CEU DPA
1. Data Privacy Act
RA 10173
Orientation
Data and Document Custodians
2. What is the purpose of the DPA (R.A. 10173)?
The DPA compels entities or organizations, including individuals, engaged in processing personal data to:
ESTABLISH POLICIES & IMPLEMENT MEASURES AND PROCEDURES
that guarantee the safety and security of personal data under their control or custody, thereby upholding an individual’s data privacy rights.
Protection against:
✓ NATURAL DANGERS such as accidental loss or destruction
✓ HUMAN DANGERS such as unlawful access, fraudulent misuse, unlawful destruction, alteration and contamination.
3. What is Protected under the DPA?
PERSONAL DATA, which includes
✓ personal information,
✓ sensitive personal information and
✓ privileged information
which are in the hands of another natural or juridical person.
4. Basic Terms used in the DPA
• Data Subject – refers to an individual whose personal, sensitive personal, or privileged information is processed;
• Processing – refers to any operation or any set of operations performed upon personal data including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data;
5. Basic Terms used in the DPA
• Personal Information Controller (PIC) – refers to a natural or juridical person, or any other body who controls the processing of personal data, or instructs another to process personal data on its behalf. The term excludes:
  o a natural or juridical person, or any other body, who performs such functions as instructed by another person or organization; or
  o a natural person who processes personal data in connection with his or her personal, family, or household affairs;
There is control if the natural or juridical person or any other body decides on what information is collected, or the purpose or extent of its processing.
For this purpose, CEU is deemed as a PIC.
6. Basic Terms used in the DPA
• Security Incident – any event or occurrence that affects or tends to affect data protection, or may compromise the availability, integrity, and confidentiality of personal data.
It includes incidents that may result in a personal data breach, if not for safeguards that have been put in place. A data breach is a kind of security incident. It happens when there is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
7. Basic Terms used in the DPA
Personal Data refers to:
1. Personal Information
refers to any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.
Example: Full name, address, phone number, email address
8. Basic Terms used in the DPA
2. Sensitive Personal Information
refers to personal information:
• about an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;
• about an individual’s health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings;
• issued by government agencies peculiar to an individual which includes, but not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns; and
• specifically established by an executive order or an act of Congress to be kept classified.
Example: race, marital status, health status, age, birthdate, government-issued ID numbers
9. Basic Terms used in the DPA
3. Privileged Personal Information
refers to all forms of data which, under the Rules of Court and other pertinent laws, constitute privileged communication.
Example: information revealed to a Priest, Doctor or Lawyer which is confidential in nature
10. Data Privacy Act: Scope
SEC. 4. Scope.
This Act applies to the processing of all types of personal information and to any natural and juridical person involved in personal information processing including those personal information controllers and processors who, although not found or established in the Philippines, use equipment that are located in the Philippines, or those who maintain an office, branch or agency in the Philippines subject to the immediately succeeding paragraph: Provided, That the requirements of Section 5 are complied with.
This Act does not apply to the following:
• Information about any individual who is or was an officer or employee of a government institution … xxx xxx xxx
• Information about an individual who is or was performing service under contract for a government institution … xxx xxx xxx
• Information relating to any discretionary benefit of a financial nature such as the granting of a license or permit given by the government to an individual … xxx xxx xxx
• Personal information processed for journalistic, artistic, literary or research purposes;
• Information necessary in order to carry out the functions of public authority … xxx xxx xxx
• Information necessary for banks and other financial institutions … xxx xxx xxx
• Personal information originally collected from residents of foreign jurisdictions … xxx xxx xxx
11. Data Privacy Act: Lawful Processing of Personal Information
SEC. 12. Criteria for Lawful Processing of Personal Information.
The processing of personal information shall be permitted only if not otherwise prohibited by law, and when at least one of the following conditions exists:
(a) The data subject has given his or her consent;
(b) The processing of personal information is necessary and is related to the fulfillment of a contract … xxx xxx xxx
(c) The processing is necessary for compliance with a legal obligation … xxx xxx xxx
(d) The processing is necessary to protect vitally important interests of the data subject, including life and health;
(e) The processing is necessary in order to respond to national emergency, to comply with the requirements of public order and safety, or to fulfill functions of public authority … xxx xxx xxx
(f) The processing is necessary for the purposes of the legitimate interests pursued by the personal information controller … xxx xxx xxx
12. Data Privacy Act: Lawful Processing of Sensitive Personal Information and Privileged Information
SEC. 13. Sensitive Personal Information and Privileged Information.
