Notes On Data Privacy

  • Uploaded by: David Bryan Tan Ong
  • October 2019

Data Privacy Act

Who are covered:

Under the implementing rules and regulations (IRR), the Personal Information Controllers (PICs) and the Personal Information Processors (PIPs) are mandated to register their personal data processing systems with the NPC under the following conditions:

  • If sensitive personal information of at least 1,000 individuals is processed;
      o Sensitive personal information refers to personal information:
          § About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;
          § About an individual’s health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such individual, the disposal of such proceedings, or the sentence of any court in such proceedings;
          § Issued by government agencies peculiar to an individual which includes, but is not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns; and
          § Specifically established by an executive order or an act of Congress to be kept classified.
  • If the personal information controller or processor employs at least 250 persons;
  • If less than 250 persons are employed but the processing is not occasional; or
  • If less than 250 persons are employed but the processing of the information might pose a risk to the rights and freedoms of the data subject.

Registration

A PIC or PIP shall register through the Commission’s official website (https://privacy.gov.ph/) in two (2) phases:

A. Phase I.

  i. Appoint a Data Protection Officer (DPO), who:
      a. Has expertise in relevant privacy or data protection policies and practices
      b. Has sufficient understanding of their organisation's processing operations, information systems, data security, and/or data protection needs
      c. Is a full-time or organic employee of the personal information controller or processor, as applicable
      d. Is a regular or permanent employee of the personal information controller or processor, as applicable, who should hold at least a 2-year employment contract with his or her organisation, and
      e. Is independent in the exercise of his or her functions such that the performance of his or her duties will not give rise to a conflict of interest.

      o By submitting a duly notarized Secretary’s Certificate authorizing the appointment or designation of the DPO, or any other document that demonstrates the validity of the appointment or designation.

  ii. A PIC or PIP, through its DPO, shall accomplish the prescribed application form, have it notarized and submit the same to the Commission together with all supporting documents such as:
      a. Certified true copy of any of the following documents, where applicable:
          a) Certificate of Registration (SEC Certificate, DTI Certification of Business Name or Sole Proprietorship) or any similar document; and/or
          b) Franchise, license to operate, or any similar document.

Upon review and validation of the submission, the Commission shall provide the PIC or PIP via email an access code, which shall allow it to proceed to Phase II of the registration process.

* Initial registration already ended on September 11, 2017. PICs and PIPs are still allowed to register, but they will be considered late registrants and will be a priority in the NPC’s audit.

B. Phase II.

Using the access code provided by the Commission, a PIC or PIP shall proceed to the online registration platform and provide all relevant information regarding its data processing systems. The Commission shall notify the PIC or PIP via email to confirm the latter’s successful completion of the registration process.

Subject to additional requirements as may be imposed by the NPC, covered entities should prepare the following information and documents:

  1. The name and address of the personal information controller or personal information processor, and of its representative, if any, including their contact details
  2. The purpose or purposes of the processing, and whether processing is being done under an outsourcing or subcontracting agreement
  3. A description of the category or categories of data subjects, and of the data or categories of data relating to them
  4. The recipients or categories of recipients to whom the data might be disclosed
  5. Proposed transfers of personal data outside the Philippines
  6. A general description of privacy and security measures for data protection
  7. Brief description of the data processing system
  8. Copy of all policies relating to data governance, data privacy, and information security
  9. Attestation to all certifications attained that are related to information and communications processing, and
  10. Name and contact details of the DPO.

The deadline for compliance with Phase II is March 8, 2018.

PICs and PIPs are also encouraged to fill out the Privacy Impact Assessment: although this is supposed to be merely an internal matter, the NPC usually asks for it. A template is provided on this website: https://privacy.gov.ph/wp-content/uploads/NPC-PIA-Template-v2.pdf
