Questions (IRR of Republic Act No. 10173)
The IRR is titled “Implementing Rules and Regulations of Republic Act No. 10173, known as the Data Privacy Act of 2012.” Its policy is to enforce the Data Privacy Act, adopt generally accepted international principles and standards, safeguard the fundamental right to privacy, and ensure that personal data in ICT systems, in both government and the private sector, is secured.
Personal information is any information, whether recorded in material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding it, or which, when combined with other information, would directly and certainly identify an individual.
A personal information controller controls the processing or instructs another to process personal data on its behalf, excluding (1) persons or entities that merely perform functions as instructed by another, and (2) natural persons processing personal data for personal/family/household affairs. Control exists if the person decides what information is collected and the purpose/extent of processing.
The controller determines the purposes and means of processing (or instructs processing), while the processor is the entity to whom the controller may outsource or instruct the processing of personal data.
The Act applies when (1) the processor/controller is found/established in the Philippines; (2) the act relates to personal data of a Philippine citizen/resident; (3) processing is done in the Philippines; or (4) processing is done or engaged in by an entity with links to the Philippines (e.g., equipment in PH, office/branch/agency, contract in PH, central management/control in PH, access by a PH branch, entity carries on business in PH, or collects/holds personal data in PH).
These are exempt only to the minimum extent necessary for the purpose/function/activity, including: public access to information on matters of public concern about government officers (as enumerated), service under contract for government (name and contract terms), certain discretionary financial benefits (not ordinary transactions or benefits received as a matter of right), journalistic/artistic/literary purposes, research for public benefit (subject to laws/ethical standards), information necessary for law enforcement/regulatory functions (with bank secrecy/CISA/AML-related laws preserved), information necessary for compliance with CISA/AML (as applicable), and personal information originally collected from foreign jurisdictions and processed in PH (with the burden of proving foreign law on the claimant).
Exemptions must be liberally interpreted in favor of the rights and interests of the data subject, and the burden of proving non-applicability falls on those involved in processing or the party claiming the exemption.
They are not fully exempt. While publishers/editors/duly accredited reporters generally cannot be compelled to reveal their confidential news sources, publishers/editors/reporters that are also controllers/processors remain bound to follow the Data Privacy Act and related issuances regarding processing, rights of data subjects, and other non-incompatible provisions.
Transparency: data subject must be aware of nature/purpose/extent/risks/safeguards, identity of controller, rights, and how to exercise them, in clear plain language. Legitimate purpose: compatible with declared specified purpose not contrary to law/morals/public policy. Proportionality: processing must be adequate, relevant, suitable, necessary, not excessive, and purpose should not be reasonably fulfilled by other means.
Consent is required prior to collection and processing of personal data unless an exemption applies. When consent is required, it must be time-bound in relation to the declared, specified, and legitimate purpose; consent may also be withdrawn.
Personal data shall not be retained longer than necessary. Retention is allowed only: for the fulfillment of the declared/specified/legitimate purpose, or until the processing relevant to that purpose has been terminated; for the establishment/exercise/defense of legal claims; or for legitimate business purposes consistent with industry/approved standards. Retention is also allowed in cases provided by law.
Personal data must be disposed/discarded in a secure manner to prevent further processing, unauthorized access or disclosure, or prejudice to data subjects’ interests.
Further processing via data sharing is allowed if the data subject consents to data sharing (including affiliate/mother company relationships), and a data sharing agreement exists for commercial purposes (including direct marketing) with adequate safeguards and upholding data subject rights; the agreement is subject to Commission review on its own initiative or upon complaint.
Lawful processing is allowed if: (1) data subject consent prior to collection/as soon as practicable and reasonable; (2) processing for contractual agreement obligations or steps at data subject’s request before entering contract; (3) necessary for legal compliance; (4) necessary to protect vitally important interests; (5) necessary to respond to national emergency or comply with public order/safety as prescribed by law; (6) necessary for constitutional/statutory mandate of a public authority; or (7) necessary for legitimate interests of controller/third party unless overridden by fundamental rights/freedoms of the data subject.
It is generally prohibited unless an exception applies: consent; processing provided for by existing laws/regulations that guarantee protection and may not require consent; processing necessary to protect life/health when consent cannot be obtained; processing for lawful noncommercial objectives of public organizations/associations with restrictions (confined to bona fide members, no transfer to third parties, and prior consent); processing for medical treatment by a practitioner/institution with adequate safeguards; and processing for the protection of lawful rights/interests in court proceedings or the establishment/exercise/defense of legal claims, or when provided to a government/public authority pursuant to a constitutional/statutory mandate.
Processing of personal data for surveillance, interception, or recording of communications must comply with the Data Privacy Act, including adherence to transparency, proportionality, and legitimate purpose.