ricardo-jesus-gutierrez
8/9/2019 Privacy_Data Privacy and the Public Sector (RJEG)
A Primer on the DATA PRIVACY ACT
Republic Act No. 10173

Data Privacy and the Public Sector

Introduction
In the Data Privacy Act (henceforth DPA), the public sector aspect involves three areas:
1. Government as Data Subject
2. Government as Personal Information Controllers and/or Processors
3. Government as Regulating Body (i.e., as National Privacy Commission (henceforth NPC))

In this primer, these three areas will be discussed separately to show the differing roles of Government vis-à-vis Data Privacy.

Government as Data Subject

1. First, what is a data subject?
A "data subject" refers to an individual whose personal information is processed. [1]

2. What is personal information?
"Personal information" refers to any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual. [2]

From the definition, it can be said that the tests in determining whether information is personal, and therefore protected by the DPA, are:
1. Whether or not, from the information, the identity of an individual is apparent;
2. Whether or not, from the information, the identity of an individual can be reasonably and directly ascertained by the entity holding the information; or
3. Whether or not the information when put together with other information would directly and certainly identify an individual.

The key, therefore, is whether from the information, standing alone or combined with other information, an individual can be identified.

[1] Section 3(c)
[2] Section 3(g)
6. Does the DPA protect all personal information relating to government?
No. Section 4 of the DPA provides for information excluded from its application. The following government information are excluded from the DPA:
1. Information about an individual who is or was an officer or employee of a government institution that relates to the position or functions of the individual;
2. Information about an individual who is or was performing service under contract for a government institution that relates to the services performed, including the terms of the contract, and the name of the individual given in the course of the performance of those services;
3. Information relating to any discretionary benefit of a financial nature such as the granting of a license or permit given by the government to an individual, including the name of the individual and the exact nature of the benefit;
4. Information necessary in order to carry out the functions of public authority which includes the processing of personal data for the performance by the independent, central monetary authority and law enforcement and regulatory agencies of their constitutionally and statutorily mandated functions; and
5. Personal information originally collected from residents of foreign jurisdictions in accordance with the laws of those foreign jurisdictions, including any applicable data privacy laws, which is being processed in the Philippines (emphasis supplied).

7. When is there lawful processing of personal information?
Lawful processing involves a two-step process. First, before any personal information can be processed, the personal information controller must first comply with Section 11: General Data Privacy Principles. And second, the personal information controller or the personal information processor, as the case may be, shall determine whether the information is merely personal information, which requires compliance with Section 12, or sensitive personal information, in which case Section 13 must be complied with.

8. Who is a personal information controller?
"Personal information controller" refers to a person or organization who controls the collection, holding, processing or use of personal information, including a person or organization who instructs another person or organization to collect, hold, process, use, transfer or disclose personal information on his or her behalf. [5]

The term, however, excludes the following:

[5] Section 3(h)
(1) A person or organization who performs such functions as instructed by another person or organization; and
(2) An individual who collects, holds, processes or uses personal information in connection with the individual's personal, family or household affairs.

9. Who is a personal information processor?
"Personal information processor" refers to any natural or juridical person qualified to act as such under this Act to whom a personal information controller may outsource the processing of personal data pertaining to a data subject. [6]

10. What are the General Privacy Principles? [7]
Personal information must be:
1. Collected for specified and legitimate purposes determined and declared before, or as soon as reasonably practicable after collection, and later processed in a way compatible with such declared, specified and legitimate purposes only;
2. Processed fairly and lawfully;
3. Accurate, relevant and, where necessary for purposes for which it is to be used the processing of personal information, kept up to date; inaccurate or incomplete data must be rectified, supplemented, destroyed or their further processing restricted;
4. Adequate and not excessive in relation to the purposes for which they are collected and processed;
5. Retained only for as long as necessary for the fulfillment of the purposes for which the data was obtained or for the establishment, exercise or defense of legal claims, or for legitimate business purposes, or as provided by law; and
6. Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected and processed:
   A. But, personal information collected for other purposes may be processed for historical, statistical or scientific purposes, and in cases laid down in law may be stored for longer periods; and
   B. Adequate safeguards are guaranteed by said laws authorizing their processing.

11. If what is processed is merely personal information, what other conditions, apart from the general privacy principles, must be complied with before there can be lawful processing?

