In the Philippines, privacy is a fundamental human right.
The Philippine Data Privacy Act of 2012, also known as Republic Act 10173, was created to protect this fundamental human right and make organisations accountable for the personal data individuals have entrusted to them. This Data Privacy Act applies to the processing of all types of personal information, and covers individuals and organisations involved in the processing of personal information in the Philippines.
The DPA also created the National Privacy Commission (NPC), an independent body that implements the Data Privacy Act to ensure compliance of both the public and private sector. The NPC published the Implementing Rules and Regulations (IRR) for the Philippine Data Privacy Act in 2016, as well as several Circulars, which support the DPA and adopt international standards and practices in data protection.
The Philippine Data Privacy Act is based on four General Data Privacy Principles – Transparency, Legitimate Purpose, Proportionality, and Accountability. These principles should govern the way organisations collect, use, and store personal data.
Transparency requires organisations to be clear with data subjects (the individuals whose personal information is being processed) about the purpose of collecting and processing their personal data.
Personal information controllers should also have a legitimate purpose for processing. This means that data should be processed fairly and lawfully. The purpose of data processing should fall under one of these criteria to be legitimate – to comply with a legal obligation, to perform a contract obligation, to protect the vital interest of the data subject, to protect public interest, to fulfil a legitimate business interest, or if the data subject has given his consent.
Proportionality, on the other hand, prohibits Personal Information Controllers and Processors (PICs and PIPs) from excessive collection, processing, and storage of data. Personal data must be used only according to the declared purpose.
PICs and PIPs demonstrate accountability for the data entrusted to them by implementing measures to secure the data, by retaining data only for as long as is necessary, and by governing data sharing with third parties and data transfer arrangements.
Aside from these four general principles, the Data Privacy Act also specifies eight rights of data subjects. Organisations should ensure that these rights are upheld as they collect, use, and store the personal data of their customers or employees. These rights include:
1. The right to be informed
Data subjects should be informed that their personal data will be collected, processed, and stored. Consent should be obtained when necessary.
2. The right to access
Data subjects have the right to obtain a copy of the personal information that an organisation may possess about them.
3. The right to object
Data subjects can object to processing if it is based on consent or legitimate business interest.
4. The right to erasure or blocking
Data subjects have the right to withdraw or order the removal of their personal data when their rights are violated.
5. The right to damages
Data subjects can claim compensation for damages resulting from personal data that was unlawfully obtained or used without authorisation.
6. The right to file a complaint
Data subjects can file a complaint with the National Privacy Commission if their personal data was misused.
7. The right to rectify
Data subjects have the right to correct any inaccuracy in the personal data an organisation possesses about them.
8. The right to data portability
Data subjects should be able to electronically move, copy or transfer the data an organisation holds about them, facilitating free flow of information according to the data subject’s preferences.
The NPC adopts the “Five Pillars of Data Privacy Accountability & Compliance” framework to guide organisations in implementing the DPA. The Five Pillars include:
1. Appoint a Data Protection Officer
2. Conduct a Privacy Impact Assessment
3. Create a Privacy Management Program
4. Implement Data Privacy and Security Measures
5. Regularly exercise your Breach Reporting Procedures
Furthermore, the NPC enforces a mandatory registration of the Data Processing System of organisations that meet certain criteria or fall under certain industries. The Data Processing System is the structure and procedure by which personal information is collected and processed.
To learn more on how to operationalise the Philippine DPA in your organisation, sign up for our Data Protection Officer Program course, conducted by Straits Interactive in partnership with the Asian Institute of Management.