Key Definitions Established
- “Act” refers to Republic Act No. 10173 (Data Privacy Act of 2012). (Section 3[a])
- “Commission” refers to the National Privacy Commission. (Section 3[b])
- “Consent of the data subject” means freely given, specific, informed indication of will agreeing to collection and processing; it must be evidenced by written, electronic or recorded means and may be given by a lawful representative or agent specifically authorized. (Section 3[c])
- “Data subject” refers to an individual whose personal, sensitive personal, or privileged information is processed. (Section 3[d])
- “Data processing systems” refer to the structure and procedure by which personal data is collected and further processed in an information and communications system or relevant filing system, including purpose and intended output. (Section 3[e])
- “Data sharing” means disclosure or transfer to a third party of personal data under custody of a personal information controller or processor, where such disclosure by the processor must be upon the controller’s instructions; it excludes outsourcing and excludes disclosure/transfer by a controller to a processor. (Section 3[f])
- “Personal data breach” means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed. (Section 3[i])
- “Personal information” is any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or which, when put together with other information, would directly and certainly identify an individual. (Section 3[h])
- “Personal information controller” controls processing or instructs another to process on its behalf, excluding (a) persons who perform functions as instructed by another person or organization, and (b) natural persons processing personal data in connection with personal, family, or household affairs; control exists if the person decides what information is collected or the purpose/extent of processing. (Section 3[j])
- “Personal information processor” means a person/body to whom a controller may outsource or instruct processing. (Section 3[k])
- “Processing” includes collection, recording, organization, storage, updating/modification, retrieval, consultation, use, consolidation, blocking, erasure, or destruction, automated or manual, if the personal data are contained or intended to be contained in a filing system. (Section 3[l])
- “Profiling” is automated processing using personal data to evaluate personal aspects of a natural person, including performance at work, economic situation, health, preferences/interests, reliability, behavior, location, or movements. (Section 3[m])
- “Privileged information” means data that under the Rules of Court and other laws constitute privileged communication. (Section 3[n])
- “Public authority” refers to government entity created by Constitution or law, vested with law enforcement or regulatory authority and functions. (Section 3[o])
- “Security incident” means an event affecting or tending to affect data protection or compromising availability, integrity, and confidentiality; it includes incidents that would result in a personal data breach if not for safeguards. (Section 3[p])
- “Sensitive personal information” covers personal information about:
- race, ethnic origin, marital status, age, color, and religious/philosophical/political affiliations;
- health, education, genetic or sexual life, or proceedings for any offense committed or alleged, disposal/sentence;
- issued by government agencies peculiar to an individual, including social security numbers, previous/current health records, licenses (or denials, suspension, revocation), and tax returns;
- information specifically established by executive order or act of Congress to be kept classified. (Section 3[q])
Data Privacy Principles and Sharing Rules
- Processing of personal data is allowed subject to compliance with the requirements of the Act and other laws allowing disclosure of information to the public, and adherence to the principles of transparency, legitimate purpose, and proportionality. (Section 17)
- Processing must comply with transparency, legitimate purpose, and proportionality:
- Transparency: the data subject must be aware of nature, purpose, extent of processing, risks and safeguards, identity of controller, data subject rights, and how they can be exercised, using easy-to-access clear/plain language. (Section 18)
- Legitimate purpose: processing must be compatible with a declared and specified purpose not contrary to law, morals, or public policy. (Section 18)
- Proportionality: processing must be adequate, relevant, suitable, necessary, and not excessive relative to the declared and specified purpose; processing is allowed only if purpose cannot reasonably be fulfilled by other means. (Section 18)
- Processing must follow general principles in collection, processing, and retention, including:
- collection must be for a declared, specified, and legitimate purpose; (Section 19)
- consent is required prior to collection and processing, subject to exemptions; consent must be time-bound to the declared, specified purpose and may be withdrawn; (Section 19)
- the data subject must be provided specific information on purpose and extent, including automated processing for profiling, direct marketing, and data sharing where applicable; (Section 19)
- purpose must be determined and declared before or as soon as reasonably practicable after collection; (Section 19)
- only personal data necessary and compatible with the declared purpose may be collected; (Section 19)
- processing must be fair and lawful and must uphold rights including refusal, withdrawal, or objection, and must be transparent; (Section 19)
