Confidentiality of private data

The National Privacy Commission recently released the implementing rules and regulations of Republic Act No. 10173, or the Data Privacy Act of 2012.

The law aims to “safeguard the fundamental human right of every individual to privacy while ensuring free flow of information for innovation, growth, and national development.”

It applies only to the processing of personal data by natural or juridical persons in the government or private sector in the country. It shall have extraterritorial application if some elements of the act are performed in the Philippines.

The need to maintain the confidentiality and security of personal information has become critical in this age of social media when, at the flick of a finger, facts and figures (both true and fake) can be sent to their intended recipients with practically no liability or accountability.

Personal information refers to any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.

The law recognizes that the collection and processing of personal data is essential in the conduct of business in government and the private sector. The manner by which they should be handled, however, depends on their nature and relation to public interest.

Thus, for example, information about bank deposits can be disclosed by the banks to third parties only with the written consent of the depositor or under the circumstances cited in the Secrecy of Bank Deposits Act.

To ensure the confidentiality and security of personal data, the rules require the parties tasked with the collection, processing and retention of personal data to observe the following principles: (a) collection must be for a declared, specified and legitimate purpose; (b) personal data shall be processed fairly and lawfully; (c) processing should ensure data quality; (d) personal data shall not be retained longer than necessary; and (e) any authorized further processing shall have adequate safeguards.

The rationale behind these principles is that personal data is an essential element of human rights and should therefore be treated with utmost care and security by whoever is given the authority to collect and process it.

An issue related to the collection and processing of information is data sharing, or the disclosure or transfer to a third party of personal data under the custody of the person who processes or controls them.

The unauthorized sharing of data has resulted in, for example, people getting solicitations or advertisements on their smartphones, or at their e-mail addresses, offices or residences, from business entities or organizations that they never heard of or dealt with before.

Under the rules, data sharing in the private sector shall be allowed only if the concerned person agrees to it, a data sharing agreement is entered into by the sharing entities and the subject is informed prior to the sharing of, among others, its purpose and intended recipients.

The sharing of sensitive personal and privileged information is prohibited unless (a) the concerned person consents to it, (b) its processing is required by law, (c) it is necessary to protect the life and health of that person or other persons, or (d) it is essential to the protection of lawful rights and interests in legal proceedings.

The party authorized to collect and process personal data is obliged to implement all reasonable security measures to maintain their integrity and confidentiality, and prevent any accidental or unlawful destruction, alteration and disclosure.

The law imposes stiff penalties for violation of the rules on confidentiality and security of personal data.

Aside from a minimum fine of P500,000, violators may be imprisoned from six months to three years depending on the nature or gravity of the offense committed.
