Data Privacy Act Powerpoint Final

Republic Act No. 10173, known as the Data Privacy Act of 2012, aims to protect individual personal information in both government and private sectors by establishing a National Privacy Commission. The Act outlines the rights of data subjects, the responsibilities of personal information controllers and processors, and the conditions under which personal data may be processed. It also emphasizes the importance of data security and compliance with international standards for data protection.

Uploaded by

Rclo Barmm

REPUBLIC ACT NO. 10173
CICERO V. MALATE, O.D.
CITY PROSECUTOR
City Prosecution Office
Iriga City
“DATA PRIVACY ACT OF 2012”
AN ACT PROTECTING INDIVIDUAL PERSONAL INFORMATION IN INFORMATION
AND COMMUNICATIONS SYSTEMS IN THE GOVERNMENT AND THE
PRIVATE SECTOR, CREATING FOR THIS PURPOSE A NATIONAL
PRIVACY COMMISSION, AND FOR OTHER PURPOSES.
Declaration of Policy
a. Recognition of the vital role of information and
communications technology in nation-building;
b. Inherent obligation to ensure that personal
information in information and communications
systems in the government and in the private
sector are secured and protected.

It is the policy of the state to protect the
fundamental human rights of privacy of
communication while ensuring free flow of
information *****
TERMINOLOGIES
(a) Data Subject – refers to an individual whose
personal, sensitive personal, or privileged
information is processed. (IRR)
Data Subject - individual whose
personal information is processed.
(b) Consent
- refers to any freely given, specific, informed
indication of will, whereby the data subject agrees to
the collection and processing of personal information
about and/or relating to him or her.
- Consent shall be evidenced by written,
electronic or recorded means. It may also be
given on behalf of the data subject by an agent
specifically authorized by the data subject to do so.
(c) Personal Data - refers to all types of
personal information (IRR).
(d) Personal Information- refers to any
information whether recorded in a material form
or not, from which the identity of an individual is
apparent or can be personally and directly
ascertained by the entity holding the
information, or when put together with other
information would directly and certainly identify
an individual (IRR).
(e) Data Sharing - is the disclosure or transfer
to a third party of personal data under the
custody of PIC/PIP.
- PIC to PIC = NO EXCLUDED
(f) Data Processing
System -
Structure/Procedure by
which personal data is
collected and further
processed in an
information and
communication systems,
or relevant filing systems
including the purpose and
intended output (IRR)
(g) Personal Data Breach -
refers to a breach of security
leading to the accidental or
unlawful destruction, loss,
alteration, unauthorized disclosure
of, or access to, personal data
transmitted, stored or otherwise
processed.(IRR)
(h) Sensitive personal
information - refers to personal
information:
(1) About an individual’s race, ethnic
origin, marital status, age, color, and religious,
philosophical or political affiliations;
(2) About an individual’s health, education,
genetic or sexual life of a person, or to any
proceeding for any offense committed or alleged
to have been committed by such person, the
disposal of such proceedings, or the sentence of
any court in such proceedings;
(3) Issued by government
agencies peculiar to an individual
which includes, but not limited
to, social security numbers,
previous or current health
records, licenses or its denials,
suspension or revocation, and
tax returns; and

