Research on Legal Issue Raised on July 19, 2024 Hearing |

PP v. Casiño

Whether the Court's disclosure of the accused party's

address on court record to the other private
complainant without the accused party's consent
violates the Data Privacy Act of 2012.

I. Definition of Terms
II. Obligations as a Data Collector, Processor, and
Controller
III. Rights of Litigants as Data Subjects
IV. Concept of Legitimate Purpose
V. Discussion on DPA vis-à-vis Rules of Court
VI. Recommendations

I. Definition of Terms

Data Subject refers to an individual whose personal,

sensitive personal, or privileged information is processed.
Data Sharing is the disclosure or transfer to a third party
of personal data under the custody of a personal
information controller or personal information processor. In
the case of the latter, such disclosure or transfer must have
been upon the instructions of the personal information
controller concerned. The term excludes outsourcing, or the
disclosure or transfer of personal data by a personal
information controller to a personal information processor.
Personal Data Breach refers to a breach of security
leading to the accidental or unlawful destruction, loss,
alteration, unauthorized disclosure of, or access to, personal
data transmitted, stored, or otherwise processed.
Personal Information refers to any information, whether
recorded in a material form or not, from which the identity
of an individual is apparent or can be reasonably and

AJDoguiles – CLR Br . 93
Research on Legal Issue Raised on July 19, 2024 Hearing |
PP v. Casiño

directly ascertained by the entity holding the information,

or when put together with other information would directly
and certainly identify an individual.

Example: Full name, Passport number, Vehicle plate

number, Photograph/Video images of an individual,
Mobile telephone number, Personal email address,
Thumbprint, DNA profile, residential address,
residential telephone number.

Sensitive Information Sensitive refers to personal

information:

a. About an individual’s race, ethnic origin, marital

status, age, color, and religious, philosophical or
political affiliations.

b. About an individual’s health, education, genetic or

sexual life of a person, or to any proceeding for any
offense committed or alleged to have been committed
by such person, the disposal of such proceedings, or
the sentence of any court in such proceedings.

c. Issued by government agencies peculiar to an

individual which includes, but not limited to, social
security numbers, previous or cm-rent health records,
licenses or its denials, suspension or revocation, and
tax returns; and

d. Specifically established by an executive order or an

act of Congress to be kept classified.

Malicious Disclosure involves disclosing false or

unwarranted information with malice or bad faith.

Unauthorized Disclosure is the sharing of personal or

sensitive personal information without consent but without
the malicious intent.

AJDoguiles – CLR Br . 93
Research on Legal Issue Raised on July 19, 2024 Hearing |
PP v. Casiño

Question:

Is exact residential address within the scope of the

definition of personal information as defined by (DPA)
Data Privacy Act?

Yes, the exact residential address is within the

definition provided by the Data Privacy Act of 2012
(Republic Act No. 10173).
Under Section 3 (g) of the DPA, "Personal information"
refers to any information, whether recorded in a material
form or not, from which the identity of an individual is
apparent or can be reasonably and directly ascertained by
the entity holding the information, or when put together
with other information would directly and certainly identify
an individual.
An exact residential address would fall under this
definition of personal information, as it can directly identify
an individual when combined with other information.

II. Obligations as a Data Collector, Controller, and

Processor
Data Collector – obliged to collect personal information for
specified and legitimate purposes determined and
declared before, or as soon as reasonably practicable after
collection, and later processed in a way compatible with
such declared, specified and legitimate purposes only.

The data subject is entitled to:

a. be informed whether personal information pertaining to

him or her shall be, are being or have been processed; and

b. be furnished the information indicated hereunder before

the entry of his or her personal information into the

AJDoguiles – CLR Br . 93
Research on Legal Issue Raised on July 19, 2024 Hearing |
PP v. Casiño

processing system of the personal information controller, or

at the next practical opportunity:

1) Description of the personal information to be

entered into the system.

2) Purposes for which they are being or are to be

processed.

3) Scope and method of the personal information

processing.

4) The recipients or classes of recipients to whom they

are or may be disclosed.

5) Methods utilized for automated access, if the same

is allowed by the data subject, and the extent to which
such access is authorized.

6) The identity and contact details of the personal

information controller or its representative.

7) The period for which the information will be stored;

and

8) The existence of their rights, i.e., to access,

correction, as well as the right to lodge a complaint
before the Commission.

