Member Article

What it’s about

The Data Privacy Act (Republic Act No. 10173) seeks to protect the confidentiality of “personal information.” The latter is defined as “any information whether recorded in material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.” The law imposes certain obligations on “personal information controllers” and those who “process” personal information. It also provides for penal and monetary sanctions for violations of its provisions. It took effect on 8 September 2012.

Key provisions

· Personal information controllers are persons who control the collection, holding, processing or use of personal information, while processors are those to whom processing has been outsourced. Most companies would be considered a controller. For example, employers gather information about their staff, as do service companies like banks, insurance companies, and utilities. BPOs are personal information processors.

· The law does not apply to the processing of certain types of information, such as particular data about government officers, and information processed for journalistic or research purposes. It also does not apply to personal information collected from residents of foreign jurisdictions in accordance with the laws of those jurisdictions, and which is being processed in the Philippines.

· Collection and processing must be conducted in accordance with general guidelines based on “the principles of transparency, legitimate purpose and proportionality.” Also, processing is permitted only if one of certain specific conditions are present. These conditions include consent, necessity under the contract with the data subject, and necessity for the protection...

Read the rest of the article by downloading the Technology, Media & Telecoms Legal Bulletin (Jan. 2013) from the SyCipLaw website.