
Introduction

Subject to updates – last updated March 29, 2019


Recently, unofficial sources have cited that the Data Privacy Act
(RA 10173) is now part of the coverage for the 2019 Bar Examinations
as a topic for Commercial Law Review.
Source is now OFFICIAL. Data Privacy Act is now covered under
Mercantile Law for the 2019 Bar Examinations
– http://sc.judiciary.gov.ph/baradmission/2019/MERCANTILE-LAW.pdf
As a disclaimer, this guide is written from the standpoint of a privacy
professional and practitioner with experience in privacy law and practice,
not from that of a lawyer or data privacy attorney.
The coverage for the Data Privacy Act is as follows:
1. Personal vs Sensitive Personal Information
2. Scope
3. Processing of Personal Information
4. Rights of a Data Subject

Some important Data Privacy topics under the Data Privacy Act and Privacy
Law in general, which we have already discussed (linked below) and which
are not covered but are important to know:
1. Constitutional and Statutory Basis for the Right to Privacy under
Philippine Law (except the Data Privacy Act)
2. The Reasonable Expectation of Privacy Test (Pollo vs Constantino-
David G.R. 181881, Oct. 18, 2011)
3. The Data Protection Officer – Roles, Responsibilities and Rights
4. Data Controller, Data Processor and Data Subjects (Tripartite
privacy relationship)
5. Legal Basis for Processing of Personal Information
6. Cybercrime Warrants
7. Privacy Torts
8. Writ of Habeas Data
9. Mutual Legal Assistance Treaties and Letters Rogatory (for Public
International Law)

Today we’re going to discuss the coverage for the Data Privacy Act,
specifically for the 2019 Bar Examinations.

Constitutional Basis
Under the most recent 1987 Philippine Constitution, the Right to
Information and Communications Privacy is recognized under Article III,
Sec. 3(1), which states:

The privacy of communication and correspondence shall be
inviolable except upon lawful order of the court, or when public
safety or order requires otherwise, as prescribed by law.

Personal vs Sensitive Personal Information
Personal Information
Under Sec. 3(g) of the Data Privacy Act, Personal Information is defined
as the following:

Refers to any information whether recorded in a material form or
not, from which the identity of an individual is apparent or can be
reasonably and directly ascertained by the entity holding the
information, or when put together with other information would
directly and certainly identify an individual.
Basically, personal information is anything that can identify an individual.
Examples are your name, ID number, online usernames, email address,
phone number, stage names, etc.
Sec. 3(g) applies to both paper-based and electronic records.
Personal information may also be pieces of information that, when
aggregated with other information, can reasonably identify an individual,
based on substantial evidence from which a prudent person may
reasonably believe that such information is identifiable to a unique
individual.
Context, meaning how a piece of information is displayed or how it
appears, is generally important. As a general rule, if such information
can be reasonably traced back to an individual, then it is personal
information.
Sample Question: Juan Dela Cruz, a Filipino citizen, filled out a survey
form. The survey form only asked about his favorite coffee flavors and
how much he spends per week on coffee. The survey also asked for his
first name. Is the survey collecting personal information?
Answer: No. A first name by itself cannot reasonably identify an individual.
Juan cannot be distinguished from other persons named “Juan”. Nor can
information about his favorite coffee flavors and how much he
spends on coffee, even if taken together with his first name, be
said to reasonably identify Juan.
However, if the survey asked for his full name, even if there is more
than one (1) Juan Dela Cruz in the Philippines, it is still considered as
collecting personal information.

Sensitive Personal Information


Sensitive Personal Information refers to special categories of information,
classified under Sec. 3(l) of the Data Privacy Act as follows:

Sensitive personal information refers to personal information:


(1) About an individual’s race, ethnic origin, marital status, age,
color, and religious, philosophical or political affiliations;
(2) About an individual’s health, education, genetic or sexual life
of a person, or to any proceeding for any offense committed or
alleged to have been committed by such person, the disposal of
such proceedings, or the sentence of any court in such
proceedings;
(3) Issued by government agencies peculiar to an individual
which includes, but not limited to, social security numbers,
previous or current health records, licenses or its denials,
suspension or revocation, and tax returns; and
(4) Specifically established by an executive order or an act of
Congress to be kept classified.
Sensitive personal information must be personal information. This
means that it must be able to identify an individual.
For example, health information such as a medical diagnosis or prognosis is
not by itself sensitive personal information unless there is a Patient ID or
name of the patient together with the health information that can be used to
trace it back to an individual.
BIR, SSS, GSIS, PhilHealth and other government records are also
classified as Sensitive Personal Information.
Most people are confused about how to distinguish “sensitive personal
information” from “sensitive information” or “confidential information”.
Sensitive Personal Information (SPI) is enumerated by law, under Sec.
3(l) of the Data Privacy Act. SPIs can be traced back to individuals.
Sensitive Information is any information that may cause harm or
prejudice when disclosed to an individual or the general public. This is
not protected under the Data Privacy Act.
Examples are trade secrets and business-related information such as
business records which do not contain any personal information. It can
also be government information such as classified documents and
national security related information.
Confidential information is specifically provided by law under the Rules
of Court (such as doctor-patient or attorney-client privilege) or statute
(such as arbitration proceedings and awards under the Domestic
Arbitration Law). Generally, the effect of confidentiality is that the
information is inadmissible in any court, in any proceeding.

Scope
Scope is discussed under Sec. 4 of the Data Privacy Act.

x x x Applies to the processing of all types of personal information
and to any natural and juridical person involved in personal
information processing including those personal information
controllers and processors who, although not found or
established in the Philippines, use equipment that are located in
the Philippines, or those who maintain an office, branch or
agency in the Philippines x x x

Requisites
• Must involve any processing of personal information
• By either natural or juridical persons
• Either acting as a controller or processor
• Whether or not found in the Philippines, using equipment or
  maintaining an office, branch or agency in the Philippines.