The processing of sensitive personal information and privileged information shall be prohibited, except in the following cases:
(a) The data subject has given his or her consent … xxx xxx xxx
(b) The processing of the same is provided for by existing laws and regulations … xxx xxx xxx
(c) The processing is necessary to protect the life and health of the data subject or another person … xxx xxx xxx
(d) The processing is necessary to achieve the lawful and noncommercial objectives of public organizations and their associations … xxx xxx xxx
(e) The processing is necessary for purposes of medical treatment, is carried out by a medical practitioner or a medical treatment institution … xxx xxx xxx
(f) … xxx xxx xxx for the protection of lawful rights and interests of natural or legal persons in court proceedings, or the establishment, exercise or defense of legal claims, or when provided to government or public authority.
13. CONSENT of the Data Subject is the primary means for lawful processing of Personal Data
Consent:
Section 3 (b) Consent of the data subject – refers to any freely given, specific, informed indication of will, whereby the data subject agrees to the collection and processing of personal information about and/or relating to him or her.
Consent shall be evidenced by written, electronic or recorded means. It may also be given on behalf of the data subject by an agent specifically authorized by the data subject to do so.
14. In the absence of a written, electronic or recorded Consent, processing of Personal Data will still be lawful if it falls within the circumstances in the DPA:
Section 12 (b) – (f)
and
Section 13 (b) – (f)
18. Obligations of the Personal Information Controller (PIC)
1. PROTECT the Personal Data of Data Subjects that the organization is processing
2. AVOID, PREVENT and MANAGE Data Privacy Breaches
3. ENSURE COMPLIANCE with the Data Privacy Act and its Internal Rules and Regulations
19. Obligations of the PIC
1. PROTECT the Personal Data of Data Subjects that the organization is processing
8 Rules of Data Protection
1. Obtain and process information fairly
2. Keep it only for one or more specified, explicit and lawful purposes
3. Use and disclose it only in ways compatible with these purposes
4. Keep it safe and secure
5. Keep it accurate, complete and up-to-date
6. Ensure that it is adequate, relevant and not excessive
7. Retain it for no longer than is necessary for the purpose or purposes
8. Give a copy of his/her personal data to an individual, on request
20. Obligations of the PIC
2. AVOID, PREVENT and MANAGE Data Privacy Breaches
How do Privacy Breaches Occur?
• LOST OR STOLEN laptops, removable storage devices (USB, external drives), paper records containing personal information
• FAILURE TO ERASE CONTENT of hard disk drives or other digital storage media when being disposed of or returned to equipment lessors
• HACKING of databases by individuals outside the agency or organization
• UNAUTHORIZED ACCESS BY EMPLOYEES to personal information outside the authorization of their employment
• IMPROPER ACQUISITION of paper records from unsecured recycling or garbage bins
• MISTAKE in providing personal information to the wrong person
• IMPERSONATION by an individual deceiving an agency or organization into improperly releasing the personal information of another
21. Obligations of the PIC
3. ENSURE COMPLIANCE with the Data Privacy Act and its Internal Rules and Regulations
How do we comply with the DPA?
1. Appoint a Data Privacy Officer (DPO)
2. Conduct Personal Data Inventory
3. Conduct Privacy Impact Assessment
4. Develop a Privacy Notice
5. Create a Privacy Manual
   • General Policy
   • Organizational, Physical and Technical Security Measures
   • Data Breach Protocols
6. Implement the Privacy Management Program embedded in the Privacy Manual
7. Monitor Data Privacy Accountability and Compliance
Source: https://privacy.gov.ph/implementing-privacy-and-data-protection-measures/
