Republic Act No. 10173
Data Privacy Act of 2012

GERONIMO L. SY
Assistant Secretary
Department of Justice

R.A. 10173 – Data Privacy Act of 2012
An Act Protecting Individual Personal Information in Information and Communications Systems in the Government and the Private Sector, Creating for this Purpose a National Privacy Commission, and for Other Purposes

Based on APEC Privacy Framework Principles:
◦ Preventing harm
◦ Notice
◦ Collection limitation
◦ Use of personal information
◦ Choice
◦ Integrity of personal information
◦ Security safeguards
◦ Access and correction
◦ Accountability

◦ Consolidation of Senate Bill No. 2965 and House Bill No. 4115
◦ Signed into law by the President on 15 August 2012
◦ Mandates all public and private enterprises to safeguard the confidentiality and integrity of personal information collected in the course of their operation.

State Policy
◦ To protect the fundamental human right of privacy of communication
◦ Information and communications technology has a vital role in nation-building
◦ The State has an inherent obligation to ensure that personal information in information and communications systems in the government and in the private sector is secured and protected.

Salient Provisions

Definition of Terms (Section 3)
◦ Data subject refers to an individual whose personal information is processed.
◦ Personal information refers to any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or which, when put together with other information, would directly and certainly identify an individual.
◦ Personal information controller refers to a person or organization who controls the collection, holding, processing or use of personal information, including a person or organization who instructs another person or organization to collect, hold, process, use, transfer or disclose personal information on his or her behalf.
◦ Personal information processor refers to any natural or juridical person qualified to act as such under this Act to whom a personal information controller may outsource the processing of personal data pertaining to a data subject.
◦ Sensitive personal information refers to personal information:
  1. About an individual's race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations
  2. About an individual's health, education, genetic or sexual life, or to any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings
  3. Issued by government agencies peculiar to an individual, which includes, but is not limited to, social security numbers, previous or current health records, licenses or their denial, suspension or revocation, and tax returns
  4. Specifically established by an executive order or an act of Congress to be kept classified

Scope (Section 4)
◦ All types of personal information
◦ Natural and juridical persons

Extraterritorial application (Section 6)
◦ Applies to an act done or practice engaged in and outside of the Philippines

National Privacy Commission (Section 7)
◦ 1 Privacy Commissioner
◦ 2 Deputy Privacy Commissioners
◦ 3-year term, appointed by the President
◦ Promulgate and implement IRR
◦ Attached to the Office of the President (OP) (Section 42); the Department of Information and Communications Technology (DICT) is yet to be created

General data privacy principles (Section 11)
◦ Procedures in the collection, processing and handling of personal information
◦ Transparency
◦ Legitimate purpose
◦ Proportionality

Personal information must be:
◦ Collected for specified and legitimate purposes
◦ Adequate and not excessive in relation to the purpose
◦ Processed fairly and lawfully
◦ Accurate, relevant and kept up to date
◦ Retained as long as necessary
◦ Kept in a form which permits identification of data subjects for no longer than is necessary

Rights of the data subject (Section 16)
a) To be informed that his/her personal information is or will be processed
b) To be informed of the details of his/her personal information before its entry into the processing system
c) To have reasonable access, upon demand, to matters concerning his/her personal information
d) To dispute inaccuracy or error in the personal information and have it corrected immediately and accordingly
e) To suspend, withdraw or order blocking, removal or destruction of his/her personal information from the system
f) To be indemnified for any damages

Principle of accountability (Section 21)
◦ Responsibility of the personal information controller
◦ Accountability for transfer of personal information to a third party, domestic or international, including information processing that has been transferred

Security of personal information (Section 20)
◦ Protection against:
  1. Accidental or unlawful destruction, alteration and disclosure or other unlawful processing
  2. Accidental loss or destruction, and human dangers such as unlawful access, fraudulent misuse, unlawful destruction, alteration and contamination
◦ Subject to measures to be implemented by the Commission

Security of sensitive personal information in the government (Section 22)
◦ Security clearance on employees to access sensitive personal information
◦ No off-site access unless with approval by the head of agency and with use of encryption

Penalties (Section 25)
◦ Unauthorized processing of personal information of data subject: 1-3 years imprisonment and 500K-2M fine
◦ Unauthorized processing of sensitive personal information of data subject: 3-6 years imprisonment and 500K-4M fine
◦ Accessing personal information due to negligence: 1-3 years imprisonment and 500K-2M fine
◦ Accessing sensitive personal information due to negligence: 3-6 years imprisonment and 500K-4M fine
◦ Improper disposal of sensitive personal information: 1-3 years imprisonment and 100K-1M fine
◦ Processing of personal information for unauthorized purposes: 1 year, 6 months-5 years imprisonment and 500K-1M fine
◦ Processing of sensitive personal information for unauthorized purposes: 2-7 years imprisonment and 500K-2M fine
◦ Unauthorized access or intentional breach: 1-3 years imprisonment and 500K-2M fine
◦ Concealment of security breaches involving sensitive personal information: 1 year, 6 months-5 years and 500K-1M fine
◦ Malicious disclosure: 1 year, 6 months-5 years and 500K-1M fine
◦ Unauthorized disclosure: 1-3 years and 500K-1M fine
◦ Combination or series of acts: 3-6 years and 1M-5M fine
◦ Large scale: maximum penalty when at least 100 persons are harmed