
Republic Act 10173 Data Privacy Act of 2012

Who’s That Classmate?
What is Republic Act 10173?

• AN ACT PROTECTING INDIVIDUAL PERSONAL
INFORMATION IN INFORMATION AND COMMUNICATIONS
SYSTEMS IN THE GOVERNMENT AND THE PRIVATE
SECTOR, CREATING FOR THIS PURPOSE A NATIONAL
PRIVACY COMMISSION, AND FOR OTHER PURPOSES

• The Data Privacy Act protects individuals from
unauthorized processing of personal information that is
private, not publicly available, and identifiable.
Why it is important
• The Act is a necessary and important precaution in a
world that is moving into the digital age.
• “Data is like oil in the 18th century”
Terms and definitions
• Personal Information:
refers to any information whether recorded in a
material form or not, from which the identity of
an individual is apparent or can be reasonably
and directly ascertained by the entity holding
the information, or when put together with
other information would directly and certainly
identify an individual.
• Sensitive Personal Information
refers to personal information about an individual’s:
1. Race, ethnic origin, marital status, age, and religious,
philosophical or political affiliations
2. Health, education, genetic or sexual life of a
person, or to any proceeding for any offense
committed or alleged to have been committed by such
person, the disposal of such proceedings, or the
sentence of any court in such proceedings.
3. Information issued by government agencies
peculiar to an individual which includes, but
is not limited to, social security numbers,
previous or current health records, licenses or
its denials, suspension or revocation, and tax
returns.
4. Information specifically established by an executive order
or an act of Congress to be kept classified.
• Processing
refers to any operation or any set of operations
performed upon personal information including,
but not limited to, the collection, recording,
organization, storage, updating or modification,
retrieval, consultation, use, consolidation,
blocking, erasure or destruction of data.
3 persons involved
• Data subject
refers to an individual whose personal
information is processed.
- It is everyone whose personal data is being
processed, collected and used.
• Personal information controller
refers to a person or organization who
controls the collection, holding, processing or
use of personal information, including a
person or organization who instructs another
person or organization to collect, hold,
process, use, transfer or disclose personal
information on his or her behalf.
• Personal information processor
refers to any natural or juridical person
qualified to act as such under this Act
to whom a personal information
controller may outsource the
processing of personal data pertaining
to a data subject.
The National Privacy Commission
• The National Privacy Commission (NPC)
is an independent body created under RA 10173 which is mandated
to administer and implement the provisions of the Act.
• The functions of the NPC include:
rule-making,
advisory,
public education,
compliance and monitoring,
investigations and complaints,
and enforcement.
It Applies to the Following:
• In general, the Philippines Data Privacy Act (RA
10173) applies to the processing of personal
data by any natural or juridical person in the
government or private sector.
• The Philippines Data Privacy Act (RA 10173)
would apply to an act done or practice
engaged in and outside of the Philippines.
Sec 5. Protection afforded to journalists
and their Sources
• Nothing in this Act shall be construed as to have
amended or repealed the provisions of Republic
Act No. 53, which affords the publishers, editors or
duly accredited reporters of any newspaper,
magazine or periodical of general circulation
protection from being compelled to reveal the
source of any news report or information
appearing in said publication which was related in
any confidence to such publisher, editor, or
reporter.
Does NOT apply to the Following:
• Information about any individual who is or
was an officer or employee of government
that relates to his or her position or functions.
• Information about an individual who is or was
performing a service under contract for a
government institution that relates to the
services performed, including the name of the
individual and the terms of his or her contract.
• Information relating to a benefit of a financial nature
conferred on an individual upon the discretion of the
government, such as the granting of a license or permit, 
including the name of the individual and the exact nature
of the benefit.
• Personal information processed for journalistic, artistic or
literary purpose
•  Information necessary in order to carry out the functions
of public authority, in accordance with a constitutionally
or statutorily mandated function pertaining to law
enforcement or regulatory function, including the
performance of the functions of the independent, central
monetary authority, subject to restrictions provided by
law.
• Information necessary for banks, other financial
institutions under the jurisdiction of the independent,
central monetary authority or Bangko Sentral ng
Pilipinas, and other bodies authorized by law, to the
extent necessary to comply with Republic Act No. 9510
(CISA), Republic Act No. 9160, as amended, otherwise
known as the Anti-Money Laundering Act, and other
applicable laws
• Personal information originally collected from
residents of foreign jurisdictions in accordance with the
laws of those foreign jurisdictions, including any
applicable data privacy laws, which is being processed
in the Philippines.
Criteria for Lawful Processing of Personal
Information (Section 12)
The processing of personal information shall be
permitted only if not otherwise prohibited by
law, and when at least one of the following
conditions exist:
• The data subject has given his or her consent
• The processing of personal information is
necessary and is related to the fulfillment of a
contract with the data subject or in order to
take steps at the request of the data subject
prior to entering into a contract;
• The processing is necessary for
compliance with a legal obligation to
which the personal information
controller is subject;
• The processing is necessary to protect
vitally important interests of the data
subject, including life and health;
• The processing is necessary in order to
respond to national emergency, to comply
with the requirements of public order and
safety, or to fulfill functions of public
authority which necessarily includes the
processing of personal data for the fulfillment
of its mandate; or
• The processing is necessary for the purposes
of the legitimate interests pursued by the
personal information controller or by a third
party or parties to whom the data is
disclosed, except where such interests are
overridden by fundamental rights and
freedoms of the data subject which require
protection under the Philippine Constitution.
Extension of Privileged Communication
(Sec. 15)
• Personal information controllers may invoke
the principles of privileged information that
they lawfully control or process.
• Subject to existing laws and regulations, any
evidence gathered on privileged information
is inadmissible.
Penalties on the Unauthorized Processing of Personal
Information and Sensitive Personal Information:

