Why Companies Must Begin Complying with the Philippine Data Privacy Act

Marge Friginal-Sanchez
John Clements Lookingglass
Mar 28, 2017

Written by Rudee Mae Carnaje

John Clements Consultants, Inc. was lucky to have Atty. Divina Panganiban, Atty. Neonette Pascual and fellow esteemed lawyers from the Quisumbing Torres’ Law Office as our resource speakers for Legal Update: Data Privacy Act, held last March 8, 2017 at the Executive Lounge of the Antel Corporate Center in Makati City.

Atty. Vina started off by giving a brief background of Quisumbing Torres’ Law Office, and introducing other lawyers that are part of their law office’s Intellectual Property Practice Group and Information Technology & Communications Industry Group.

According to Atty. Vina, the Data Privacy Act is a pressing concern for many companies since there is already a regulatory agency established by the government that is prepared to charge violators. As such, companies must start complying with the new law. The Data Privacy Act was passed in 2012, but the rules for implementation were only released late last year.

Atty. Vina linked the topic with the Miss Universe Pageant question about the most significant change in the last 10 years, which is the rise of digital information according to the National Privacy Commission (NPC). She agreed with the NPC and said that for her personally, the Internet was the most significant change.

Data Glitch Management

She then discussed data glitches that happen every day and why companies are considering adding glitch management to their respective offices. She enumerated some of the companies who had the worst data glitches, such as LinkedIn, where 167 million passwords were leaked; MySpace, where an employee hacked a CEO using the site; dating apps, which damaged the reputation of many users; and Yahoo!, where 1 billion accounts were hacked into. The search engine company had to ask their subscribers to change their passwords using a combination of small and large characters, along with numbers in it for good measure.

There were also examples of companies where a chairman was held liable for gross negligence for leakage of employees’ information, including TIN numbers, SSS numbers, compensation and other personal information. Atty. Vina emphasized that hackers do not choose what applications or sites to hack, regardless of the nature, whether business or personal. They steal personal data to get a loan, acquire medical benefits, secure permission from government agencies using others’ identification, and/or apply for a new ID assuming another identity. Data thieves are always waiting for the right time and opportunity.

For these reasons, the government feels that it is about time to enact the Data Privacy Act in order to protect personal information. Atty. Vina called on Atty. Neonette Pascual to further explain the provisions in the Data Privacy Act.

Data Privacy Act

Atty. Neo informed us that data privacy is a right not just for Filipinos, but for foreign individuals as well. The Data Privacy Act of 2012, or Republic Act 10173, was passed more than 5 years ago and was defended on September 8, 2012. It was only in August 2016 that the NPC released the rules and regulations for implementation. As a result, from 2012 to 2016, nobody had an idea how to comply with the new law, and as of this writing, the government has set a deadline of September 9, 2017 for companies to register with the NPC. Non-compliance with this law will be treated as a criminal offense.

Personal vs. Sensitive Personal Information

Atty. Neo also discussed the difference between personal information and sensitive personal information. Personal information refers to any information — whether recorded in material form or not — from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or, when put together with other information, would directly and certainly identify an individual.

Sensitive personal information needs more protection since it can pose greater danger to an individual’s reputation. Sensitive personal information refers to personal information:

1. About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;

2. About an individual’s health, education, genetic or sexual orientation, or to any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings;

3. Issued by government agencies particular to an individual which includes, but is not limited to: social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns; and

4. Specifically established by an executive order or an act of Congress to be kept classified.

Anything you do to gathered data, even its deletion, is called processing.

Positions of the New Law

The positions involved in the new law are data subject, personal information controller, personal information processor, and the regulator.

Data subject refers to an individual whose personal information is processed. All of us are considered data subjects.

Personal information controller refers to a person or organization who controls the collection, holding, processing or use of personal information, including a person or organization who instructs another person or organization to collect, hold, process, use, transfer or disclose personal information on his or her behalf.

Personal information processor refers to any natural or juridical person qualified to act as such under this law to whom a personal information controller may outsource the processing of personal data pertaining to a data subject. Companies are allowed to hire a third party to process the data, but the personal information controller is still the one who has primary responsibility to comply with the Data Privacy Act.

And the last one is the regulator, which is the National Privacy Commission, established last March 2016.

Principles of Lawful Processing

The 3 principles of lawful processing under the Data Privacy Act were also discussed, namely transparency, legitimate purposes, and proportionality. Transparency is informing the data subject that her personal information is being processed. Legitimate purposes is having consent from the data subject. Proportionality is meeting the purpose of processing the personal information.

Atty. Neo also expounded on important sections of the Data Privacy Act and willingly answered questions from the audience, along with other lawyers from the firm. The questions mostly consisted of the importance of consent and how to properly source, recruit and interview potential employees of the company and our clients.

In my opinion, this is essential training for the employees of John Clements since we are in the recruitment field, and processing data is part of the company’s daily activities. We should know how to properly seek and delete data of our applicants whether in the form of writing or interviewing. We also need to consider having standard consent forms that will be signed by our applicants before we process their personal information. Lastly, it is highly recommended by Atty. Vina and Atty. Neo to have our own personal information controller to ensure that our company abides by the Data Privacy Act.

You may read the full Data Privacy Act of 2012 here: https://privacy.gov.ph/republic-act-no-10173-data-privacy-act-of-2012/

Please visit and join the John Clements Talent Community.

___________________________________________________________________

About the author:

Rudee Mae Carnaje is a Learning and Development Associate of John Clements Consultants, Inc.