(4) Specifically established
by an executive order or an act
of Congress to be kept classified.
(i) Privileged information - any
and all forms of data under the Rules
of Court and other pertinent laws
constitute privileged communication.
(j) Personal
information controller -
person or organization who
controls the collection, holding,
processing or use of personal
information, including a person or
organization who instructs
another person or organization to
collect, hold, process, use,
transfer or disclose personal
information on his or her behalf.
The term excludes:
(1) A person or organization who performs
such functions as instructed by another
person or organization; and
(2) An individual who collects, holds,
processes or uses personal information in
connection with the individual’s personal, family
or household affairs.
(k) Personal information
processor - natural or
juridical person to whom a
personal information
controller may outsource the
processing of personal data
pertaining to a data subject.
(l) Processing -
any operation or any
set of operations
performed upon
personal information including,
but not limited to, the collection,
recording, organization,
storage, updating or
modification, retrieval,
consultation, use,
consolidation, blocking,
erasure or destruction
of data.
(m) Profiling – refers to any form of
annotated processing of personal data
consisting of the use of personal data to
evaluate certain personal aspects
concerning that natural person’s
performance at work, economic situation,
health, personal preferences, interest,
(n) Information and
Communications
System - a system for
generating, sending, receiving,
storing or otherwise
processing electronic data
messages or electronic
documents by or which data is
recorded, transmitted or
stored and any procedure
related to the recording,
transmission or storage of
electronic data, electronic
(o) Public Authority -
refers to any government entity
created by the constitution or
law and vested with law
enforcement or regulatory
authority and functions.
(p) Commission - shall refer to the
National Privacy Commission created by
virtue of this Act.
COVERAGE

- Processing of ALL types of personal
information.
- Natural/juridical persons involved
in personal information processing,
personal information controllers
and processors.
EXCEPTIONS
Information relating to an officer or
employee of a government institution
regarding his position or functions, including:
- Fact of employment
- Title, business address and office
telephone number;
- Classification, salary range and
responsibilities of the position; and
- Name on a document prepared by
the individual in the course of employment;
Information relating to an individual
performing service under contract for a
government institution:
- Services performed
- Terms of Contract
- Name given in the course of the performance of
the services.

Information relating to any discretionary
benefit of a financial nature:
- Grant of a license or permit from the government
- Name of individual
- Exact nature of benefit
Personal information processed
for journalistic, artistic, literary or
research purposes;
Information necessary in order
to carry out the functions of
public authority including the
processing of personal data for the
performance by independent, central
monetary authority and law
enforcement and regulatory agencies
of their constitutionally and statutorily
Information
necessary for banks
and other financial
institutions to comply
with Anti-Money
Laundering Act

Personal information
originally collected from
residents of foreign
jurisdictions.
Protection Afforded to
Journalists and Their Sources

Protection from being compelled to
reveal the source of any news report or
information appearing in said publication
which was related in any confidence to such
publisher, editor, or reporter.
Extraterritorial Application

Applies to an act done or practice engaged in
and outside of the Philippines.
IF:
(a) Personal information about a Philippine
citizen or a resident;
(b) Entity has link in the Philippines
processing personal information or even
outside the Philippines as long as it is about
Philippine citizens or residents such as:
- Contract is entered in the Philippines;
- A juridical entity unincorporated in the
Philippines but has central management
and control in the country; and
- An entity that has a branch, agency,
office or subsidiary in the Philippines and
the parent or affiliate of the Philippine entity
has access to personal information; and
(c) Entity has other links in the
Philippines:
- The entity carries on business in
the Philippines; and
- The personal information
was collected or held by an entity
in the Philippines.
THE NATIONAL PRIVACY COMMISSION

Independent body to:
1. Administer and Implement the
provisions of the law
2. To monitor and ensure
compliance of the country with
international standards set for data
protection
- Attached AGENCY of the Department
of Information and Communication
COMPOSITION
- Privacy Commissioner or Chairman of the Commission
- Deputy Privacy Commissioner for Data Processing System
- Deputy Commissioner for Policies and Planning

SECRETARIAT
Majority of the members must have served for at least five
(5) years in government agencies in processing of personal
information but not limited to:
SSS, GSIS, LTO, BIR, PHILHEALTH, COMELEC, DFA, DOJ,
FUNCTIONS OF THE COMMISSION
(a) Ensure compliance of personal information
controllers with the provisions of this Act;
(b) Receive complaints;
- Institute investigations;
- Facilitate or enable settlement of
complaints through the use of alternative dispute
resolution processes;
- Adjudicate, award indemnity on matters
affecting any personal information,
prepare reports on disposition of complaints and
resolution of any investigation it initiates;
- Publicize any such report
FUNCTIONS OF THE COMMISSION

