Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
Upcoming SlideShare
What to Upload to SlideShare
What to Upload to SlideShare
Loading in …3
×
1 of 41

Dr. Rolando Rivera Lansigan - The Privacy Act of 2012, its compliance and implementation in the Philippines

Dec. 29, 2019
2 likes 196 views

2

Share

Download to read offline

Law

The Data Privacy Act of the Philippines was enacted into law in March of 2012. Thus, the creation of the National Privacy Commission (NPC) last 2016, which is mandated to administer its implementation. After more than two years after its creation, NPC had successfully championed its cause from awareness, compliance and enforcement with the registration of more than 30,000 Data Protection Officers (DPO), accepted more than 1,000 complaints and cases and has made headlines in the Philippines as one of the most popular government because of its strict implementation of the law. Among its most popular implementation is its Five Pillars of Compliance which was regarded as one of the most successful implementation among other countries. Republic Act 10173, otherwise known as the Data Privacy Act (DPA) of 2012 was passed into law last 2012 in the Philippines. The law requires that all Personal Information Controllers (PIC) and Personal Information Processors (PIP) must appoint a Data Protection Officer (DPO) to manage compliance with the DPA and other applicable laws and policies. In addition, having a DPO will ensure the protection of personal data collection and processing in accordance with the requirement of the law.

Having a DPO will also ensure the organization’s competitive advantage in this digital age of data protection.

As a data protection officer, he/she must be must monitor the organization’s compliance with the DPA, its implementing rules and regulations and other issuances by the National Privacy Commission. Including the conduct of Privacy Impact Assessment, creation of a Privacy Management Program and Privacy Manual and the conduct of Breach Reporting Procedure.

In addition, a DPO should cultivate awareness to promote the culture of privacy not only within the organization, but as well as for the entire country.

The presentation will also present some issues surrounding the digital world. Including some potential breaches that may affect each individual and organization. Will also present a compilation of the most common breaches that has happened in the Philippines and how to avoid them. Technical, physical and organization security measures will also be discussed in the presentation.

Recommended

Related Books

Free with a 30 day trial from Scribd

See all
The Common Law Oliver Wendell Holmes, Jr.
(4.5/5)
Free
The Right Wrong Man: John Demjanjuk and the Last Great Nazi War Crimes Trial Lawrence Douglas
(0/5)
Free
Punishment and Modern Society: A Study in Social Theory David Garland
(4/5)
Free
Misdemeanorland: Criminal Courts and Social Control in an Age of Broken Windows Policing Issa Kohler-Hausmann
(0/5)
Free
Caught: The Prison State and the Lockdown of American Politics Marie Gottschalk
(4/5)
Free
Unequal under Law: Race in the War on Drugs Doris Marie Provine
(0/5)
Free
The Condemnation of Blackness: Race, Crime, and the Making of Modern Urban America, With a New Preface Khalil Gibran Muhammad
(3/5)
Free
When Brute Force Fails: How to Have Less Crime and Less Punishment Mark A. R. Kleiman
(5/5)
Free
Smart on Crime Kamala Harris
(3/5)
Free
Manifest Injustice: The True Story of a Convicted Murderer and the Lawyers Who Fought for His Freedom Barry Siegel
(4/5)
Free
Arrest-Proof Yourself Dale C. Carson
(4/5)
Free
The Culture of Control: Crime and Social Order in Contemporary Society David Garland
(0/5)
Free
Pulled Over: How Police Stops Define Race and Citizenship Charles R. Epp
(0/5)
Free
Case of a Lifetime: A Criminal Defense Lawyer's Story Abbe Smith
(0/5)
Free
Witness for the Defense: The Accused, the Eyewitness, and the Expert Who Puts Memory on Trial Dr. Elizabeth Loftus
(4.5/5)
Free
Against Prediction: Profiling, Policing, and Punishing in an Actuarial Age Bernard E. Harcourt
(0/5)
Free

