The document summarizes key aspects of Republic Act 10173, also known as the Data Privacy Act of 2012 in the Philippines. The law aims to protect personal information while ensuring free flow of information. It requires organizations to obtain consent before collecting personal data and appoint a Data Privacy Officer. The law grants individuals rights over their personal data including access, correction, and deletion. Implementing rules provide guidelines for organizations to comply with aspects like data security, breaches, and system registration. The overall goal is to balance privacy rights with responsible data use.

Republic Act 10173

Data Privacy Act of 2012

Prepared by Julie Estares, February 12, 2024

Overview
The Data Privacy Act of 2012 is a law in the Philippines that aims to protect the personal
information of individuals while ensuring the free flow of information for innovation and
growth. It recognizes the importance of privacy in the digital age and sets guidelines for how
organizations should handle personal data responsibly.

Under the law, personal data refers to any information that can identify an individual, such
as their name, address, contact details, or government-issued ID numbers. Sensitive
personal information, on the other hand, includes more private details like race, ethnicity,
religious beliefs, health records, and financial information.

The law requires organizations, known as data controllers, to implement security measures
to protect personal data from unauthorized access, disclosure, alteration, or destruction.
They must also obtain consent from individuals before collecting, processing, or using their
personal information.

To ensure compliance with the law, organizations are required to appoint a Data Privacy
Officer (DPO) responsible for implementing and enforcing data protection policies. The DPO
serves as a point of contact for individuals to raise privacy concerns and oversees the
organization's data processing activities.

The law also grants individuals certain rights over their personal data, including the right to
access, correct, or delete their information. Individuals have the right to know how their data
is being used and to request its removal if it's no longer necessary or if they withdraw their
consent.

In addition to the Data Privacy Act itself, there are implementing rules and regulations (IRR)
that provide detailed guidelines on how organizations should comply with the law. The IRR
covers various aspects of data protection, including data security measures, data breach
notification requirements, and the registration of data processing systems.

Overall, the Data Privacy Act and its IRR aim to strike a balance between protecting
individuals' privacy rights and promoting the responsible use of personal data for legitimate
purposes. By complying with these regulations, organizations can build trust with their
customers and stakeholders while fostering innovation and growth in the digital economy.
Definition of Terms
a. Act: Refers to Republic Act No. 10173, also known as the Data Privacy Act of 2012. It's a
law that aims to protect the personal information of individuals.

b. Commission: Refers to the National Privacy Commission, a government agency
responsible for enforcing the Data Privacy Act and ensuring compliance with its provisions.

c. Consent of the data subject: Means that individuals freely agree to the collection and
processing of their personal information. Consent can be given in writing, electronically, or
verbally, and can also be given by a representative authorized by the individual.

d. Data subject: An individual whose personal, sensitive personal, or privileged information
is being processed.

e. Data processing systems: Refers to the structure and procedures used to collect and
process personal data in computer systems or filing systems. It includes how data is
collected, stored, and used.

f. Data sharing: Involves disclosing or transferring personal data to a third party. It
excludes outsourcing, where a third party processes data on behalf of another
organization.

g. Direct marketing: Refers to any advertising or marketing material directed at specific
individuals.

h. Filing system: Any organized set of information related to individuals that allows specific
information about a person to be easily accessed.

i. Information and communications system: Refers to systems used for generating,
sending, receiving, storing, or processing electronic data messages or documents.

j. Personal data: All types of information that can identify an individual, such as names,
addresses, or contact details.

k. Personal data breach: Occurs when personal data is accidentally or unlawfully accessed,
altered, disclosed, or lost.

l. Personal information: Any information that can identify an individual directly or
indirectly, including when combined with other information.

m. Personal information controller: A person or organization that determines the purposes
and means of processing personal data.

n. Personal information processor: A person or organization that processes personal data
on behalf of a personal information controller.

o. Processing: Any operation performed on personal data, such as collection, storage, or
use.

p. Profiling: Involves using personal data to analyze or predict aspects of a person's life,
such as their behavior or interests.

q. Privileged information: Data that is protected under the Rules of Court and other laws,
such as attorney-client communications.

r. Public authority: Any government entity with law enforcement or regulatory authority.

s. Security incident: An event that affects data protection or compromises the availability,
integrity, and confidentiality of personal data.

t. Sensitive personal information: Personal data that is considered sensitive, such as
information about an individual's race, health, or religious beliefs.

