Data Privacy Act of 2012 (Republic Act No. 10173) - Personal vs. Sensitive Personal Information
1. Overview of the Data Privacy Act (R.A. No. 10173)
The Data Privacy Act of 2012 (R.A. No. 10173) is the primary law in the Philippines that safeguards individual privacy rights, regulating how personal information controllers (PICs) and processors (PIPs) handle personal data. This law aims to protect the privacy of individuals while ensuring the free flow of information to promote innovation and growth in digital economy sectors. The law established the National Privacy Commission (NPC) to enforce compliance and oversee all matters relating to data privacy.
2. Definitions and Distinctions: Personal Information vs. Sensitive Personal Information
Under the Data Privacy Act, personal data is broadly categorized into "Personal Information" and "Sensitive Personal Information." Differentiating these categories is crucial as it determines the level of protection, processing requirements, and penalties for mishandling each type of data.
A. Personal Information
Definition: According to Section 3(g) of the Data Privacy Act, "Personal Information" refers to any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can reasonably and directly be ascertained, or when put together with other information would directly and certainly identify an individual.
Examples of Personal Information:
- Full name
- Home address
- Email address (not linked to health, ethnicity, etc.)
- Telephone numbers
- Employment details (not including sensitive personal aspects like health records)
Significance: Personal Information is not inherently sensitive but still requires data protection and lawful processing to ensure an individual’s privacy and prevent identity theft, unauthorized access, or misuse. Although it demands care, handling Personal Information involves fewer restrictions compared to Sensitive Personal Information.
B. Sensitive Personal Information
Definition: Section 3(l) of the Data Privacy Act defines "Sensitive Personal Information" as information about an individual’s:
- Race, ethnic origin, marital status, age, color, and religious, philosophical, or political affiliations;
- Health, education, genetic or sexual life, or any proceedings for any offense committed or alleged to have been committed by such individual, the disposal of such proceedings, or the sentence of any court in such proceedings;
- Government-issued identifiers (e.g., Social Security Number, tax identification number, and license numbers);
- Information specifically designated by executive order or law as classified;
- Any information issued by government agencies peculiar to an individual, which includes information in records regarding an individual’s application for a government-issued identification (e.g., driver’s licenses or passport).
Examples of Sensitive Personal Information:
- Racial or ethnic origin
- Health information, including medical records or genetic data
- Biometric data, like fingerprints or facial recognition data
- Political and religious affiliations
- Social Security Number (SSN) and Tax Identification Number (TIN)
- Sexual orientation or preferences
Significance: Sensitive Personal Information requires a higher degree of protection due to its inherently private nature and the potential harm that its disclosure could cause an individual. Unauthorized processing of this data could lead to severe penalties.
3. Key Legal Standards and Requirements for Handling Personal and Sensitive Personal Information
A. Processing Requirements
Personal Information: PICs and PIPs must ensure that the processing of personal information is lawful, fair, and transparent, and that it complies with the rights of data subjects under the law. Explicit consent from the data subject is generally required before processing.
Sensitive Personal Information: The processing of Sensitive Personal Information is generally prohibited unless it falls under certain exceptions, including:
- Consent: Explicit and specific consent must be given by the data subject before processing.
- Legal Obligation: Processing is necessary for compliance with a legal mandate.
- Vital Interests: Processing is necessary to protect the life and health of the data subject or another person.
- Medical Purposes: If processed by medical professionals or healthcare institutions, it is allowed under strict confidentiality rules.
- Public Benefit or Legal Claim: Processing is permissible if it is necessary for establishing, exercising, or defending legal claims, or as required by a public authority for the public good.
B. Data Protection Principles
Both Personal Information and Sensitive Personal Information are subject to the following data protection principles:
- Transparency: The data subject should be aware of how their data will be processed.
- Legitimate Purpose: Data should be processed only for purposes that are legal and compatible with its intended use.
- Proportionality: Processing should be limited to what is necessary to accomplish the specified purpose.
4. Rights of Data Subjects
Both Personal Information and Sensitive Personal Information are protected by rights afforded to data subjects under the Data Privacy Act:
- Right to be Informed: Data subjects have the right to know when and how their information is being processed.
- Right to Access: Data subjects can request access to their data to verify its accuracy and lawful use.
- Right to Rectification: Data subjects can request corrections to inaccurate or misleading information.
- Right to Erasure/Blocking: The right to request deletion or blocking of data that is incomplete, outdated, false, or unlawfully obtained.
- Right to Data Portability: The ability to obtain a copy of their data in a structured, commonly used, and machine-readable format.
5. Penalties for Non-compliance
Violations of the Data Privacy Act, especially involving Sensitive Personal Information, are subject to harsher penalties than breaches involving only Personal Information. Penalties include fines, imprisonment, or both, depending on the violation's nature, extent, and impact. The penalties vary as follows:
- Unauthorized Processing: If Sensitive Personal Information is involved, imprisonment may range from 3 to 6 years and a fine of PHP 500,000 to PHP 4,000,000.
- Access Due to Negligence: Imprisonment for 1 to 3 years and a fine of PHP 500,000 to PHP 2,000,000.
- Improper Disposal: Imprisonment of 6 months to 2 years and a fine of PHP 100,000 to PHP 500,000.
Aggravating Circumstances: If violations involve Sensitive Personal Information or affect vulnerable persons (such as minors or the elderly), penalties can be increased by one degree.
6. Jurisdiction and Scope of the Law
The Data Privacy Act applies to both government and private entities within the Philippines. It also extends extraterritorially to cover acts done outside the Philippines if:
- The processing relates to Philippine citizens or residents;
- The entity processing data is established in the Philippines; or
- The entity involved uses equipment located in the Philippines.
Conclusion
The Data Privacy Act (R.A. No. 10173) distinguishes between Personal Information and Sensitive Personal Information to provide data subjects with adequate protections based on the sensitivity of their data. The Act imposes higher standards and stricter penalties for the mishandling of Sensitive Personal Information, acknowledging its potential to cause significant harm to data subjects if improperly handled. Proper compliance with data processing standards, securing informed consent, and safeguarding data rights are all essential to lawful and ethical data handling practices under this law.