RA 10173 DATA PRIVACY ACT

Brief background:
Where it all started: With the advances in information technology, privacy in personal data has
become illusory. For the right price or with good connections, private information disclosed in
confidence to companies or government offices can be made available to or accessed by interested
parties.

This is the problem that is sought to be minimized, if not eliminated by Republic Act 10173, otherwise
known as the Data Privacy Act of 2012, which President Aquino signed into law.

In its declaration of policy, the law states that, although the free flow of information promotes
innovation and growth, it is essential that personal information in the government’s and private
sector’s information and communications systems are secured and protected.

Personal information is defined as “any information whether recorded in material form or not, from
which the identity of the individual is apparent or can be reasonably and directly ascertained by the
entity holding the information.

It includes facts and figures about a person’s race, ethnic origin, marital status, age, color and
religious, philosophical and political affiliations. Or practically his life story.

Legal basis:
The right to privacy is well-entrenched in the 1987 Constitution, particularly in the Bill of Rights and
safeguarded by several provisions of the Civil Code, the Revised Penal Code, and certain laws which
provide penalties for their violation in the form of imprisonment, fines, or damages.

Pertinent provisions of the Bill of Rights provides:

“Sec. 1. No person shall be deprived of life, liberty, or property without due process of law, nor shall
any person be denied the equal protection of the laws.”

“Sec. 2. The right of the people to be secure in their persons, houses papers, and effects against
unreasonable searches and seizures of whatever nature and for any purpose shall be inviolable, and
no search warrant or warrant of arrest shall issue except upon probable cause to be determined
personally by the judge after examination under oath or affirmation of the complainant and the
witnesses he may produce, and particularly describing the place to be searched and the persons or
things to be seized.”

“Sec. 3. (1) The privacy of communication and correspondence shall be inviolable except upon lawful
order of the court, or when public safety or order requires otherwise as prescribed by law.”
“Sec. 8. The right of the people, including those employed in the public and private sectors, to form
unions, associations, or societies for purposes not contrary to law shall not be abridged.”
Sec. 17. No person shall be compelled to be a witness against himself.”

Similarly, the Civil Code provides that “[e]very person shall respect the dignity, personality, privacy
and peace of mind of his neighbors and other persons” and punishes as actionable torts several acts
by a person of meddling and prying into the privacy of another.1 It also holds a public officer or
employee or any private individual liable for damages for any violation of the rights and liberties of
another person, 2 and recognizes the privacy of letters and other private communications.3

In like manner, the Revised Penal Code makes a crime the violation of secrets by an officer,4 the
revelation of trade and industrial secrets,5 and trespass to dwelling.6 Invasion of privacy is an
offense in special laws like the Anti-Wiretapping Law,7 the Secrecy of Bank Deposits Act8 and the
Intellectual Property Code.9

Also, the Rules of Court on privileged communication likewise recognize the privacy of certain
information.

What is Repubic Act. 10173?

Republic Act No.10173

Long Title: AN ACT PROTECTING INDIVIDUAL PERSONAL INFORMATION IN INFORMATION

AND COMMUNICATIONS SYSTEMS IN THE GOVERNMENT AND THE PRIVATE SECTOR,
CREATING FOR THIS PURPOSE A NATIONAL PRIVACY COMMISSION, AND FOR OTHER
PURPOSES

 Governs data processing of personal information in information and communication systems.

SCOPE
DATA PROCESSING- Any operation or any set of operations performed upon personal information
including, but not limited to, the collection, recording, organization, storage, updating or modification,
retrieval, consulation, use, consolidation, blocking, erasure or destruction of data.
PERSONAL INFORMATION- Any information whether recorded in a material form or not, from which
the identity of an individual is apparent or can be reasonably and directly ascertained by the entity
holding the information, or when put together with other information would directly and certainly
identify an individual.
INFORMATION AND COMMUNICATION SYSTEMS- A system for generating, sending, receiving
storing or otherwiseprocessing electronic data messagesor electronic documents and includes the
computer systems or other similar device by or which data is recorded, transmitted or stored and any
procedure related to the recording, transmission or storage of electronic data, electronic message or
electronic document.
DATA SUBJECT- An individual whose personal information is processed .

