In mid-2017, UP College of Law Associate Professor Jose Jesus “JJ” M. Disini, Jr., one of the country’s leading experts in information technology and intellectual property, cybercrime and privacy, gave a talk on “Data Privacy Act Compliance: Legal Issues” at the UP Open University.
Some highlights of Disini’s talk were the following:
The Philippine Constitution looks at privacy in three ways:
Privacy in Physical Spaces, or the right against unreasonable searches and seizure.
Decisional Privacy, or the recognition that there are certain decisions that are intimate to us, and that the State has no right to intervene.
Data or Informational Privacy for information called personal information or personally identifiable information—information about ourselves or data that we have rights over. These data belong to us, and we control how they may be collected and used.
Republic Act 10173 or the Data Privacy Act of 2012 is one of the three areas of information that UP has to deal with. The others are the Freedom of Information program and the Open Data policy for research. We engage in many activities involving information, such as compiling lists of customers or suppliers, signing guest books during events, filling up raffle coupons in supermarkets, applying for credit cards, etc. Data subjects are individuals, not institutions.
There is a class of personal information called sensitive personal information, which includes information about an individual: race; ethnic origin; marital status; age; color; religious, philosophical or political affiliations; health; education; genetic or sexual life; any proceeding for any offense committed or alleged to have been committed; and, information issued by government agencies, such as social security numbers, licenses and tax returns. Such information are considered sensitive because there is greater harm in collecting these data (e.g., exposing a data subject to potential discrimination based on the information, for instance), and are therefore protected to a higher degree.
The entities the law regulates are personal data controllers, personal information controllers, or personal information processors:
A data controller is somebody who makes decisions about the personal information, such as what and when to collect and how it will be used.
A data processor is somebody who follows instructions of the data controller and does not make any decisions about the information.
This distinction is important because the Data Privacy Act has penal provisions: imprisonment ranging from one to three years and a fine of not less than Php500,000.00.
Your rights as a data subject in relation to data controllers are:
You have the right to be informed when your data are being collected, how those data will be used, and with whom they will be shared, before you give your consent for your data to be collected and processed.
You have the right to access your personal information.
You have the right to correct your data if they are wrong, and to withdraw your data from the database. You also have the right to sue for damages.
Aside from consent, there is another exception under the law: when personal information is necessary for the performance of a public function. Grades, for example, are necessary for the performance of an educational institution’s functions.
For institutions, the steps in the compliance process are:
Do a gap analysis. Study existing processes to find out what data you are collecting, if you are getting the necessary consent from your data subjects, and how you are processing, storing, transferring and destroying data. Spot the areas where you are not compliant with the law.
Draw a roadmap. Using the information from the gap analysis, plan out the steps you need to undertake to close the gaps and implement these steps. Work with your institution’s IT department to put information security policies and procedures in place, including, for government institutions, the certain levels of encryption required for data.
Implement the solutions in the roadmap. Draft your institution’s explicit data privacy policy informing individuals how they can exercise their rights. Formulate data management policies, including policies on what to do in case of a data breach. Appoint a data privacy officer. The authority of the data privacy officer can be further delegated to a compliance officer for privacy specific to an office.
Audit your processes, policies and procedures. If everything has been found to be compliant, practice maintenance.
Get your FREE copy of the UP Forum magazine now. Please send an email to upforum@up.edu.ph or visit the UP Media and Public Relations Office at Room 6B, Fonacier Hall, Magsaysay Avenue, UP Diliman, Quezon City.
You may access the digital copy here.
