The Data Privacy Act of 2012, its compliance and implementation in the Philippines
15 May–16 May · Harbour Plaza North Point, Hong Kong
Dr. Rolando R. Lansigan, CEH, CHFI, SySA+
(Former Chief, Compliance and Monitoring Division)
National Privacy Commission
GDPR Coalition Ambassador
Dr. Rolando Rivera Lansigan - The Privacy Act of 2012, its compliance and implementation in the Philippines
Do not COLLECT if you cannot PROTECT
What is the Data Privacy Act of 2012?
• SECTION 1. Short Title. – This Act shall be known as the "Data Privacy Act of 2012".
• Republic Act 10173, the Data Privacy Act of 2012: AN ACT PROTECTING INDIVIDUAL PERSONAL INFORMATION IN INFORMATION AND COMMUNICATIONS SYSTEMS IN THE GOVERNMENT AND THE PRIVATE SECTOR, CREATING FOR THIS PURPOSE A NATIONAL PRIVACY COMMISSION, AND FOR OTHER PURPOSES
• The National Privacy Commission (NPC) is the body mandated to administer and implement this law. The functions of the NPC include:
  – rule-making,
  – advisory,
  – public education,
  – compliance and monitoring,
  – investigations and complaints,
  – and enforcement.
SCOPE OF THE DPA
The DPA applies to the processing of all types of personal information and to any natural and juridical person, in the country and even abroad, subject to certain qualifications. (Sec. 4, DPA)

Structure of RA 10173, the Data Privacy Act
• Sections 1-6. Definitions and General Provisions
• Sections 7-10. National Privacy Commission
• Sections 11-21. Rights of Data Subjects, and Obligations of Personal Information Controllers and Processors
• Sections 22-24. Provisions Specific to Government
• Sections 25-37. Penalties
Philippines' DPA vs GDPR (categories compared side by side)

Categories                     | Categories                             | Categories
-------------------------------+----------------------------------------+--------------------------------------------------------
Purpose                        | Preventing Harm Principle              | Integrity and Confidentiality
Material Scope                 | Lawfulness, Fairness and Transparency  | Accountability
Territorial Scope              | Purpose Limitation                     | Access and Correction
Personal Data                  | Data Minimization                      | Data Portability
Sensitive Personal Data        | Accuracy                               | Transfer of Personal Data to Another Person or Country
Data Controller                | Storage Limitation                     | Breach Definition *
Data Processors                | Notice and Choice                      | Breach Notification *
Publicly Available Information |                                        | Breach Mitigation
The National Privacy Commission is an independent body mandated to
administer and implement the Data Privacy Act, and to monitor and ensure
compliance of the country with international standards set for personal data
protection.
Timeline of DPA Law and other issuances passed to Organization's Compliance

• 2012 – Data Privacy Act (DPA) passed into law
• March 2016 – National Privacy Commission (NPC) was formed
• August 2016 – Implementing Rules and Regulations (IRR) was published
• Sept. 9, 2016 – IRR came into effect
• Sept. 9, 2017 – Deadline: DPO Registration (12 months)
• March 8, 2018 – Deadline (annual): Registration of DPS
• June 30, 2018 – Deadline (annual): Security Incident Reports

Registration Requirements: All personal data processing systems (DPS) operating in the Philippines that involve Personal Data concerning at least 1,000 individuals/personal records must be registered with NPC.
EXAMPLES OF POTENTIAL BREACHES AND SECURITY INCIDENTS INVOLVING PERSONAL INFORMATION

• Potential Breaches
  1. Bank – Consent form
  2. Hospital and School Records – Storage and Disposal Policy
  3. Student transferred – Without Consent
  4. Clinical record of a student disclosed to her parents – Consent
  5. List of top students/passers – Consent
  6. Cedula in Malls – Disposal Policy / Improper Disposal
  7. Security issues in buildings – Logbook
  8. Use of recycled papers – Disposal Policy / Access due to negligence
  9. Hard drives sold online – Disposal Policy
  10. Use of CCTV – Privacy Issues
  11. Use of USB/CD/Personal laptop – Encryption issue

• Access Control and Security Policy
  12. Personal Records stolen from home of an employee – Security
  13. Viewing of Student Records in Public – Physical Security
  14. Raffle stubs – Privacy Notice / Storage and Disposal Policy
  15. Universities and Colleges websites with weak authentication
  16. Photocopiers re-sold without wiping the hard drives
  17. Password hacked/revealed
  18. Accidentally sent an email attachment – Unauthorized Disclosure

