
Data Privacy Act OF 2012 UNDER RA 10173

The document is the Data Privacy Act of 2012 in the Philippines. It aims to protect personal information and privacy rights. Some key points:
- It covers all personal information of both natural and juridical persons processed by government and private entities.
- Individuals have rights like access to their data and consent requirements for processing. Sensitive personal information has more restrictions.
- Entities that process personal data of 1000+ people or have 250+ employees must register and comply with the law.
- It regulates the collection, recording, organization, storage and other processing of personal information.

DATA PRIVACY ACT OF 2012
UNDER RA 10173
AN ACT PROTECTING INDIVIDUAL PERSONAL
INFORMATION IN INFORMATION AND
COMMUNICATIONS SYSTEMS IN THE
GOVERNMENT AND THE PRIVATE SECTOR,
CREATING FOR THIS PURPOSE A NATIONAL
PRIVACY COMMISSION, AND FOR OTHER
PURPOSES
Data Privacy Act
Declaration of Policy.
It is the policy of the State to protect the
fundamental human right of privacy, of
communication while ensuring free flow of
information to promote innovation and
growth. The State recognizes the vital role of
information and communications technology
in nation-building and its inherent obligation
to ensure that personal information in
information and communications systems in
the government and in the private sector are
secured and protected.

What is covered by the Data Privacy Act?
• RA 10173, otherwise known as the Data
Privacy Act is a law that seeks to protect
all forms of information, be it private,
personal, or sensitive. It is meant
to cover both natural and juridical persons
involved in the processing of personal
information.

What are your rights under RA 10173 or
Data Privacy Act of 2012?
• RA 10173, or the Data Privacy Act,
protects individuals from unauthorized
processing of personal information that is
(1) private, not publicly available; and
(2) identifiable, where the identity
of the individual is apparent either
through direct attribution or when put
together with other available information.

What is the purpose of Data Privacy Act of
2012?
• Republic Act No. 10173 or Data Privacy
Act of 2012 is an act protecting
individual personal information in
information and communications systems
in the government and the private sector,
creating for this purpose a
national privacy commission, and for
other purposes.

What are your rights under RA 10173 or Data
Privacy Act of 2012?
• The right to access
• Under the Data Privacy Act of 2012, you
have a right to obtain from an organization
a copy of any information relating to you
that they have on their computer database
and/or manual filing system.
• The contents of your personal data that
were processed.
• The sources from which they were obtained.

What is Personal Data?
Personal Data refers to personal
information, sensitive personal
information, and privileged information.
This is information that can reasonably
identify a particular person.

What is sensitive personal information?
• Sensitive personal information refers to
personal information about an individual’s
race, ethnic origin, marital status, age and
color; religious, philosophical or political
affiliations; health, education, genetic or
sexual life; proceedings for committed or
alleged offenses; issued by government
agencies that are peculiar to an individual; and
specifically established by an executive order
or an act of Congress to be kept classified.

What is processing of personal data?
• Processing refers to any operation or any
set of operations performed on personal
information: collection, recording,
organization, storage, updating, retrieval,
use, consolidation, blocking or destruction
of data, through automated means or
manual processing.

Is processing of personal information prohibited?
All processing of sensitive and personal
information is prohibited except in certain
circumstances. The exceptions are:
• Consent of the data subject;
• Pursuant to law that does not require consent;
• Necessity to protect life and health of a person;
• Necessity for medical treatment;
• Necessity to protect the lawful rights of data
subjects in court proceedings, legal proceedings,
or regulation.

What are your rights as a data subject?
The Data Privacy Act provides the following rights
in relation to your personal data:
• Right to be informed of the processing of your
personal information.
• Right to object to the processing of your personal
information.
• Right to access the content, sources, names and
addresses of recipients, and reason for disclosure
to the recipients, and name, designation and
address of the personal information controller.
• Right to correct any error in your personal
information.