[6] Section 3(i)
[7] Section 11
Lawful Processing of Personal Information is governed by Section 12. [8] This section allows the processing of personal information if:
1. It is not prohibited by law; and
2. When at least one of the conditions exists:
   A. Consent from the data subject;
   B. Processing is necessary and related to the fulfillment of a contract with the data subject;
   C. Processing is necessary for compliance with a legal obligation to which the controller is subject;
   D. Processing is necessary to protect vitally important interests of the data subject, including life and health;
   E. Processing is necessary to respond to national emergency, public order, safety, and fulfillment of public functions; or
   F. Processing is necessary for the legitimate interest pursued by the controller or a third party except where such interest is overridden by fundamental rights and freedom of the data subject.

12. What is consent?
"Consent of the data subject" refers to any freely given, specific, informed indication of will, whereby the data subject agrees to the collection and processing of personal information about and/or relating to him or her. Consent shall be evidenced by written, electronic or recorded means. It may also be given on behalf of the data subject by an agent specifically authorized by the data subject to do so. [9]

13. If what is processed are sensitive personal information, what are the conditions for lawful processing other than compliance with the general privacy principles?
The processing of sensitive personal information is governed by Section 13 of the Act, which covers not only sensitive personal information, but also privileged information, which is not defined in the DPA but in some other statute or rule. The rule is that processing of these kinds of information shall be prohibited, except in the following cases:

[8] SEC. 12. Criteria for Lawful Processing of Personal Information. – The processing of personal information shall be permitted only if not otherwise prohibited by law, and when at least one of the following conditions exists: (a) The data subject has given his or her consent; (b) The processing of personal information is necessary and is related to the fulfillment of a contract with the data subject or in order to take steps at the request of the data subject prior to entering into a contract; (c) The processing is necessary for compliance with a legal obligation to which the personal information controller is subject; (d) The processing is necessary to protect vitally important interests of the data subject, including life and health; (e) The processing is necessary in order to respond to national emergency, to comply with the requirements of public order and safety, or to fulfill functions of public authority which necessarily includes the processing of personal data for the fulfillment of its mandate; or (f) The processing is necessary for the purposes of the legitimate interests pursued by the personal information controller or by a third party or parties to whom the data is disclosed, except where such interests are overridden by fundamental rights and freedoms of the data subject which require protection under the Philippine Constitution.
[9] Section 3(b)
1. The data subject has given his or her consent, specific to the purpose prior to the processing, or in the case of privileged information, all parties to the exchange have given their consent prior to processing;
2. The processing of the same is provided for by existing laws and regulations. But, such regulatory enactments must guarantee the protection of the sensitive personal information and the privileged information.
First Set
Right to be Informed

15. What is the data subject's right to be informed?
The data subject has the right to be informed of the following:
1. Whether personal information pertaining to him or her shall be, are being or have been processed; [10]
2. Be furnished the information indicated hereunder before the entry of his or her personal information into the processing system of the personal information controller, or at the next practical opportunity:
   A. Description of the personal information to be entered into the system;
   B. Purposes for which they are being or are to be processed;
   C. Scope and method of the personal information processing;
   D. The recipients or classes of recipients to whom they are or may be disclosed;
   E.
2. Sources from which personal information were obtained;
3. Names and addresses of recipients of the personal information;
4.
information controller may notify third parties who have previously received such processed personal information. [16]

Right to Indemnity

21. When is the data subject entitled to indemnity?
The data subject is entitled to be indemnified for any damages sustained due to such inaccurate, incomplete, outdated, false, unlawfully obtained, or unauthorized use of personal information. [17]

Right to Data Portability

22. What is the data subject's right to data portability?
The data subject shall have the right, where personal information is processed by electronic means and in a structured and commonly used format, to obtain from the personal information controller a copy of data undergoing processing in an electronic or structured format, which is commonly used and allows for further use by the data subject. The Commission may specify the electronic format referred to above, as well as the technical standards, modalities and procedures for their transfer. [18]

Exception to the First Set of Rights

23. When are the rights under Sections 16 and 18 not applicable? [19]
Under Section 19, the rights granted to the data subject under Chapter IV (Sections 16 and 18) are not applicable if:
1. The processed personal information are used only for the needs of scientific and statistical research
   A. On the basis of such research, no activities are carried out and no decisions are taken regarding the data subject
   B. The personal information shall be held under strict confidentiality and used only for the declared purpose
2. The processing of personal information gathered for the purpose of investigations in relation to any criminal, administrative, or tax liabilities of a data subject.

