Negligence
Persons who provide access to personal data due to negligence, without being
authorized under DPA or any existing law.
IMPRISONMENT: 1-6 years
FINE: Php500,000 to Php4,000,000

CRIME: Improper Disposal
Negligently dispose, discard or abandon personal data of an individual in an area
accessible to the public or placed in its container for trash collection.
IMPRISONMENT: 6 months – 3 years
FINE: Php 100,000 to Php 1,000,000

CRIME: Processing of Personal/Sensitive Information for Unauthorized Purpose
Processing personal data for other purposes which are no longer authorized by law
or consent
IMPRISONMENT: 1yr 6mos – 7 years
FINE: Php500,000 to Php2,000,000

CRIME: Unauthorized Access or Intentional Breach
Persons who knowingly and unlawfully, or violating data confidentiality and security
data systems, breaks in any way into any system where personal data is stored.
IMPRISONMENT: 1-3 years
FINE: Php500,000 to Php2,000,000

CRIME: Concealment of Security Breach
Persons who, after having knowledge of a security breach involving sensitive
personal information and of the obligation to notify the Commission, intentionally
or by omission conceals the fact. [Duty to notify Privacy Commission in case of
breach (within 72 hours)]
IMPRISONMENT: 1yr 6mos – 5 years
FINE: Php500,000 to Php1,000,000

CRIME: Malicious Disclosure
Any PIC or PIP or any of its officials, employees or agents, who, with malice or in
bad faith, discloses unwarranted or false information relative to any personal data
obtained by him or her
IMPRISONMENT: 1yr 6mos – 5 years
FINE: Php 500,000 to Php 1,000,000

CRIME: Unauthorized Disclosure
Any personal information controller or personal information processor or any of its
officials, employees or agents, who discloses to a third party personal information
not covered by malicious disclosure
IMPRISONMENT: 1 yr – 5 years
FINE: Php 500,000 to Php 2,000,000
Section 34. Extent of Liability
• The maximum penalty in the scale of penalties respectively provided for the
preceding offenses shall be imposed when the personal information of at least
one hundred (100) persons is harmed, affected or involved as the result of the
above mentioned actions.
Ethical use of Personal Data
[Diagram labels: Benefits; Harms; Accountability]