The Philippines Data Privacy Act (RA 10173) was enacted in 2012, but the Implementing Rules and Regulations (IRR) were only issued in 2016 and became enforceable on September 9, 2016. The majority of the provisions are actually based on the European Union (EU) directive, including the reform initiatives which led to the EU General Data Protection Regulation (GDPR). All references to the Philippines Data Privacy Act (RA 10173) in this article include the IRR and other relevant issuances.
The National Privacy Commission (NPC) is a body that is mandated to administer and implement this law. The functions of the NPC include rule-making, advisory, public education, compliance and monitoring, investigations and complaints, and enforcement.
In general, the Philippines Data Privacy Act (RA 10173) applies to the processing of personal data by any natural or juridical person in the government or private sector. The Philippines Data Privacy Act (RA 10173) would apply to an act done or practice engaged in, whether inside or outside the Philippines, in the instances described below.
First, the natural or juridical person involved in the processing of personal data is found or established in the Philippines.
Secondly, the Philippines Data Privacy Act (RA 10173) would affect an entity if the processing of personal data is done or engaged in by an entity with links to the Philippines. This can include, among others, organisations that have equipment located in the Philippines that is used to process personal data, or entities that have branches, subsidiaries or affiliates in the country which have access to that personal data.
The third instance is where the processing of personal data is done in the Philippines. Lastly, the Act applies if the processing relates to personal data about a Philippine citizen or Philippine resident.
Definitions – Philippines Data Privacy Act (RA 10173)
The Philippines Data Privacy Act (RA 10173) contains some important definitions: the data subject, the data processing system, data sharing, and the personal information controller and processor, among others. Personal data includes personal information, where the identity of the individual is apparent, as well as sensitive personal information, which includes, among others, information issued by government agencies such as tax identification numbers, social security numbers, and other related information. The Philippines Data Privacy Act (RA 10173) likewise describes the general data privacy principles of transparency, legitimate purpose, and proportionality.
There are also some general principles regarding collection, processing and retention. One of the most important revolves around consent. Consent must be time-bound in relation to the declared, specified and legitimate purpose. What does this mean? You can’t obtain consent in perpetuity, or for a use that has not yet been determined at the time consent is obtained. Another requirement is that consent given can be withdrawn by the data subject.
The general principles also state that data sharing shall be allowed in the private sector if the subject consents to the data sharing. Importantly, consent for data sharing shall be required even if the data to be shared will be shared with an affiliate or mother company.
Security measures for personal data
As far as security measures are concerned, there are basically three types: organisational security measures, physical security measures and technical security measures. The NPC can actually determine the appropriate level of security based on the following criteria:
- Nature of the personal data that requires protection;
- Risks posed by the processing;
- Size of your organisation and complexity of its operations;
- Current data privacy best practices; and
- Cost of implementation of the security measures.
The Philippines Data Privacy Act (RA 10173) also outlines the rights of the data subject: the rights to be informed, to object, to access, to rectification, to erasure or blocking, to lodge a complaint, to damages, and to data portability.
Organisations are supposed to register their personal data processing system with the NPC. The personal data processing system is basically the structure and procedure by which personal data is collected and further processed.
The IRR mentions four instances where registration is required:
- If the personal information controller or processor employs at least 250 persons;
- If fewer than 250 persons are employed but the processing is not occasional;
- If fewer than 250 persons are employed but the processing of the information might pose a risk to the rights and freedoms of the data subject; and
- If sensitive personal information of at least 1,000 individuals is processed.
Data breach reporting
One of the requirements under the IRR is that the organisation keeps records of all security incidents and data breaches. At the end of the year, a report with a summary of these security incidents and data breaches should be submitted to the NPC.
A security incident management policy is also required, which basically refers to policies and procedures implemented to govern the actions to be taken in case of a security incident or personal data breach. This includes, among others, the creation of a data breach response team and the implementation of an incident response procedure.
With regard to reporting of a data breach, the personal information controller is responsible even if the processing is outsourced or subcontracted to a third party. As to who is to be notified, it would be the NPC and the affected data subjects. Notification must take place within 72 hours from knowledge of the personal data breach. Notification of the breach shall be required when sensitive personal information, or any other information that may be used for identity fraud, is reasonably believed to have been acquired by an unauthorised person, and the personal information controller or the NPC believes that it will give rise to a real risk of serious harm to the affected data subject.
Appointment of Data Protection Officer
Another requirement under the Philippines Data Privacy Act (RA 10173) is for the company to appoint a data protection officer (DPO), who must be an organic employee of the personal information controller or processor. In addition, a compliance officer for privacy (COP), an individual who performs some of the functions of a DPO in a related entity or agency, can likewise be designated. Although the DPO is required to be an organic employee of the company, the DPO’s functions may be outsourced to a third-party service provider, subject to the DPO overseeing the outsourced functions and remaining the contact person for the personal information controller or processor.
Other things to note
The organisation should also have data protection policies, which include security measures. The Philippines Data Privacy Act (RA 10173) also stipulates that outsourcing agreements, data transfer agreements or data sharing agreements should be in place for any disclosure or transfer of personal data to third parties. Lastly, personnel must be trained regarding the Philippines Data Privacy Act (RA 10173).
The NPC has likewise issued rules of procedure in relation to complaints that may be filed by affected parties and the process of the proceedings that may be conducted. Either on its own or because of a complaint, the NPC may conduct an investigation, and then it can impose administrative fines and penalties. Advisory opinions may likewise be issued by the NPC in relation to data privacy or personal data protection.
In addition, the NPC can also recommend criminal prosecution to the Department of Justice. The penalties may include fines plus imprisonment. Thus, the organisation can be liable twice: for the administrative fines and under the criminal prosecution.
Culture of privacy
Admittedly, the IRR is new. Therefore, the implementation and the enforcement of the rules have not yet been tested in the courts. There is no reported case yet, but we understand that the NPC is currently investigating several complaints and has, in fact, released its findings on some of them. One of the main goals of the NPC, which it has emphasised from the beginning, is to develop a culture of privacy in the Philippines.
In 2011, she left private practice and joined the Securities and Exchange Commission, where she was Securities Counsel of the Company Registration and Monitoring Department, and later Chief Counsel of the Market Regulation Department and Member of the Special Hearing Panel. Her practice in the agency covered the processing of various applications of domestic and foreign companies and the review and formulation of regulations and policies of entities involved in securities.
Thel joined C&G Law in 2013 where her practice covers corporate and commercial matters including energy, banking, financing, securities, insurance and data protection.