To be or not to be a data protection officer – this is indeed the question on many a company officer’s mind as the deadline for Phase One Registration under the Philippine Data Privacy Act of 2012 (DPA) – September 9, 2017 – draws near.
The DPA requires personal information controllers (PICs) and processors (PIPs) to appoint a data protection officer or DPO, the person charged with the task of ensuring that the PIC/PIP is compliant with DPA regulations. One of those requirements (under certain conditions) is registration of a PIC’s (or PIP’s) data processing system with the National Privacy Commission of the Philippines. The aforesaid Phase One does not seem to be too painful: it just requires the submission of a completed registration form together with some basic corporate documents.
But the form needs to provide information about, and should be signed by, the DPO and there’s the rub. While some would-be registrants have immediately found candidates, others are scrambling to appoint theirs.
What does it take to be a data protection officer?
In an advisory focused on the qualifications of a data protection officer (NPC Advisory No. 2017-01), the National Privacy Commission noted that a data protection officer must be a full-time or organic employee of the PIC or PIP, although exceptions are contemplated — where “otherwise allowed by law” or allowed by the commission. For example, a group of related companies may lawfully appoint or designate the DPO of one of its members to be primarily accountable for ensuring the compliance of the entire group with all data protection policies. This, however, must be approved by the commission, and if so allowed, the other group members must still have a compliance officer for privacy (COP) – essentially the DPO’s side-kick. The advisory also informed organizations that the commission can approve the appointment of a COP rather than a DPO in “analogous cases”.
The National Privacy Commission also has noted that the data protection officer ideally should be a regular employee, and “[w]here the employment… is based on a contract, the term or duration thereof should at least be two years.” However, based on the commission’s advisory, it appears that the commission will not accept consultants and project employees as a DPO. This seems to leave a fixed-term employee as the only alternative to a regular employee.
Do DPOs have to be Filipinos? There is no requirement at present, unless the PIC or PIP is subject to a nationality restriction that may prohibit officers or employees from being foreign nationals.
Do they have to be Philippine residents? Again, there is no requirement at present, although having a foreign-based employee may present practical difficulties, among them that the commission may nevertheless require the PIC or PIP to have a locally based COP.
Double duty – Conflict of interest for DPOs
PICs and PIPs have been searching closer to home for data protection officers, with the plan of having a current employee act as DPO while discharging that person’s current functions. But this triggers another common challenge. While a DPO is not prohibited from occupying another post or discharging other functions, that post or those functions should not conflict with the privacy law mandate of the DPO. The advisory states that there is a conflict of interest when the other functions of the DPO “leads him to determine the purposes and the means of the processing of personal data.” Thus, PICs/PIPs who had naturally turned to IT heads and HR officers have had to re-think their initial choices.