(c) Publicize any such report
- Issue cease and desist orders;
- Impose a temporary or permanent ban on
the processing of personal information,
detrimental to national security and public
interest;
(d) Compel or petition any entity, government
agency or instrumentality to abide by its
orders or take action on a matter affecting
data privacy;
FUNCTIONS OF THE COMMISSION
(e) Monitor the compliance of
other government agencies or
instrumentalities on their security
and technical measures and
recommend the necessary action
in order to meet minimum
standards for protection of
personal information pursuant to
FUNCTIONS OF THE COMMISSION
(f) Coordinate with other government agencies
and the private sector on efforts to formulate and
implement plans and policies to strengthen the
protection of personal information in the country;
(g) Publish on a regular basis a guide to all laws
relating to data protection;
(h) Publish a compilation of agency system of
records and notices, including index and other
finding aids;
(i) Recommend to the Department of Justice
(DOJ) the prosecution and imposition of penalties
specified in Sections 25 to 29 of this Act;
FUNCTIONS OF THE COMMISSION
(j) Review, approve, reject or require
modification of privacy codes voluntarily adhered
to by personal information controllers
(k) Provide assistance on matters relating to
privacy or data protection at the request of a national
or local agency, a private entity or any person;
(l) Comment on the implication on data privacy
of proposed national or local statutes, regulations
or procedures, issue advisory opinions and interpret
the provisions of this Act and other data privacy laws;
(m) Propose legislation, amendments or
modifications to Philippine laws on privacy or data
protection as may be necessary;
FUNCTIONS OF THE COMMISSION
(n) Ensure proper and effective coordination with
data privacy regulators in other countries and private
accountability agents, participate in international and
regional initiatives for data privacy protection;
(o) Negotiate and contract with other data privacy
authorities of other countries for cross-border application
and implementation of respective privacy laws;
(p) Assist Philippine companies doing business
abroad to respond to foreign privacy or data protection
laws and regulations; and
(q) Generally perform such acts as may be necessary to
facilitate cross-border enforcement of data privacy
protection.
CONFIDENTIALITY

The commission shall ensure AT ALL TIMES
the confidentiality of any personal information
that comes to its knowledge and possession.

GENERAL DATA PRIVACY PRINCIPLES

The processing of personal information shall
be allowed subject to the compliance of the
requirements under the law and other law
allowing disclosure of information to the public
and adherence to the principles of
TRANSPARENCY, LEGITIMATE PURPOSE AND
PRIORITY.
PROCESSING OF PERSONAL INFORMATION
Personal information must be:
(a) Collected for SPECIFIED and LEGITIMATE
purposes
(b) Processed fairly and lawfully;
(c) Accurate, relevant and, kept up to date;
(d) Adequate and not excessive
(e) Retained only for as long as necessary for the
fulfilment of the purposes for which the data was
obtained
(f) Kept in a form which permits identification of
data subjects
- stored for longer periods in cases laid
down in laws
CONDITIONS FOR PROCESSING OF
PERSONAL INFORMATION

(a) The data subject has given consent;
(b) Necessary and related to the
fulfilment of a contract with the data
subject
(c) necessary for compliance with a
legal obligation
(d) necessary to protect vitally
important interests of the data
CONDITIONS FOR PROCESSING OF
PERSONAL INFORMATION

