
Data Privacy Act Implementing Rules and Roles of the National Privacy Commission, Exams of Law

The roles and responsibilities of the National Privacy Commission (NPC) in implementing the Data Privacy Act of 2016 in the Philippines. The NPC is tasked with ensuring compliance of personal information controllers with the Act, receiving complaints and initiating investigations, issuing advisory opinions, and imposing penalties for violations. Controllers must implement data processing principles, inform data subjects of processing activities, and provide data subjects with the right to access and correct their data.

Typology: Exams

2021/2022

Uploaded on 08/01/2022

hal_s95
NPC Draft Implementing Rules of the Data Privacy Act, June 17, 2016

Republic of the Philippines
NATIONAL PRIVACY COMMISSION
Metro Manila

Implementing Rules and Regulations of Republic Act No. 10173, known as the “Data Privacy Act of 2012”

Pursuant to the mandate of the National Privacy Commission to administer and implement the provisions of the Data Privacy Act of 2012, and to monitor and ensure compliance of the country with international standards set for data protection, the following rules and regulations are hereby promulgated to effectively implement the provisions of the Act:

Rule I. Preliminary Provisions

  1. Title
  2. Policy
  3. Definitions

Rule II. Scope of Application

  4. Scope
  5. Non-applicability
  6. Protection afforded to journalists and their sources
  7. Protection afforded to data subjects

Rule III. National Privacy Commission

  8. Mandate
  9. Functions
  10. Administrative Issuances
  11. Reports and Public Information
  12. Confidentiality of Personal Data
  13. Organizational Structure
  14. Secretariat
  15. Effect of Lawful Performance of Duty
  16. Magna Carta for Science and Technology Personnel

Rule IV. Data Privacy Principles

  17. General Principles
  18. Principles of Transparency, Legitimate Purpose and Proportionality
  19. Principles in Collection, Processing and Retention
     a. Collection must be for a specified and legitimate purpose
     b. Personal Data shall be processed fairly and lawfully
     c. Processing should ensure data quality
     d. Personal data shall not be retained longer than necessary
     e. Any authorized further processing shall have adequate safeguards
  20. Principles for Data Sharing

Rule V. Lawful Processing of Personal Data

  21. Lawful Processing of Personal Information
  22. Lawful Processing of Sensitive Personal Information and Privileged Information
  23. Extension of Privileged Communication
  24. Surveillance of Subjects and Interception of Recording of Communications

Rule VI. Security Measures for Data Protection

  25. Data Privacy and Security
  26. Organizational Security
  27. Physical Security
  28. Technical Security
  29. Appropriate Level of Security

Rule VII. Data Privacy and Security in Government

  30. Responsibility of Heads of Agencies
  31. Requirements Relating to Access by Agency Personnel to Sensitive Personal Information
  32. Implementation of Security Requirements
  33. Applicability to Government Contractors

Rule VIII. Rights of Data Subject

  34. Rights of the Data Subject
     a. Right to be informed
     b. Right to object
     c. Right to access
     d. Right to correct
     e. Right to rectification, erasure or blocking
  35. Transmissibility of Rights of the Data Subject
  36. Right to Data Portability
  37. Limitation on Rights

Rule IX. Data Breach Notification

  38. Data Breach Notification
  39. Contents of Notification
  40. Delay of Notification
  41. Breach Report
  42. Procedure for Notification

Rule X. Outsourcing and Subcontracting Agreements

  43. Subcontract of Personal Data
  44. Agreements for Outsourcing
  45. Duty of Personal Information Processor

Rule XI. Registration and Compliance Requirements

  46. Enforcement of the Data Privacy Act
  47. Registration of Data Processing Systems
  48. Notification for Automatic Processing Operations
  49. Approval of Data Sharing Agreements
  50. Review by the Commission

Rule XII. Rules on Accountability

  51. Accountability for Transfer of Personal Information
  52. Accountability for Violation of the Act, these Rules and other issuances

