Dr. Rolando Rivera Lansigan - The Privacy Act of 2012, its compliance and implementation in the Philippines
2 likes442 views
The Data Privacy Act of 2012 in the Philippines aims to protect individual personal information in government and private sector systems, establishing the National Privacy Commission to administer and ensure compliance. Key components include definitions and provisions for the rights of data subjects, penalties for violations, and a compliance framework comprising five pillars. Organizations are required to appoint a Data Protection Officer and adhere to specific data protection measures to mitigate risks and prevent breaches.
![All PICs and PIPs should designate a Data
Protection Officer
• The personal information controller shall designate an
individual or individuals who are accountable for the
organization’s compliance with this Act. The identity of
the individual(s) so designated shall be made known to
any data subject upon request. (Sec. 21[b])
• xxx The personal information processor shall comply
with all the requirements of this Act and other applicable
laws. (Sec. 14)](https://image.slidesharecdn.com/revuln197-191229101946/85/Dr-Rolando-Rivera-Lansigan-The-Privacy-Act-of-2012-its-compliance-and-implementation-in-the-Philippines-28-320.jpg)
More Related Content
Similar to Dr. Rolando Rivera Lansigan - The Privacy Act of 2012, its compliance and implementation in the Philippines (20)
![]A Little Legal Fan Fiction For Your Reading Pleasure](https://cdn.slidesharecdn.com/ss_thumbnails/theredistrictingcheatsheet-250830092405-c8e58038-thumbnail.jpg?width=560&fit=bounds)
Dr. Rolando Rivera Lansigan - The Privacy Act of 2012, its compliance and implementation in the Philippines
- 1. The Data Privacy Act of 2012, its Compliance and implementation in the Philippines 15 May–16 May · Harbour Plaza North Point, Hong Kong . Dr. Rolando R. Lansigan, CEH, CHFI, SySA+ (Former Chief- Compliance and Monitoring Division) National Privacy Commission GDPR Coalition Ambassador
- 12. Do not COLLECT if you cannot PROTECT
- 14. What is the Data Privacy Act of 2012? • SECTION 1. Short Title. – This Act shall be known as the “Data Privacy Act of 2012”. • Republic Act 10173, the Data Privacy Act of 2012 AN ACT PROTECTING INDIVIDUAL PERSONAL INFORMATION IN INFORMATION AND COMMUNICATIONS SYSTEMS IN THE GOVERNMENT AND THE PRIVATE SECTOR, CREATING FOR THIS PURPOSE A NATIONAL PRIVACY COMMISSION, AND FOR OTHER PURPOSES • The National Privacy Commission (NPC) is a body that is mandated to administer and implement this law. The functions of the NPC include: – rule-making, – advisory, – public education, – compliance and monitoring, – investigations and complaints, – and enforcement.
- 15. The DPA applies to the processing of all types of personal information and to any natural and juridical person, in the country and even abroad, subject to certain qualifications. Sec. 4, DPA SCOPE OF THE DPA
- 16. Sections 1-6. Definitions and General Provisions Sections 7-10. National Privacy Commission Structure of RA 10173, the Data Privacy Act Section 22-24. Provisions Specific to Government Section 25-37. Penalties Sections 11-21. Rights of Data Subjects, and Obligations of Personal Information Controllers and Processors
- 17. Philippines’ DPA vs GDPR Categories Categories Categories Purpose Preventing Harm Principle Integrity and Confidentiality Material Scope Lawfulness, Fairness and Transparency Accountability Territorial Scope Purpose Limitation Access and Correction Personal Data Data Minimization Data Portability Sensitive Personal Data Accuracy Transfer of Personal Data to Another Person or country Data Controller Storage Limitation Breach Definition * Data Processors Notice and Choice Breach Notification * Publicly Available Information Breach Mitigation
- 18. The National Privacy Commission is an independent body mandated to administer and implement the Data Privacy Act, and to monitor and ensure compliance of the country with international standards set for personal data protection.