22. What is your role as Document Custodian?
23. Data and Document Custodian’s Role in DPA
1. Process Personal Data in accordance with:
   1. CEU Policy on Data Processing
   2. Data Privacy Act
2. Prevent Security Incidents and Data Breaches
3. Respect the Rights of the Data Subject
24. Role No. 1
LAWFUL PROCESSING
1. COLLECT personal data pursuant to legitimate purposes only
2. USE personal data according to the legitimate purposes for which it was collected, in accordance with the Principles of Data Privacy
25. Principles of Data Privacy
Transparency
The Data Subject must be aware of the NATURE, PURPOSE, and EXTENT of processing of his/her personal data, including the:
• Risks and safeguards involved
• Identity of the Personal Information Controller (PIC)
• Rights as a Data Subject and how these rights can be exercised
After the data subject has been duly informed, his/her CONSENT must be secured, stating therein that the data subject agrees to the collection and processing of personal information about and/or relating to him/her.
26. Principles of Data Privacy
Legitimate Purpose
The processing of information shall be COMPATIBLE WITH A DECLARED AND SPECIFIED PURPOSE which must not be contrary to law, morals or public policy.
27. Principles of Data Privacy
Proportionality
Processing of information shall be
ADEQUATE
RELEVANT
SUITABLE
NECESSARY
NOT EXCESSIVE
in relation to a declared and specified purpose.
29. Role No. 2
PREVENT SECURITY AND DATA BREACHES
1. SHARE or DISCLOSE only to those authorized by the organization or if required by law
2. STORE personal data in accordance with security policies
3. DISPOSE securely and in accordance with accepted modes of disposal
30. Role No. 3
Respect Data Subject Rights Under the DPA
1. The Right to be Informed
The Data Subject has the right to be informed that his/her personal data shall be, are being or have been processed.
2. The Right to Access
The Data Subject has the right to gain reasonable access to his/her personal data.
3. The Right to Correction or Rectification
The Data Subject has the right to dispute any inaccuracy or error in his/her personal data and to have it corrected immediately, provided it is not vexatious or unreasonable.
Images sourced at: https://privacy.gov.ph/know-your-rights/
31. Data Subject Rights Under the DPA
4. The Right to Erasure or Blocking
The Data Subject has the right to suspend, withdraw or order the blocking, removal or destruction of his/her personal data upon discovery and substantial proof of any of the following:
• His/her personal data is incomplete, outdated, false, or unlawfully obtained;
• It is being used for purposes not authorized;
• The data is no longer necessary for the purposes for which it was collected;
• The Data Subject decided to withdraw consent, or objected to its processing, and there is no overriding legal ground for its processing;
• The data concerns personal information prejudicial to the data subject, unless justified by freedom of speech, of expression, or of the press, or otherwise authorized;
• The processing is unlawful; or
• The Personal Information Controller (PIC), or the Personal Information Processor (PIP), violated the rights of the Data Subject.
32. Data Subject Rights Under the DPA
5. The Right to Object
The Data Subject has the right to object to the processing of his/her personal data, including processing for direct marketing, automated processing or profiling. In case of changes or amendment to the information declared to the Data Subject regarding the processing of his/her information, the Data Subject has the right to be notified and given an opportunity to withhold consent.
Once exercised, the Personal Information Controller (PIC) will no longer process the data, unless:
• The personal data is needed pursuant to a subpoena;
• The collection and processing are for obvious purposes, including when it is necessary to the performance of or in relation to a contract or service to which the data subject is a party, or when necessary or desirable in the context of an employer-employee relationship between the collector and the data subject; or
• The information is being collected and processed as a result of a legal obligation.
33. Data Subject Rights Under the DPA
6. The Right to Data Portability
For personal information processed by electronic means, the Data Subject has the right to obtain a copy of his/her personal data in an electronic format that is commonly used and allows for further use.
7. The Right to Damages
The Data Subject may claim compensation if he/she suffered damages due to inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of personal data, constituting a violation of his/her rights and freedoms as a data subject.
8. The Right to File a Complaint
The Data Subject may file a complaint with the National Privacy Commission if he/she is the subject of a privacy violation or personal data breach, or is otherwise personally affected by a violation of the Data Privacy Act.
34. Penalties under the DPA
Criminal Act | Imprisonment AND Fine
Section 25:
(a) Unauthorized processing of Personal Information
(b) Unauthorized processing of Sensitive Personal Information
Imposed on persons who process PI/SPI without the consent of the data subject, or without being authorized under this Act or any existing law.