Scope & Special Cases
Scope:
The Data Privacy Act (DPA) and its Rules apply to anyone, whether a natural person or a
company, in both the government and private sectors, who processes personal data. This
includes activities done within and outside the Philippines, as long as they involve:

a. A person or entity located in the Philippines;
b. Personal data about a Philippine citizen or resident;
c. Processing of personal data happening in the Philippines; or
d. An entity with connections to the Philippines, such as having offices, branches, or
equipment here.

Special Cases:
There are certain situations where the DPA and its Rules don't fully apply. These include:

a. Information related to government employees, contractors, or benefits granted by the
government, as long as it's necessary for public access to information;
b. Personal information used for journalistic, artistic, or literary purposes to protect freedom
of speech and expression;
c. Personal information used for research intended for public benefit;
d. Information necessary for law enforcement or regulatory functions, subject to specific
legal restrictions;
e. Information required for compliance with banking and financial regulations, anti-money
laundering laws, and credit information systems;
f. Personal information collected from foreign residents and processed in the Philippines,
subject to the laws of their country of residence;
g. Protection for journalists and their sources, ensuring they're not forced to reveal
confidential information unless required by law.

Data Subject Protection:
Regardless of these exemptions, personal information controllers and processors must still
protect the rights of data subjects and follow general data privacy principles and lawful
processing requirements. Any exemptions must be interpreted favorably towards the rights
of the data subject.

Protection for Journalists and Sources:
Journalists, publishers, editors, and reporters are protected under the DPA, allowing them to
keep their sources confidential. However, they must still comply with the DPA's provisions
regarding the processing of personal data and uphold the rights of data subjects.
Principles
Principles of Transparency, Legitimate Purpose, and Proportionality:

Transparency: Data subjects must be informed about how their personal data will be used
in clear and easy-to-understand language.
Legitimate Purpose: Personal data should only be processed for lawful and specified
purposes.
Proportionality: The collection and processing of personal data should be relevant,
necessary, and not excessive for the intended purpose.

General Principles in Collection, Processing, and Retention:

Collection must have a declared, specified, and legitimate purpose, with consent obtained
when required.
Processing must be fair, lawful, and transparent, respecting the rights of data subjects and
ensuring data accuracy.
Personal data should not be retained longer than necessary and must be disposed of
securely.
Further processing should have adequate safeguards and be done for historical,
statistical, or scientific purposes.

General Principles for Data Sharing:

Data sharing is allowed when authorized by law or with the consent of the data subject.
Data sharing agreements must establish safeguards for privacy and security and provide
information to data subjects about the purpose and recipients of the shared data.
Research involving shared data must have safeguards in place, and decisions affecting
data subjects must respect their rights.
Government agencies sharing data must comply with the Act and ensure adequate
safeguards are in place.
These principles aim to balance the need for data processing with protecting the privacy
and rights of individuals.
Processing of Personal Information
Criteria for Lawful Processing of Personal Information:

Personal information can be processed unless it's forbidden by law.

Processing is lawful if:
- The data subject gives consent.
- It's necessary to fulfill a contract.
- It's required by law.
- It's necessary to protect the data subject's vital interests, respond to
emergencies, or fulfill a legal mandate.
- It's for the legitimate interests of the controller, unless overridden by
the data subject's rights.

