Implementing Rules of Data Privacy Act 2012
Law: IRR of Republic Act No. 10173
Decision Date: Aug 24, 2016
The Implementing Rules and Regulations (IRR) of the Data Privacy Act of 2012 in the Philippines establish responsibilities and penalties for the processing and protection of personal data, holding personal information controllers accountable and imposing fines and imprisonment for non-compliance.

Core Definitions Used

  • “Act” refers to Republic Act No. 10173 (Data Privacy Act of 2012). (Section 3(a))
  • “Commission” refers to the National Privacy Commission. (Section 3(b))
  • “Consent of the data subject” is any freely given, specific, informed indication of will, evidenced by written, electronic or recorded means, given by the data subject or by a lawful representative or an agent specifically authorized. (Section 3(c))
  • “Data subject” is the individual whose personal, sensitive personal, or privileged information is processed. (Section 3(d))
  • “Data processing systems” refer to the structure and procedure by which personal data is collected and further processed in an information and communications system or relevant filing system, including purpose and intended output. (Section 3(e))
  • “Data sharing” is the disclosure or transfer to a third party of personal data under the custody of a controller; when the recipient is a processor, the disclosure or transfer must be upon the instructions of the controller; data sharing excludes outsourcing. (Section 3(f))
  • “Personal data” refers to all types of personal information. (Section 3(g))
  • “Personal data breach” is a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed. (Section 3(h))
  • “Personal information” is information from which the identity of an individual is apparent or can be reasonably and directly ascertained, or which, when put together with other information, would directly and certainly identify an individual. (Section 3(i))
  • “Personal information controller” is one who controls processing or instructs another to process on its behalf, excluding (1) a person who only performs functions instructed by another, and (2) a natural person processing personal data in connection with personal, family, or household affairs; control exists when the entity decides what information is collected or the purpose or extent of processing. (Section 3(j))
  • “Personal information processor” is any person to whom a controller may outsource or instruct processing. (Section 3(k))
  • “Processing” includes any operation or set of operations on personal data, such as collection, recording, organization, storage, updating, retrieval, consultation, use, consolidation, blocking, erasure, or destruction, whether automated or manual if in a filing system. (Section 3(l))
  • “Profiling” is any form of automated processing using personal data to evaluate personal aspects relating to a natural person, including performance at work, economic situation, health, preferences, interests, reliability, behavior, location, or movements. (Section 3(m))
  • “Privileged information” is data that constitutes privileged communication under the Rules of Court and other pertinent laws. (Section 3(n))
  • “Public authority” refers to a government entity created by the Constitution or law and vested with law enforcement or regulatory authority and functions. (Section 3(o))
  • “Security incident” is an event affecting or tending to affect data protection, or compromising availability, integrity, and confidentiality of personal data, including incidents that would result in a breach if safeguards were not in place. (Section 3(p))
  • “Sensitive personal information” includes personal information on specified attributes (race, ethnicity, marital status, age, color, religious/philosophical/political affiliations), health/education/genetic or sexual life and related proceedings, government-issued identifiers and tax returns, and information classified as confidential by executive order or act of Congress. (Section 3(q))

General Policy and Data-Subject Protection

  • The Rules enforce the Act and require adherence to generally accepted international principles and standards for personal data protection. (Section 2)
  • Controllers and processors must uphold data subject rights and adhere to general data privacy principles and requirements of lawful processing unless directly incompatible or inconsistent with exemption sections. (Section 6)
  • The burden of proving non-applicability of the Act and these Rules to a particular processing falls on those involved in the processing or the party claiming non-applicability. (Section 6)
  • Exemptions must be liberally interpreted in favor of the rights and interests of the data subject. (Section 6)

