R.A. No. 10173: Data Privacy Act of 2012 – Processing of Personal and Sensitive Personal Information; Lawful Basis

The Data Privacy Act of 2012 (R.A. No. 10173) is a comprehensive law in the Philippines that governs the collection, processing, and protection of personal information. Its primary goal is to ensure the security and privacy of individuals’ personal and sensitive personal information while balancing the interests of businesses and government agencies that require access to such data for legitimate purposes.

In the context of Processing of Personal and Sensitive Personal Information, the Data Privacy Act outlines specific lawful bases and requirements that both data controllers (the parties who determine the purpose and manner of processing) and data processors (entities that process personal data on behalf of controllers) must follow. Below is a detailed breakdown of the provisions relating to lawful bases for processing:

1. Definitions of Key Terms

A. Personal Information

Personal Information (PI) refers to any information, regardless of format, from which the identity of an individual can be reasonably and directly ascertained. Examples include, but are not limited to, names, addresses, contact information, and email addresses.

B. Sensitive Personal Information

Sensitive Personal Information (SPI) refers to more sensitive categories of data, including but not limited to:

• Race, ethnic origin, marital status, age, and health information
• Social Security numbers and other government-issued IDs
• Information about a person’s education, finances, and employment
• Information specifically established by law to be kept confidential (e.g., tax returns, banking information)

C. Processing

Processing refers to any operation or set of operations performed upon personal data, whether or not by automatic means. This includes, among others, the collection, recording, organization, storage, alteration, retrieval, consultation, use, consolidation, blocking, erasure, or destruction of data.

2. Lawful Bases for Processing Personal and Sensitive Personal Information

The Data Privacy Act provides specific lawful bases under which the processing of personal and sensitive personal information is permissible. Without one of these bases, processing may be deemed unlawful.

A. Lawful Basis for Processing Personal Information

Under Section 12 of R.A. No. 10173, personal information may be lawfully processed if at least one of the following conditions is met:

1. Consent of the Data Subject

   • The data subject has given his or her express consent. Consent must be freely given, specific, informed, and an indication of the subject’s wishes by which he or she signifies agreement to the processing of personal information.

2. Contractual Necessity

   • Processing is necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject before entering into a contract.

3. Legal Obligation

   • Processing is necessary for compliance with a legal obligation to which the personal information controller (data controller) is subject.

4. Protection of Vital Interests

   • Processing is necessary to protect vitally important interests of the data subject, including life and health.

5. National Emergency, Public Order, and Safety

   • The processing is necessary for the fulfillment of functions of public authority, which includes processing of personal data for purposes of fulfilling constitutional or statutory mandates.

6. Legitimate Interests of the Personal Information Controller (PIC)

   • Processing is necessary to fulfill the legitimate interests of the personal information controller or a third party, except where such interests are overridden by the fundamental rights and freedoms of the data subject.

B. Lawful Basis for Processing Sensitive Personal Information and Privileged Information

Sensitive Personal Information and Privileged Information require stricter safeguards due to their sensitive nature. Under Section 13 of the Data Privacy Act, processing such information is prohibited except in the following circumstances:

1. Consent of the Data Subject

   • The data subject has given his or her specific and informed consent, with the data subject aware of the consequences of such consent.

2. Specific Legal Mandate

   • Processing is required under existing laws and regulations, provided that adequate safeguards are in place to ensure the security and privacy of the information.

3. Protection of Life and Health

   • The processing is necessary to protect the life and health of the data subject or another person, and the data subject is not legally or physically able to give consent.

4. Medical Treatment

   • Processing is necessary for medical treatment, and is carried out by a medical practitioner or a medical treatment institution, provided that adequate safeguards are in place.

5. Protection of Lawful Rights and Interests in Court Proceedings

   • Processing is necessary to protect the lawful rights and interests of natural or legal persons in court proceedings, or when establishing, exercising, or defending legal claims.

3. Obligations of Personal Information Controllers (PIC) and Processors (PIP)

Both Personal Information Controllers (PIC) and Personal Information Processors (PIP) have specific obligations under the law to ensure data protection and safeguard individuals' rights. Key obligations include:

1. Data Protection Officer (DPO)

   • All PICs and PIPs must appoint a Data Protection Officer to ensure compliance with the Data Privacy Act, including the oversight of data protection measures and acting as a point of contact for data subjects.

2. Data Security Measures

   • PICs and PIPs are required to implement reasonable and appropriate security measures, which must include organizational, physical, and technical measures to protect personal data from unauthorized access, destruction, alteration, or disclosure.

3. Breach Notification

   • In the event of a data breach that poses a risk to the data subjects, PICs and PIPs must notify both the National Privacy Commission (NPC) and affected data subjects within 72 hours.

4. Data Subject Rights

   • Data subjects have specific rights, including the right to access, rectification, erasure, restriction, portability, and objection. The PICs and PIPs are responsible for ensuring these rights are upheld and for facilitating data subjects' requests as mandated by the law.

5. Retention and Disposal of Data

   • The law mandates that personal data should only be retained for as long as necessary for the purpose of processing. Data no longer necessary should be disposed of securely to prevent unauthorized access or disclosure.

6. Data Sharing Agreements

   • When personal data is shared with third parties, PICs must ensure that these entities adhere to the same level of data protection. This often includes the requirement to establish Data Sharing Agreements to define responsibilities and safeguard data.

4. Penalties for Non-Compliance

Violations of the Data Privacy Act, including unlawful processing of personal information, unauthorized disclosure, and failure to uphold the rights of data subjects, can lead to both civil liabilities and criminal penalties. Penalties may include imprisonment (ranging from one to six years) and substantial fines, depending on the severity and nature of the violation.

5. Role of the National Privacy Commission (NPC)

The National Privacy Commission (NPC) is the governing authority tasked with enforcing the Data Privacy Act. Its duties include:

• Investigating complaints and potential violations of the Act
• Issuing cease-and-desist orders, imposing penalties, and requiring data protection compliance
• Providing advisory opinions and guidance on data privacy and protection practices

The NPC also has the power to issue recommendations for enhancing the Data Privacy Act in response to evolving data protection concerns in the digital age.

6. Conclusion

The Data Privacy Act of 2012 is a fundamental piece of legislation that establishes a rigorous framework for the lawful processing of personal and sensitive personal information in the Philippines. Through detailed provisions on lawful bases for data processing, obligations of data controllers and processors, and stringent penalties for non-compliance, the law serves to protect individuals' privacy rights while balancing the needs of organizations in the digital economy.