Australia: New tough privacy regime in the Philippines - Data Privacy Act signed into law

Last Updated: 27 October 2012
Article by Alec Christie and Arthur Cheuk

INTELLECTUAL PROPERTY AND TECHNOLOGY NEWS

15 August 2012 marked the birth of the Data Privacy Act of 2012 ('Act'), the Philippines' first consolidated data privacy legislation, which was significantly influenced by Directive 95/46/EC of the European Union and the Asia-Pacific Economic Cooperation ('APEC') Privacy Framework. The Act follows a series of developments in the expansion of data privacy laws across the Asia Pacific region and adds to an increasingly complex data privacy environment, particularly for organisations using business process outsourcing ('BPO') services based in the region.

The Act aims to substantially raise the profile of the Philippines in the data privacy sphere (and as a destination for data processing business) by mandating that all personal information controllers ('Controllers'), being persons who control the collection, holding, processing or use of the personal information of others (defined in the Act as 'Data Subjects'), comply with a raft of requirements before any such collection, holding, processing or use may take place.

In the Philippines it is hoped that the Act will allay concerns over the security of personal information handled by employees of BPO companies based in the Philippines, which in turn will attract more investors to the information technology and BPO industry there. The Business Processing Association of the Philippines believes that the Act will allow the IT-BPO industry to expand from call centres into areas that involve handling sensitive personal data, such as health care and human resources, with projections of industry revenue increasing from USD 9 billion in 2011 to USD 25 billion by 2016.

Of particular note: in terms of the sanctions imposed on offenders, the Act is one of the toughest data privacy laws in the region. The Act introduces:

  • Fines and prison sentences for first-time breaches of the Act
  • Ongoing liability of Controllers for personal information sent offshore or provided to third party processors
  • Significant rights for Data Subjects, and
  • Bans on processing personal information for companies that breach the Act, and deportation of foreign individuals who breach it.

What the act applies to

The Act regulates the 'processing' of personal information, which is broadly defined to include any operation performed on the information, such as collection, organisation, modification, retrieval, consultation, use, blocking, erasure and destruction. 'Personal information' is defined, as in many other privacy regimes of the region, as any information from which the identity of the Data Subject is apparent or can be reasonably and directly ascertained or that, when put together with other information, will identify the Data Subject.

In accordance with its EU-influenced heritage and similar to the Australian privacy regime, the Act introduces the concept of 'sensitive personal information', a class of personal information which (due to its particular sensitivity) is subject to more stringent requirements for processing. Examples of such information include political affiliations, race, ethnic origin, marital status, age, sexual life, health information (including genetic information), criminal record, social security numbers and tax returns.

The Act also applies to Controllers and entities which are not established in the Philippines if:

  • The personal information is about citizens or residents of the Philippines
  • The entity has a 'Philippines link', examples of which include contracts entered into in the Philippines, or where a branch, agency or subsidiary of the entity is established in the Philippines, and
  • The entity has 'other links' with the Philippines, such as carrying on business there, or where the personal information was collected or held in the Philippines.

However, the Act does not apply to personal information originally collected from non-Philippine residents in accordance with the applicable foreign law, even if it is processed in the Philippines. This means that outsourced processing in the Philippines is exempt where the data has been collected overseas, an exemption intended to protect the Philippines IT-BPO industry. In practice, as the applicable foreign laws will continue to apply, outsourcing to the Philippines will remain cumbersome for the EU, Australia and other countries with data export restrictions.

A new national regulator for privacy

An independent privacy regulator, the National Privacy Commission ('NPC'), will be established to administer and implement the Act. Attached to the Department of Information and Communications Technology and headed by a Privacy Commissioner, the NPC will be responsible for the enforcement and administration of the Act. The NPC's powers include handling privacy-related complaints, conducting investigations, issuing compliance orders and imposing temporary or permanent bans on data processing by named Controllers.

