Data Privacy Act

The document provides an overview of the Data Privacy Act of 2012 in the Philippines. It discusses (1) what the law covers in terms of regulating the collection and processing of personal data, (2) possible sanctions for violations which include fines and imprisonment, (3) who is affected by the law including both government and private sector entities that process data, and (4) the importance of the law in safeguarding privacy while enabling innovation.

Uploaded by

markbagz

INSTRUCTIONAL MATERIAL:

DATA PRIVACY INTERVIEW

1. What is the Data Privacy Act of 2012? 

…is a 21st century law to address 21st century crimes and concerns. It (1)
protects the privacy of individuals while ensuring free flow of information to
promote innovation and growth; (2) regulates the collection, recording,
organization, storage, updating or modification, retrieval, consultation, use,
consolidation, blocking, erasure or destruction of personal data; and (3) ensures
that the Philippines complies with international standards set for data protection
through the National Privacy Commission (NPC).

RA 10173 AN ACT PROTECTING INDIVIDUAL PERSONAL INFORMATION IN
INFORMATION AND COMMUNICATIONS SYSTEMS IN THE GOVERNMENT
AND THE PRIVATE SECTOR, CREATING FOR THIS PURPOSE A NATIONAL
PRIVACY COMMISSION, AND FOR OTHER PURPOSES

IRR issued by the National Privacy Commission on August 24, 2016

Data Protection Day is an international event celebrated every January 28, the
date on which the Council of Europe’s data protection convention, known as
“Convention 108”, was opened for signature in 2006.

The rights of data subjects when it comes to personal data processing include
the right to be informed, the right to object, the right to access, the right to
correct, the right to erasure or blocking and the right to damages.

2. What are the possible sanctions? 

6 months up to 6 years of imprisonment and a fine of 100k up to 5m.

Rule XIII. Penalties

52. Unauthorized Processing of Personal Information and Sensitive
Personal Information
53. Accessing Personal Information and Sensitive Personal
Information Due to Negligence
54. Improper Disposal of Personal Information and Sensitive
Personal Information
55. Processing of Personal Information and Sensitive Personal
Information for Unauthorized Purposes
56. Unauthorized Access or Intentional Breach
57. Concealment of Security Breaches Involving Sensitive
Personal Information
58. Malicious Disclosure
59. Unauthorized Disclosure
60. Combination or Series of Acts
61. Extent of Liability
62. Large-Scale
63. Offense Committed by Public Officer
64. Restitution
65. Fines and Penalties

3. Cases for privacy and data protection:

a. What are the different kinds of data intrusion techniques that
hackers use, and what software do they use?

- Boiler rooms, credit cards

4. What is the importance and impact of this law to end users? 

IRR, Section 2. Policy. These Rules further enforce the Data Privacy Act and
adopt generally accepted international principles and standards for personal
data protection. They safeguard the fundamental human right of every individual
to privacy while ensuring free flow of information for innovation, growth, and
national development. These Rules also recognize the vital role of information
and communications technology in nation-building and enforce the State’s
inherent obligation to ensure that personal data in information and
communications systems in the government and in the private sector are
secured and protected. 

5. Who are affected by this law? 

SEC. 4. Scope. – This Act applies to the processing of all types of personal
information and to any natural and juridical person involved in personal
information processing including those personal information controllers
and processors who, although not found or established in the Philippines,
use equipment that are located in the Philippines, or those who maintain
an office, branch or agency in the Philippines subject to the immediately
succeeding paragraph: Provided, That the requirements of Section 5 are
complied with.