Rule XIII. Penalties

  53. Unauthorized Processing of Personal Information and Sensitive Personal Information
  54. Accessing Personal Information and Sensitive Personal Information Due to Negligence
  55. Improper Disposal of Personal Information and Sensitive Personal Information
  56. Processing of Personal Information and Sensitive Personal Information for Unauthorized Purposes
  57. Unauthorized Access or Intentional Breach
  58. Concealment of Security Breaches Involving Sensitive Personal Information
  59. Malicious Disclosure
  60. Unauthorized Disclosure

the collection and processing of his or her personal, sensitive or privileged information. Consent shall be evidenced by written, electronic or recorded means. It may also be given on behalf of a data subject by a lawful representative or an agent specifically authorized by the data subject to do so.

e. Data subject refers to an individual whose personal, sensitive or privileged information is processed.

f. Direct marketing refers to communication by whatever means of any advertising or marketing material which is directed to particular individuals.

g. Filing system refers to any set of information relating to natural or juridical persons to the extent that, although the information is not processed by equipment operating automatically in response to instructions given for that purpose, the set is structured, either by reference to individuals or by reference to criteria relating to individuals, in such a way that specific information relating to a particular person is readily accessible.

h. Information and Communications System refers to a system for generating, sending, receiving, storing or otherwise processing electronic data messages or electronic documents and includes the computer system or other similar device by or which data is recorded, transmitted or stored and any procedure related to the recording, transmission or storage of electronic data, electronic message, or electronic document.

i. Personal data refers to personal information, sensitive information or privileged information, collectively, which are in an information and communications system, or relevant filing system, or intended to form part of the same.

j. Personal information refers to any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.

k. Personal information controller refers to a natural or juridical person or any other body who controls the processing of personal data or instructs another to process personal data on his or her behalf. The term excludes:

  1. A natural or juridical person or any other body who performs such functions on behalf of another; or
  2. A natural person who processes personal data in connection with his or her personal, family or household affairs.

There is control if the natural or juridical person or any other body decides on what information is collected, or the purpose or extent of processing.

l. Personal information processor refers to any natural or juridical person or any other body to whom a personal information controller may outsource or instruct the processing of personal data pertaining to a data subject.

m. Processing refers to any operation or any set of operations performed upon personal data including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data.

n. Privileged information refers to any and all forms of data which under the Rules of Court and other pertinent laws constitute privileged communication.

o. Sensitive personal information refers to personal information:

  1. About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;
  2. About an individual’s health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings;
  3. Issued by government agencies peculiar to an individual which includes, but not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns; and
  4. Specifically established by an executive order or an act of Congress to be kept classified.

Rule II. Scope of Application

Section 4. Scope. The Data Privacy Act and these Rules apply to the processing of personal, sensitive or privileged information, in the government or private sector, under any of the following conditions:

a. The natural or juridical person involved in the processing of personal data is found or established in the Philippines.

  1. Information about an individual who is or was performing service under contract for a government institution only in so far as it relates to the services performed, including the terms of the contract, and the name of the individual given in the course of the performance of those services;
  2. Information relating to a benefit of a financial nature conferred on an individual upon the discretion of government, such as the granting of a license or permit, including the name of the individual and the exact nature of the benefit, provided that benefits given in the course of an ordinary transaction or as a matter of right are not discretionary benefits under these Rules.

b. The Act and these Rules do not apply to personal information processed for journalistic, artistic or literary purpose, undertaken with a view to publication or exhibition, subject to requirements of fair and true reporting and other applicable law or regulations. Any natural or juridical person or other body who shall process the same personal information for any purpose other than journalistic, artistic or literary expression shall be covered by the Act and these Rules.

c. The Act and these Rules do not apply to personal information that will be processed for purposes of scientific and statistical research only within the limits provided by Section 37 of these Rules. Any other research shall be covered by the Act, these Rules and other issuances of the Commission, to the end that research purposes will be supported without compromising privacy and security of personal data.

