DATA PRIVACY
AWARENESS
Protecting Privacy in the
Digital Age
Presented By:
Rex Pajenado, DPA
UNDERSTANDING THE
PHILIPPINE PRIVACY
FRAMEWORK
OBJECTIVES:
1. Educate participants on the importance of data privacy and how it impacts individuals and organizations
2. Provide an overview of the Data Privacy Act of 2012
3. Provide awareness to the employees as to their roles and responsibilities in maintaining compliance with data privacy policies and regulations
WHAT IS THE RIGHT TO PRIVACY?
“The right to be let alone - the most comprehensive of rights and the right most valued by civilized men”
[Brandeis J, dissenting in Olmstead v United States, 277 U.S. 438 (1928)]
• Fundamental right enshrined in the 1987 Constitution and reinforced by various laws
• Protects the individual from:
⚬ Unlawful Intrusion
⚬ Misuse of Personal Information
⚬ Unauthorized surveillance
CONSTITUTIONAL BASIS OF THE
RIGHT TO PRIVACY
Article III, Section 2 –
Protection Against Unreasonable Searches
and Seizures
“The right of the people to be secure in their persons,
houses, papers, and effects against unreasonable
searches and seizures of whatever nature and for
any purpose shall be inviolable...”
CONSTITUTIONAL BASIS OF THE
RIGHT TO PRIVACY
Article III, Section 3 –
Privacy of Communication and
Correspondence
“(1) The privacy of communication and
correspondence shall be inviolable except upon
lawful order of the court, or when public safety or
order requires otherwise, as prescribed by law.”
CONSTITUTIONAL BASIS OF THE
RIGHT TO PRIVACY
Article III, Section 1 –
Due Process Clause
“No person shall be deprived of life, liberty,
or property without due process of law...”
DATA PRIVACY
REGULATORY
FRAMEWORK IN THE
PHILIPPINES
• Republic Act 10173 or the Data Privacy Act of 2012 and its IRR
• Issuances from the National Privacy Commission
• Other Related Laws and Regulations
NPC ISSUANCES
CIRCULARS: Issuances prescribing
• policies
• rules and regulations, and
• procedures promulgated pursuant to law
NPC Circular 16-01: Security of Personal Data in Government Agencies
NPC Circular 16-02: Data Sharing Agreements Involving Government Agencies
NPC Circular 16-03: Personal Data Breach Management
NPC Circular 16-04: Rules of Procedure
NPC Circular 17-01: Registration of Data Processing Systems
NPC Circular 17-01 Appendix 1: Registration of Data Processing Systems, Appendix 1
NPC ISSUANCES
ADVISORIES: Serve as guidelines to entities and individuals concerned.
NPC Advisory No. 2017-01: Designation of Data Protection Officers
NPC Advisory No. 2017-02: Access to Personal Data Sheets of Government Personnel
NPC Advisory No. 2017-03: Guidelines on Privacy Impact Assessments
OTHER RELATED LAWS AND REGULATIONS
Cybercrime Prevention Act of 2012 (RA 10175)
Protects against online crimes such as identity theft and hacking.
Consumer Act of the Philippines (RA 7394)
Ensures fair practices in handling consumer data.
E-Commerce Act (RA 8792)
Covers electronic transactions and digital privacy.
THE DATA PRIVACY ACT OF 2012
DATA PRIVACY ACT OF 2012
SECTION 1-6: DEFINITIONS AND GENERAL PROVISIONS
SECTION 7-12: NATIONAL PRIVACY COMMISSION
SECTION 11-21: RIGHTS OF DATA SUBJECTS AND OBLIGATIONS OF PERSONAL INFORMATION CONTROLLERS AND PROCESSORS
SECTION 22-24: PROVISIONS SPECIFIC TO GOVERNMENT
SECTION 25-37: PENALTIES
CONCEPTS IN THE DATA PRIVACY ACT
PERSONAL INFORMATION
“refers to any information whether recorded in a material form or not, from which the identity of an
individual is apparent or can be reasonably and directly ascertained by the entity holding the
information, or when put together with other information would directly and certainly identify an
individual.”
PERSONAL DATA
Refers to all types of personal information
SENSITIVE PERSONAL INFORMATION
Refers to personal information:
(1) About an individual’s race, ethnic origin, marital status, age, color, and religious,
philosophical or political affiliations;
(2) About an individual’s health, education, genetic or sexual life of a person, or to any
proceeding for any offense committed or alleged to have been committed by such person, the
disposal of such proceedings, or the sentence of any court in such proceedings;
(3) Issued by government agencies peculiar to an individual which includes, but not limited to,
social security numbers, previous or current health records, licenses or its denials, suspension
or revocation, and tax returns; and
(4) Specifically established by an executive order or an act of Congress to be kept classified.
PRIVILEGED INFORMATION
Refers to any and all forms of data which under the Rules of Court and other pertinent laws
constitute privileged communication.
