Orientation on RA 10173
Data Privacy Act (DPA) of 2012

November 29, 2018
Speaker: Reynaldo U. Agranzamedez, AB, LIB, LLM
Agranzamendez, Liceralde, Gallardo & Associates


Around 2.5 quintillion bytes of data are created daily. We now live in an age where digital data is part of our daily lives — part of our personalities and identities. Given this fact, there is a real need to change the way organizations handle data and workflows to ensure the protection of private information.

All companies handle some form of personal information — from employee to client to end-user data — so all companies are now responsible for protecting the confidentiality, preserving the integrity, and promoting the availability of data for authorized use.

The law aspires to protect the fundamental human right of privacy while ensuring the free flow of information. The declaration raises the bar on what the Filipino’s concept of data privacy should be. It does not end with the protection of information, but balances the right to free flow of information by integrating its responsible use.

How is it implemented?
RA 10173 protects and maintains the right of customers to confidentiality by setting a legal list of rules for companies to regulate the collection, handling, and disposal of all personal information.

Companies are legally responsible for keeping their customers’ data protected from third parties or any form of misuse, internally or externally.

What does that mean for data collectors/companies?
The Act applies to any processing of personal data by anyone in the government or private sectors.

All personal data must have legitimate reasons for collection, and those reasons should be clear to both the party giving and the party receiving the information. Accordingly, all collection must be done with the customers’ proper consent.

All personal information used must also be relevant and used solely for its intended and stated purposes. Companies must protect customer information from collection to proper disposal, avoiding access by unauthorized parties.

What is “personal information?”
“‘Personal information’ refers to any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual” (Republic Act. No. 10173, Ch. 1, Sec. 3).

What is “sensitive personal information?”
“(1) About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;

(2) About an individual’s health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings;

(3) Issued by government agencies peculiar to an individual which includes, but not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns; and

(4) Specifically established by an executive order or an act of Congress to be kept classified.”

(Republic Act. No. 10173, Ch. 1, Sec. ).

What is “consent?”
Consent of the data subject refers to any freely given, specific, informed indication of will, whereby the data subject agrees to the collection and processing of personal information about and/or relating to him or her. Consent shall be evidenced by written, electronic or recorded means. It may also be given on behalf of the data subject by an agent specifically authorized by the data subject to do so (Republic Act. No. 10173, Ch. 1, Sec. 1).

What are the rights of the data subject?
The data subject or the individual sharing his/her personal information has to be fully informed of several factors of the data collecting process. This list includes, but isn’t limited to:

(1) the reason for use

(2) methods for access

(3) the identity and contact details of the personal information controller

(4) how long the information will be stored for

(5) access to their rights.

What steps do I need to take in compliance with the Act?
Companies essentially have to ensure that their data collection methods are flawless and that they consistently share the entire process with data subjects, including a breach of security, should there be any.

To do this, companies should appoint a Data Protection Officer and create privacy knowledge programs and privacy and data policies to regulate the handling of information, as well as routine assessments to ensure quality data protection.

In addition, companies must also have a proper procedure for notifying their customers of a breach.

What happens if I do not comply?
Improper/unauthorized processing, handling or disposal of personal information can be penalized by imprisonment up to six years and a fine of not less than Five hundred thousand pesos (PHP 500,000).


Speaker: Mr. Krisante B. Hipol

The continuous, self-growing nature of social networks makes it hard to define a line of safety around them. Users of social networks interact not only with the web but also with trusted groups that may contain enemies. There are different kinds of attacks on these networks, including causing damage to computer systems and stealing information about users. These attacks affect not only individuals but also the organizations they belong to. Protection from these attacks should be carried out by both the users and the security experts of the network. Advice should be provided to the users of these social networks. Security experts should also make sure that the content transmitted through the network does not contain malicious or harmful data. This chapter shows the security risks and the tasks applied to minimize those risks. It explains the most famous methods that attackers and malicious users employ, then shows the security measures for each. It also presents a security guide and a social network security and privacy made in 2011, and finally a case study about the list of Foreign Terrorist Network dataset.

