DATA PRIVACY FUNDAMENTALS
Atty. Leandro Angelo Y. Aguirre
➢ In an ongoing study by GWI, a London-based market research agency, Filipinos say they spend
an average of almost 11 hours online each day, which is almost 60% more than the global
average.
➢ JANUARY 2021: Online privacy and wellbeing
- 29.7% tracked screen time or set time limits for some apps in the past month
- 57.2% expressed concern about what is real or fake on the internet
- 38.2% expressed concern about how companies use personal data
- 45.3% used some form of ad-blocking tool in the past month
- 61.7% deleted cookies from a web browser in the past month
➢ The concept of privacy has evolved. Privacy is no longer just about being secure against
unreasonable searches and seizures within the four corners of our homes and the confidentiality
of our communication; it now covers even those things that we seek to preserve as private, even in a
public area.
➢ Data privacy is about:
1. People, not places
2. Personal choice
3. Control, not secrecy
4. The right to be left alone
➢ DATA PROTECTION:
- Confidentiality
- Availability
- Integrity
➢ DATA PRIVACY:
- Accountability
- Assurance
- Compliance
➢ The law upholds the right to privacy by protecting individual personal information
➢ The National Privacy Commission protects individual personal information by regulating the
processing of personal information
➢ SCOPE: Applies to the processing of all types of personal information, in the country and even
abroad, subject to certain qualifications
➢ PROCESSING: Any operation or any set of operations performed upon personal data including,
but not limited to, the collection, recording, organization, storage, updating or modification,
retrieval, consultation, use, consolidation, blocking, erasure or destruction of data
➢ DATA LIFE CYCLE: Create-Store-Use-Share-Archive-Destroy
➢ PERSONAL INFORMATION- any information, whether recorded in a material form or not,
from which the identity of an individual is apparent or can be reasonably and directly ascertained
by the entity holding the information, or which, when put together with other information, would
directly and certainly identify an individual
➢ BASIS FOR PROCESSING PERSONAL INFORMATION:
• CONTRACT- to supply goods or services the data subject has requested, or to fulfill your
obligations under an employment contract. This also includes steps taken at their request
before entering into a contract
• COMPLIANCE WITH A LEGAL OBLIGATION- if you are required by law to
process the data
• VITAL INTERESTS- you can process personal information if it is necessary to protect
the data subject’s life and health
• NATIONAL EMERGENCY- to respond to a national emergency or to comply with the
requirements of public order and safety
• PUBLIC TASK- if you need to process personal information to carry out a public function
or service and you have a legal basis for the processing
• LEGITIMATE INTERESTS- for the private sector, you can process personal data
without consent if you have a genuine and legitimate reason, unless this is overridden by
fundamental rights and freedom of the data subject
➢ SENSITIVE PERSONAL INFORMATION:
(1) race, ethnic origin, marital status, age, color, and religious, philosophical or political
affiliations
(2) health, education, genetic or sexual life of a person
(3) civil, criminal, or administrative proceedings
(4) unique identifiers issued by government agencies peculiar to an individual
(5) specifically established by law as classified
➢ BASIS FOR PROCESSING SENSITIVE PERSONAL INFORMATION:
• Consent
• EXISTING LAW AND REGULATION- you can process sensitive personal
information (SPI) when there is a regulatory enactment which requires the processing
• PROTECTION OF LIFE AND HEALTH- to protect someone's life, whether the data subject or
another person, where the data subject is not legally or physically able to express his consent
• PUBLIC ORGANIZATIONS- refers to processing done by non-stock, non-profit
organizations, cooperatives, and the like, where processing is only confined and related to
the bona fide members
• MEDICAL TREATMENT- when processing is carried out by a medical practitioner or
a medical treatment institution, and there is an adequate level of protection