General principles for the processing of personal information

Similar to many data privacy regimes in the region and globally, the Act sets out general data privacy principles ('Principles') by which all Controllers must abide. In brief, the Principles stipulate that personal information must be:

  • Collected for specified and legitimate purposes, which must be declared to the Data Subject before collection (or as soon as reasonably practicable after collection)
  • Processed (ie used) fairly and lawfully
  • Accurate and not excessive for the purposes for which it is collected and processed
  • Retained only for as long as necessary for the stated purposes, and
  • Anonymised or de-identified as soon as possible, subject to limited exceptions.

Conditions for the lawful processing of personal information

In addition to complying with the Principles, all Controllers must ensure that any processing of personal information (ie information other than sensitive personal information) takes place only if at least one of the following conditions applies:

  • The Data Subject has given his/her consent, which must be evidenced by written, electronic or recorded means
  • The processing is necessary to fulfil a contract with the Data Subject or to fulfil the Data Subject's requests prior to entering into the contract
  • The processing is necessary for compliance with the legal obligations of the Controller
  • The processing is necessary to protect the vital interests of the Data Subject (such as his/her life or health)
  • The processing is necessary to respond to national emergencies, or
  • The processing is necessary for the purposes of the legitimate interests of the Controller or third party recipients of the personal information, subject to the fundamental rights of the Data Subjects.

The processing of sensitive personal information is generally prohibited under the Act unless:

  • The Data Subject has given his/her consent (though not expressly stated, we expect in writing or by electronic or recorded means)
  • The processing is expressly permitted by law
  • The processing is necessary to protect the life or health of a person or persons or is necessary for the purposes of medical treatment, or
  • The processing is necessary to achieve the lawful and non-commercial objectives of public organisations, subject to the Data Subject's consent, or
  • The processing concerns such personal information as is necessary to protect a person's lawful rights and interests in legal proceedings.

Notification required prior to collection

Following the EU and numerous regional privacy models, the Controller must generally notify the Data Subjects of the particulars of the processing (ie proposed uses of the information) before collecting their personal information and entering it into their processing systems (or as soon as practically possible thereafter). The particulars that the Data Subject must be notified of are:

  • A description of the personal information to be collected/entered into the system
  • The purposes of the processing (ie uses of the information)
  • Scope and method of the processing
  • Possible recipients or classes of recipients to whom the personal information may be disclosed
  • Methods by which the personal information may be accessed automatically
  • Identity and contact details of the Controller, and
  • The Data Subject's rights to access and correct their personal information, as well as his/her right to make complaints to the NPC.

However, notification is not required under certain limited circumstances, including where the processing is for 'obvious purposes'. Examples of such 'obvious purposes' include circumstances where the processing is necessary for the performance of a contract entered into by the Data Subject, in the employment relationship between the Controller and the Data Subject and where the collection and processing are done as a result of a legal obligation.

Transfer of personal information and subcontracting

Unlike some regional jurisdictions, the Act does not prohibit or restrict the overseas transfer of personal information. However, where personal information is sent to a third party for processing, the Controller remains accountable for complying with the Act, irrespective of whether the third party processor is located in the Philippines or overseas.

To the extent that personal information is transferred to third parties for processing, Controllers must impose on third party processors the same security obligations as imposed on the Controller under the Act (see under the heading 'Security Measures' below).

Rights of data subjects

Data Subjects have a number of rights under the Act, many of which could potentially translate to significant administrative costs for Controllers. For example, Data Subjects have the right to demand from the Controller reasonable access to a wide variety of information, including the following:

  • His/her personal information which has been processed
  • Sources from which the personal information has been obtained
  • Names and addresses of the recipients to whom the personal information has been disclosed
  • The manner by which the personal information was processed
  • Reasons for disclosing the personal information
  • Information on any automated processes by which the personal information may be used as the sole basis for decisions which will affect the Data Subject, and
  • The date of last access or modification of the personal information.

This list of information which Data Subjects are entitled to request goes beyond the access and correction rights found in the data protection laws of many regional jurisdictions. In particular, the sources of personal information, the names and addresses of recipients and information on automated processes will impose on Controllers a heavy burden of keeping detailed records of their data handling practices. In addition, Data Subjects have the right to dispute inaccuracies in their personal information and to request the erasure or destruction of any of their personal information which is found to be inaccurate, or which was collected or used without their authorisation.

