Pursuant to Republic Act No. 10173, otherwise known as the “Data Privacy Act of 2012” (“Data Privacy Act”), the National Privacy Commission (“NPC”) recently published its Circular No. 1, Series of 2017 (“NPC Circular No. 17-01”) on 25 August 2017. The Circular covers registration of Data Processing Systems and Notifications regarding Automated Decision-Making.
Section 31 of NPC Circular No. 17-01 specifically provides that the deadline for Phase I of the registration process with the NPC, i.e., registration of the companies’ respective Data Protection Officers (“DPOs”), is on 09 September 2017. On the other hand, the deadline for Phase II of the registration process (registration of data processing systems) is on 08 March 2018.
Under Section 9 of NPC Circular No. 17-01, Phase I registration requires that the Personal Information Controller (“PIC”) or Personal Information Processor (“PIP”) accomplish the prescribed application form (which can be downloaded from the NPC’s website) and submit the same to the NPC together with the supporting documents. Section 9 of the same Circular provides that, upon review and validation of the submission, the NPC shall provide the PIC or PIP via email an access code, which shall allow the PIC or PIP to proceed to Phase II of the registration process.
On the other hand, Section 10 of NPC Circular No. 17-01 enumerates the supporting documents which should accompany the duly completed and notarized registration form, namely:
- For government agencies:
  - certified true copy of the Special/Office Order, or any similar document, designating or appointing the DPO of the PIC or PIP; and
  - where applicable, a copy of the charter of the government entity, or any similar document identifying its mandate, powers, and/or functions.
- For private entities:
  - duly-notarized Secretary’s Certificate authorizing the appointment or designation of the DPO, or any other document that demonstrates the validity of the appointment or designation; and
  - certified true copy of any of the following documents, where applicable:
    - certificate of Registration (SEC Certificate, DTI Certification of Business Name or Sole Proprietorship) or any similar document; and/or
    - franchise, license to operate, or any similar document.
The application form and the supporting documents can be delivered personally to the NPC or sent via registered mail to the NPC’s address at 3rd Level Core G, GSIS Headquarters, Financial Center, Pasay City, 5800 Metro Manila on or before the deadline, 09 September 2017.
Pursuant to the Implementing Rules and Regulations of the Data Privacy Act, as well as the recently issued NPC Circular No. 17-01, registration is required for a PIC or PIP if any one of the following conditions is present:
- a PIC or PIP employs at least two hundred fifty (250) individuals;
- the processing is likely to pose a risk to the rights and freedoms of data subjects;
- the processing is not occasional; or
- the processing includes sensitive personal information of at least one thousand (1000) individuals.
Anent the second condition, Section 5(C) of the recently issued NPC Circular No. 17-01 provides that “(p)rocessing operations that pose a risk to data subjects include those that involve:
- information that would likely affect national security, public safety, public order, or public health;
- information required by applicable laws or rules to be confidential;
- vulnerable data subjects like minors, the mentally ill, asylum seekers, the elderly, patients, those involving criminal offenses, or in any other case where an imbalance exists in the relationship between a data subject and a PIC and PIP;
- automated decision-making; or
Appendix I of NPC Circular No. 17-01 likewise lists sectors or institutions which are considered (for the limited purpose of mandatory registration) as PICs or PIPs involved in the processing of personal data that is likely to pose a risk to the rights and freedoms of data subjects and/or where the processing is not occasional, namely:
- Government branches, bodies or entities, including national government agencies, bureaus or offices, constitutional commissions, local government units, government-owned and-controlled corporations;
- Banks and non-bank financial institutions, including pawnshops and Non-Stock Savings and Loan Associations (NSSLAs);
- Telecommunications networks, internet service providers and other entities or organizations providing similar services;
- Business process outsourcing companies;
- Universities, colleges and other institutions of higher learning, all other schools and training institutions;
- Hospitals including primary care facilities, multi-specialty clinics, custodial care facilities, diagnostic or therapeutic facilities, specialized outpatient facilities, and other organizations processing genetic data;
- Providers of insurance undertakings, including life and non-life companies, pre-need companies and insurance brokers;
- Businesses involved mainly in direct marketing, networking, and companies providing reward cards and loyalty programs;
- Pharmaceutical companies engaged in research; and
- Personal information processors processing personal data for a personal information controller included in the preceding items, and data processing systems involving automated decision-making.
Section 5(D) of NPC Circular No. 17-01, on the other hand, provides that, “processing shall be considered occasional if it is only incidental to the mandate or function of the PIC or PIP, or, it only occurs under specific circumstances and is not regularly performed. Processing that constitutes a core activity of a PIC or PIP, or is integral thereto, will not be considered occasional”.
Finally, anent the fourth condition, under Section 3(l) of the Data Privacy Act, sensitive personal information refers to personal information:
- about an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;
- about an individual’s health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings;
- issued by government agencies peculiar to an individual which include, but are not limited to, social security numbers, previous or current health records, licenses or their denials, suspension or revocation, and tax returns; and
- specifically established by an executive order or an act of Congress to be kept classified.
To repeat, if any of the foregoing conditions [i.e., (1) the PIC or PIP employs at least 250 individuals; (2) the processing is likely to pose a risk to the rights and freedoms of data subjects; (3) the processing is not occasional; or (4) the processing includes sensitive personal information of at least 1000 individuals] is present, registration with the NPC becomes mandatory for PICs and PIPs.