- information must always be clear and plain language; (Section 19)
- processing must be adequate, relevant, limited to what is necessary, and must ensure privacy and security safeguards; (Section 19)
- data quality must be ensured: keep accurate and up to date where necessary; rectify/supplement/destroy or restrict further processing for inaccurate or incomplete data; (Section 19)
- retention must not be longer than necessary, and retention limits apply only for specified purposes including fulfillment of declared purpose, establishment/exercise/defense of legal claims, and legitimate business purposes consistent with industry standards or approved by appropriate government agency; (Section 19)
- disposal must be secure to prevent further processing, unauthorized access/disclosure, or prejudice to data subjects; (Section 19)
- authorized further processing requires adequate safeguards; (Section 19)
- personal data collected for declared purpose may be processed further for historical/statistical/scientific purposes and may be stored longer in cases laid down in law subject to security measures required by the Act; and aggregated personal data may be kept longer so long as it does not permit identification; (Section 19)
- personal data must not be retained in perpetuity for possible future use yet to be determined. (Section 19)
- Further processing for data sharing and onward processing is allowed under defined conditions:
- data sharing is allowed when expressly authorized by law, with adequate safeguards and compliance with transparency, legitimate purpose, and proportionality; (Section 20)
- data sharing is allowed in the private sector if the data subject consents to it; consent is required even when the data is shared with an affiliate, mother company, or similar related entity, and data sharing for commercial purposes, including direct marketing, must be covered by a data sharing agreement; (Section 20)
- the data sharing agreement must establish adequate safeguards and uphold rights of data subjects, and is subject to review by the Commission on its own initiative or upon complaint; (Section 20)
- the data subject must be provided prior to collection or before sharing: identity of controllers/processors given access, purpose, categories, intended recipients/categories, existence of rights (access/correction/object), and other information notifying nature/extent and manner of processing; (Section 20)
- further processing of shared data must adhere to data privacy principles and Commission issuances; (Section 20)
- data sharing for research is allowed when personal data is publicly available or the data subject consent is obtained for research, with adequate safeguards and with no decision directly affecting the data subject based solely on the collected/processed data, while upholding data subject rights without compromising research integrity; (Section 20)
- data sharing between government agencies for public function or provision of public service must be covered by a data sharing agreement, with compliance and safeguards, and subject to Commission review on its own initiative or upon complaint. (Section 20)
Lawful Processing Conditions and Sensitive Data
- Processing of personal information is allowed unless prohibited by law; for processing to be lawful, at least one of the following conditions must be met:
- the data subject gives consent prior to collection or as soon as practicable and reasonable; (Section 21)
- processing is needed for contractual agreements to fulfill obligations or take steps at the data subject’s request prior to entering the agreement; (Section 21)
- processing is necessary for compliance with a legal obligation of the controller; (Section 21)
- processing is necessary to protect vitally important interests of the data subject, including life and health; (Section 21)
- processing is necessary to respond to national emergency or comply with requirements of public order and safety as prescribed by law; (Section 21)
- processing is necessary for fulfillment of constitutional or statutory mandate of a public authority; (Section 21)
- processing is necessary to pursue legitimate interests of the controller or a third party to whom data is disclosed, except where overridden by fundamental rights and freedoms of the data subject requiring protection under the Philippine Constitution. (Section 21)
- Processing of sensitive personal information and privileged information is prohibited except under enumerated cases:
- the data subject (or parties to the exchange of privileged information) gives prior consent, for a declared, specified, legitimate purpose; (Section 22)
- processing is provided for by existing laws and regulations, provided those laws/regulations do not require data subject consent and guarantee protection of personal data; (Section 22)
- processing is necessary to protect life and health where data subject is not legally or physically able to express consent; (Section 22)
- processing is necessary for lawful and noncommercial objectives of public organizations/associations if confined to bona fide members, not transferred to third parties, and consent was obtained prior to processing; (Section 22)
- processing is necessary for medical treatment by a medical practitioner or medical treatment institution with adequate protection of personal data ensured; (Section 22)
- processing concerns sensitive personal information or privileged information necessary to protect lawful rights/interests of natural or legal persons in court proceedings, to establish/exercise/defend legal claims, or when provided to government or public authority under constitutional or statutory mandate. (Section 22)