Exemptions and Special Cases

  • The Act and these Rules apply only to the minimum extent necessary to the purpose, function, or activity in specified categories of information. (Section 5)
  • Information about government officers/employees that is processed for the purpose of allowing public access to information of public concern is exempt, namely: the fact of employment, title, office address and telephone number, classification/salary range/responsibilities, and the name on documents prepared in the course of government employment. (Section 5)
  • Information on individuals performing services under contract for a government institution is covered only as it relates to such service, including the name of the individual and the terms of the contract. (Section 5)
  • Information relating to a discretionary benefit of a financial nature conferred on an individual by government (e.g., the granting of a license or permit) is exempt, including the name of the individual and the exact nature of the benefit, but not benefits given in the course of ordinary transactions or as a matter of right. (Section 5)
  • Personal information processed for journalistic, artistic, or literary purpose is exempt in order to uphold freedom of speech, of expression, or of the press, subject to requirements of other applicable law or regulations. (Section 5)
  • Personal information processed for research purpose intended for public benefit is exempt, subject to applicable laws, regulations, or ethical standards. (Section 5)
  • Personal information necessary to carry out constitutionally or statutorily mandated functions of a public authority in law enforcement or regulatory functions is exempt, including functions of the independent, central monetary authority, subject to restrictions provided by law. (Section 5)
  • Nothing in the Act and these Rules shall be construed as having amended or repealed Republic Act No. 1405 (Secrecy of Bank Deposits Act), Republic Act No. 6426 (Foreign Currency Deposit Act), and Republic Act No. 9510 (Credit Information System Act (CISA)). (Section 5)
  • Information necessary for banks and other financial institutions under the independent, central monetary authority or Bangko Sentral ng Pilipinas and other bodies authorized by law is exempt to the extent necessary to comply with Republic Act No. 9510 (CISA), Republic Act No. 9160 (Anti-Money Laundering Act), and other applicable laws. (Section 5)
  • Personal information originally collected from residents of foreign jurisdictions in accordance with the laws of those foreign jurisdictions is exempt; the burden of proving the foreign jurisdiction law falls on the person or body seeking exemption, and in the absence of proof, the applicable law is presumed to be the Act and these Rules. (Section 5)
  • Exemptions do not extend to controllers or processors who remain subject to requirements of implementing security measures; exemptions apply only to the minimum extent necessary to achieve the specific purpose, function, or activity. (Section 5)

Special Protection for Journalists

  • Publishers, editors, or duly accredited reporters of any newspaper, magazine, or periodical of general circulation cannot be compelled to reveal the source of any news report or information that was related in confidence to them. (Section 7)
  • Even if publishers/editors/reporters are controllers or processors, they remain bound to follow the Act and related issuances, uphold rights of data subjects, and maintain compliance with provisions not incompatible with the protection afforded by Republic Act No. 53. (Section 7)

National Privacy Commission Mandate and Powers

  • The National Privacy Commission is an independent body mandated to administer and implement the Act and to monitor and ensure compliance with international standards for personal data protection. (Section 8)
  • The Commission promulgates rules and regulations for effective implementation of the Act, including recommending organizational, physical and technical security measures, encryption, and access standards for sensitive personal information maintained by government agencies. (Section 9)
  • The Commission specifies electronic formats and technical standards, modalities, and procedures for data portability when necessary. (Section 9)
  • The Commission issues guidelines for organizational, physical, and technical security measures, taking into account nature of data, risks, size and complexity of operations, best practices, cost of security, and recognized industry standards. (Section 9)
  • The Commission coordinates with regulatory agencies in formulating, reviewing, amending, and administering privacy codes for sectors primarily regulated by those agencies. (Section 9)
  • The Commission proposes legislation, amendments, or modifications to Philippine privacy or data protection laws when necessary. (Section 9)
  • The Commission engages in coordination and international/regional initiatives for cross-border enforcement and compatibility with other privacy regulators and private accountability agents. (Section 9)
  • The Commission adjudicates complaints and investigations; in resolving any complaint or investigation (except amicable settlement), it acts as a collegial body. (Section 9)
  • The Commission can receive complaints, investigate, summon witnesses, and require evidence through subpoena duces tecum, and it may be given access to personal data subject of a complaint. (Section 9)
  • The Commission performs compliance and monitoring, including ensuring compliance by controllers and monitoring government agencies’ security and technical measures against minimum standards. (Section 9)
  • The Commission enforces the Act through compliance or enforcement orders, cease and desist orders, temporary or permanent bans on processing detrimental to national security or public interest, recommending prosecution to the Department of Justice, compelling government/institutions to comply, and imposing administrative fines. (Section 9)
  • The Commission publishes or issues official directives and administrative issuances, including rules of procedure for its quasi-judicial functions (with suppletory application of the Rules of Court), schedule of administrative fines and penalties, and procedures for registration and notification. (Section 10)
  • The Commission reports annually to the President and Congress regarding its activities, and undertakes public information and education efforts. (Section 11)
  • Commission members, employees, and consultants must ensure confidentiality of personal data they learn or possess, and this duty remains even after term/employment/contract ends. (Section 12)