Related Audiobooks

Free with a 30 day trial from Scribd

See all
Innocent Blood: A True Story of Obsession and Serial Murder Terry Ganey
(4/5)
Free
Lady Killers: Deadly Women Throughout History Tori Telfer
(4.5/5)
Free
More Guns, Less Crime: Understanding Crime and Gun Control Laws John R. Lott, Jr.
(4.5/5)
Free
Family Secrets: The Case That Crippled the Chicago Mob Jeff Coen
(5/5)
Free
Illusion of Justice: Inside Making a Murderer and America's Broken System Jerome F. Buting
(4.5/5)
Free
On Treason: A Citizen's Guide to the Law Carlton F. W. Larson
(0/5)
Free
The Unforgiven: The Untold Story of One Woman's Search for Love and Justice Edith Brady-Lunny
(4/5)
Free
The Return of Martin Guerre Natalie Zemon Davis
(4.5/5)
Free
Beyond These Walls: Rethinking Crime and Punishment in the United States Tony Platt
(4.5/5)
Free
Three Felonies A Day: How the Feds Target the Innocent Harvey Silverglate
(4.5/5)
Free
Hunting Whitey: The Inside Story of the Capture & Killing of America's Most Wanted Crime Boss Casey Sherman
(5/5)
Free
Perversion of Justice: The Jeffrey Epstein Story Julie K. Brown
(5/5)
Free
Why the Innocent Plead Guilty and the Guilty Go Free: And Other Paradoxes of Our Broken Legal System Jed S. Rakoff
(4/5)
Free
Courtroom 302: A Year Behind the Scenes in an American Criminal Courthouse Steve Bogira
(4.5/5)
Free
Blind Injustice: A Former Prosecutor Exposes the Psychology and Politics of Wrongful Convictions Mark Godsey
(5/5)
Free
When Should Law Forgive? Martha Minow
(0/5)
Free

Dr. Rolando Rivera Lansigan - The Privacy Act of 2012, its compliance and implementation in the Philippines

