Fajutag, Ardy

Data Privacy Act of 2012: Privacy in the Internet Era Is Still Possible

With the rapid development of information and communication technology over the past several years, almost all transactions and services offered by private and public entities are now done with the help of computers, some of which are connected to the internet, and an individual's personal information is not guaranteed to be safe in the hands of these institutions. Government agencies, banking institutions, schools and universities, telecommunication companies, electric companies, cable companies, insurance companies, hospitals and clinics, and other private entities all require us to fill out their information sheets in order to avail of their services.

On August 15, 2012, Philippine President Benigno “Noynoy” Aquino III signed Republic Act No. 10173, otherwise known as the “Data Privacy Act of 2012”. This law aims to protect the fundamental human right of privacy, of communication while ensuring free flow of information to promote innovation and growth, and to ensure that personal information in information and communications systems in the government and in the private sector is secured and protected. It will also create an independent commission to be known as the National Privacy Commission, which is under the umbrella of the Office of the President.

Being safe most of the time is the best feeling that everyone wants. Protecting any of my personal information, whether sensitive or not, is very important to me nowadays, because who knows, what if someone stole my identity and used it in illegal or unlawful acts, and then I would be the one who becomes liable even though someone else committed that crime. I am happy that the Data Privacy Act has been signed into law; at least some of those persons using unauthorized personal information will think twice before committing that illegal act. It is not a guarantee that the passing of RA 10173 will absolutely secure and protect an individual's personal information from improper processing, because of dishonest and corrupt employees or officials who are willing to dispose of personal information for the right price and those who use their connection or position in public office.

Data subject refers to an individual whose personal information is processed.

Personal information refers to any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.

Personal information controller refers to a person or organization who controls the collection, holding, processing or use of personal information, including a person or organization who instructs another person or organization to collect, hold, process, use, transfer or disclose personal information on his or her behalf.

The term excludes:

1. A person or organization who performs such functions as instructed by another person or organization; and

2. An individual who collects, holds, processes or uses personal information in connection with the individual’s personal, family or household affairs.

Personal information processor refers to any natural or juridical person qualified to act as such under this Act to whom a personal information controller may outsource the processing of personal data pertaining to a data subject.

Processing refers to any operation or any set of operations performed upon personal information including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data.

Sensitive personal information refers to personal information about an individual’s race, ethnic origin, marital status, age, color, religious, philosophical or political affiliations, health, education, genetic or sexual life of a person, any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, the sentence of any court in such proceedings, issued by government agencies peculiar to an individual which includes, but not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns; and specifically established by an executive order or an act of Congress to be kept classified.

I believe that these things should not be made known to the public because they can be a cause of discrimination or harm to a person, for example if in the history of a person he has been confined to a mental health hospital, or if you have Chinese blood, when nowadays China is bullying the Philippines regarding the boundary disputes. All of this information should be kept confidential and should be used only for legitimate purposes.

Scope of the law

This Act applies to the processing of all types of personal information and to any natural and juridical person involved in personal information processing including those personal information controllers and processors who although not found or established in the Philippines, use equipment that are located in the Philippines, and to those who maintain an office, branch or agency in the Philippines.

Excluded are the following:

a. Information about any individual who is or was an officer or employee of a government institution that relates to the position or functions of the individual, including:

b. Information about an individual who is or was performing service under contract for a government institution that relates to the services performed, including the terms of the contract, and the name of the individual given in the course of the performance of those services;

c. Information relating to any discretionary benefit of a financial nature such as the granting of a license or permit given by the government to an individual, including the name of the individual and the exact nature of the benefit;

d. Personal information processed for journalistic, artistic, literary or research purposes;

e. Information necessary in order to carry out the functions of public authority which includes the processing of personal data for the performance by the independent, central monetary authority and law enforcement and regulatory agencies of their constitutionally and statutorily mandated functions. Nothing in this Act shall be construed as to have amended or repealed Republic Act No. 1405, otherwise known as the Secrecy of Bank Deposits Act; Republic Act No. 6426, otherwise known as the Foreign Currency Deposit Act; and Republic Act No. 9510, otherwise known as the Credit Information System Act (CISA);

f. Information necessary for banks and other financial institutions under the jurisdiction of the independent, central monetary authority or Bangko Sentral ng Pilipinas to comply with Republic Act No. 9510, and Republic Act No. 9160, as amended, otherwise known as the Anti-Money Laundering Act and other applicable laws; and

g. Personal information originally collected from residents of foreign jurisdictions in accordance with the laws of those foreign jurisdictions, including any applicable data privacy laws, which is being processed in the Philippines.

