2. DATA PRIVACY ACT OF 2012
It (1) protects the privacy of individuals while ensuring the free flow of information to promote innovation and growth; (2) regulates the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of personal data; and (3) ensures that the Philippines complies with international standards set for data protection through the National Privacy Commission (NPC).
3. PERSONAS COVERED
DATA SUBJECT
Is an individual whose personal information is processed.
PERSONAL INFORMATION CONTROLLER
Is either a person or organization who controls the collection, holding, processing or use of personal information, including a person or organization who instructs another person or organization to collect, hold, process, use, transfer or disclose personal information on his or her behalf.
PERSONAL INFORMATION PROCESSOR
Is any natural or juridical person qualified to act as such under this Act to whom a personal information controller may outsource the processing of personal data pertaining to a data subject.
RIGHTS OF THE DATA SUBJECT
• Right to be Informed
• Right to Access
• Right to Object
• Right to Rectification
• Right to Erasure or Blocking
• Right to Damages
• Right to Data Portability
• Right to File a Complaint
4. SCOPE OF THE LAW
PERSONAL INFORMATION
• Refers to any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or which, when put together with other information, would directly and certainly identify an individual.
SENSITIVE PERSONAL INFORMATION
• About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;
• About an individual’s health, education, genetic or sexual life, or any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings;
• Issued by government agencies and peculiar to an individual, which includes, but is not limited to, social security numbers, previous or current health records, licenses or their denial, suspension or revocation, and tax returns; and
• Specifically established by an executive order or an act of Congress to be kept classified.
5. PROCESSING
It refers to any operation or any set of operations performed upon personal information including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data.
THE DATA LIFE CYCLE
• Create & Collect
• Store & Transmit
• Use & Distribute
• Retain
• Dispose & Destroy
7. CONSENT
Consent is a freely given, specific, and informed indication of will by which the data subject agrees to the collection and processing of his or her personal information.
It is evidenced by written, electronic or recorded means, such as a signature, an opt-in box or clicking an icon, sending a confirmation email, or oral confirmation.
The data subject has genuine choice and control over how a personal information controller (PIC) uses their data.
8. PRINCIPLE OF ACCOUNTABILITY
• Each personal information controller is responsible for personal information under its control or custody, including information that has been transferred to a third party for processing, whether domestically or internationally, subject to cross-border arrangement and cooperation. It must comply with the requirements of this Act and shall use contractual or other reasonable means to provide a comparable level of protection while the information is being processed by a third party.
• All sensitive personal information maintained by the government, its agencies and instrumentalities shall be secured, as far as practicable, with the use of the most appropriate standard recognized by the information and communications technology industry, and as recommended by the Commission. The head of each government agency or instrumentality shall be responsible for complying with the security requirements mentioned herein, while the Commission shall monitor the compliance and may recommend the necessary action in order to satisfy the minimum standards.
9. THE COMPLIANCE REQUIREMENTS
APPOINT A DATA PROTECTION OFFICER.
CREATE A PRIVACY MANAGEMENT PROGRAM.
EXERCISE THE BREACH REPORTING PROCEDURE.
CONDUCT A PRIVACY RISK OR IMPACT ASSESSMENT.
IMPLEMENT PRIVACY AND DATA PROTECTION MEASURES.
10. PUNISHABLE ACTS
• Unauthorized processing of Personal Information and Sensitive Personal Information
• Accessing Personal Information and Sensitive Personal Information due to negligence
• Improper disposal of Personal Information and Sensitive Personal Information
• Processing of Personal Information and Sensitive Personal Information for unauthorized purposes
• Malicious disclosure or unauthorized disclosure of Personal Information and Sensitive Personal Information
• Concealment of security breaches involving Sensitive Personal Information
• Unauthorized access or intentional breach