Issue on Data Privacy Act of 2012
We live in a fast-paced, technology-driven environment where information about anything and anybody comes in handy. One’s privacy can easily be subjected to intrusion by another, either with good intention or with malice. Privacy might become a thing of the past if personal information is open to public scrutiny. If this happens, the provisions of our 1987 Constitution on respect for one’s privacy will be defeated. Our legislators might have anticipated this, hence the birth of the Data Privacy Act of 2012.
The law referred to above, RA 10173, otherwise known as the “Data Privacy Act of 2012,” was approved by President Benigno S. Aquino III on 15 August 2012. It aims to protect the integrity and confidentiality of personal data collected by the Government and the private sector, and creates a National Privacy Commission (“NPC”) to carry out the provisions of the said law. The NPC’s powers include handling privacy-related complaints, conducting investigations, issuing orders for compliance and issuing temporary or permanent bans on data processing by named Controllers.
To better appreciate discussions on the subject, below are the common terms used in RA 10173:
- Personal information refers to any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.
- Privileged information refers to any and all forms of data which under the Rules of Court and other pertinent laws constitute privileged communication.
- Sensitive personal information refers to personal information about an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations; health, education, genetic or sexual life, or any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings or the sentence of any court in such proceedings; information issued by government agencies peculiar to an individual, which includes, but is not limited to, social security numbers, previous or current health records, licenses or their denials, suspension or revocation, and tax returns; and information specifically established by an executive order or an act of Congress to be kept classified.
- Personal information processor refers to any natural or juridical person qualified to act as such under this Act to whom a personal information controller may outsource the processing of personal data pertaining to a data subject.
- Data subject refers to an individual whose personal information is processed.
The Law covers “all types of personal information and to any natural and juridical person involved in personal information processing including those personal information controllers and processors who, although not found or established in the Philippines, use equipment that are located in the Philippines” with exclusions on the following:
- Personal information originally collected from residents of foreign jurisdictions and processed in the Philippines
- Information on government personnel related to position or function
- Information covered in the Secrecy of Bank Deposits Act (Republic Act No. 1405), the Foreign Currency Deposit Act (Republic Act No. 6426), the Credit Information System Act (Republic Act No. 9510), Anti-Money Laundering Act (Republic Act No. 9510, and Republic Act No. 9160, as amended) and other applicable laws
- Information about an individual who is or was performing service under contract for a government institution that relates to the services performed
- Information relating to any discretionary benefit of a financial nature such as the granting of a license or permit given by the government to an individual
- Personal information processed for journalistic, artistic, literary or research purposes
Purposes of the law
The Act aims to substantially raise the profile of the Philippines in the data privacy (and business in the data processing) sphere by mandating that all personal information controllers comply with a raft of requirements before any such collecting, holding, processing or use may take place. Related to that is the leveling of our system to international standards of privacy protection, which could boost international investors’ confidence, particularly in the booming BPO industry, and eventually create more job opportunities for the inhabitants of our country.
The declaration of policy articulates the importance of our right to be let alone, more so in this ever-changing day and age; that the human right to privacy should be safeguarded; and that personal information in Information and Communications Technology (ICT) systems in both the government and private sectors is protected and secured. The Act also ensures that we are protected from the threats of the misuse and abuse of personal and sensitive information.
The Act commands collectors, holders and processors of personal and sensitive information to ensure strict compliance in the conduct of their activities. The information must also be stored only as long as it is needed or “for the establishment, exercise or defense of legal claims, or for legitimate business purposes, or as provided by law.” Lack of consent from the data subject will not stop the processing should it be related to the fulfillment of a contract he has previously entered into, to comply with a legal obligation, in cases of life and health, and to serve the greater interests of the public. In some cases where the information is found to be incomplete, outdated, false, and/or unlawfully obtained, the data subject can demand its withdrawal, blocking or removal.
General Data Privacy Principles
In adhering to the principles of transparency, legitimate purpose and proportionality, processing of personal information is allowed subject to compliance with this Act and other pertinent laws allowing disclosure of information to the public. The following are the criteria for the legitimate gathering, keeping, storing or processing of personal information:
- Specified and legitimate purpose
- Fair and lawful processing
- Accurate, relevant and up to date processing
- Adequate and not excessive relative to the purpose for which they are collected and processed
- Reasonable time of data retention
- Kept in a form that permits identification of data subjects
The Accountability Principle
“[e]ach personal information controller is responsible for personal information under its control or custody, including information that has been transferred to a third party for processing, whether domestically or internationally, subject to cross-border arrangement and cooperation.”
