Title: Data Privacy Act IRR Summary
Law: IRR of Republic Act No. 10173
Date: Aug 24, 2016
The Implementing Rules and Regulations of the Data Privacy Act of 2012 establish comprehensive guidelines for the protection of personal data, outlining the responsibilities of the National Privacy Commission, the rights of data subjects, and the security measures required for lawful data processing in both public and private sectors.

Questions (IRR of Republic Act No. 10173)

The IRR enforces the Data Privacy Act in line with generally accepted international principles and standards. It safeguards every individual's fundamental right to privacy while ensuring the free flow of information for innovation, growth, and national development. It also recognizes the role of ICT in nation-building and stresses the State's obligation to secure personal data in both government and private information and communications systems.

A personal information controller controls the processing of personal data, or instructs another to process personal data on its behalf: it decides what information is collected and the purpose and extent of the processing. A personal information processor is the natural or juridical person to whom the controller may outsource or instruct the processing of personal data.

Data sharing is the disclosure or transfer to a third party of personal data under the custody of a controller or processor; where a processor does the disclosing or transferring, it must act on the controller's instructions. The term excludes outsourcing, and also excludes the disclosure or transfer of personal data by a controller to its processor.

Sensitive personal information includes personal information about race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations; about health, education, genetic or sexual life, or any proceedings for an offense committed or alleged to have been committed; identifiers issued by government agencies that are peculiar to an individual (e.g., social security numbers, health records, licenses or their denial/suspension/revocation, and tax returns); and information specifically established by law or executive order to be kept classified.

The Act and the IRR apply to the processing of personal data by any natural or juridical person in the government or private sector, including acts done or practices engaged in outside the Philippines, if: (1) the person involved in the processing is found or established in the Philippines; (2) the act, practice or processing relates to personal data of a Philippine citizen or resident; (3) the processing is done in the Philippines; or (4) the act, practice or processing is done or engaged in by an entity with links to the Philippines (e.g., equipment located in the country; an office, branch or agency in the Philippines; a contract entered into in the Philippines; central management and control in the Philippines; a Philippine branch whose parent or affiliate has access to the data; doing business in the Philippines; or collecting or holding personal data in the Philippines), with due consideration of international law and comity.

Where an exemption applies, the Act is inapplicable only to the minimum extent necessary for the purpose, function, or activity concerned; the exemption does not extend to the rest of the processing. Even within an exemption, controllers and processors must uphold the rights of data subjects and adhere to the general data privacy principles and the requirements for lawful processing, unless doing so is directly incompatible with the exempt purpose.

Not fully. The IRR recognizes an exemption for personal data processed for journalistic, artistic or literary purposes, subject to other applicable laws and regulations. However, media entities and practitioners that are also personal information controllers or processors remain bound by the Data Privacy Act with respect to their processing: they must uphold data subject rights and otherwise maintain compliance wherever that is not incompatible with the protection of freedom of speech, of expression, and of the press.

The burden of proving that the Act and the IRR do not apply to particular information or processing lies with those involved in the processing of the personal data or with the party claiming the exemption. In all cases, exemptions are interpreted liberally in favor of the rights and interests of the data subject.

The NPC is an independent body mandated to administer and implement the Data Privacy Act, and to monitor and ensure compliance with international standards for personal data protection.

Among the NPC's functions: (1) Rule-making: developing, promulgating, reviewing and amending implementing rules; recommending security measures; specifying standards for data portability; issuing security guidelines; consulting with other regulators on privacy codes; and proposing privacy legislation. (2) Complaints and investigations: receiving complaints; instituting investigations; summoning witnesses and issuing subpoena duces tecum; facilitating settlement through alternative dispute resolution; adjudicating matters as a collegial body; preparing reports; and publicizing outcomes where appropriate.

The Commission and its personnel must ensure at all times the confidentiality of any personal data that comes to their knowledge or possession, and this duty continues even after their term, employment, or contract ends.

Transparency requires that the data subject be informed, in clear and plain language, of the nature, purpose and extent of the processing, the risks and safeguards involved, the identity of the controller, the subject's rights, and how to exercise them. Legitimate purpose means the processing must be compatible with a declared and specified purpose that is not contrary to law, morals, or public policy. Proportionality means the processing must be adequate, relevant, suitable, necessary, and not excessive in relation to that purpose; personal data should be processed only if the purpose cannot reasonably be fulfilled by other means.

Key points include the following. Collection: personal data is collected for a declared, specified and legitimate purpose; consent is obtained prior to collection or processing, subject to the statutory exemptions, and may be withdrawn; the data subject is informed of the purpose and extent of the processing, including any profiling or direct marketing; the purpose is determined before, or as soon as practicable after, collection; and only data that is necessary and compatible with the purpose is collected. Processing: data is processed fairly and lawfully; data subject rights (to refuse, withdraw, or object) are upheld; information is given in clear language; privacy and security safeguards are in place; data quality is ensured and data is kept accurate and up to date; inaccurate or incomplete data is rectified, destroyed, or its processing restricted; and further processing is allowed only with adequate safeguards. Retention: data is retained no longer than necessary for the purpose, for the establishment or defense of legal claims, or for legitimate business purposes consistent with standards; disposal is secure; longer retention is possible only for specified historical, statistical or scientific purposes and with appropriate security measures; aggregated or anonymized data may be kept longer; and personal data is never retained in perpetuity.

Data sharing is allowed where expressly authorized by law, provided adequate safeguards are in place and the principles of transparency, legitimate purpose and proportionality are observed. In the private sector, data sharing is allowed if the data subject consents (including sharing with an affiliate or parent company) and the relevant conditions are met, including a data sharing agreement that establishes adequate safeguards for data privacy and security and upholds the rights of data subjects; the Commission may review such agreements.

Processing of personal information is allowed unless prohibited by law, but to be lawful it must satisfy at least one of the following conditions: (a) the data subject has given consent prior to, or at a reasonably practicable time after, collection; (b) the processing is necessary to fulfill a contract with the data subject, or to take steps at the data subject's request before entering into one; (c) it is necessary for compliance with a legal obligation of the controller; (d) it is necessary to protect vitally important interests of the data subject, including life and health; (e) it is necessary to respond to a national emergency, or to comply with requirements of public order and safety, as prescribed by law; (f) it is necessary to fulfill the constitutional or statutory mandate of a public authority; or (g) it is necessary for the legitimate interests of the controller or a third party, except where those interests are overridden by the fundamental rights and freedoms of the data subject.

Processing of sensitive personal information and privileged information is prohibited except in specified cases: with the consent of the data subject (or of the parties to the exchange of privileged information) for a declared and legitimate purpose; where provided for by existing laws or regulations that guarantee protection of the information; where necessary to protect the life or health of the data subject or another person and the data subject is unable to express consent; for the lawful and noncommercial objectives of public organizations or associations, confined to their bona fide members, with consent obtained beforehand and no transfer to third parties; for medical treatment by a medical practitioner or institution with adequate protection of the data; or for the protection of lawful rights and interests in court proceedings, the establishment or defense of legal claims, or provision to a government or public authority under its constitutional or statutory mandate.

No government employee shall have access to sensitive personal information on government property or through online facilities unless the employee has received a security clearance from the head of the source agency. The source agency must strictly regulate such access so that it is granted only where the employee's official functions or the delivery of a public service directly depend on it and cannot otherwise be performed.
