Data Privacy Law applies to Government Agencies, particularly for the security of sensitive personal information. Summary: 1) Data Privacy Law applies to Government Offices. 2) Heads of Agencies are the ones primarily responsible for compliance. 3) Security clearance is required for Government Employees who are accessing sensitive personal information. 4) A request approved by the Head of the Agency is required prior to transportation or access off-site of sensitive personal information. 5) NPC registration is required for Government Contractors for contracts involving access or requiring senstive personal information from at least 1,000 individuals.

1. Security of Sensitive
Personal Information in Government
Basics of Philippine Data Privacy Law
for Non-Lawyers

2. Applicability to Government
The Data Privacy Law expressly and specifically provides for the applicability
of the provisions to Government Agencies.
Accordingly, heads of agencies are made primarily responsible for ensuring
that their offices are compliant with the security of sensitive personal
information that are in their control or custody.
Reference: Section 22, R.A. 10173

3. Responsibility: Heads of Agencies
All sensitive personal information maintained by the government, its agencies and instrumentalities shall
be secured, as far as practicable, with the use of the most appropriate standard recognized by the
information and communications technology industry, and as recommended by the Commission. The head
of each government agency or instrumentality shall be responsible for complying with the security
requirements mentioned herein while the Commission shall monitor the compliance and may recommend
the necessary action in order to satisfy the minimum standards.
The heads of agencies are made primarily responsible for compliance with
the security requirements set by the Data Privacy Law.
The NPC has the authority to monitory compliance and recommend to the
agency the necessary to action to comply with the minimum standards.
Reference: Section 23, R.A. 10173

4. Responsibility: Heads of Agencies
(a) On-site and Online Access – Except as may be allowed through guidelines to be issued by the
Commission, no employee of the government shall have access to sensitive personal information on
government property or through online facilities unless the employee has received a security clearance
from the head of the source agency.
Sensitive personal information with the Government is required to be
maintained as strictly confidential and only for those authorized to access
them.
Accordingly, security clearance is required before a Government employee
may be able to access these sensitive personal information.
Reference: Section 23, R.A. 10173

5. Responsibility: Heads of Agencies
(b) Off-site Access – Unless otherwise provided in guidelines to be issued by the Commission, sensitive
personal information maintained by an agency may not be transported or accessed from a location off
government property unless a request for such transportation or access is submitted and approved by the
head of the agency in accordance with the following guidelines:
(1) Deadline for Approval or Disapproval – In the case of any request submitted to the head of an
agency, such head of the agency shall approve or disapprove the request within two (2) business
days after the date of submission of the request. In case there is no action by the head of the agency,
then such request is considered disapproved;
Reference: Section 23, R.A. 10173

6. Responsibility: Heads of Agencies
(2) Limitation to One thousand (1,000) Records – If a request is approved, the head of the agency
shall limit the access to not more than one thousand (1,000) records at a time; and
(3) Encryption – Any technology used to store, transport or access sensitive personal information
for purposes of off-site access approved under this subsection shall be secured by the use of the most
secure encryption standard recognized by the Commission.
Transportation or access off-site of sensitive personal information with the
Government requires an approved request by the head of agency. Further,
a 1,000 records at a time limitation is imposed.
Most secure encryption standard is required of the technology to be used.
Reference: Section 23, R.A. 10173

7. Government Contractors
In entering into any contract that may involve accessing or requiring sensitive personal information from
one thousand (1,000) or more individuals, an agency shall require a contractor and its employees to
register their personal information processing system with the Commission in accordance with this Act
and to comply with the other provisions of this Act including the immediately preceding section, in the
same manner as agencies and government employees comply with such requirements.
Government contractors and their employees have to register their Personal
Information Processing System with the National Privacy Commission – if their
contracts involve accessing or requiring sensitive personal information from
1,000 or more individuals.
Reference: Section 24, R.A. 10173

8. Summary
1) Data Privacy Law applies to Government Offices.
2) Heads of Agencies are the ones primarily responsible for compliance.
3) Security clearance is required for Government Employees who are
accessing sensitive personal information.
4) A request approved by the Head of the Agency is required prior to
transportation or access off-site of sensitive personal information.
5) NPC registration is required for Government Contractors for contracts
involving access or requiring senstive personal information from at least
1,000 individuals.

9. Basics of Philippine Data Privacy Law
for Non-Lawyers
Atty. Jericho B. Del Puerto
SME Business Lawyer
For inquiries, comment, or permission to use slides, send us an email : info@jdpconsulting.ph.
Security of Sensitive
Personal Information in Government