(e) necessary in order to respond to
national emergency, to comply with the
requirements of public order and safety or to
fulfil functions of public authority
(includes the processing of personal data)
(f) necessary for the purposes of the
legitimate interests pursued by the personal
information controller or by a third party or
parties to whom the data is disclosed
PROCESSING OF SENSITIVE PERSONAL
INFORMATION AND PRIVILEGED INFORMATION
General Rule: PROHIBITED
EXCEPTIONS:
a.) Sensitive – data subject has given consent
Privileged – all parties give their consent
b.) Provided by existing laws and regulations
c.) necessary to protect the life and health of the
data subject or another person and data subject is not
legally or physically able to express consent
d.) necessary to achieve lawful and non-commercial
objectives of public organization/association among its
members
e.) necessary for medical treatment – medical
practitioner
- medical
institution
f.) necessary for the protection of lawful
rights and interests of natural or legal persons
- court proceedings
- the establishment, exercise or defense of legal
claims
- when provided to government or public
authority.
Subcontracting of the Personal Information by
the personal information controller, ALLOWED:
- PIC responsible for the safeguards to ensure
the confidentiality
- prevent its use for unauthorized purposes
- comply with the requirements of the law
EXTENSION OF PRIVILEGED
COMMUNICATION

- PIC may invoke the principle of
privileged communication over
privileged information that they lawfully
control or process.
- Subject to existing laws and
regulations, any evidence gathered on
privileged information is INADMISSIBLE.
RIGHTS OF THE DATA SUBJECT
(a) Be informed whether personal
information pertaining to him or her shall be, are
being or have been processed;

(b) Be furnished the information indicated
hereunder before the entry of his or her personal
information into the processing system of
the personal information controller, or at the next
practical opportunity:
(1) Description
(2) Purposes
(3) Scope and method
(4) Recipients or classes of recipients to whom
they are or may be disclosed;
(5) Methods utilized for automated access
(6) The identity and contact details of PIC
(7) The period for which the information will be
stored; and
(8) The existence of their rights to access,
correction and lodge complaint
(c) Reasonable access to, upon demand:
(1) Contents of the personal information
(2) Sources from which personal information
were obtained;
(3) Names and addresses of recipients
(4) Reasons for the disclosure of the personal
information to recipients;
(5) Information on automated processes
(6) Data where personal information were last
accessed and modified
(7) Date when personal information were last
accessed and modified; and
(8) Name, designation, or identity and address of
the PIC
(d) Dispute the inaccuracy or error and have the
PIC correct it immediately and accordingly

(e) Suspend, withdraw or order the blocking,
removal or destruction of his or her personal
information from the personal information controller’s
filing system upon discovery and substantial proof that:
- personal information are INCOMPLETE, OUTDATED,
FALSE, UNLAWFULLY OBTAINED
- used for unauthorized purposes
- no longer necessary for the purposes for which they
were collected.
In this case, the personal information controller (PIC)
shall notify third parties thereof;
(f) Be indemnified for any
damages for (e)

NOTE: TRANSMISSIBLE to the
lawful heirs and assigns of the
data
(g) Obtain a copy of the data
processed by electronic means
undergoing processing in an
electronic format
NON-APPLICABILITY OF RIGHTS OF DATA
SUBJECT
used only for the needs OF SCIENTIFIC
AND STATISTICAL RESEARCH
under STRICT CONFIDENTIALITY
Used for the declared purpose
investigations in relation to any
CRIMINAL, ADMINISTRATIVE OR TAX
LIABILITIES
SECURITY OF PERSONAL
INFORMATION
PIC Shall:
(a) implement measures
intended for protection of personal
information against any
accidental/unlawful destruction,
alteration/disclosure and unlawful
processing.
(b) measures against natural
dangers and human dangers:
unlawful access, fraudulent misuse,
unlawful destruction, alteration and
(c) Determine level of Security
(1) Safeguards to protect its computer
network
(2) A security policy
(3) A process for identifying and accessing
reasonably foreseeable vulnerabilities
(4) Regular monitoring for security breaches
and a process for taking preventive,
corrective and mitigating action
(5) ensure third party implement security
measures
(6) agents, representative and employees of
PIC shall hold adequate under strict confidentiality
ACCOUNTABILITY FOR TRANSFER OF
PERSONAL INFORMATION
Personal information controller is
(a) accountable for compliance of the law
(b) designate an individual/s accountable
for compliance who shall be made known to any
data subject upon request.

