The Data Privacy Act of 2012 (hereinafter, DPA or Act) is the Philippines’ first data privacy law. This landmark legislation is instrumental in obtaining the needed investments for the Philippine’s booming information technology-business process outsourcing (IT-BPO) industry.1 The industry involves the heavy processing of confidential and personal information.2 With the DPA, information collected is safeguarded from security incidents.3 In order to protect data privacy, an entity covered by the Act must, among other things, observe the data privacy principles4 and uphold the rights of the data subject5.
I. Data Privacy Principles
There are four general principles with respect to the collection and processing of personal data: transparency, legitimate purpose, proportionality, and data quality. Entities covered by the Act and the Implementing Rules must adhere to these principles.6
Principle of Transparency
The principle of transparency requires that the purpose for processing a person’s data should be determined and disclosed before its collection or as soon as practicable.7 Also, consent of the data subject on the collection and processing of his data should first be obtained, subject to exemptions provided by laws and regulations.8 In obtaining his consent, the data subject must be informed of the nature, purpose, and extent of the processing of such personal data, including the risks and safeguards involved, the identity of the personal information controller, his rights as a data subject as well as how these can be exercised.9 Moreover, information provided to a data subject must always be in clear and plain language to ensure that they are easy to understand and access.10
Principle of Legitimate Purpose
The principle of legitimate purpose requires that the collection and processing of information must also be compatible with a declared and specified purpose, which must not be contrary to law, morals, or public policy.11 In other words, personal data should be processed fairly and lawfully.12
Principle of Proportionality
The principle of proportionality requires that the processing of personal information must be relevant to, and must not exceed, the declared purpose.13 The personal information may be retained only for as long as necessary for the fulfillment of the purposes for which the data was obtained or for the establishment, exercise, or defense of legal claims, or as provided by law. It may also not be retained in perpetuity in contemplation of a possible future use yet to be determined.14 However, personal information collected for historical, statistical, scientific purposes, or in other cases laid down by law, as well as, personal information kept in a form which does not permit identification of the individual involved, may be stored for longer periods.15
Data Quality Principle
The data quality principle requires that personal data should be accurate and kept up to date. It also requires that inaccurate or incomplete data be rectified, supplemented, destroyed, or restricted.16
II. Data Privacy Rights
The data subject is entitled to the following rights: the right to be informed, the right to object, the right to access, the right to rectification, erasure or blocking, the right to damages, and the right to data portability.
Right to be Informed
The data subject has a right to be informed whether personal data pertaining to him shall be, are being, or have been, processed. The Act and its IRR also require that the data subject be furnished with certain information before its entry in the system.17
Right to Object
The data subject should also be notified and given an opportunity to withhold consent on the processing of personal information in case of amendments to the information supplied or declared to the data subject. There are, however, instances enumerated under the IRR where personal information may still be processed despite the objection of the data subject.18
Right to Access
The data subject also enjoys the right to access specific details with respect to the processing of his personal information, such as the names and addresses of the recipients of the personal data, the manner by which such data were processed, and the designation or identity of the personal information controller.19
Right to Rectification
The data subject likewise has the right, in case of inaccuracy or error in the personal data, to have the same immediately corrected by the personal information controller, unless the request is vexatious or otherwise unreasonable.
Right to Erasure or Blocking
The data subject has the right to withdraw, remove, block, or order the destruction of his or her personal data from the filing system upon discovery and substantial proof of specified instances enumerated under the IRR.20
Right to Damages
The data subject may be indemnified for any damages sustained due to inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of his personal data. The determination of damages will take take into account any violation of his rights and freedoms as a data subject.21
Right to Data Portability
The data subject has a right to obtain from the personal information controller a copy of his personal data in an electronic or structured format that allows further use by the data subject.22
1 The Data Privacy Law: Badly Needed to Protect the IT/BPM/KPM Sector. (2015, July 3). Retrieved August 8, 2017, from http://www.philstar.com/cebu-business/2015/07/03/1472785/data-privacy-law-badly-needed-protect-it/bpm/kpm-sector
2 BPAP: Data Privacy Act Will Boost IT-BPO Sector. (2012, July 15). Retrieved November 1, 2017, from http://www.ibpap.org/publications-and-press-statements/ibpap-news/60-bpap-data-privacy-act-will-boost-it-bpo-sector
3 Importance of Data Security Policies in BPO Industry. (2016, August 10). Retriever November 1, 2017, from http://consystentinfo.com/blog/importance-of-data-security-policies-in-bpo-industry/
4 Sec. 11, R.A. 10173
5 Sec. 16, R.A. 10173
6 Sec. 18 and Sec. 19(c), IRR of R.A. 10173.
7 Sec. 19(a)(3), IRR of R.A. 10173.
8 Sec. 19(a)(1), IRR of R.A. 10173.
9 Sec. 18(a) and Sec. 19(a)(2), IRR of R.A. 10173.
10 Sec. 19(b)(2), IRR or R.A. 10173.
11 Sec. 18(b), IRR of R.A. 10173.
12 Sec. 19(b), IRR of R.A. 10173.
13 Sec. 18(c), IRR of R.A. 10173.
14 Sec. 19(e), IRR of R.A. 10173.
15 Sec. 19(e), IRR of R.A. 10173.
16 Sec. 19(c), IRR of R.A. 10173.
17 Sec. 34(a), IRR of R.A. 10173.
18 Sec. 34(b), IRR of R.A. 10173.
19 Sec. 34(c), IRR of R.A. 10173.
20 Sec. 34 (d)(e), IRR of R.A. 10173
21 Sec. 34(f), IRR of R.A. 10173.
22 Sec. 36, IRR of R.A. 10173