Professional Documents
Culture Documents
Ra 10173
Ra 10173
Ra 10173
Lost or stolen laptops, removable storage devices, or paper records containing personal
information
Hard disk drives and other digital storage media (integrated in other devices, for
example, multifunction printers, or otherwise) being disposed of or returned to equipment
lessors without the contents first being erased
Loss of reputation
Legal liabilities
RIGHT TO PRIVACY
The most comprehensive of rights and the right most valued by civilized men.
HIPPOCRATIC OATH
“Whatever I see or hear, whether professionally or privately which ought not to be divulged, I
will keep secret and tell no one.” -Hippocrates
SECTION 1. Short Title. — This Act shall be known as the "Data Privacy Act of 2012".
The National Privacy Commission (NPC) is a body that is mandated to administer and
implement this law. The functions of the NPC include:
rule-making
advisory
public education
enforcement.
Sept. 9, 2016 — IRRs came into effect (comply with all provisions except registration
requirements)
Registration Requirements: All personal data processing systems (DPS) operating in the
Philippines that involve Personally Identifiable Information (PII) concerning at least 1,000
individuals/personal records must be registered with NPC
Doctor-Patient Confidentiality
Full disclosure of information on the part of the patient is a prerequisite to quality care and
better health outcomes.
Communication between doctor and patient is generally considered privileged and should
not be inquired upon even by the Courts. The provision is intended to make sure that
information obtained by physicians in the course of treatment will not be used to blacken the
reputation of a patient (Rules of Court).
Protecting Patients from Harm includes Respect for their Right to Privacy
Health information is valuable and its unauthorized use or disclosure may put patients at risk
for unwanted publicity, discrimination, identity theft and other acts prejudicial to the patient.
The individual's ability to control the flow of information concerning or describing him,
which however legitimate public must be overbalanced by concerns. To deprive an
individual of his power to control or determine whom to share information of his details
would deny him of his right to personal his own personhood.
It is the policy of the State to protect the fundamental human right of privacy, of
communication while ensuring free flow of information to promote innovation and growth.
Data Subjects
Data Privacy Act applies to the processing of personal data by any natural and juridical
person in the government or private sector.
Personal Data
Any information that can be put together with other information to reasonably and directly
identify an individual
Includes sensitive personal information such as your health, education, genetic or sexual life
1. Personal Information
Personal information refers to any information whether recorded in a material form or not,
from which the identity of an individual is apparent or can be reasonably and directly
ascertained by the entity holding the information, or when put together with other
information would directly and certainly identify an individual.
Refers to personal information about an individual's: race, ethnic origin, marital status, age,
color, religious, philosophical or political affiliations, health, education, genetics, sexual life,
any proceeding for any offense committed or alleged to have been committed, the disposal
of such proceedings, the sentence of any court in such proceedings;
PERSONAL DATA
Personal Information
Name
Address
Place of work
Telephone number
Gender
IP address
Birth date
Birth place
Country of citizenship
Citizenship status
Contact information
Race
Ethnic origin
Marital status
Age
Color
Religious affiliation
Philosophical affiliation
Political affiliation
Health
Education
Genetics
Sexual life
Proceeding for any offense committed or alleged to have been committed, the disposal of
such proceeding, the sentence of any court in such proceedings
Tax returns
Websites visited
Materials downloaded
Grievance information
Discipline information
Data received within the context of a protected relationship - husband and wife
Data received within the context of a protected relationship - attorney and client
Data received within the context of a protected relationship - priest and penitent
Data received within the context of a protected relationship - doctor and patient
1. Acquisition
2. Storage
3. Use
4. Transfer
5. Destruction
1. Law
3. Business Needs
In what form and through which channels? For what purpose do you collect personal data?
How is it used?
DE-IDENTIFICATION
Geographic subdivisions smaller than a state, including street address, city, county, precinct,
ZIP Code, equivalent geocodes, except for the initial three digits of the ZIP code if more
than 20,000 people
Telephone numbers
Fax numbers
Email addresses
Account numbers
Certificate/license numbers
Web URLs
Photos
Individual, Corporation, other body the one who controls the processing of personal
data, the one who decides
There is control if the natural or juridical person or any other body decides on what
information is collected, or the purpose or extent of its processing.
