Title: Implementing Rules of Data Privacy Act of 2012
Law: NPC IRR of Republic Act No. 10173
Decision Date: Aug 24, 2016
The National Privacy Commission establishes comprehensive regulations to enforce the Data Privacy Act of 2012, ensuring the protection of personal data and the rights of individuals while promoting compliance with international data protection standards.

Definitions

  • Defines key terms such as Act, Commission, Consent, Data Subject, Data Processing Systems, Data Sharing, Personal Data, Sensitive Personal Information, and others.
  • Clarifies roles and concepts like Personal Information Controller and Processor, Processing, Profiling, Privileged Information, and Security Incident.
  • Distinguishes various types of personal data and the scope of consent.

Scope of Application

  • Applies to all natural and juridical persons in government and private sectors processing personal data.
  • Covers acts inside and outside the Philippines if connected to Philippine citizens or entities.
  • Includes specific conditions such as use of equipment, contracts in Philippines, business operations, or data collection in the country.

Special Cases and Exemptions

  • Exempts specific categories of information, such as government data that may lawfully be made public, data processed for journalistic purposes, personal data used for research, and data processed under certain regulatory functions.
  • Limits exemptions to minimum necessary processing.
  • Burden of proof for exemptions lies with the processor/controller.

Protection of Data Subjects and Journalists

  • Upholds data subject rights consistently even in exempted cases.
  • Provides protections for journalists and their confidential sources, but obliges compliance with the Act where not incompatible.

National Privacy Commission (NPC) Mandate and Functions

  • NPC administers and enforces the Data Privacy Act and ensures compliance with international standards.
  • Functions include rulemaking, advisory services, public education, compliance monitoring, complaints handling, enforcement, and international cooperation.
  • Authorized to issue administrative issuances, and reports annually to the President and Congress.
  • Employees are bound by confidentiality both during and after their employment.

Organizational Structure of NPC

  • Attached to the Department of Information and Communications Technology for coordination but remains independent.
  • Led by a Privacy Commissioner with two Deputies, supported by a Secretariat with specialized offices.
  • Officers must be experts and of high moral character.

Data Privacy Principles

  • Processing of personal data requires adherence to transparency, legitimate purpose, and proportionality.
  • Collection must be lawful, fair, limited to necessities, and with consent where required.
  • Data quality must be maintained; data retention limited to necessary periods.
  • Further processing must include adequate safeguards.
  • Data sharing must comply with laws and data subject consent, with agreements when required.

Lawful Processing of Personal Data

  • Processing allowed when data subject consents or when justified by contract, legal obligation, vital interests, public authority mandate, or legitimate interests balanced against data subject rights.
  • Processing of sensitive and privileged information generally requires consent, except in specific lawful circumstances such as medical treatment or court proceedings.
  • The safeguards for privileged communication extend to the admissibility of such communication as evidence and to its privacy.
  • Processing related to surveillance must conform to the Act’s principles.

Security Measures

  • Controllers and processors must implement reasonable organizational, physical, and technical measures to protect personal data.
  • Organizational measures include appointing compliance officers, establishing data protection policies, recordkeeping, managing human resources, and governing processing.
  • Physical measures regulate access to facilities, prevent unauthorized handling, and secure disposal of media.
  • Technical safeguards cover policies, network protections, monitoring, encryption, and recovery procedures.
  • NPC monitors compliance and prescribes standards.

Security in Government

  • Heads of agencies accountable for securing sensitive information using industry standards.
  • Access to sensitive data requires security clearance, limited by need and under strict conditions.
  • Off-site access is regulated and must use encryption.
  • Contractors handling large volumes of sensitive data must register with the NPC and comply with the security provisions.

Rights of Data Subjects

  • Right to be informed about processing activities and purposes.
  • Right to object to processing including marketing and profiling.
  • Right to access personal data and related processing information.
  • Right to rectification and erasure or blocking of inaccurate or unauthorized data.
  • Rights are transmissible to the data subject's heirs or assigns.
  • Right to data portability in structured electronic format.
  • Certain rights limited in contexts of scientific research and investigations.

Data Breach Notification

  • Notification to NPC and affected subjects required within 72 hours of breach discovery.
  • Content of notification must describe breach nature, affected data, and remedial actions.
  • Notification may be delayed in specific circumstances.
  • NPC may investigate breaches and enforce reporting requirements.

Outsourcing and Subcontracting

  • Subcontracting permitted with contractual safeguards ensuring confidentiality and compliance.
  • Contracts must define processing scope, data categories, and compliance obligations.
  • Processors must assist controllers in complying with data subject rights and NPC requirements.

Registration and Compliance

  • Controllers and processors handling 1,000 or more individuals’ sensitive data must register with NPC.
  • Automated processing with significant decisions requires notification.
  • NPC reviews compliance, data sharing agreements, outsourcing contracts, and government off-site access.

Accountability and Enforcement

  • Controllers responsible for data even when outsourced or transferred, domestically or internationally.
  • Designated compliance officers accountable for adherence to data protection laws.
  • Violations may lead to administrative sanctions, indemnity awards, or prosecution.

Penalties

  • Penalties for unauthorized processing and unauthorized access include imprisonment of 6 months to 7 years and fines of Php100,000 to Php5,000,000, depending on the severity of the offense.
  • Specific penalties for improper disposal, malicious or unauthorized disclosure, negligence, concealment of breaches.
  • Corporations liable through responsible officers; public officers face additional penalties including disqualification.
  • Larger scale violations involving 100 or more persons attract maximum penalties.

Miscellaneous Provisions

  • Appeals from NPC decisions follow established judicial procedures.
  • Compliance periods and extensions provided.
  • NPC budget included in General Appropriations Act.
  • Interpretation favors protection of individual rights.
  • Contains separability, repealing, and effectivity clauses ensuring validity and application.

This comprehensive outline captures all essential provisions, scope, definitions, procedural mechanisms, rights, accountability standards, security measures, breach notifications, and penalties defined in the NPC IRR of the Data Privacy Act of 2012.
