RA 10173: Data Privacy Act of 2012
Saint Louis University - SAMCIS Clarenz B. Magsakay Laws on Computer and Data Privacy Saturday, 16 November 2019 1
Purpose
1. Protects the privacy of individuals while ensuring
free flow of information to promote innovation and
growth.
2. Regulates the collection, recording, organization,
storage, updating or modification, retrieval,
consultation, use, consolidation, blocking, erasure or
destruction of personal data.
3. Ensures that the Philippines complies with
international standards set for data protection.
Definitions
1. Personal Information Controller
◦The individual, corporation, or body who decides what
to do with data.
2. Personal Information Processor
◦One who processes data for a Personal Information
Controller. The PIP does not process information for
the PIP’s own purpose.
3. Consent
◦Where the data subject agrees to the collection and
processing of his personal data. The agreement must
inform:
◦purpose, nature, and extent of processing;
◦period of consent/instruction;
◦rights as a data subject
4. Breach
◦A security incident that:
◦Leads to unlawful or unauthorized processing of
personal, sensitive, or privileged information;
◦Compromises the availability, integrity, or
confidentiality of personal data.
PERSONAL INFORMATION
Personal Information
Refers to any information or opinion about a particular individual that can be used in identifying a person. This includes:
◦ name
◦ address
◦ phone number
◦ date of birth
◦ e-mail address
Sensitive Personal Information
This is a type of personal information that may be used to harm or discriminate against other people when mishandled. This includes:
◦ race or ethnic origin;
◦ political opinions;
◦ religious affiliations;
◦ criminal record;
◦ biometric information.
Applicability of RA 10173
Applies to:
◦Anyone who processes data. (Processing data is NOT a right.)
Does not apply in the following situations:
◦A PIC cannot say that the consent of a public officer is
necessary before information that falls within matters of public
concern is released.
◦A PIC cannot raise the Data Privacy Act to be exempt from FOI.
◦Personal data in publication or exhibition is subject to established
limits on freedom of press and expression.
Processing Personal Information
The processing of personal information shall be
allowed and shall adhere to the following:
◦Principles of transparency;
◦Legitimate purpose; and
◦Proportionality
PRINCIPLE OF TRANSPARENCY
The data subject must know:
◦The kind of personal data collected
◦How the personal data will be collected
◦Why personal data will be collected
The data processing policies of the PIC must be known to
the data subject.
The information to be provided to the data subject must be
in clear and plain language.
Legitimate Purpose Principle
PRINCIPLE OF PROPORTIONALITY
The processing of personal data should be limited to
such processing as is adequate, relevant, and not
excessive in relation to the purpose of the data
processing.
Efforts should be made to limit the processed data to
the minimum necessary.
PROCESSING SENSITIVE PERSONAL INFO.
1. The data subject has given his or her consent;
2. The processing of personal information is necessary and
is related to the fulfillment of a contract with the
data subject or in order to take steps at the request of
the data subject prior to entering into a contract;
3. The processing is necessary for compliance with a
legal obligation to which the personal information
controller is subject;
4. The processing is necessary to protect vitally important
interests of the data subject, including life and health;
5. The processing is necessary in order to respond to
national emergency, to comply with the requirements
of public order and safety, or to fulfill functions of public
authority (…); or
6. The processing is necessary for the purposes of the
legitimate interests pursued by the personal
information controller (…), except where such
interests are overridden by fundamental rights and
freedoms of the data subject (…).
Rights of the Data Subject
1. Right to be informed.
2. Right to object.
3. Right to access.
4. Right to rectification.
5. Right to erasure or blocking.
6. Right to damages.
7. Right to data portability.
8. Right to file a complaint.
1. Right to be Informed
The right to be informed that personal data shall be,
are being, or have been processed, including the
existence of automated decision-making and profiling
The disclosure must be made before the entry of the
data into the processing system or at the next
practical opportunity
2. Right to Object
The right to object to the processing of personal data,
including processing for direct marketing,
automated processing, or profiling.
Includes the right to be notified and given an
opportunity to withhold consent to the processing in
case of any changes or any amendment to the
information supplied or declared.
Exceptions in the right to object:
◦Personal data is needed pursuant to a subpoena
◦Processing is for obvious purposes
◦Necessary for or related to a contract or service to which the
data subject is a party; or
◦Necessary or desirable in an employer-employee relationship
◦Information is being processed as a result of a legal
obligation.
3. Right to Access
The right to find out whether a PIC holds any personal
data about you.
