RA 10173 Data Privacy Act of 2012

SUMMARYRepublic Act No. 10173, also known as the Data Privacy Act of 2012, is an act protecting individual personal information in information and communications systems in the government and the private sector. The Act aims to protect the fundamental human right of privacy, of communication while ensuring free flow of information to promote innovation and growth. It also aims to ensure that personal information in information and communications systems in the government and in the private sector are secured and protected.

SCOPEThis Act applies to the processing of all types of personal information and to any natural and juridical person involved in personal information processing including those personal information controllers and processors who, although not found or established in the Philippines, use equipment that are located in the Philippines, or those who maintain an office, branch or agency in the Philippines.

However, this Act does not apply to the following:1. Information about any individual who is or was an officer or employee of a government institution that relates to the position or functions of the individual;2. Information about an individual who is or was performing service under contract for a government institution that relates to the services performed, including the terms of the contract, and the name of the individual given in the course of the performance of those services;3. Information relating to any discretionary benefit of a financial nature such as the granting of a license or permit given by the government to an individual, including the name of the individual and the exact nature of the benefit;4. Personal information processed for journalistic, artistic, literary or research purposes;5. Information necessary in order to carry out the functions of public authority which includes the processing of personal data for the performance by the independent, central monetary authority and law enforcement and regulatory agencies of their constitutionally and statutorily mandated functions. Nothing in this Act shall be construed as to have amended or repealed Republic Act No. 1405, otherwise known as the Secrecy of Bank Deposits Act; Republic Act No. 6426, otherwise known as the Foreign Currency Deposit Act; and Republic Act No. 9510, otherwise known as the Credit Information System Act (CISA);6. Information necessary for banks and other financial institutions under the jurisdiction of the independent, central monetary authority or Bangko Sentral ng Pilipinas to comply with Republic Act No. 9510, and Republic Act No. 9160, as amended, otherwise known as the Anti-Money Laundering Act and other applicable laws; and7. Personal information originally collected from residents of foreign jurisdictions in accordance with the laws of those foreign jurisdictions, including any applicable data privacy laws, which is being processed in the Philippines.

PUNISHABLE OFFENSES1. Unauthorized Processing of Personal Information and Sensitive Personal Information2. Accessing Personal Information and Sensitive Personal Information Due to Negligence3. Improper Disposal of Personal Information and Sensitive Personal Information4. Processing of Personal Information and Sensitive Personal Information for Unauthorized Purposes5. Unauthorized Access or Intentional Breach6. Concealment of Security Breaches Involving Sensitive Personal Information7. Malicious Disclosure8. Unauthorized Disclosure

EXTRATERRITORIAL APPLICATIONThis Act applies to an act done or practice engaged in and outside of the Philippines by an entity if:(a) The act, practice or processing relates to personal information about a Philippine citizen or a resident;(b) The entity has a link with the Philippines, and the entity is processing personal information in the Philippines or even if the processing is outside the Philippines as long as it is about Philippine citizens or residents;(c) The entity has other links in the Philippines

SALIENT FEATURES[footnoteRef:1] [1: http://digitalfilipino.com/salient-features-of-data-privacy-act-of-2012-republic-act-10173/]

1. It applies to processing of personal information and sensitive personal information (Section 3L).2. Created the National Privacy Commission to monitor the implementation of this law. (section 7)3. Gave parameters on when and on what premise can data processing of personal information be allowed. Its basic premise is when a data subject has given direct consent. (section 12 and 13)4. Companies who subcontract processing of personal information to third party shall have full liability and cant pass the accountability of such responsibility. (section 14)5. Data subject has the right to know if their personal information is being processed. The person can demand information such as the source of info, how their personal information is being used, and copy of their information. One has the right to request removal and destruction of ones personal data unless there is a legal obligation that required for it to be kept or processed. (Section 16 and 18)6. If the data subject has already passed away or became incapacitated (for one reason or another), their legal assignee or lawful heirs may invoke their data privacy rights. (Section 17)7. Personal information controllers must ensure security measures are in place to protect the personal information they process and be compliant with the requirements of this law. (Section 20 and 21)8. In case a personal information controller systems or data got compromised, they must notify the affected data subjects and the National Privacy Commission. (Section 20)9. Heads of government agencies must ensure their system compliance to this law (including security requirements). Personnel can only access sensitive personal information off-site, limited to 1000 records, in government systems with proper authority and in a secured manner. (Section 22)

EFFECTIVITYThis Act was signed into law on 15 August 2012 and took effect on 8 September 2012.