Any information supplied or declaration made to the data

subject on these matters shall not be amended without prior
notification of data subject:

Data Controller - refers to a person or organization who

controls the collection, holding, processing or use of
personal information, including a person or organization
who instructs another person or organization to collect,
hold, process, use, transfer or disclose personal information

AJDoguiles – CLR Br . 93
Research on Legal Issue Raised on July 19, 2024 Hearing |
PP v. Casiño

on his or her behalf.

The term EXCLUDES:

a. A person or organization who performs such functions as

instructed by another person or organization; and

b. An individual who collects, holds, processes or uses

personal information in connection with the individual’s
personal, family or household affairs.

Data Processor - refers to any natural or juridical person

qualified to act as such under DPA to whom a personal
information controller may outsource the processing of
personal data pertaining to a data subject.

The processing of personal information shall be permitted

only if not otherwise prohibited by law, and when at least
one of the following conditions exists:

a. The data subject has given his or her consent.

b. The processing of personal information is necessary and

is related to the fulfillment of a contract with the data
subject or in order to take steps at the request of the data
subject prior to entering into a contract.

c. The processing is necessary for compliance with a legal

obligation to which the personal information controller is
subject.

d. The processing is necessary to protect vitally important

interests of the data subject, including life and health.

e. The processing is necessary in order to respond to

national emergency, to comply with the requirements of
public order and safety, or to fulfill functions of public
authority which necessarily includes the processing of

AJDoguiles – CLR Br . 93
Research on Legal Issue Raised on July 19, 2024 Hearing |
PP v. Casiño

personal data for the fulfillment of its mandate; or

f. The processing is necessary for the purposes of the

legitimate interests pursued by the personal information
controller or by a third party or parties to whom the data is
disclosed, except where such interests are overridden by
fundamental rights and freedoms of the data subject which
require protection under the Philippine Constitution.

Question:
Are courts considered information collector,
information processor, or information controller
according to of Data Privacy Act of 2012?
Courts, as part of the judicial system, collect,
process, and control personal information necessary to
their official functions and legal proceedings. While courts
have legitimate reasons for collecting, controlling and
processing personal information, including residential
addresses, they also have a responsibility to protect this
information under the DPA.
The issue at hand involves the intersection of court
procedures, privacy rights, and data protection laws.
Courts generally operate on the principle of transparency
and the right of parties to access relevant information for
their case which is fundamental to ensuring due process
and a fair trial.

What are the legal Basis for Processing of Personal

Information (Sec. 12 and 13)

1. Consent - express consent of the data subject;

AJDoguiles – CLR Br . 93
Research on Legal Issue Raised on July 19, 2024 Hearing |
PP v. Casiño

2. Contract- to supply goods or services they have

requested, or to fulfil your obligations under an employment
contract. This also includes steps taken at their request
before entering into a contract;

3. Compliance with a legal obligation - if you are required

by law to process the data;

4. Vital interests - you can process personal information if it

is necessary to protect the data subject’s life and health;

5. National emergency - to respond to national emergency

or to comply with the requirements of public order and
safety;

6. Public task - if you need to process personal information

to carry out public function or service and you have a legal
basis for the processing; or

7. Legitimate interests: for the private sector, you can

process personal data without consent if you have a genuine
and legitimate reason, unless this is overridden by
fundamental rights and freedoms of the data subject

-
Under Section 22 of the DPA, exceptions in the
prohibition to process sensitive personal and privileged
information are the following:

a. Consent is given by data subject, or by the parties to

the exchange of privileged information, prior to the
processing of the sensitive personal information or
privileged information, which shall be undertaken pursuant
to a declared, specified, and legitimate purpose;

b. The processing of the sensitive personal information or

privileged information is provided for by existing laws
and regulations: Provided, that said laws and regulations

AJDoguiles – CLR Br . 93
Research on Legal Issue Raised on July 19, 2024 Hearing |
PP v. Casiño

do not require the consent of the data subject for the

processing, and guarantee the protection of personal data;

c. The processing is necessary to protect the life and

health of the data subject or another person, and the
data subject is not legally or physically able to express his
or her consent prior to the processing;

d. The processing is necessary to achieve the lawful and

noncommercial objectives of public organizations and
their associations provided that:

1. Processing is confined and related to the bona fide

members of these organizations or their associations.

2. The sensitive personal information are not

transferred to third parties.

3. Consent of the data subject was obtained prior to

processing.

e. The processing is necessary for the purpose of medical

treatment: Provided, that it is carried out by a medical
practitioner or a medical treatment institution, and an
adequate level of protection of personal data is ensured; or

f. The processing concerns sensitive personal information or

privileged information necessary for the protection of
lawful rights and interests of natural or legal persons
in court proceedings, or the establishment, exercise, or
defense of legal claims, or when provided to government or
public authority pursuant to a constitutional or statutory
mandate.

