Questions on Republic Act No. 10173 (the Data Privacy Act of 2012)
It is the State’s policy to protect the fundamental human right of privacy of communication while ensuring free flow of information to promote innovation and growth, recognizing the role of ICT in nation-building and the obligation to secure and protect personal information in government and the private sector.
Personal information is any information, whether recorded in a material form or not, from which identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information; identifiability also includes situations where the information, when put together with other information, would directly and certainly identify the individual.
A personal information controller controls the collection, holding, processing, or use of personal information (including instructing another to process it), but excludes those who only perform functions as instructed and those collecting/processing only for personal/family/household affairs. A processor is the person qualified under the Act to whom a controller outsources processing of personal data.
Sensitive personal information includes: (1) data about an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations; (2) data about an individual’s health, education, genetic or sexual life, or any proceeding for an offense committed or alleged to have been committed by that person, the disposal of such proceedings, or the sentence of any court in them; (3) data issued by government agencies peculiar to an individual, including social security numbers, previous or current health records, licenses or their denial, suspension or revocation, and tax returns; and (4) data specifically established by an executive order or an act of Congress to be kept classified.
It applies to processing of all types of personal information, and any natural or juridical person involved as controller or processor, including entities not established in the Philippines if they use equipment located in the Philippines or maintain an office/branch/agency in the Philippines (subject to Section 5 requirements).
The Act does not apply, among others, to: (a) information about government officers/employees relating to their position or functions (limited categories); (b) information about individuals performing a service under contract for government, relating to the services and contract terms; (c) information relating to discretionary financial benefits such as the granting of a license or permit by the government; (d) personal information processed for journalistic, artistic, literary or research purposes; (e) information necessary to carry out the functions of public authority, including processing by the independent central monetary authority and by law enforcement and regulatory agencies of their mandated functions, with the proviso that the Act does not amend or repeal the Secrecy of Bank Deposits Act, the Foreign Currency Deposit Act, or the Credit Information System Act (CISA); (f) information necessary for banks and other financial institutions under BSP jurisdiction to comply with RA 9510 (CISA) and RA 9160 (the Anti-Money Laundering Act, as amended); and (g) personal information originally collected from residents of foreign jurisdictions under the laws of those jurisdictions and processed in the Philippines.
It provides that nothing in the Act repeals/amends RA 53, which protects publishers, editors, or duly accredited reporters from being compelled to reveal the source of any news report or information related in confidence to them.
The Act applies to acts done or practices engaged in outside the Philippines when: (a) the act, practice or processing relates to personal information about a Philippine citizen or resident; (b) the entity has a link with the Philippines and processes personal information in the Philippines, or the processing is abroad but is still about Philippine citizens or residents (for example, a contract entered into in the Philippines; a juridical entity unincorporated in the Philippines but with central management and control in the country; or an entity with a branch, agency, office or subsidiary in the Philippines whose parent or affiliate has access to the personal information); or (c) the entity has other links with the Philippines, such as carrying on business in the Philippines or having collected or held the personal information in the Philippines.
The National Privacy Commission’s functions are to administer and implement RA 10173 and monitor compliance with international data protection standards; ensure compliance; receive and investigate complaints, adjudicate and award indemnity, and facilitate settlement; issue cease and desist orders and ban processing that is detrimental to national security or the public interest; compel entities and agencies to comply; monitor government security measures; coordinate with other agencies and the private sector; publish guides and compilations of registered records and notices; review privacy codes; provide assistance, advisory opinions and interpretation; propose legislation; coordinate internationally and negotiate cross-border enforcement; and assist Philippine companies doing business abroad.
Processing is allowed subject to RA 10173 and other disclosure laws and adherence to transparency, legitimate purpose, and proportionality. Personal information must be: collected for specified and legitimate purposes; processed fairly and lawfully; kept accurate and updated; adequate and not excessive; retained only as long as necessary; and kept in a form permitting identification no longer than necessary (with specific allowances for historical/statistical/scientific purposes and laws allowing longer storage with adequate safeguards). The controller must ensure implementation.
Processing is permitted only if not otherwise prohibited by law and when one condition exists: (a) consent; (b) necessary for contract or pre-contract steps at data subject’s request; (c) necessary for compliance with legal obligation of controller; (d) necessary to protect vitally important interests of data subject; (e) necessary for national emergency/public order/safety or public authority functions; or (f) necessary for legitimate interests pursued by controller/third parties, unless overridden by data subject’s fundamental rights/freedoms.
Processing of sensitive personal information and privileged information is prohibited except in the following cases: (a) the data subject consents (for sensitive data) or all parties to the exchange consent (for privileged information); (b) the processing is provided for by existing laws and regulations that guarantee protection of the data, in which case consent is not required; (c) the processing is necessary to protect life and health when consent cannot be obtained; (d) the processing is for the lawful and noncommercial objectives of a public organization, confined to bona fide members, not transferred to third parties, and with the data subject’s consent obtained prior to processing; (e) the processing is for medical treatment by a practitioner or institution with adequate protection; or (f) the processing is necessary to protect lawful rights and interests in court proceedings or for the establishment, exercise or defense of legal claims, or is provided to government or a public authority.
A controller may subcontract processing, but the controller remains responsible for ensuring proper safeguards (confidentiality, preventing unauthorized use) and overall compliance with RA 10173 and other laws. The processor must also comply with the Act and applicable laws.
The data subject is entitled to: (1) be informed whether personal information is being/has been processed; (2) be furnished specified information before entry or at next practical opportunity (purpose, scope/method, recipients, automated access info, controller identity/contact, retention period, and existence of rights and complaint mechanism), with limited exceptions; (3) reasonable access to content, sources, recipients, manner of processing, reasons for disclosure, automated processes making decisions, last accessed/modified, and controller designation; (4) dispute inaccuracy and request immediate correction (including informing prior recipients upon request); (5) suspend/withdraw/block/remove/destroy upon discovery/substantial proof of unlawfully obtained/incomplete/outdated/false/unauthorized/no longer needed data; and (6) be indemnified for damages sustained due to inaccurate/incomplete/outdated/false/unlawfully obtained/unauthorized use.
Where personal information is processed by electronic means in a structured and commonly used format, the data subject may obtain from the controller a copy of data undergoing processing in an electronic/structured format commonly used that allows further use by the data subject; the Commission may set the format and technical standards.
Controllers must implement reasonable and appropriate organizational, physical and technical measures against accidental or unlawful destruction, alteration, disclosure and other unlawful processing; take into account the risks, the nature of the data, the size and complexity of the organization, best practices and cost; include safeguards for the computer network, a security policy for processing, a process for identifying and assessing reasonably foreseeable vulnerabilities and taking preventive, corrective and mitigating action, and regular monitoring for security breaches with an incident response process; ensure third-party processors apply the required security measures; require employees and agents to hold personal information in strict confidence, even after leaving service; and notify the Commission and affected data subjects when sensitive personal information, or other information that may enable identity fraud, is reasonably believed to have been acquired by an unauthorized person and the controller or the Commission believes the acquisition is likely to give rise to a real risk of serious harm to an affected data subject. The Commission may exempt a controller from notification where notification would not be in the public interest or in the interest of the affected data subjects, and may authorize postponement where notification would hinder a criminal investigation.
Each controller is responsible for personal information under its control/custody, including transferred data for processing (domestically or internationally). The controller must use contractual or reasonable means to provide comparable protection while processed by third parties and must designate accountable individual(s), whose identity must be disclosed to data subjects upon request.