Imprisonment: (a) 1 – 3 years; (b) 3 – 6 years
Fine: (a) P500,000 – P2,000,000; (b) P500,000 – P4,000,000
Section 26:
(a) Accessing Personal Information Due to Negligence
(b) Accessing Sensitive Personal Information Due to Negligence
Imposed on persons who, due to negligence, provided access to PI/SPI without being authorized under this Act or any existing law.
Imprisonment: (a) 1 – 3 years; (b) 3 – 6 years
Fine: (a) P500,000 – P2,000,000; (b) P500,000 – P4,000,000
35. Penalties under the DPA
Criminal Act | Imprisonment AND Fine
Section 27:
(a) Improper Disposal of Personal Information
(b) Improper Disposal of Sensitive Personal Information
Imposed upon persons who knowingly or negligently dispose, discard, or abandon the personal information of an individual in an area accessible to the public or has otherwise placed the personal information of an individual in its container for trash collection.
Imprisonment: (a) 6 months – 2 years; (b) 1 – 3 years
Fine: (a) P100,000 – P500,000; (b) P100,000 – P1,000,000
Section 28:
(a) Processing of Personal Information for Unauthorized Purposes
(b) Processing of Sensitive Personal Information for Unauthorized Purposes
Imposed upon persons processing PI/SPI for purposes not authorized by the data subject, or otherwise authorized under this Act or under existing laws.
Imprisonment: (a) 1 year and 6 months – 5 years; (b) 2 – 7 years
Fine: (a) P500,000 – P1,000,000; (b) P500,000 – P2,000,000
36. Penalties under the DPA
Criminal Act | Imprisonment AND Fine
Section 29:
Unauthorized Access or Intentional Breach
Imposed upon persons who knowingly and unlawfully, or violating data confidentiality and security data systems, breaks in any way into any system where personal and sensitive personal information is stored.
Imprisonment: 1 – 3 years
Fine: P500,000 – P2,000,000
Section 30:
Concealment of Security Breaches Involving Sensitive Personal Information
Imposed on persons who, after having knowledge of a security breach and of the obligation to notify the Commission pursuant to Section 20(f), intentionally or by omission, conceal the fact of such security breach.
Imprisonment: 1 year and 6 months – 5 years
Fine: P500,000 – P1,000,000
37. Penalties under the DPA
Criminal Act | Imprisonment AND Fine
Section 31:
Malicious Disclosure
Imposed on PICs, PIPs or any of its officials, employees or agents who, with malice or in bad faith, discloses unwarranted or false information relative to any PI/SPI obtained by him or her.
Imprisonment: 1 year and 6 months – 5 years
Fine: P500,000 – P1,000,000
Section 32:
(a) Unauthorized Disclosure of any Personal Information
(b) Unauthorized Disclosure of any Sensitive Personal Information
Imposed on PICs, PIPs or any of its officials, employees or agents who discloses to a third party PI/SPI not covered by the immediately preceding section without the consent of the data subject.
Imprisonment: (a) 1 – 3 years; (b) 3 – 5 years
Fine: (a) P500,000 – P1,000,000; (b) P500,000 – P2,000,000
38. Penalties under the DPA
Criminal Act | Imprisonment AND Fine
Section 33:
Combination or Series of Acts
Any combination or series of acts as defined in Sections 25 – 32 shall make the person liable for the increased penalty.
Imprisonment: 3 – 6 years
Fine: P1,000,000 – P5,000,000
Section 35:
Large Scale
The maximum penalty in the scale of penalties shall be imposed when the Personal Information of at least One Hundred (100) persons is harmed, affected or involved as the result of the commission of such criminal acts.
40. CEU Data Privacy Statement
Centro Escolar University is committed to respect and value the privacy rights of individuals.
We will ensure that all personal data are protected and processed in accordance with Republic Act No. 10173 or the Data Privacy Act of 2012 and its Implementing Rules and Regulations.
We recognize the confidentiality of personal data and adhere to the general principles of transparency, legitimate purpose, and proportionality.
41. Data Privacy Act
RA 10173
Thank you.
To proceed click the link below:
https://goo.gl/forms/7nv7CYUBAJqOzy0i1