SECURITY OF SENSITIVE PERSONAL
INFORMATION IN GOVERNMENT
Responsibility: Head of each government agency
REQUIREMENTS FOR ACCESS:
(a) On-site and Online Access – clearance from the head
(b) Off-site Access – Unless a request for access is
approved by the head
(1) Deadline for Approval or Disapproval – (2) business days
after submission of the request.
(2) Limit - (1,000) records at a time; and
(3) Encryption – most secure encryption standard recognized
by the Commission for off-site.

GOVERNMENT CONTRACTORS:
registration of the personal information processing
system with the commission
PENALTIES
UNAUTHORIZED PROCESSING OF PERSONAL
INFORMATION
• (1) year to three (3) years imprisonment
• fine of not less than Five hundred thousand
pesos (Php500,000.00) but not more than Two
million pesos (Php2,000,000.00)

SENSITIVE PERSONAL INFORMATION
• (3) years to six (6) years
• fine of not less than Five hundred thousand
pesos (Php500,000.00) but not more than Four
million pesos (Php4,000,000.00)
ACCESSING PERSONAL INFORMATION AND
SENSITIVE PERSONAL INFORMATION DUE
TO NEGLIGENCE

PERSONAL INFORMATION
• (1) year to three (3) years imprisonment
• fine of not less than Five hundred thousand pesos
(Php500,000.00) but not more than Two million
pesos (Php2,000,000.00)

SENSITIVE PERSONAL INFORMATION
• (3) years to six (6) years
• fine of not less than Five hundred thousand pesos
(Php500,000.00) but not more than Two million
IMPROPER DISPOSAL OF
INFORMATION
PERSONAL INFORMATION
• (6) months to two (2) years imprisonment
• fine of not less than one hundred thousand
pesos (Php100,000.00) but not more than five
hundred thousand pesos (Php500,000.00)

SENSITIVE PERSONAL INFORMATION
• (1) year to three (3) years imprisonment
• fine of not less than One hundred thousand
pesos (Php100,000.00) but not more than
PROCESSING OF INFORMATION WITH
AUTHORITY
PERSONAL INFORMATION
• (1) month to six (6) months – five (5)
years imprisonment
• fine of not less than one hundred thousand pesos
(Php500,000.00) not more than One million pesos
(Php1,000,000.00)
SENSITIVE PERSONAL INFORMATION
• (2) years to seven (7) years imprisonment
• fine of not less than Five hundred thousand pesos
UNAUTHORIZED ACCESS/INTENTIONAL
BREACH
(Violates data confidentiality /Security data systems)

Sensitive/Personal: 1-3 years Imprisonment
500K to 2M
CONCEALMENT OF SECURITY
BREACHES INVOLVING
SENSITIVE PERSONAL
INFORMATION

1-6 months to 5 years Imprisonment
500K to 2M
MALICIOUS DISCLOSURE OR IN BAD FAITH

Sensitive/Personal: 1-6 months to 5 years Imprisonment
500K to 1M
UNAUTHORIZED DISCLOSURE

Personal: 1-3 years Imprisonment
500K to 1M
Sensitive: 3-5 years Imprisonment
500K to 2M
COMBINATION OF SERIES OF ACTS

3-6 years Imprisonment
1M to 5M
LIABILITY COMMITTED BY CORPORATION,
PARTNERSHIP
OR ANY JURIDICAL PERSON

• responsible officers who participated in, or by
their gross negligence, allowed the
commission of the crime
• juridical person: revocation or suspension of
rights
• Alien: deportation in addition to penalties
PUBLIC OFFICER :
accessory penalty of
disqualification to
occupy public office

COMMITTED IN
LARGE SCALE
2X the penalty
Personal information of
at least 100 persons