SEC. 5. Protection Afforded to Journalists and Their Sources. – Nothing in this Act shall be construed as to have amended or repealed the provisions of Republic Act No. 53, which affords the publishers, editors or duly accredited reporters of any newspaper, magazine or periodical of general circulation protection from being compelled to reveal the source of any news report or information appearing in said publication which was related in any confidence to such publisher, editor, or reporter.

In connection with the 1987 Philippine Constitution, which provides in Section 3 that “The privacy of communication and correspondence shall be inviolable except upon lawful order of the court, or when public safety or order requires otherwise, as prescribed by law. Any evidence obtained in violation of this or the preceding section shall be inadmissible for any purpose in any proceeding”, and in Section 4 that “No law shall be passed abridging the freedom of speech, of expression, or of the press, or the right of the people peaceably to assemble and petition the government for redress of grievances”, I think Section 5 of RA 10173 does not violate these two constitutional provisions in our Constitution, but still I am worried that these journalists will be vulnerable to abusing such right granted to them. I want this law to have clear guidelines for journalists as to the limitations of this protection.


This independent body is created to administer and implement the provisions of this Act and to monitor and ensure compliance of the country with international standards set for data protection. The Commission shall ensure at all times the confidentiality of any personal information that comes to its knowledge and possession. The Commission shall be attached to the Department of Information and Communications Technology (DICT) and shall be headed by a Privacy Commissioner, who shall also act as Chairman of the Commission. The Privacy Commissioner shall be assisted by two (2) Deputy Privacy Commissioners, one to be responsible for Data Processing Systems and one to be responsible for Policies and Planning. The Privacy Commissioner and the two (2) Deputy Privacy Commissioners shall be appointed by the President of the Philippines for a term of three (3) years, and may be reappointed for another term of three (3) years. The Commission is hereby authorized to establish a Secretariat. Majority of the members of the Secretariat must have served for at least five (5) years in any agency of the government that is involved in the processing of personal information including, but not limited to, the following offices: Social Security System (SSS), Government Service Insurance System (GSIS), Land Transportation Office (LTO), Bureau of Internal Revenue (BIR), Philippine Health Insurance Corporation (PhilHealth), Commission on Elections (COMELEC), Department of Foreign Affairs (DFA), Department of Justice (DOJ), and Philippine Postal Corporation (Philpost).


a. Ensure compliance of personal information controllers with the provisions of this Act;

b. Receive complaints, institute investigations, facilitate or enable settlement of complaints through the use of alternative dispute resolution processes, adjudicate, award indemnity on matters affecting any personal information, prepare reports on disposition of complaints and resolution of any investigation it initiates, and, in cases it deems appropriate, publicize any such report: Provided, That in resolving any complaint or investigation (except where amicable settlement is reached by the parties), the Commission shall act as a collegial body. For this purpose, the Commission may be given access to personal information that is subject of any complaint and to collect the information necessary to perform its functions under this Act;

c. Issue cease and desist orders, impose a temporary or permanent ban on the processing of personal information, upon finding that the processing will be detrimental to national security and public interest;

d. Compel or petition any entity, government agency or instrumentality to abide by its orders or take action on a matter affecting data privacy;

e. Monitor the compliance of other government agencies or instrumentalities on their security and technical measures and recommend the necessary action in order to meet minimum standards for protection of personal information pursuant to this Act;

f. Coordinate with other government agencies and the private sector on efforts to formulate and implement plans and policies to strengthen the protection of personal information in the country;

g. Publish on a regular basis a guide to all laws relating to data protection;

h. Publish a compilation of agency system of records and notices, including index and other finding aids;

i. Recommend to the Department of Justice (DOJ) the prosecution and imposition of penalties specified in Sections 25 to 29 of this Act;

j. Review, approve, reject or require modification of privacy codes voluntarily adhered to by personal information controllers: Provided, That the privacy codes shall adhere to the underlying data privacy principles embodied in this Act: Provided, further, That such privacy codes may include private dispute resolution mechanisms for complaints against any participating personal information controller. For this purpose, the Commission shall consult with relevant regulatory agencies in the formulation and administration of privacy codes applying the standards set out in this Act, with respect to the persons, entities, business activities and business sectors that said regulatory bodies are authorized to principally regulate pursuant to the law: Provided, finally. That the Commission may review such privacy codes and require changes thereto for purposes of complying with this Act;