Individual, Corporation or other body who processes the personal data for a Personal
Information Controller
Personal information processor should not make use of personal data for its own
purpose
Data Subjects
Controls the processing of personal data, or instructs another to process personal data on
its behalf.
Independent body mandated to administer and implement the DPA of 2012, and to
monitor and ensure compliance of the country with international standards set for
personal data protection
Principles of DPA
Transparency
Legitimacy
Proportionality
The data subject must be aware of the nature, purpose, and extent of the processing of his or
her personal data, including the risks and safeguards involved, the identity of the personal
information controller, his or her rights as a data subject, and how these can be exercised.
Any information and communication relating to the processing of personal data should be
easy to access and understand, using clear and plain language.
PRIVACY NOTICE
HOW personal data will be collected, used, accessed and stored, including security measures
in place
Automated processing that will be basis of making decisions that would affect data
subject
The identity and contact details of the personal data controller or its representative
The recipients or classes of recipients to whom the personal data are or may be
disclosed
RIGHTS OF DATA SUBJECTS, including the right to file a complaint before the National
Privacy Commission.
Right to Information
Right to Object
Right to Access
Right to Correct
Right to Erase
Right to Damages
Right to be Informed
Under R.A. 10173, your personal data is treated almost literally in the same way as your
own personal property. Thus, it should never be collected, processed and stored by any
organization without your explicit consent, unless otherwise provided by law. Information
controllers usually solicit your consent through a privacy notice. Aside from protecting you
against unfair means of personal data collection, this right also requires personal information
controllers (PICS) to notify you if your data have been compromised, in a timely manner.
As a data subject, you have the right to be informed that your personal data will be, are
being, or were, collected and processed.
The Right to be Informed is a most basic right as it empowers you as a data subject to
consider other actions to protect your data privacy and assert your other privacy rights.
Right to Object
Your consent is necessary before any organization can LAWFULLY collect and process your
personal data. If without your consent, any such collection and processing of personal
information by any organization can be contested as unlawful or ILLEGAL, and would
therefore be answerable to the Data Privacy Act of 2012.
In case you already gave your consent by agreeing to an organization's privacy notice, you
can withdraw consent if the personal information processor decided to amend said notice. In
fact, the personal information processor has the obligation to notify you of changes to their
privacy notice and must explicitly solicit your consent once again.
Right to Access
This is your right to find out whether an organization holds any personal data about you and
if so, gain "reasonable access” to them. Through this right, you may also ask them to provide
you with a written description of the kind of information they have about you as well as their
purpose/s for holding them.
Under the Data Privacy Act of 2012, you have a right to obtain from an organization a copy
of any information relating to you that they have on their computer database and/or manual
filing system. It should be provided in an easy-to-access format, accompanied with a full
explanation executed in plain language.
Information on automated systems where your data is or may be available, and how it
may affect you.
Under the law, you have the right to suspend, withdraw or order the blocking, removal or
destruction of your personal data. You can exercise this right upon discovery and substantial
proof of the following:
The data is no longer necessary for the purposes for which they were collected.
You decided to withdraw consent, or you object to its processing and there is no overriding
legal ground for its processing.
The data concerns information prejudicial to the data subject - unless justified by freedom of
speech, of expression, or of the press; or otherwise authorized (by court of law)
The personal information controller, or the personal information processor, violated your
rights as a data subject.
Right to Damages
You may claim compensation if you suffered damages due to inaccurate, incomplete,
outdated, false, unlawfully obtained or unauthorized use of personal data, considering any
violation of your rights and freedoms as data subject.
You have the right to dispute and have corrected any inaccuracy or error in the data a
personal information controller (PIC) holds about you. The PIC should act on it immediately
and accordingly, unless the request is vexatious or unreasonable. Once corrected, the PIC
should ensure that your access and receipt of both new and retracted information. PICs
should also furnish third parties with said information, should you request it.
IRR, Section 36
This right assures that YOU remain in full control of YOUR data. Data portability allows
you to obtain and electronically move, copy or transfer your data in a secure manner, for
further use. It enables the free flow of your personal information across the internet and
organizations, according to your preference. This is important especially now that several
organizations and services can reuse the same data.
Data portability allows you to manage your personal data in your private device, and to
transmit your data from one personal information controller to another. As such, it promotes
competition that fosters better services for the public.
