RA 10173 Data Privacy Act of 2012

SUMMARY
Republic Act No. 10173, also known as the Data Privacy Act of 2012, is an act protecting
individual personal information in information and communications systems in the
government and the private sector. The Act aims to protect the fundamental human
right of privacy, of communication while ensuring free flow of information to promote
innovation and growth. It also aims to ensure that personal information in information
and communications systems in the government and in the private sector are secured
and protected.
SCOPE
This Act applies to the processing of all types of personal information and to any natural
and juridical person involved in personal information processing including those
personal information controllers and processors who, although not found or established
in the Philippines, use equipment that are located in the Philippines, or those who
maintain an office, branch or agency in the Philippines.
However, this Act does not apply to the following:
1. Information about any individual who is or was an officer or employee of a
government institution that relates to the position or functions of the individual;
2. Information about an individual who is or was performing service under contract
for a government institution that relates to the services performed, including the
terms of the contract, and the name of the individual given in the course of the
performance of those services;
3. Information relating to any discretionary benefit of a financial nature such as the
granting of a license or permit given by the government to an individual,
including the name of the individual and the exact nature of the benefit;
4. Personal information processed for journalistic, artistic, literary or research
purposes;
5. Information necessary in order to carry out the functions of public authority
which includes the processing of personal data for the performance by the
independent, central monetary authority and law enforcement and regulatory
agencies of their constitutionally and statutorily mandated functions. Nothing in
this Act shall be construed as to have amended or repealed Republic Act No.
1405, otherwise known as the Secrecy of Bank Deposits Act; Republic Act No.
6426, otherwise known as the Foreign Currency Deposit Act; and Republic Act No.
9510, otherwise known as the Credit Information System Act (CISA);
6. Information necessary for banks and other financial institutions under the
jurisdiction of the independent, central monetary authority or Bangko Sentral ng
Pilipinas to comply with Republic Act No. 9510, and Republic Act No. 9160, as
amended, otherwise known as the Anti-Money Laundering Act and other
applicable laws; and
7. Personal information originally collected from residents of foreign jurisdictions in
accordance with the laws of those foreign jurisdictions, including any applicable
data privacy laws, which is being processed in the Philippines.
PUNISHABLE OFFENSES
1. Unauthorized Processing of Personal Information and Sensitive Personal
Information
2. Accessing Personal Information and Sensitive Personal Information Due to
Negligence

3. Improper Disposal of Personal Information and Sensitive Personal Information

4. Processing of Personal Information and Sensitive Personal Information for
Unauthorized Purposes
5. Unauthorized Access or Intentional Breach
6. Concealment of Security Breaches Involving Sensitive Personal Information
7. Malicious Disclosure
8. Unauthorized Disclosure
EXTRATERRITORIAL APPLICATION
This Act applies to an act done or practice engaged in and outside of the Philippines by
an entity if:
(a) The act, practice or processing relates to personal information about a Philippine
citizen or a resident;
(b) The entity has a link with the Philippines, and the entity is processing personal
information in the Philippines or even if the processing is outside the Philippines as long
as it is about Philippine citizens or residents;
(c) The entity has other links in the Philippines
SALIENT FEATURES1
1. It applies to processing of personal information and sensitive personal information
(Section 3L).
2. Created the National Privacy Commission to monitor the implementation of this law.
(section 7)
3. Gave parameters on when and on what premise can data processing of personal
information be allowed. Its basic premise is when a data subject has given direct
consent. (section 12 and 13)
4. Companies who subcontract processing of personal information to third party shall
have full liability and cant pass the accountability of such responsibility. (section 14)
5. Data subject has the right to know if their personal information is being processed.
The person can demand information such as the source of info, how their personal
information is being used, and copy of their information. One has the right to request
removal and destruction of ones personal data unless there is a legal obligation that
required for it to be kept or processed. (Section 16 and 18)
6. If the data subject has already passed away or became incapacitated (for one reason
or another), their legal assignee or lawful heirs may invoke their data privacy rights.
(Section 17)
7. Personal information controllers must ensure security measures are in place to
protect the personal information they process and be compliant with the requirements
of this law. (Section 20 and 21)
8. In case a personal information controller systems or data got compromised, they
must notify the affected data subjects and the National Privacy Commission. (Section
20)
9. Heads of government agencies must ensure their system compliance to this law
(including security requirements). Personnel can only access sensitive personal
information off-site, limited to 1000 records, in government systems with proper
authority and in a secured manner. (Section 22)
EFFECTIVITY

1 http://digitalfilipino.com/salient-features-of-data-privacy-act-of-2012-republic-act10173/

This Act was signed into law on 15 August 2012 and took effect on 8 September 2012.