- 20. Timeline of DPA Law and other issuances passed to Organization’s Compliance 2012 March 2016 August 2016 Sept. 9, 2016 Sept. 9, 2017 Data Privacy Act (DPA) Passed into law National Privacy Commission (NPC) was formed Implementin g rules and Regulations (IRRs) was published IRR came into effect Deadline: DPO Registration 12 months Registration Requirements: All personal data processing systems (DPS) operating in the Philippines that involve Personal Data concerning at least 1,000 individuals/personal records must be registered with NPC March 8, 2018 Deadline: (ANNUAL) Registration of DPS June 30, 2018 Deadline: (ANNUAL) Security Incident Reports
- 22. EXAMPLES OF POTENTIAL BREACHES AND SECURITY INCIDENTS INVOLVING PERSONAL INFORMATION • Potential Breaches 1. Bank – Consent form 2. Hospital and School Records – Storage and Disposal Policy 3. Student transferred - Without Consent 4. Clinical record of a student to disclose with her parents - Consent 5. List of top students/passers - Consent 6. Cedula in Malls – Disposal Policy/Improper Disposal 7. Security issues in buildings – logbook 8. Use of re-cycled papers – Disposal Policy / Access due to negligence 9. Hard drives sold online –Disposal Policy 10. Use of CCTV – Privacy Issues 11. Use of USB/CD/Personal laptop – Encryption issue • Access Control and Security Policy 12. Personal Records stolen from home of an employee - Security 13. Viewing of Student Records in Public – Physical Security 14. Raffle stubs – Privacy Notice / Storage and Disposal Policy 15. Universities and Colleges websites with weak authentication 16. Photocopiers re-sold without wiping the hard drives 17. Password hacked/revealed - 18. Accidentally sent an email attachment – Unauthorized Disclosure • Other Violations / Data Privacy Act Principles 19. No Data Sharing Agreement (DSA) 20. No Privacy Notice 21. No Sub-contracting Agreement 22. No Breach Drill 23. Profiling of customers of malls – Targeted Marketing 24. Unjustifiable collection of personal data of a school – Principle of Proportionality
- 23. DPA Section Punishable Act For Personal Information For Sensitive Personal Information Fine (Pesos) JAIL TERM 25 Unauthorized processing 1-3 years 3-6 years 500 k – 4 million 26 Access due to negligence 1-3 years 3-6 years 500 k – 4 million 27 Improper disposal 6 months – 2 years 3-6 years 100 k – 1 million 28 Unauthorized purposes 18 months – 5 years 2-7 years 500 k – 2 million 29 Intentional breach 1-3 years 500 k – 2 million 30 Concealment of breach 18 months – 5 years 500 k – 1 million 31 Malicious disclosure 18 month – 5 years 500 k – 1 million 32 Unauthorized disclosure 1-3 years 3-5 years 500 k – 2 million 33 Combination of acts 1-3 years 1 million – 5 million Potential Penalties listed in the Data Privacy Act
- 24. NPC’s FIVE PILLARS OF COMPLIANCE DPO PIA PMP PDP BRP
- 25. THE FIVE PILLARS OF COMPLIANCE • Commit to Comply: Appoint a Data Protection Officer (DPO) • Know your Risk: Conduct a Privacy Impact Assessment (PIA) • Be Accountable: Create your Privacy Management Program and Privacy Manual (PMP) • Demonstrate your Compliance: Implement your Privacy and Data Protection Measure (PDP) • Be Prepared for Breach: Regularly Exercise your Breach Reporting Procedure (BRP)
- 27. Designating a DPO is the first essential step. You cannot register with the NPC unless you have a DPO.
- 28. All PICs and PIPs should designate a Data Protection Officer • The personal information controller shall designate an individual or individuals who are accountable for the organization’s compliance with this Act. The identity of the individual(s) so designated shall be made known to any data subject upon request. (Sec. 21[b]) • xxx The personal information processor shall comply with all the requirements of this Act and other applicable laws. (Sec. 14)
- 31. PILLAR 2: KNOW YOUR RISKS “The determination of the appropriate level of security under this section must take into account the nature of the personal information to be protected, the risks represented by the processing, the size of the organization and complexity of its operations, current data privacy best practices and the cost of security implementation” - Section 20.C of DPA of 2012
- 38. “The PIC shall promptly notify the Commission and affected data subjects when sensitive personal information or other information that may, under the circumstances, be used to enable identity fraud are reasonably believed to have been acquired by an unauthorized person, and the PIC or the Commission believes that that such unauthorized acquisition is likely to give rise to a real risk of serious harm to any affected data subject.” Section 20.f “Concealment of Security Breaches Involving Sensitive Personal Information. –– The penalty of imprisonment of one (1) year and six (6) months to five (5) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than One million pesos (Php1,000,000.00) shall be imposed on persons who, after having knowledge of a security breach and of the obligation to notify the Commission pursuant to Section 20(f), intentionally or by omission conceals the fact of such security breach. Section 30
- 39. The 72-hour deadline IRR Section 38 (a) Data Breach Notification. The Commission and affected data subjects shall be notified by the PIC within seventy-two (72) hours upon knowledge of, or when there is reasonable belief by the PIC or PIP that, a personal data breach requiring notification has occurred. From https://privacy.gov.ph/memorandum-circulars/
- 40. Keep in touch