To the extent that a Data Subject suffers damage as a result of any inaccurate information or unauthorised use of his/her personal information, the Controller/organisation is required by the Act to indemnify him/her against all such damage. This places considerable pressure on Controllers to ensure that the personal information they collect and use is collected and processed in accordance with the Act, the Principles and the consent from the Data Subject, as well as kept accurate, up to date and secured.

Security measures

All Controllers must implement reasonable and appropriate organisational, physical and technical measures to protect the personal information in their care, particularly against 'natural dangers' (such as accidental loss or destruction) and 'human dangers' (such as unlawful access, fraudulent misuse, unlawful destruction, alteration and contamination).

What measures are appropriate will depend on a number of factors, including the risks involved in the processing, the size of the Controller's organisation, the complexity of its operations, current data privacy best practices (implying that Controllers must keep abreast of developments in the data privacy sphere) and the cost of implementing the measures. Subject to further guidance from the NPC, the Act stipulates specific measures which Controllers must implement, such as computer network safeguards, security policies for processing, processes for identifying and assessing reasonably foreseeable vulnerabilities in computer networks, breach-correction measures and regular monitoring for security breaches.

Breach notification

In the event of a security breach involving sensitive personal information, or personal information that may be used to enable identity fraud, where the Controller or the NPC believes the breach is likely to give rise to a real risk of harm to the affected Data Subjects, Controllers are required to notify both the NPC and the affected Data Subjects. Non-compliance with this requirement may result in criminal prosecution and is punishable by imprisonment of between 18 months and 5 years and fines of between PHP 500,000 and PHP 1 million (approximately USD 12,000 to USD 24,000).

No second chances (severe sanctions)

Non-compliance with the Act can generally result in serious ramifications. Unlike some regional jurisdictions such as Hong Kong and Australia, where non-compliance with most provisions results only in an enforcement notice (breach of which in Hong Kong is then a criminal offence), the Act offers no second chances: breaches of the Act are offences in themselves. Depending on the nature of the breach, Controllers may be penalised for individual breaches by imprisonment for between 3 and 6 years and fines of between PHP 500,000 and PHP 4 million (approximately USD 12,000 to USD 96,000).

Multiple breaches of the Act may also be penalised by imprisonment for between 3 and 6 years and fines of between PHP 1 million and PHP 5 million (approximately USD 24,000 to USD 120,000). Furthermore, any breaches where 100 or more persons are harmed or affected will be subject to the maximum penalties.

Any company that is found to have breached the Act (such as to constitute an offence) may also have its right to process personal information revoked. In addition, of note for foreign individuals dealing with personal information in the Philippines, if the person who breaches the Act is an alien he/she shall be deported from the Philippines without further proceedings after serving any prison term and/or paying any penalties levied.

Getting your business ready: what you need to do now!

The NPC will provide further guidance on the Act by promulgating implementing rules and regulations ('IRR'). To allow existing businesses to come to grips with the new legislation there is a transitory period of one year, which will begin to run from the date the IRR come into effect. New businesses will not get the benefit of the transition period.

However, even if the transition period is applicable, given the level of organisational and technical compliance the Act requires from Controllers and the wide scope of the rights given to Data Subjects, a year for transition seems a very short time. Time is therefore of the essence for organisations to take active measures now to prepare their data collection, handling and processing/use practices for compliance with the Act. Examples of key steps to take now include:

  • Reviewing existing data protection and security practices
  • Updating data collection / customer take-on documentation
  • Reviewing processor contracts, and
  • Developing internal data privacy guidelines and protocols.

Of course, we are happy to assist you to prepare for this and with any of your regional or global data privacy requirements.

© DLA Piper

This publication is intended as a general overview and discussion of the subjects dealt with. It is not intended to be, and should not be used as, a substitute for taking legal advice in any specific situation. DLA Piper Australia will accept no responsibility for any actions taken or not taken on the basis of this publication.


DLA Piper Australia is part of DLA Piper, a global law firm, operating through various separate and distinct legal entities. For further information, please refer to www.dlapiper.com