k. Provide assistance on matters relating to privacy or data protection at the request of a national or local agency, a private entity or any person;

l. Comment on the implication on data privacy of proposed national or local statutes, regulations or procedures, issue advisory opinions and interpret the provisions of this Act and other data privacy laws;

m. Propose legislation, amendments or modifications to Philippine laws on privacy or data protection as may be necessary;

n. Ensure proper and effective coordination with data privacy regulators in other countries and private accountability agents, participate in international and regional initiatives for data privacy protection;

o. Negotiate and contract with other data privacy authorities of other countries for cross-border application and implementation of respective privacy laws;

p. Assist Philippine companies doing business abroad to respond to foreign privacy or data protection laws and regulations; and

q. Generally perform such acts as may be necessary to facilitate cross-border enforcement of data privacy protection.


The processing of personal information shall be allowed, subject to compliance with the requirements of this Act and other laws allowing disclosure of information to the public and adherence to the principles of transparency, legitimate purpose and proportionality.

Personal information must be:

a. Collected for specified and legitimate purposes determined and declared before, or as soon as reasonably practicable after collection, and later processed in a way compatible with such declared, specified and legitimate purposes only;

b. Processed fairly and lawfully;

c. Accurate, relevant and, where necessary for purposes for which it is to be used the processing of personal information, kept up to date; inaccurate or incomplete data must be rectified, supplemented, destroyed or their further processing restricted;

d. Adequate and not excessive in relation to the purposes for which they are collected and processed;

e. Retained only for as long as necessary for the fulfillment of the purposes for which the data was obtained or for the establishment, exercise or defense of legal claims, or for legitimate business purposes, or as provided by law; and

f. Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected and processed: Provided, That personal information collected for other purposes may be processed for historical, statistical or scientific purposes, and in cases laid down in law may be stored for longer periods: Provided, further, That adequate safeguards are guaranteed by said laws authorizing their processing.

The personal information controller must ensure implementation of personal information processing principles set out herein.

Some of the offenses that violate this law are:

1. Unauthorized Processing of Personal Information and Sensitive Personal Information

2. Accessing Personal Information and Sensitive Personal Information Due to Negligence

3. Improper Disposal of Personal Information and Sensitive Personal Information

4. Processing of Personal Information and Sensitive Personal Information for Unauthorized Purposes

5. Unauthorized Access or Intentional Breach

6. Concealment of Security Breaches Involving Sensitive Personal Information

7. Malicious Disclosure

8. Unauthorized Disclosure

9. Combination or Series of Acts

Penalties imposed for violation of this code range from one (1) year to six (6) years of imprisonment and a fine of not less than Five hundred thousand pesos (P500,000) but not more than Five million pesos (P5,000,000). If the offender is a corporation, partnership or any juridical person, the penalty shall be imposed upon the responsible officers, as the case may be, who participated in, or by their gross negligence, allowed the commission of the crime. If the offender is a juridical person, the court may suspend or revoke any of its rights under this Act. If the offender is an alien, he or she shall, in addition to the penalties herein prescribed, be deported without further proceedings after serving the penalties prescribed. If the offender is a public official or employee and he or she is found guilty of acts penalized under Sections 27 and 28 of this Act, he or she shall, in addition to the penalties prescribed herein, suffer perpetual or temporary absolute disqualification from office, as the case may be. When the offender or the person responsible for the offense is a public officer as defined in the Administrative Code of the Philippines in the exercise of his or her duties, an accessory penalty consisting in the disqualification to occupy public office for a term double the term of criminal penalty imposed shall be applied.

Repealing Clause

The provision of Section 7 of Republic Act No. 9372, otherwise known as the “Human Security Act of 2007”, is hereby amended. Except as otherwise expressly provided in this Act, all other laws, decrees, executive orders, proclamations and administrative regulations or parts thereof inconsistent herewith are hereby repealed or modified accordingly.


I think passing RA 10173 or The Privacy Act of 2012 is a good move on the part of our government in trying to protect against and minimize crimes which involve using, stealing and unauthorized access of personal information of any natural or juridical person, but I doubt its effective implementation because at the moment our government has no capability to impose its good intention, for lack of financial resources to buy modern equipment and also for lack of skills.



