To be or not to be a data protection officer – this is indeed the question on many a company officer’s mind as the deadline for Phase One Registration under the Philippine Data Privacy Act of 2012 (DPA) – September 9, 2017 – draws near.
The DPA requires personal information controllers (PICs) and processors (PIPs) to appoint a data protection officer or DPO, the person charged with the task of ensuring that the PIC/PIP is compliant with DPA regulations. One of those requirements (under certain conditions) is registration of a PIC’s (or PIP’s) data processing system with the National Privacy Commission of the Philippines. The aforesaid Phase One does not seem to be too painful: it just requires the submission of a completed registration form together with some basic corporate documents.
But the form needs to provide information about, and should be signed by, the DPO, and there's the rub. While some would-be registrants have immediately found candidates, others are scrambling to appoint theirs.
What does it take to be a data protection officer?
In an advisory focused on the qualifications of a data protection officer (NPC Advisory No. 2017-01), the National Privacy Commission noted that a data protection officer must be a full-time or organic employee of the PIC or PIP, although exceptions are contemplated where "otherwise allowed by law" or allowed by the commission. For example, a group of related companies may lawfully appoint or designate the DPO of one of its members to be primarily accountable for ensuring the compliance of the entire group with all data protection policies. This, however, must be approved by the commission, and if so allowed, the other group members must still each have a compliance officer for privacy (COP), essentially the DPO's sidekick. The advisory also informed organizations that the commission can approve the appointment of a COP rather than a DPO in "analogous cases".
The National Privacy Commission also noted that the data protection officer ideally should be a regular employee, and "[w]here the employment… is based on a contract, the term or duration thereof should at least be two years." Based on the commission's advisory, it appears that the commission will not accept consultants or project employees as DPOs. This seems to leave a fixed-term employee as the only alternative to a regular employee.
Do DPOs have to be Filipinos? There is no requirement at present, unless the PIC or PIP is subject to a nationality restriction that may prohibit officers or employees from being foreign nationals.
Do they have to be Philippine residents? Again, there is no requirement at present, although having a foreign-based employee may present practical difficulties, among them that the commission may nevertheless require the PIC or PIP to have a locally based COP.
Double duty – Conflict of interest for DPOs
PICs and PIPs have been searching closer to home for data protection officers, with the plan of having a current employee act as DPO while discharging that person’s current functions. But this triggers another common challenge. While a DPO is not prohibited from occupying another post or discharging other functions, that post or those functions should not conflict with the privacy law mandate of the DPO. The advisory states that there is a conflict of interest when the other functions of the DPO “leads him to determine the purposes and the means of the processing of personal data.” Thus, PICs/PIPs who had naturally turned to IT heads and HR officers have had to re-think their initial choices.
Specialized knowledge for data protection officers
DPO candidates need to have data privacy expertise as well as sufficient understanding of the processing operations being carried out by the PIC or PIP. This requirement has thrown off some companies; the Philippines does not exactly have a deep pool of privacy professionals, and for good reason – the law and its rules are fairly new. Meanwhile, the “conflict of interest” prohibition boxes out persons who already handle data and would likely be looking after its security as part of their functions.
Persons who understand systems management or have information security backgrounds with a focus on protecting data should be able to understand the new privacy law regime, and the advisory clearly allows data protection officers to outsource audit and recommendatory functions especially in identifying technical and practical security measures.
Slings and arrows – DPO liabilities
The DPA and its rules are clear that the responsibility for complying with the law rests with the PIC or PIP (as relevant), but are equally clear that where the offender is a corporation or any other juridical person, responsible officers who participated in, or by their gross negligence, allowed the occurrence of a breach would be held liable and may suffer penalties. The DPO could be one of those officers. In its advisory on DPO appointment, the National Privacy Commission noted that “malfeasance, misfeasance, or nonfeasance on the part of the DPO or COP relative to his designated functions may still be a ground for administrative, civil or criminal liability, in accordance with all applicable laws.”
Who’s the boss?
Would-be DPOs may take comfort that the National Privacy Commission advisory seeks to balance the burden with "protections": a directive to PICs/PIPs to accord DPOs "a significant degree of autonomy" to enable the DPO to do his or her job with independence. In this connection, employers are not supposed to "directly or indirectly penalize or dismiss" or "threaten" DPOs or COPs for, we assume, doing their jobs. To prevent management from having conniptions, the advisory does say that this does not preclude the legitimate application of labor laws. Essentially, PICs and PIPs cannot fire DPOs who, for example, insist on advising the commission of reportable data security breaches.
New frontier for would-be DPOs
DPO candidates seem to be almost uniformly anxious about taking on the new job, but this is probably mostly due to the newness of the field. This nascent profession (at least for the Philippines) already promises to be an interesting and rewarding one, and those considering the post would do well to ditch Hamlet for Sheryl Sandberg and just lean in.