• Other Violations / Data Privacy Act Principles
  19. No Data Sharing Agreement (DSA)
  20. No Privacy Notice
  21. No Sub-contracting Agreement
  22. No Breach Drill
  23. Profiling of customers of malls – Targeted Marketing
  24. Unjustifiable collection of personal data by a school – Principle of Proportionality
Potential Penalties listed in the Data Privacy Act

DPA Section | Punishable Act           | Jail term (PI = personal information; SPI = sensitive personal information) | Fine (Pesos)
------------+--------------------------+-----------------------------------------------------------------------------+------------------------
25          | Unauthorized processing  | PI: 1-3 years; SPI: 3-6 years                                               | 500k – 4 million
26          | Access due to negligence | PI: 1-3 years; SPI: 3-6 years                                               | 500k – 4 million
27          | Improper disposal        | PI: 6 months – 2 years; SPI: 3-6 years                                      | 100k – 1 million
28          | Unauthorized purposes    | PI: 18 months – 5 years; SPI: 2-7 years                                     | 500k – 2 million
29          | Intentional breach       | 1-3 years                                                                   | 500k – 2 million
30          | Concealment of breach    | 18 months – 5 years                                                         | 500k – 1 million
31          | Malicious disclosure     | 18 months – 5 years                                                         | 500k – 1 million
32          | Unauthorized disclosure  | PI: 1-3 years; SPI: 3-5 years                                               | 500k – 2 million
33          | Combination of acts      | 1-3 years                                                                   | 1 million – 5 million
NPC's FIVE PILLARS OF COMPLIANCE: DPO, PIA, PMP, PDP, BRP

THE FIVE PILLARS OF COMPLIANCE
• Commit to Comply: Appoint a Data Protection Officer (DPO)
• Know your Risk: Conduct a Privacy Impact Assessment (PIA)
• Be Accountable: Create your Privacy Management Program and Privacy Manual (PMP)
• Demonstrate your Compliance: Implement your Privacy and Data Protection Measures (PDP)
• Be Prepared for Breach: Regularly Exercise your Breach Reporting Procedure (BRP)
Designating a DPO is the first essential step. You cannot register with the NPC unless you have a DPO.

All PICs and PIPs should designate a Data Protection Officer
• The personal information controller shall designate an individual or individuals who are accountable for the organization's compliance with this Act. The identity of the individual(s) so designated shall be made known to any data subject upon request. (Sec. 21[b])
• xxx The personal information processor shall comply with all the requirements of this Act and other applicable laws. (Sec. 14)
PILLAR 2: KNOW YOUR RISKS
"The determination of the appropriate level of security under this section must take into account the nature of the personal information to be protected, the risks represented by the processing, the size of the organization and complexity of its operations, current data privacy best practices and the cost of security implementation"
– Section 20.C of DPA of 2012
IMPLEMENT SECURITY MEASURES
[Figure: security measures grouped as (1) Technical and (2) Organisational – other measures; the three categories shown are ORGANIZATIONAL, PHYSICAL and TECHNICAL.]
"The PIC shall promptly notify the Commission and affected data subjects when sensitive personal information or other information that may, under the circumstances, be used to enable identity fraud are reasonably believed to have been acquired by an unauthorized person, and the PIC or the Commission believes that such unauthorized acquisition is likely to give rise to a real risk of serious harm to any affected data subject."
– Section 20.f

"Concealment of Security Breaches Involving Sensitive Personal Information. – The penalty of imprisonment of one (1) year and six (6) months to five (5) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than One million pesos (Php1,000,000.00) shall be imposed on persons who, after having knowledge of a security breach and of the obligation to notify the Commission pursuant to Section 20(f), intentionally or by omission conceals the fact of such security breach."
– Section 30

The 72-hour deadline
IRR Section 38 (a) Data Breach Notification. The Commission and affected data subjects shall be notified by the PIC within seventy-two (72) hours upon knowledge of, or when there is reasonable belief by the PIC or PIP that, a personal data breach requiring notification has occurred.
From https://privacy.gov.ph/memorandum-circulars/
Keep in touch
END OF PRESENTATION
