
INTRODUCTION TO INFORMATION SECURITY

Module 5 – Data Protection

Learning Objectives

After completing this module, you are expected to:

▪ learn what data protection is all about
▪ understand why it is important to know the difference between data protection and data security
▪ know the basics of Republic Act 10173 or the Data Privacy Act of 2012 (DPA)
▪ know the basics of the General Data Protection Regulation (GDPR)

5.1 What is Data Protection?

According to Techopedia, “data protection is the process of protecting data and involves the
relationship between the collection and dissemination of data and technology, the public
perception and expectation of privacy and the political and legal underpinnings surrounding that
data. It aims to strike a balance between individual privacy rights while still allowing data to be
used for business purposes.”1

Data protection is also known as data privacy or information privacy.

The National Privacy Commission defines data privacy as the right of an individual not to have
private information about himself disclosed, and to live freely from surveillance and intrusion.2

Data protection or data privacy defines, from a legal perspective, who may have access to the data. This means that an organization that deals with personal data (collects, processes, stores, or transmits it) gives the owners of the data (and the public as a whole) an assurance that the personal data is obtained according to expectations and with the consent of its owners. The organization informs people in advance what types of data will be collected, for what purpose, and to whom it will be provided later.

1 https://www.techopedia.com/definition/29406/data-protection
2 https://privacy.gov.ph/

We learned from Module 1 that data protection or data privacy is primarily a legal issue. It
involves compliance with legal or statutory regulations aimed at protecting personal data against
misuse.

5.2 Data Protection vs. Data Security

The term “data protection” is sometimes taken to be synonymous with the term “data security”, because both are concerned with preventing unauthorized access, use, disclosure, modification, and inspection of information. Thus, there is an assumption that the same tools can be used to ensure both “data protection” and “data security”, and that if data security is assured, data protection is also assured.

Study Questions:

Is the assumption above correct? Can data security be a substitute for data protection, and vice
versa? If an organization already has an ISO 27001 certificate or has performed penetration
tests, can it do away with conducting a data protection compliance audit?

The answer to the question above is:

Data protection is NOT the same as data security, and they cannot substitute for each other.

Consider this news from June 2020, as reported by Rappler.

FEU's Kadiwa student coalition, through its Facebook page, alerted students shortly before 1 am of June 17 to a potential breach and exposure of some 1,000 accounts. A hacker group called Pinoy Grayhats, Kadiwa said, was allegedly responsible.
Kadiwa added the hacker group had noted FEU's website had been at risk, security-wise, but the school reportedly did not take action.
The FEU Central Student Organization called on students to also change their passwords as soon as possible.
Meanwhile, a 2 am post from official student publication FEU Advocate reported that someone going by the name DRK publicized the names of 1,000 students, alongside their student numbers and passwords, shortly before midnight of Tuesday, June 16.
FEU responded at 11 am of June 17, saying its Information Technology Services team was "investigating the matter thoroughly."

Source: https://www.rappler.com/technology/feu-cybersecurity-hacking-exposure-student-data-june-17-2020

At first glance, this case may appear to be just a data security breach; however, it is also a data protection breach. Why? There was unauthorized access and misuse. Hackers stole AND publicized personal data (names, student numbers and passwords) which could be used to log in to other online services where the same names and passwords are reused (possibly including bank accounts), or sold to third parties for marketing purposes.

Moreover, even though the university might be using SSL/TLS to encrypt communications, login credentials, two-factor authentication, and so on, the students’ data protection could still be breached.

Clearly, in this case data security and data protection are not one and the same thing.

Data protection is a part of data security (and information security), and a legal measure that relates to the proper handling of data (how data is collected and used) and to maintaining compliance. Data security is about access, and about protecting data from unauthorized users through technical measures.

So, data protection and data security are not the same. So, what?

1. If no proper data security measures are in place, the business organization could be at
risk for a data breach. Aside from employees, data is the organization’s most critical
asset. If data becomes compromised, the business will suffer, and the organization may
even close.

2. If there are no proper measures in place to keep employee or customer data private or
protected, the organization could be found in violation of a variety of regulations. For
example, healthcare companies in the US must abide by HIPAA and not share sensitive
patient information; this personal information should also not be sold or redistributed
without consent. Otherwise, the healthcare company could be violating the law, and also
send disgruntled customers running to a competitor. Either scenario could have a
significant impact on the company’s revenue and reputation.

5.3 Data Protection Laws or Regulations - Worldwide

According to the United Nations Conference on Trade and Development (UNCTAD), as of April 2020:

“As more and more social and economic activities take place online, the importance of privacy and data protection is increasingly recognized. 128 out of 194 countries had put in place legislation to secure the protection of data and privacy.”3

3 Source: https://unctad.org/page/data-protection-and-privacy-legislation-worldwide

5.3 Data Protection Laws or Regulations – European Union, Philippines, and India

Country/Region: European Union
Data Protection Laws or Regulations: General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR), a European Union law which entered into force in 2016 and, following a two-year transition period, became directly applicable law in all Member States of the European Union on May 25, 2018, without requiring implementation by the EU Member States through national law - requires businesses to protect the personal data and privacy of European Union (EU) citizens for transactions that occur within EU member states, as well as the exportation of personal data outside the EU
Regulation & Enforcement: HEAVY/ROBUST

Country/Region: Philippines
Data Protection Laws or Regulations: Republic Act 10173 or the Data Privacy Act of 2012, which took effect 8 September 2012, and its Implementing Rules and Regulations - regulate the collection and processing of personal data by covered entities in the Philippines; centered on the principle that data processing should be transparent, proportional, and based on a legitimate purpose
Regulation & Enforcement: MODERATE

Country/Region: India
Data Protection Laws or Regulations: Information Technology Act, 2000 (“the IT Act”) and its corresponding Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“the IT Rules”) are India’s regulatory mechanism for data protection and privacy, as currently India has no specific legislation enacted primarily for data protection; the scope of the IT Act on data protection is very narrow
Regulation & Enforcement: LIMITED

5.4 Data Protection Laws or Regulations – European Union

GENERAL DATA PROTECTION REGULATION (GDPR) - requires businesses to protect the personal data and privacy of European Union (EU) citizens for transactions that occur within EU member states, AS WELL AS the exportation of personal data outside the EU.

