
Republic Act 10173, or the Data Privacy Act of 2012, is a comprehensive and strict privacy

legislation enacted to protect the fundamental human right of every individual to privacy while ensuring
the free flow of information to promote innovation, growth and national development. The National
Privacy Commission was created to administer and implement the provisions of this Act, and to
monitor and ensure the country's compliance with international standards set for data
protection. On September 9, 2016, the Implementing Rules and Regulations were put into effect,
thus mandating all companies to comply.

Scope and Application


The Data Privacy Act is applicable to any natural or juridical person or entity involved in the
processing of personal information, subject to the exceptions provided. The Act applies to the processing
of the personal information of Philippine citizens regardless of where they reside. The law has
extraterritorial application: it applies not only to businesses with offices in the
Philippines but also when equipment based in the Philippines is used for the processing of
personal information.

Lawful Processing of Personal information


The processing of personal information shall be allowed subject to adherence to the principles
of transparency, legitimate purpose, and proportionality. Personal information must be collected
and processed for a declared, specified and legitimate purpose only. Personal information must
be kept accurate, relevant, adequate, up to date, and retained only for as long as reasonably
needed.

For the processing of personal information to be considered lawful, consent from the data subject is
required, subject to the exceptions provided by the Act and other applicable laws. Consent is
given when the data subject agrees to the collection and processing of his or her personal,
sensitive personal or privileged information. Consent must be freely given, specific and an
informed indication of will. Consent shall be evidenced by written, electronic or recorded means.

The processing of sensitive personal and privileged information is prohibited, except in the
cases stated in the Act.

All collected and processed data shall be held under strict confidentiality and shall be used only
for the declared purpose.

Transfer of Personal Information


Data sharing shall be allowed when it is expressly authorized by law, provided that there are
adequate safeguards for data privacy and security, and the processing adheres to the principles of
transparency, legitimate purpose and proportionality. The law also states the responsibility of
the entity for the personal information under its control or custody, including information that
has been transferred to a third party for processing, whether domestically or internationally,
subject to cross-border arrangements and cooperation. The entity is accountable for complying
with the requirements of this Act and shall use contractual or other reasonable means to provide
a comparable level of protection while the information is being processed by a third party. The
entity shall designate an individual or individuals who are accountable for the organization's
compliance with this Act.

Rights of the Data Subject


The personal information controller or personal information processor shall uphold the rights of
data subjects, and adhere to general data privacy principles and the requirements of lawful
processing. The data subject is entitled to the following rights:
(a) Right to be informed
(b) Right to object
(c) Right to access
(d) Right to rectification
(e) Right to erasure or blocking
(f) Right to damages

The rights shall not be applicable if the processed personal data are used only for the needs of
scientific and statistical research and, on the basis of such, no activities are carried out and no
decisions are taken regarding the data subject. The rights are also not applicable to the
processing of personal data gathered for the purpose of investigations in relation to any
criminal, administrative or tax liabilities of a data subject.

Data Privacy and Security


The law requires that any entity involved in data collection and processing must implement
reasonable and appropriate organizational, physical and technical measures intended for the
protection of personal information against any accidental or unlawful destruction, alteration and
disclosure, as well as against any other unlawful processing.

Organizational security measures include:


(a) Appointing Data Protection officers
(b) Implementing Privacy and Data protection policies
(c) Records of processing activities
(d) Management of Human Resource
(e) Processing of Personal Data
(f) Contracts with personal information processors

Physical security measures include:


(a) Policies and procedures to monitor and limit access on different activities
(b) Design of office space and workstations taking into account the environment and
accessibility of the private data to the public
(c) Duties, responsibilities and schedules of the personal information processors
(d) Policies and procedures for the transfer, removal, disposal, and reuse of electronic
media
(e) Policies and procedures that prevent the mechanical destruction of files and equipment

Technical security measures include:


(a) Security policy with respect to the processing of personal data
(b) Safeguards to protect computer network against accidental, unlawful or unauthorized
usage, any interference which will affect data integrity or hinder the functioning or
availability of the system, and unauthorized access through an electronic network
(c) The ability to ensure and maintain the confidentiality, integrity, availability, and resilience
of their processing systems and services
(d) Regular monitoring for security breaches
(e) The ability to restore the availability and access to personal data in a timely manner in
the event of a physical or technical incident
(f) A process for regularly testing, assessing, and evaluating the effectiveness of security
measures
(g) Encryption of personal data during storage and while in transit, authentication processes,
and other technical security measures that control and limit access

The determination of the appropriate level of security under this section must take into account
the nature of the personal information to be protected, the risks represented by the processing,
the size of the organization and complexity of its operations, current data privacy best practices
and the cost of security implementation.

Data Breach Notification


The entity shall promptly notify the Commission and the affected data subjects through a written
or electronic report within 72 hours upon knowledge that a personal data breach has
occurred. Notification is required when sensitive personal information may have been acquired by an unauthorized person,
may be used for identity fraud, and is likely to give rise to a real risk of serious harm to any affected
data subject. The notification must at least:
(a) Describe the nature of the breach;
(b) Identify the personal data possibly involved;
(c) State the measures taken by the entity to address the breach;
(d) State the measures taken to reduce the harm or negative consequences of the breach;
(e) Name the representatives of the personal information controller, including their contact details;
(f) Describe any assistance to be provided to the affected data subjects.

Notification may be delayed only to the extent necessary to determine the scope of the breach,
to prevent further disclosures, or to restore reasonable integrity to the information and
communications system.

Registration and Compliance Requirements


To administer and implement the Act, and to ensure the compliance of personal information
controllers with its obligations under the law, the Commission requires the following:
(a) Companies with at least 250 employees or access to the personal and identifiable
information of at least 1,000 people are required to register with the National Privacy
Commission and comply with the Data Privacy Act of 2012
(b) Notification of automated processing operations where the processing becomes the sole
basis of making decisions that would significantly affect the data subject;
(c) Annual report of the summary of documented security incidents and personal data
breaches;
(d) Compliance with other requirements that may be provided in other issuances of the
Commission.

Penalties

Any natural or juridical person, or other body involved in the processing of personal data, who
fails to comply with the Act, the Implementing Rules and Regulations, and other issuances of the
Commission, shall be liable for such violation, and shall be subject to the corresponding
sanction, penalty, or fine, without prejudice to any civil or criminal liability, as may be applicable.

The law provides penalties for various offenses summarized as follows:


If the offender is a corporation, partnership or any juridical person, the penalty shall be imposed
upon the responsible officers, as the case may be, who participated in, or by their gross
negligence, allowed the commission of the crime.

The maximum penalty in the corresponding scale of penalties provided for the preceding
offenses shall be imposed when the personal data of at least one hundred (100) persons are
harmed, affected, or involved as the result of any of the above-mentioned offenses.

Prepared by: Hossanna Kassandra A. Onilongo, Audit Supervisor

Reviewed and Approved by: Rafael Carlos C. Ariola, OIC – Head, Audit and Systems Department
