Republic Act 10173, the “Data Privacy Act of 2012” [1], which is intended to protect the integrity and security of the personal data of public and private individuals, was signed by President Benigno Aquino on August 15, 2012.

What is Data Privacy? Privacy is a fundamental human right. It has become one of the most important human rights in modern society. Data privacy is not just about the intellectual property or information belonging to an organization that is covered by information security requirements. The information needing protection is your sensitive personal information and privileged information: all information that is linked to your identity and who you are, such as your race, class, health, bank security, address, phone number, religion, etc.

The Data Privacy Act has incorporated the guidelines issued by the Department of Trade and Industry (DTI) in 2006. The DTI guidelines followed the basic principles of personal data processing laid down in the European Union’s Data Protection Directive (95/46/EC), for the purpose of transparency and proportionality [2], and the Asia-Pacific Economic Cooperation (APEC) Privacy Framework.

The Act is intended to protect the privacy of individuals in relation to personal data and to regulate the collection, processing, storing, use and disclosure of certain information relating to individuals and the public sector.

In order to understand the scope of the Act, there are several key terms or concepts that need to be understood. [3]

Personal Data means information about a living individual that is processed automatically or held within a relevant filing system or recorded with the intention of processing or filing it, and which enables the individual to be identified or identifiable. Personal data includes photographs or images, in digital or analogue form.

Sensitive Personal Data is personal data that consists of information on someone’s racial or ethnic origin, political opinion, religious or similar beliefs, trade union membership, physical or mental health condition, sex life, or offences.

Processing is the operation of obtaining, recording, or holding data, as well as specific activities such as organizing, adapting, altering, retrieving, consulting, using, disclosing, disseminating, aligning, combining, blocking, erasing or destroying information.

 Data Subject is the person who is the subject of the personal data. As they must be a living individual, a data subject cannot be an organization or company. 

Personal Information Controller is defined as the person who controls how the personal data is processed.

 SITUATIONAL GRAY AREAS

“Sec.3 (d) [4] Direct Marketing refers to communication by whatever means of any advertising or marketing material which is directed to particular individuals.”

The law should be more specific about the advertising or marketing materials, as it violates the privacy of private individuals. According to the Bill of Rights, Art. III, “Sec. 3(1) The privacy of communication and correspondence shall be inviolable except upon lawful order of the court, or when public safety or order requires otherwise as prescribed by law.” [5] For example, enterprise companies can collect personal information (e.g. names, emails, contact numbers, addresses) to be used in a marketing sales campaign and sell the information to a third-party vendor. The act itself is a violation of our enjoyment of private life, and the information given was made public against our will. There is a right to opt out of direct marketing: if you receive a written request to stop using personal data for direct marketing, you must stop within a reasonable time. The constitutional right to privacy in the Philippine context was first recognized in the 1968 ruling of Morfe v. Mutuc [6], where the right to privacy is accorded independently of its identification with liberty.

Below is an example of digital document: [7]

 


Sec. 3 (b) Consent of the data subject [8]: “Consent shall be evidenced by written, electronic or recorded means.”

Is there a required form in the case of written consent? The provision does not stipulate how the document can be assessed to verify that consent was given by the actual data subject. The same applies to electronic or recorded means. The government has to expressly declare, before giving the data sheet, that the person signing is really him and not a fraud.

Sec. 4 (4d) Personal information processed for journalistic, artistic, literary or research purposes;

This exemption, meant to preserve the artistic practice of capturing someone’s photographic image for journalistic material even if no consent is given, is quite broad. Nowadays, anyone with access to the internet can engage in journalism at no cost. There is no clear definition of journalism, or of what and who are covered by this Act. An amateur blogger can invoke this exemption by claiming that the purpose of their blog is journalism. For example, revealing corruption or incompetence in public office is likely the same as discussing the misbehavior of celebrities, even though both cases are in the public interest.

Sec. 9 Organizational Structure of the Commission [9]: The provision states that the Privacy Commissioner must be a recognized expert in the field of information technology and data privacy. The law did not provide a specific qualification or term of practice for one to be considered an “expert”.

Furthermore, Sec. 11 (f) [10] states that personal information must be “kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected and processed.” The law did not define “no longer than is necessary”. This creates a situation wherein, once the purpose of the data collection has been achieved, the data processors and collectors must properly dispose of the data, but it is not stated until when keeping it is necessary. That period must be clearly stated.

The criteria established for the processing of this information require the data subject’s consent; processing without consent is allowed if it is required by a legal obligation, or for the vital interest of the data subject himself, or for national emergencies, or to comply with the requirements of public safety and order. In Sec. 12(c) [11], there is no clear definition of public order and safety.

Section 23 (b)(3) [12], on encryption: there is a cloud over the definition of the parameters for stolen encryption, as well as the penalty for that crime. It is very challenging for the government to protect the personal data privacy and security of every individual. Consider, for example, a stolen encryption code where the Witness Protection Program is on that list.

Under Section 14, companies that subcontract the processing of personal information to a third party have full liability and cannot pass on the accountability for that responsibility. In relation to Section 3 (d), consider a data breach involving, for example, debit and credit card data. This is a very rampant case in our modern society: in some cases an alien of unknown nationality is located in Nigeria but commits fraud in our country by sending out letters through email, getting money from bank accounts and committing identity theft. There should be tough penalties for anyone who intentionally and willfully conceals the fact that a data breach has occurred when the breach causes economic damage to consumers.


