Fortuno, Marienell

SY 2012-2013, Second Semester


Republic Act 10173: “Data Privacy Act of 2012”

Republic Act 10173 also known as ‘Data Privacy Act of 2012” was signed into law by President Benigno S. Aquino last August 15, 2012, an act protecting personal information in information and communications systems in the Government and the private sector, creating for this purpose a National Privacy Commission. The said law shall be effective fifteen (15) days after publication in at least two (2) national newspaper of general circulation. Republic Act 10173 is a consolidation of Senate Bill No. 2965 and House Bill No. 4115 which was passed by both houses on June 6, 2012. [1]

The enactment makes the Philippines compliant with international data security standards putting in place measures to protect and preserve the integrity, security, and confidentiality of personal data collected by government and private entities in their operations. The Act is based on Standards set by the European Parliament and is aligned with the Asia Pacific Economic Cooperation (APEC) Information Privacy Framework. [2]

Section two (2) of the act provides that, “(I)t is the policy of the State to protect the fundamental human right of privacy, of communication while ensuring free flow of information to promote innovation and growth. The State recognizes the vital role of information and communications technology in nation-building and its inherent obligation to ensure that personal information in information and communications systems in the government and in the private sector are secured and protected. The said declaration of policy is anchored on the constitutional right of each individual to his right of privacy.

As enunciated by RA 10173, it has advantages and disadvantages for ordinary individuals and netizens. The said enactment will largely promote the Information Technology – Business Process Outsourcing (IT-BPO) Industry in our country as it makes our country a compliant with the International Standards. The said law protects the integrity and confidentiality of individual personal information in information and communication systems in the government and the private sector that will encourage more investors to establish their IT-BPO business in our country. With that, it will surely boost the IT-BPO industry and will make more employment for the Filipinos. Economically, it can be beneficial for our country.

Any individual whether he committed any act purposely or negligently may be considered as a violator of RA 10173, except for those expressly excluded by the law itself, as stated in Section 4;

SEC. 4. Scope. – This Act applies to the processing of all types of personal information and to any natural and juridical person involved in personal information processing including those personal information controllers and processors who, although not found or established in the Philippines, use equipment that are located in the Philippines, or those who maintain an office, branch or agency in the Philippines subject to the immediately succeeding paragraph: Provided, That the requirements of Section 5 are complied with.

This Act does not apply to the following:

(a) Information about any individual who is or was an officer or employee of a government institution that relates to the position or functions of the individual, including:

(1) The fact that the individual is or was an officer or employee of the government institution;

(2) The title, business address and office telephone number of the individual;

(3) The classification, salary range and responsibilities of the position held by the individual; and

(4) The name of the individual on a document prepared by the individual in the course of employment with the government;

(b) Information about an individual who is or was performing service under contract for a government institution that relates to the services performed, including the terms of the contract, and the name of the individual given in the course of the performance of those services;

(c) Information relating to any discretionary benefit of a financial nature such as the granting of a license or permit given by the government to an individual, including the name of the individual and the exact nature of the benefit;

(d) Personal information processed for journalistic, artistic, literary or research purposes;

(e) Information necessary in order to carry out the functions of public authority which includes the processing of personal data for the performance by the independent, central monetary authority and law enforcement and regulatory agencies of their constitutionally and statutorily mandated functions. Nothing in this Act shall be construed as to have amended or repealed Republic Act No. 1405, otherwise known as the Secrecy of Bank Deposits Act; Republic Act No. 6426, otherwise known as the Foreign Currency Deposit Act; and Republic Act No. 9510, otherwise known as the Credit Information System Act (CISA);

(f) Information necessary for banks and other financial institutions under the jurisdiction of the independent, central monetary authority or Bangko Sentral ng Pilipinas to comply with Republic Act No. 9510, and Republic Act No. 9160, as amended, otherwise known as the Anti-Money Laundering Act and other applicable laws; and

(g) Personal information originally collected from residents of foreign jurisdictions in accordance with the laws of those foreign jurisdictions, including any applicable data privacy laws, which is being processed in the Philippines.

SEC. 5. Protection Afforded to Journalists and Their Sources. – Nothing in this Act shall be construed as to have amended or repealed the provisions of Republic Act No. 53, which affords the publishers, editors or duly accredited reporters of any newspaper, magazine or periodical of general circulation protection from being compelled to reveal the source of any news report or information appearing in said publication which was related in any confidence to such publisher, editor, or reporter.