d. The Act and these Rules do not apply to information necessary in order to carry out functions of public authority only to the extent of collection and further processing consistent with a constitutionally or statutorily mandated function pertaining to national security, defense, law enforcement, taxation and other regulatory function, including the performance of the functions of the independent, central monetary authority. The public authority must process the information, mindful of the rights of the individual data subject to privacy and security, and subject to other restrictions provided by law. If processing is by an information processor, the responsibility of the public authority as personal information controller remains. Nothing in this Act shall be construed as to have amended or repealed Republic Act No. 1405, otherwise known as the Secrecy of Bank Deposits Act; Republic Act No. 6426, otherwise known as the Foreign Currency Deposit Act; and Republic Act No. 9510, otherwise known as the Credit Information System Act (CISA).

e. The Act and these Rules do not apply to information necessary for banks and other financial institutions under the jurisdiction of the independent, central monetary authority or Bangko Sentral ng Pilipinas to comply with Republic Act No. 9510, and Republic Act No. 9160, as amended, otherwise known as the Anti-Money Laundering Act and other applicable laws. Banks and financial institutions involved in processing of personal data shall be covered by the Act and these Rules where the information collected and processed to comply with law will be subjected to processing for other purposes.

f. The Rules shall not apply to personal information originally collected from residents of foreign jurisdictions in accordance with the laws of those foreign jurisdictions, including any applicable data privacy laws, which is being processed in the Philippines, with regard to its collection. The Act and these Rules shall apply to processing performed in the Philippines. The burden of proving the law of the foreign jurisdiction falls on the person or body seeking exemption. In the absence of proof, the applicable law shall be presumed to be that of the Philippines.

Section 6. Protection Afforded to Journalists and their Sources.

a. Publishers, editors or duly accredited reporters of any newspaper, magazine or periodical of general circulation shall not be compelled to reveal the source of any news report or information appearing in said publication if it was related in any confidence to such publisher, editor, or reporter.

b. Publishers, editors and duly accredited reporters who are likewise personal information controllers or processors within the meaning of the law are still bound to follow the Data Privacy Act and related issuances with regard to the processing of personal data, upholding rights of their data subjects and maintaining compliance with other provisions that are not incompatible with the protection provided by Republic Act No.

Section 7. Protection afforded to Data Subjects.

a. Unless directly incompatible or inconsistent with the preceding sections, the personal information controller or processor shall use reasonable means to protect the privacy and security of personal data.

procedures, issue advisory opinions and interpret the provisions of this Act and other data privacy laws;

  1. Review, approve, reject or require modification of privacy codes voluntarily adhered to by personal information controllers, which may include private dispute resolution mechanisms for complaints against any participating personal information controller.

c. Public Education. The Commission shall undertake necessary or appropriate efforts to inform and educate the public of data privacy, data protection and fair information rights and responsibilities. This includes:

  1. Publish on a regular basis a guide to all laws relating to data protection;
  2. Publish a compilation of agency system of records and notices, including index and other finding aids;
  3. Coordinate with other government agencies and the private sector on efforts to formulate and implement plans and policies to strengthen the protection of personal information in the country;
  4. Document and report on the activities of the Commission in carrying out the provisions of the Act.

d. Compliance and Monitoring. The Commission shall perform compliance and monitoring functions to ensure effective implementation of the Act, these Rules and other issuances. This includes:

  1. Ensure compliance of personal information controllers with the provisions of the Act, including registration of data processing systems in the country, and notification prior to processing of personal data that could adversely affect the rights and freedoms of data subjects, especially in case of automatic processing operations;
  2. Monitor the compliance of all government agencies or instrumentalities on their security and technical measures and recommend the necessary action in order to meet minimum standards for protection of personal data pursuant to the Act;
  3. Ensure proper and effective coordination with data privacy regulators in other countries and private accountability agents, and participate in international and regional initiatives for data privacy protection;
  4. Negotiate and contract with other data privacy authorities of other countries for cross-border application and implementation of respective privacy laws and generally perform such acts as may be necessary to facilitate cross-border enforcement of data privacy protection;
  5. Provide assistance on matters relating to data protection at the request of a national or local agency, a private entity or any person, including enforcement of rights of data subjects;
  6. Assist Philippine companies doing business abroad to respond to data protection laws and regulations;
  7. Manage the registration of the personal information processing system of contractors and its employees entering into contracts with government that involves accessing or requiring sensitive personal information from one thousand (1,000) or more individuals.

