Republic Act No. 10173, or the Philippine Data Privacy Act of 2012 (RA10173), was signed into law on August 15, 2012. This is the comprehensive law that governs data privacy protection in the Philippines.
RA10173 mandates the creation of the National Privacy Commission (NPC) which shall implement the law. To date, however, the NPC has yet to be constituted, hence the lack of implementing rules and regulations that will enforce the provisions of this law. Currently, the ITSO of the Philippine Department of Science & Technology is overseeing, on an ad-hoc basis, the implementation of RA10173.
RA10173 applies to the processing of all types of personal information and to any natural or juridical person involved in personal information processing both in the private and government sectors. It covers data controllers and processors not found in the Philippines that either: use equipment that is located in the Philippines; or maintain an office, branch, or agency in the Philippines.
‘Processing’ is defined as any operation or set of operations performed upon personal information (such as, but not limited to, collection, recording, organisation, storage, updating, modification, retrieval, consultation, use, consolidation, blocking, erasure, destruction). ‘Personal information controller’ refers to any person or organisation that controls the collection, holding, processing, or use of personal information (except those who perform such functions as instructed by another person or organisation, and an individual who performs the same functions in connection with said individual’s personal, family, or household affairs). Meanwhile, ‘personal information processor’ refers to any natural or juridical person to whom a personal information controller may outsource the processing of personal data.
RA10173 distinguishes ‘personal information’ and ‘sensitive personal information’, as different requirements for lawful processing are prescribed. ‘Personal information’ refers to any information from which the identity of an individual is apparent or can be reasonably and directly ascertained, or when put together with other information would directly and certainly identify the individual. ‘Sensitive personal information’ refers to personal information about one’s race, marital status, age, colour, religious, philosophical or political affiliations, health, education, any court proceedings issued by government agencies peculiar to an individual (e.g., social security numbers, health records, licences, tax returns) and those specifically declared as classified by law or regulation.
RA10173 extensively outlines the rights of the data subject with respect to his/her personal information. These rights must be generally observed by data controllers and data processors, except when the personal information shall be used for scientific and statistical research, no activities are carried out and no decisions are taken regarding the data subject or are gathered for the purpose of investigations in relation to any criminal, administrative or tax liabilities of a data subject.
Finally, violations of RA10173 are meted by mandatory imprisonment and fine. A higher range of penalties is imposed when sensitive personal information is involved. Maximum penalties are imposed when the personal information of at least 100 persons is affected (large scale).
ACCRA Law Offices
ACCRALAW Tower, 2nd Avenue corner 30th Street
Crescent Park West, Bonifacio Global City, 0399 Taguig
Metro Manila, Philippines
Tel: (632) 8308000
Fax: (632) 4037007 or (632) 4037008