EXCLUSIONS:
The Data Privacy Act does not apply to the following types of personal information:
1. Relating to officers or employees of a government institution relating to the position and function of
said individual.
2. Relating to those performing service under contract for a government institution;
3. Relating to any discretionary benefit of a financial nature such as the granting of a license given by
the government to an individual.
4. Those processed for journalistic, artistic, literary or research purpose;
5. Those necessary for carrying out the functions of public authority;
6. Those necessary for banks and other financial institutions; and
7. Those originally collected from nonresidents in accordance with the laws of their residence,
including any applicable data privacy laws, which is processed in the Philippines.

General Rights of Data Subjects

1. Right to information
2. Right to access
3. Right to correct
4. Right to remove
5. Right to damages
6. Right to data portability

The Rights of the Data Subject are not applicable if;

1. The processed personal information are used only for the needs of scientific and statistical
research and, on the basis of such, no activities are carried out and no decisions are taken regarding
the data subject;
2. The processing of personal information is gathered for the purpose of investigation in relation to
any criminal, administrative or tax liabilities of a data subject.

GERERAL PRINCIPLES: TRANSPARENCY, LEGITIMATE PURPOSE, PROPORTIONALITY

Personal Information must be:

A.) Collected for specified and legitimate purposes;
B.) Processed firly and lawfully;
C.) Accurate, relevant and kept up to date; inaccurate or incomplete data must be rectified,
supplemented, destroyed or their further processing restricted.
D.) Adequate and not excessive;
E.) Retained only for as long as necessary for the fulfillment of the purposes for which the data was
obtained or for the establishmen, exercise or defense of legal claims, or for legitimate busines
purposes, or as provided by the law; and
F.) Kept in a form which permits identification of data subjects for no longer than is necessary for the
purposes for which the data were collected and processed

Criteria for Lawful Processing of Personal Information- The processing of personal information
shall be permitted only if not otherwise rpohibited by law, and when at least one of the following
conditions exist;

A. The data subject has given his or her consent;

B. The processing of personal information is necessary and is related to the fulfillment of a contract
with the data subject or in order to take steps at the request of the data subject prior to entering into a
contract;
C. The processing is necessary for compliance with a legal obligation to which the personal
information controller is subject;
D. The processing is necessary to protect vitally important interests of the data subject, including life
and health;
E. The processing is necessary in order to respond to national emergency, to comply with the
requirements of public order and public safety, or to fulfill functions of public authority which
necessarily includes the processing of personal data for the fulfillment of its mandate; or
F. The processing is necessary for the purposes of the legitimate interests pursued by the personal
informatio controller or by a third party or partie to whom the data is disclosed, except where such
interests are overridden by fundamental rights and freedoms of the data subject which require
protection under the Philippine Constitution.

PRIVILEGED INFORMATION: Refers to any and all forms of data which under the Rules of Court
and other pertinent laws constitute privileged communication.

SENSITIVE PERSONAL INFORMATION: Refers to personal information

1. About an individual’s race, , marital status, origin, marital status, age, color, and religious,
philosophical or political affiliations;
2. About an individual’s health, education, genetic or sexual life of a person, or to any proceeding for
any offense committed or alleged to have been committed by such person, the disposal of such
proceedings, or the sentence of any court in such proceedings;
3. Issued by government agencies peculiar to an individual which includes, but not limited to, social
security numbers, previous or cm-rent health records, licenses or its denials, suspension or
revocation, and tax returns; and;
4. Specifically established by an executive order or an act of Congress to be kept classified.