It is good to know that the State is providing means to protect and secure the personal information of an individual to uphold the person’s fundamental human right alongside with the development of technology nowadays. It can be perceived that privacy of personal information is now to be regarded with suspicion because of the new developments in technology and computers. We always have this fear that any information that you have disclosed to any government or private sector can be easily hacked or used abusively. With the enactment of RA 10173, we can be at peace that our personal information are secured and protected and there is the National Privacy Commission who will investigate any complaints regarding the same.

However, what is quite alarming with this new law is the fact that in CHAPTER VIII wherein it provided for the specific penalties for any violation thereto. It penalizes the unauthorized processing or disclosure of personal information of an individual whether purposely or negligently.

PENALTIES

SEC. 25. Unauthorized Processing of Personal Information and Sensitive Personal Information. – (a) The unauthorized processing of personal information shall be penalized by imprisonment ranging from one (1) year to three (3) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than Two million pesos (Php2,000,000.00) shall be imposed on persons who process personal information without the consent of the data subject, or without being authorized under this Act or any existing law.

(b) The unauthorized processing of personal sensitive information shall be penalized by imprisonment ranging from three (3) years to six (6) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than Four million pesos (Php4,000,000.00) shall be imposed on persons who process personal information without the consent of the data subject, or without being authorized under this Act or any existing law.

SEC. 26. Accessing Personal Information and Sensitive Personal Information Due to Negligence. – (a) Accessing personal information due to negligence shall be penalized by imprisonment ranging from one (1) year to three (3) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than Two million pesos (Php2,000,000.00) shall be imposed on persons who, due to negligence, provided access to personal information without being authorized under this Act or any existing law.

(b) Accessing sensitive personal information due to negligence shall be penalized by imprisonment ranging from three (3) years to six (6) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than Four million pesos (Php4,000,000.00) shall be imposed on persons who, due to negligence, provided access to personal information without being authorized under this Act or any existing law.

SEC. 27. Improper Disposal of Personal Information and Sensitive Personal Information. – (a) The improper disposal of personal information shall be penalized by imprisonment ranging from six (6) months to two (2) years and a fine of not less than One hundred thousand pesos (Php100,000.00) but not more than Five hundred thousand pesos (Php500,000.00) shall be imposed on persons who knowingly or negligently dispose, discard or abandon the personal information of an individual in an area accessible to the public or has otherwise placed the personal information of an individual in its container for trash collection.

b) The improper disposal of sensitive personal information shall be penalized by imprisonment ranging from one (1) year to three (3) years and a fine of not less than One hundred thousand pesos (Php100,000.00) but not more than One million pesos (Php1,000,000.00) shall be imposed on persons who knowingly or negligently dispose, discard or abandon the personal information of an individual in an area accessible to the public or has otherwise placed the personal information of an individual in its container for trash collection.

SEC. 28. Processing of Personal Information and Sensitive Personal Information for Unauthorized Purposes. – The processing of personal information for unauthorized purposes shall be penalized by imprisonment ranging from one (1) year and six (6) months to five (5) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than One million pesos (Php1,000,000.00) shall be imposed on persons processing personal information for purposes not authorized by the data subject, or otherwise authorized under this Act or under existing laws.

The processing of sensitive personal information for unauthorized purposes shall be penalized by imprisonment ranging from two (2) years to seven (7) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than Two million pesos (Php2,000,000.00) shall be imposed on persons processing sensitive personal information for purposes not authorized by the data subject, or otherwise authorized under this Act or under existing laws.

SEC. 29. Unauthorized Access or Intentional Breach. – The penalty of imprisonment ranging from one (1) year to three (3) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than Two million pesos (Php2,000,000.00) shall be imposed on persons who knowingly and unlawfully, or violating data confidentiality and security data systems, breaks in any way into any system where personal and sensitive personal information is stored.

SEC. 30. Concealment of Security Breaches Involving Sensitive Personal Information. – The penalty of imprisonment of one (1) year and six (6) months to five (5) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than One million pesos (Php1,000,000.00) shall be imposed on persons who, after having knowledge of a security breach and of the obligation to notify the Commission pursuant to Section 20(f), intentionally or by omission conceals the fact of such security breach.

