Principles of The Data Privacy Act - Leandro Angelo Y Aguirre


The Data Privacy Act of 2012

Leandro Angelo Y. Aguirre


Deputy Privacy Commissioner
National Privacy Commission
AMBISYON 2040: Matatag, Maginhawa, at Panatag na Buhay (a stable, comfortable, and secure life)

“By 2040, the Philippines is a prosperous middle class society where no one is poor. People live long and healthy lives and are smart and innovative. The country is a high-trust society where families thrive in vibrant, culturally diverse, and resilient communities.”
- 2040.neda.gov.ph
THE DATA PRIVACY ACT FACILITATES
THIS HIGH-TRUST SOCIETY

The law upholds the right to privacy by protecting individual personal information.

The National Privacy Commission protects individual personal information by regulating the processing of personal information.
What type of data is covered?
PERSONAL INFORMATION
Any information whether recorded in a material
form or not, from which the identity of an
individual is apparent or can be reasonably and
directly ascertained by the entity holding the
information, or when put together with other
information would directly and certainly identify
an individual.
What are the alternatives to consent?
For processing of personal information:

• Contract: to supply goods or services they have requested, or to fulfil your obligations under an employment contract. This also includes steps taken at their request before entering into a contract.
• Compliance with a legal obligation: if you are required by law to process the data.
• Vital interests: you can process personal information if it is necessary to protect the data subject’s life and health.
• National emergency: to respond to a national emergency or to comply with the requirements of public order and safety.
• Public task: if you need to process personal information to carry out a public function or service and you have a legal basis for the processing.
• Legitimate interests: for the private sector, you can process personal data without consent if you have a genuine and legitimate reason, unless this is overridden by the fundamental rights and freedoms of the data subject.
SENSITIVE PERSONAL INFORMATION
(1) race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;
(2) health, education, genetic or sexual life of a person;
(3) civil, criminal or administrative proceedings;
(4) unique identifiers issued by government agencies peculiar to an individual;
(5) information specifically established by law as classified.
What are the alternatives to consent?
For processing of sensitive personal information:

• Existing law and regulation: you can process sensitive personal information (SPI) when there is a regulatory enactment which requires the processing.
• Protection of life and health: to protect someone’s life (the data subject or another person), where the data subject is not legally or physically able to express his consent.
• Medical treatment: when processing is carried out by a medical practitioner or a medical treatment institution, and there is an adequate level of protection.
• Lawful rights and interests: when processing is necessary to protect lawful rights and interests in court proceedings, in the establishment, exercise or defense of legal claims, or when provided to a government or public authority.
• Public organizations: refers to processing done by non-stock, non-profit organizations, cooperatives, and the like, where processing is only confined and related to the bona fide members.
What are the obligations of PICs?

OBLIGATIONS of PICs
1. The PIC should collect personal information for specified and legitimate purposes determined and declared before, or as soon as reasonably practicable after, collection.
2. The PIC should collect and process personal information adequately and not excessively.
3. The PIC should process personal information fairly and lawfully, and in accordance with the rights of a data subject.
4. The PIC should process accurate, relevant and up to date personal information.
5. The PIC should retain personal information only for as long as necessary for the fulfillment of the purposes for which the data was obtained. The information should be kept in a form which permits identification of data subjects for no longer than is necessary.
6. The PIC must implement reasonable and appropriate organizational, physical and technical measures intended for the protection of personal information.
THE FIVE PILLARS OF COMPLIANCE

1. Commit to Comply: APPOINT A DATA PROTECTION OFFICER
2. Know Your Risks: CONDUCT A PRIVACY RISK OR IMPACT ASSESSMENT
3. Write Your Plan: CREATE A PRIVACY MANAGEMENT PROGRAM
4. Be Accountable: IMPLEMENT YOUR PRIVACY AND DATA PROTECTION MEASURES
5. Be Prepared for Breach: REGULARLY EXERCISE YOUR BREACH REPORTING PROCEDURE
What are the rights of a data subject?
RIGHTS OF A DATA SUBJECT
THE RIGHT TO INFORMATION

What information must be supplied?

1. Description of the personal data
2. Purposes for processing, including: direct marketing, profiling, or historical, statistical or scientific purpose
3. Basis of processing (legal mandate, contract, etc.)
4. Scope and method of the processing
5. Recipients/classes of recipients to whom the personal data are or may be disclosed
6. Identity and contact details of the personal information controller
7. Retention period
8. Existence of rights as data subjects.
THE RIGHT TO INFORMATION

When should information be provided?