Commission Structure and Officers

  • The Commission is attached to the Department of Information and Communications Technology for policy and program coordination under Section 38(3) of Executive Order No. 292 (Administrative Code of 1987), while remaining completely independent in performing its functions. (Section 13)
  • The Commission is headed by a Privacy Commissioner who acts as Chairman; the Privacy Commissioner must be at least thirty-five (35) years of age, of good moral character, with unquestionable integrity and known probity, and a recognized expert in IT and data privacy. (Section 13)
  • The Privacy Commissioner has benefits and emoluments equivalent to the rank of Secretary. (Section 13)
  • Two Deputy Privacy Commissioners assist the Privacy Commissioner: one for Data Processing Systems and one for Policies and Planning; each must be recognized experts in IT and data privacy and receive emoluments equivalent to the rank of Undersecretary. (Section 13)
  • The Commission establishes a Secretariat headed by an Executive Director, organized into Data Security and Compliance Office, Legal and Enforcement Office, Finance and Administrative Office, Privacy Policy Office, and Public Information and Assistance Office. (Section 14)
  • The Secretariat must have, as far as practicable, a majority of members who have served at least five (5) years in government agencies involved in personal data processing, including SSS, GSIS, LTO, BIR, PhilHealth, COMELEC, DFA, DOJ, and Philpost. (Section 14)
  • The Commission may review and modify its organizational structure, including creating new divisions and units it deems necessary. (Section 14)
  • The Privacy Commissioner and Deputies are not civilly liable for acts done in good faith in lawful performance of duties, but are liable for willful or negligent acts contrary to law, morals, public policy, or good customs, even if done under orders. (Section 15)
  • If a lawful-performance lawsuit is filed, the Commission reimburses reasonable costs of litigation. (Section 15)
  • Qualified Commission employees are covered by Republic Act No. 8349 (Magna Carta for Science and Technology Personnel). (Section 16)

Data Privacy Principles

  • Processing of personal data is allowed if the Act and other laws allowing disclosure to the public are complied with, and the principles of transparency, legitimate purpose, and proportionality are followed. (Section 17–18)
  • Transparency requires that data subjects be aware of the nature, purpose, and extent of processing, risks and safeguards, controller identity, their rights, how to exercise them, and that information be easy to access and understand using clear and plain language. (Section 18)
  • Legitimate purpose requires that processing be compatible with a declared and specified purpose that must not be contrary to law, morals, or public policy. (Section 18)
  • Proportionality requires adequacy, relevance, suitability, necessity, and non-excessiveness relative to the declared and specified purpose, and that personal data be processed only if the purpose could not reasonably be fulfilled by other means. (Section 18)
  • Collection must be for a declared, specified, and legitimate purpose. (Section 19)
  • Consent must be obtained prior to collection and processing, subject to exemptions; when consent is required, it must be time-bound to the declared, specified, and legitimate purpose; consent may be withdrawn. (Section 19)
  • Data subjects must be provided specific information on purpose and extent of processing, including automated processing for profiling and processing for direct marketing, and data sharing where applicable. (Section 19)
  • Purpose must be determined and declared before, or as soon as reasonably practicable, after collection. (Section 19)
  • Only personal data necessary and compatible with the declared, specified, and legitimate purpose may be collected. (Section 19)
  • Processing must be fair and lawful and must uphold data subject rights, including the right to refuse, withdraw consent, or object, with transparency and sufficient information about the nature and extent of processing. (Section 19)
  • Information to data subjects must always be in clear and plain language. (Section 19)
  • Processing must be compatible with declared, specified, and legitimate purpose. (Section 19)
  • Processed personal data must be adequate, relevant, and limited to what is necessary for the purposes of processing. (Section 19)
  • Processing must ensure appropriate privacy and security safeguards. (Section 19)
  • Processing must ensure data quality, including accuracy and up-to-date status; inaccurate or incomplete data must be rectified, supplemented, destroyed, or restricted from further processing. (Section 19)
  • Personal data must not be retained longer than necessary. (Section 19)
  • Retention is permitted only for the fulfillment of declared, specified, and legitimate purpose (or when processing relevant to that purpose has been terminated), for establishment/exercise/defense of legal claims, or for legitimate business purposes consistent with applicable industry standards or approved by the appropriate government agency. (Section 19)
  • Personal data retention is allowed in cases provided by law. (Section 19)
  • Personal data must be disposed or discarded in a secure manner that prevents further processing, unauthorized access or disclosure, or prejudice to data subjects’ interests. (Section 19)
  • Authorized further processing requires adequate safeguards. (Section 19)
  • Personal data collected for declared, specified, or legitimate purpose may be further processed for historical, statistical, or scientific purposes, and may be stored longer in cases laid down in law, subject to organizational, physical, and technical security measures required by the Act. (Section 19)
  • Aggregated or non-identifiable personal data may be kept longer than necessary for the declared, specified, and legitimate purpose. (Section 19)
  • Personal data must not be retained in perpetuity in contemplation of a possible future use yet to be determined. (Section 19)

