Data Privacy | Mr. Josemaria Carlo Magsino

Data Privacy 

Mr. Josemaria Carlo Magsino

Hi! My name is Carlo. Today, we’ll be discussing about Data Privacy.

For most of us, the notion of privacy would basically mean keeping a secret. Do you remember those times when you have to hide your secrets from your parents? Or those times wherein you just felt like sharing your secrets to your friends? I’m pretty sure that we’ve had our fair share of keeping secrets.

Fast forward to X number of years, we now live in a digitized society. A kind of society which is quite different from what we’ve experienced when we were younger. Now, anything can be done with the touch of your fingertips. 

We can now buy different items effortlessly from overseas. We can now send well-wishes to our relatives from abroad in just a few minutes and even get a reply in a jiffy. Commercial transactions and social activities have never been this easy. 

With these advancements, however, our little secrets may no longer be safe. Since we are required to provide these online platforms with all sorts of information for us to access their services, we begin to lose grip on how we can control the flow of our information. Thus, the need for certain safeguards for our secrets to remain as secrets.

What is the right to privacy?

The term was coined in an 1890 article by Warren and Brandeis. According to them, the right to privacy was the right to be let alone and was contingent to an individual’s right to property. International agreements also have embodied and recognized every individual’s right to privacy. The UDHR and ICCPR provides that no one shall be subjected to arbitrary interference of his privacy and shall have a right to protection under the law against such interferences. 

The Philippine laws are also replete with such protection. The Bill of Rights of the 1987 Constitution provides… 

First, that “no person shall be deprived of life, liberty, or property”. Next, that people have the right to be secure in their persons, houses, papers, and effects. And lastly, that the State also recognizes the privacy of communication and correspondence as inviolable.

Types of Privacy.

There are two main types of privacy, first is Informational Privacy which refers to one’s interest in avoiding disclosures of personal matters. Second is Decisional Privacy which refers to an individual’s right of independence in making decisions.

The Data Privacy Act of 2012.

In response to its international law obligations and as mandated by the Constitution, the Philippines enacted Republic Act No. 10173, or the Data Privacy Act of 2012. Section 2 of the said Act provides that it shall be the policy of the State to protect the fundamental human right of privacy of communication while ensuring free flow of information to promote innovation and growth. It also provides that the State recognizes the vital role of information and communication technology in nation-building and its inherent obligation to ensure that personal information and communication systems in the government and in the private sector are secured and protected.

So the Data Privacy Acts Mechanics, in a nutshell.

Generally, the DPA or the Data Privacy Act applies to the processing of personal information and to those involved in personal information processing. 

First, these [include] the controllers and processors who may or may not be in the Philippines… As long as the data being processed is with regard to a Philippine citizen or resident, or that there are certain links established between the Philippines or the data processor.

As with most rules, there are exceptions. The law does not apply to information about: 

First, government employees. Next, information for journalistic, artistic, or research purposes. And lastly, information to carry-out governmental functions

Who are the main characters in a data privacy transaction? 

There are three. First, there is the Data Subject who is the individual whose personal information is processed. Next, a Personal Information Controller. He is the one who controls the collection, holding, processing or use of personal information. There is also Personal Information Processor. He is one to whom a Personal Information Collector may outsource the processing of personal data pertaining to a Data Subject. And finally, the National Privacy Commission which is an independent body created to administer and implement the provisions of the Data Privacy Act. It also monitors compliance of the Philippines with international standards set for data protection.

What is data processing? 

Basically, there are three steps for Data Processing. 

First is the collection. Data Subject forwards to the Collector certain information whether it be personal or sensitive personal information. 

Personal Information refers to information from which the identity of an

Individual becomes apparent or can reasonably be ascertained by the information holder. Example of such are full name and date of birth. 

Sensitive Personal Information would refer to an individual’s race, ethnic origin, marital status, religion, health, education, or sexual life. It may also refer to information issued by the government, such as social security numbers, licenses, and tax returns.

The Data Privacy Act provides that there must be a specified and legitimate purpose for the collection of data, which are determined and declared before, or as soon as reasonably practicable after collection.

Second Step, Processing.

Certain operations done on the Data Subject’s personal information would include collection, recording, organization and updating. Processing must be done in such a way that is compatible with the declared, specified and legitimate purpose. 

