Introduction

Who are you?  As individuals we are identified based on information that relates to us.  We have our names, date of birth, addresses, photographs, identification cards, educational, employment and health records, and the list goes on. The government maintains databases or filing systems that contain records of our birth, registrations as voters, and many more.  Records containing information about us are likely being stored in a private company whenever we avail of services or products, when we go online, or when we fill in a form. During the pandemic, information on whether we have been infected or vaccinated are recorded, and we have been categorized as a healthcare worker, a senior citizen or a person with comorbidities.

In the digital age, different aspects of data relating to us are being collected, stored and used for various purposes.    Often, these data become basis of decisions.    Our grades in school determine whether we will be graduating or not.  Our medical record will be used in managing our health.   The way we have conducted transactions over the years may be the basis of our credit rating.   

There should be no question that information is important.  Just imagine a world where the collection of personal information is prohibited.  We benefit from the availability of data and the advancements of technology that allow meaningful information to be generated and processed faster and better.  Information is important to make data-driven policies, to monitor programs, to advance knowledge and innovation, to make our interactions with society more effective and convenient, and generally, to make the world a better place. 

At the same time though, we should be aware of the risks of unrestricted processing of information, particularly when it relates to individuals.  What if information about us is used to discriminate against us?  What if our personal data is used to influence and limit our choices and opportunities? What if our every activity is being monitored and recorded?  What if someone uses information about us to steal our identity?  While the free flow of information is  necessary, individuals should also be protected from unauthorized unlawful, and unwarranted processing of information that relates to them. Senator Edgardo Angara, in his sponsorship speech of the Philippine Data Privacy Act, aptly said “In this digital era, information is the currency of power – valuable, coveted, but at a very high risk.”   

People should know about the fact that their information is being collected and should have the ability to exercise control over how their information is used.   This is what data privacy is about.   Data privacy is one of our fundamental rights that should be respected by everyone.  

Data Privacy Act

The full title of the Data Privacy Act of 2012 is “An Act Protecting Individual Personal Information in Information and Communications Systems in the Government and the Private Sector, Creating for this purpose a National Privacy Commission, and for Other Purposes” (R.A. No. 10173). From its title, the law makes it clear that it is intended to protect individuals or natural persons through the protection of personal information.  These individuals are referred to as “data subjects” in the Data Privacy Act (DPA).

Implicit also in the “Declaration of Policy” of the Data Privacy Act is the recognition that even as the law protects the right to privacy, it also articulates that free flow of information should be ensured.    The law assures that data protection is not an obstacle for persons to obtain benefits from use of personal data. At the same time, it emphasizes that processing of personal data comes with a responsibility. The rights of individuals or the data subjects should, at all times, be a paramount consideration.

The DPA protects individuals by mandating personal data protection.   Under this law, all those who collect, use or process information that relates to an individual have certain obligations:  they have to adhere to data privacy principles, implement security measures for data protection and uphold the rights of data subjects.  Violation of the Data Privacy Act may lead to sanctions, including possible criminal penalties. 

Scope

In general, the law will apply whenever an individual, company or government agency collects, use, stores or perform any operations on personal information.  For instance, when we are enrolling in a school, the representatives of the school will be collecting personal information, and the collected personal information will be used for many different purposes – assigning of classes, evaluation of students, contacting parents in case of emergency, and maintaining the school records of the students, among others.   Whenever anyone processes personal information in some way, then the general rule (subject to exceptions), is that the Data Privacy Act will apply to them.

The DPA enumerates information outside its scope:

1. information that are matters of public concern
2. personal information processed for journalistic, artistic, or literary purposes, subject to applicable laws
3. personal information processed for research purposes, subject to applicable laws and ethical standards
4. information necessary for public authorities to carry out their functions
5. information necessary for banks and financial institutions to comply with the law
6. personal information collected from residents of a foreign jurisdiction in accordance with the latter’s laws

These information have been placed in a special category under the law to emphasize that data privacy should be balanced with other fundamental freedoms like freedom of expression and the right to information on matters of public concern.   These also recognize the importance of information for research, the economy and the performance of public functions.  We note that the apparent exemption relates to “information” but does not extend to the entities or institutions that process personal information, who will remain subject to their obligations under the DPA, particularly as they relate to implementation of security measures for data protection.  

Definitions

• Personal Information and Sensitive Personal Information

Personal information is information about an identified or identifiable individual.  Any set of information, as long as it can allow identification of an individual will be considered as personal information.  Even if the identity is not immediately apparent, if using other available information is possible, and doing so will lead to the identity of an individual, it will be personal information.  Consider for instance a driver’s license issued by government.  The identity of a person is not evident with only the license number but it is possible to identify the individual that the number refers to.  A personal data sheet may have the name of the individual redacted but all the other information in the record will still allow identification of the individual.  A photograph of a person may not have a name, but the it is still possible that the individual in the photo will be identified.  These are all considered personal information, the processing of which is within the scope of the DPA.

The DPA also distinguished between personal information that is not sensitive and sensitive personal information.  Sensitive Personal Information refers to personal information:

1. About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;
2. About an individual’s health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings;
3. Issued by government agencies peculiar to an individual which includes, but not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns; and
4. Specifically established by an executive order or an act of Congress to be kept classified.

