The Data Privacy Act (RA 10173): Here’s What You Need To Know
Around 2.5 quintillion bytes of data are created daily. We now live in an age where digital data is part of our daily lives — part of our personalities and identities. Given this fact, there is a real need to change the way organizations handle data and workflows to ensure the protection of private information.
All companies handle some form of personal information — from employee to client to end-user data — so all companies are now responsible for protecting the confidentiality, preserving the integrity, and promoting the availability of data for authorized use.
What is The Data Privacy Act of the Philippines?
The Data Privacy Act (DPA), or Republic Act No. 10173, was passed by the Philippines Congress in 2012 and finally implemented five years later in 2016. RA 10173 assures the “free flow of information to promote innovation and growth” (Republic Act. No. 10173, Ch. 1, Sec. 2) while protecting the users’ fundamental rights to privacy.
How is it implemented?
RA 10173 protects and maintains the right of customers to confidentiality by setting a legal list of rules for companies to regulate the collection, handling, and disposal of all personal information.
Companies are legally responsible for keeping their customers’ data protected from third parties or any form of misuse, internally or externally.
What does that mean for data collectors/companies?
The Act applies to any processing of personal data by anyone in the government or private sectors.
All personal data must be collected for legitimate reasons, and those reasons should be clear to both the party giving and the party receiving the information. With that being said, all collection must be done with the customers’ proper consent.
All personal information used must also be relevant and used solely for its intended and stated purposes. Companies must protect customer information from collection to proper disposal, avoiding access from unauthorized parties.
What is “personal information?”
“‘Personal information’ refers to any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual” (Republic Act. No. 10173, Ch. 1, Sec. 3).
What is “sensitive personal information?”
“(1) About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;
(2) About an individual’s health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings;
(3) Issued by government agencies peculiar to an individual which includes, but not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns; and
(4) Specifically established by an executive order or an act of Congress to be kept classified.”
(Republic Act. No. 10173, Ch. 1, Sec. ).
What is “consent?”
Consent of the data subject refers to any freely given, specific, informed indication of will, whereby the data subject agrees to the collection and processing of personal information about and/or relating to him or her. Consent shall be evidenced by written, electronic or recorded means. It may also be given on behalf of the data subject by an agent specifically authorized by the data subject to do so (Republic Act. No. 10173, Ch. 1, Sec. 1).
What are the rights of the data subject?
The data subject or the individual sharing his/her personal information has to be fully informed of several factors of the data collecting process. This list includes, but isn’t limited to:
(1) the reason for use
(2) methods for access
(3) the identity and contact details of the personal information controller
(4) how long the information will be stored for
(5) access to their rights.
What steps do I need to take in compliance with the Act?
Companies essentially have to ensure that their data collection methods are flawless and consistently share the entire process with data subjects, including any breach of security, should there be one.
To do this, companies should appoint a Data Protection Officer, create privacy knowledge programs and privacy and data policies to regulate the handling of information, and conduct routine assessments to ensure quality data protection.
In addition, companies must also have a proper procedure for notifying their customers of a breach.
What happens if I do not comply?
Improper or unauthorized processing, handling or disposal of personal information can be penalized by imprisonment of up to six years and a fine of not less than Five hundred thousand pesos (PHP 500,000).
Sprout Solutions treats data privacy with the utmost priority and takes advanced measures to maintain confidentiality in information handling.
We encourage all companies to look through the Data Privacy Act and secure the safety of their own data privacy processes.
Republic Act 10173 – Data Privacy Act of 2012. (n.d.). Retrieved April 11, 2018, from https://privacy.gov.ph/data-privacy-act/#3
The Beginner’s Guide to RA 10173 (Data Privacy Act of 2012). (n.d.). Retrieved April 11, 2018, from https://amihan.net/2017/07/10/beginners_guide_to_ra_10173/
Privacy Tracker | Summary: Philippines Data Privacy Act and implementing regulations. (n.d.). Retrieved April 11, 2018, from https://iapp.org/news/a/summary-philippines-data-protection-act-and-implementing-regulations/