e. Complaints and Investigations. The Commission shall adjudicate on complaints and investigations due to a privacy complaint, security breach, a violation of the rights of data subjects, and failure to comply with the Act, these Rules and other issuances of the Commission. This includes:

  1. Receive complaints and institute investigations regarding a violation of the Act or the rights of data subjects, including reports of a Security Breach. For this purpose, the Commission may compel access to personal data that is the subject of any complaint and collect the information necessary to perform its functions under the Act, including the issuance of subpoena to compel testimony or production of evidence. In resolving any complaint or investigation, except where amicable settlement is reached by the parties, the Commission shall act as a collegial body.
  2. Facilitate or enable settlement of complaints through the use of alternative dispute resolution processes, and adjudicate on matters affecting any personal data;
  3. Prepare reports on disposition of complaints and resolution of any investigation it initiates, and, in cases it deems appropriate, publicize any such report.

f. Enforcement. The Commission shall do all acts as may be necessary to effectively implement the Data Privacy Act, these Rules and other issuances of the Commission, and to enforce its Orders, Resolutions or Decisions, including the imposition of sanctions, fines or penalties. This includes:

  1. Adjudicate privacy or security complaints and related issues and issue compliance or enforcement orders;
  2. Award indemnity on matters affecting privacy or security of personal data, or rights of data subjects;
  3. Issue cease and desist orders, impose a temporary or permanent ban on the processing of personal data, upon

consultants of the Commission, even after their term, employment or contract has ended, are to be subject to a duty of professional secrecy with regard to confidential information to which they were given access.

Section 13. Organizational Structure. The National Privacy Commission is attached to the Department of Information and Communications Technology for policy and program coordination, but the Commission shall remain completely independent in the performance of its functions. The Commission shall be headed by a Privacy Commissioner, who shall act as Chairman of the Commission. The Privacy Commissioner must be at least thirty-five (35) years of age and of good moral character, unquestionable integrity and known probity, and a recognized expert in the field of information technology and data privacy. The Privacy Commissioner shall enjoy the benefits, privileges and emoluments equivalent to the rank of Secretary. The Privacy Commissioner shall be assisted by two (2) Deputy Privacy Commissioners, one to be responsible for Data Processing Systems, and one to be responsible for Policies and Planning. The Deputy Privacy Commissioners must be recognized experts in the field of information and communications technology and data privacy. They shall enjoy the benefits, privileges and emoluments equivalent to the rank of Undersecretary.

Section 14. Secretariat. The Commission is authorized to establish a Secretariat, which shall assist the Office of the Commissioner in the performance of its functions. The Secretariat shall be headed by an Executive Director and shall be organized according to the following offices:

a. Data Security and Compliance Office;
b. Legal and Enforcement Office;
c. Finance and Administrative Office;
d. Privacy Policy Office.

The majority of the members of the Secretariat, in so far as practicable, must have served for at least five (5) years in any agency of the government that is involved in the processing of personal information including, but not limited to, the following offices: Social Security System (SSS), Government Service Insurance System (GSIS), Land Transportation Office (LTO), Bureau of Internal Revenue (BIR), Philippine Health Insurance Corporation (PhilHealth), Commission on Elections (COMELEC), Department of Foreign Affairs (DFA), Department of Justice (DOJ), and Philippine Postal Corporation (Philpost). The organizational structure shall be subject to review and modification of the Commission, including the creation of new divisions and units as it may deem necessary, and it shall appoint officers and employees of the Commission in accordance with the civil service law, rules and regulations.

