The Data Privacy Act of 2012 (hereinafter the “Act”) lays out stringent guidelines designed to safeguard the privacy of both natural and juridical persons. However, the law also admits of certain exceptions, one of which pertains to information processing pursuant to a public function.
Section 4(e) of the Act provides that it does not apply to information necessary in order to carry out the functions of public authority. This includes the processing of personal data by the central monetary authority, as well as information processing by law enforcement and regulatory agencies acting within their mandated functions. The Act also unequivocally states that it does not in any manner amend or repeal the Secrecy of Bank Deposits Act (RA 1405), the Foreign Currency Deposit Act (RA 6426), and the Credit Information System Act (CISA) (RA 9510). Pursuant to Section 4 (f), neither does the Act apply to information required of banks and other financial institutions to comply with the CISA, the Anti-Money Laundering Act (RA 9160), and other applicable laws.
A public function refers to a constitutionally or statutorily mandated task carried out by any government entity created by the Constitution or law.1 The Act’s Implementing Rules and Regulations (IRR) further specify that public functions involve law enforcement and other regulatory activities.2 This covers a wide range of governmental acts, including the provision of public services,3 the maintenance of public order and safety,4 and even the need to respond to a national emergency.5
Data sharing and security
The Act also provides certain criteria for the lawful processing of personal information, such as when information processing is required to respond to a national emergency. Personal information may also be lawfully processed in order to comply with the requirements of public order and safety, or to fulfill functions of public authority, which necessarily includes the processing of personal data for the fulfillment of its mandate.
The Act’s IRR emphasize adherence to the principles of transparency, legitimate purpose, and proportionality.6 The principle of transparency primarily requires that a data subject be aware of the nature, purpose, and extent of the processing of his or her personal data. It also mandates easy access to information related to the processing of personal data. Meanwhile, legitimate purpose refers to a declared and specified basis which must not be contrary to law, morals, or public policy. Lastly, the principle of proportionality requires that information processing must be adequate and not excessive in relation to the declared and specified purpose.7
The Act provides meticulous safeguards for personal data processed in relation to a public function. The National Privacy Commission (NPC) has the power to review the processing of personal data for research purposes, public functions, or commercial activities.8 While the IRR permits data sharing between government agencies, this must be covered by a Data Sharing Agreement which shall in turn be subject to the review of the NPC, either on its own initiative or upon the request of the data subject. Moreover, any or all government agencies party to the Data Sharing Agreement are mandated to place adequate safeguards for data privacy and security.9
Access and accountability
When personal information is processed pursuant to a public function, the Act lays down limits as to how such data may be accessed. The head of each government agency or instrumentality shall be responsible for complying with the security requirements laid down to protect sensitive personal information of data subjects.10 For on-site and online access, the IRR forbids any government employee from accessing sensitive personal information on government property or through online facilities. The only exception is when the employee receives security clearance from the head of the source agency (i.e., the government agency that originally collected the personal data).11 The Act sets a high bar for security clearance applicants. An employee shall only be granted access when the performance of his or her official functions or the provision of a public service directly depends on and cannot otherwise be performed unless access to the personal data is allowed.12
In instances when the employee is allowed online access to sensitive personal information, such access is still subject to the following conditions.13 First, an information technology governance framework must have been designed and implemented. Second, there must be sufficient organizational, physical, and technical security measures in place. Third, the agency must be capable of protecting sensitive personal information in accordance with data privacy practices and standards recognized by the information and communication technology industry. Lastly, online access shall be limited to personal information necessary for the performance of official functions or the provision of a public service.
The Act prescribes tougher regulations regarding off-site access to such personal information. In general, sensitive personal information maintained by an agency may not be transported or accessed whether by the government employee or its agent from a location off or outside of government property. The exception is allowed only if the head of agency has ensured the implementation of privacy policies and appropriate security measures. The head of agency must approve a request for such transportation or access, and the request must include proper accountability mechanisms in the processing of data.14 The NPC may also review any off-site or online access to sensitive personal data as approved by a head of agency.15
The approval or disapproval of requests for off-site access is regulated by several guidelines.16 First, the head of agency must approve or disapprove the request within two (2) business days after the date of submission of the request. Where no action is taken by the head of agency, the request is considered disapproved.17 Where a request is approved, the head of agency shall limit the access to not more than one thousand (1,000) records at a time.18 Lastly, any technology used to store, transport, or access sensitive personal information for purposes of off-site access, as approved by the head of agency, shall be secured by the use of the most secure encryption standard recognized by the NPC.
In sum, the Act permits government agencies and instrumentalities to process sensitive personal data pursuant to a public function. However, this privilege is narrowly circumscribed by the Act’s IRR to ensure that a data subject’s right to privacy is not breached. The burden thus rests with the government to show that it complies with the Act and other relevant regulations before sensitive personal data may be processed.
1 IRR Rule 1, Sec 1(r)
2 IRR Rule 2, Sec 5(d)
3 IRR Rule IV, Sec 20(d)
4 IRR Rule V, Sec 21(e)
6 IRR Rule IV, Sec 18
8 IRR Rule XI, Sec 49(e)
9 IRR Rule IV, Sec 20(d)
10 IRR Rule VII, Sec 30
11 IRR Rule VII, Sec 31(a)(1)
12 IRR Rule VII, Sec 31(a)(2)
13 IRR Rule VII, Sec 31(a)(3)
14 IRR Rule VII, Sec 31(b)(1)
15 IRR Rule XI, Sec 49(d)
16 IRR Rule VII, Sec 31(b)(2)
17 IRR Rule VII, Sec 31(b)(2)(a)
18 IRR Rule VII, Sec 31(b)(2)(b)