Second Set
Right to Lodge a Complaint before the Commission
24. What is the legal basis for this right?
This right can be inferred from the duty of the NPC, as the implementing body of the DPA, to receive complaints, institute investigations, facilitate or enable settlement of complaints through the use of alternative dispute resolution processes, adjudicate, award indemnity on matters affecting any personal information, prepare reports on disposition of complaints and resolution of any investigation it initiates, and, in cases it deems appropriate, publicize any such report. [20]

[16] Section 16(e)
[17] Section 16(f)
[18] Section 18
[19] Section 19
Right to Know the Identity of Accountable Individuals

25. What is the data subject's right to know the identity of accountable individuals?
The personal information controller shall designate an individual or individuals who are accountable for the organization's compliance with this Act. The identity of the individual(s) so designated shall be made known to any data subject upon request. [21]

26. What are the remedies of a data subject in case of breach?
1. Administrative remedy [22]
Lodge a complaint before the National Privacy Commission, which will resolve the complaint as a collegial body, except where amicable settlement is reached by the parties.
2. Judicial Remedy
   A. Indemnity under Section 16(f) – See Question 21 above
   B. Restitution under Section 37
   C. Criminal Action for Crimes defined under Chapter VIII

27.
2. The entity has a link with the Philippines, and the entity is processing personal information in the Philippines or even if the processing is outside the Philippines as long as it is about Philippine citizens or residents such as, but not limited to, the following:
   A. A contract is entered in the Philippines;
   B. A juridical entity unincorporated in the Philippines but has central management and control in the country; and
   C. An entity that has a branch, agency, office or subsidiary in the Philippines and the parent or affiliate of the Philippine entity has access to personal information; and
3. The entity has other links in the Philippines such as, but not limited to:
   A. The entity carries on business in the Philippines; and
   B. The personal information was collected or held by an entity in the Philippines.

30. When is it not applicable?
The cross-border application of the DPA does not apply to personal information originally collected from residents of foreign jurisdictions in accordance with the laws of those foreign jurisdictions, including any applicable data privacy laws, which is being processed in the Philippines. [25]
31.
Lawful processing involves a two-step process. First, before any personal information can be processed, the personal information controller must first comply with Section 11: General Data Privacy Principles. [33] And second, the personal information controller or the personal information processor, as the case may be, shall determine whether the information is merely personal information, which requires compliance with Section 12 [34], or sensitive personal information, in which case Section 13 [35] must be complied with.

35. Can the government process personal information without complying with the conditions for lawful processing?
Yes, Section 4 specifically excludes "Information necessary in order to carry out the functions of public authority which includes the processing of personal data for the performance by the independent, central monetary authority and law enforcement and regulatory agencies of their constitutionally and statutorily mandated functions" from the applicability of the DPA. Therefore, processing of such information need not comply with the specific provisions of the DPA, subject, however, to other laws and regulations.

36. What are the obligations of the personal information controller?
Aside from complying with the conditions for lawful processing of personal information, the personal information controller has other obligations. As a correlative of the rights that can be exercised by the data subject, the personal information controller has the following obligations:
1. Obligation to Inform the Data Subject when his or her Personal Information is processed
2. Obligation to Notify the Data Subject before the entry of his or her Personal Information into the Processing System of the Personal Information Controller [36]
3. Obligation to Allow Access to Personal Information pertaining to the Data Subject, upon demand
4. Obligation to Correct any Inaccuracy or Error [37]
5. Obligation to Remove Personal Information from its Filing System, upon demand and proof [38]
6. Obligation to Indemnify Data Subject for Breach

[33] See Question 10 above
[34] See Question 11 above
[35] See Question 13 above
[36] Subject to an exception: See Question 16
[37] Subject to an exception: See Question 19
[38] Proof that personal information are incomplete, outdated, false, unlawfully obtained, used for unauthorized purposes or are no longer necessary for the purposes for which they were collected.
7. Obligation to Furnish the Data Subject a Copy of Data undergoing processing in an Electronic or Structured Format
8. Obligation to Inform the Data Subject of the Identity of Accountable Individuals, upon request

