Businesses, in the course of delivering their goods and services, may need to collect, process, store, and transmit personal information, such as employee or buyer details. If your organization receives, stores, or otherwise processes personal information, the data should be secured in compliance with the standards set forth in the Data Privacy Act. Failure to do so may result in penalties such as fines or even imprisonment for responsible company officers.
That said, data security should be every company’s priority. But where exactly do companies stand when it comes to data privacy?
According to the United Nations Conference on Trade and Development, 71% of countries have data privacy laws in place. This includes the Philippines, which enacted RA 10173 or the Data Privacy Act (DPA) in 2012.
What is the Data Privacy Act?
The individual’s right to privacy is enshrined in the Constitution, particularly Article III, Section 3, as well as in the Civil Code, particularly Article 26, and reinforced in landmark cases, most notably the case of Ople vs. Torres and recently, Disini vs. Secretary of Justice. The Data Privacy Act (Republic Act No. 10173), in conjunction with the E-Commerce Law and the Cybercrime Prevention Act (Republic Act No. 10175) collectively brings the Philippines into the 21st century and squarely into the realm of digital transactions.
The DPA, its implementing rules and regulations, and various circulars issued by the National Privacy Commission provides a framework that governs the collection, recording, storage, retrieval, and other forms of processing of personal information. The DPA also created the National Privacy Commission, a quasi-judicial and quasi-legislative body with original jurisdiction on violations of the DPA.
When does the DPA apply?
In general, the DPA applies whenever an individual, company, or government agency collects, uses, stores, or processes personal information. Subject to exceptions provided for in law, the general rule is that the DPA covers any entity that processes personal information.
Key Definitions in the DPA
A very important aspect of the DPA is its definition of personal information (PI) and sensitive personal information (SPI).
PI refers to information from which the individual identity is apparent or can be reasonably ascertained.
Meanwhile, SPI is explicitly enumerated as follows:
- Information about an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliation;
- Information about an individual’s health, education, genetic, or sexual life;
- Information issued by government agencies such as social security numbers, health records, licenses or denials, suspensions, revocations, and tax returns;
- Any information specifically established by an Executive Order or an act of Congress to be kept classified.
Lawful Processing of Information
The overarching theme of processing PI or SPI is primarily consent of the data subject. Organizations may process PI whenever it is necessary to fulfill a contract or a legal obligation, or necessary to protect the interests of the data subject such as health and safety, or in cases of national emergencies. An example would be using contact tracing forms because of the ongoing COVID-19 pandemic, and other legitimate interests.
On the other hand, SPI may be processed in more limited situations such as for organizations and associations with respect to their members and with consent, in the pursuit of law enforcement activities. For example, it is applicable when it is necessary to protect the life and health of a person where the data subject is unable to provide physical or legal consent, and in cases of medical treatments.
How Can You Comply with the Data Privacy Act?
The National Privacy Commission promulgated a compliance framework called the Five Pillars. These are:
- Appoint a Data Privacy Officer
- Conduct a Privacy Impact Assessment (PIA)
- Create a Privacy Management Program (PMP)
- Implement Data Privacy and Information Security Measures
- Be ready in case of data breach
What Happens to Violators of RA 10173?
Penalties for violations of the DPA may be imprisonment from one year up to seven years, as well as fines ranging from PHP 500,000 up to PHP 5,000,000.
Keep Personal Data Secure at All Times
The Data Privacy Act upholds a person’s right to privacy. Do your part in protecting that privacy by keeping customer and client data secure from unauthorized access.
Looking for more updates on employment laws and rights? Get the latest HR and employment news from our blog today.