GENERAL RULE: The processing of sensitive information and privilege information shall be
prohibited.
EXCEPTIONS
A. The data subject has given his or her consent, specific to the purpose prior to the processing, or in
the case of privileged information, all parties to the exchange have given their consent prior to
processing
B. The processing of the same is provided for by existing ;aws and regulations
C. The processing is necessary to protect the life and health of the data subject or another person,
and the data subject is not legally or physically able to express his or her consent prior to the
processing;
D. The processing is necessary to achieve the lawful and noncommercial objectives of public
organizations and their associations.
E. The processing is necessary for PURPOSES OF MEDICAL TREATMENT
F. The processing concerns such personal information as is necessarynfor the protection of lawful
rightsand interests of natural or legal persons incourt proceedings, or the establishment, exercise or
defense of legal claims, or when provided to government or public authority.
SECURITY OF SENSITIVE PERSONAL INFORMATION GOVERNMENT

 Responsibility of Heads of Agencies- information shall be secured with the most appropriate
standards as recommended by the NPC. Heads of agencies are responsible for complying with
the security requirements.
 Requirements of access by Agency Personnel
A. Online/Onsite- no employee of the govdrnment shall have access unless the employee has
received a security clearance;
B. Offsite- information shall not be transported or accessed offsite unless a request is approved

Personal information controller refers to a person or organization who controls the collection,
holding, processing or use of personal information, including a person or organization who instructs
another person or organization to collect, hold, process, use, transfer or disclosepersonal information
on his/her behalf.

OBLIGATIONS:
1. Implement reasonable and appropriate organizational, physical and technical measures intended
for the protection of personal information against any accidental or unlawful destruction, alteration
and disclosure, as well as against any other unlawful processing.
2. Implement reasonable and appropriate measures to protect personal information against natural
dangers such as accidental loss or destruction, and human dangers such as unlawful access,
fraudulent misuse. Unlawful destruction, alteration and contamination.
3. Ensure that third parties processing personal information on its behalf shall implement the security
measures required.
4. Ensure that employees, agents or representatives of a personal information controller who are
involved in the processing of personal information under strict confidentiality if the personal
information are not intended for public disclosure. This obligation shall continue even after leaving the
public service, transfer to another position or upon termination of employment or contractual relation.
5. Promptly notify the Commission and affected databsubjects when sensitive personal information or
other information that may, under the circumstances, be used to enable to identify fraud are
reasonably believed to have been acquired by an unauthorized person, and the personal information
controller or the Commission believesthat such unauthorized acquisition is likelt to give rise to a real
risk of serious harm to any affected data subject.

Personal information processor refers to any natural or juridical person qualified to act as such to
whom a personal information controller may outsource the processing of personal data pertaining to a
data subject.

OBLIGATIONS:
6. Implement reasonable and appropriate organizational, physical and technical measures intended
for the protection of personal information against any accidental or unlawful destruction, alteration
and disclosure, as well as against any other unlawful processing.
7. Implement reasonable and appropriate measures to protect personal information against natural
dangers such as accidental loss or destruction, and human dangers such as unlawful access,
fraudulent misuse. Unlawful destruction, alteration and contamination.

PENAL PROVISIONS
1. Unauthorized Processing
2. Accessing and Providing Access Through Negligence
3. Improper Disposal
4. Processing for Unauthorized Purpose
5. Unauthorized access or Intentional Breach
6. Concealment of Security Breaches
7. Malicious Disclosure
8. Unauthorized Disclosure

OTHER RULES:
1.Combination or series of crimes enumerated above increases penalty
2. Committed by juridical person; penalty imposed on responsibe officers who committed or allowed
the crime to be committed through negligence
3. Committed by alien: to be deported after serving sentence
4. Public Official or Employee committing Improper Disposal or Processing for Unauthorized
Purposes:include perpetual or temporary disqualification from office
5. 100 or kore records affected: maximum penalty
6. Offender is a public officer; disqualification for a term double the term of the criminal penalty
7. No prejudice to restitution as per Civil Code

THE NPC or THE NATIONAL PRIVACY COMMISSION

An independent body attached to the Department ofInformation and Communications Technology
(DICT) and is tasked with the administration and implementation of the Act as well as with monitoring
and ensuring compliance of the Philippines with International standards for data protection.