Data Privacy

Uploaded by Rhikka Mhaye

Three Types of Information

Personal information

refers to any information whether recorded in a material form or not, from which
the identity of an individual is apparent or can be reasonably and directly
ascertained by the entity holding the information, or when put together with
other information would directly and certainly identify an individual.

Privileged information

refers to any and all forms of data which under the Rules of Court and other
pertinent laws constitute privileged communication.

Sensitive personal information

refers to personal information:

(1) About an individual's race, ethnic origin, marital status, age, color, and
religious, philosophical or political affiliations;

(2) About an individual's health, education, genetic or sexual life of a person, or to
any proceeding for any offense committed or alleged to have been committed by
such person, the disposal of such proceedings, or the sentence of any court in
such proceedings;

(3) Issued by government agencies peculiar to an individual which includes, but
not limited to, social security numbers, previous or current health records,
licenses or its denials, suspension or revocation, and tax returns; and

(4) Specifically established by an executive order or an act of Congress to be kept
classified.

Personal information controller

refers to a person or organization who controls the collection, holding, processing
or use of personal information, including a person or organization who instructs
another person or organization to collect, hold, process, use, transfer or disclose
personal information on his or her behalf. The term excludes:

(1) A person or organization who performs such functions as instructed by
another person or organization; and

(2) An individual who collects, holds, processes or uses personal information in
connection with the individual's personal, family or household affairs.

Personal information processor

refers to any natural or juridical person qualified to act as such under this Act to
whom a personal information controller may outsource the processing of
personal data pertaining to a data subject.

What are the punishable acts under Data Privacy Act?

Section 25. Unauthorized Processing of Personal Information and Sensitive
Personal Information. (a) The unauthorized processing of personal information
shall be penalized by imprisonment ranging from one (1) year to three (3) years
and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not
more than Two million pesos (Php2,000,000.00) shall be imposed on persons who
process personal information without the consent of the data subject, or without
being authorized under this Act or any existing law.

(b) The unauthorized processing of personal sensitive information shall be
penalized by imprisonment ranging from three (3) years to six (6) years and a fine
of not less than Five hundred thousand pesos (Php500,000.00) but not more than
Four million pesos (Php4,000,000.00) shall be imposed on persons who process
personal information without the consent of the data subject, or without being
authorized under this Act or any existing law.

Section 26. Accessing Personal Information and Sensitive Personal Information
Due to Negligence. (a) Accessing personal information due to negligence shall be
penalized by imprisonment ranging from one (1) year to three (3) years and a fine
of not less than Five hundred thousand pesos (Php500,000.00) but not more than
Two million pesos (Php2,000,000.00) shall be imposed on persons who, due to
negligence, provided access to personal information without being authorized
under this Act or any existing law.

(b) Accessing sensitive personal information due to negligence shall be penalized
by imprisonment ranging from three (3) years to six (6) years and a fine of not less
than Five hundred thousand pesos (Php500,000.00) but not more than Four
million pesos (Php4,000,000.00) shall be imposed on persons who, due to
negligence, provided access to personal information without being authorized
under this Act or any existing law.

Section 27. Improper Disposal of Personal Information and Sensitive Personal
Information. (a) The improper disposal of personal information shall be penalized
by imprisonment ranging from six (6) months to two (2) years and a fine of not
less than One hundred thousand pesos (Php100,000.00) but not more than Five
hundred thousand pesos (Php500,000.00) shall be imposed on persons who
knowingly or negligently dispose, discard or abandon the personal information of
an individual in an area accessible to the public or has otherwise placed the
personal information of an individual in its container for trash collection.

(b) The improper disposal of sensitive personal information shall be penalized by
imprisonment ranging from one (1) year to three (3) years and a fine of not less
than One hundred thousand pesos (Php100,000.00) but not more than One
million pesos (Php1,000,000.00) shall be imposed on persons who knowingly or
negligently dispose, discard or abandon the personal information of an individual
in an area accessible to the public or has otherwise placed the personal
information of an individual in its container for trash collection.

Section 28. Processing of Personal Information and Sensitive Personal
Information for Unauthorized Purposes. The processing of personal information
for unauthorized purposes shall be penalized by imprisonment ranging from one
(1) year and six (6) months to five (5) years and a fine of not less than Five
hundred thousand pesos (Php500,000.00) but not more than One million pesos
(Php1,000,000.00) shall be imposed on persons processing personal information
for purposes not authorized by the data subject, or otherwise authorized under
this Act or under existing laws.