• LAWFUL RIGHTS AND INTERESTS- when processing is necessary to protect lawful
rights and interests in court proceedings, in the establishment/exercise/defense of legal
claims, or when provided to a government or public authority
➢ PERSONAL INFORMATION CONTROLLER- a natural or juridical person, or any other
body, who controls the processing of personal data or instructs another to process personal data on
its behalf
- It excludes: A natural person who processes personal data in connection with his or her personal,
family, or household affairs
➢ OBLIGATIONS OF PERSONAL INFORMATION CONTROLLERS:
1. The PIC should collect personal information for specified and legitimate purposes determined
and declared before, or as soon as reasonably practicable after, collection
2. The PIC should collect and process personal information adequately and not excessively
3. The PIC should process personal information fairly and lawfully, and in accordance with the
rights of a data subject
4. The PIC should process accurate, relevant, and up to date personal information
5. The PIC should retain personal information only for as long as necessary for the fulfillment
of the purposes for which the data was obtained. The information should be kept in a form
which permits identification of data subjects for no longer than is necessary
6. The PIC must implement reasonable and appropriate organizational, physical and technical
measures intended for the protection of personal information
➢ GENERAL DATA PRIVACY PRINCIPLES:
• TRANSPARENCY- a data subject must be aware of the nature, purpose, and extent of the
processing of his or her personal data, including the risks and safeguards involved, the
identity of the personal information controller, his or her rights as a data subject, and how these
can be exercised. Any information and communication relating to the processing of personal
data should be easy to access and understand, using clear and plain language
• LEGITIMATE PURPOSE- the processing of information shall be compatible with a
declared and specified purpose, which must not be contrary to law, morals, or public policy
• PROPORTIONALITY- the processing of information shall be adequate, relevant, suitable,
necessary and not excessive in relation to a declared and specified purpose. Personal data
shall be processed only if the purpose of the processing could not reasonably be fulfilled by
other means
➢ ADVISORY OPINION NO. 2020-046 - the data included in the class roster (student’s school
name, grade level, section and test scores) are considered sensitive personal information as these
are related to the student’s education
➢ ADVISORY OPINION NO. 2019-017- the law provides special cases where the processing of
personal information is excluded from its scope, such as the processing "for research purpose…"
- However, such exemption is limited to the minimum extent of collection, access, use, disclosure
or other processing necessary to achieve the specific purpose, function or activity
- Researchers have concomitant obligations to implement the necessary security measures to
protect the personal data they process, uphold the rights of data subjects, and adhere to data
privacy principles and the other provisions of the DPA
- Apart from the laws and regulations on privacy, any code of ethics or any rules and regulations on
research issued and implemented by institutions involved in research must be complied with by
the researchers
➢ DATA SUBJECT- an individual whose personal, sensitive personal or privileged information is
processed
➢ RIGHTS OF THE DATA SUBJECT:
- Right to information
- Right to data portability
- Right to rectification
- Right to access
- Right to object
- Right to damages
- Right to file a complaint
- Right to erasure
➢ ADVISORY OPINION NO. 2018-013 – the privacy notice is an embodiment of the observance of the
data privacy principle of transparency and upholds the right to information of the data subjects
- Being a mere notice, it is emphasized that the privacy notice is not equivalent to consent
➢ NPC ADVISORY NO. 2021-01 - a data subject may only request to have access to his or her
own personal data and not to the information relating to any other individual
- This would likewise exclude any analysis made by the PIC with respect to a data subject’s
personal data
➢ CONSENT
The data subject agrees to the collection and processing:
✓ Freely given
✓ Specific
✓ Informed
✓ Indication of will
Evidenced by written, electronic or recorded means:
✓ Signature
✓ Opt-in box/clicking an icon
✓ Sending a confirmation email
✓ Oral communication
➢ ADVISORY OPINION NO. 2018-058 – "…as long as the purpose, scope, method, and extent
of the processing remain to be the same as that disclosed to the data subject when consent was
given, the consent remains to be valid"
➢ EFFECTIVITY OF CONSENT- the data subject must be given a real choice
- Any element of inappropriate pressure or influence which could affect the outcome of that choice
renders the consent invalid
➢ ADVISORY OPINION NO. 2018-063 - an enumeration of each and every purpose of the
processing in a single paragraph fails to provide the data subject with a genuine choice, since he will
still be bound to sign off on the entire provision in toto
➢ ADVISORY OPINION NO. 2018-020 – presumably, when an applicant applies for admission,
he/she is aware that the school will process the personal information for purposes that are relevant
to his or her admission
- This means that the applicant could reasonably expect that his or her name may be posted on the
bulletin board of the school if one has successfully hurdled the examinations
➢ UNAUTHORIZED PROCESSING OF PERSONAL INFORMATION AND SENSITIVE
PERSONAL INFORMATION
- PERSONAL INFORMATION: imprisonment ranging from 1 year to 3 years, and a fine of not
less than 500,000 but not more than 2M
- SENSITIVE PERSONAL INFORMATION: imprisonment ranging from 3 years to 6 years, and a
fine of not less than 500,000 but not more than 4M
➢ ACCESSING PERSONAL INFORMATION AND SENSITIVE PERSONAL INFORMATION
DUE TO NEGLIGENCE
- PERSONAL INFORMATION: imprisonment ranging from 1 year to 3 years, and a fine of not
less than 500,000 but not more than 2M
- SENSITIVE PERSONAL INFORMATION: imprisonment ranging from 3 years to 6 years, and a
fine of not less than 500,000 but not more than 4M
➢ IMPROPER DISPOSAL OF PERSONAL INFORMATION AND SENSITIVE PERSONAL
INFORMATION
- PERSONAL INFORMATION: imprisonment ranging from 6 months to 2 years, and a fine of
not less than 100k but not more than 500k
- SENSITIVE PERSONAL INFORMATION: imprisonment ranging from 1 year to 3 years, and a
fine of not less than 100k but not more than 1M
➢ PROCESSING OF PERSONAL INFORMATION AND SENSITIVE PERSONAL
INFORMATION FOR UNAUTHORIZED PURPOSES
- PERSONAL INFORMATION: imprisonment ranging from 1 year and 6 months to 5 years, and
a fine of not less than 500k but not more than 1M
- SENSITIVE PERSONAL INFORMATION: imprisonment ranging from 2 years to 7 years, and a
fine of not less than 500k but not more than 2M
➢ UNAUTHORIZED ACCESS OR INTENTIONAL BREACH- the penalty of imprisonment
ranging from 1 year to 3 years and a fine of not less than 500k but not more than 2M
➢ MALICIOUS DISCLOSURE- the penalty of imprisonment ranging from 1 year and 6 months
to 5 years and a fine of not less than 500k but not more than 1M
➢ CONCEALMENT OF SECURITY BREACHES INVOLVING PERSONAL
INFORMATION- the penalty of imprisonment of 1 year and 6 months to 5 years and a fine of
not less than 500k but not more than 1M
➢ UNAUTHORIZED DISCLOSURE- imprisonment from 1 year to 3 years and a fine of not less
than 500k but not more than 1M
➢ COMBINATION OR SERIES OF ACTS- any combination or series of acts as defined in
Sections 25 to 32 shall make the person subject to imprisonment ranging from 3 years to 6 years
and a fine of not less than 1M but not more than 5M
➢ LARGE-SCALE- the maximum penalty in the scale of penalties respectively provided for the
offenses shall be imposed when the personal information of at least 100 persons is harmed,
affected or involved as the result of the above-mentioned actions
➢ If the offender is a corporation, partnership, or any juridical person, the penalty shall be imposed
upon the responsible officers, as the case may be, who participated in, or by their gross
negligence, allowed the commission of the crime
- If the offender is a juridical person, the court may suspend or revoke any of its rights under this
Act