Rule II. Scope of Application

4. Scope
5. Special Cases
6. Protection afforded to data subjects
7. Protection afforded to journalists and their sources

Rule II. Scope of Application

Section 4. Scope. The Act and these Rules apply to the processing of
personal data by any natural and juridical person in the government or
private sector. They apply to an act done or practice engaged in and
outside of the Philippines if:
a. The natural or juridical person involved in the processing of
personal data is found or established in the Philippines;

b. The act, practice or processing relates to personal data about a
Philippine citizen or Philippine resident;

c. The processing of personal data is being done in the Philippines;
or

d. The act, practice or processing of personal data is done or
engaged in by an entity with links to the Philippines, with due
consideration to international law and comity, such as, but not limited to,
the following:

1. Use of equipment located in the country, or maintains an office,
branch or agency in the Philippines for processing of personal data;

2. A contract is entered in the Philippines;

3. A juridical entity unincorporated in the Philippines but has central
management and control in the country;

4. An entity that has a branch, agency, office or subsidiary in the
Philippines and the parent or affiliate of the Philippine entity has access to
personal data;

5. An entity that carries on business in the Philippines;

6. An entity that collects or holds personal data in the Philippines.

Section 5. Special Cases. The Act and these Rules shall not apply to the
following specified information, only to the minimum extent of collection,
access, use, disclosure or other processing necessary to the purpose,
function, or activity concerned:
a. Information processed for purpose of allowing public access to
information that fall within matters of public concern, pertaining to:

1. Information about any individual who is or was an officer or
employee of government that relates to his or her position or functions,
including:

(a) The fact that the individual is or was an officer or employee of the
government;

(b) The title, office address, and office telephone number of the
individual;

(c) The classification, salary range, and responsibilities of the position
held by the individual; and

(d) The name of the individual on a document he or she prepared in
the course of his or her employment with the government;

2. Information about an individual who is or was performing a
service under contract for a government institution, but only in so far as it
relates to such service, including the name of the individual and the
terms of his or her contract;

3. Information relating to a benefit of a financial nature conferred on
an individual upon the discretion of the government, such as the granting
of a license or permit, including the name of the individual and the exact
nature of the benefit: Provided, that they do not include benefits given in
the course of an ordinary transaction or as a matter of right;

b. Personal information processed for journalistic, artistic or literary
purpose, in order to uphold freedom of speech, of expression, or of the
press, subject to requirements of other applicable law or regulations;

c. Personal information that will be processed for research purpose,
intended for a public benefit, subject to the requirements of applicable
laws, regulations, or ethical standards;

d. Information necessary in order to carry out the functions of public
authority, in accordance with a constitutionally or statutorily mandated
function pertaining to law enforcement or regulatory function, including
the performance of the functions of the independent, central monetary
authority, subject to restrictions provided by law. Nothing in this Act shall
be construed as having amended or repealed Republic Act No. 1405,
otherwise known as the Secrecy of Bank Deposits Act; Republic Act No.
6426, otherwise known as the Foreign Currency Deposit Act; and Republic
Act No. 9510, otherwise known as the Credit Information System Act
(CISA);

e. Information necessary for banks, other financial institutions under
the jurisdiction of the independent, central monetary authority or Bangko
Sentral ng Pilipinas, and other bodies authorized by law, to the extent
necessary to comply with Republic Act No. 9510 (CISA), Republic Act No.
9160, as amended, otherwise known as the Anti-Money Laundering Act,
and other applicable laws;

f. Personal information originally collected from residents of
foreign jurisdictions in accordance with the laws of those foreign
jurisdictions, including any applicable data privacy laws, which is being
processed in the Philippines. The burden of proving the law of the foreign
jurisdiction falls on the person or body seeking exemption. In the absence
of proof, the applicable law shall be presumed to be the Act and these
Rules:

Provided, that the non-applicability of the Act or these Rules do not
extend to personal information controllers or personal information
processors, who remain subject to the requirements of implementing
security measures for personal data protection: Provided further, that the
processing of the information provided in the preceding paragraphs shall
be exempted from the requirements of the Act only to the minimum
extent necessary to achieve the specific purpose, function, or activity.