What are your rights as a data subject? (cont…)
• Right to block/remove your personal information
from PNB’s records.
• Right to data portability or to obtain a copy of the
data being processed in an electronic or structured
format.
• Right to be indemnified for damages sustained due
to inaccurate, incomplete, outdated, false,
unlawfully obtained, or unauthorized use of your
personal information.
• Right to file complaints for violations of the Act, its
implementing rules, and your rights as data subject.

What does this entail?
• First, all personal information must be collected for
reasons that are specified, legitimate, and reasonable. In
other words, customers must opt in for their data to be
used for specific reasons that are transparent and legal.
• Second, personal information must be handled properly.
Information must be kept accurate and relevant, used
only for the stated purposes, and retained only for as
long as reasonably needed. Customers must be active in
ensuring that other, unauthorized parties do not have
access to their customers’ information.
• Third, personal information must be discarded in a way
that does not make it visible and accessible to
unauthorized third parties.

Who needs to register?
• Companies with at least 250 employees or
access to the personal and identifiable
information of at least 1,000 people are
required to register with the National
Privacy Commission and comply with the
Data Privacy Act of 2012. Some of these
companies are already on their way to
compliance — but many more are unaware
that they are even affected by the law.

Personal information:
refers to any information whether recorded
in a material form or not, from which the
identity of an individual is apparent or can
be reasonably and directly ascertained by
the entity holding the information, or when
put together with other information would
directly and certainly identify an individual.

Personal information controller:
refers to a person or organization who controls the
collection, holding, processing or use of personal
information, including a person or organization who
instructs another person or organization to collect,
hold, process, use, transfer or disclose personal
information on his or her behalf. The term excludes:
(1) A person or organization who performs such
functions as instructed by another person or
organization; and
(2) An individual who collects, holds, processes or
uses personal information in connection with the
individual’s personal, family or household affairs.

Personal information processor:
refers to any natural or juridical person
qualified to act as such under this Act to whom
a personal information controller may
outsource the processing of personal data
pertaining to a data subject.
Processing:
refers to any operation or any set of operations
performed upon personal information including,
but not limited to, the collection, recording,
organization, storage, updating or modification,
retrieval, consultation, use, consolidation,
blocking, erasure or destruction of data.

Sensitive personal information refers to personal
information:
• About an individual’s race, ethnic origin, marital status,
age, color, and religious, philosophical or political
affiliations;
• About an individual’s health, education, genetic or sexual
life of a person, or to any proceeding for any offense
committed or alleged to have been committed by such
person, the disposal of such proceedings, or the sentence
of any court in such proceedings;
• Issued by government agencies peculiar to an individual
which includes, but not limited to, social security numbers,
previous or current health records, licenses or its denials,
suspension or revocation, and tax returns; and
• Specifically established by an executive order or an act of
Congress to be kept classified.

Scope
This Act applies to the processing of all
types of personal information and to any
natural and juridical person involved in
personal information processing including
those personal information controllers and
processors who, although not found or
established in the Philippines, use
equipment that are located in the
Philippines, or those who maintain an office,
branch or agency in the Philippines.

This Act does not apply to the following:
• Information about any individual who is or was an officer
or employee of a government institution that relates to
the position or functions of the individual, including:
(1) The fact that the individual is or was an officer or
employee of the government institution;
(2) The title, business address and office telephone
number of the individual;
(3) The classification, salary range and responsibilities of
the position held by the individual; and
(4) The name of the individual on a document prepared
by the individual in the course of employment with the
government;

This Act does not apply to the following: (cont..)
• Information about an individual who is or was
performing service under contract for a
government institution that relates to the
services performed, including the terms of the
contract, and the name of the individual given in
the course of the performance of those services;
• Information relating to any discretionary benefit
of a financial nature such as the granting of a
license or permit given by the government to an
individual, including the name of the individual
and the exact nature of the benefit;