Sensitive Personal Information and Privileged Information:

Processing of sensitive and privileged information is generally prohibited unless:
- Consent is given.
- It's required by law.
- It's necessary to protect life and health, achieve lawful noncommercial
objectives of public organizations, for medical treatment, or for legal
proceedings.
Privileged communication is protected, and evidence gathered from it is usually
inadmissible unless permitted by law.

Surveillance and Recording of Communications:

Surveillance or recording of communications must comply with the Data Privacy Act,
including transparency, proportionality, and legitimate purpose principles.
Amendments to the Human Security Act ensure that surveillance respects data
privacy laws.
Security Measures for the Protection of Personal Data
Data Privacy and Security:
Organizations handling personal data must put in place reasonable and suitable
security measures to protect it.
Anyone with access to personal data must only process it as instructed or required by
law.

Organizational Security Measures:
Designate a person to ensure compliance with data protection laws.
Implement policies for data protection and security, considering the nature of the data
and potential risks.
Keep records of data processing activities.
Train employees on privacy and security policies.
Have procedures for data collection, processing, access management, and data
retention.
Ensure that contracts with third-party processors include security measures.

Physical Security Measures:
Control and monitor access to areas where personal data is processed.
Arrange workspaces to ensure privacy.
Clearly define responsibilities and schedules of personnel.
Implement policies for the transfer, disposal, and reuse of electronic media.
Protect against natural disasters, power disruptions, and unauthorized access.

Technical Security Measures:
Establish a security policy for data processing.
Safeguard computer networks against unauthorized access and interference.
Ensure confidentiality, integrity, availability, and resilience of processing systems.
Monitor for security breaches and vulnerabilities.
Have processes for restoring data after incidents.
Regularly test and evaluate security measures.
Encrypt personal data during storage and transmission.

Appropriate Level of Security:
The National Privacy Commission oversees compliance with security guidelines.
The level of security should match the sensitivity of the data, potential risks,
organization size, and industry standards.
Security measures are regularly reviewed and updated as needed.
Security of Sensitive Personal Information in Government
Responsibility of Heads of Agencies:

Government agencies must protect sensitive personal information using industry-standard
security measures.
The head of each government agency is responsible for ensuring compliance with
these security requirements.
The National Privacy Commission oversees government agency compliance and may
recommend actions to meet minimum standards.

Requirements for Access to Sensitive Personal Information by Agency Personnel:

On-site and online access to sensitive personal information is only allowed for
government employees who have received security clearance from the head of the
agency that collected the data.
Access to sensitive information online is tightly regulated and subject to conditions
such as implementing security measures and limiting access to necessary data.
Off-site access to sensitive information must be approved by the agency head, with
limits on the number of records accessed and encryption of data for security.

Implementation of Security Requirements:

Security requirements must be in place before approving any requests for off-site or
online access to sensitive information.

Applicability to Government Contractors:

Government agencies hiring private service providers to handle sensitive information
must ensure compliance with data protection laws and require registration of their
data processing systems with the National Privacy Commission.
Rights of Data Subjects
1. Right to be Informed:
The data subject has the right to know if their personal data is being processed and for what
purposes.
They should be informed before their data is collected about who will process it, why, and how
long it will be stored.
They should also know their rights, including how to access, correct, and complain about their
data.

2. Right to Object:
The data subject can object to their data being processed, especially for marketing or automated
decision-making.
They can refuse consent or object to changes in how their data is used.

3. Right to Access:
The data subject can request access to their personal data, including where it came from, who
has seen it, and why it was used.
They can also find out if automated processes were used to make decisions about them.

4. Right to Rectification:
The data subject can correct any inaccuracies in their personal data held by the controller.

5. Right to Erasure or Blocking:
The data subject can request to have their personal data deleted or blocked under certain
conditions, such as if it's no longer needed or was unlawfully obtained.

6. Right to Damages:
The data subject can claim compensation for any harm caused by inaccurate, incomplete, or
unauthorized use of their personal data.

7. Transmissibility of Rights:
The rights of the data subject can be invoked by their heirs or assigns after their death or if they
are unable to exercise them.