Norms for lawful processing of Personal Information
- The Data Subject has given his/her consent, which must be evidenced by written, electronic or recorded means
- The processing is necessary to the execution of a contract with the Data Subject or to fulfill the Data Subject’s requests prior to entering into the contract
- The processing is necessary for compliance with the legal obligations of the Controller
- The processing is necessary to protect the vital interests of the Data Subject (such as his/her life or health)
- The processing is necessary to respond to national emergencies, or
- The processing is necessary for the purposes of the legitimate interests of the Controller or third party recipients of the personal information, subject to the fundamental rights of the Data Subjects
Rights of Data Subject
As the main character in this Act, the data subject enjoys the following concessions relative to reasonable access to his personal information:
- His/her personal information which has been processed
- Sources from which the personal information has been obtained
- Names and addresses of the recipients to whom the personal information has been disclosed
- The manner by which the personal information was processed
- Reasons for disclosing the personal information
- Information on any automated processes by which the personal information may be used as the sole basis for decisions which will affect the Data Subject, and
- The date of last access or modification of the personal information.
The Controller/organization is required by the Act to indemnify a person against all such damage that a Data Subject suffers as a result of any inaccurate information or unauthorized use of his/her personal information. This places considerable pressure on Controllers to ensure that the personal information they collect and use is collected and processed in accordance with the Act, the Principles and the consent from the Data Subject, as well as kept accurate, up to date and secured. In case the data subject finds that the information stored in the information system is incomplete, outdated, false, unlawfully obtained, used for unauthorized purposes, or no longer necessary, he can demand the withdrawal, blocking or removal of the subject information. And if the harm caused to him is grave, he can sue the erring parties for whatever damages he may have sustained as a consequence of the mishandling or misuse of his information.
To ensure compliance with this Act, certain penalties are established. Severe sanctions include criminal prosecution for first-time breaches; no second chances are available. Furthermore, any breach where 100 or more persons are harmed or affected will be subject to the maximum penalties. If the person who breaches the Act is an alien, he/she shall be deported from the Philippines without further proceedings after serving any prison term and/or paying any penalties levied. Any combination or series of acts as defined in Sections 25 to 32 shall make the person subject to imprisonment ranging from three (3) years to six (6) years and a fine of not less than One million pesos (Php1,000,000.00) but not more than Five million pesos (Php5,000,000.00).
Extent of Liabilities
Imposition of penalties varies depending on the kind of perpetrators, to wit:
If the offender:
- is a corporation, partnership or any juridical person, penalties shall be directed to officers who participated in or, through their gross negligence, allowed the commission of the crime
- is an alien, he/she shall be deported from the Philippines without further proceedings
- is a public official or employee, aside from the penalties prescribed in this Act, he shall suffer perpetual or temporary absolute disqualification from office, as the case may be
The Implementing body
The law created a National Privacy Commission (“Commission”), an independent body, tasked with the administration of the provisions of this Act and to monitor and ensure compliance with international standards set for data protection. It is composed of a Privacy Commissioner and two Deputy Privacy Commissioners who are vested with broad powers to implement the law and process complaints from the public. They shall be appointed by the President for a term of three years and may be reappointed for another term of three years. The members of the Commission have to be experts in information and communications technology and data privacy. The Commission is empowered to approve codes of conduct and issue cease and desist orders. The Commission may recommend that the Department of Justice prosecute cases and impose penalties, which could include up to six years in prison for the unauthorized processing of sensitive personal information. Moreover, the Commission is also mandated to draft the implementing rules and regulations (“IRR”), which are expected to provide clear guidelines on dealing with data breach, the establishment of data breach policies and response plans, and the establishment of safety standards, including the execution of confidentiality agreements. Lastly, the Commission shall ensure that confidentiality of collected information is maintained and observed at all times.
Is giving out someone else’s number to a third person without the consent of the said person violative of the Data Privacy Act of 2012?
Author’s Point of View
Having discussed the salient features of this Act, let us now take a glance at the issue at hand. Applying the words of the law, one could easily come up with a logical interpretation in dealing with unauthorized dissemination of personal information.