Data Sharing Rules

  • Further processing of personal data collected from a party other than the data subject is allowed under specified conditions. (Section 20)
  • Data sharing is allowed when expressly authorized by law, provided adequate safeguards exist and processing adheres to transparency, legitimate purpose, and proportionality. (Section 20)
  • In the private sector, data sharing requires data subject consent, even when sharing is with an affiliate or mother company, together with compliance with additional conditions. (Section 20)
  • Data sharing for commercial purposes, including direct marketing, must be covered by a data sharing agreement. (Section 20)
  • The data sharing agreement must establish adequate safeguards and uphold data subject rights, and it is subject to Commission review on its own initiative or upon complaint of the data subject. (Section 20)
  • Prior to data sharing (or prior to collection before sharing), the data subject must be informed of: controller/processor identities that will be given access; purpose; categories of personal data; intended recipients or categories; existence of data subject rights including access and correction and the right to object; and other information sufficiently notifying the nature and extent of sharing and the manner of processing. (Section 20)
  • Further processing of shared data must adhere to the data privacy principles in the Act, these Rules, and other Commission issuances. (Section 20)
  • Data sharing for research purposes is allowed when personal data is publicly available or has data subject consent, provided adequate safeguards exist and no decision directly affecting the data subject is made based on the collected/processed data, while upholding data subject rights without compromising research integrity. (Section 20)
  • Data sharing between government agencies for a public function or public service must be covered by a data sharing agreement, and each agency must comply with the Act and these Rules, including adequate safeguards. (Section 20)
  • Government agency data sharing agreements are subject to Commission review on its own initiative or upon complaint of the data subject. (Section 20)

Lawful Processing of Personal Data

  • Processing of personal information is allowed unless prohibited by law, and is lawful only when at least one enumerated condition is satisfied. (Section 21)
  • Lawful processing includes when consent is given prior to collection or as soon as practicable and reasonable. (Section 21)
  • Lawful processing includes when processing is necessary for a contractual agreement: to fulfill obligations under the contract or to take steps at the request of the data subject prior to entering the agreement. (Section 21)
  • Lawful processing includes when processing is necessary for compliance with a legal obligation of the controller. (Section 21)
  • Lawful processing includes when necessary to protect vitally important interests of the data subject (life and health). (Section 21)
  • Lawful processing includes when necessary to respond to national emergency or comply with public order and safety requirements prescribed by law. (Section 21)
  • Lawful processing includes when necessary for the fulfillment of the constitutional or statutory mandate of a public authority. (Section 21)
  • Lawful processing includes processing necessary to pursue the legitimate interests of the controller, or of a third party to whom the data is disclosed, except where such interests are overridden by the data subject’s fundamental rights and freedoms requiring protection under the Philippine Constitution. (Section 21)

Processing of Sensitive and Privileged Information

  • Processing of sensitive personal and privileged information is prohibited except in enumerated cases. (Section 22)
  • Processing is allowed when consent is given by the data subject (or by parties to the exchange of privileged information) prior to processing, which must be pursued under a declared, specified, and legitimate purpose. (Section 22)
  • Processing is allowed when provided by existing laws and regulations, provided those laws and regulations do not require the data subject’s consent and guarantee personal data protection. (Section 22)
  • Processing is allowed when necessary to protect life and health of the data subject or another person, and the data subject is not legally or physically able to express consent prior to processing. (Section 22)
  • Processing is allowed when necessary to achieve lawful and noncommercial objectives of public organizations and associations, limited to bona fide members, with sensitive personal information not transferred to third parties, and consent obtained prior to processing. (Section 22)
  • Processing is allowed for medical treatment when carried out by a medical practitioner or medical treatment institution and an adequate level of personal data protection is ensured. (Section 22)
  • Processing is allowed when sensitive personal information or privileged information is necessary to protect lawful rights and interests of natural or legal persons in court proceedings, to establish/exercise/defend legal claims, or is provided to government or public authority pursuant to constitutional or statutory mandate. (Section 22)
  • Personal information controllers may invoke privileged communication over privileged information they lawfully control or process, and evidence gathered from privileged information is inadmissible subject to existing laws and regulations. (Section 23)
  • When the Commission inquires upon a communication claimed to be privileged, the controller must prove the nature of the communication in an executive session. (Section 23)
  • If determined privileged, the communication is excluded from evidence and its contents do not form part of case records. (Section 23)
  • If the privileged communication itself is the subject of a breach, privacy concern, or investigation, it may be disclosed to the Commission to the extent necessary for investigation, without including its contents in case records. (Section 23)

