Compliance Bulletin Data Privacy

The Data Privacy Act (DPA) aims to protect individual privacy and personal data in the Philippines. It establishes the National Privacy Commission (NPC) and outlines obligations for personal information controllers (PICs) and processors (PIPs) who must adhere to data privacy principles, implement security measures, appoint a data protection officer, and more. The DPA also defines personal information and sensitive personal information, and establishes criteria for lawful processing of data as well as penalties for violations.

Uploaded by

lancekim21

DATA PRIVACY ACT (DPA) QUICK GUIDE

WHAT IS THE DPA?

Fully titled, “An Act Protecting Individual Personal Information in Information and Communications Systems in the Government and the Private Sector, Creating for this Purpose a National Privacy Commission, and for Other Purposes” the DPA aims to protect the fundamental human right of privacy, of communication while ensuring the free flow of information to promote innovation and growth.

WHAT ARE A PIC OR PIP’S PRIMARY OBLIGATIONS?

Adhere to data privacy principles
• Transparency
• Legitimate purpose
• Proportionality

Uphold data subject rights
• Information
• Access
• Data Portability
• Rectification
• Erasure or blocking
• To object
• To file a complaint
• To damages

Implement security measures
• Organizational
• Physical
• Technical

KEY DPA ACTORS


National Privacy Commission (NPC)
independent body mandated to implement the DPA

Data subject
an individual whose personal data is processed

Personal information controller (PIC)
a natural or juridical person, or any other body who controls the processing of personal data

Personal information processor (PIP)
a natural or juridical person, or any other body to whom a PIC may outsource or instruct the processing of personal data

5 PILLARS OF DATA PRIVACY ACCOUNTABILITY & COMPLIANCE

| Pillar | Reference |
| 1. Appoint a Data Protection Officer | NPC Advisory 2017-01 |
| 2. Conduct a Privacy Impact Assessment | NPC Advisory 2017-03 |
| 3. Have a Privacy Management Program & codify it into a Privacy Manual | PMP Guide in NPC Privacy Toolkit |
| 4. Implement data privacy & protection measures | NPC Circular 2016-01; DPAC in NPC Privacy Toolkit |
| 5. Exercise Breach Reporting Procedures | NPC Circular 2016-03 |

WHAT IS PERSONAL INFORMATION (PI)?

PI refers to any information from which the identity of an individual is apparent or can be reasonably and directly ascertained, or when put together with other information would directly and certainly identify an individual

WHAT IS SENSITIVE PERSONAL INFORMATION (SPI)?

SPI refers to info about an individual’s:
• Race
• Ethnic origin
• Marital status
• Age
• Color
• Religious, philosophical or political affiliations
• Health, education, genetic or sexual life
• Proceeding for any offense committed or alleged to have been committed by an individual
• Government-issued IDs
• Those established by an executive order or an act of Congress to be kept classified

CRITERIA FOR LAWFUL PROCESSING OF PI
• Consent
• Contract with the individual
• Vital interests/Life & health
• Legal obligation
• National emergency / public order & safety, as prescribed by law
• Constitutional or statutory mandate of a public authority
• Legitimate interests of the PIC or third parties

CRITERIA FOR LAWFUL PROCESSING OF SPI
• Consent
• Existing laws & regulations
• Life & health
• Processing by non-stock, non-profit orgs
• Medical treatment
• Lawful rights & interests in court proceedings/legal claims

PENALTIES

| Violation | Imprisonment (PI) | Imprisonment (SPI) | Fine (PI) | Fine (SPI) |
| Unauthorized Processing | 1 – 3 years | 3 – 6 years | P500,000 – P2,000,000 | P500,000 – P4,000,000 |
| Accessing Due to Negligence | 1 – 3 years | 3 – 6 years | P500,000 – P2,000,000 | P500,000 – P4,000,000 |
| Improper Disposal | 6 months – 2 years | 1 – 3 years | P100,000 – P500,000 | P100,000 – P1,000,000 |
| Processing for Unauthorized Purposes | 1 year and 6 months – 5 years | 2 – 7 years | P500,000 – P1,000,000 | P500,000 – P2,000,000 |
| Unauthorized Disclosure | 1 – 3 years | 3 – 5 years | P500,000 – P1,000,000 | P1,000,000 – P5,000,000 |

| Violation | Imprisonment | Fine |
| Concealment of Security Breaches | 1 year and 6 months – 5 years | P500,000 – P1,000,000 |
| Unauthorized Access or Intentional Breach | 1 – 3 years | P500,000 – P2,000,000 |
| Malicious Disclosure | 1 year and 6 months – 5 years | P500,000 – P1,000,000 |
| Combination or Series of Acts | 3 – 6 years | P1,000,000 – P5,000,000 |

EXEMPTIONS

Applies not to the PIC/PIP but only to personal data relating to:
• Matters of public concern
• Journalistic, artistic or literary purposes
• Research purposes, intended for a public benefit
• Performance of law enforcement or regulatory functions of public authority (e.g. Secrecy of Bank Deposits Act, Foreign Currency Deposit Act, CISA)
• Compliance of BSP-regulated banks & financial institutions with the CISA, AMLA & other applicable laws
• Residents of foreign jurisdictions w/ applicable data privacy laws

Exemptions are only allowed to the minimum extent needed to achieve purpose, w/ consideration to requirements of other regulations.