There is also privileged information, which are those defined under the Rules of Court as privileged communications.  They are generally placed in the same category of sensitive personal information.  When information is sensitive, this means that their unauthorized or unlawful processing poses a greater risk to individuals.  This means that stronger security measures should be implemented when they are being processed.  At the same time, when a violation of the DPA involves sensitive persona information, the penalty is also higher.  This does not mean that all other personal information (that is not sensitive) no longer needs to be protected.   

In the Implementing Rules of the DPA, the term “personal data” has been used to collectively refer to all types of personal information—personal information that is not sensitive, sensitive personal information and privileged information.

The term “data subject” refers to an individual whose personal information is processed.

• Personal Information Controller and Personal Information Processor

The DPA also introduces the terms Personal Information Controller and Personal Information Processor to refer to those that processes personal information.  Processing refers to any operation or set of operations– collecting, using, storing or disposing–performed on personal data.

Personal Information Controller  refers to an individual, organization, or group that controls the processing of personal data.   There is control if the individual, organization or group decides what information is collected, or the purpose and extent of processing.  An individual who  processes personal data in connection with his or her personal, family, or household affairs is not considered a personal information controller.  The term personal information controller also excludes those Excludes those who process only as instructed by another. 

Personal Information Processor refers to an individual, organization, or group that processes personal data only upon the instructions of another.  They are usually given access to personal data of a personal information controller under a contract or a service provider agreement.  Personal information processor should not make use of personal data for its own purpose but must do so only in accordance with the instructions of a personal information controller.

• National Privacy Commission

The National Privacy Commission is an independent government agency with the mandate to implement the Data Privacy Act through its regulatory and quasi-judicial function.  The Commission is headed by the Privacy Commissioner who is assisted by two (2) Deputy Privacy Commissioners, one to be responsible for Data Processing Systems and one to be responsible for Policies and Planning.   The IRR of the DPA defines the functions of the Commission as: Rule making, Public Advisory and Education, Compliance and Monitoring, and Complaints, Investigations and Enforcement.

Compliance and Accountability

Processing personal information, including sensitive and privileged information, entails obligations under the DPA.   Those who process personal information should adhere to data privacy principles, implement security measures and uphold the rights of data subjects.

• Data Privacy Principles

Personal data must be processed fairly and lawfully.  Data quality should be ensured and any authorized further processing must have adequate safeguards.  Under the DPA, the general data privacy principles are:

Transparency

The data subject must be aware of the nature, purpose, and extent of the processing of his or her personal data, including the risks and safeguards involved, the identity of personal information controller, his or her rights as a data subject, and how these can be exercised.   Any information and communication relating to the processing of personal data should be easy to access and understand, using clear and plain language.

Legitimate Purpose

The processing of information shall be compatible with a declared and specified purpose which must not be contrary to law, morals, or public policy. 

Processing should have a lawful basis.  Consent is just one of the lawful criteria for processing personal information.  The DPA also provides the general criteria for processing of personal and sensitive personal information.    Where consent is the basis of processing, consent must proceed from an informed choice. Consent  should be freely given, specific, and an informed indication of will, where the data subject agrees to the collection and processing of personal information about and/or relating to him or her. The consent shall be evidenced by written, electronic or recorded means. 

Proportionality

The processing of information shall be adequate, relevant, suitable, necessary, and not excessive in relation to a declared and specified purpose. Personal data shall be processed only if the purpose of the processing could not reasonably be fulfilled by other means. Personal data should not be retained longer than necessary.

• Rights of the Data Subject

Data subjects should be able to exercise their rights under the Data Privacy Act.  This empowers them to participate in the processing of their personal information and to exercise reasonable control over how their information is collected and used.

Data subjects have rights:

1. Right to Information

Data subjects should know that personal information relating to them is being processed and the details and extent of processing.  This means having notice of the general description of the personal information being processed, the purpose, scope and  method of processing,  and the recipients of the personal information. Data subjects should know of the methods used for automated access and the period for storing personal information.  Data subjects should be informed about their rights, how these can be exercised  and how they can contact the personal information controller.

2. Right to Object

Data subjects can object to the personal information processing and should have the opportunity to withdraw consent, particularly if the basis of processing is the data subject’s consent.

3. Right to Access and to Data Portability

Data subjects can access and request for the contents of their personal information processed and other information relevant to the sources of the data, recipients and reasons for disclosures, and any automated decision-making.    

Data subjects have a right to data portability.  This means that if personal information is processed by electronic means and in a structured and commonly used format, they can obtain an electronic copy of the personal information undergoing processing.

4. Right to Correct

Data subjects have rights to the correction of any inaccuracy or error in their personal information and they may also request that those who previously received the information be informed of its inaccuracy. 

