DPA Awareness Presentation


DATA PRIVACY AWARENESS

OBJECTIVES

• Explain key points of data privacy and why it should matter personally
• Present the impact of DPA in how the company operates and delivers its services
• Prevent situations that may lead to legal disputes due to company negligence
OUTLINE

• Rights of the Data Subject
• Roles of the Data Subject
• Penalties
• Frequently Asked Questions (FAQs)
HISTORY

Timeline:
• 2012 – Data Privacy Act (RA 10173)
• Mar 2016 – Privacy & Deputy Privacy Commissioners; National Privacy Commission
• May 2016 – DICT Act of 2015 (RA 10844); DICT*
• Aug 2016 – Implementing Rules & Regulations
• Sept 2017 – Mar 2018 – Mandatory Compliance and Mandatory Registration of Gov’t Agencies & Private Companies**

*DICT – Department of Information and Communications Technology

** Deadline of Registration:
Phase I: Registration of DPO – until September 9, 2017
Phase II: Registration of personal data processing systems – until March 8, 2018
PERSONAL DATA HANDLING

Information Life Cycle (with the Data Privacy Principles at its center):
1. Data Collection
2. Data Storage & Transmission
3. Data Usage
4. Disclosure and Distribution/Sharing
5. Data Retention and Disposal/Destruction
TERMINOLOGIES

• Data Subject
• Personal Information Controller (PIC)
• Personal Information Processor (PIP)

Concept: Processing

ECOSYSTEM

• The Data Subject provides personal data to the Personal Information Controller (PIC).
• The PIC outsources the processing to the Personal Information Processor (PIP).
• The PIC shares data with Third Parties; the PIP sub-contracts to Third Parties.

Data provided by the Data Subject:
• Personal Information
• Sensitive Personal Information
• Privileged Information
TYPES OF DATA

Personal information
► Information, whether recorded in a material form or not, from which the identity of an individual:
  ► is apparent, or
  ► can be reasonably and directly ascertained by the entity holding the information, or
  ► when put together with other information would directly and certainly identify an individual (IRR)
► Examples: Name, Home address, Phone number

Sensitive personal information
► Personal information whose leakage could impact the material well-being of an individual (EU GDPR).
► Race, ethnic origin, marital status, age, color, religious, philosophical or political affiliation.
► Health, education, genetic or sexual life, offenses committed or alleged, disposal of such, or sentences of any court.
► Issued by any government agency peculiar to an individual such as SSS numbers, previous and current health records, licenses, denials, suspension or revocation, and tax returns.
► Specifically established by an executive order or an act of Congress to be kept classified. (IRR)

Privileged information
► Any and all forms of data which under the Rules of Court or other pertinent laws constitute privileged communications. (IRR)
► Attorney-client privileged information
► Doctor-patient privileged information
KNOWLEDGE CHECK

Data – PI or SPI or N/A?
• Gender (Male or Female) – SPI
• School graduated from and year graduated – SPI
• A company’s contact number – N/A
• E-mail addresses that are only collected by websites – PI
• Office or home address – PI


OUTLINE

• Introduction to Data Privacy
• Rights of the Data Subject
• Roles of the Data Subject
• Penalties
• Frequently Asked Questions (FAQs)
RIGHTS OF DATA SUBJECT

Consent, Object, Access, Correct, Erase, Damages, Data Portability
RIGHTS OF DATA SUBJECT

Consent

Under R.A. 10173, your personal data is treated almost literally in the same way as your own personal property. Thus, it should never be collected, processed and stored by any organization without your explicit consent, unless otherwise provided by law.

As a data subject, you have the right to be informed that your personal data will be, are being, or were, collected and processed.

The Right to be Informed is a most basic right as it empowers you as a data subject to consider other actions to protect your data privacy and assert your other privacy rights.
RIGHTS OF DATA SUBJECT

Access

Under the Data Privacy Act of 2012, you have a right to obtain from an organization a copy of any information relating to you that they have on their computer database and/or manual filing system. It should be provided in an easy-to-access format, accompanied with a full explanation executed in plain language.