- Personal information controllers may invoke privileged communication over privileged information they lawfully control or process; evidence gathered from privileged information is inadmissible subject to existing laws and regulations. (Section 23)
- If the Commission inquires into communication claimed to be privileged, the controller must prove the nature in an executive session; if privileged, it is excluded from evidence and its contents are not part of the records. (Section 23)
- Privileged communication may be disclosed to the Commission to the extent necessary if the privileged communication itself is the subject of a breach, privacy concern, or investigation, without including contents in the records. (Section 23)
- Processing personal data for surveillance, interception, or recording of communications must comply with the Data Privacy Act, including adherence to transparency, proportionality, and legitimate purpose. (Section 24)
Security Measures and Organizational Controls
- Personal information controllers and processors must implement reasonable and appropriate organizational, physical, and technical security measures to protect personal data. (Section 25)
- Controllers and processors must ensure that any natural person acting under their authority with access to personal data does not process it except upon their instructions or as required by law. (Section 25)
- Security measures must maintain availability, integrity, and confidentiality, protecting against accidental or unlawful destruction, alteration, disclosure, and other unlawful processing, including natural dangers (accidental loss/destruction) and human dangers (unlawful access, fraudulent misuse, unlawful destruction, alteration, contamination). (Section 25)
- Organizational security measures require, where appropriate:
- designation of a data protection officer/compliance officer or equivalent accountable individual(s); (Section 26)
- implementation of data protection policies accounting for nature, scope, context, purposes, and risks to rights and freedoms; (Section 26)
- policies implement data protection principles both in determining the means of processing and during processing itself; (Section 26)
- policies must implement default measures ensuring only necessary data is processed, and must determine amount collected, processing extent, storage period, and accessibility; (Section 26)
- policies must provide for documentation, regular review/evaluation, and updating of privacy and security policies and practices; (Section 26)
- maintaining records of processing activities describing the data processing system and identifying duties/responsibilities of those with access, including purpose and intended future processing/sharing, categories of data subjects/data/recipients, data flow and disposal/erasure time limits, general security measures, and controller contact details and, where applicable, joint controller representative and accountable compliance officer/DPO; (Section 26)
- responsible selection and supervision of employees/agents/representatives with access, who must hold personal data under strict confidentiality if not intended for public disclosure, continuing after leaving service/ending contractual relations, with training/orientation programs; (Section 26)
- development/implementation/review of procedures covering personal data collection and consent (when applicable), limiting processing to necessary extent, access management/system monitoring and incident protocols, procedures for data subject rights, and data retention schedule including conditions for erasure or disposal; (Section 26)
- contractual agreements with personal information processors requiring processors to implement required security measures, engaging only processors providing sufficient guarantees, and ensuring protection of data subject rights. (Section 26)
- Physical security measures require, where appropriate:
- policies and procedures to monitor and limit access and activities in rooms/workstations/facilities, including proper use and access to electronic media; (Section 27)
- workstation/office design providing privacy considering environment and accessibility to the public; (Section 27)
- clearly defined duties/responsibilities/schedules so only individuals performing official duties are in room/workstation at any given time; (Section 27)
- policies and procedures for transfer/removal/disposal/reuse of electronic media; (Section 27)
- preventing mechanical destruction of files/equipment, and securing rooms/workstations against natural disasters, power disturbances, external access, and similar threats as far as practicable. (Section 27)
- Technical security measures require, where appropriate:
- a security policy; (Section 28)
- safeguards to protect networks against accidental, unlawful, unauthorized usage, interference affecting integrity/availability, and unauthorized access through electronic networks; (Section 28)
- ability to ensure/maintain confidentiality, integrity, availability, and resilience of systems/services; (Section 28)
- regular monitoring for security breaches; vulnerability identification and preventive/corrective/mitigating action for reasonably foreseeable vulnerabilities and incidents leading to personal data breach; (Section 28)
- ability to restore availability and access to personal data timely after physical or technical incident; (Section 28)
