Filipinos spend an average of 10 hours and 2 minutes each day online, the highest in the world, according to recent data. The Philippines has also topped social media use for the fourth straight year. Vast amounts of personal information from the Philippines, including photos of daily activities, are freely circulating on the Web.
What has the country done to ensure privacy and data protection?
In 2012, the Philippines passed Republic Act No. 10173 or the Data Privacy Act of 2012 (DPA) “to protect the fundamental human right to privacy of communication while ensuring free flow of information to promote innovation and growth [and] the [State’s] inherent obligation to ensure that personal information in information and communications systems in government and in the private sector are secured and protected”.
The DPA was passed in accordance with the Philippines' commitments under ASEAN Vision 2020 and at the urging of the growing business process outsourcing industry. The law was modeled after the Data Protection Directive (95/46/EC), and many of its terms and provisions resemble those of privacy laws in other jurisdictions.
What acts are covered by the DPA?
The DPA and its Implementing Rules and Regulations (IRR) apply to all acts done or practices engaged in, both in and outside the Philippines, if:
- The person involved in the processing of personal data, whether an individual or an institution, is located in the Philippines;
- The act or practice involves the personal data of a Philippine citizen or Philippine resident;
- The processing of personal data is done in the Philippines; or
- The act, practice or processing of personal data is done by an entity with links to the Philippines, subject to international law and comity.
“Personal data” refers to all types of personal information.
“Processing” is any operation or set of operations performed upon personal data. These operations include, but are not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure, or destruction of data.
Who implements the DPA?
The National Privacy Commission (NPC) is in charge of administering and implementing the DPA. It is also tasked with monitoring and ensuring that the Philippines complies with international standards for personal data protection. The major functions of the NPC are as follows:
- Rule making.
- Advisory. The NPC is the advisory body on matters related to personal data protection.
- Public education. The NPC shall launch initiatives to educate the public about data privacy, data protection, and fair information rights and responsibilities.
- Compliance and monitoring. The NPC has compliance and monitoring functions to ensure that personal information controllers comply with the law. It is also tasked with managing the registration of personal data processing systems.
- Complaints and investigations.
A “personal information controller” is an individual, institution, or any other body that controls the processing of personal data, or instructs another to process personal data on its behalf.
How do you comply with the Data Privacy Act?
If you are a personal information controller, you are required to comply with the following in accordance with the law:
- Registration of data processing systems (DPS). An individual or institution employing fewer than 250 employees need not register unless its data processing operations involve the sensitive personal information of at least 1,000 individuals, are likely to pose a risk to the rights and freedoms of data subjects, or are not occasional.
- Notification of automated processing operations where the processing becomes the sole basis for making decisions about a data subject and those decisions would significantly affect the data subject. A “data subject” is an individual whose personal, sensitive personal or privileged information is processed.
NOTE: No decision with legal effects concerning a data subject shall be made solely on the basis of automated processing without the consent of the data subject. The consent may be in written, electronic or recorded form, and may be given by a lawful representative or agent.
- Appointment of a Data Protection Officer in charge of ensuring compliance with the DPA;
- Creation of a data breach response team that will immediately address security incidents or personal data breaches;
- Adoption of data protection policies that provide for data security measures and security incident management;
- Submission of an annual report summarizing documented security incidents and personal data breaches; and
- Compliance with other requirements as may be provided by the NPC.
What should you do in the event of a data breach?
The law requires that both the NPC and the affected data subjects be notified of a data breach within 72 hours of knowledge of the breach, or of reasonable belief that one has occurred. Notification is generally required when all three of the following hold: the breach involves sensitive personal information or any other information that could be used to enable identity fraud; that information has been acquired by an unauthorized person; and the acquisition is likely to give rise to a real risk of serious harm to the affected data subjects.
The NPC may investigate the breach, depending on its nature or if there is a delay or failure to notify. Inquiries may include on-site examination of systems and procedures.
The Philippines has a relatively young data privacy regime. The Data Privacy Act, as well as RA No. 10175 or the Cybercrime Prevention Act, were enacted only in 2012, although some countries passed data protection laws as early as the 1970s. The NPC, the Philippines' regulatory body, was formally organized only in 2016 and issued the IRR and circulars that same year. Nevertheless, the country is on its way to developing a stable framework of privacy protection as technological innovations liberalize information sharing.