What are the exceptions (Sec. 4)?


• Government employee data relating to their official functions and
  position
• Government contractor data
• Licenses or permits and any other discretionary benefit given by
  the government
• Processing of information for journalistic, artistic, literary or
  research purposes
• Personal information processed by public authorities relating to the
  performance of their constitutionally and statutorily mandated
  functions
• Personal information processed for Anti-Money Laundering
  purposes
• Personal information originally collected from residents of foreign
  jurisdictions even if the personal information is processed in the
  Philippines
• Personal information relating to media sources (Sec. 5)

Extraterritorial application (Sec. 6)


Applies to entities within and outside of the Philippines when:
• Processing of personal information about a Philippine citizen or
  resident
• Processing of personal information when the entity has a link with
  the Philippines and such personal information is about a Philippine
  citizen or resident.
  ◦ Examples:
    ▪ Contract entered in the Philippines
    ▪ A foreign company with central management and
      control in the Philippines
    ▪ A Philippine subsidiary of a foreign company where the
      latter has access to personal information in the Philippines.
    ▪ Entity is doing business in the Philippines
    ▪ Personal information is collected by an entity in the
      Philippines

Processing of Personal Information
Principles of Transparency, Legitimate Purpose and Proportionality (Sec. 11)
• Transparency
  ◦ The data subject must be aware of the nature, purpose, and
    extent of the processing of his or her personal data, including
    the risks and safeguards involved, the identity of personal
    information controller, his or her rights as a data subject, and
    how these can be exercised. Any information and
    communication relating to the processing of personal data
    should be easy to access and understand, using clear and plain
    language.
• Legitimate purpose
  ◦ The processing of information shall be compatible with a
    declared and specified purpose which must not be contrary to
    law, morals, or public policy.
• Proportionality
  ◦ The processing of information shall be adequate, relevant,
    suitable, necessary, and not excessive in relation to a declared
    and specified purpose. Personal data shall be processed only if
    the purpose of the processing could not reasonably be fulfilled
    by other means.

General principles in collection, processing and retention of personal information (Sec. 11)
• Collection must be for a declared, specified, and legitimate
  purpose.
• Personal data shall be processed fairly and lawfully.
• Processing should ensure data quality.
• Personal data shall not be retained longer than necessary.
• Any authorized further processing shall have adequate safeguards.

Legal Basis for Processing of Personal Information (Sec. 12 and 13)
• Consent (express) – Processing of personal information with the express
  consent of the data subject; implied consent is not allowed. (Sec.
  12(a) and 13(a))
• Contractual necessity – Processing in fulfillment of a contractual
  obligation (Sec. 12(b))
• Legal obligation – Processing under a legal obligation by the
  Personal Information Controller (Sec. 12(c) and 13(f))
• Vital interest – Processing to protect health and safety of the data
  subject (Sec. 12(d) and 13(c) and 13(e))
• Public interest – Processing in the event of a national emergency,
  public order and safety (Sec. 12(e))
• Legitimate interest – Processing under legitimate interests
  pursued by the Personal Information Controller (Sec. 12(f))

Full details are in my separate post here
– https://privacyph.net/2018/11/22/processing-of-personal-information-data-privacy-act/
General rule – Processing of Sensitive Personal Information is prohibited,
except in the cases enumerated under Sec. 13.

Rights of a Data Subject


Who is a Data Subject (Sec. 3(c))?
Data subject refers to an individual whose personal information is
processed.
Rights of the Data Subject
• Right to be informed (Sec. 16(a) and Sec. 16(b))
  ◦ As a data subject, you have the right to be informed that your
    personal data will be, are being, or were collected and
    processed. (Sec. 16(a))
  ◦ Data subjects also have the right to be furnished information,
    prior to or at the next practicable opportunity, about how
    personal information will be stored, accessed, shared, and
    contained, the methods, period, contact details of the controller, and
    existence of the rights under the Data Privacy Act. (Sec. 16(b))
• Right to Access (Sec. 16(c))
  ◦ You have a right to obtain from an organization a copy of any
    information relating to you that they have on their computer
    database and/or manual filing system. It should be provided in
    an easy-to-access format, accompanied with a full explanation
    executed in plain language.
• Right to Rectify (Sec. 16(d))
  ◦ You have the right to dispute and have corrected any
    inaccuracy or error in the data a personal information controller
    (PIC) holds about you.
• Right to Erasure/Blocking (Sec. 16(e))
  ◦ The right to suspend, withdraw or order the blocking, removal or
    destruction of his or her personal information from the personal
    information controller’s filing system upon discovery and
    substantial proof that the personal information is incomplete,
    outdated, false, unlawfully obtained, used for unauthorized
    purposes or no longer necessary for the purposes for which
    it was collected.
• Right to Object (Sec. 16(e))
  ◦ You can exercise your right to withdraw or object if the
    personal data processing involved is based on consent or on
    legitimate interest.
• Right to Damages (Sec. 16(f))
  ◦ You may claim compensation if you suffered damages due to
    inaccurate, incomplete, outdated, false, unlawfully obtained or
    unauthorized use of personal data, considering any violation of
    your rights and freedoms as data subject.
• Transmissibility Rights (Sec. 17)
  ◦ The lawful heirs and assigns of the data subject may invoke
    the rights of the data subject upon death or incapacity.
• Right to File Complaints (Sec. 7(b))
  ◦ The right to file a complaint with the National Privacy
    Commission
• Right to Data Portability (Sec. 18)
  ◦ Data portability allows you to obtain and electronically move,
    copy or transfer your data in a secure manner, for further use.