8. Right to Data Portability:
The data subject can request a copy of their personal data in a commonly used electronic format
for further use.

9. Limitation on Rights:
Some rights may not apply if the data is used for scientific research or investigations, but
limitations should be minimal and necessary.
Data Breach Notification
1. Notification Timeline:
The personal information controller must notify the Commission and affected data
subjects within 72 hours upon learning of a data breach.

2. Criteria for Notification:
Notification is required when sensitive personal information or data that could lead to
identity theft is believed to have been accessed by unauthorized individuals, and
there's a real risk of serious harm to affected data subjects.

3. Contents of Notification:
The notification should describe the breach, the personal data involved, actions taken
to address it, contact details of the controller's representatives for further
information, and any assistance offered to affected data subjects.

4. Delay of Notification:
Notification can be delayed to assess the breach's scope, prevent further disclosures,
or restore system integrity.
The Commission may consider factors like compliance efforts and good faith in data
acquisition when deciding if notification can be delayed.
In some cases, the Commission may exempt or postpone notification if it's not in the
public interest or if it hinders a criminal investigation.

5. Breach Report:
The controller must submit a report to the Commission detailing the breach, including
a designated representative's contact information.
All security incidents and data breaches, even those not requiring notification, must
be documented.
Reports should include incident details, effects, and remedial actions taken, and
summaries should be provided annually to the Commission.

6. Notification Procedure:
The notification process must follow the guidelines set by the Act, these Rules, and
Commission issuances.
Outsourcing and Subcontracting Agreements
Subcontracting Personal Data Processing:
A personal information controller can hire another party (personal information
processor) to handle personal data processing, but they must ensure proper
safeguards are in place.
These safeguards must ensure the confidentiality, integrity, and availability of the
personal data, prevent unauthorized use, and comply with relevant laws and
regulations.

Agreements for Outsourcing:
Processing by a personal information processor must be governed by a contract or
legal agreement with the personal information controller.
The agreement should specify the details of the processing, like its duration, purpose,
types of data involved, and the rights and obligations of both parties.
The personal information processor must agree to:
1. Follow the instructions of the controller, including data transfers, unless authorized by
law.
2. Maintain confidentiality of the data.
3. Implement security measures and comply with relevant laws and regulations.
4. Not subcontract without the controller's approval.
5. Assist the controller in responding to data subject requests.
6. Help the controller comply with laws and regulations.
7. Delete or return data after the service ends.
8. Provide necessary information for compliance audits.
9. Inform the controller if any instruction violates the law.

Duty of Personal Information Processor:
The personal information processor must comply with the Act, relevant laws, and
agreements with the controller, in addition to any contractual obligations.
Registration & Compliance Requirements
Requirements by the Commission:
The Commission oversees the implementation of the Data Privacy Act and ensures
compliance by personal information controllers.
The Commission requires:
1. Registration of personal data processing systems, especially those handling sensitive
information of at least 1,000 individuals.
2. Notification of automated processing operations if they solely influence significant
decisions about a person.
3. Annual reporting of security incidents and breaches.
4. Adherence to other requirements set by the Commission.

Registration of Personal Data Processing Systems:
Entities with fewer than 250 employees don't need to register unless their processing
poses risks to individuals' rights, involves sensitive data of at least 1,000 people, or is
not occasional.
Registration includes details like the purpose of processing, data categories, recipients,
security measures, and contact details of the data protection officer.

Notification of Automated Processing Operations:
Controllers must inform the Commission if automated processing solely influences
significant decisions about individuals.
The notification includes details like processing purpose, data categories, consent
procedures, recipients, storage duration, and contact details of the data protection
officer.
Decisions solely based on automated processing cannot be made without the data
subject's consent.