37. As regards security of personal information, what measures must the personal information controller take?
Section 20 provides for the following measures:
1. To implement reasonable and appropriate organizational, physical and technical measures intended for the protection of personal information against any accidental or unlawful destruction, alteration and disclosure;
2. To implement reasonable and appropriate measures to protect personal information against natural dangers;
3. To include in the measures implemented:
   A. Safeguards to protect its computer network against accidental, unlawful or unauthorized usage or interference with or hindering of their functioning or availability;
   B. A security policy with respect to the processing of personal information;
   C. A process for identifying and accessing reasonably foreseeable vulnerabilities in its computer networks, and for taking preventive, corrective and mitigating action against security incidents that can lead to a security breach; and
   D. Regular monitoring for security breaches and a process for taking preventive, corrective and mitigating action against security incidents that can lead to a security breach;
4. To ensure that third parties processing personal information on its behalf shall implement the security measures required by this provision;
5. To operate and hold personal information under strict confidentiality if the personal information are not intended for public disclosure;
   A. Extends to all employees, agents, and representatives of the personal information controller
   B. Extends even after leaving public service, upon transferring to another position, and even upon termination of the employment contract
6. To notify the Commission and affected data subjects when information that may be used to enable identity fraud is reasonably believed to have been acquired by an unauthorized person, and the personal information controller or the Commission believes that such unauthorized acquisition is likely to give rise to a real risk of serious harm to any affected data subject.

38. What are the fundamental responsibilities of a personal information controller in relation to the information it maintains? To what extent must it perform these responsibilities?
Section 21 provides for the general principle of accountability. It provides that the personal information controller is responsible for the personal information under its control and custody. Its responsibility extends to information transferred to a third party for processing (or personal information processor), whether domestic or international.

The responsibilities of a personal information controller are to:
1. Comply with the requirements of the DPA;
2. Use contractual or other reasonable means to provide a comparable level of protection while the information are being processed by a third party; and
3. Designate an individual or individuals who are accountable for the personal information controller's compliance with the DPA.

39. Does the government, as personal information controller, have special obligations vis-à-vis the sensitive personal information it maintains?
Yes, Chapter VII of the DPA deals with the responsibilities of the heads of agencies, requirements relating to access, and its applicability to government contractors. This Chapter deals specifically with the security of sensitive personal information maintained by government, its agencies and instrumentalities.

40. What are the responsibilities of heads of agencies, which act as personal information controllers?
Section 22 of the DPA states that all sensitive personal information maintained by government shall be secured, as far as practicable, with the use of the most appropriate standard recognized by the information and communications technology industry, and as recommended by the NPC.

The head of each government agency or instrumentality shall be responsible for complying with the security requirements; while the NPC shall monitor the compliance and may recommend the necessary action in order to satisfy the minimum standards.

41. What are the requirements [39] relating to access to sensitive personal information by agency personnel?
For On-site and Online access, employees of government are required to have a security clearance from the head of the source agency before they can access sensitive personal information on government property or through online facilities.

[39] Section 23
For Off-site Access, sensitive personal information maintained by an agency may only be transported or accessed from a location off government property if a request for such transportation or access is submitted and approved by the head of the agency, subject to the following guidelines:
   A. The head of the agency shall approve or disapprove the request within 2 business days after submission. In case no action was made by the head, the request is considered disapproved
   B. If request is approved, the head shall limit access to not more than 1,000 records at a time
   C. Any technology used to store, transport or access sensitive personal information for purposes of off-site access approved under this subsection shall be secured by the use of the most secure encryption standard recognized by the Commission.

42. What is the special rule for government contractors?
Under Section 24 of the DPA, when the government enters into a contract that may involve accessing or requiring sensitive personal information from 1,000 or more individuals, the contracting agency shall require the contractor and latter's employees:
1. To register their personal information system with the NPC
2. To comply with the other provisions of the DPA including the requirements relating to access by its personnel to sensitive personal information.

43. What are the prohibited acts under the DPA?
See Annex A for the Table of Crimes

44. Is there a qualifying circumstance that would increase the penalties prescribed in the specific crimes provided under Chapter VIII?
Yes, it is the qualifying circumstance of "large scale." Section 35 of the DPA provides that the maximum penalty in the scale of penalties respectively provided for the preceding offenses shall be imposed when the personal information of at least one hundred (100) persons is harmed, affected or involved as the result of the above mentioned actions.