You may demand to access the following:
• The contents of your personal data that were processed.
• The sources from which they were obtained.
• Names and addresses of the recipients of your data.
• Manner by which they were processed.
• Reasons for disclosure to recipients, if there were any.
• Information on automated systems where your data is or may be available, and how it may affect you.
• Date when your data was last accessed and modified.
• The identity and address of the personal information controller.
RIGHTS OF DATA SUBJECT

Object

Your consent is necessary before any organization can LAWFULLY collect and process your personal data. Without your consent, any such collection and processing of personal information by any organization can be contested as unlawful or ILLEGAL, and would therefore be answerable to the Data Privacy Act of 2012.

The right to object is most specifically applicable when organizations or personal information controllers are processing your data without your consent.
RIGHTS OF DATA SUBJECT
Under the law, you have the right to suspend, withdraw or order
the blocking, removal or destruction of your personal data. You
can exercise this right upon discovery and substantial proof of the
Erase or following:
Blocking
1. Your personal data is incomplete, outdated, false, or unlawfully obtained.
2. It is being used for purposes you did not authorize.
3. The data is no longer necessary for the purposes for which they were collected.
4. You decided to withdraw consent, or you object to its processing and there is no
overriding legal ground for its processing.
5. The data concerns information prejudicial to the data subject — unless justified by
freedom of speech, of expression, or of the press; or otherwise authorized (by court
of law)
6. The processing is unlawful.
7. The personal information controller, or the personal information processor, violated
your rights as data subject.
RIGHTS OF DATA SUBJECT

Damages

You may claim compensation if you suffered damages due to inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of personal data, considering any violation of your rights and freedoms as data subject.

Write or speak to the organization which mishandled your personal information to see if
you can reach an agreement and claim compensation.

If you feel that your concern has not been satisfactorily addressed, you should write to the
organization and inform them of your intent to take the matter to the court, before you
start court proceedings. Talk to a legal adviser if you want to make a claim in court.

The right to file a complaint with the National Privacy Commission

If you feel that your personal information has been misused, maliciously disclosed, or
improperly disposed, or that any of your data privacy rights have been violated, you have
a right to file a complaint with the NPC.
RIGHTS OF DATA SUBJECT

Data Portability

Data portability allows you to obtain and electronically move, copy or transfer
your data in a secure manner, for further use. It enables the free flow of your
personal information across the internet and organizations, according to your
preference. This is important especially now that several organizations and
services can reuse the same data.
OUTLINE

• Introduction to Data Privacy
• Rights of the Data Subject
• Roles of the Data Subject
• Penalties
• Frequently Asked Questions (FAQs)

What can you do to protect your data?
ROLES OF DATA SUBJECT

Physical Security Do’s
• Secure storage of hardcopy documents by locking filing cabinets and giving access only to those authorized and required to fulfill processing of these documents
• Secure destruction/disposal of hardcopy documents
• Control over printing of documents containing personal data
• Clear the workstation from any documents containing personal data.

Technical Security Do’s
• Do not share passwords with anyone; use highly complex passwords
• Encrypt sensitive attachments being sent through e-mail and send the password in a separate e-mail with a different subject
• Lock the home screen of the workstation when leaving it unattended
• Beware of phishing attacks
• Always shut down and/or restart the computers to keep the operating systems and anti-virus software up to date
• Refresh history if you’re using public computers after accessing accounts
PHISHING
OUTLINE

• Introduction to Data Privacy
• Rights of the Data Subject
• Duties of PIC/PIP
• Compliance with DPA
• Penalties
• Questions & Answers

DUTIES OF PIC/PIP

• Lawful Processing
• Protection
• Data Integrity
• Transparency

OUTLINE

• Introduction to Data Privacy
• Rights of the Data Subject
• Duties of PIC/PIP
• Compliance with DPA
• Penalties
• Questions & Answers
COMPLIANCE

5 Pillars of Data Privacy: Accountability and Compliance
1. Commit to Comply – Appoint and Register Data Privacy Officer / Compliance Officer and personal data processing systems
2. Know your risks – Conduct a Privacy Impact Assessment
3. Be accountable – Develop Privacy Management Program and craft your Privacy Manual
4. Demonstrate compliance – Implement Privacy and Data Protection measures
5. Be prepared for breach – Regularly exercise your Breach Reporting Procedures

COMPLIANCE – Data Breach Notification

Notification flow:
1. Breach
2. Awareness of breach
3. Investigate breach
4. Notify NPC and local authorities (if likelihood of risk to individuals) – without undue delay, no later than 72 hrs
5. Notify data subject/s (if likely to result in risk to individuals) – without undue delay

► Data processors must report personal data breaches to FPH through its Data Breach Response Team (DBRT).
► First Balfour must report personal data breaches to NPC, local authorities and in some cases, affected data subjects.
► First Balfour maintains a personal data breach tracker.
► Depending on the nature of the incident, or if there is delay or failure to notify, NPC may investigate the circumstances surrounding the personal data breach. Investigations may include on-site examination of systems and procedures.

