Data Privacy Act of 2012
Republic Act No. 10173
ATTY. ANGELINE P. ROGEL
DEPARTMENT OF TRANSPORTATION – PHILIPPINES
INTEGRATED BAR OF THE PHILIPPINES (PAMPANGA CHAPTER)
Background
REPUBLIC ACT NO. 10173
“AN ACT PROTECTING INDIVIDUAL
PERSONAL INFORMATION IN INFORMATION
AND COMMUNICATIONS SYSTEMS IN THE
GOVERNMENT AND THE PRIVATE SECTOR,
CREATING FOR THIS PURPOSE A NATIONAL
PRIVACY COMMISSION, AND FOR OTHER
PURPOSES”
Section 1. Short Title. – This Act shall be
known as the "Data Privacy Act of 2012".
August 15, 2012 – Approved and signed
into law by President Benigno S. Aquino III
Scope and Application
Section 4. Scope. – This Act applies to the
processing of all types of personal
information and to any natural and juridical
person involved in personal information
processing including those personal
information controllers and processors who,
although not found or established in the
Philippines, use equipment that are located in
the Philippines, or those who maintain an
office, branch or agency in the Philippines… xxx
Data Privacy Act of 2012
Protection of individuals from
unauthorized processing of personal
information.
Scope of Protection
Personal Information
Sensitive Personal Information
Personal Information
Personal Information:
(1) private, not publicly available; and
(2) identifiable, where the identity of the
individual is apparent either through
direct attribution or when put together
with other valuable information.
Sensitive Personal Information
Information about the following:
(a) Individual’s race, ethnic origin, marital
status, age, color and religious,
philosophical or political affiliations;
(b) Individual’s health, education, genetic or
sexual life of a person, or to any
proceeding for any offense committed or
alleged to have been committed by such
person, the disposal of such proceedings, or
the sentence of any court in such
proceedings;
(c) Issued by government agencies peculiar
to the individual (e.g. Social security
numbers, licenses, tax returns, etc.);
(d) Those information classified by law as
sensitive and personal
Salient Features of the Law
Creation of the NATIONAL PRIVACY
COMMISSION;
Procedures to be followed in the
COLLECTION, PROCESSING and HANDLING
of personal information;
The rights of DATA SUBJECTS
The National Privacy Commission
Section 7 of RA 10173 creates the National
Privacy Commission
Functions: (1) Administer and implement
the provisions of this Act; (2) Monitor and
ensure compliance of the country with
international standards set for data
protection
Processing of Personal Information
Section 11, RA 10173
Personal information must be:
(a) Collected for specified and legitimate
purposes determined and declared before,
or as soon as reasonably practicable after
collection, and later processed in a way
compatible with such declared, specified
and legitimate purposes only;
(b) Processed fairly and lawfully;
(c) Accurate, relevant and, where necessary
for purposes for which it is to be used the
processing of personal information, kept up
to date; inaccurate or incomplete data must
be rectified, supplemented, destroyed or
their further processing restricted;
(d) Adequate and not excessive in relation to
the purposes for which they are collected and
processed;
(e) Retained only for as long as necessary for
the fulfilment of the purposes for which the
data was obtained or for the establishment,
exercise or defense of legal claims, or for
legitimate business purposes, or as provided by
law; and
(f) Kept in a form which permits
identification of data subjects for no longer
than is necessary for the purposes for which
the data were collected and processed:
Provided, That personal information collected
for other purposes may be processed for
historical, statistical or scientific purposes, and
in cases laid down in law may be stored for
longer periods: Provided, further, That adequate
safeguards are guaranteed by said laws
authorizing their processing.
Lawful Processing of Personal Information
The processing of personal information shall be permitted only if not
prohibited by law; or when at least one (1) of the following conditions
exists:
(a) The data subject has given his consent;
(b) When necessary and is related to the fulfilment of a contract with
the data subject;
(c) When necessary for compliance with a legal obligation to which the
personal information controller is subject;
(d) When necessary to protect vitally important interests of the data
subject, including life and health;
(e) When necessary in order to respond to national emergency;
(f) For purposes of the legitimate interests pursued by the personal
information controller or by a third party or parties to whom the
data is disclosed, except where such interests are overridden by
fundamental rights and freedoms of the data subject which require
protection under the Philippine Constitution.
Rights of the Data Subject (Section 16)
Be informed whether personal information pertaining
to him or her shall be, are being or have been processed;
Be furnished information before the entry of the
same into the processing system of the personal
information controller;
Reasonable access to, upon demand, the following:
(1) Contents of his or her personal information that were
processed;
(2) Sources from which personal information were
obtained;
(3) Names and addresses of recipients of the personal
information; xxx
Dispute the inaccuracy or error in the personal
information and have the personal information
controller correct it immediately and accordingly;
Suspend, withdraw or order the blocking,
removal or destruction of his or her personal
information upon discovery and substantial proof
that the personal information are incomplete,
outdated, false, unlawfully obtained, used for
unauthorized purposes or are no longer
necessary for the purposes for which they were
collected; and
Be indemnified for any damages sustained due
to such inaccurate, incomplete, outdated, false,
unlawfully obtained or unauthorized use of personal
information.
Security of Sensitive Personal Information in Government
Section 22. Responsibility of Heads of Agencies. –
All sensitive personal information maintained by
the government, its agencies and instrumentalities
shall be secured, as far as practicable, with the use
of the most appropriate standard recognized by
the information and communications technology
industry, and as recommended by the Commission.
The head of each government agency or
instrumentality shall be responsible for
complying with the security requirements
mentioned herein while the Commission shall
monitor the compliance and may recommend
the necessary action in order to satisfy the
minimum standards.
How to comply with the Data Privacy Act of 2012
Appoint a Data Protection Officer (DPO);
Conduct a Privacy Impact Assessment (PIA);
Create a privacy knowledge management
program;
Implement a privacy and data protection
policy;
Exercise a breach reporting procedure.
Data Privacy Act of 2012 and the Department of Education
Penalties
Section 25. Unauthorized Processing of
Personal Information and Sensitive Personal
Information. – (a) The unauthorized
processing of personal information shall be
penalized by imprisonment ranging from
one (1) year to three (3) years and a fine of
not less than Five hundred thousand pesos
(Php500,000.00) but not more than Two
million pesos (Php2,000,000.00) shall be
imposed on persons who process personal
information without the consent of the data
subject, or without being authorized under this
Act or any existing law. xxx