- process for regular testing, assessing, and evaluating effectiveness of security measures; (Section 28)
- encryption of personal data during storage and while in transit, authentication processes, and technical security measures controlling and limiting access. (Section 28)
- The Commission monitors compliance with security measures and determines appropriate level of security using factors including nature of personal data, risks, organization size/complexity, best practices, and cost of security implementation; security measures are subject to regular review and evaluation and may be updated by the Commission in separate issuances. (Section 29)
Government Sensitive Data Security
- Sensitive personal information maintained by government agencies and instrumentalities must be secured, as far as practicable, using the most appropriate standard recognized by the information and communications technology industry, subject to Rules and Commission issuances, and the head of the agency is responsible for compliance. (Section 30)
- The Commission monitors government compliance and may recommend actions to meet minimum standards. (Section 30)
- No government employee may have access to sensitive personal information on government property or through online facilities unless the employee has received a security clearance from the head of the source agency (the agency that originally collected the data). (Section 31)
- A source agency must strictly regulate access to sensitive personal information, especially when online access is allowed, and must only grant security clearance when official functions or provision of a public service directly depends on access and cannot otherwise be performed. (Section 31)
- Where online access is allowed, conditions apply:
- an information technology governance framework is designed and implemented; (Section 31)
- sufficient organizational/physical/technical security measures exist; (Section 31)
- the agency can protect sensitive personal information consistent with data privacy practices and industry-recognized standards; (Section 31)
- the employee is granted online access only to sensitive personal information necessary for official functions or public service provision. (Section 31)
- Sensitive personal information may not be transported or accessed off or outside government property unless the head of agency has ensured implementation of privacy policies and appropriate security measures; the agency head must approve the request, which must include proper accountability mechanisms. (Section 31)
- The head of agency must approve or disapprove an off-site access request within two (2) business days; failure to act within that period results in disapproval. (Section 31)
- Approved off-site access must be limited to not more than one thousand (1,000) records at a time. (Section 31)
- Technologies used to store, transport, or access sensitive personal information for approved off-site access must use the most secure encryption standard recognized by the Commission. (Section 31)
- The security requirements in the preceding sections must be implemented before any off-site or online access request is approved. (Section 32)
- Any data sharing agreement between a source agency and another government agency is subject to Commission review on its own initiative or upon complaint of data subject. (Section 32)
- When contracting with a private service provider that may involve accessing or requiring sensitive personal information from one thousand (1,000) or more individuals, a government agency must require the provider and its employees to register their personal data processing system with the Commission under the Act and Rules, and the provider as personal information processor must comply with the Rules, including the government security provisions applicable to agencies and employees. (Section 33)
Rights of the Data Subject
- The data subject has the right to be informed whether personal data pertaining to them shall be, are being, or have been processed, including existence of automated decision-making and profiling. (Section 34)
- The data subject must be notified and furnished specified information before personal data enters the processing system, or at the next practical opportunity, including:
- description of personal data;
- purposes of processing, including direct marketing, profiling, or historical/statistical/scientific purpose;
- basis of processing when not based on consent;
- scope and method of processing;
- recipients or classes of recipients to whom personal data are or may be disclosed;
- methods utilized for automated access, where allowed by the data subject, and the extent to which such access is authorized, including meaningful information about the logic involved and the significance and envisaged consequences of such processing for the data subject;
- identity and contact details of the controller or representative;
- period of storage; and
- existence of data subject rights including right to access, correction, object, and right to lodge a complaint before the Commission. (Section 34)
- The data subject has a right to object to processing including for direct marketing, automated processing, or profiling. (Section 34)
- Upon objection or withholding consent, the personal information controller must stop processing unless the processing is needed pursuant to a subpoena or is for obvious purposes including when necessary for performance of or in relation to a contract or service to which the data subject is a party, or when necessary or desirable in the context of an employer-employ… (Section 34)