Section 6. Protection afforded to Data Subjects.

a. Unless directly incompatible or inconsistent with the preceding
sections in relation to the purpose, function, or activities the
non-applicability concerns, the personal information controller or personal
information processor shall uphold the rights of data subjects, and adhere
to general data privacy principles and the requirements of lawful
processing.

b. The burden of proving that the Act and these Rules are not
applicable to a particular information falls on those involved in the
processing of personal data or the party claiming the non-applicability.

c. In all cases, the determination of any exemption shall be liberally
interpreted in favor of the rights and interests of the data subject.

Section 7. Protection Afforded to Journalists and their Sources.

a. Publishers, editors, or duly accredited reporters of any newspaper,
magazine or periodical of general circulation shall not be compelled to
reveal the source of any news report or information appearing in said
publication if it was related in any confidence to such publisher, editor, or
reporter.

b. Publishers, editors, or duly accredited reporters who are likewise
personal information controllers or personal information processors within
the meaning of the law are still bound to follow the Data Privacy Act and
related issuances with regard to the processing of personal data,
upholding rights of their data subjects and maintaining compliance with
other provisions that are not incompatible with the protection provided by
Republic Act No. 53.

a. Which end users most often become victims of data or
information theft?

b. Why are they the ones who are often victimized?

6. What is the first thing victimized end users should do when they
learn that their data has been stolen? Where to go? Who to call?

National Privacy Commission 82342288; info@privacy.gov.ph
5th flr., Delegation Building, PICC Complex, Roxas Boulevard, Manila

a. What are immediate steps to report that you have been hacked?
(Given that most security protocols of websites do not take
immediate actions due to the number of requests and queries)
 
Who may complain?

Under Section 3, the following can file a complaint:

1. The National Privacy Commission (NPC), on its own initiative;
2. Those who have suffered a data privacy violation or personal data breach;
and
3. Persons who are personally affected by a violation of the Data Privacy Act
of 2012 (Republic Act No. 10173).

Persons who are the subject of the data privacy violation or personal data
breach may appoint a duly authorized representative to prosecute the
complaint on their behalf.

Those who are not personally affected by a data privacy violation or
personal data breach may: (a) request for an advisory opinion on data
protection matters; or (b) inform the NPC of a data protection concern.

The NPC may monitor the subject organization or take such further action
as may be necessary.

Those who wish to file a complaint must comply with the rule of
exhaustion of remedies. This rule means that in filing the complaint, a
complainant must be able to show that there was an opportunity offered
in good faith to have the respondent comply with any legal obligations
involving data protection and privacy.

How to file a complaint?

Formal complaints are made by filing a complaint-affidavit, together with
copies of any evidence and affidavits of any witnesses at any NPC office.

Complaints can also be made by electronic filing, by: (a) attaching these
documents in a specific e-mail sent to complaints@privacy.gov.ph; or (b)
submitting a portable electronic data storage device to any NPC office.
Electronic documents must be digitally signed and in .PDF format (if
practicable), on page sizes compliant with the Efficient Use of Paper Rule.
If submitted in this digital format, the NPC may charge fees for printing.

If submitting through a portable electronic data storage device, similar
portable data storage devices containing the same files must also be
given to any opposing party so named. One portable data storage device
is equivalent to one copy.

If the portable data storage device is infected with malware, the
documents will not be considered as having been filed.

How does the NPC deal with complaints?

Once a complaint has been filed, an investigating officer will conduct the
proceedings. The investigating officer shall evaluate the complaint to
determine whether its allegations involve a violation of the Data Privacy
Act or related issuances and if based on its allegations, there is reason to
believe that there is a privacy violation or personal data breach.

The investigating officer shall then recommend to the Commission
whether the complaint shall be: (a) dismissed outright for want of palpable
merit; (b) referred to the respondent for comment and/or subject to
discovery proceedings; (c) subject to further monitoring or investigation;
(d) treated as a request for an advisory opinion; or (e) indorsed to the
proper government agency with jurisdiction over the complaint.