o Unauthorized and Without the Data Subject’s Consent
to Process Personal Information
Penalty- 1 year to 3 years of imprisonment and a fine of
not less than Php500,000.00 but not more than
Php2,000,000.00
o Unauthorized Processing of Sensitive Personal
Information and Without the Data Subject’s Consent to
Process
Penalty- 3 years to 6 years of imprisonment and a fine
of not less than Php500,000.00 but not more than
Php4,000,000.00
o Accessing Personal Information and Sensitive
Personal Information Due to Negligence
Penalty
(Negligence, provided access to personal
information without being authorized under
this Act or any existing law)
1 to 3 years of imprisonment and a fine of not
less than Php500,000.00 but not more than 2
million
3 to 6 years and a fine not less than
Php500,00.00 but not more than 4 million
o Improper Disposal of Personal Information
and Sensitive Personal Information
Penalty- 6 months to 2 years and a fine of not
less than Php100,000.00 but not more than
Php500,000.00 shall be imposed on persons
who knowingly or negligently dispose,
discard or abandon the personal information
of an individual in an area accessible to the
public or has otherwise placed the personal
information of an individual in its container for
trash collection.
o Improper Disposal of Sensitive Personal
Information
Penalty- 1 to 3 years of imprisonment and a
fine not less than Php100,000.00 but not more
than 1 million shall be imposed on persons
who knowingly or negligently dispose, discard
or abandon the sensitive personal
information of an individual in an area
accessible to the public or has otherwise
placed the personal information of an
individual in its container for trash collection.
o Processing of Personal Information and Sensitive Personal
Information for Unauthorized Purposes
Penalty
1 year and 6 months to 5 years of imprisonment and a fine
of not less than Php500,000.00 but not more than 1 million
shall be imposed on persons processing personal
information for purposes not authorized by the data
subject, or otherwise authorized under this Act or any
existing laws.
2 to 7 years of imprisonment and a fine of not less than
Php500,000.00 but not more than 2 million shall be
imposed on persons processing sensitive personal
information for purposes not authorized by the data
subject, or otherwise authorized under this Act or any
existing laws.
o Unauthorized Access or
Intentional Breach
Penalty- 1 to 3 years of imprisonment and a
fine of not less than Php500,000.00 but not
more than 2 million shall be imposed on
persons who knowingly and unlawfully, or
violating data confidentiality and security data
systems, breaks in any way into any system
where personal and sensitive personal
information is stored.
o Concealment of Security Breaches Involving
Sensitive Personal Information
Penalty- 1 year and 6 months to 5 years and a
fine of not less than Php500,000.00 but not
more than 1 million pesos shall be imposed on
persons who, after having knowledge of a
security breach and of the obligation to notify
the Commission pursuant to Section 20(f),
intentionally or by omission conceals the fact
of such security breach.
o Malicious Disclosure
Any personal information controller or
personal information processor or any of its
officials, employees or agents, who, with
malice or in bad faith, discloses unwarranted
or false information relative to any personal
information or personal sensitive
information obtained by him or her
Penalty- imprisonment ranging from 1 year
and 6 months to 5 years and a fine of not
less than Php500.
o Unauthorized Disclosure
Any personal information controller or personal
information processor or any of its officials,
employees or agents, who discloses to a third party
personal information not covered by the immediate
preceding section without the consent of the data
subject
Penalty- subject to imprisonment ranging from 1
year to 3 years and a fine not less than
Php500,000.00 but not more than 1 million pesos.
(sensitive personal information)- 3 to 5 years
imprisonment and a fine not less than
Php500,000.00 but not less than 2 million pesos.
o Combination or Series of Acts
Any combination or series of acts as
defined in Sections 25 to 32 shall make
the person subject to imprisonment
ranging from 3-6 years and a fine of not
less than 1 million pesos but not more
than 5 million pesos.
Extent of Liability
1. If the offender is a corporation, partnership or
any juridical person, the penalty shall be
imposed upon the responsible officers, as the
case may be, who participated in, or by their
gross negligence, allowed the commission of
the crime.
2. If the offender is a juridical person, the court
may suspend or revoke any of its rights under
this Act.
3. If the offender is an alien, he or she shall, in
addition to the penalties herein prescribed,
be deported without further proceedings
after serving the penalties prescribed.
4. If the offender is a public official or employee
and he or she is found guilty of acts penalized
under Sections 27 and 28 of this Act, he or she
shall, in addition to the penalties prescribed
herein, suffer perpetual or temporary absolute
disqualification from office, as the case may be.
o Large-scale
The maximum penalty in the scale of penalties
respectively provided for the preceding offenses shall
be imposed when the personal information of at least 100
persons is harmed, affected or involved as the result of
the above-mentioned actions.

o Offense Committed by Public Officer
When the offender or the person responsible for the
offense is a public officer as defined in the Administrative
Code of the Philippines in the exercise of his or her
duties, an accessory penalty consisting in the
disqualification to occupy public office for a term double
the term of criminal penalty imposed shall be applied.