2. Title:
• “An Act Protecting Individual Personal Information
and Communications Systems in the Government
and the Private Sector, Creating for this Purpose
The National Privacy Commission, and for Other
Purposes”
3. Definition of Terms:
Privacy- is the ability of an individual or group to seclude themselves
or information about themselves, and thereby express themselves
selectively. When something is private to a person, it usually means
that something is inherently special or sensitive to them.
-the state or condition of being free from being observed or disturbed by
other people
Privileged information-refers to any and all forms of data which
under the Rules of Court and other pertinent laws constitute
privileged communication.
4. Definition of Terms:
PERSONAL INFORMATION- any information whether recorded in a
material form or not, from which the identity of an individual is apparent
or can be reasonably and directly ascertained by the entity holding
the information, or when put together with other information would
directly and certainly identify an individual
5. Definition of Terms:
• Sensitive personal information refers to personal information:
(1) About an individual’s race, ethnic origin, marital status, age, color,
and religious, philosophical or political affiliations;
(2) About an individual’s health, education, genetic or sexual life of a
person, or to any proceeding for any offense committed or alleged to have been
committed by such person, the disposal of such proceedings, or the sentence of
any court in such proceedings;
(3) Issued by government agencies peculiar to an individual which
includes, but not limited to, social security numbers, previous or current health
records, licenses or its denials, suspension or revocation, and tax returns; and
(4) Specifically established by an executive order or an act of Congress to
be kept classified
6. SCOPE
• This Act applies to the processing of all types of personal
information and to any natural and juridical person
involved in personal information processing including
those personal information controllers and processors
who, although not found or established in the
Philippines, use equipment that are located in the
Philippines, or those who maintain an office, branch or
agency in the Philippines
7. EXCLUSIONS
A) Information about any individual who is or was an officer or employee of a
government institution that relates to the position or functions of the
individual, including:
(1) The fact that the individual is or was an officer or employee of the
government institution;
(2) The title, business address and office telephone number of the
individual;
(3) The classification, salary range and responsibilities of the position
held by the individual; and
(4) The name of the individual on a document prepared by the
individual in the course of employment with the government;
8. EXCLUSIONS
(B) Information about an individual who is or was performing service
under contract for a government institution that relates to the
services performed, including the terms of the contract, and the
name of the individual given in the course of the performance of
those services;
(C) Information relating to any discretionary benefit of a financial
nature such as the granting of a license or permit given by the
government to an individual, including the name of the individual
and the exact nature of the benefit;
9. EXCLUSIONS
D. Those necessary to carry out the functions of
public authority;
E. Those necessary for banks and other financial
institutions;
F. Those originally collected from nonresidents in
accordance with the laws of their residence
10. Freedom of Information Vs. Data Privacy Act
Freedom of information is emphasized in both the Data Privacy Act
(RA 10173), and its proposed Implementing Rules and Regulations.
The Data Privacy Act should not be used to restrict access to
information that falls within matters of public concern. Primarily,
the Data Privacy Act does not apply to government officers and
employees relating to their functions and positions, personal data
in relation to government contracts and discretionary benefits
given by government.
11. Freedom of Information Vs. Data Privacy Act
A government official who abuses his position or takes undue
advantage of his functions for personal benefit will not be able to
use the Data Privacy Act to restrict access of the people to
information.
The protection of privacy is emphasized in Section 7 of the FOI -
EO. This is not intended to shield government officials. Rather,
this is for the protection of any personal data that may be
contained in government records that is not relevant to the
freedom of information request, particularly when it affects
private citizens.
12. PROCESSING OF PERSONAL INFORMATION
Criteria for Lawful Processing of Personal
Information - the processing shall be permitted
only if not otherwise prohibited by law, and when
at least one of the following conditions exists:
1.) The data subject has given his or her consent;
2.) The processing of personal information is
necessary and is related to the fulfillment of a
contract with the data subject or in order to take
steps at the request of the data subject prior to
entering into a contract;
13. PROCESSING OF PERSONAL INFORMATION
3.) The processing is necessary for compliance
with a legal obligation to which the personal
information controller is subject;
4.) The processing is necessary to protect vitally
important interests of the data subject;
5.) The processing is necessary in order to respond
to national emergency, to comply with the
requirements of public order and safety, or to
fulfill functions of public authority;
14. PROCESSING OF PERSONAL INFORMATION
6.) The processing is necessary for the purposes of
the legitimate interests pursued by the personal
information controller or by a third party or parties
to whom the data is disclosed, except where such
interests are overridden by fundamental rights and
freedoms of the data subject which require
protection under the Phil. Constitution.
15. PROCESSING OF PERSONAL INFORMATION
General Rule: The processing of sensitive personal
information and privileged information shall be
prohibited.
EXCEPTIONS:
1. The data subject has given his/her consent or
in the case of privileged information, all parties to
the exchange have given their consent prior to
processing
16. PROCESSING OF PERSONAL INFORMATION
2. The processing of the same is provided for by
existing laws and regulations
3. The processing is necessary to protect the life
and health of the data subject or another
person, and the data subject is not legally or
physically able to express his/her consent prior
to the processing;
4. The processing is necessary to achieve the
lawful and noncommercial objectives of public
organizations and their associations.
17. PROCESSING OF PERSONAL INFORMATION
5. The processing is necessary for purposes of
medical treatment
6. The processing concerns such personal
information as is necessary for the protection of
lawful rights and interests of natural or legal
persons in court proceedings, or the
establishment, exercise or defense of legal
claims, or when provided to government or
public authority.
18. SECURITY OF SENSITIVE PERSONAL
INFORMATION IN GOVERNMENT
• Responsibility of Heads of Agencies- information
must be secured with the most appropriate
standards as recommended by the National
Privacy Commission. Heads are responsible for
complying with the security requirements
19. Requirements of Access by Agency Personnel
a. ONLINE/ONSITE – no employee shall have access
unless the employee has received a security
clearance;
b. OFFSITE – information shall not be transported
or accessed offsite unless a request is approved
20. PERSONAL INFORMATION CONTROLLER
Refers to a person or organization who
controls the collection, holding, or processing or
use of personal information, including a person or
org who instructs another person or org to collect,
hold, process, use, transfer or disclose personal
information on his or her behalf.
21. PERSONAL INFORMATION PROCESSOR
• Refers to any natural or juridical person
qualified to act as such to whom a personal
information controller may outsource the
processing of personal data pertaining to a
data subject
22. Rights of Personal Information Controllers
1. Outsource the processing of personal
information
2. Invoke the defense of privileged communication
23. Obligations of Personal Information Controllers
1. Implement reasonable and appropriate
organizational, physical and technical measures
intended for the protection of personal information
against any accidental or unlawful destruction,
alteration and disclosure, as well as against any
other unlawful processing
2. Implement reasonable and appropriate measures
to protect personal information against natural
dangers and human dangers
24. PROHIBITED ACTS
1. Unauthorized Processing
2. Accessing and Providing Access Through Negligence
3. Improper Disposal
4. Processing for Unauthorized Purposes
5. Unauthorized Access or Intentional Breach
6. Concealment of Security Breaches
7. Malicious Disclosure
8. Unauthorized Disclosure