The GDPR extends its application to a data controller or processor who carries out processing
outside of the European Economic Area (EEA) if that processing is carried out in order to offer
goods or services to, or monitor the behavior of individuals within the EEA. Businesses outside
of the EEA (including those in the Philippines) should consider whether the GDPR will apply
to them and global organizations should consider whether to apply standards based on the
GDPR worldwide.

Companies that collect data on citizens in EU countries must have complied with strict new
rules around protecting customer data by May 25, 2018.

The GDPR allows for steep penalties of up to €20 million or 4 percent of global annual
turnover, whichever is higher, for non-compliance. There are NO CRIMINAL PENALTIES,
unlike in the Philippines.

Question:
If you are a Philippine business that collects data on EU citizens, which GDPR requirements will
impact your Philippine company?

The GDPR requirements will force affected companies to change the way they process, store,
and protect customers’ personal data. For example, companies will be allowed to store and
process personal data only when the individual consents and for “no longer than is necessary
for the purposes for which the personal data are processed.” Personal data must also be
portable from one company to another, and companies must erase personal data upon request.

Several requirements will directly affect security teams. For example, companies must be able to provide a “reasonable” level of data protection and privacy to EU citizens.

There is a requirement that companies must report data breaches to supervisory authorities and individuals affected by a breach within 72 hours of when the breach was detected.

Another requirement is to perform impact assessments, intended to help mitigate the risk of
breaches by identifying vulnerabilities and how to address them.

5.5 Data Protection Laws or Regulations – Philippines

DATA PRIVACY ACT OF 2012 (DPA)4

Fully titled “An Act Protecting Individual Personal Information in Information and Communications Systems in the Government and the Private Sector, Creating for this Purpose a National Privacy Commission, and for Other Purposes,” the DPA aims to protect the fundamental human right of privacy, of communication, while ensuring the free flow of information to promote innovation and growth.

KEY DPA ACTORS

1. National Privacy Commission (NPC) - independent body mandated to implement the DPA
2. Personal information controller (PIC) - a natural or juridical person, or any other body who
controls the processing of personal data
3. Personal information processor (PIP) - a natural or juridical person, or any other body to
whom a PIC may outsource or instruct the processing of personal data

PRIMARY OBLIGATIONS OF A PIC OR PIP

• Adhere to data privacy principles: Transparency, Legitimate purpose, & Proportionality
• Uphold data subject rights: Information, Access, Data Portability, Rectification, Erasure or blocking, To object, To file a complaint, To damages
• Implement security measures: Organizational, Physical, Technical

4 Source: https://www.privacy.gov.ph/wp-content/files/quickguide/DPA_QuickGuidefolder_insideonly.pdf

5 PILLARS OF DATA PRIVACY ACCOUNTABILITY & COMPLIANCE
1. Appoint a Data Protection Officer (DPO)
2. Conduct a Privacy Impact Assessment (PIA)
3. Have a Privacy Management Program (PMP) and codify it into a Privacy Manual
4. Implement data privacy and protection measures
5. Exercise Breach Reporting Procedures (BRP)

PERSONAL INFORMATION
Personal information (PI) refers to any information from which the identity of an individual is
apparent or can be reasonably and directly ascertained, or when put together with other
information would directly and certainly identify an individual.

CRITERIA FOR LAWFUL PROCESSING OF PI

• Consent
• Contract with the individual
• Vital interests / Life & health
• Legal obligation
• National emergency / public order & safety, as prescribed by law
• Constitutional or statutory mandate of a public authority
• Legitimate interests of the PIC or third parties

SENSITIVE PERSONAL INFORMATION

Sensitive personal information (SPI) refers to information about an individual’s:
• Race
• Ethnic origin
• Marital status
• Age
• Color
• Religious, philosophical or political affiliations
• Health, education, genetic or sexual life
• Proceedings for any offense committed or alleged to have been committed by the individual
• Government-issued IDs
• Those established by an executive order or an act of Congress to be kept classified

CRITERIA FOR LAWFUL PROCESSING OF SPI

• Consent
• Existing laws and regulations
• Life and health
• Processing by non-stock, non-profit orgs
• Medical treatment
• Lawful rights and interests in court proceedings/legal claims

PENALTIES

EXEMPTIONS

Exemptions apply not to the PIC/PIP as a whole but only to personal data relating to:
• Matters of public concern
• Journalistic, artistic or literary purposes
• Research purposes, intended for a public benefit
• Performance of law enforcement or regulatory functions of a public authority (e.g. Secrecy of Bank Deposits Act, Foreign Currency Deposit Act, CISA)
• Compliance of BSP-regulated banks & financial institutions with the CISA, AMLA & other applicable laws
• Residents of foreign jurisdictions with applicable data privacy laws

Exemptions are only allowed to the minimum extent needed to achieve the purpose, with consideration to the requirements of other regulations.
