A A A

Amicus Curiae

The September 2017 deadline for the registration of Data Protection Officers

Noelle Jenina Francesca E. Buan

September 19, 2017

Republic Act No. 10173, or the Data Privacy Act of 2012 (DPA) was enacted in 2012 to regulate the processing of personal data by any natural and juridical person in the government or private sector. These data include personal information, sensitive personal information, and privileged information.
 
Under the law, personal information controllers and personal information processors must register their data processing systems and automated processing operations with the National Privacy Commission (NPC).  The NPC Circular No. 17-01 mentions two (2) phases of the registration process and their respective deadlines: 
 
1. Phase I – the registration of a Data Protection Officer (DPO) on or before Sept. 9; and 
 
2. Phase II – the registration of data processing systems and automated processing operations on or before March 8, 2018.
 
For the Sept. 9 deadline, a personal information controller or personal information processor in the private sector, through its DPO, must accomplish the prescribed application form and submit it to the NPC with the following supporting documents:
 
1. Duly-notarized Secretary’s Certificate or any other document authorizing the appointment of the DPO;
 
2. Certificate of Registration (SEC Certificate, DTI Certification of Business Name or Sole Proprietorship) or any similar document; and/or
 
3. Franchise, license to operate, or any similar document.
 
(For a copy of the prescribed application form and for more details on the supporting documents, please visit the NPC Web site at https://register.privacy.gov.ph/Registry)
 
The DPO shall be accountable for ensuring compliance by the company of data privacy laws and regulations. He or she must be a full-time, organic employee of the personal information controller or personal information processor and should ideally be holding a regular or permanent position. Where the employment of the DPO is based on a contract, the term or duration thereof should at least be two (2) years to ensure stability.  
 
The DPO should have expertise in relevant privacy or data protection policies and practices. He or she should have sufficient understanding of the processing operations being carried out by the personal information controller or personal information processor including the latter’s information systems, data security, and data protection needs. The DPO must have useful knowledge of the sector or field of the personal information controller or personal information processor, and the latter’s internal structure, policies, and processes. 
 
The DPO must discharge his or her function with a degree of independence and autonomy. While it appears that a DPO may hold such position concurrently with another position, it should not be in a conflict of interest situation in performing his or her functions as the DPO. Moreover, the DPO shall be bound by secrecy or confidentiality in the performance of his or her functions.
 
After registering the DPO, personal information controllers and personal information processors can now continue with their compliance with the DPA according to the road map suggested by the NPC by carrying out the following:
 
Conducting a Privacy Impact Assessment;
Creating a Privacy Management Program and developing a Privacy Manual;
Implementing Privacy and Data Protection Measures; and
Regularly exercising Breach Protection Measures.
The abovementioned steps will, in turn, facilitate their compliance with the next phase of the registration process, which is the registration of data processing systems and automated processing operations, the deadline for which is March 8, 2018.
 
The foregoing exercises are for the purpose of protecting the rights of individuals from the unauthorized processing, access, disposal, or other form of unlawful use of personal data whether it be regular personal information, sensitive personal information, or privileged information. The DPA enumerates these rights of data subjects which include: the right to be informed; the right to object; the right to access; the right to rectification; the right to erasure or blocking; and the right to damages.
 
Complying with the DPA will, ultimately, uphold the State policy declared by the DPA which is the protection of the right to privacy and communication while ensuring the free flow of information to promote innovation and growth.