Applicable companies in the Philippines that missed the 8 September deadline to register their personal information controller and processor systems with the authorities should do so asap.

Need help to complete this process? Get in touch with the TMF Philippines team today.

Background

In 2012 the Philippines passed the Data Privacy Act, an act protecting individual personal data in information and communications systems in both the government and the private sector (Republic Act. No. 10173). This comprehensive privacy law also established the National Privacy Commission (NPC), which is tasked with implementing the provisions of the Act.

On 9 September 2016, the implementing rules and regulations (IRRs) came into force. The law is intended to bring the Philippines to the next level and ensure compliance with international standards of data protection.

Obligations

Under the implementing rules and regulations (IRR), the PICs and the PIPs are mandated to register their personal data processing systems with the NPC under the following conditions:

  • If sensitive personal information of at least 1,000 individuals is processed
  • If the personal information controller or processor employs at least 250 persons
  • If less than 250 persons are employed but the processing is not occasional

or

  • If less than 250 persons are employed but the processing of the information might pose a risk to the rights and freedoms of the data subject.

The IRR sets the required security measures for the protection of personal data:

  • assign someone to function as data protection officer, compliance officer or any other officer accountable for ensuring compliance with applicable laws and regulations on data privacy and security
  • implement appropriate data protection policies that provide for organisation, physical, and technical security measures
  • maintain records that sufficiently describe their data processing system and identify the duties and responsibilities of those individuals who will have access to personal data
  • select, train and supervise employees, agents, or representatives who will have access to personal data
  • develop, implement and review policies and procedures for the collection and processing of personal data, for data subjects to exercise their rights under the DPA, access management, system monitoring, protocols for security incidents or technical problems, and data retention
  • ensure through appropriate contractual agreements that their personal information processors shall also implement the security measures required by the law and the IRR
  • comply, where appropriate, with physical security guidelines set forth in the IRR, and
  • adopt and establish technical security measures such as, but not limited to, security policy for the processing of personal data; safeguards to protect their computer network, periodic evaluation of security measures' effectiveness; and personal data encryption.

To monitor the compliance of PICs and PIPs with the law, summaries of documented security incidents and personal data breaches have to be reported by the PICs and PIPs to the NPC. In case of any data breach, the NPC and the affected data subject should be notified by the concerned PIC or PIP within 72 hours from the discovery of the personal data breach.

Application

The Act and these rules apply to the processing of personal data by any natural and juridical person in the government or private sector. They apply to an act done or practice engaged in and outside of the Philippines if:

a. the natural or juridical person involved in the processing of personal data is found or established in the Philippines

b. the act, practice or processing relates to personal data about a Philippine citizen or Philippine resident

c. the processing of personal data is being done in the Philippines, or

d. the act, practice or processing of personal data is done or engaged in by an entity with links to the Philippines, with due consideration to international law and comity, such as, but not limited to, the following:

  1. use of equipment located in the country, or maintains an office, branch or agency in the Philippines for processing of personal data
  2. a contract is entered in the Philippines
  3. a juridical entity unincorporated in the Philippines but has central management and control in the country
  4. an entity that has a branch, agency, office or subsidiary in the Philippines and the parent or affiliate of the Philippine entity has access to personal data.

Impact on businesses – local or foreign

The NPC has initially determined the business sectors or institutions processing personal data and operating in the Philippines as PICs and PIPs. To ensure compliance, business entities should conduct assessment and evaluation of their respective organisations.

Penalties

Rule XIII of the IRR specifies the penalties for violations pertaining to personal information and sensitive personal information that include unauthorised processing, access due to negligence, improper disposal, processing for unauthorised purposes, unauthorised access or intentional breach, concealment of security breaches, malicious disclosure, and unauthorised disclosure.

There are corresponding fines and periods of imprisonment for each of these violations, ranging from P100,000 to P5,000,000 and six months to seven years imprisonment.

Actions

The IRRs allowed for a one-year period (ending on 8 September 2017) within which PICs and PIPs had to appoint a Data Protection Officer. This is done by submitting a notarised DPO reporting form with supporting documents. In NPC Advisory No. 2017-01 (Designation of Data Protection Officers), a DPO should have the following qualifications:

  1. Expertise in relevant privacy or data protection policies and practices
  2. Sufficient understanding of their organisation's processing operations, information systems, data security, and/or data protection needs
  3. A full-time or organic employee of the personal information controller or processor, as applicable
  4. A regular or permanent employee of the personal information controller or processor, as applicable, who should hold at least a 2-year employment contract with his or her organisation, and
  5. Independent in the exercise of his or her functions such that the performance of his or her duties will not give rise to a conflict of interest.

Organisations covered by the requirement to register their data processing systems with the NPC should also prepare for the 8 March 2018 deadline for phase two of the registration process. In line with the requirements of the IRR of the Data Privacy Act of 2012, and subject to additional requirements as may be imposed by the NPC, covered entities should prepare the following information and documents:

  1. The name and address of the personal information controller or personal information processor, and of its representative, if any, including their contact details
  2. The purpose or purposes of the processing, and whether processing is being done under an outsourcing or subcontracting agreement
  3. A description of the category or categories of data subjects, and of the data or categories of data relating to them
  4. The recipients or categories of recipients to whom the data might be disclosed
  5. Proposed transfers of personal data outside the Philippines
  6. A general description of privacy and security measures for data protection
  7. Brief description of the data processing system
  8. Copy of all policies relating to data governance, data privacy, and information security
  9. Attestation to all certifications attained that are related to information and communications processing, and
  10. Name and contact details of the DPO.

Any automated processing operation, where processing is the sole basis of making decisions that would significantly affect the data subject, must also be notified.