• before the entry of personal data into the processing system; or
• at the next practical opportunity
THE RIGHT TO OBJECT

If a data subject objects/withholds consent, the PIC shall no longer process the personal data, unless the processing is:

1. Pursuant to a subpoena;
2. For obvious purposes, i.e. contract, employer-employee relationship, etc.; or
3. Result of a legal obligation.
THE RIGHT TO ACCESS

Reasonable access to the following:

• Contents of personal data;
• Sources of personal data;
• Names and addresses of recipients of personal data;
• Manner by which such data was processed;
• Reasons for the disclosure of personal data;
• Information on automated processes;
• Date when personal data was last accessed/modified; and
• Name/address of the PIC.
Employee’s Right to access employment records
Advisory Opinion No. 2018-042

1. Can an employee request a copy of the results of his annual physical exam (APE) conducted by the company, for his personal use?

• Even if the company sponsored and shouldered the cost of the APE and the laboratory procedures, the employee has the right to access and ask for a copy of the results and related documentation, subject to the existing company protocol on accessing employee files.

2. Can an employee request a copy of the 201 file, including the trainings attended or results of performance evaluation?

• Generally, employees are allowed reasonable access to their files, especially those they have personally provided the employer during the recruitment and application process.
• The trainings attended may also be disclosed since they are part of the duties, responsibilities and privileges attached to the position.
• A summary of all the ratings given to the employee (without identifying the source) may also be given to the employee.

3. Can a resigned employee request a copy of his personal data and other records retained by the company?

Yes, the employee can request such records if the request falls within the retention period of the employment records, subject to company policies.
THE RIGHT TO ERASURE OR BLOCKING

When does the right apply?

a. When personal data is:
• incomplete, outdated, false, or unlawfully obtained
• used for an unauthorized purpose
• no longer necessary for the purpose
b. Data subject withdraws consent/objects to the processing, and there is no other legal ground/legitimate interest for processing
c. Processing is unlawful
d. PIC or PIP violated the rights of the data subject
THE RIGHT TO RECTIFICATION

• Dispute the inaccuracy or error in the personal data and have the PIC correct it immediately.
• If personal data was disclosed to third parties: the PIC must inform them of the rectification upon reasonable request of the data subject.
THE RIGHT TO DATA PORTABILITY

Right to obtain from the PIC a copy of personal data in an electronic/structured format.

What are the conditions for this right to apply?

• personal data requested concerns the data subject making the request;
• personal data is processed electronically; and
• processing is based on consent or contract.
THE RIGHT TO DAMAGES

The data subject shall be indemnified for any damages sustained due to such inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of personal data, taking into account any violation of his or her rights and freedoms as data subject.
THE RIGHT TO FILE A COMPLAINT

The following may file a complaint:

• Persons who are the subject of the privacy violation or personal data breach, or his or her duly authorized representative
• Persons who are personally affected by a violation of the Data Privacy Act
Data Privacy and Office-Issued Mobile Devices
Advisory Opinion No. 2018-090

1. Is an employer’s access to an employee’s personal iCloud account using an office-issued mobile device a violation of the employee’s right to data privacy?
2. Does it constitute any of the offenses punishable under the DPA?

An employer’s ownership of the device does not rule out the right of employees to privacy of their communications, related location data and correspondence. Employees have an expectation of privacy in their own personal iCloud accounts even if they are logged in using their office-issued mobile devices.

An iCloud account is considered personal information under the law. The act of the employer of accessing an employee’s iCloud account without the employee’s knowledge and consent, and without authority under the law, may constitute unauthorized processing of personal information.

Elements of Unauthorized Processing:
1. The accused processed the information of the data subject;
2. The information processed was personal information;
3. The processing was done without the consent of the data subject or without authority under this Act or any existing law.
CONSENT OF THE DATA SUBJECT

Refers to any freely given, specific, informed indication of will, whereby the data subject agrees to the collection and processing of personal information about and/or relating to him or her. Consent shall be evidenced by written, electronic or recorded means.

It may also be given on behalf of the data subject by an agent specifically authorized by the data subject to do so.
Consent

The data subject agrees to the collection and processing:
• Freely given
• Specific
• Informed indication of will

Evidenced by written, electronic or recorded means:
• signature
• opt-in box/clicking an icon
• sending a confirmation email
• oral confirmation
The Time-Bound Element of Consent
Advisory Opinion No. 2018-058

Is there a need to re-obtain consent when only formal changes were made to the terms and conditions?