The Commission may dismiss outright any complaint on the following
grounds:

1. The complainant did not give the respondent an opportunity to address
the complaint, unless failure to do so is justified;
2. The complaint is not a violation of the Data Privacy Act or does not involve
a privacy violation or personal data breach;
3. The complaint is filed beyond the period for filing; or
4. There is insufficient information to substantiate the allegations in the
complaint or the parties cannot be identified or traced.

How long does it take the NPC to act on a complaint?

If the subject of the complaint is a data breach that the private
information controller must report to the NPC, the NPC may already be
acting on the matter before you even file the complaint.

From the time complaints are received, the Complaints and Investigation
Division, through its Investigating Officers, shall conduct initial evaluations
on complaints so received within a reasonable time. Feedback may be
expected within a few working days.

From here, the entire process, up to final adjudication, should take four to
six months.

If there is a request to have the NPC issue a temporary stop processing
order so as to enjoin the processing of any data, the NPC may issue an
Order, after due hearing and the payment of the proper bond. This
process can happen from one to two weeks after the filing of this request.

What happens when my complaint is upheld?

If your complaint is upheld, the case records will be brought to the
Enforcement Division of the Legal and Enforcement Office, NPC for the
enforcement of civil damages, fines, and other administrative sanctions,
when appropriate.

If the NPC decides that the filing of criminal charges is warranted against
certain individuals following the filing and processing of a complaint, the
NPC will forward the case record to the Department of Justice and
recommend their prosecution.

What happens when my complaint is dismissed?

If your complaint is dismissed, and it involves a violation of any other
cybercrime law, the NPC will forward your complaint to the appropriate
law enforcement agency.

If the complaint is not upheld for lack of jurisdiction, and jurisdiction
properly belongs to the dispute settlement mechanism of another
government agency, the NPC will indorse your complaint to that agency
for the conduct of further proceedings.

If the complaint is dismissed for lack of merit, you may file a Motion for
Reconsideration. Please state the grounds for the mistakes of fact or law
that may be present in the NPC’s decision.

In any event, any Decision made on a complaint may be appealed by any
aggrieved party by way of appeal to the Court of Appeals, within the
proper period.

File a report at NPC

7. Why is it that until now there are still a lot of hackers? 

8. How is the Data Privacy Act of 2012 effective and ineffective in the
Philippines, since we are still catching up with the world's scientific and
technological advancements, unlike many other developed countries?

When you share or post online, store or transmit data, make sure it is protected
by encryption measures. Jollibee and Wendy's: reported commission-driven
violations. The NPC investigated. Both online delivery platforms were found
unsecured, so they stopped for a time.

The nationwide survey conducted by the Social Weather Stations (SWS) in June
2017 showed that 94% of Filipino adults wanted to know more about how the
personal data they provided during transactions will be used, while 85% of
Filipinos agreed that the rights of data subjects are important.

Depicting a growing awareness among ordinary Filipinos on the
importance of ensuring the privacy of their data, data subjects began
sharing their thoughts on the matter in a social media post by the
National Privacy Commission (NPC) marking the 14th annual celebration
of Data Protection Day.

In a series of Facebook posts themed, “Ano ang kwentong data privacy
mo?” (have you a data privacy anecdote?), the NPC featured testimonials
from privacy advocates and professionals, encouraging page followers to
chime in and even engage in a light, informative debate.

Serving as conversation starters, elicited testimonials tackled concepts
related to safeguarding data, enabling trust, and respect for other
people’s privacy in cyberspace.

Some said that with the implementation of Data Privacy Act of 2012, they
became aware and assertive of their rights as data subjects. Others,
meantime, shared annoying experiences with how certain personal
information controllers allegedly handled their data. One commenter said
he became more “conscious and cautious” when sharing personal
information, even making it a habit to read privacy notices and policies
before agreeing to anything. On the topic of respecting other people’s
data, a commenter even expressed concern that the NPC had better
secured consent for the testimonials before making them public — to
which another commenter responded by explaining the basic concept of
having control over one’s personal data.

Data Protection Day is an international event celebrated every January 28,
the date on which the Council of Europe’s data protection convention,
known as “Convention 108”, was opened for signature in 2006.