The right to reasonable access to personal data that were
processed, sources of personal data, names and addresses
of recipients, manner/method of processing, information on
automated process, date when personal data was last
accessed and modified, designation, name or identity, and
address of the PIC
4. RIGHT TO RECTIFICATION
The right to dispute the inaccuracy or error in
the personal data and have the PIC correct it
immediately.
Includes access to new and retracted information, and
simultaneous receipt thereof.
Recipients previously given erroneous data must be
informed of inaccuracy and rectification upon reasonable
request of the data subject.
5. RIGHT TO ERASURE OR BLOCKING
The right to suspend, withdraw, or order the
blocking, removal, or destruction of his or her
personal information from the personal
information controller’s filing system
Availability of the right to block:
◦Incomplete, outdated, false, or unlawfully obtained.
◦Used for unauthorized purposes.
◦No longer necessary for purposes of collection.
◦Private information prejudicial to data subject, unless
justified by freedom of speech, expression, or of the press.
◦Data subject withdraws consent and objects to the
processing, and there is no other legal ground or overriding
legitimate interest.
◦Processing is unlawful.
◦PIC or PIP violated the rights of the data subject.
6. RIGHT TO DAMAGES
The right to be indemnified for any damages
sustained due to inaccurate, incomplete,
outdated, false, unlawfully obtained, or
unauthorized use of personal data.
7. RIGHT TO DATA PORTABILITY
The right to obtain a copy of data undergoing
processing in an electronic or structured format
that is commonly used and allows for further use by
the data subject.
Takes into account the right to have control over
personal data being processed based on consent,
contract, for commercial purposes, or through
automated means.
8. RIGHT TO FILE A COMPLAINT
In circumstances wherein the PIC or the PIP has
breached the privacy of the data subject, a complaint may
be filed through [email protected]
National Privacy Commission – Government agency
responsible for implementing R.A. 10173.
Questions and Cases
Question: May a teacher/professor search the contents
of a student’s cellular phone?
Answer:
NO. Any search through a student’s cellular phone
without justification under a law or regulation is
UNLAWFUL, and may be construed as unauthorized
processing under Section 25 of the DPA.
Exceptions:
1. With student’s consent (not applicable if minor)
2. When required by the student’s life and health, or
by national emergency.
Question: Is good faith or lack of intent to
violate the DPA a valid defense in a criminal case?
Answer:
NO. Although the DPA is silent, it is a basic rule
that criminal intent is not necessary to be liable
for violation of a special penal law.
Question: Is an implied form of consent valid?
Example:
“By continuing to avail of xxx products and
services, you explicitly authorize xxx, its employees, duly
authorized representatives, related companies and third-
party service providers, to use, process and share
personal data needed in the administration of your xxx”
Answer:
INVALID. An implied or inferred consent is not
recognized in this jurisdiction. The PIC or PIP must
never assume the data subject’s consent for any
activity involving his or her personal information
unless otherwise allowed by law.
Explanation:
Consent under the DPA has three requirements:
1. Freely given.
2. Specific.
3. Informed indication of will.
◦ None of the three requirements was met by the implied
form of consent.
Question: Are handwritten signatures
considered sensitive personal information?
Answer:
NO. But they may be considered personal
information when used to identify an individual.
Question: Are username, password, IP and MAC
address, location cookies, and birthday (month and day
only) considered personal information?
Answer:
YES, but only when they are combined with other
pieces of information that may allow an individual to be
distinguished from others.
Prohibited Acts
1. Unauthorized processing of personal information and
sensitive personal information.
◦Process (sensitive) personal information without the consent
of the data subject or without being authorized under the
Data Privacy Act or any other law.
2. Accessing personal information and sensitive personal
information due to negligence.
◦Provided access to (sensitive) personal information due to
negligence or was unauthorized under the Data Privacy Act
or any existing law.
3. Improper disposal of (sensitive) personal information.
◦Negligently dispose, discard or abandon the (sensitive) personal
information of an individual in an area accessible to the public or
placed the (sensitive) personal information of an individual in a
container for trash collection.
4. Processing of personal information and sensitive
personal information for unauthorized purposes.
◦Process personal information for purposes not authorized by the
data subject or not otherwise authorized by the Data Privacy Act
or under existing laws.
5. Unauthorized access or intentional breach.
◦Knowingly and unlawfully violate data confidentiality and
security data systems where personal and sensitive personal
information is stored.
6. Malicious disclosure.
◦Discloses to a third party unwarranted or false
information with malice or in bad faith relative to any
(sensitive) personal information obtained by such PIC or PIP.