Any organization operating in the Philippine jurisdiction that processes the personal information of Filipino citizens for more than a thousand data subjects and employs more than 250 personnel needs to comply with the Data Privacy Act of 2012. The penalties for violating this law are both imprisonment and a fine. The imprisonment ranges from six (6) months to a maximum of five (5) years, and the fine from no less than five hundred thousand pesos (Php 500,000) up to five million pesos (Php 5,000,000).

What is the Data Privacy Act of 2012?

The Data Privacy Act of 2012 (R.A. 10173), also known as the DPA, took effect on August 23, 2012, after then-President Benigno Simeon Aquino III signed it. The author of the law was the late Senator Edgardo Javier Angara. This act aims to protect personal information in the information and communications systems of the government and the private sector. For this purpose the National Privacy Commission (NPC) was created. It is the lead government agency in charge of the full implementation of the law and of monitoring compliance with it. The NPC is attached to the Department of Information and Communications Technology (DICT) but retains its own role and functions. The NPC drafted the Implementing Rules and Regulations (IRR) of the DPA.

According to the Data Privacy Act:

SEC. 2. Declaration of Policy. It is the policy of the State to protect the fundamental human right of privacy, of communication while ensuring free flow of information to promote innovation and growth. The State recognizes the vital role of information and communications technology in nation-building and its inherent obligation to ensure that personal information in information and communications systems in the government and in the private sector are secured and protected.

Basic protection of the personal information collected by organizations is mandated by the law, including the exercise of the data subject's rights. Each data subject has eight (8) fundamental rights: the right to be informed, the right to object, the right to access, the right to rectification, the right to data portability, the right to erasure or blocking, the right to file a complaint, and the right to damages. (The rights of the data subject will be thoroughly discussed in the next article.)

Each organization is mandated to comply with the Five Pillars of Compliance in data privacy. These pillars are:

1. Appointing a Data Protection Officer (DPO)

2. Conducting a Privacy Impact Assessment (PIA)

3. Creation of the Data Privacy Manual

4. Implementation of Data Privacy and Security Measures

5. Being ready in case of data breach

All of these pillars must be satisfied by the organization, because they are the determinants and indicators of compliance with the law. Each pillar involves many tasks, which will be discussed in a separate article in our next issues.

Under the NPC's mandate to perform its enforcement functions, the National Privacy Commission:

A. Issues compliance or enforcement orders;

B. Awards indemnity on matters affecting any personal data, or rights of the data subjects;

C. Issues cease and desist orders, or imposes a temporary or permanent ban on the processing of personal data, upon finding that the processing will be detrimental to national security or the public interest, or if it is necessary to preserve and protect the rights of the data subject;

D. Recommends to the Department of Justice (DOJ) the prosecution of crimes and the imposition of penalties specified in the Act;

E. Compels or petitions any entity, government agency, or instrumentality to abide by its orders or to take action on a matter affecting data privacy;

F. Imposes administrative fines for violation of the Act, these Rules, and other issuances of the Commission.

To illustrate this further, the National Privacy Commission exercised its enforcement function when it issued a cease and desist order to one of the biggest fast-food chains in the country. Jollibee Foods Corporation (JFC) was ordered to suspend its online delivery system until the site's vulnerabilities were addressed.

The data of 18 million people in the online delivery database of the popular fast-food chain Jollibee Foods Corp. (JFC) are at high risk of being exposed to harm due to vulnerabilities in the system, although its database has not been breached, the National Privacy Commission (NPC) said.

When asked about the kind of personal information accessed, Francis Euston Acero, head of the NPC's Complaints and Investigations Division (CID), said the government is not revealing this yet. Still, Acero said it is similar to the case of Wendy's Philippines, another fast-food chain that faced a similar privacy concern. The main difference is that Wendy's database had been breached, while JFC only has the potential to be hacked given its systems' vulnerabilities. "We withheld that information deliberately because giving that information would give potential attackers avenues in," Acero said in a phone interview with the Inquirer. The risk was first discovered in December last year when an uncontracted cybersecurity firm noted a security gap in the online delivery system. "While their group was able to exploit the vulnerabilities, their firm insisted that they did not scrape or exfiltrate any data, because they merely demonstrated their ability to access the data in Jollibee's database if they so desired," the NPC order read. In February this year, the NPC said that the site remained vulnerable, such that even those with little to moderate technical knowledge and skill could access the personal information of Jollibee patrons through the website.

This could happen to your organization at any time if you do not manage your compliance. Furthermore, the Philippine Data Privacy Law (R.A. 10173) imposes the following penalties.

Chapter VIII, Sections 25-33

Unauthorized Processing: 1 to 3 years or 3 to 6 years imprisonment and a fine of Php 500,000 to 4 million

Access Due to Negligence: 1 to 3 years or 3 to 6 years imprisonment and a fine of Php 500,000 to 4 million

Improper Disposal: 6 months to 2 years or 1 to 3 years imprisonment and a fine of Php 100,000 to 1 million

Unauthorized Purposes: 18 months to 5 years or 2 to 7 years imprisonment and a fine of Php 500,000 to 2 million

Intentional Breach: 1 to 3 years imprisonment and a fine of Php 500,000 to 2 million

Concealment of Breach: 18 months to 5 years imprisonment and a fine of Php 500,000 to 1 million

Malicious Disclosure: 18 months to 5 years imprisonment and a fine of Php 500,000 to 1 million

Unauthorized Disclosure: 1 to 3 years or 3 to 5 years imprisonment and a fine of Php 500,000 to 2 million

Combination of Acts: 3 to 6 years imprisonment and a fine of Php 1 million to 5 million

The penalty for violating the Philippine Data Privacy Law (R.A. 10173) will be an additional cost to your organization. It will surely have a great impact, so I advise you to comply as soon as possible. Right now the National Privacy Commission is actively enforcing the law. Failure to comply could lead to violations of the law, and as the legal principles say, "No one is above the law" and "Ignorance of the law excuses no one from compliance therewith."

Watch out for Part 2 of this gripping article entitled "

Our contributor JOSUE T. OBELIDOR is a registered nurse and a Philippine Government Registered Data Protection Officer. He is currently the Data Protection Officer (DPO) of the Far Eastern University - Dr. Nicanor Reyes Medical Center (FEU-NRMF). He has been the Quality Management Representative (QMR) of different tertiary hospitals such as Mother Seton Hospital in Naga (where he practiced intensive care nursing for three years), Daniel O. Mercado Medical Center in Batangas City, and World Citi Medical Center in Quezon City.