Join the NPC in celebrating the #DataProtectionDay by sharing your
thoughts on its Facebook page with the hashtag #AkoAngDataKo.

https://www.privacy.gov.ph/2020/01/npc-marks-data-protection-day-2020/

1st National Data Privacy Conference, the flagship event is set on May 28 –
29, at the Philippine International Convention Center in Pasay City.

With this year’s theme focused on “Protecting the Filipino’s Right to
Data Privacy”, the NPC spearheads the weeklong festivities with a 2-day
summit of data protection officers (DPOs) from various sectors all over the
country. Dubbed as the 1st National Data Privacy Conference, the
flagship event is set on May 28 – 29, at the Philippine International
Convention Center in Pasay City.

Around 2,000 DPOs are expected to join the event, comprising of
delegates from the academe, civil society, top corporations and the
government.

During the conference, the NPC will also launch a year-long social
awareness campaign focusing on responsible digital citizenship among
Filipinos. Called the “Privacy, Safety, Security and Trust (PSST!)
Online” or PSST!, the campaign is aimed at arming Filipinos with the
information and self-help tools they can use to protect themselves and
their loved-ones from the dangers arising from the careless handling of
their own personal data when using online applications and services on
their mobile and desktop devices.

Personal Information Controllers (PICs) and Personal Information
Processors (PIPs) or organizations processing personal data, are also
expected to get into the PAW festivities in their own way, and celebrate
data subject empowerment in a manner that would be meaningful to their
customers, members and employees.

The Privacy Awareness Week or PAW is an annual international effort to draw
public attention towards privacy issues and the importance of protecting
personal information. It is held across territories of the members of the Asia Pacific
Privacy Authorities (APPA) Forum, which include Australia, British Columbia,
Canada, Colombia, Hong Kong, Japan, Republic of Korea, Macao, Mexico, New
South Wales, New Zealand, Peru, Queensland, Singapore, FCC – United States,
FTC – United States, Northern Territory – Australia, Victoria – Australia. This year
marks the second time that the Philippines will officially celebrate PAW in
solidarity with other APPA members and other privacy adherents all over the
world.

In the wake of the recent spate of media reports linked to data breaches and
other privacy-related concerns, the National Privacy Commission (NPC) is
urging business, government and civil society organizations to participate in the
upcoming Privacy Awareness Week (PAW) on May 28 to 31 and publicly
commit to the safeguarding of people’s personal data.

PAW is a celebration of people’s data privacy rights along with all the benefits of
data privacy protection, such as better customer trust, greater competitive
advantage and stronger protection of company assets.

“All of us are data subjects so PAW is a community celebration. For
organizations, it means showcasing your sense of responsibility and assuring
your customers and constituents that the personal data they entrusted you is in
good hands. For the rest of us, it’s a reminder that we can assert our data
privacy rights, that we have a personal responsibility to protect it however we
can,” Privacy Commissioner Raymund Enriquez Liboro said.

NPC calls Grab over passenger verification system and in-car audio,
video recording pilot test

January 14, 2020 | 5:23 PM GMT+0800 Last Edit: January 14, 2020

The National Privacy Commission (NPC) has called Grab Philippines to
address the privacy concerns relating to the launch of their new
passenger verification system and in-car audio and video recording pilot
test.

“We understand that Grab designed their new systems as additional
security to both drivers and passengers. But to avoid serious breaches of
privacy, the Commission must ensure that their new system is compliant
with the Data Privacy Act and adhering fully to the principles of
transparency, proportionality, and legitimate purpose,” said Olivia Khane
Raza, Chief of the NPC’s Compliance and Monitoring Division.

The NPC required the data protection officer of Grab Philippines to present
on Wednesday, 15 January 2020, documents demonstrating their
compliance with the law including, among others, their Privacy Manual,
Privacy Impact Assessment reports, and Privacy Notices for the passenger
verification system and in-car audio and video recording pilot test.