Section 15. Effect of Lawful Performance of Duty. The Privacy Commissioner, the Deputy Commissioners, or any person acting on their behalf or under their direction, shall not be civilly liable for acts done in good faith in the performance of their duties. However, he or she shall be liable for willful or negligent acts done by him or her which are contrary to law, morals, public policy and good customs even if he or she acted under orders or instructions of superiors: Provided, That in case a lawsuit is filed against such official on the subject of the performance of his or her duties, where such performance is lawful, he or she shall be reimbursed by the Commission for reasonable costs of litigation.

Section 16. Magna Carta for Science and Technology Personnel. Qualified employees of the Commission shall be covered by Republic Act No. 8349, which provides a magna carta for scientists, engineers, researchers and other science and technology personnel in the government.

Rule IV. Data Privacy Principles

Section 17. General Principles. The processing of personal data shall be allowed, subject to compliance with the requirements of the Data Privacy Act, other laws allowing disclosure of information to the public and these Rules. All natural and juridical persons and other bodies involved in processing of personal data must ensure implementation of the personal data processing principles set out in the Act, these Rules and other issuances of the Commission.

Section 18. Principles of Transparency, Legitimate Purpose and Proportionality. The processing of personal data shall adhere to the principles of transparency, legitimate purpose and proportionality.

a. Transparency. Processing of personal data shall be known to the data subject, who must be informed about the nature, purpose, method, and extent of processing, his or her rights as data subject and how these can be exercised, and the identity and contact details of the personal information controller.

  1. Processing must be compatible with the declared, specified and legitimate purpose.
  2. Processed personal data should be adequate, relevant and not excessive in relation to the declared, specified and legitimate purpose.
  3. Adequate privacy and security safeguards should be in place in the processing of personal data.

c. Processing should ensure data quality

  1. Personal data should be accurate, relevant and complete with respect to the purpose of processing.
  2. Personal data shall be kept up to date when necessary for the declared, specified and legitimate purpose.
  3. Inaccurate or incomplete data must be rectified, supplemented, destroyed or their further processing restricted.

d. Personal Data shall not be retained longer than necessary

  1. Retention of personal data shall only be until the declared, specified and legitimate purpose has been achieved or the processing relevant to the purpose has been terminated.
  2. Retention of personal data may be allowed when necessary to establish, exercise or defend legal claims, which must be in accordance with a disposition schedule followed by the industry or approved by the appropriate government agency, and taking into consideration applicable prescriptive periods.
  3. Personal data shall be disposed of or discarded in a secure manner that would prevent further processing, unauthorized access or disclosure to any other party or the public, or prejudice to the interests of the data subjects.

e. Any authorized further processing shall have adequate safeguards. Personal data originally collected for a declared, specified or legitimate purpose may be retained longer and processed further for historical, statistical or scientific purposes, and other purposes specifically authorized by law, when there are adequate safeguards for data privacy and security.

  1. Personal data kept longer than necessary for the declared, specified and legitimate purpose shall be aggregated or kept in a form which does not permit identification of data subjects.
  2. Further processing for historical, statistical, scientific or other legally authorized purpose shall be allowed if there are adequate safeguards for data privacy and security, and:
     (a) The data subject consents, or the personal data is contained in public documents subject to reasonable requirements for access;
     (b) The purpose of processing must be sufficiently clarified;
     (c) The Commission may review the safeguards in place.
  3. Personal data cannot be retained in perpetuity in contemplation of a possible future use still to be determined.