The processing of sensitive personal information for unauthorized purposes shall
be penalized by imprisonment ranging from two (2) years to seven (7) years and a
fine of not less than Five hundred thousand pesos (Php500,000.00) but not more
than Two million pesos (Php2,000,000.00) shall be imposed on persons processing
sensitive personal information for purposes not authorized by the data subject, or
otherwise authorized under this Act or under existing laws.

Section 29. Unauthorized Access or Intentional Breach. The penalty of
imprisonment ranging from one (1) year to three (3) years and a fine of not less
than Five hundred thousand pesos (Php500,000.00) but not more than Two
million pesos (Php2,000,000.00) shall be imposed on persons who knowingly and
unlawfully, or violating data confidentiality and security data systems, breaks in
any way into any system where personal and sensitive personal information is
stored.

Section 30. Concealment of Security Breaches Involving Sensitive Personal
Information. The penalty of imprisonment of one (1) year and six (6) months to
five (5) years and a fine of not less than Five hundred thousand pesos
(Php500,000.00) but not more than One million pesos (Php1,000,000.00) shall be
imposed on persons who, after having knowledge of a security breach and of the
obligation to notify the Commission pursuant to Section 20(f), intentionally or by
omission conceals the fact of such security breach.

Section 31. Malicious Disclosure. Any personal information controller or
personal information processor or any of its officials, employees or agents, who,
with malice or in bad faith, discloses unwarranted or false information relative to
any personal information or personal sensitive information obtained by him or
her, shall be subject to imprisonment ranging from one (1) year and six (6)
months to five (5) years and a fine of not less than Five hundred thousand pesos
(Php500,000.00) but not more than One million pesos (Php1,000,000.00).

What are the security measures for personal information?

Section 20. Security of Personal Information.

(a) The personal information controller must implement reasonable and
appropriate organizational, physical and technical measures intended for the
protection of personal information against any accidental or unlawful destruction,
alteration and disclosure, as well as against any other unlawful processing.

(b) The personal information controller shall implement reasonable and
appropriate measures to protect personal information against natural dangers
such as accidental loss or destruction, and human dangers such as unlawful
access, fraudulent misuse, unlawful destruction, alteration and contamination.

(c) The determination of the appropriate level of security under this section must
take into account the nature of the personal information to be protected, the
risks represented by the processing, the size of the organization and complexity of
its operations, current data privacy best practices and the cost of security
implementation. Subject to guidelines as the Commission may issue from time to
time, the measures implemented must include:

(1) Safeguards to protect its computer network against accidental, unlawful or
unauthorized usage or interference with or hindering of their functioning or
availability;

(2) A security policy with respect to the processing of personal information;

(3) A process for identifying and accessing reasonably foreseeable vulnerabilities
in its computer networks, and for taking preventive, corrective and mitigating
action against security incidents that can lead to a security breach; and

(4) Regular monitoring for security breaches and a process for taking preventive,
corrective and mitigating action against security incidents that can lead to a
security breach.

(d) The personal information controller must further ensure that third parties
processing personal information on its behalf shall implement the security
measures required by this provision.

(e) The employees, agents or representatives of a personal information controller
who are involved in the processing of personal information shall operate and hold
personal information under strict confidentiality if the personal information are
not intended for public disclosure. This obligation shall continue even after
leaving the public service, transfer to another position or upon termination of
employment or contractual relations.

(f) The personal information controller shall promptly notify the Commission and
affected data subjects when sensitive personal information or other information
that may, under the circumstances, be used to enable identity fraud are
reasonably believed to have been acquired by an unauthorized person, and the
personal information controller or the Commission believes that such
unauthorized acquisition is likely to give rise to a real risk of serious harm to any
affected data subject. The notification shall at least describe the nature of the
breach, the sensitive personal information possibly involved, and the measures
taken by the entity to address the breach. Notification may be delayed only to the
extent necessary to determine the scope of the breach, to prevent further
disclosures, or to restore reasonable integrity to the information and
communications system.

(1) In evaluating if notification is unwarranted, the Commission may take into
account compliance by the personal information controller with this section and
existence of good faith in the acquisition of personal information.

(2) The Commission may exempt a personal information controller from
notification where, in its reasonable judgment, such notification would not be in
the public interest or in the interests of the affected data subjects.