III. Rights of Litigants as Data Subjects

AJDoguiles – CLR Br . 93
Research on Legal Issue Raised on July 19, 2024 Hearing |
PP v. Casiño

1. Right to be informed: Litigants have the right to know if

their personal data is being processed, including details
about the processing.

2. Right to object: Litigants can object to the processing of

their personal data, including for direct marketing or
automated processing.

3. Right to access: Litigants can request access to their

processed personal data and related information.

4. Right to rectification: Litigants can request correction of

inaccurate or erroneous personal data.

5. Right to erasure or blocking: Litigants can request the

removal or destruction of their personal data under certain
circumstances.

6. Right to damages: Litigants can claim compensation for

damages resulting from improper use of their personal data.

7. Right to data portability: Litigants can obtain a copy of

their personal data in a commonly used electronic format.

8. Right to file a complaint: Litigants can file complaints

with the National Privacy Commission if their privacy rights
are violated.

IV. Principle of Legitimate Purpose

The processing of information shall be compatible with a

declared and specified purpose, which must not be contrary
to law, morals, or public policy.

1. Consent is required prior to the collection and processing

of personal data, subject to exemptions provided by the Act

AJDoguiles – CLR Br . 93
Research on Legal Issue Raised on July 19, 2024 Hearing |
PP v. Casiño

and other applicable laws and regulations. When consent is

required, it must be time-bound in relation to the declared,
specified and legitimate purpose. Consent given may be
withdrawn.

2. The data subject must be provided specific information

regarding the purpose and extent of processing, including,
where applicable, the automated processing of his or her
personal data for profiling, or processing for direct
marketing, and data sharing.

3. Purpose should be determined and declared before, or as

soon as reasonably practicable, after collection. 4. Only
personal data that is necessary and compatible with
declared, specified, and legitimate purpose shall be
collected.

V. Discussion on DPA vis-à-vis Address

Requirement in Pleadings

The Rules of Court requires that pleadings state the address

of the parties. However, this needs to be balanced with
constitutional right to privacy.
Courts, as government institutions, are bound by the DPA
under Section 4(a).
“Section 4. Scope. The Act and these Rules apply to the
processing of personal data by any natural and
juridical person in the government or private sector.
They apply to an act done or practice engaged in and
outside of the Philippines if:
a. The natural or juridical person involved in the
processing of personal data is found or established in
the Philippines...”

AJDoguiles – CLR Br . 93
Research on Legal Issue Raised on July 19, 2024 Hearing |
PP v. Casiño

Courts have a duty to protect personal information in their

custody. Under Section 20 of the DPA, Courts are required
to implement reasonable and appropriate organizational,
physical, and technical measures for Data Sharing to
protect personal information.

Whether the Court's disclosure of the accused party's

particular address on record to the other private
complainant without the accused party's consent
violates the Data Privacy Act of 2012.

Yes, Court's disclosure of the accused party's

particular address on record to the private complainant,
without a legitimate purpose, would be considered an
unauthorized disclosure under the DPA.
Courts generally have a legitimate purpose for
processing personal information during judicial
proceedings. However, the disclosure must be necessary for
the administration of justice. According to the Principle of
Proportionality under the DPA, the disclosure should be
proportional to the purpose. A general location might suffice
in many cases, rather than disclosing an exact residential
address.
Generally, courts should disclose only the minimum
information necessary for the legitimate purpose.

V. Recommendations:

1. Remove the information sheet from the main case

folder and store it separately, accessible only to
authorized court personnel.

AJDoguiles – CLR Br . 93
Research on Legal Issue Raised on July 19, 2024 Hearing |
PP v. Casiño

2. For future pleadings, advise the Prosecutor’s office to

coordinate with the Public Attorney's Office for
submission rather than requesting the address directly
to private parties.

3. Establish a filing system for handling sensitive

personal data in court records, with strict limitations
on disclosure:

For old case folders containing attached information

sheets with sensitive personal data:

a. Designate a secure area for viewing these

folders.

b. Mandate that a trained court staff member be

present at all times when non-court personnel
are viewing these folders.

c. The court staff member should provide a

verbal reminder about data privacy
regulations before allowing access. Explicitly
prohibit any form of reproduction, including
photographs, photocopies, or manual
transcription of sensitive information.

4. Consider obtaining consent from parties for potential

disclosures of contact information at the start of
proceedings.

AJDoguiles – CLR Br . 93