5. Right to Erase 

Data subjects have rights to suspend, withdraw, or order the blocking or erasure of their personal information from the personal information controller’s records or filing system on any of the following grounds:

1. personal data is incomplete
2. personal data is outdated
3. personal data is false
4. personal data was unlawfully obtained
5. personal data was used for unauthorized purposes
6. personal data is not necessary to declared purpose
7. withdrawal of consent
8. processing is prejudicial to the data subject
9. processing is unlawful
10. processing violates the rights of the data subject
    

6. Right to File a Complaint and to Damages 

Data subjects have a right to file a complaint for a data privacy violation.  If such violations are established, the data subjects will be entitled to payment of damages. 

• Security Measures
  

Those who process personal information should implement reasonable and appropriate security measures for the protection of personal data against any accidental or unlawful destruction, alteration, and disclosure, as well as against any other unlawful processing.  These Security measures may be organizational, physical and technical measures intended to maintain the confidentiality, integrity and  availability of personal data.

The DPA recommends a risk-based approach.  The determination of the appropriate level of security must consider the following:

1. Nature of the personal data to be protected;
2. Risks represented by the processing;
3. Size of the organization and complexity of its operations;
4. Current data privacy best practices; and
5. Cost of security implementation

Implementing security measures means having a privacy program.  The privacy program should be developed taking into account the processing activities of the government agency, private company or anyt other organization.  It should be implemented, maintained and undergo a regular review for monitoring and improvement.  The next section explains the general components of a privacy program.

Privacy Program Management

Data Protection Unit

The Data Privacy Act implements the principle of accountability and mandates the designation of an individual or individuals who are accountable for the organization’s compliance with the law.  The National Privacy Commission, in implementing the act, requires all those who process personal information to designate a data protection officer (DPO).    It is not simply to identify an individual or individuals who will serve as DPO, but it is important to ensure that they are provided support and resources to fulfill their functions.    The DPO monitors compliance with the DPA and  provides advice on the processing operations of an organization.  They ensure proper data breach management and helps the organization manage data subject concerns.  

Security Incident Management

The Organization must develop a protocol for handling data breaches and other types of security incidents. It must have a unit ready to investigate and resolve such incidents if or when they occur.   A personal data breach refers to a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.

When sensitive personal information or other information that may be used to enable identity fraud are reasonably believed to have been acquired by an unauthorized person, the personal information controller is mandated to notify both the Commission and the data subjects within 72 hours upon knowledge or reasonable belief that the personal data breach occurred. 

Privacy Impact Assessment

The Organization must develop or adopt its own privacy impact assessment (PIA) program, based on its size, available resources, and other relevant factors.  A PIA is a process that documents the data processing life cycle and determines the categories of data to undergo processing.  It then assesses the risks of the processing activities and identify any possible gaps in compliance.  These risks are then avoided, mitigated, transferred or accepted.  The PIA facilitates the implementation of risk-based security measures from the time of planning to actual implementation of the processing operations.  A privacy impact assessment should ideally be done prior to the implementation of any system, program or processes that represent high risks to the rights of data subjects. Results of an enterprise-level PIA should underpin the entire Privacy Program.  

Transparency and Consent Mechanisms

The Organization must make use of appropriate privacy notices and transparency statements when conducting data processing activities. If necessary, it must also establish proper consent mechanisms in cases where consent is the legal basis of its data processing.  Privacy notices are even more important when the basis of processing is not consent.  In these cases, there is a risk that data subjects may not even know of the fact that their information is being processed if there is no transparency mechanisms in place.  A privacy notice must provide sufficient information, should be easy to understand and should be readily accessible to data subjects.

Third Party Management

The Organization must have clear policies and efficient processes in its engagement or transactions with third parties where personal data processing is involved. The principle of accountability demands that it recognizes its responsibility over the data it collects or generates, even when it shares, transfers, or discloses these to other entities.  The organization must determine the need for outsourcing contracts or data sharing agreements.  They must also  have policies for disclosures of data under their control and custody.

The engagement of a personal information controller by a personal information controller for the processing of personal data requires an outsourcing contract or similar agreement.. The outsourcing contract  will lay down their obligations to each other.  For instance, personal information processors should not process the personal data for their own purposes but must only process in accordance with their agreement with the personal information controller.   On the other hand, sharing of personal data between two or more personal information controllers should ideally be covered by a data sharing agreement.   

Data Subject Engagement

Upholding the rights of data subjects should be every organization’s priority.  It is important to put in place mechanisms through which it can respond to the concerns of data subjects—whether it is a data subject requesting for copies of his or her records, or one who is requesting for correction of erroneous entries in data processing systems.   Organizations should also have an appropriate grievance protocol for addressing complaints that may be filed in relation to its data processing activities.

Regulator Engagement

The Organization must coordinate regularly with data protection authorities and cooperate during investigations of compliance checks. If required by applicable regulations, it must also register its data processing systems and comply with applicable reportorial requirements.

Capacity-building Mechanisms

The Organization must develop and implement capacity-building mechanisms that will foster a culture of privacy among its personnel. The desired end-result is to see data protection fully embedded into the Organization’s day-to-day operations. This element is, by no means, less important than the rest. Under the GDPR, for instance, privacy awareness training is actually mandated. A covered entity must have evidence that all of its affected employees have undergone such a training.

Offenses and Penalties