CONCEPTS IN THE DATA PRIVACY ACT
PERSONS INVOLVED IN PROCESSING PERSONAL DATA
DATA SUBJECT
An individual whose personal information is processed
PERSONAL INFORMATION CONTROLLER
“refers to a person or organization who controls the collection, holding, processing or use of
personal information, including a person or organization who instructs another person or
organization to collect, hold, process, use, transfer or disclose personal information on his or
her behalf”
This excludes:
(1) A person or organization who performs such functions as instructed by another person or
organization; and
(2) An individual who collects, holds, processes or uses personal information in connection with
the individual’s personal, family or household affairs.
PERSONAL INFORMATION PROCESSOR
refers to any natural or juridical person qualified to act as such under this Act to whom a
personal information controller may outsource the processing of personal data pertaining to a
data subject.
KEY TERMS
DATA PROCESSING SYSTEM
refers to a structure and procedure by which personal data is collected and further processed in
an information and communications system or relevant filing system, including the purpose and
intended output of the processing
DATA SHARING
disclosure or transfer to a third party of personal data under the control or custody of a PIC:
Provided, that a PIP may be allowed to make such disclosure or transfer if it is upon the
instructions of the PIC concerned. The term excludes outsourcing, or the disclosure or transfer
of personal data by a PIC to a PIP;
SEATWORK
Juan Dela Cruz, married, was born on 18 October 1996. One day, an individual filed a case for
Estafa against Juan in the MeTC in the City of Mandaluyong and furnished him a copy of the
verified complaint through his email address, Juan.delacruz@gmail.com, and through private
courier at 142 Kanlungan St. Sampaloc, Manila.
Before arraignment, Juan identified himself by presenting his Driver’s License with ID Number
N04-21-000326. During arraignment, Juan’s legal counsel pleaded not guilty. After arraignment,
he stated that he is a devoted Roman Catholic and is not capable of doing such acts.
Classify each item as PERSONAL INFORMATION or SENSITIVE PERSONAL INFORMATION.
ANSWER
PERSONAL INFORMATION:
Name: Juan Dela Cruz
Birthday: October 18, 1996
Email: Juan.delacruz@gmail.com
Address: 142 Kanlungan St. Sampaloc, Manila
SENSITIVE PERSONAL INFORMATION:
Estafa case in MeTC of City of Mandaluyong
Driver’s License
Roman Catholic
SCOPE
This Act applies to:
• the processing of all types of personal information
• to any natural and juridical person involved in personal information processing, including
those personal information controllers and processors who although not found or established in
the Philippines:
⚬ use equipment that are located in the Philippines,
⚬ or those who maintain an office, branch or agency in the Philippines
[Figure: Personal Information / Natural Persons / Juridical Persons]
THE NATIONAL
PRIVACY
COMMISSION
• Independent body
• To administer and implement the
provisions of the Data Privacy Act
• To monitor and ensure compliance of
the country with international standards
set for data protection
THE NATIONAL
PRIVACY
COMMISSION
• Attached to the Department of
Information and Communication
Technology
• Privacy Commissioner
⚬ Deputy Privacy Commissioner for
Data Processing Systems
⚬ Deputy Privacy Commissioner for
Policies and Planning
OBLIGATIONS OF PERSONAL INFORMATION CONTROLLERS
RIGHTS: Uphold the rights of Data Subjects
PRINCIPLES: Adhere to Data Privacy Principles
SECURITY: Implement Security Measures
DATA SUBJECT RIGHTS
• RIGHT TO INFORMATION
• RIGHT TO OBJECT
• RIGHT TO ACCESS
• RIGHT TO CORRECT
• RIGHT TO ERASE
• RIGHT TO DATA PORTABILITY
• RIGHT TO FILE A COMPLAINT
• RIGHT TO DAMAGES
DATA SUBJECT RIGHTS
RIGHT TO INFORMATION
The data subject has the right to be informed whether personal data pertaining to him or her
shall be, are being, or have been processed, including the existence of automated
decision-making and profiling
DATA SUBJECT RIGHTS
RIGHT TO OBJECT
The data subject shall have the right to
object to the processing of his or her
personal data where such processing
is based on consent or legitimate
interest.
DATA SUBJECT RIGHTS
RIGHT TO ACCESS
The right of data subjects to access
information on the processing of their
personal data
DATA SUBJECT RIGHTS
RIGHT TO RECTIFICATION
The data subject has the right to dispute the inaccuracy or error in his or her personal data
and have it corrected within a reasonable period of time.
DATA SUBJECT RIGHTS
RIGHT TO ERASURE
A data subject has the right to request
for the suspension, blocking, removal
or destruction of his or her personal
data from a PIC’s filing system, in
both live and back-up systems.
DATA SUBJECT RIGHTS
RIGHT TO DATA PORTABILITY
The data subject shall have the right to obtain a copy of his or her personal data and/or have
the same transmitted from a PIC to another, in an electronic or structured format that is
commonly used and allows further use by the data subject.
