Data Privacy Act

Case Overview and Summary

Summary of the Data Privacy Act of 2012

Definitions and Coverage (Section 3, 4)
- Defines key terms like personal information, sensitive personal information, processing, personal information controller, and personal information processor.
- Covers processing of personal information in government and private sector, including entities outside the Philippines if processing involves Philippine citizens or residents.
- Excludes certain information like those related to public employment, discretionary benefits, journalistic purposes, and foreign jurisdictions.

National Privacy Commission (Sections 7-10)
- Establishes the National Privacy Commission to administer and implement the Act.
- Outlines the functions, organizational structure, and staffing of the Commission.
- The Commission is attached to the Department of Information and Communications Technology (DICT).

Processing of Personal Information (Sections 11-15)
- Lays out general data privacy principles for processing personal information, such as transparency, legitimate purpose, and proportionality. (Section 11)
- Specifies criteria for lawful processing of personal information, including consent, contractual necessity, legal obligation, and legitimate interests. (Section 12)
- Prohibits processing of sensitive personal information and privileged information, except in certain cases like consent, legal provisions, and medical treatment. (Section 13)
- Allows subcontracting of personal information processing, with the controller responsible for ensuring proper safeguards. (Section 14)
- Extends the principle of privileged communication to personal information controllers. (Section 15)

Rights of Data Subjects (Sections 16-19)
- Enumerates the rights of data subjects, including the right to be informed, access personal information, correct inaccuracies, suspend or withdraw personal information, and be indemnified for damages. (Section 16)
- Allows heirs and assigns to invoke the rights of the data subject. (Section 17)
- Grants the right to data portability, allowing data subjects to obtain a copy of their personal information in an electronic format. (Section 18)
- Specifies exceptions for scientific and statistical research, and investigations related to criminal, administrative, or tax liabilities. (Section 19)

Security of Personal Information (Sections 20-24)
- Requires personal information controllers to implement reasonable and appropriate organizational, physical, and technical security measures. (Section 20)
- Mandates notification to the Commission and affected data subjects in case of a security breach involving sensitive personal information. (Section 20)
- Holds heads of government agencies responsible for securing sensitive personal information. (Section 22)
- Imposes requirements for access to sensitive personal information by government personnel, both on-site and off-site. (Section 23)
- Requires government contractors to register their personal information processing systems with the Commission and comply with the Act. (Section 24)

Accountability for Transfer of Personal Information (Section 21)
- Establishes the principle of accountability, where personal information controllers are responsible for personal information under their control or custody, including information transferred to third parties.

Penalties (Sections 25-37)
- Imposes penalties for unauthorized processing, accessing, improper disposal, and unauthorized purposes of personal information and sensitive personal information, ranging from imprisonment of 6 months to 6 years and fines of Php100,000 to Php4,000,000, depending on the offense. (Sections 25-28)
- Penalizes unauthorized access or intentional breach, concealment of security breaches, malicious disclosure, and unauthorized disclosure, with imprisonment of 1 to 7 years and fines of Php500,000 to Php2,000,000. (Sections 29-32)
- Increases penalties for a combination or series of acts, and for large-scale offenses involving personal information of at least 100 persons. (Sections 33, 35)
- Imposes additional penalties for public officers, such as disqualification from office. (Section 36)
- Allows for restitution for aggrieved parties. (Section 37)

Miscellaneous Provisions (Sections 38-45)
- Provides for liberal interpretation of the Act in favor of individual rights and interests. (Section 38)
- Requires the Commission to promulgate implementing rules and regulations within 90 days of the Act's effectivity. (Section 39)
- Mandates annual reports by the Commission to the President and Congress, and efforts to educate the public on data privacy. (Section 40)
- Appropriates an initial budget of Php20,000,000 and Php10,000,000 per year for 5 years for the Commission. (Section 41)
- Grants a 1-year transitory period for existing industries, businesses, and offices to comply with the Act. (Section 42)
- Contains separability, repealing, and effectivity clauses. (Sections 43-45)