Transmissibility of Rights
IRR, Section 35
Just like any physical property, such as real estate, you can assign your rights as a data
subject to your legal assignee or lawful heir. Similarly, you may assert another person's
rights as a data subject, provided he or she authorized you as a "legal assignee".
You may also invoke another person's data privacy rights after his or her death if you are his
or her legal heir. This same principle applies to parents of minors, or their legal guardian,
who are responsible for asserting their rights on their behalf.
This right, however, is not applicable in case the processed personal data being contested are
used only for scientific and statistical research.
Limitations on Rights
The provisions of the law regarding transmissibility of rights and the right to data portability
will not apply if the processed personal data are used only for the needs of scientific and
statistical research and, based on such, no activities are carried out and no decisions are
taken regarding the data subject. There should also be an assurance that the personal data
will be held under strict confidentiality and used only for the declared purpose.
They will not also apply to the processing of personal data gathered for investigations in
relation to any criminal, administrative or tax liabilities of a data subject. Any limitations on
the rights of the data subject should only be to the minimum extent necessary to achieve the
purpose of said research or investigation.
Processing of personal data should have the individual's consent, or must be authorized
by the Constitution or by law.
CONSENT — refers to any freely given, specific, informed indication of will, whereby the
data subject agrees to the collection and processing of personal information about and/or
relating to him or her
The complainant attended the accident and emergency department of a public hospital. A
few months later, she was contacted by an organization carrying out research. The
researchers knew when she had attended the hospital and why, and they asked her to answer
some questions.
The Hospital was in fact aware of its obligations under the Data Protection Act, but it
contended that it had met these in two ways:
It listed "personnel engaged in medical research" as disclosed in its entry in the Public
Register of Data Controllers.
It made patients aware of the research project by putting a NOTICE in the waiting area
of the accident and emergency department. This notice told patients that the hospital
intended to disclose their information to the researchers, and invited them to let
the receptionist know if they objected.
On the Noticed Placed in the waiting area: The issue to be decided was whether this was
an adequate way of informing patients that their information would be disclosed to the
researchers.
In different circumstances, it might have been. In this case, however, accounts ought to
have been taken of the particular environment in which patients' data were obtained.
Many patients presenting themselves at the casualty department of a hospital may be
expected to be in a state of some anxiety or discomfort. Consequently, they may not be
expected to be alert to matters not relating directly to their condition. In such
circumstances there is a special need for the data controller to satisfy itself that any uses
of the data which are unlikely to be anticipated by the data subject are fully explained.
Legitimate interests
Law/Regulation
Processing is necessary to protect the life and health of the data subject or another person,
and the data subject is not legally or physically able to express his or her consent prior to the
processing (Emergency, Public Health Emergency)
Johns Hopkins Hospital to pay $190M settlement after gynecologist secretly recorded
patients.
SECURITY MEASURES
Processing operations
Sector or Industry
The DPO should possess specialized knowledge and demonstrate reliability necessary for
the performance of his or her duties and responsibilities.
Security measures
Address risks
Privacy Manual
Overview
Policies and procedures for data subjects to exercise their rights under the Act
Revised Rules of Evidence, Rules of Court, Section 24 (c), Rule 128: Disqualification by
(March 14, 1989) reason of privileged communication. The
following persons cannot testify as to matters
learned in confidence in the following cases:
A person authorized to practice medicine,
surgery or obstetrics cannot in a civil case,
Recommendations for Social Media Use in Hospitals and Health Care Facilities
Social Media is the new avenue for creating connections and sharing of information.
Through social media, one can reach a global community. In recent years, we have seen how
social media has changed the way we do things. Social Media has been extensively utilized
for health education and promotion, proving itself to be an invaluable tool for public health,
professional networking and patient care benefit.
Design of office space and workstations, including the physical arrangement of furniture and
equipment, shall provide privacy to anyone processing personal data, taking into
consideration the environment and accessibility to the public
The room and workstation used in the processing of personal data shall, as far as practicable,
be secured against natural disasters, power disturbances, external access. and other similar
threats.
Record rooms, work stations, and data centers should have limited access.
CRIME PENALTIES
Php500,000 - Php2,000,000
Access to Personal/Sensitive
1-6 years
Information due to Negligence
Php500,000 - Php4,000,000
Php500,000 - Php1,000,000