One’s telephone number, which is peculiar to or identifiable as belonging to a particular person, falls under the definition of personal information within the purview of this Act. As articulated, anything that when put together with other information would directly and certainly identify a person is regarded as personal information. One who owns a phone number can be identified as the owner of such, especially if the subscription is under his name, though we have no hard and fast rule on this proof of ownership, as telecommunication companies allow subscription of a number of lines under one customer, not to forget the prepaid facilities available. For purposes of discussing this issue, let us assume that ownership of the phone number is vested in a particular person whom we can refer to as the Data subject. Unless due to scarcity of resources or other personal reasons, no two persons own similar or identical phone numbers. Telecommunications companies assign distinct and unique phone numbers to each of their subscribers to establish order in the conduct of their businesses so they can provide a systematic process relative to quality product and excellent service to their customers. Just imagine taking a subscriber’s complaint with reference to a particular phone number owned by more than one subscriber, not to mention the possibility of that number being owned by more than one service provider. What chaotic and disorderly communications facilities we would experience. As a recipient of the said service, no one would like to have his number shared with another person. It is in this context that privacy of information is applicable in this case.
The phone number, as the subject of this case, is by nature susceptible to being arbitrarily circulated. It may be likened to a virus: once it hits a particular organ in the body, there is no way of stopping its flow. That is why, to be classified under personal information, a person’s phone number may be subjected to proper collection, handling, processing, retention and dissemination. As the owner of a particular phone number, a person has free will in the disposition of his number, as a matter of right. Should he want to publicize the same, it is entirely up to him. Should he want to use it for some purposes, as long as they are not contrary to law, morals, public order or policy, the choice resides with him and him alone. No policies or laws are allowed to infringe this right, lest one face grave threats of getting penalized for breach of one’s privacy.
To be a party to an unauthorized dissemination of personal information, on the other hand, is another story. In dealing with the current issue, qualification sets in. Applying different scenarios to test if the act is violative of the subject law, one major point to consider is the intent of the party who gives out another person’s number to someone else. If there is an unauthorized disclosure but the intent is good, for instance, in an emergency case where a telephone number is required to deter a crime or to save one’s life, the act of divulging one’s number without the concerned person’s consent may be justified. It is in this light that intrusion into one’s privacy may be classified as unintentional. If later on an adverse event arises, one may raise the defense of protecting the higher good, which is preservation of life. However, if the incident is silent on the intent and unauthorized disclosure is committed without justifiable reasons, one may face the penalties stipulated in Section 32 of this Act. On the contrary, if the end in mind is to maliciously cause damage or injury to the owner of the number or to people who may be collaterally affected by the ill intent, then it could easily be deduced that a breach of data privacy took place. As such, one may seek redress under the provisions of this Act, and correspondingly the penalties provided by the said Act should apply, depending on the gravity of the offense committed. Again, what is being suppressed in this case is the proliferation of unauthorized sharing of information if it is founded on ill will. Penalties that are imposable in this case are those enshrined in Section 31 of this Act, as such offense can be clearly classified as malicious disclosure of personal information.
Indeed, handling of personal information, be it privileged or sensitive, must be done with utmost care, for the very reason that invasion of one’s privacy runs counter to the basic rights that an individual possesses under our Constitution. To avoid getting caught red-handed and being subjected to penalties as prescribed by RA 10173, one must uphold the right to be let alone, respect the sanctity of personal information and adhere to policies laid down by our State in the carrying out of its duties to afford protection and general welfare to its people. It goes without saying that sharing of information is good as long as consent of the concerned parties is sought. Remember, negligence in the handling of personal information is made punishable under this Act. Further, personal information handlers should bear in mind that where personal information is concerned, there should be no room for any mistake, intentional or otherwise; that negligence relative to data handling is a grave offense; and that no amount of reason could stand as a matter of defense.
With the passing of this Act, an individual is vested with rights which he can enforce in case of breach of privacy, i.e. the right to know if his/her personal information is being processed and how it is being used, as well as the right to demand removal or destruction of his/her stored personal data from a system unless there is a legal basis for such information to be kept or processed.
I laud our government for the excellent foresight that paved the way for the existence of a law that not only protects the interest of its inhabitants but, importantly, breathes life into the mandate of our Constitution on respecting and upholding one’s privacy.
This article is for academic purposes only and is not a substitute for professional advice where the facts and circumstances warrant.