Since 2012, the Philippines has had a comprehensive law governing personal data privacy – Republic Act No. 10173, or the Philippine Data Privacy Act of 2012. However, its full implementation was not realized until the National Privacy Commission (NPC) was officially constituted in the early part of this year. The Implementing Rules & Regulations (IRR) of the act were promulgated on 24 August, 2016.
This is the comprehensive law that governs data privacy protection in the Philippines. With the release of the IRR and the creation of the NPC – the primary agency tasked to oversee the administration of the act – implementation of personal data privacy protection in the Philippines is coming into full swing.
Under the IRR, compliance with the following registration requirements must be completed within a period of one year from the date of effectivity of the IRR (9 September, 2016):
1. Registration of personal data processing systems (whether automated or non-automated) that involve accessing or requiring sensitive personal information of at least 1,000 individuals; and
2. Registration of automated processing operations subject to notification, where the automated processing becomes the sole basis of making decisions that would significantly affect the data subject.
The Data Privacy Act and the IRR define “sensitive personal information” as personal information about: one’s race; marital status; age; colour; religious, philosophical or political affiliations; health and education; any court proceedings; information issued by government agencies peculiar to an individual (e.g., social security numbers, health records, licences and tax returns); and those specifically declared as classified, by law or regulation.
The period to comply with the above-mentioned requirements may be extended by the NPC upon request, and with good cause shown. Additional registration requirements may be imposed by the NPC through issuances and circulars, including guidelines that will set out procedures for complying with the current registration requirements mentioned above.
The IRR also fleshes out the act’s provisions on data breach. Notification must be given by the personal information controller to the NPC and the affected data subjects within 72 hours of knowledge of, or reasonable belief that, the following have been acquired by an unauthorized person, where such unauthorized acquisition is likely to give rise to a real risk of serious harm to any affected data subject:
1. Sensitive personal information; or
2. Any other information that may, under the circumstances, be used to enable identity fraud.
Notification can be delayed only to the extent necessary to determine the scope of the breach, to prevent further disclosures, or to restore reasonable integrity to the information and communications system. Failure to comply with this duty of providing data breach notification, if determined to be unjustified, may constitute concealment of a security incident or data breach, which is sanctioned under the act (subject to mandatory fine and imprisonment).
The IRR also regulates outsourcing and subcontracting agreements between personal information controllers and personal information processors. It prescribes stipulations that must appear in any outsourcing or subcontracting agreement that involves processing of personal data. The IRR also defines the term “data sharing” to mean any disclosure or transfer to a third party of personal data under the custody of a personal information controller or processor.
Generally, data sharing must require the consent of the data subject, even if the data is to be shared between related companies, affiliates, and other similar relationships. If data sharing will be for commercial purposes (e.g., direct marketing), it must be covered by a data sharing agreement.
The NPC promises to be open to comments/suggestions from industry stakeholders, and responsive to their needs and concerns. Although the NPC will be releasing several official circulars, rules and issuances that will serve as guidelines for proper compliance, it is hoped that the initial stages of implementing the act will be a learning experience, as well as an adjustment stage among the relevant sectors in the Philippines.
JOHN PAUL GABA is a partner at ACCRA Law Offices in Manila.
Manila office: ACCRALAW Tower, 2nd Avenue corner
30th Street, Crescent Park West, Bonifacio Global City
0399, Taguig City, Metro Manila, Philippines
Tel: +632 830 8000; local 8036
Fax: +632 403 7007; +632 403 7009