Surveillance and Communication Recording

  • Section 7 of Republic Act No. 9372 (Human Security Act of 2007) is amended to require that processing of personal data for surveillance, interception, or recording of communications must comply with the Data Privacy Act, including adherence to transparency, proportionality, and legitimate purpose. (Section 24)

Security Measures for Personal Data

  • Controllers and processors must implement reasonable and appropriate organizational, physical, and technical security measures for protection of personal data. (Section 25)
  • Controllers and processors must ensure that any natural person acting under their authority and having access to personal data does not process those data except upon their instructions or as required by law. (Section 25)
  • Security measures must aim to maintain availability, integrity, and confidentiality and protect against accidental or unlawful destruction, alteration, and disclosure, and against other unlawful processing. (Section 25)
  • Security measures must protect against natural dangers such as accidental loss or destruction and against human dangers such as unlawful access, fraudulent misuse, unlawful destruction, alteration, and contamination. (Section 25)

Organizational, Physical, and Technical Security

  • Where appropriate, controllers and processors must comply with organizational security guidelines, including designation of an individual or individuals to function as data protection officer, compliance officer, or otherwise accountable for compliance with data privacy and security laws and regulations. (Section 26)
  • Controllers and processors must implement appropriate data protection policies that provide organizational, physical, and technical security measures, taking into account nature, scope, context, purposes of processing, and risks to rights and freedoms of data subjects. (Section 26)
  • Policies must implement data protection principles both at the time of determining the means of processing and at the time of processing. (Section 26)
  • Policies must implement security measures by default to ensure only necessary personal data for the specified purpose is processed, including determining amount collected, extent of processing, period of storage, and accessibility. (Section 26)
  • Policies must provide for documentation, regular review, evaluation, and updating of privacy and security policies and practices. (Section 26)
  • Controllers and processors must maintain records describing data processing systems and identifying duties and responsibilities of persons with access; records must include purpose (including future processing or data sharing), categories of data subjects/personal data/recipients, general data flow and disposal/erasure time limits, general security measures, and names and contact details of controller (and joint controller where applicable), its representative, and compliance officer or data protection officer/accountable individuals. (Section 26)
  • Controllers and processors must select and supervise employees, agents, or representatives, especially those with access to personal data; those persons must hold personal data in strict confidentiality if not intended for public disclosure, and confidentiality continues after leaving public service, transferring, or terminating employment or contractual relations. (Section 26)
  • Controllers and processors must provide privacy/security capacity building through orientation or training programs for employees/agents/representatives on privacy and security policies. (Section 26)
  • Controllers and processors must develop, implement, and review procedures for collection (including consent procedures when applicable), procedures that limit processing to the extent necessary, access management and system monitoring with protocols during security incidents/technical problems, procedures enabling data subjects to exercise rights, and a data retention schedule with timeline or conditions for erasure/disposal. (Section 26)
  • Controllers must ensure processors implement the security measures required by the Act and these Rules through appropriate contractual agreements, and must engage only processors providing sufficient guarantees to implement appropriate security measures while ensuring data subject rights. (Section 26)
  • Where appropriate, controllers and processors must implement physical security guidelines, including policies and procedures to monitor and limit access and activities in rooms/workstations/facilities; secure office/workstation design providing privacy; clear definition of duties/responsibilities/schedules to ensure only authorized individuals are in rooms/workstations when processing; and policies on transfer/removal/disposal/reuse of electronic media to protect personal data. (Section 27)
  • Controllers and processors must establish policies and procedures preventing mechanical destruction of files and equipment and must secure the room and workstation against natural disasters, power disturbances, external access, and similar threats as far as practicable. (Section 27)
  • Where appropriate, controllers and processors must adopt technical security measures, including a security policy; network safeguards; confidentiality/integrity/availability/resilience capabilities; regular monitoring and processes for reasonably foreseeable vulnerabilities with preventive/corrective/mitigating actions; ability to restore availability/access in timely manner after incidents; regular testing and evaluation of security effectiveness; and encryption of personal data during storage and in transit, authentication processes, and access-limiting technical security measures. (Section 28)
  • The Commission monitors compliance with security measures and determines the appropriate level of security by considering the nature of personal data, risks, organizational size and complexity, best practices, and cost of security implementation; security measures are subject to regular review and may be updated by the Commission through separate issuances. (Section 29)

Government Security for Sensitive Personal Information

  • Heads of government agencies and instrumentalities must ensure that sensitive personal information maintained by government is secured, as far as practicable, using the most appropriate standard recognized by the ICT industry