Section 20. General principles for Data Sharing. Further Processing of Personal Data collected from a party other than the Data Subject shall be allowed under the following conditions:

a. Data sharing is specifically provided by law, where the law authorizing the sharing provides adequate safeguards for data privacy and security.

b. Data Sharing in the Private Sector shall be allowed if:

  1. The data subject consents to data sharing, provided that consent for data sharing shall be required even when the data is to be shared with an affiliate or mother company, or similar relationships.
  2. Data sharing for commercial purpose, including direct marketing or marketing research, shall be covered by a data sharing agreement.
  3. The data subject shall be provided with the following information prior to collection or before data is shared:
     (a) Identity of all controllers or processors who will be given access to data;
     (b) Purpose of further processing;
     (c) Categories of data concerned;
     (d) Intended recipients or categories of recipients of data;
     (e) Existence of rights of data subject, including right to access and correction, and right to object;
     (f) Other information that would sufficiently notify the data subject of the extent of data sharing and manner of processing.
  4. Further processing of shared data shall adhere to the data protection principles laid down in the Act, these Rules and other issuances of the Commission.
  5. The data sharing agreement should put in place adequate safeguards for data privacy and security, uphold rights of data subjects and provide a system by which data subjects can obtain relief for violations.
  6. The data sharing agreement shall be subject to review of the Commission.

third party or parties to whom the data is disclosed, except where such interests are overridden by fundamental rights and freedoms of the data subject which require protection under the Philippine Constitution. The interest is legitimate if it relates to a compelling benefit of both the personal information controller and the public with minimal impact on the rights of the data subject.

Section 22. Sensitive Personal Information and Privileged Information. The processing of sensitive personal and privileged information is prohibited. It shall be allowed only in the following cases:

a. Consent is given pursuant to a declared, specified and legitimate purpose by the data subject prior to the processing of sensitive personal information, or by parties to the exchange prior to processing of privileged information.

b. The processing of the sensitive or privileged information is in accordance with existing laws and regulations that do not require consent of the data subject for processing, and which guarantee the protection of the sensitive personal information and the privileged information.

c. The processing is necessary to protect the life and health of the data subject or another person, and the data subject is not legally or physically able to express his or her consent prior to the processing.

d. The processing is necessary to achieve the lawful and noncommercial objectives of public organizations and their associations, provided that:
  (1) Processing is confined and related to the bona fide members of these organizations or their associations;
  (2) The sensitive personal information is not transferred to third parties; and
  (3) Consent of the data subject was obtained prior to processing.

e. The processing is necessary for purposes of medical treatment, is carried out by a medical practitioner or a medical treatment institution, and an adequate level of protection of data is ensured. The use, access to, disclosure and other processing of personal data for purposes other than medical treatment of the data subject requires consent.

f. The processing concerns such sensitive or privileged information as is necessary for the protection of lawful rights and interests of natural or legal persons in court proceedings, or the establishment, exercise or defense of legal claims, or when provided to government or public authority based on a specific constitutional or statutory provision.

Section 23. Extension of Privileged Communication. Personal information controllers may invoke the principle of privileged communication over privileged information that they lawfully control or process. Subject to existing laws and regulations, any evidence gathered on privileged information is inadmissible. When the Commission inquires upon communication claimed to be privileged, the Personal Information Controller should prove the nature of the communication in an executive session. Should the communication be determined as privileged, it shall be excluded from evidence, and the contents of the communication shall not form part of the records of the case. This rule will apply unless the privileged communication is itself the subject of the breach or privacy concern.

Section 24. Surveillance of Suspects and Interception of Recording of Communications. The provision of Section 7 of Republic Act No. 9372, otherwise known as the “Human Security Act of 2007”, is hereby amended to include the condition that the processing of personal data for the purpose of surveillance and interception of recording of communications must comply with the Data Privacy Act, including adherence to the principles of transparency, proportionality and legitimate purpose.

Rule VI. Security Measures for Data Protection

Section 25. Data Privacy and Security. The personal information controller shall put in place organizational, physical and technical security measures for data protection, including policies for evaluation, monitoring and review of operations and security risks. The same obligation shall be required from personal information processors engaged by the personal information controller to process personal data on its behalf. These measures shall aim to maintain the availability, integrity and confidentiality of personal data, and prevent negligent, unlawful or fraudulent processing, access and other interference, use, disclosure, alteration, loss and destruction of personal data. The guidelines in the succeeding sections shall be implemented by any natural or juridical person involved in the processing of data, and shall also be included in the privacy and security policy of the company.