Philippine Data Privacy Act: A Beginner’s Guide

2022-05-25

In the Philippines, privacy is a fundamental human right.

The Philippine Data Privacy Act (DPA) of 2012, also known as Republic Act 10173, was created to protect this fundamental human right and make organisations accountable for the personal data individuals have entrusted to them. This Act applies to the processing of all types of personal information, and covers individuals and organisations, including any public authority, involved in the processing of personal information in the Philippines.  

The DPA also created the National Privacy Commission (NPC), an independent body that implements the DPA to ensure compliance of both the public and private sector. The NPC published the Implementing Rules and Regulations (IRR) for the Philippine DPA in 2016, as well as several Circulars, which support the DPA and adopt international standards and practices in data protection.

The Philippine Data Privacy Act at a Glance

The Philippine Data Privacy Act (DPA) is based on four General Data Privacy Principles – Transparency, Legitimate Purpose, Proportionality, and Accountability. These principles should govern the way organisations collect, use, and store personal data.

Transparency

Transparency requires organisations to be clear with data subjects (the individuals whose personal information is being processed) about the purpose for which their personal data is collected and processed.

Example: Organisations should have a privacy notice that details the purpose of collecting and processing the data subject's personal data.

Legitimate purpose

Personal information controllers should also have a legitimate purpose for processing. This means that data should be processed fairly and lawfully. The purpose of data processing should fall under one of these criteria to be legitimate – to comply with a legal obligation, to perform a contract obligation, to protect the vital interest of the data subject, to protect public interest, to fulfil a legitimate business interest, or if the data subject has given his consent.

Example: An e-commerce site collects emails, credit card details and addresses to process orders and deliver products to customers.


Proportionality

Proportionality, on the other hand, prohibits Personal Information Controllers and Personal Information Processors (PICs and PIPs) from excessive collection, processing, and storage of data. Personal data must be used only according to the declared purpose.

Example: A hospital should collect only the personal data necessary for medical treatment, and nothing beyond that.


Accountability

PICs and PIPs should demonstrate accountability for the data entrusted to them by implementing measures to secure the data, retaining data only for as long as is necessary, and by governing data sharing with third parties and data transfer arrangements.

Example: An online payment platform encrypts payment information to protect user data from unauthorised access.


The Eight Rights Under the Data Privacy Act (DPA) of the Philippines

Aside from these four general principles, the Data Privacy Act (DPA) also specifies eight rights of data subjects. Organisations should ensure that these rights are upheld as they collect, use, and store the personal data of their customers or employees. The law ensures that individuals have control over their personal information and provides them with specific rights to safeguard their privacy. These rights include:

1.  The right to be informed

Data subjects should be informed that their personal data will be collected, processed, and stored. This includes information about the purpose of data collection, the categories of personal data being collected, the recipients or categories of recipients who may have access to the data, and the period for which the data will be stored. Consent should be obtained when necessary. 

2.  The right to access

Data subjects have the right to obtain a copy of the personal information that an organisation holds about them, along with details of how that data is being used or processed, and may request both from the organisation. Organisations must respond to these requests within a reasonable timeframe, usually within 30 days, and ensure that the information is provided in a clear and understandable format.

3.  The right to object

Data subjects can object to processing if it is based on consent or legitimate business interest.

4.  The right to erasure or blocking

Data subjects have the right to withdraw or order the removal of their personal data when their rights are violated.

5.  The right to damages

Data subjects can claim compensation for damages due to unlawfully obtained or unauthorised use of personal data.

6.  The right to file a complaint

Data subjects can file a complaint with the National Privacy Commission if their personal data was misused.

7.  The right to rectify

Data subjects have the right to correct any inaccuracy or incompleteness in the personal data an organisation possesses about them. Upon request, organisations must take prompt action to rectify any inaccuracies and ensure the accuracy of the personal data.

8.  The right to data portability

Data subjects should be able to electronically move, copy or transfer the data an organisation holds about them, facilitating free flow of information according to the data subject’s preferences.


Five Pillars of Implementing the Philippines' Data Privacy Act

Generally speaking, organisations or data controllers and processors are required to implement appropriate measures to ensure the security and confidentiality of personal data. This includes adopting organisational, physical, and technical security measures to prevent unauthorised access, disclosure, alteration, or destruction of personal data. Furthermore, they are prohibited from using personal data for purposes that are incompatible with the purpose for which it was collected. As mentioned in the previous section, they must obtain the consent of the data subject before using their personal data for any other purpose, unless such use is authorised by law.

The NPC adopts the “Five Pillars of Data Privacy Accountability & Compliance” framework to guide data controllers and processors in implementing the Data Privacy Act (DPA). The Five Pillars include:


1. Appoint a Data Protection Officer

Appointing a Data Protection Officer (DPO) is a crucial step for organisations in operationalising the DPA in the Philippines. The DPO serves as the main point of contact for data subjects and the National Privacy Commission (NPC) regarding data privacy matters.

