
Implementing Rules and Regulations of the Philippines Data Privacy Act (RA 10173)

The Philippines Data Privacy Act (RA 10173) was enacted in 2012, but its Implementing Rules and Regulations (IRR) were only issued in 2016 and became enforceable on September 9, 2016. The majority of its provisions are based on the European Union (EU) directive, including the reform initiatives which led to the EU General Data Protection Regulation (GDPR). All references to the Philippines Data Privacy Act (RA 10173) in this article include the IRR and other relevant issuances.

The National Privacy Commission (NPC) is the body mandated to administer and implement the law. The functions of the NPC include rule-making, advisory, public education, compliance and monitoring, investigations and complaints, and enforcement.

In general, the Philippines Data Privacy Act (RA 10173) applies to the processing of personal data by any natural or juridical person in the government or private sector. The Philippines Data Privacy Act (RA 10173) applies to an act done or practice engaged in, whether inside or outside the Philippines, in the instances described below.

First, the natural or juridical person involved in the processing of personal data is found or established in the Philippines.

Secondly, the Philippines Data Privacy Act (RA 10173) applies where the processing of personal data is done or engaged in by an entity with links to the Philippines. This includes, among others, organisations that have equipment located in the Philippines that is used to process personal data, and entities with branches, subsidiaries or affiliates in the country which have access to that personal data.

The third instance is where the processing of personal data is done in the Philippines. Lastly, the law applies where the processing relates to personal data about a Philippine citizen or Philippine resident.


Definitions – Philippines Data Privacy Act (RA 10173)

The Philippines Data Privacy Act (RA 10173) contains some important definitions, among them the data subject, the data processing system, data sharing, and the personal information controller and processor. Personal data includes personal information, where the identity of the individual is apparent, as well as sensitive personal information, which covers, among others, information issued by government agencies such as tax identification numbers, social security numbers, and other related information. The Philippines Data Privacy Act (RA 10173) likewise sets out the general data privacy principles of transparency, legitimate purpose, and proportionality.

There are also some general principles regarding collection, processing and retention. One of the most important revolves around consent. Consent must be time-bound in relation to the declared, specified and legitimate purpose. What does this mean? You cannot obtain consent in perpetuity, or for a use that has not yet been determined at the time the consent is obtained. A further requirement is that consent, once given, can be withdrawn by the data subject.

The general principles also state that data sharing in the private sector is allowed if the data subject consents to it. Importantly, consent for data sharing is required even if the data is to be shared with an affiliate or parent company.


Security measures for personal data

As far as security measures are concerned, there are three types: organisational security measures, physical security measures and technical security measures. The NPC may determine the appropriate level of security based on the following criteria:

  1. Nature of the personal data that requires protection;
  2. Risks posed by the processing;
  3. Size of your organisation and complexity of its operations;
  4. Current data privacy best practices; and
  5. Cost of implementation of the security measures.

The Philippines Data Privacy Act (RA 10173) also outlines the rights of the data subject: the rights to be informed, to object, to access, to rectification, to erasure or blocking, to lodge a complaint, to damages and to data portability.

Organisations are required to register their personal data processing system with the NPC. A personal data processing system is the structure and procedure by which personal data is collected and further processed.

The IRR mentions four instances where registration is required:

  1. If the personal information controller or processor employs at least 250 persons;
  2. If less than 250 persons are employed but the processing is not occasional;
  3. If less than 250 persons are employed but the processing of the information might pose a risk to the rights and freedoms of the data subject; and
  4. If sensitive personal information of at least 1,000 individuals is processed.

Mary Thel Mundin

Partner at C & G Law
Mary Thel Mundin joined C&G Law in 2013 where her practice covers corporate and commercial matters including energy, banking, financing, securities, insurance and data protection. Prior to that, she was with the Securities and Exchange Commission as Securities Counsel of the Company Registration and Monitoring Department, and later Chief Counsel of the Market Regulation Department and Member of the Special Hearing Panel. Thel has also worked for Kelvin Chia Partnership (Singapore) and SyCip Salazar Hernandez & Gatmaitan (Philippines).


1 Comment

1. Anonymous says

If officers of a homeowners association demand personal information from homeowners, are they covered by the Phil Data Privacy Act?
