DATA PRIVACY ACT OF 2012

Republic Act 10173 or The Data Privacy Act of 2012 was approved into law last August
15, 2012. Here are its salient features:

1. It applies to the processing of personal information (Section 3g) and sensitive
personal information (Section 3L).
2. Created the National Privacy Commission to monitor the implementation of this
law. (Section 7)
3. Sets the parameters for when, and on what basis, the processing of personal
information is allowed. Its basic premise is that the data subject has given direct
consent. (Sections 12 and 13)
4. Companies that subcontract the processing of personal information to a third party
retain full liability and cannot pass on accountability for that responsibility.
(Section 14)
5. The data subject has the right to know whether their personal information is being
processed. They can demand information such as the source of the information, how
their personal information is being used, and a copy of their information. They also
have the right to request the removal and destruction of their personal data, unless
a legal obligation requires it to be kept or processed. (Sections 16 and 18)
6. If the data subject has already passed away or became incapacitated (for one
reason or another), their legal assignee or lawful heirs may invoke their data
privacy rights. (Section 17)
7. Personal information controllers must ensure security measures are in place to
protect the personal information they process and be compliant with the
requirements of this law. (Section 20 and 21)
8. In case a personal information controller's systems or data are compromised, it
must notify the affected data subjects and the National Privacy Commission.
(Section 20)
9. Heads of government agencies must ensure that their systems comply with this law
(including its security requirements). Personnel may only access sensitive personal
information off-site, limited to 1000 records, in government systems with proper
authority and in a secured manner. (Section 22)
10. Government contractors with existing or future deals with the government that
involve accessing 1000 or more records of individuals must register their personal
information processing system with the National Privacy Commission. (Section 25)
Penalties are provided (up to 5 million as per Sec. 33) for the processing of personal
information and sensitive personal information involving the following acts:
– Unauthorized processing (Sec. 25)
– Negligence (Sec. 26)
– Improper disposal (Sec. 27)
– Unauthorized purposes (Sec. 28)
– Unauthorized access or intentional breach (Sec. 29)
– Concealment of security breaches (Sec. 30)
– Malicious (Sec. 31) and unauthorized disclosure (Sec. 32)
– If at least 100 persons are harmed, the maximum penalty shall apply (Section 35).
11. For public officers (working in government), an accessory penalty consisting of
disqualification from holding public office for a term double the term of the criminal
penalty imposed shall be applied. (Sec. 36)

Who needs to register?

Companies with at least 250 employees or access to the personal and identifiable
information of at least 1,000 people are required to register with the National Privacy
Commission and comply with the Data Privacy Act of 2012. Some of these companies
are already on their way to compliance — but many more are unaware that they are
even affected by the law.

HOW TO COMPLY:

FIRST STEP: APPOINTING A DATA PROTECTION OFFICER

Appointing a Data Protection Officer (DPO) is a legal requirement for personal
information controllers (PICs) and personal information processors (PIPs) under the
Data Privacy Act of 2012.

Duties and responsibilities as DPO

You shall, among others:

a. monitor the PIC's or PIP's compliance with the DPA, its IRR, issuances by the
NPC and other applicable laws and policies. You may:
1. collect information to identify the processing operations, activities,
measures, projects, programs, or systems of the PIC or PIP, and maintain a
record thereof;
2. analyze and check the compliance of processing activities, including the
issuance of security clearances to and compliance by third-party service
providers;
3. inform, advise, and issue recommendations to the PIC or PIP;
4. ascertain renewal of accreditations or certifications necessary to maintain
the required standards in personal data processing; and
5. advise the PIC or PIP on the necessity of executing a Data Sharing
Agreement with third parties, and ensure its compliance with the law;
b. ensure the conduct of Privacy Impact Assessments relative to activities,
measures, projects, programs, or systems of the PIC or PIP;
c. advise the PIC or PIP regarding complaints and/or the exercise by data subjects
of their rights (e.g., requests for information, clarifications, rectification or
deletion of personal data);
d. ensure proper data breach and security incident management by the PIC or PIP,
including the latter’s preparation and submission to the NPC of reports and
other documentation concerning security incidents or data breaches within the
prescribed period;
e. inform and cultivate awareness on privacy and data protection within your
organization, including all relevant laws, rules and regulations and issuances of
the NPC;
f. advocate for the development, review and/or revision of policies, guidelines,
projects and/or programs of the PIC or PIP relating to privacy and data
protection, by adopting a privacy by design approach;
g. serve as the contact person of the PIC or PIP vis-à-vis data subjects, the NPC and
other authorities in all matters concerning data privacy or security issues or
concerns and the PIC or PIP;
h. cooperate, coordinate and seek advice of the NPC regarding matters concerning
data privacy and security; and
i. perform other duties and tasks that may be assigned by the PIC or PIP that will
further the interest of data privacy and security and uphold the rights of the data
subjects.

Except for items (a) to (c), a COP shall perform all other functions of a DPO. Where
appropriate, he or she shall also assist the supervising DPO in the performance of the
latter’s functions.

You must have due regard for the risks associated with the processing operations of the
PIC or PIP, considering the nature, scope, context and purposes of processing.
Accordingly, you must prioritize your activities and focus your efforts on issues that
present higher data protection risks.

SECOND STEP: CONDUCTING PRIVACY IMPACT ASSESSMENT

A Privacy Impact Assessment (PIA) is a process to evaluate and manage privacy
impacts in a PIC or PIP's planned or existing systems, technology, programs, processes or
activities. The process takes into account the nature of the personal data to be protected
and evaluates the risks to privacy and security represented by the processing of
personal data. The PIA guides the PIC or PIP through the process of understanding the
personal data flow in the organization, identifying and assessing various privacy risks,
and proposing measures to address these risks. Proposed measures should consider the
size of the organization, complexity of its operations, current data privacy best practices
and the cost of security implementation.

THIRD STEP: CREATING A PRIVACY MANUAL

The Manual serves as a guide or handbook for ensuring the compliance of an
organization or entity with the DPA, its Implementing Rules and Regulations (IRR), and
other relevant issuances of the National Privacy Commission (NPC). It also
encapsulates the privacy and data protection protocols that need to be observed and
carried out within the organization for specific circumstances (e.g., from collection to
destruction), directed toward the fulfillment and realization of the rights of data
subjects.

FOURTH STEP: IMPLEMENTING PRIVACY AND DATA PROTECTION MEASURES

1. The company must adopt a breach management policy for the purpose of
preventing or minimizing the occurrence of a personal data breach and ensuring
the timely discovery of any security incident. This breach management policy
may be incorporated into the organization's privacy policy and privacy
management programs, which should be set up and properly cascaded among the
organization's employees.

2. Must create a Privacy Notice. A privacy notice aims to empower the public. It is
meant to tell individuals what, how and why personal data is being collected
from them. As such, privacy notices should be highly readable to be usable and
effective.

3. Manage the Human Resources Department. The organization/agency maintains
training/seminars on the DPA for its DPOs/CO.

4. Must implement an access control policy that sets requirements for credentials and
identification and specifies how access to computers, systems, or applications is
managed and who may access the information in most circumstances.
Authentication, authorization, audit, and access approval are the common
aspects of an access control policy.

FIFTH STEP: EXERCISING BREACH REPORTING PROCEDURES:

1. Assessment of the security incident

2. Follow the Security Incident Management Policy, which includes:
- Conduct of a privacy impact assessment
- Data governance policy
- Implementation of appropriate security measures
- Regular monitoring for security breaches
- Capacity building of personnel
- Procedure for the regular review of policies and procedures
- Creation of Security Incident Response Team

3. Submit annual reports to the National Privacy Commission

4. Notify the NPC in case of breach

5. Subsequent investigation in case of breach