Review by the Commission:
The Commission reviews:
1. Compliance with the Data Privacy Act and its rules.
2. Implementation of adequate safeguards for data privacy and security.
3. Contracts involving personal data processing.
4. Government's off-site or online access to sensitive data.
5. Personal data processing for various purposes.
6. Reported violations of data subject rights.
7. Other matters necessary for effective implementation of the Data Privacy Act.
Rules on Accountability
Accountability for Transfer of Personal Data:

Personal information controllers are responsible for all personal data they
control, even if it's given to others for processing.
They must follow the rules of the Act and other regulations, ensuring data
protection through contracts or other means.
They must assign individuals responsible for following these rules, and their
identities must be shared with data subjects upon request.

Accountability for Violation of the Data Privacy Act:

Anyone involved in processing personal data who breaks the rules will face
penalties, regardless of whether they're a person, organization, or entity.
If a data subject suffers harm due to a violation, they can file a complaint and
may receive compensation based on civil law.
If there's evidence of criminal activity, the Commission may recommend
prosecution. Responsible individuals within organizations may also be held
accountable if they participated in or allowed the wrongdoing.
Penalties
Unauthorized Processing of Personal Information and Sensitive Personal Information:

If someone processes personal information without consent or authorization:
For personal information: 1 to 3 years imprisonment and a fine of Php 500,000 to Php
2,000,000.
For sensitive personal information: 3 to 6 years imprisonment and a fine of Php 500,000
to Php 4,000,000.

Accessing Personal Information and Sensitive Personal Information Due to Negligence:

If someone negligently provides access to personal or sensitive personal information without
authorization:
For personal information: 1 to 3 years imprisonment and a fine of Php 500,000 to Php
2,000,000.
For sensitive personal information: 3 to 6 years imprisonment and a fine of Php 500,000
to Php 4,000,000.

Improper Disposal of Personal Information and Sensitive Personal Information:

If someone knowingly or negligently disposes of personal or sensitive personal information in
an accessible area:
For personal information: 6 months to 2 years imprisonment and a fine of Php 100,000 to
Php 500,000.
For sensitive personal information: 1 to 3 years imprisonment and a fine of Php 100,000 to
Php 1,000,000.

Processing of Personal Information and Sensitive Personal Information for Unauthorized Purposes:

If someone processes personal or sensitive personal information for unauthorized purposes:
For personal information: 1.5 to 5 years imprisonment and a fine of Php 500,000 to Php
1,000,000.
For sensitive personal information: 2 to 7 years imprisonment and a fine of Php 500,000 to
Php 2,000,000.
Unauthorized Access or Intentional Breach:

If someone unlawfully accesses personal or sensitive personal information:
1 to 3 years imprisonment and a fine of Php 500,000 to Php 2,000,000.

Concealment of Security Breaches Involving Sensitive Personal Information:

If someone conceals a security breach involving sensitive personal information:
1.5 to 5 years imprisonment and a fine of Php 500,000 to Php 1,000,000.

Malicious Disclosure:

If someone discloses false information about personal or sensitive personal information with
malice:
1.5 to 5 years imprisonment and a fine of Php 500,000 to Php 1,000,000.

Unauthorized Disclosure:

If someone discloses personal or sensitive personal information to a third party without
consent:
For personal information: 1 to 3 years imprisonment and a fine of Php 500,000 to Php
1,000,000.
For sensitive personal information: 3 to 5 years imprisonment and a fine of Php 500,000
to Php 2,000,000.

Combination or Series of Acts:

If someone commits multiple offenses:
3 to 6 years imprisonment and a fine of Php 1,000,000 to Php 5,000,000.

Extent of Liability:
Responsible officers may be held accountable, and corporations may face suspension or
revocation of rights.

Large-Scale Offenses:
Penalties increase if at least 100 persons are affected.
Offenses Committed by Public Officers:
Public officers face disqualification from office.

Restitution:
The Commission may award indemnity to aggrieved parties based on civil law provisions.

Fines and Penalties:
Violations are subject to various enforcement measures, including fines, as per the
Commission's schedule.
Data Categories