This Act does not apply to the following: (cont..)
• Personal information processed for journalistic, artistic,
literary or research purposes;
• Information necessary in order to carry out the functions
of public authority which includes the processing of
personal data for the performance by the independent,
central monetary authority and law enforcement and
regulatory agencies of their constitutionally and
statutorily mandated functions. Nothing in this Act shall
be construed as to have amended or repealed Republic
Act No. 1405, otherwise known as the Secrecy of Bank
Deposits Act; Republic Act No. 6426, otherwise known as
the Foreign Currency Deposit Act; and Republic Act No.
9510, otherwise known as the Credit Information System
Act (CISA);

This Act does not apply to the following: (cont..)
• Information necessary for banks and other financial
institutions under the jurisdiction of the
independent, central monetary authority or
Bangko Sentral ng Pilipinas to comply with Republic
Act No. 9510, and Republic Act No. 9160, as
amended, otherwise known as the Anti-Money
Laundering Act and other applicable laws; and
• Personal information originally collected from
residents of foreign jurisdictions in accordance with
the laws of those foreign jurisdictions, including any
applicable data privacy laws, which is being
processed in the Philippines.

General Data Privacy Principles
The processing of personal information
shall be allowed, subject to compliance
with the requirements of this Act and other
laws allowing disclosure of information to
the public and adherence to the principles
of transparency, legitimate purpose and
proportionality.

Personal information must be:
• Collected for specified and legitimate
purposes determined and declared before,
or as soon as reasonably practicable after
collection, and later processed in a way
compatible with such declared, specified
and legitimate purposes only;
• Processed fairly and lawfully;

Personal information must be: (cont…)
• Accurate, relevant and, where necessary for
purposes for which it is to be used the processing of
personal information, kept up to date; inaccurate or
incomplete data must be rectified, supplemented,
destroyed or their further processing restricted;
• Adequate and not excessive in relation to the
purposes for which they are collected and processed;
• Retained only for as long as necessary for the
fulfillment of the purposes for which the data was
obtained or for the establishment, exercise or
defense of legal claims, or for legitimate business
purposes, or as provided by law; and

Personal information must be: (cont…)
• Kept in a form which permits identification of data
subjects for no longer than is necessary for the
purposes for which the data were collected and
processed: Provided, That personal information
collected for other purposes may be processed for
historical, statistical or scientific purposes, and in cases
laid down in law may be stored for longer periods:
Provided, further, That adequate safeguards are
guaranteed by said laws authorizing their processing.
The personal information controller must ensure
implementation of personal information processing
principles set out herein.

Responsibility of Heads of Agencies
All sensitive personal information maintained by
the government, its agencies and
instrumentalities shall be secured, as far as
practicable, with the use of the most appropriate
standard recognized by the information and
communications technology industry, and as
recommended by the Commission.
The head of each government agency or
instrumentality shall be responsible for complying
with the security requirements mentioned herein
while the Commission shall monitor the
compliance and may recommend the necessary
action in order to satisfy the minimum standards.

Unauthorized Processing of Personal Information
and Sensitive Personal Information.
• The unauthorized processing of personal
information shall be penalized by
imprisonment ranging from one (1) year to
three (3) years and a fine of not less than Five
hundred thousand pesos (Php500,000.00) but
not more than Two million pesos
(Php2,000,000.00) shall be imposed on
persons who process personal information
without the consent of the data subject, or
without being authorized under this Act or any
existing law.

Unauthorized Processing of Personal Information
and Sensitive Personal Information. (cont…)
• The unauthorized processing of personal
sensitive information shall be penalized by
imprisonment ranging from three (3) years to
six (6) years and a fine of not less than Five
hundred thousand pesos (Php500,000.00) but
not more than Four million pesos
(Php4,000,000.00) shall be imposed on
persons who process personal information
without the consent of the data subject, or
without being authorized under this Act or any
existing law.

Thank you for reading and
please be ready
for a short quiz next week.
Keep Safe and See You
Soon!