DATA SUBJECT RIGHTS
RIGHT TO DAMAGES
Data subjects have the right to be indemnified for any damages sustained due to inaccurate,
incomplete, outdated, false, unlawfully obtained, or unauthorized use of their personal data,
taking into account any violation of their rights and freedoms as data subjects.
DATA SUBJECT RIGHTS
RIGHT TO FILE A COMPLAINT
If a person’s data privacy rights are violated, they can file a complaint with the National
Privacy Commission (NPC) for investigation and enforcement.
GENERAL PRIVACY PRINCIPLES
1 TRANSPARENCY
2 LEGITIMATE PURPOSE
3 PROPORTIONALITY
4 FAIRNESS
5 DATA MINIMIZATION
6 ACCURACY
7 ACCOUNTABILITY
DATA PRIVACY PRINCIPLES
TRANSPARENCY
Data subjects must be fully informed
about how their personal data will be
collected, processed, and used.
DATA PRIVACY PRINCIPLES
LEGITIMATE PURPOSE
Personal data must be collected and processed for a legitimate and specific purpose that is not
contrary to law, morals, or public policy
DATA PRIVACY PRINCIPLES
PROPORTIONALITY
The collection and processing of
personal data must be relevant,
necessary, and not excessive in
relation to the stated purpose.
DATA PRIVACY PRINCIPLES
FAIRNESS
Data processing should be done fairly
and without discrimination, ensuring
that individuals are not harmed or
unfairly treated
DATA PRIVACY PRINCIPLES
DATA MINIMIZATION
Only the minimum amount of personal data necessary to fulfill a specific purpose should be
collected.
DATA PRIVACY PRINCIPLES
ACCURACY
Personal data must be accurate,
complete, and up-to-date
DATA PRIVACY PRINCIPLES
ACCOUNTABILITY
Organizations processing personal
data must ensure compliance with
data privacy laws and are responsible
for protecting personal data.
SECURITY MEASURES
• ORGANIZATIONAL SECURITY
• PHYSICAL SECURITY
• TECHNOLOGICAL SECURITY
SECURITY MEASURES
ORGANIZATIONAL Security Measures
These are policies and procedures that ensure accountability and proper management of personal
data
• Appointment of a Data Protection Officer (DPO)
• Privacy Policies and Governance
• Data Protection Training
• Conduct of Privacy Impact Assessments (PIA)
• Breach Reporting Procedures
SECURITY MEASURES
PHYSICAL Security Measures
These measures prevent unauthorized access to facilities and devices where personal data is
stored
• Restricted Access
• Security Personnel & Surveillance
• Access Logs
• Proper Disposal of Records
SECURITY MEASURES
TECHNICAL Security Measures
These safeguards protect digital data from cyber threats and unauthorized access
• Encryption
• Access Controls
• Firewalls & Anti-Malware Software
• Regular Security Audits
• Data Backup & Recovery
BREACH
MANAGEMENT
WHAT IS A DATA BREACH?
A data breach occurs when personal, sensitive, or
privileged information is accessed, disclosed, or
processed without authorization
WHAT IS A DATA BREACH?
Common causes:
• Malicious attacks (e.g., hacking, malware, ransomware)
• System vulnerabilities (e.g., weak security settings)
• Human error (e.g., accidental sharing, lost devices)
KEY COMPONENTS OF BREACH MANAGEMENT
Prevention and Preparedness
• Security Measures
• Data Protection Officer (DPO)
• Privacy Impact Assessments
• Data Protection Trainings
KEY COMPONENTS OF BREACH MANAGEMENT
Data Breach Response and Notification
• DATA BREACH PLAN
⚬ Step 1: Discovery & Containment
⚬ Step 2: Assessment of the Breach
⚬ Step 3: Notification to the National Privacy Commission (NPC) and Affected Individuals
⚬ Step 4: Mitigation and Remediation
PENALTIES
PUNISHABLE ACT             JAIL TERM                    FINE (PHP)
Access due to negligence   1y to 3y | 3y to 6y          500k to 4M
Unauthorized processing    1y to 3y | 3y to 6y          500k to 4M
Unauthorized purposes      18mo to 5y | 2y to 7y        500k to 2M
Improper Disposal          6mo to 2y | 3y to 6y         100k to 1M
Intentional Breach         1y to 3y                     500k to 2M
Concealing Breach          18mo to 5y                   500k to 1M
Malicious Disclosure       18mo to 5y                   500k to 1M
Unauthorized Disclosure    1y to 3y | 3y to 5y          500k to 2M
Combination of Acts        3y to 6y                     1M to 5M
Where two jail terms are given, the first applies to acts involving personal information and
the second to acts involving sensitive personal information.
THANK YOU
FOR YOUR ATTENTION
References
• 1987 Constitution of the Philippines
• Consumer Act of the Philippines (RA 7394)
• Cybercrime Prevention Act of 2012 (RA 10175)
• Data Privacy Act of 2012 (RA 10173) and its IRR
• E-Commerce Act (RA 8792)
• Issuances from the National Privacy Commission