Data Privacy Act of 2012
With the advances in information technology, privacy in personal data has become illusory. For the right price or with good connections, private information disclosed in confidence to companies or government offices can be made available to or accessed by interested parties.
This is the problem that is sought to be minimized, if not eliminated, by Republic Act 10173, otherwise known as the Data Privacy Act of 2012, which President Aquino recently signed into law.
In its declaration of policy, the law states that, although the free flow of information promotes innovation and growth, it is essential that personal information in the government’s and private sector’s information and communications systems is secured and protected.
Personal information is defined as “any information whether recorded in material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information.”
It includes facts and figures about a person’s race, ethnic origin, marital status, age, color and religious, philosophical and political affiliations. Or practically his life story.
Requirements
The most significant aspects of the law are: the procedures to be followed in the collection, processing and handling of personal information; the rights of data subjects; and the creation of a National Privacy Commission.
The law requires information collectors, holders and processors to follow strict rules on transparency, legitimacy and proportionality in the conduct of their activities.
Among others, the collection should be conducted for “specific and legitimate purposes determined and declared before, or as soon as reasonably practicable after collection, and later processed in a way compatible with such declared, specified and legitimate purposes only.”
Accuracy, relevance and essentiality of purpose must likewise be observed during the collection stage.
Inaccurate or incomplete data should be corrected, supplemented, destroyed or their further processing restricted.
The information can be stored only as long as needed for the purpose for which it was obtained, or “for the establishment, exercise or defense of legal claims, or for legitimate business purposes, or as provided by law.”
Once collected, the information can be processed or used only if it is not prohibited by law and the person who provided the information (or data subject) has given his consent; if no such consent is given, the processing can still go on provided it meets the “necessity” test.
Necessary
The data subject’s lack of consent will not bar the processing if it is related to the fulfillment of a contract with him or in order to take the steps he requested prior to entering into the contract.
It may also be conducted in the following instances: to comply with a legal obligation that the information collector has to obey; to protect the data subject’s vital interests, such as life and health; to respond to the exigencies of a national emergency or public order and security; and to serve the legitimate interests of the entity to which the information has been disclosed as long as no constitutional rights are violated.
In the latter cases, the processing is allowed to continue even in the face of the data subject’s opposition due to legal considerations (either on the part of the data subject or the party that collects the information) or in order to serve the greater interests of the public.
Such liberality, however, is tempered by the rights that the law gives to data subjects to protect their privacy.
They have the right to know whether their personal information “shall be, are being or have been processed.”
Before any such data are included in the collector’s information system, or at the next practical opportunity, they can demand information about, among others, the purpose for which it is processed, the scope and methodology of the process, the length of information storage, and the identity of the people to whom their personal information shall be disclosed.
Commission
In case the data subject finds that the information stored in the information system is incomplete, outdated, false, unlawfully obtained, used for unauthorized purposes, or no longer necessary, he can demand the withdrawal, blocking or removal of the subject information.
And if the harm caused to him is grave, he can sue the erring parties for whatever damages he may have sustained as a consequence of the mishandling or misuse of his information.
The law lists nine violations that can give rise to fines and prison terms. In what appears to be a concession to inflationary times, except for two offenses, the average fine imposable is a minimum of P500,000 and a maximum of P2,000,000.
The task of administering and implementing this law has been assigned to a still-to-be-created National Privacy Commission, which shall consist of three members: a Privacy Commissioner who shall act as its chair and two Deputy Privacy Commissioners.
They shall be appointed by the president for a term of three years and may be reappointed for another term of three years. The members of the commission have to be experts in information and communications technology and data privacy.
Although the law is complete in all respects, its implementation will have to await the promulgation by the commission of its implementing rules and regulations.