The DPO is responsible for ensuring that the organisation complies with the provisions of the DPA. They are tasked with implementing policies and procedures to protect personal data, conducting privacy impact assessments, and coordinating with relevant departments to address data privacy concerns.

Apart from appointing a DPO, organisations must also provide the necessary support and resources to enable the DPO to carry out their duties effectively. The DPO should have access to relevant information and receive appropriate training to stay up to date with the latest developments in data privacy.

2. Conduct a Privacy Impact Assessment

A Privacy Impact Assessment (PIA) is an essential tool in ensuring compliance with the Data Privacy Act (DPA) in the Philippines. It involves assessing the risks associated with the processing of personal data and identifying measures to mitigate those risks.

The PIA helps organisations understand the impact of their data processing activities on individuals' privacy rights. It enables them to identify and address any potential privacy risks, ensuring that appropriate safeguards are in place to protect personal data.

During the PIA, organisations should consider various factors, including the nature of the data being processed, the purpose of the processing, the potential harm to data subjects, and any legal obligations that need to be fulfilled. The assessment should also include the evaluation of security measures in place to protect personal data from unauthorised access, loss, or disclosure.

3. Create a Privacy Management Program

Creating a Privacy Management Program is crucial for organisations to ensure compliance with the Data Privacy Act (DPA) in the Philippines. This program outlines the policies, procedures, and guidelines that organisations should follow to protect personal data.

A Privacy Management Program encompasses several key elements:

a) Privacy Policy: Organisations should develop and implement a comprehensive privacy policy that clearly states their commitment to protecting personal data. This policy should outline how personal data is collected, used, stored, and shared, as well as the rights of data subjects.

b) Data Mapping: It is important for organisations to conduct a thorough data mapping exercise to identify all personal data collected, processed, and stored. This exercise helps organisations understand the flow of personal data within their systems, identify potential vulnerabilities, and implement appropriate control measures.

c) Data Protection Measures: Organisations should implement robust security measures to protect personal data from unauthorised access, loss, or disclosure. This includes using encryption, access controls, and regular monitoring of systems for any breaches or vulnerabilities.

d) Data Breach Response Plan: A data breach response plan is essential in addressing any incidents of unauthorised access or disclosure of personal data. This plan should outline the steps to be taken in the event of a breach, including notifying affected individuals and the necessary authorities. 

4. Implement Data Privacy and Security Measures

Implementing data privacy and security measures is a crucial aspect of complying with the Data Privacy Act (DPA) in the Philippines. Organisations need to take proactive steps to safeguard personal data throughout its lifecycle.

Implementing strong access controls is essential in preventing unauthorised access to personal data. This involves setting up user accounts with unique usernames and passwords, implementing multi-factor authentication, and regularly reviewing and updating access privileges. By restricting access to only authorised personnel, organisations can minimise the risk of data breaches and ensure that personal data is only accessed by individuals who have a legitimate need for it.

5. Regularly Exercise Your Breach Reporting Procedures

In order to effectively respond to data breaches, organisations need to have robust breach reporting procedures in place. This involves promptly identifying and assessing any incidents that may compromise the security of personal data and taking appropriate action to mitigate the breach.

Regularly exercising breach reporting procedures ensures that organisations are prepared to handle data breaches efficiently. Conducting mock drills or simulated breach scenarios allows staff members to practise their response and familiarise themselves with the necessary steps to be taken. This can help identify any gaps in the breach response plan and enable organisations to fine-tune their procedures accordingly.

When a data breach occurs, time is of the essence. The Data Privacy Act requires organisations to notify affected individuals and the National Privacy Commission (NPC) within 72 hours from the time they become aware of the breach, unless it is unlikely to result in harm to the affected individuals. By regularly exercising breach reporting procedures, organisations can reduce response times and ensure timely compliance with reporting obligations.


Additionally, the NPC enforces a mandatory registration of the Data Processing System of organisations that meet certain criteria or fall under certain industries. The Data Processing System is the structure and procedure by which personal information is collected and processed.

Enforcements and Penalties

Cause of Breach / Penalty for Non-Compliance under the Philippine DPA

Unauthorised Processing of Personal Information (PI) and Sensitive PI
    Imprisonment: 1 to 3 years
    Fine: Php500,000.00 to Php2,000,000.00

Accessing PI and Sensitive PI Due to Negligence
    Imprisonment: 1 to 3 years
    Fine: Php500,000.00 to Php2,000,000.00

Improper Disposal of PI and Sensitive PI
    Imprisonment: 6 months to 2 years
    Fine: Php100,000.00 to Php500,000.00

Processing of PI and Sensitive PI for Unauthorised Purposes
    Imprisonment: 1 year 6 months to 5 years
    Fine: Php500,000.00 to Php1,000,000.00

Unauthorised Access or Intentional Breach
    Imprisonment: 1 to 3 years
    Fine: Php500,000.00 to Php2,000,000.00


To learn more on how to operationalise the Philippine DPA in your organisation, sign up for our Data Protection Officer Executive Certificate Program, conducted by Straits Interactive in partnership with the Asian Institute of Management.
