
Data Privacy Act of the Philippines

MANILA, Philippines – The National Privacy Commission (NPC) yesterday released the implementing
rules and regulations (IRR) for the Data Privacy Act, a law seeking to protect personal information
collected both by the government and the private sector in the Philippines.

The NPC is also tasked to monitor compliance with the provisions of the law and to adjudicate complaints
and investigations on matters affecting personal data.

The IRR was released two years after former president Benigno Aquino III signed the measure. The
implementing rules cover data privacy principles, lawful processing of personal data, security measures
for the protection of personal data, security of sensitive personal information in the government, rights of data
subjects and data breach notification.

Some other notable features of the IRRs include:

- The scope of protected information: The IRRs seek to protect “personal information”, meaning “any
information, whether recorded in a material form or not, from which the identity of an individual is apparent or
can be reasonably and directly ascertained by the entity holding the information, or when put together with
other information would directly and certainly identify an individual”.

- Data protection principles: The IRRs recognize transparency, legitimate purpose, and proportionality as the
key principles to be adhered to in the processing of personal information.

- Data sharing: The IRRs require that data subjects consent to any private sector data sharing. Consent must
be accompanied by detailed disclosures to data subjects before the sharing takes place, including the specific
identities of the personal information controllers and personal information processors with whom personal
information will be shared. The IRRs specifically state that consent will be required for intra-group sharing
arrangements. A form of data sharing agreement must be entered into, and these agreements will be reviewable
by the NPC on its own motion or following a complaint by a data subject.

- Data protection officers: The IRRs require any person or body involved in the processing of personal
information to designate an individual as data protection officer, compliance officer or otherwise as the person accountable
for ensuring the protection of data privacy and security.

- Security measures: The IRRs set out the NPC’s expectations on security measures to be adopted in the
processing of personal information, requiring that reasonable and appropriate organizational, physical and
technical measures be put in place. Examples include the need for privacy in the physical design of office
space, the ability to restore personal information in the event of an interruption, and encryption of personal
information during storage, while in transit and during the authentication process.

- Mandatory breach notification: Personal information controllers are required to notify the NPC and affected
data subjects within 72 hours in the event of an acquisition by any unauthorized person of sensitive personal
information, or of information that may be used to commit identity fraud.

- Penalties: The IRRs carry significant penalties for breach, demonstrating the seriousness with which instances
of personal data breaches are to be regarded. Examples of such penalties include imprisonment of 1 to 3 years
and a fine of up to Php 1 million for unauthorized disclosure of personal information, and imprisonment for 3
to 6 years and a fine of Php 4 million for processing sensitive personal information without the consent of the
data subject.
