
Amicus Curiae

Issuances on the Data Privacy Act of 2012

Noelle Jenina Francesca E. Buan

May 24, 2017

Further to the promulgation in August 2016 of the Implementing Rules and Regulations (IRR) of Republic Act No. 10173, or the Data Privacy Act of 2012 (DPA), the National Privacy Commission (NPC) has since issued four circulars and one advisory to guide personal data controllers, processors, and data subjects alike regarding compliance with the law.

NPC Circular No. 16-01 (issued on 10 October 2016) is addressed to “all heads of government branches, bodies or entities, including national government agencies, bureaus[,] or offices, constitutional commissions, local government units, government-owned and -controlled corporations, state college[s,] and universities”, and focuses on the government’s obligation to secure personal data in the custody of its various agencies. Apart from citing the various duties of each government office with regard to the protection of personal information and requiring the conduct of a privacy impact assessment in every office, the circular provides specific guidelines for government agencies on the storage, access, transfer, and disposal of personal data under their control.

Likewise addressed to government agencies is NPC Circular No. 16-02 issued on 10 October 2016, which covers data sharing agreements.

The IRR defines “data sharing” as “the disclosure or transfer to a third party of personal data under the custody of a personal information controller or personal information processor.” The term “excludes outsourcing, or the disclosure or transfer of personal data by a personal information controller to a personal information processor.” The circular applies to “personal data under the control or custody of a government agency that is being shared with or transferred to a third party, for the purpose of performing a public function, or providing of a public service” and “personal data under the control or custody of a private entity that is being shared with or transferred to a government agency[.]” The circular highlights the requirements of consent of the data subject (unless otherwise required by law) and a written data sharing agreement between the transferor and transferee of personal data. It also provides guidelines on online access, actual transfer of personal data, cross-border transfer, and termination of data sharing agreements.

Meanwhile, on 15 December 2016, the NPC issued circulars on Personal Data Breach Management (NPC Circular No. 16-03) and its Rules of Procedure (NPC Circular No. 16-04), both of which pertain not only to government agencies but also to the private sector. The Personal Data Breach Circular requires the implementation of policies and procedures for managing security incidents, including personal data breaches, and the appointment of a data breach response team. The same circular also provides guidelines for preventing personal data breaches and crafting policies and procedures for incident response in the event of a security incident. The circular’s rule on the procedure for personal data breach notification specifies, among others, the conditions under which notification of an incident or breach is required, the period of time within which notification to the NPC and to the concerned data subjects must be made, the contents and form of such notification, and the exemptions from the notification requirement.

As to the NPC’s Rules of Procedure (Rules), highlighted therein is the NPC’s independence in its mandate to administer and implement provisions of the DPA and to monitor and ensure compliance of the Philippines with international standards set for data protection. The rules cover all complaints filed before the NPC or such other grievances, requests for assistance or advisory opinions, and other matters cognizable by the NPC. The rules provide that the NPC, on its own, or “persons who are the subject of a privacy violation or personal data breach, or who are otherwise personally affected by a violation of the DPA,” may file complaints for violations thereof.

Moreover, under the Rules, “depending on the nature of the incident, in cases of a possible serious privacy violation or personal data breach, [and] taking into account the risks of harm to a data subject,” the NPC may investigate on its own initiative the circumstances surrounding the possible violation.

Lastly, on 14 March 2017, the NPC issued NPC Advisory No. 2017-01 to guide personal information controllers and any natural or juridical person or other body engaged in the processing of personal data, in their designation of data protection officers or compliance officers.

Under the Advisory, the Data Protection Officer (DPO), who must be independent in the performance of his or her functions, shall be accountable for ensuring compliance by personal data controllers or processors with privacy and data protection laws and regulations. Where a private entity has branches, sub-offices, or any other component units, it may appoint a Compliance Officer for Privacy (COP) for each component unit. The Advisory particularly provides that, subject to the approval of the NPC, a group of related companies may appoint or designate the DPO of one of its members to be primarily accountable for ensuring the compliance of the entire group. Where this is allowed by the NPC, the other members of the group must still each have a COP, as defined under the Advisory. The Advisory further requires that the DPO have expertise in relevant privacy or data protection policies and practices and a sufficient understanding of the processing operations being carried out by the controller or processor, including the latter’s information systems, data security, and/or data protection needs.

The advisory also emphasizes that the DPO and the COP must be a full-time or organic employee and should ideally be holding a regular or permanent position. Furthermore, while the functions of a DPO or COP may be outsourced or subcontracted, to the extent possible, the DPO or COP must oversee the performance of his or her functions by the third-party service provider or providers.

Pursuant to Section 67 of the IRR, which provides that any subsequent issuance of the NPC shall state the period for compliance with it, the foregoing circulars took effect fifteen (15) days after their respective publications.