Personal information must be fairly and lawfully processed and the data must be accurate and relevant; inaccurate data must be rectified, supplemented and destroyed.

More importantly, the processing of personal information may only be permitted if it is not prohibited by law and certain conditions exist. Such conditions may be in the form of the Data Subject’s consent or that the Personal Information Collector or the third party to which personal information [is] disclosed has a legitimate interest being pursued.

Consent would refer to the Data Subject’s assent to the collection and processing of personal information relating to him or to her. It shall be evidenced by written, electronic, or recorded means.

While on the other hand, legitimate interest would refer to a flexible condition which provides that processing of personal information may be done if such is beneficial to the Data Subject or that there may be a limited privacy impact on the individual. 

And finally, retention.

Controllers and Processors may keep obtained data as long as it is necessary for the fulfillment of the purpose for which data obtained. They may also keep it as for purposes of defense in legal claims or for legitimate business purposes or as provided by law. 

Data Subject’s Rights under the Law.

Data Subjects have eight rights under the Data Privacy Act. 

The first is the “Right to be informed”. Since personal information is considered as one’s right to property, it can never be processed without an individual’s explicit consent through duly accomplished consent forms. Based on the National Privacy Commission, Data Subjects have the right to be informed that their personal data will be, are being, or were collected and processed.

The next is the “Right to access”. This refers to an individual’s right to find out whether an organization has any personal data about the Data Subject and gain access to these data.

Third is the “Right to object”. Although Controllers and Processors obtains consent or has legitimate interest for the processing of data, an individual may still object or withhold their consent for the processing of their information for purposes such as direct marketing or profiling.

The fourth is the “Right to erasure or blocking”. It refers to an individual’s right to suspend, withdraw or order the blocking, removal or destruction of [his or her] personal data. This may be exercised in case personal data is incomplete or outdated, or when it is false or unlawfully obtained. This right is also available in case that the data are being processed for unauthorized purposes.

Fifth, the “Right to damages”. Based on the Data Privacy Act, one may claim compensation for suffering damages due to inaccurate, incomplete, outdated, or unlawfully obtained or unauthorized use of personal information which would violate a Data Subject’s right and freedom.

Sixth, “Right to file a complaint”. For any violation of the Data Subject’s rights under the Data Privacy Act, he or she may file a complaint with the National Privacy Commission.

Seventh, “Right to rectify”. An individual may dispute and have his or her data corrected for any error or inaccuracy.

And lastly, the “Right to data portability”. According to the National Privacy Commission, this right assures that YOU remain in full control of YOUR data. Data portability allows you to obtain and electronically move, copy or transfer your data in a secure manner. It enables the free flow of your personal information across the internet and organizations, according to your preference. 

Data Breach and Identity Theft.

Data breach refers to a security incident in which information is accessed without authorization. While on the other hand, identity theft refers to the intentional acquisition, use, misuse, transfer, possession, alteration or deletion of identifying information belonging to another, without a right.

In case of data breach or when sensitive personal information [is] being used to enable identity fraud [is] reasonably believed to have been acquired by an unauthorized person there are two courses of action which may be availed of.

First, under the Data Privacy Act, the National Privacy Commission must be notified of the nature of the breach, information involved, measures taken, scope of the breach.  Upon finding of liability, the NPC may thereafter impose the necessary penalty commensurate with the unauthorized access or intentional breach.

Second, an individual may prosecute under the Cybercrime Prevention Act of 2012 wherein an individual may be held criminally liable for computer-related identity theft if he or she intentionally acquires, uses, or misuse information belonging to another without the right.

Summary.

The personal information that we provide the different Controllers or Processors [is] like our most treasured secrets. We should be careful whenever we disclose certain information about ourselves and must make sure that we are giving these information to people whom we can trust and that we are giving it for a valid purpose – because…

Consent is key. Consent will provide us with the necessary protection when it comes to our disclosed information. 

Before we give away our data, we must ALWAYS make sure that we know the reason why we are giving it out and we must KNOW the purpose for which our data will be used. 

Finally, under the Data Privacy Act, we have eight recognized rights to control our personal information. Keep in mind that we can always have it corrected, we can always prevent its further disclosure to third parties, and we can also sue for damages.

It is incumbent upon us that we familiarize ourselves with these rights so that we can prevent any untoward incident in relation to our personal data. As they would always say, prevention is better than cure.