Amicus Curiae

National Privacy Commission promulgates IRR of Data Privacy Act of 2012

Noelle Jenina Francesca E. Buan

September 01, 2016

Following a series of public consultations held between June and August 2016, the National Privacy Commission (NPC) promulgated the Implementing Rules and Regulations (IRR) of Republic Act No. 10173 last Aug. 24, 2016. 
Republic Act No. 10173, or the Data Privacy Act of 2012 (DPA), was principally authored by former Senator Edgardo J. Angara during his chairmanship of the Senate Committee on Science and Technology, and passed into law in 2012.
Republic Act No. 10173, the full title of which is “An Act Protecting Individual Personal Information in Information and Communications Systems in the Government and the Private Sector, Creating for this Purpose a National Privacy Commission, and for Other Purposes,” declares as State policy the protection of the right to privacy and communication while ensuring the free flow of information to promote innovation and growth.
The law seeks to protect “personal information” (defined as, “information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual”) that undergoes “processing,” which is defined as, “an operation or a set of operations performed upon personal information, such as, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure, or destruction of data.”
The DPA also covers “privileged information” (“data which under the Rules of Court and other pertinent laws constitute privileged communication,” for example, attorney-client privilege, physician-patient privilege, etc.), and “sensitive personal information,” which is defined as, “information:
• About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical, or political affiliation;
• About an individual’s health, education, genetic, or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings;
• Issued by government agencies peculiar to an individual which includes, but not limited to, social security numbers, previous or current health records, licenses or its denials, suspension, or revocation, and tax returns; and
• Specifically established by an executive order or an act of Congress to be kept classified.”
The NPC was created to administer this law. It is currently headed by its pioneering set of Commissioners, all appointed in March 2016: Privacy Commissioner and Chairman Raymond Liboro, a former Assistant Secretary at the Department of Science and Technology; Deputy Privacy Commissioner Ivy Patdu, a practicing lawyer and consultant medico-legal physician; and Deputy Privacy Commissioner Dondi Mapa, formerly National Technology Officer at Microsoft Philippines.
Consisting of fourteen (14) rules and seventy-two (72) sections, the IRR, apart from supplementing the DPA’s provisions, lays down specific rules on the following: Data Privacy Principles; Data Breach Notification; Outsourcing and Subcontracting Agreements; Registration and Compliance Requirements; and Rules on Accountability.
The DPA and its IRR cover the processing of personal data by any natural or juridical person in the government or private sector. They apply to an act done or practice engaged in, whether inside or outside the Philippines, if:
• The natural or juridical person involved in the processing of personal data is found or established in the Philippines;
• The act, practice, or processing relates to personal data about a Philippine citizen or Philippine resident;
• The processing of personal data is being done in the Philippines; or
• The act, practice, or processing of personal data is done or engaged in by an entity with links to the Philippines, with due consideration to international law and comity.
The IRR specifies additional definitions of key terms such as “data processing systems,” “data sharing,” “personal data,” “personal data breach,” and “security incident.” It also clarifies that “processing” may be performed either through automated means, or manual processing, if the personal data are contained or are intended to be contained in a filing system.
Substantively, the IRR expounds on the principles of transparency, legitimate purpose, and proportionality, not only in the processing of personal data per se, but also in the collection and retention thereof. General principles for data sharing are also laid down.
To concretely carry out these principles, the IRR enumerates specific organizational, physical, and technical security measures which personal information controllers and processors are mandated to undertake in relation to the personal data which they process.
The IRR also categorizes the rights of the data subject, as enumerated under the DPA, into the following: the right to be informed; the right to object; the right to access; the right to rectification; the right to erasure or blocking; and the right to damages.
Violations of the DPA are penalized with both imprisonment and fines. The punishable acts include unauthorized processing, accessing personal information due to negligence, improper disposal, processing for unauthorized purposes, unauthorized access or intentional breach, concealment of security breaches, malicious disclosure, and unauthorized disclosure.
The IRR provides that personal information controllers and processors shall register their data processing systems and automated processing operations with the NPC, subject to notification, within one (1) year after the effectivity of the IRR.
Promulgated last Aug. 24, 2016, the IRR takes effect fifteen (15) days after its publication. Entities covered by the DPA and its IRR have one (1) year from the date of effectivity of the IRR to comply with their provisions.