PERSONAL INFORMATION IN INFORMATION AND COMMUNICATION SYSTEMS IN THE GOVERNMENT AND THE PRIVATE SECTOR, CREATING FOR THIS PURPOSE A NATIONAL PRIVACY COMMISSION, AND FOR OTHER PURPOSES
The Data Privacy Act was signed into law on August 15, 2012 and came into effect on 8 September 2012.
State Policies
(Section 2 of RA 10173)
State policy to protect the fundamental human right of privacy without hindering free flow of information to promote innovation and growth
Vital role of information and communications technology in nation-building
State obligation to ensure security and protection of personal data in information and communications systems
Scope and Coverage
(Section 4 of RA 10173)
Rights of the Data Subject
Section 16 subsection (a) [Informed process]
1. Data subject has the right to know that his/her personal data is being processed, shall be processed or will be processed
2. Personal data shall never be processed / collected without explicit consent from the data subject
Rights of the Data Subject
Section 16 subsection (b) [Furnished info.]
2. Before entry of personal information into the processing system or at the next practical opportunity, afford the data subject the right to be furnished the following information: (8)
Rights of the Data Subject
Section 16 subsection (b) [Furnished info]
e) If allowed by data subject, the methods utilized for automated access and the extent to which access is authorized
f) Identity and contact details of the personal information controller or its representative
g) Period for which the information is stored
h) The existence of their rights such as right to access, right to correction, and right to lodge a complaint before the Commission
Rights of the Data Subject
Section 16 subsection (b) [Furnished info]
General Rule:
Rights of the Data Subject
Section 16 subsection (b) [Furnished info]
Exception: When prior notification is not required
Rights of the Data Subject
Section 16 subsection (c) [Access]
3. Upon demand, reasonable access to the following: (8)
a) Contents of personal information processed
b) Source from which info was obtained
c) Names and addresses of recipients
d) Manner by which the data was processed
e) Reasons for disclosure of personal info
f) Information on automated processes
Rights of the Data Subject
Section 16 subsection (c) [Access]
g) Date when the personal information was last accessed and/or modified
h) Designation, name, or identity and the address of the personal information controller
Rights of the Data Subject
Section 16 subsection (d) [Dispute]
4. Dispute the inaccuracy or error in the personal information; and have the personal information controller correct it immediately and accordingly
Rights of the Data Subject
Section 16 subsection (d) [Dispute]
If personal information is corrected, the personal information controller shall ensure the accessibility of both the new and retracted information AND the simultaneous receipt of both by recipients thereof.
RIGHT TO REMOVE
Rights of the Data Subject
Section 16 subsection (e) [Suspend/Remove]
5. Upon discovery and substantial proof that the personal information are incomplete, outdated, false, unlawfully obtained, used for unauthorized purposes, or are no longer necessary for the purposes for which they were collected:
Suspend, withdraw or order the blocking, removal or destruction of the personal information from the personal information controller’s filing system
The personal information controller may notify third party recipients of such processed personal information
RIGHT TO DAMAGES
Rights of the Data Subject
Section 16 subsection (f) [Damages]
Right to Data Portability
Section 18
Where personal information is processed by electronic means and in a structured and commonly used format, the data subject shall have the right to obtain from the personal information controller a copy of the data undergoing processing in an electronic or structured format, which is commonly used and allows for further use by the data subject.
The Commission may specify the electronic format referred to above, as well as technical standards, modalities and procedures for their transfer.
RIGHT TO FILE A COMPLAINT
if personal information has been misused, maliciously disclosed or improperly disposed.
Functions of the Commission
The National Privacy Commission:
administers and implements the provisions of this Act
monitors and ensures compliance with international standards set for data protection
Section 8: Confidentiality
WHO MAY FILE A COMPLAINT?
The National Privacy Commission (NPC), on its own initiative;
Those who have suffered a data privacy violation or personal data breach; and
Persons who are personally affected by a violation of the Data Privacy Act of 2012 (Republic Act No. 10173).
RULE OF EXHAUSTION OF REMEDIES
This rule means that in filing the complaint, a complainant must be able to show that there was an opportunity offered in good faith to have the respondent comply with any legal obligations involving data protection and privacy.
HOW TO FILE A COMPLAINT?
File a complaint-affidavit together with copies of any evidence and witnesses’ affidavit through the following:
Who may invoke rights of data subject
Section 17
1. Data subject; or
Data Privacy Principles
There are four general principles with respect to the collection and processing of personal data which personal information controllers are obliged to follow or adhere to.
CHAPTER III
PROCESSING OF PERSONAL INFORMATION
PRINCIPLE OF TRANSPARENCY
PRINCIPLE OF TRANSPARENCY
1. Personal Information Controller must determine and disclose the purpose for processing a person’s data before its collection or as soon as practicable.
2. Consent of the data subject on the collection and processing of his data should first be obtained, subject to exemptions provided by laws and regulations.
PRINCIPLE OF TRANSPARENCY
3. In obtaining his consent, the data subject must be informed of the nature, purpose, and extent of the processing of such personal data, including the risks and safeguards involved, the identity of the personal information controller, his rights as a data subject as well as how these can be exercised.
PRINCIPLE OF LEGITIMATE PURPOSE
Personal Information Controller is obliged to ensure:
PRINCIPLE OF PROPORTIONALITY
PRINCIPLE OF PROPORTIONALITY
The processing of personal information must be relevant to, and must not exceed, the declared purpose.
The personal information may be retained only for as long as necessary for the fulfillment of the purposes for which the data was obtained or for the establishment, exercise, or defense of legal claims, or as provided by law.
DATA QUALITY PRINCIPLE
DATA QUALITY PRINCIPLE
The data quality principle requires that personal data should be accurate and kept up to date.
CHAPTER VIII: PENALTIES
Unauthorized Processing
Section 25
Unauthorized Processing – processing of information without consent of data subject, or without being authorized by the law.
(a) For personal information – Imprisonment between 1 to 3 years and fine between P500,000 to P2,000,000.
(b) For sensitive personal information – Imprisonment between 3 to 6 years and fine between P500,000 to P4,000,000.
Providing Unauthorized Access
Section 26
Providing Unauthorized Access – Due to negligence, provides access to information without being authorized by law.
(a) Personal Information – Imprisonment from 1 to 3 years and fine from P500,000 to P2,000,000.
(b) Sensitive Personal Information – Imprisonment from 3 to 6 years and fine from P500,000 to P4,000,000.
Improper Disposal
Section 27
Improper disposal – knowingly or negligently dispose, discard, or abandon information in a public area or in a container for trash collection.
(a) Personal Information – Imprisonment from 6 months to 2 years and fine from P100,000 to P500,000.
(b) Sensitive Personal Information – Imprisonment from 1 year to 3 years and fine from P100,000 to P1,000,000.
Unauthorized Access or Intentional Breach – Section 29
Knowingly and unlawfully (or violating data confidentiality and security data systems) breaks into any system where personal and sensitive personal information are stored.
Combination or Series of Acts
Section 33
Any combined violations of Sections 25 to 32
Extent of Liability
Section 34
If violation is committed by a juridical entity, the penalty shall be imposed upon the responsible officers who participated in, or by gross negligence, allowed the commission of the crime.
Offenses by Public Officer
Section 36