“… as long as the purpose, scope, method and extent of the processing remain to be the same as that disclosed to the data subject when consent was given, the consent remains to be valid.”
Effectivity of Consent

• The data subject must be given a real choice.
• Any element of inappropriate pressure or influence which could affect the outcome of that choice renders the consent invalid.
Specificity of Consent

Advisory Opinion No. 2018-063

• Consent, where required, should be specific.
• An enumeration of each and every purpose of the processing in a single paragraph fails to provide the data subject with a genuine choice, since he will still be bound to sign off on the entire provision in toto.

Unbundled Consent
Consent for Business Correspondence
Advisory Opinion No. 2018-046

Is written consent needed when a person offers their contact information?

The processing of business contact information on business cards may be based on the legitimate interest of the PIC to whom such contact information was provided.

“However, if the personal information will be further processed in a way not compatible with the original business purpose or beyond the data subject’s reasonable expectations on the processing of their personal data, consent may be required.”

“… legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller.”
Processing of personal information for Character Reference
Advisory Opinion No. 2018-061

How does legitimate interest apply when it is used as the basis for processing the name and contact number of the character references supplied by an applicant for a loan, making processing permissible even without the consent of the said character reference?

NPC may evaluate whether the PIC correctly relied on legitimate interest as the basis for processing and whether the rights of the data subject could be better protected by other lawful criteria for processing.

It is advised that the company should endeavor to make changes in the processing of loan applications and the forms necessary for such.

Consent given by the character reference can be shown in the application form by having a provision wherein the borrower guarantees and certifies that the character references have been informed by the borrower that his or her personal details will be submitted and that he or she consented to the processing of their personal information.
DATA PRIVACY PRINCIPLES
TRANSPARENCY

A data subject must be aware of the nature, purpose, and extent of the processing of his or her personal data, including the risks and safeguards involved, the identity of the personal information controller, his or her rights as a data subject, and how these can be exercised. Any information and communication relating to the processing of personal data should be easy to access and understand, using clear and plain language.

LEGITIMATE PURPOSE

The processing of information shall be compatible with a declared and specified purpose, which must not be contrary to law, morals, or public policy.
Cold Calls and Emails
Advisory Opinion No. 2018-050

Are cold calls and emails legal under the DPA?

“It is a misconception that publicly accessible personal data can be further used or disclosed for any purpose whatsoever without regulation.”

Publicly sourced personal data fall under the protection of the DPA. The reasonable expectation of the data subject on the purpose for processing of his or her personal information at the time of its collection becomes a crucial consideration.

Legitimate interests will be applicable where a PIC has a relevant and appropriate relationship with the data subject. In the absence of a pre-existing relationship, the PIC must demonstrate that the processing can be reasonably expected, particularly if the personal information was collected and obtained from a third party.
PROPORTIONALITY

The processing of information shall be adequate, relevant, suitable, necessary, and not excessive in relation to a declared and specified purpose. Personal data shall be processed only if the purpose of the processing could not reasonably be fulfilled by other means.
Employer’s Access to Employees’ Healthcare Service Usage
Advisory Opinion No. 2017-025

Can a company be provided a detailed summary of its employees’ healthcare service usage to ensure that an employee does not have a contagious disease or any illness that could put other employees at risk before they return to work?

The fact that a company shoulders the premium for HMO coverage is not one of the conditions under the DPA that would justify access of the employer to the health information of their employees. A company must obtain the consent of the data subject so that it can have access.

• An employee may be asked to provide medical certificates showing that he or she is fit to work before being allowed to return to work, to ensure that an employee does not have a contagious disease or any illness that could put other employees at risk.
Access to Employee 201 Files and Medical Records
Advisory Opinion No. 2019-010

May internal auditors be refused access to the 201 files of employees, given that such records are required for the following procedures:
a. Review of employee requirements for compliance with company policy;
b. Review of payroll for re-computation and accuracy of payouts;
c. Review of medical records to confirm that the employee is fit to work and does not have any communicable disease; and
d. Review of other employee benefits provided to employees related to their home address.

Internal auditors may be allowed access to the 201 files of employees, which may contain personal information, only insofar as may be necessary for their functions, which may include the inspection and examination of employee requirements, payroll, and benefits.

Since the employees’ 201 files may contain sensitive personal information, access to such files must be regulated by institutionalized policies on authority to access.

The company must establish access controls, particularly by granting only limited authority to access 201 files to the Internal Audit Department. This can be done by requiring a security clearance.
facebook.com/privacy.gov.ph

twitter.com/privacyPH

[email protected]
