The National Privacy Commission (NPC) has issued the implementing rules and regulations of the Data Privacy Act of 2012. The rules, promulgated on August 24, 2016, will take effect 15 days from publication in the Official Gazette. (As of the writing of this bulletin, the rules have not yet been published.)
The rules reiterate the provisions of the statute but:
- provides that the NPC may be given access to personal data that is subject of any complaint. When the personal data is claimed to be privileged, the personal information controller shall prove the nature of the communication in an executive session.
- provides additional provisions on data privacy principles, which are generally in line with expositions of the same principles as found in other data privacy regimes. For example, the rules confirm the importance of ensuring that consent, use, retention and other processing of data is specific, proportional and confined to purposes that have been advised to the data subject. If the controller's or processor's activities will include data sharing (transfer of data to a third party by the controller or processer) or profiling (any form of automated processing of personal data to evaluate or predict aspects relating to natural persons such as their performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements), this needs to be clearly advised to data subjects. Consent given may be withdrawn.
- provides for specific clauses in respect of data sharing and profiling. Data subjects need to be provided with specific information regarding purpose and extent of processing for the purpose of profiling. Data subjects have the right to be informed of the existence of automated decision-making and profiling. Consent for data sharing is required even if the data is shared by the controller with an affiliate. Data sharing for commercial purposes, including direct marketing, must be covered by a data sharing agreement which is subject to the review of the NPC on its own initiative or a complaint of a data subject.
- provides that a personal information controller subcontracting or outsourcing the processing of personal data must do so under the cover of a contract or some other legal act to ensure that the requirements under the law for the processing of personal data are met. Such contract is subject to the review of the NPC at its own initiative or a complaint of a data subject.
- expounds on the required security measures that covered persons need to put in place. These measures include the data protection policies and procedures and physical and technical security measures that a processor must have or adopt. The rules require the keeping of records that describe the processor's data processing system and identify those with access to personal data. The rules also require privacy training or orientation for employees and agents. The NPC can monitor compliance. Security measures supposed to be adopted are subject to regular review and evaluation. The rules reiterate the need for the appointment of a data privacy officer.
- provides more detail on the notification process (to the NPC and the data subject) for data breaches. The law already requires notification of a breach when sensitive personal information or any other information may be used to enable identity fraud and the controller or the NPC believes that such unauthorized acquisition is likely to give rise to a real risk of serious harm to the affected data subject. Apart from compliance with the notification process, the rules require the maintenance of breach reports, which should record security incidents and breaches whether or not covered by the notification requirement. These reports can be reviewed by the NPC as requested, and a general summary submitted to the NPC annually.
- requires certain persons to register their personal data processing systems with the NPC. For example, those that access and process the sensitive personal information of at least 1,000 individuals need to comply with this registration requirement. The rules also require notification of automated processing operations where the processing becomes the sole basis of making decisions that would significantly affect the data subject.
Corporates that have already been mindful of data privacy or already subject to another data privacy regime, should review the rules to confirm compliance with the more generally worded "principle-based" requirements (e.g., ensuring that a criteria for lawful processing is present). But covered persons will need to focus on the specific action items noted in the rules, such as the data processing system registration, reporting requirements, and ensuring that it can comply with notification and similar procedures. Controllers and processors have one year from the effectivity of the rules to register their data processing systems or automated processing operations.
Specific compliance requirements will be a challenge for non-resident entities that have a "Philippine link" and therefore may trigger extra territorial application of the statute and rules.
In this regard, the DPA provided an exception to extra-territorial application for entities controlling and processing personal information collected from non-residents, and which are being processed by Philippine BPOs. However, the rules state that "non-applicability of the Act or [the IRR] [does] not extend to personal information controllers or personal information processors who remain subject to the requirements of implementing security measures for personal data protection... [the personal information controller or personal information processor] must uphold the rights of data subjects and adhere to the general data privacy principles and the requirements of lawful processing."