Report ALL personal data breaches to your Data Protection Officer or designated COP as soon as possible for appropriate attention and action.
PENALTIES

Violation: Fine (Php); Imprisonment

Unauthorized Processing of:
  a. Personal Information: 500 thousand to 2 million; 1 year to 3 years
  b. Sensitive Personal Information: 500 thousand to 4 million; 3 years to 6 years
Accessing due to negligence of:
  a. Personal Information: 500 thousand to 2 million; 1 year to 3 years
  b. Sensitive Personal Information: 500 thousand to 4 million; 3 years to 6 years
Improper Disposal of:
  a. Personal Information: 100 thousand to 500 thousand; 6 months to 2 years
  b. Sensitive Personal Information: 100 thousand to 1 million; 1 year to 3 years
Processing for Unauthorized Purposes:
  a. Personal Information: 500 thousand to 1 million; 18 months to 5 years
  b. Sensitive Personal Information: 500 thousand to 2 million; 2 years to 7 years
Unauthorized Access or Intentional Breach: 500 thousand to 2 million; 1 year to 3 years
Concealment of Security Breaches Involving Sensitive Personal Information: 500 thousand to 1 million; 18 months to 5 years
Malicious Disclosure: 500 thousand to 1 million; 18 months to 5 years
Unauthorized Disclosure of:
  a. Personal Information: 500 thousand to 1 million; 1 year to 3 years
  b. Sensitive Personal Information: 500 thousand to 2 million; 3 years to 5 years
Combination or Series of Acts: 1 million to 5 million; 3 years to 6 years



SCENARIO

Data Collection
Employees → Employment Req. → Employer

Can the employer collect both the personal information and sensitive personal information?

An employee is required to submit TIN, SSS, and Pag-IBIG membership certificate, along with other pre-employment requirements.

The employer requires these documents in order to process regulatory requirements of BIR, SSS, Pag-IBIG and PhilHealth. The employer obtained consent for these personal data but has not obtained consent for these government-issued IDs.

Answer: Yes, it meets the requirement for lawful processing.

Lawful Processing

The processing involves the personal information of a data subject who is a party to a contractual
agreement and the processing of personal information is necessary for the fulfillment of the
constitutional or statutory mandate of a public authority (e.g., BIR, SSS, Pag-IBIG and PhilHealth).
Meanwhile, the processing of the sensitive personal information is provided for by existing laws and
regulations, thus no consent is needed for the aforementioned government-issued IDs.
SCENARIO

Data Storage
Employee → Address → System Limitation

Can the Company continually refuse the updating request of its employee?

An employee found out that HR has erroneously entered a wrong address in his file.

He called the Company’s hotline to have this updated but HR refused due to the lack of system functionality.

Answer: No, due to the right to rectification of the data subject.

Right to Rectification

The Company should rightfully update the inaccurate home address of its customer as requested.
SCENARIO

Data Sharing
Fun Run → Consent → Company

Can the personal data be used and shared by the Company to its sister company?

A Company organizes a fun run and collected contact details from participants. Consent has been obtained for fun run registration purposes only.

However, since most participants are potential customers, the Company later on shared the information to a sister company for direct marketing purposes.

Answer: No, personal data must be used only for the specific purpose for which the data subject consented to.

Data Usage

Personal data must be used only for the purpose for which the data subject consented to. Data subjects must be informed and must explicitly consent to the sharing of their data to a third party for direct marketing purposes.
FAQs

• Introduction to Data Privacy
• Rights of the Data Subject
• Roles of the Data Subject
• Penalties
• Frequently Asked Questions (FAQs)

For more information visit:
www.privacy.gov.ph