45. In case of breach of the obligations above, including the commission of the prohibited acts, what is the extent of liability of each participant?
The extent of liability is provided in Sections 34, 36, and 9 of the DPA. Liability differs depending on the classification of the offender. Hence, if the offender is a:
1. Corporation, partnership or juridical person, penalty shall be imposed upon the responsible officers, as the case may be, who:
   A. Participated in, or
Government as Regulating Body

46. What government agency will administer and implement the provisions of the DPA?
Section 7 provides for the creation of an independent body which shall be known as the National Privacy Commission. Its purpose is to administer and implement the provisions of the DPA, and to monitor and ensure compliance of the country with international standards set for data protection.

47. What is its organizational structure?
The NPC shall be an attached agency of the Department of Information and Communications Technology. It shall be composed of 3 members – a Privacy Commissioner and 2 Deputy Privacy Commissioners – who shall be appointed by the President and shall enjoy a term of 3 years, which can be reappointed thereafter for another 3 years.

48. What are the qualifications of its officers?
The Privacy Commissioner must be at least thirty-five (35) years of age and of good moral character, unquestionable integrity and known probity, and a recognized expert in the field of information technology and data privacy.

The Deputy Privacy Commissioners must be recognized experts in the field of information and communications technology and data privacy.

49. Does it have a Secretariat?
Section 10 provides that [t]he Commission is hereby authorized to establish a Secretariat.
The government agencies listed in Section 10 are not exhaustive. Public officers and employees who serve in government agencies involved in the processing of personal information, other than those enumerated, can also be members of the Secretariat provided that majority of the members have served at least 5 years in such agency.

Also, since only majority of the members are required to have served in government agencies involved in the processing of personal information, there is room for appointment of members outside government service, e.g., academe, legal profession, etc.

50. What are the basic functions of the NPC?
The specific functions of the NPC are provided in Section 7 of the DPA. But in general, the NPC is a regulatory body that will administer and implement the provisions of the DPA. It shall ensure that actors within the framework of the DPA comply with its provisions. It also performs quasi-judicial functions in disputes relating to personal information. It also has an international dimension in that it is empowered to negotiate and contract with other data privacy authorities of other countries for cross-border application and implementation of respective privacy laws.

Apart from the functions in Section 7, Section 8 also requires the NPC to ensure at all times the confidentiality of any personal information that comes to its knowledge and possession.

51. Does the NPC have the power to promulgate rules for the implementation of the provisions of the DPA?
Yes, in fact, the DPA provides that the Commission shall promulgate the rules and regulations to effectively implement the provisions of this Act within 90 days from the effectivity of the Act, which is 15 days after its publication in at least 2 national newspapers of general circulation (Sections 39, 45).

52. Does the NPC have reportorial obligations to the people?
Yes, under Section 40, the NPC is obliged to make an annual report to the President and Congress and to make necessary efforts to inform and educate the public about data privacy.
53. In case of breach, what is the extent of liability of the officers and agents of the NPC?
If the offender is the Privacy Commissioner, Deputy Privacy Commissioner, or Agent, he shall not be civilly liable for acts done in good faith in the performance of their duties. However, he or she shall be liable for willful or negligent acts done by him or her which are contrary to law, morals, public policy and good customs even if he or she acted under orders or instructions of superiors. [40]
Annex A. Table of Crimes

Section | Penalized Acts | Penalties: Prison Term | Penalties: Fine [41]
Sec. 25 | Unauthorized Processing of Personal Information | 1-3 years | 500,000 to 2 million
Sec. 25 | Unauthorized Processing of Sensitive Personal Information | 3-6 years | 500,000 to 4 million
Sec. 26 | Accessing Personal Information due to Negligence | 1-3 years | 500,000 to 2 million
Sec. 26 | Accessing Sensitive Personal Information due to Negligence | 3-6 years | 500,000 to 4 million
Sec. 27 | Improper Disposal of Personal Information | 6 mos - 2 years | 100,000 to 500,000
Sec. 27 | Improper Disposal of Sensitive Personal Information | 1-3 years | 100,000 to 1 million
Sec. 28 | Processing of Personal Information for Unauthorized Purposes | 1 yr and 6 mos to 5 years | 500,000 to 1 million

[40] Section 9
[41] In Philippine Pesos