On 15 August 2012 President Benigno Aquino, Jr. signed into law Republic Act (RA) 10173, the Data Privacy Act of 2012. This law aims to protect the fundamental right of privacy of communication while ensuring the free flow of information to promote innovation and growth. (Sec. 2, RA 10173)
One of the important goals of the aforementioned law is to protect an individual’s personal information from unauthorized processing by any natural or juridical person.
The following are the salient portions of RA 10173.
WHAT KIND OF INFORMATION DOES THE DATA PRIVACY ACT OF 2012 PROTECT?
Personal Information – which refers to any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information or when put together with other information would directly and certainly identify an individual. (Ibid, Sec. 3[g])
Sensitive personal information – which refers to personal information:
- About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;
- About an individual’s health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings;
- Issued by government agencies peculiar to an individual which includes, but not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns; and
- Specifically established by an executive order or an act of Congress to be kept classified. (Ibid, Sec. 3[l])
WHAT BODY DID THE DATA PRIVACY ACT OF 2012 ESTABLISH TO IMPLEMENT THE LAW?
RA 10173 established the National Privacy Commission (NPC) which is tasked to administer and implement the provisions of the said law, and to monitor and ensure compliance of the Philippines with international standards set for data protection.
The NPC's responsibilities, among others, are to ensure compliance of personal information controllers with the law, receive complaints, institute investigations, facilitate or enable settlement of complaints through the use of alternative dispute resolution processes, adjudicate, award indemnity on matters affecting any personal information, and prepare reports on the disposition of complaints and the resolution of any investigation it initiates.
Further, the NPC can issue cease and desist orders and impose a temporary or permanent ban on the processing of personal information upon finding that the processing will be detrimental to national security and public interest. Also, the NPC can compel or petition any entity, government agency, or instrumentality to abide by its orders or take action on a matter affecting data privacy. (Ibid, Sec. 7)
UNDER THE DATA PRIVACY ACT, WHAT ARE THE CRITERIA FOR LAWFUL PROCESSING OF PERSONAL INFORMATION?
Section 13 of RA 10173 provides the criteria for lawful processing of personal information, including the following:
- The data subject has given his or her consent;
- The processing of personal information is necessary and is related to the fulfillment of a contract with the data subject or in order to take steps at the request of the data subject prior to entering into a contract;
- The processing is necessary for compliance with a legal obligation to which the personal information controller is subject;
- The processing is necessary to protect vitally important interests of the data subject, including life and health;
- The processing is necessary in order to respond to national emergency, to comply with the requirements of public order and safety, or to fulfill functions of public authority which necessarily includes the processing of personal data for the fulfillment of its mandate; or
- The processing is necessary for the purposes of the legitimate interests pursued by the personal information controller or by a third party or parties to whom the data is disclosed, except where such interests are overridden by fundamental rights and freedoms of the data subject which require protection under the Philippine Constitution.
WHAT ARE THE EXEMPTIONS TO PROCESSING OF PERSONAL INFORMATION AND PRIVILEGED INFORMATION?
- The data subject has given his or her consent, specific to the purpose prior to the processing, or in the case of privileged information, all parties to the exchange have given their consent prior to processing;
- The processing of the same is provided for by existing laws and regulations: Provided, That such regulatory enactments guarantee the protection of the sensitive personal information and the privileged information: Provided, further, That the consent of the data subjects are not required by law or regulation permitting the processing of the sensitive personal information or the privileged information;
- The processing is necessary to protect the life and health of the data subject or another person, and the data subject is not legally or physically able to express his or her consent prior to the processing;
- The processing is necessary to achieve the lawful and noncommercial objectives of public organizations and their associations: Provided, That such processing is only confined and related to the bona fide members of these organizations or their associations: Provided, further, That the sensitive personal information are not transferred to third parties: Provided, finally, That consent of the data subject was obtained prior to processing;
- The processing is necessary for purposes of medical treatment, is carried out by a medical practitioner or a medical treatment institution, and an adequate level of protection of personal information is ensured; or
- The processing concerns such personal information as is necessary for the protection of lawful rights and interests of natural or legal persons in court proceedings, or the establishment, exercise or defense of legal claims, or when provided to government or public authority. (Ibid, Sec. 13)
IS THE PERSONAL INFORMATION CONTROLLER ALLOWED TO CONTRACT OUT THE PROCESSING OF PERSONAL INFORMATION TO A THIRD PARTY?
Yes, a personal information controller is allowed to subcontract the processing of personal information. However, the personal information controller remains responsible for ensuring that proper safeguards are in place to ensure the confidentiality of the personal information processed, to prevent its use for unauthorized purposes, and generally to comply with the requirements of this Act and other laws for the processing of personal information. The personal information processor shall comply with all the requirements of this Act and other applicable laws. (Ibid, Sec. 14)