SEC. 31. Malicious Disclosure. – Any personal information controller or personal information processor or any of its officials, employees or agents, who, with malice or in bad faith, discloses unwarranted or false information relative to any personal information or personal sensitive information obtained by him or her, shall be subject to imprisonment ranging from one (1) year and six (6) months to five (5) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than One million pesos (Php1,000,000.00).

SEC. 32. Unauthorized Disclosure. – (a) Any personal information controller or personal information processor or any of its officials, employees or agents, who discloses to a third party personal information not covered by the immediately preceding section without the consent of the data subject, shall he subject to imprisonment ranging from one (1) year to three (3) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than One million pesos (Php1,000,000.00).

(b) Any personal information controller or personal information processor or any of its officials, employees or agents, who discloses to a third party sensitive personal information not covered by the immediately preceding section without the consent of the data subject, shall be subject to imprisonment ranging from three (3) years to five (5) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than Two million pesos (Php2,000,000.00).

SEC. 33. Combination or Series of Acts. – Any combination or series of acts as defined in Sections 25 to 32 shall make the person subject to imprisonment ranging from three (3) years to six (6) years and a fine of not less than One million pesos (Php1,000,000.00) but not more than Five million pesos (Php5,000,000.00).

SEC. 34. Extent of Liability. – If the offender is a corporation, partnership or any juridical person, the penalty shall be imposed upon the responsible officers, as the case may be, who participated in, or by their gross negligence, allowed the commission of the crime. If the offender is a juridical person, the court may suspend or revoke any of its rights under this Act. If the offender is an alien, he or she shall, in addition to the penalties herein prescribed, be deported without further proceedings after serving the penalties prescribed. If the offender is a public official or employee and lie or she is found guilty of acts penalized under Sections 27 and 28 of this Act, he or she shall, in addition to the penalties prescribed herein, suffer perpetual or temporary absolute disqualification from office, as the case may be.

SEC. 35. Large-Scale. – The maximum penalty in the scale of penalties respectively provided for the preceding offenses shall be imposed when the personal information of at least one hundred (100) persons is harmed, affected or involved as the result of the above mentioned actions.

SEC. 36. Offense Committed by Public Officer. – When the offender or the person responsible for the offense is a public officer as defined in the Administrative Code of the Philippines in the exercise of his or her duties, an accessory penalty consisting in the disqualification to occupy public office for a term double the term of criminal penalty imposed shall he applied.

The act provided for severe or harsh penalty for any individual who are not excluded by law for any violation thereof whether the commission or omission of an act is intentionally or negligently.

Finally, the evil sought to be avoided by our legislators with the enactment of RA 10173 is worth considering. This would make each and every person be cautious in using information especially personal information gathered or obtained for any legitimate purpose. The person in charge of protecting or securing the personal information of any individual shall zealously protect and secure the information at hand. We must always bear in mind what Article 19 of the New Civil Code provides, “(E)very person must, in the exercise of his rights and in the performance of his duties ,act with justice, give everyone his due, and observe honesty and good faith.” In legal sense, it’s a catch-all provision that encourages us to respect a person’s fundamental right. The enactment of RA 10173 or Data Privacy Act of 2012 is the way of the State to protect further the rights of each citizen.

With the number of Filipinos who are potential victims of this law who does not belong to the exclusions and are exposed to civil and criminal liabilities, the government and/ or other non-government institutions must exert more effort in disseminating the information regarding the said law due to the harsh penalty as imposed by RA 10173.

Personally, I have nothing against the said law. Though it restricts some of our rights but I have considered as more of protecting the innocent individuals who merely provided personal information to government or private entities because of necessity or as required by their transaction with such offices.
Data Privacy Act promotes a growing industry in our country, will provide more jobs to Filipinos, and most importantly protecting the integrity and confidentiality of individual personal information. I don’t see any reason for us to be alarmed and cast doubt into its enactment even if it was not covered by any temporary restraining order (TRO) like RA 10175 or the Cyber crime law.

Endnotes

[1] http://www.gov.ph/2012/08/15/republic-act-no-10173/

[2] http://www.pia.gov.ph/news/;index.php.article=1781346143986

Advertisements
1 comment

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: