Title: Data Privacy Act of 2012 summary
Law: Republic Act No. 10173
Decision Date: Aug 15, 2012
The Data Privacy Act of 2012 in the Philippines establishes regulations and safeguards for the protection of personal information, ensuring its fair and lawful processing while granting individuals rights and imposing penalties for unauthorized access or disclosure.

Q&A (Republic Act No. 10173)

The official short title of Republic Act No. 10173 is the Data Privacy Act of 2012.

The State's policy is to protect the fundamental human right of privacy of communication while ensuring free flow of information to promote innovation and growth, recognizing the vital role of information and communications technology in nation-building and securing personal information in government and private sector systems.

'Data subject' refers to an individual whose personal information is processed.

Processing is lawful if at least one of the following conditions exists: the data subject has given consent; processing is necessary for a contract; processing is necessary for compliance with a legal obligation; processing is necessary to protect vital interests; processing is necessary to respond to a national emergency or to fulfill public authority functions; or processing is necessary to pursue legitimate interests not overridden by fundamental rights.

The Act applies to the processing of all types of personal information by natural and juridical persons involved in such processing within the Philippines, including those not found in the Philippines but using equipment or maintaining offices there, with certain exceptions such as information about government officials related to their roles, journalistic purposes, and foreign data governed by foreign laws.

Sensitive personal information includes data about an individual's race, ethnic origin, marital status, age, color, religious, philosophical or political affiliations; health, education, genetic or sexual life; government-issued data peculiar to the individual like social security numbers and tax returns; and other classified information established by executive order or law.

The National Privacy Commission (NPC) is an independent body responsible for administering and implementing the Act, ensuring compliance, receiving and resolving complaints, issuing orders, coordinating with government and private sectors, publishing guides and reports, recommending prosecution, reviewing privacy codes, and assisting in data privacy matters locally and internationally.

Unauthorized processing of personal information is penalized by imprisonment of 1 to 3 years and fines ranging from Php500,000 to Php2,000,000; unauthorized processing of sensitive personal information has higher penalties, from 3 to 6 years imprisonment and fines from Php500,000 to Php4,000,000.

A data subject has the right to be informed about processing of personal information; to access details about the information processed and its use; to dispute and correct inaccuracies; to suspend or withdraw consent for processing; and to be indemnified for damages due to violations.

They must implement reasonable organizational, physical, and technical measures to protect information against accidental or unlawful destruction, alteration, disclosure or other unlawful processing; ensure safeguards against network interference; adopt security policies; monitor for security breaches; and ensure third parties processing data also comply with these standards.

The Act applies to acts or practices done outside the Philippines if related to personal information about Philippine citizens or residents, the entity has links to the Philippines such as contracts entered, central management, or branches in the Philippines, or the entity carries on business in the Philippines and holds or collected personal information there.

A penalty of imprisonment from 1 year and 6 months to 5 years and fines from Php500,000 to Php1,000,000 applies to persons who knowingly conceal a security breach despite an obligation to notify the Commission.

Personal information controllers must designate an individual or individuals responsible for ensuring the organization's compliance with the Act, whose identity must be made known to data subjects upon request.

Improper disposal of personal information is punishable by 6 months to 2 years imprisonment and fines of Php100,000 to Php500,000; disposal of sensitive personal information carries penalties of 1 to 3 years imprisonment and fines of Php100,000 to Php1,000,000.

Yes, the Act excludes such processing from its scope, provided the information is handled in accordance with the applicable laws and confidentiality is maintained.

