Data Privacy Act of 2012 summary

Commission: National Privacy Commission
Consent: Must be freely given, specific, informed; may be written, electronic, or recorded
Data subject: Individual whose personal data is processed
Personal information: Any info identifying an individual directly or indirectly
Sensitive personal information: Race, health, religion, sexual life, government-issued IDs, legal proceedings, etc.
Personal information controller: Person or org controlling personal data processing
Personal information processor: Outsourced entity processing data for controller
Processing: Collection, storage, use, modification, destruction of personal data
Privileged information: Data protected by law or court rules

Applies to all processing of personal info in the Philippines, including entities outside PH using PH equipment or having offices
Exemptions include:
- Info about government officers related to their job
- Contracted service info with government
- Discretionary financial benefits by government
- Journalistic, artistic, literary, and research info
- Info processed for public authority functions
- Foreign data compliant with foreign laws

Independent regulatory body attached to DICT
Functions: enforce compliance, receive complaints, investigate, impose sanctions, coordinate privacy policies, international cooperation, publish guides
Structure: Privacy Commissioner (rank of Secretary), 2 Deputy Commissioners (rank of Undersecretary)
Confidentiality and immunity for good-faith actions
Authorized to establish Secretariat with experienced personnel

Personal data must be collected for specified, legitimate purposes
Processed fairly, lawfully, accurately, and adequately
Data retention only as long as necessary
Processing allowed with consent or specific legal bases (contractual necessity, legal obligation, vital interests, public authority functions, or legitimate interests)
Special rules for processing sensitive and privileged information

Controllers must implement organizational, physical, and technical safeguards
Protect against accidental or unlawful destruction, alteration, or disclosure
Regular monitoring for security breaches required
Third party processors must comply with security measures
Strict confidentiality obligations for employees and agents
Mandatory breach notification to Commission and affected data subjects with conditions for delay or exemption

Government heads responsible for securing sensitive personal information with recognized standards
Employee access to government data limited by security clearances and controls
Off-site access restricted, limited to 1000 records and requiring encryption
Government contractors must register with Commission and comply with law

Personal information controllers accountable for compliance even when data is processed by third parties
Must designate accountable officer(s) whose identities shall be disclosed upon request

Unauthorized processing: 1-3 years imprisonment and fines up to Php 2 million; for sensitive data, higher penalties
Negligent access: same as above, with higher thresholds for sensitive info
Improper disposal: up to 3 years imprisonment and fines up to Php 1 million
Processing for unauthorized purposes: up to 7 years imprisonment and fines up to Php 4 million depending on data sensitivity
Unauthorized access/hacking: 1-3 years imprisonment and fines up to Php 2 million
Concealment of breaches: up to 5 years imprisonment and fines up to Php 1 million
Malicious disclosure: 1.5-5 years imprisonment and fines up to Php 1 million
Unauthorized disclosure: 1-5 years imprisonment and fines up to Php 2 million depending on info sensitivity
Larger penalties for repeated offenses or large-scale breaches affecting 100 or more persons
Corporate and public official liability, including disqualification from office and deportation for aliens