Sec. 16 (c) “Reasonable access to, upon demand…”

What is meant by reasonable access? Unlike other countries such as the United States, the Philippines does not have a national identification number where you can check all your personal data with just one click of that number on a computer and see who ran a background check on your personal information. So how can you track those who had access to your personal information?

Sec. 16(d) “Dispute the inaccuracy or error in the personal information and have the personal information controller correct it immediately…”

The law must be certain about the process of changing or correcting personal information, because this is a very sensitive issue. At the National Statistics Office (NSO), for instance, if you want to change something in your name, there is a process that you need to follow and a payment for the processing. Is it the same procedure, with any requirements, or can you just ask the data controller to change it for you? How long does it take to change it? Reasonable effort must be made by the personal data controller to prevent loss and to ensure the security of the collected information.

Sec 20. (c) Security of Personal Information. [13]

The safeguards against breaches of the privacy of personal information should be determined according to the level of security we are referring to. Does that include how the company itself enforces protection and establishes monitoring of the data privacy of the information, including among its employees? Examples would be restricting agents from carrying cell phones at employee workstations, and ensuring that encryption key information is not seen by employees, only by those who are authorized by the company to transact.

Conclusion:

The rapid change in internet-based communication in our society has a large impact on our daily lives and on the business aspect of our economy. In modern society, there is a real need to respond by updating and creating new laws to protect our fundamental rights. The world of cyberspace is far different and can be more challenging at times. There should be limitations on the matter of personal information; otherwise this rapidly changing technology can lead us to more problems in our community. Improvements to the provisions will give us more protection under the law.

The lack of attention from Congress to data privacy and the protection of information has been a matter of concern. This has been an issue in our country today, particularly as far as business process outsourcing companies are concerned. We should give more importance to the different angles of the provisions of the Data Privacy Act in order to attain the protection that we are seeking as individuals.

 

Sources:

[1] www.gov.ph/2012/08/15/republic-act-no10173/

[2] www.dti.gov.ph/uploads/…/EU%20Protection%20Directive.pdf

[3] www.jiscdigitalmedia.ac.uk

[4] http://www.gov.ph/2012/08/15/republic-act-no-10173/

SEC. 3. Definition of Terms. – Whenever used in this Act, the following terms shall have the respective meanings hereafter set forth:

      (d) Direct marketing refers to communication by whatever means of any advertising or marketing material which is directed to particular individuals.

[5] http://www.chanrobles.com/philsupremelaw2.html

    Article III, Bill of Rights

Section 3. (1) The privacy of communication and correspondence shall be inviolable except upon lawful order of the court, or when public safety or order requires otherwise, as prescribed by law.

[6] GR NO. L-20387,22 SCRA 424 January 31, 1968

[7] www14.software.ibm.com/webapp/iwm/web/signup.do?lamg=&S TACT=600BG41E&source=MATemailsuppression&MATTACT=600BG41E7CONT=5612

[8] (b) Consent of the data subject refers to any freely given, specific, informed indication of will, whereby the data subject agrees to the collection and processing of personal information about and/or relating to him or her. Consent shall be evidenced by written, electronic or recorded means. It may also be given on behalf of the data subject by an agent specifically authorized by the data subject to do so.

[9] SEC. 9. Organizational Structure of the Commission. –

The Privacy Commissioner must be at least thirty-five (35) years of age and of good moral character, unquestionable integrity and known probity, and a recognized expert in the field of information technology and data privacy. The Privacy Commissioner shall enjoy the benefits, privileges and emoluments equivalent to the rank of Secretary.

The Deputy Privacy Commissioners must be recognized experts in the field of information and communications technology and data privacy. They shall enjoy the benefits, privileges and emoluments equivalent to the rank of Undersecretary.

[10] SEC. 11. General Data Privacy Principles. – The processing of personal information shall be allowed, subject to compliance with the requirements of this Act and other laws allowing disclosure of information to the public and adherence to the principles of transparency, legitimate purpose and proportionality.

(f) Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected and processed: Provided, That personal information collected for other purposes may be processed for historical, statistical or scientific purposes, and in cases laid down in law may be stored for longer periods: Provided, further, That adequate safeguards are guaranteed by said laws authorizing their processing.

[11] SEC. 12. Criteria for Lawful Processing of Personal Information. – The processing of personal information shall be permitted only if not otherwise prohibited by law, and when at least one of the following conditions exists:

(c) The processing is necessary for compliance with a legal obligation to which the personal information controller is subject;

[12] SEC. 23. Requirements Relating to Access by Agency Personnel to Sensitive Personal Information

(b) Off-site Access – Unless otherwise provided in guidelines to be issued by the Commission, sensitive personal information maintained by an agency may not be transported or accessed from a location off government property unless a request for such transportation or access is submitted and approved by the head of the agency in accordance with the following guidelines:

[13] SEC. 20. Security of Personal Information

(c) The determination of the appropriate level of security under this section must take into account the nature of the personal information to be protected, the risks represented by the processing, the size of the organization and complexity of its operations, current data privacy best practices and the cost of security implementation. Subject to guidelines as the Commission may issue from time to time, the measures implemented must include:

 
