The Philippines Data Privacy Act (RA 10173) was enacted in 2012, but the Implementing Rules and Regulations (IRR) were only issued in 2016 and became enforceable on September 9, 2016. The majority of the provisions are actually based on the European Union (EU) directive, including the reform initiatives which led to the EU General Data Protection Regulation (GDPR). All references to the Philippines Data Privacy Act (RA 10173) in this article include the IRR and other relevant issuances.
The National Privacy Commission (NPC) is a body that is mandated to administer and implement this law. The functions of the NPC include rule-making, advisory, public education, compliance and monitoring, investigations and complaints, and enforcement.
In general, the Philippines Data Privacy Act (RA 10173) applies to the processing of personal data by any natural or juridical person in the government or private sector. The Philippines Data Privacy Act (RA 10173) would apply to an act done or practice engaged in both inside and outside of the Philippines in the instances described below.
First, the natural or juridical person involved in the processing of personal data is found or established in the Philippines.
Secondly, the Philippines Data Privacy Act (RA 10173) would affect an entity if the processing of personal data is done or engaged in by an entity with links to the Philippines. This can include, among others, organisations that have equipment located in the Philippines that is used to process personal data, or entities that have branches, subsidiaries or affiliates in the country that have access to that personal data.
The third instance is if the processing of personal data is done in the Philippines. Lastly, the law applies if the processing relates to personal data about a Philippine citizen or Philippine resident.
Definitions – Philippines Data Privacy Act (RA 10173)
The Philippines Data Privacy Act (RA 10173) contains some important definitions. You have the data subject, the data processing system, data sharing, and the personal information controller and processor, among others. Personal data includes personal information, where the identity of the individual is apparent, as well as sensitive personal information, which covers, among others, information issued by government agencies such as tax identification numbers, social security numbers, and other related information. The Philippines Data Privacy Act (RA 10173) likewise describes the general data privacy principles of transparency, legitimate purpose, and proportionality.
There are also some general principles regarding collection, processing and retention. One of the most important revolves around consent. Consent must be time-bound in relation to the declared, specified and legitimate purpose. What does this mean? You can’t get consent in perpetuity, or for a use that has not yet been determined at the time consent is obtained. Another requirement is that consent given can be withdrawn by the data subject.
The general principles also state that data sharing shall be allowed in the private sector if the subject consents to the data sharing. Importantly, consent for data sharing shall be required even if the data to be shared will be shared with an affiliate or mother company.
Security measures for personal data
As far as security measures are concerned, there are basically three types: organisational security measures, physical security measures and technical security measures. The NPC can actually determine the appropriate level of security based on the following criteria:
- Nature of the personal data that requires protection;
- Risks posed by the processing;
- Size of your organisation and complexity of its operations;
- Current data privacy best practices; and
- Cost of implementation of the security measures.
The Philippines Data Privacy Act (RA 10173) also outlines the rights of the data subject. These are the rights to be informed, to object, to access, to rectification, to erasure or blocking, to lodge a complaint, to damages, and to data portability.
Organisations are supposed to register their personal data processing system with the NPC. A personal data processing system is basically the structure and procedure by which personal data is collected and further processed.
The IRR mentions four instances where registration is required:
- If the personal information controller or processor employs at least 250 persons;
- If less than 250 persons are employed but the processing is not occasional;
- If less than 250 persons are employed but the processing of the information might pose a risk to the rights and freedoms of the data subject; and
- If sensitive personal information of at least 1,000 individuals is processed.