(3) The Commission may authorize postponement of notification where it may
hinder the progress of a criminal investigation related to a serious breach.

THE NATIONAL PRIVACY COMMISSION

Section 7. Functions of the National Privacy Commission. To administer and
implement the provisions of this Act, and to monitor and ensure compliance of
the country with international standards set for data protection, there is hereby
created an independent body to be known as the National Privacy Commission,
which shall have the following functions:

(a) Ensure compliance of personal information controllers with the provisions of
this Act;

(b) Receive complaints, institute investigations, facilitate or enable settlement of
complaints through the use of alternative dispute resolution processes,
adjudicate, award indemnity on matters affecting any personal information,
prepare reports on disposition of complaints and resolution of any investigation it
initiates, and, in cases it deems appropriate, publicize any such report: Provided,
That in resolving any complaint or investigation (except where amicable
settlement is reached by the parties), the Commission shall act as a collegial body.
For this purpose, the Commission may be given access to personal information
that is subject of any complaint and to collect the information necessary to
perform its functions under this Act;

(c) Issue cease and desist orders, impose a temporary or permanent ban on the
processing of personal information, upon finding that the processing will be
detrimental to national security and public interest;

(d) Compel or petition any entity, government agency or instrumentality to abide
by its orders or take action on a matter affecting data privacy;

(e) Monitor the compliance of other government agencies or instrumentalities on
their security and technical measures and recommend the necessary action in
order to meet minimum standards for protection of personal information
pursuant to this Act;

(f) Coordinate with other government agencies and the private sector on efforts
to formulate and implement plans and policies to strengthen the protection of
personal information in the country;

(g) Publish on a regular basis a guide to all laws relating to data protection;

(h) Publish a compilation of agency system of records and notices, including index
and other finding aids;

(i) Recommend to the Department of Justice (DOJ) the prosecution and
imposition of penalties specified in Sections 25 to 29 of this Act;

(j) Review, approve, reject or require modification of privacy codes voluntarily
adhered to by personal information controllers: Provided, That the privacy codes
shall adhere to the underlying data privacy principles embodied in this Act:
Provided, further, That such privacy codes may include private dispute resolution
mechanisms for complaints against any participating personal information
controller. For this purpose, the Commission shall consult with relevant regulatory
agencies in the formulation and administration of privacy codes applying the
standards set out in this Act, with respect to the persons, entities, business
activities and business sectors that said regulatory bodies are authorized to
principally regulate pursuant to the law: Provided, finally, That the Commission
may review such privacy codes and require changes thereto for purposes of
complying with this Act;

(k) Provide assistance on matters relating to privacy or data protection at the
request of a national or local agency, a private entity or any person;

(l) Comment on the implication on data privacy of proposed national or local
statutes, regulations or procedures, issue advisory opinions and interpret the
provisions of this Act and other data privacy laws;

(m) Propose legislation, amendments or modifications to Philippine laws on
privacy or data protection as may be necessary;

(n) Ensure proper and effective coordination with data privacy regulators in other
countries and private accountability agents, participate in international and
regional initiatives for data privacy protection;

(o) Negotiate and contract with other data privacy authorities of other countries
for cross-border application and implementation of respective privacy laws;

(p) Assist Philippine companies doing business abroad to respond to foreign
privacy or data protection laws and regulations; and

(q) Generally perform such acts as may be necessary to facilitate cross-border
enforcement of data privacy protection.

Section 8. Confidentiality. The Commission shall ensure at all times the
confidentiality of any personal information that comes to its knowledge and
possession.

Section 11. General Data Privacy Principles. The processing of personal
information shall be allowed, subject to compliance with the requirements of this
Act and other laws allowing disclosure of information to the public and adherence
to the principles of transparency, legitimate purpose and proportionality.

Section 21. Principle of Accountability. Each personal information controller is
responsible for personal information under its control or custody, including
information that have been transferred to a third party for processing, whether
domestically or internationally, subject to cross-border arrangement and
cooperation.

(a) The personal information controller is accountable for complying with the
requirements of this Act and shall use contractual or other reasonable means to
provide a comparable level of protection while the information are being
processed by a third party.

(b) The personal information controller shall designate an individual or individuals
who are accountable for the organization's compliance with this Act. The identity
of the individual(s) so designated shall be made known to any data subject upon
request.
