Data Privacy Act
Digital data is an inescapable part of our daily lives. Today, more than ever, we need compel organizations to ensure the confidentiality and integrity of client, end-user or employee data even as it is made available for legitimate and authorized purposes.
The Data Privacy Act (DPA) or Republic Act No. 10173 was passed into law in 2012 “to protect the fundamental human right of privacy while ensuring free flow of information to promote innovation and growth” (RA 10173 Ch. 1, Sec. 2). Its Implementing Rules and Regulations took effect on September 9, 2016.
The National Privacy Commission is tasked to enforce and oversee the Privacy Act. It holds anyone involved in the processing of personal information legally accountable for ensuring that it remains secure and that systems remain free from misuse, security breaches and system errors.
Implications for data collectors and companies
The law applies to both the government and private sector – basically any entity that maintains an office, branch, or agency in the Philippines. It also applies to when the equipment used for processing is located within the Philippines, and anyone involved in processing the personal information of Philippine citizens, regardless of where they reside.
The law allows personal data to be collected and processed for “declared, specified, legitimate and reasonable purposes.” The reasons for data collection should be clear to both the parties giving and receiving information. Individuals must opt in for their data to be used for specific, transparent and legal reasons.
What is considered “sensitive personal information?”
‘Personal information’ is that from which an individual’s identity is apparent or can be reasonably ascertained by the entity holding the information. The law prohibits the use of private information, or that which is not publicly available, without obtaining consent.
This information pertains to:
• Race, ethnicity, color, marital status, age, and religious and political affiliations;
• An individual’s health, genetic or sexual orientation, education, and any offense committed or allegedly committed;
• Information that is unique to an individual, such as a social security number, tax returns, or health records;
• Anything deemed as classified by executive order or act of Congress.
Consent must be given before the personal data is collected. The subject needs to be adequately informed about the extent and purpose of its use, and the consent must be recorded in written or electronic form.
What else does compliance to this Act entail?
Personal information should be accurate and relevant. It should be used for the purpose expressly stated and retained only for as long as reasonably needed.
Data collection methods must be shared with data subjects, and those processing the data must actively work to ensure that no one can gain unauthorized access to the information. Precautions must be taken when discarding personal information to ensure that it is not accessible to unauthorized third parties.
Processing information without the necessary permissions, and irresponsibly handling or improperly disposing of it is punishable with up to six (6) years in prison or not less than five million pesos (PHP 5,000,000).
Business entities with access to the personal and identifiable information of at least 1,000 people must register with the National Privacy Commission and comply with the Data Privacy Act of 2012. The Act also mandates that a security program be put in place.
Polish your knowledge on the proper implementation of this law and learn about the measures you can take to maintain confidentiality in information handling by contacting Duran & Duran-Schulze Law. Call (+632) 478 5826 or email [email protected] for inquiries.