March 27, 2012
By Jasmine L. Solivas-Dayacap
Last 20 March 2012, the Senate approved on third and final reading Senate Bill No. 2965 or the “Data Privacy Act of 2011.” The Bill, based in the main on Directive 95/46/EC of the European Parliament and Council and the Asia-Pacific Economic Cooperation (APEC) Privacy Framework, mandates public and private entities to protect and preserve the integrity, security and confidentiality of personal data collected in their operations.
It is hoped that the bill will drive further growth in the information and communication technology (ICT) and business process outsourcing (BPO) industries, as well as provide a policy framework to balance freedom and protection of privacy in the Internet.
Under the general data privacy principles of Senate Bill No. 2965, personal information must be:
(i) collected for specified and legitimate purposes determined and declared before, or as soon as reasonably practicable, and later processed in a way compatible with such declared, specified and legitimate purpose only;
(ii) processed lawfully;
(iii) accurate, relevant and, where necessary for the purposes for which it is to be used in the processing of personal information, kept up to date; inaccurate or incomplete data must be rectified, supplemented, destroyed or its further processing restricted;
(iv) adequate and not excessive in relation to the purposes for which they are collected and processed;
(v) retained only for as long as necessary for the fulfillment of the purposes for which the data was obtained, or for the establishment, exercise or defense of legal claims, or for legitimate business purposes, or as provided by law;
(vi) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which it was collected and processed; provided, further, that adequate safeguards are guaranteed by the laws authorizing their processing.
The processing of personal information is permitted only if not otherwise prohibited by law, and when at least one of the following conditions exists:
(i) The data subject has given his or her express or implied consent;
(ii) The processing of personal information is necessary and related to the fulfillment of a contract with the data subject or in order to take steps at the request of the data subject prior to entering into a contract;
(iii) The processing is necessary for compliance with a legal obligation to which the personal information controller is subject;
(iv) The processing is necessary to protect vitally important interests of the data subject, including life and health; or
(v) The processing is necessary in order to respond to a national emergency, to comply with the requirements of public order and safety, or to fulfill functions of public authority which necessarily include the processing of personal data for the fulfillment of its mandate; or
(vi) The processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party or parties to whom the data is disclosed, except where such interests are overridden by fundamental rights and freedoms of the data subject which require protection under the Philippine Constitution.
Under Senate Bill No. 2965, several acts are made punishable by imprisonment and fines, such as:
(i) processing of personal information and sensitive personal information without the consent of the data subject or without being authorized under the Data Privacy Act or existing laws,
(ii) providing access to personal information and sensitive personal information without being authorized under the Data Privacy Act or any existing laws, due to negligence,
(iii) improper disposal of personal information and sensitive personal information,
(iv) wrongful processing of personal information and sensitive personal information,
(v) processing of personal information and sensitive personal information for unauthorized purposes,
(vi) unauthorized access to or intentional breach of any system where personal and sensitive information is stored,
(vii) concealment of security breaches involving sensitive personally identifiable information,
(viii) malicious disclosure,
(ix) unauthorized disclosure, and
(x) breach of confidentiality.
The Bill also mandates the establishment of a National Privacy Commission which will implement and enforce the regulations of the bill. The commission will be attached to the Office of the President and run by a commissioner with two deputies.
Prior to Senate Bill No. 2965 and its counterpart house bill, House Bill No. 4115, there was no data protection law in the country, though the right to privacy is considered a basic right recognized in the Constitution, particularly in Sections 1, 2, 3 and 7, Article III (Bill of Rights). It is also recognized in specific portions of the Philippine Civil Code, such as Articles 26 and 32(11).
There are other laws and regulations that address privacy in specific sectors and instances. Bank records are protected by the Bank Secrecy Act (Republic Act No. 7653) and the Secrecy of Bank Deposits Act (Republic Act No. 1405). Under the Electronic Commerce Act of 2000 (Republic Act No. 8792), only individuals with a legal right of possession shall be granted access to electronic files or electronic keys. The same law also imposes an obligation of confidentiality on persons receiving electronic data, keys, messages, or other information not to convey it to any other person. The Anti-Wire Tapping Act (Republic Act No. 4200) requires that all parties to a communication give permission for a recorded wiretap or intercept, and makes it illegal to knowingly possess any recording made in violation of this law, unless it is evidence for a trial, civil or criminal. Furthermore, the Rape Victim Assistance and Protection Act of 1998 (Republic Act No. 8505) mandates that the right to privacy of the offended party and the accused be recognized.
The Supreme Court has also had to balance the right to privacy against other interests in cases such as Ople vs. Torres, G.R. No. 127685, 23 July 1998, and Social Justice Society v. Dangerous Drugs Board and Philippine Drug Enforcement Agency, G.R. Nos. 157870, 158633 and 161658, 3 November 2008.
There are also some regulations issued in pursuit of data privacy. The Philippine Department of Trade and Industry (DTI), pursuant to its mandate under Republic Act No. 8792, or the E-Commerce Law, issued Department Administrative Order No. 08, series of 2006, prescribing Guidelines for the Protection of Personal Data in Information and Communication System in the Private Sector (DTI DAO 08). Further to DTI DAO 08, the National Telecommunications Commission of the Philippine Department of Transportation and Communications (DOTC-NTC) has issued Memorandum Circular No. 05-06-2007 or the Consumer Protection Guidelines.
These regulations were issued precisely to allay concerns over the security of personal data handled by employees in the ICT and BPO industries. House Bill No. 4115 and Senate Bill No. 2965 echo with some modifications the guidelines set forth in these regulations and provide the definitive legal framework for data privacy.