DATA PRIVACY ACT

WHY IS THE DATA PRIVACY ACT IMPORTANT?
1. Protects the privacy of individuals while ensuring free flow of information to promote innovation and growth;
2. Regulates the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure, or destruction of personal data; and
3. Ensures that the Philippines complies with international standards set for data protection through the National Privacy Commission (NPC)

PERSONAL DATA BREACH
Refers to a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access of personal data.

TYPES OF DATA BREACH
(1) AVAILABILITY. Risk or exposure: accidental or unlawful destruction and loss
(2) INTEGRITY. Risk or exposure: alteration of personal data
(3) CONFIDENTIALITY. Risk or exposure: unauthorized disclosure or access

PROCESSING:
(1) TRANSMITTED,
(2) STORED, or
(3) otherwise PROCESSED

NATIONAL PRIVACY COMMISSION (NPC)
o In charge of administering and implementing the DPA.
o Tasked to monitor and ensure compliance of the Philippines with international standards for personal data protection.
o To promulgate the DPA's implementing rules and regulations.

DEFINITIONS
DATA SUBJECT: individual whose personal information is processed
PERSONAL INFORMATION CONTROLLER: natural/juridical person who controls the processing of personal data.
PERSONAL INFORMATION PROCESSOR: natural/juridical person to whom Personal Information Controller (PIC) may outsource data
DATA PRIVACY ACT: law that seeks to protect all forms of information, be it private, personal, or sensitive. It is meant to cover both natural and juridical persons involved in the processing of personal information.

TYPES OF PERSONAL INFORMATION

(1) PERSONAL INFORMATION
Information that would directly and certainly identify a particular individual.
Examples:
1.) Full name
2.) Gender
3.) Birthdate
4.) Mobile No.
5.) Address
6.) Birthplace
7.) Bank Account number
8.) Parents' name

(2) SENSITIVE PERSONAL INFORMATION
Sensitive information is a type of personal information. Unlike some personal information, however, sensitive information may result in discrimination or harm if it is mishandled.
Examples:
1.) Marital Status
2.) Race, Color, Age, Ethnic Origin
3.) Health, Education, Genetic or Sexual Life
4.) Criminal Proceeding Information
5.) Religious, Philosophical or Political Affiliations
6.) Government Issued Personal information, Tax returns

(3) PRIVILEGED INFORMATION
Refers to all data classified under the (Philippine) Rules of Court and other laws as "privileged communication".
Examples:
1.) any communication shared in confidence between husband and wife;
2.) any communication or advice between an attorney and a client
3.) any advice or treatment given, or any information acquired by a doctor from a patient
4.) any confession made by a person to a minister or priest, as well as any advice subsequently given by the latter to that person
5.) communication made to a public officer in official confidence

Personal Data may be contained in:

INFORMATION AND COMMUNICATION SYSTEM
Refers to a system for generating, sending, receiving, storing or otherwise processing electronic data messages or electronic documents and includes the computer system or other similar device by which data is recorded, transmitted or stored and any procedure related to the recording, transmission or storage of electronic data, electronic message, or electronic document.

FILING SYSTEM
Refers to any set of information relating to natural or juridical persons to the extent that, although the information is not processed by equipment operating automatically in response to instructions given for the purpose, the set is structured, either by reference to individuals or by reference to criteria relating to individuals, in such a way that specific information relating to a particular person is readily accessible.

Personal Data are processed through:

DATA PROCESSING SYSTEM
Refers to the structure and procedure by which personal data is collected and further processed in an information and communications system or relevant filing system, including the purpose and intended output of the processing.

SCOPE OF APPLICATION
This Act applies to the processing of all types of personal information and to any natural and juridical person involved in personal information processing, including those PICs and PIPs who, although not found or established in the Philippines:
(1) use equipment that is located in the Philippines, or;
(2) maintain an office, branch, or agency in the Philippines

EXCEPTION:
o Officer or government employee as to: the fact that he is an employee of the government; title, office address and telephone number; classification, salary range, and responsibilities held; his or her name in a document prepared during his or her employment
o One who performs service under contract for a government institution, only in so far as it relates to such service, including his name and terms of contract.
o If a benefit of financial nature is conferred upon the discretion of the government (i.e. granting of license or permit)
o Journalistic, artistic or literary purpose
o Research intended for public benefit
o Information necessary to carry out the functions of public authority
o Information necessary for the banks and other financial institutions

DATA PRIVACY PRINCIPLE

PRINCIPLE OF TRANSPARENCY
The data subject must be aware of the nature, purpose, and extent of the processing of his or her personal data

LEGITIMATE PURPOSE
It must not be contrary to law, morals, or public policy

PRINCIPLE OF PROPORTIONALITY
It must be adequate, relevant, suitable, necessary, and not excessive in relation to a declared and specified purpose