  1. 1. The Data Privacy Act of 2012, its Compliance and implementation in the Philippines 15 May–16 May · Harbour Plaza North Point, Hong Kong . Dr. Rolando R. Lansigan, CEH, CHFI, SySA+ (Former Chief- Compliance and Monitoring Division) National Privacy Commission GDPR Coalition Ambassador
  2. 2. Do not COLLECT if you cannot PROTECT
  3. 3. What is the Data Privacy Act of 2012? • SECTION 1. Short Title. – This Act shall be known as the “Data Privacy Act of 2012”. • Republic Act 10173, the Data Privacy Act of 2012 AN ACT PROTECTING INDIVIDUAL PERSONAL INFORMATION IN INFORMATION AND COMMUNICATIONS SYSTEMS IN THE GOVERNMENT AND THE PRIVATE SECTOR, CREATING FOR THIS PURPOSE A NATIONAL PRIVACY COMMISSION, AND FOR OTHER PURPOSES • The National Privacy Commission (NPC) is a body that is mandated to administer and implement this law. The functions of the NPC include: – rule-making, – advisory, – public education, – compliance and monitoring, – investigations and complaints, – and enforcement.
  4. 4. The DPA applies to the processing of all types of personal information and to any natural and juridical person, in the country and even abroad, subject to certain qualifications. Sec. 4, DPA SCOPE OF THE DPA
  5. 5. Sections 1-6. Definitions and General Provisions Sections 7-10. National Privacy Commission Structure of RA 10173, the Data Privacy Act Section 22-24. Provisions Specific to Government Section 25-37. Penalties Sections 11-21. Rights of Data Subjects, and Obligations of Personal Information Controllers and Processors
  6. 6. Philippines’ DPA vs GDPR Categories Categories Categories Purpose Preventing Harm Principle Integrity and Confidentiality Material Scope Lawfulness, Fairness and Transparency Accountability Territorial Scope Purpose Limitation Access and Correction Personal Data Data Minimization Data Portability Sensitive Personal Data Accuracy Transfer of Personal Data to Another Person or country Data Controller Storage Limitation Breach Definition * Data Processors Notice and Choice Breach Notification * Publicly Available Information Breach Mitigation
  7. 7. The National Privacy Commission is an independent body mandated to administer and implement the Data Privacy Act, and to monitor and ensure compliance of the country with international standards set for personal data protection.
  8. 8. Timeline of DPA Law and other issuances passed to Organization’s Compliance 2012 March 2016 August 2016 Sept. 9, 2016 Sept. 9, 2017 Data Privacy Act (DPA) Passed into law National Privacy Commission (NPC) was formed Implementin g rules and Regulations (IRRs) was published IRR came into effect Deadline: DPO Registration 12 months Registration Requirements: All personal data processing systems (DPS) operating in the Philippines that involve Personal Data concerning at least 1,000 individuals/personal records must be registered with NPC March 8, 2018 Deadline: (ANNUAL) Registration of DPS June 30, 2018 Deadline: (ANNUAL) Security Incident Reports
  9. 9. EXAMPLES OF POTENTIAL BREACHES AND SECURITY INCIDENTS INVOLVING PERSONAL INFORMATION • Potential Breaches 1. Bank – Consent form 2. Hospital and School Records – Storage and Disposal Policy 3. Student transferred - Without Consent 4. Clinical record of a student to disclose with her parents - Consent 5. List of top students/passers - Consent 6. Cedula in Malls – Disposal Policy/Improper Disposal 7. Security issues in buildings – logbook 8. Use of re-cycled papers – Disposal Policy / Access due to negligence 9. Hard drives sold online –Disposal Policy 10. Use of CCTV – Privacy Issues 11. Use of USB/CD/Personal laptop – Encryption issue • Access Control and Security Policy 12. Personal Records stolen from home of an employee - Security 13. Viewing of Student Records in Public – Physical Security 14. Raffle stubs – Privacy Notice / Storage and Disposal Policy 15. Universities and Colleges websites with weak authentication 16. Photocopiers re-sold without wiping the hard drives 17. Password hacked/revealed - 18. Accidentally sent an email attachment – Unauthorized Disclosure • Other Violations / Data Privacy Act Principles 19. No Data Sharing Agreement (DSA) 20. No Privacy Notice 21. No Sub-contracting Agreement 22. No Breach Drill 23. Profiling of customers of malls – Targeted Marketing 24. Unjustifiable collection of personal data of a school – Principle of Proportionality
  10. 10. DPA Section Punishable Act For Personal Information For Sensitive Personal Information Fine (Pesos) JAIL TERM 25 Unauthorized processing 1-3 years 3-6 years 500 k – 4 million 26 Access due to negligence 1-3 years 3-6 years 500 k – 4 million 27 Improper disposal 6 months – 2 years 3-6 years 100 k – 1 million 28 Unauthorized purposes 18 months – 5 years 2-7 years 500 k – 2 million 29 Intentional breach 1-3 years 500 k – 2 million 30 Concealment of breach 18 months – 5 years 500 k – 1 million 31 Malicious disclosure 18 month – 5 years 500 k – 1 million 32 Unauthorized disclosure 1-3 years 3-5 years 500 k – 2 million 33 Combination of acts 1-3 years 1 million – 5 million Potential Penalties listed in the Data Privacy Act
  11. 11. NPC’s FIVE PILLARS OF COMPLIANCE DPO PIA PMP PDP BRP
  12. 12. THE FIVE PILLARS OF COMPLIANCE • Commit to Comply: Appoint a Data Protection Officer (DPO) • Know your Risk: Conduct a Privacy Impact Assessment (PIA) • Be Accountable: Create your Privacy Management Program and Privacy Manual (PMP) • Demonstrate your Compliance: Implement your Privacy and Data Protection Measure (PDP) • Be Prepared for Breach: Regularly Exercise your Breach Reporting Procedure (BRP)
  13. 13. Designating a DPO is the first essential step. You cannot register with the NPC unless you have a DPO.
  14. 14. All PICs and PIPs should designate a Data Protection Officer • The personal information controller shall designate an individual or individuals who are accountable for the organization’s compliance with this Act. The identity of the individual(s) so designated shall be made known to any data subject upon request. (Sec. 21[b]) • xxx The personal information processor shall comply with all the requirements of this Act and other applicable laws. (Sec. 14)
  15. 15. PILLAR 2: KNOW YOUR RISKS “The determination of the appropriate level of security under this section must take into account the nature of the personal information to be protected, the risks represented by the processing, the size of the organization and complexity of its operations, current data privacy best practices and the cost of security implementation” - Section 20.C of DPA of 2012
  16. 16. Technical Organisational – other measures 1 2
  17. 17. ORGANIZATIONAL PHYSICAL TECHNICAL IMPLEMENT SECURITY MEASURES
  18. 18. “The PIC shall promptly notify the Commission and affected data subjects when sensitive personal information or other information that may, under the circumstances, be used to enable identity fraud are reasonably believed to have been acquired by an unauthorized person, and the PIC or the Commission believes that that such unauthorized acquisition is likely to give rise to a real risk of serious harm to any affected data subject.” Section 20.f “Concealment of Security Breaches Involving Sensitive Personal Information. –– The penalty of imprisonment of one (1) year and six (6) months to five (5) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than One million pesos (Php1,000,000.00) shall be imposed on persons who, after having knowledge of a security breach and of the obligation to notify the Commission pursuant to Section 20(f), intentionally or by omission conceals the fact of such security breach. Section 30
  19. 19. The 72-hour deadline IRR Section 38 (a) Data Breach Notification. The Commission and affected data subjects shall be notified by the PIC within seventy-two (72) hours upon knowledge of, or when there is reasonable belief by the PIC or PIP that, a personal data breach requiring notification has occurred. From https://privacy.gov.ph/memorandum-circulars/
  20. 20. Keep in touch
  21. 21. END OF PRESENTATION

×