Australia: New tough privacy regime in the Philippines Data Privacy Act signed into law

Last Updated: 27 October 2012
Article by Alec Christie and Arthur Cheuk

INTELLECTUAL PROPERTY AND TECHNOLOGY NEWS

15 August 2012 marked the birth of the Data Privacy Act of 2012 ('Act') – the Philippines' first ever consolidated data privacy legislation, which was significantly influenced by Directive 95/46/EC of the European Union and the Asia Pacific Economic Cooperation ('APEC') Information Privacy Framework. The introduction of the Act follows a series of developments in the expansion of data privacy laws in the Asia Pacific region and adds to an increasingly complex data privacy environment, particularly for organisations using business process outsourcing ('BPO') services based in the region.

The Act aims to substantially raise the profile of the Philippines in the data privacy (and business in the data processing) sphere by mandating that all personal information controllers ('Controller'), being persons who control the collection, holding, processing or use of the personal information of others (defined in the Act as 'Data Subjects'), comply with a raft of requirements before any such collecting, holding, processing or use may take place.

In the Philippines it is hoped that the Act will allay concerns over the security of personal information handled by employees of BPO companies based in the Philippines, which in turn will attract more investors in the information technology and BPO industry in the Philippines. The Philippines Business Processing Association believes that the Act will facilitate the IT – BPO industry expanding from call centers to areas that involve handling sensitive personal data such as in the health care and human resources areas, with projections of revenue in the industry increasing from USD 9 billion in 2011 to USD 25 billion by 2016.

Of particular note: in terms of the sanctions imposed on offenders, the Act is one of the toughest pieces of data privacy legislation in the region. The Act introduces:

  • Fines and prison sentences for first time breaches of the Act
  • Ongoing liability of Controllers for personal information sent offshore/provided to third party processors
  • Significant rights of Data Subjects, and
  • The prospect that companies that breach the Act may be prevented from processing personal information, and that individual foreigners who breach the Act will be deported.

What the act applies to

The Act regulates the 'processing' of personal information, which is broadly defined to include any operation performed on the information, such as collection, organisation, modification, retrieval, consultation, use, blocking, erasure and destruction. 'Personal information' is defined, as in many other privacy regimes of the region, as any information from which the identity of the Data Subject is apparent or can be reasonably and directly ascertained or that, when put together with other information, will identify the Data Subject.

In accordance with its EU-influenced heritage and similar to the Australian privacy regime, the Act introduces the concept of 'sensitive personal information', a class of personal information which (due to its particular sensitivity) is subject to more stringent requirements for processing. Examples of such information include political affiliations, race, ethnic origin, marital status, age, sexual life, health information (including genetic information), criminal record, social security numbers and tax returns.

The Act also applies to Controllers and entities which are not established in the Philippines if:

  • The personal information is about citizens or residents of the Philippines
  • The entity has a 'Philippines link', examples of which include contracts entered into in the Philippines, or where a branch, agency or subsidiary of the entity is established in the Philippines, and
  • The entity has "other links" with the Philippines, such as carrying on business there or if the personal information was collected or held in the Philippines.

However, the Act does not apply to personal information which is originally collected from non-Philippine residents in accordance with the applicable foreign law, even if processed in the Philippines. This means that outsourced processing in the Philippines is exempt where data has been collected overseas, in an attempt to protect the Philippines IT – BPO industry. In actual fact, as the applicable foreign laws will continue to apply, outsourcing to the Philippines will remain cumbersome for the EU, Australia and other countries with data export restrictions.

A new national regulator for privacy

An independent privacy regulator, the National Privacy Commission ('NPC'), will be established to administer and implement the Act. The NPC will be attached to the Department of Information and Communications Technology and headed by a Privacy Commissioner. Its powers include handling privacy-related complaints, conducting investigations, issuing orders for compliance and issuing temporary or permanent bans on data processing by named Controllers.

General principles for the processing of personal information

Similar to many data privacy regimes in the region and globally, the Act sets out general data privacy principles ('Principles') by which all Controllers must abide. In brief, the Principles stipulate that personal information must be:

  • Collected for specified and legitimate purposes, which must be declared to the Data Subject before collection (or as soon as reasonably practicable after collection)
  • Processed (ie used) fairly and lawfully
  • Accurate and not excessive for the purposes for which it is collected and processed
  • Retained only for as long as necessary for the stated purposes, and
  • Anonymised or de-identified as soon as possible, subject to limited exceptions.

Conditions for the lawful processing of personal information

In addition to complying with the Principles, all Controllers must ensure that any processing of personal information (ie information that is not sensitive personal information) takes place only if at least one of the following conditions applies:

  • The Data Subject has given his/her consent, which must be evidenced by written, electronic or recorded means
  • The processing is necessary to fulfil a contract with the Data Subject or to fulfil the Data Subject's requests prior to entering into the contract
  • The processing is necessary for compliance with the legal obligations of the Controller
  • The processing is necessary to protect the vital interests of the Data Subject (such as his/her life or health)
  • The processing is necessary to respond to national emergencies, or
  • The processing is necessary for the purposes of the legitimate interests of the Controller or third party recipients of the personal information, subject to the fundamental rights of the Data Subjects.

The processing of sensitive personal information is generally prohibited under the Act unless:

  • The Data Subject has given his/her consent (though not expressly stated, we expect in writing or by electronic or recorded means)
  • The processing is expressly permitted by law
  • The processing is necessary to protect the life or health of a person or persons or is necessary for the purposes of medical treatment
  • The processing is necessary to achieve the lawful and non-commercial objectives of public organisations, subject to the Data Subject's consent, or
  • The processing concerns such personal information as is necessary to protect a person's lawful rights and interests in legal proceedings.

Notification required prior to collection

Following the EU and numerous regional privacy models, the Controller must generally notify the Data Subjects of the particulars of the processing (ie proposed uses of the information) before collecting their personal information and entering it into their processing systems (or as soon as practically possible thereafter). The particulars that the Data Subject must be notified of are:

  • A description of the personal information to be collected/entered into the system
  • The purposes of the processing (ie uses of the information)
  • Scope and method of the processing
  • Possible recipients or classes of recipients to whom the personal information may be disclosed
  • Methods by which the personal information may be accessed automatically
  • Identity and contact details of the Controller, and
  • The Data Subject's rights to access and correct their personal information, as well as his/her right to make complaints to the NPC.

However, notification is not required under certain limited circumstances, including where the processing is for 'obvious purposes'. Examples of such 'obvious purposes' include circumstances where the processing is necessary for the performance of a contract entered into by the Data Subject, in the employment relationship between the Controller and the Data Subject and where the collection and processing are done as a result of a legal obligation.

Transfer of personal information and subcontracting

Unlike some regional jurisdictions, the Act does not prohibit or restrict the overseas transfer of personal information. However, where personal information is sent to a third party for processing, the Controller remains accountable for complying with the Act, irrespective of whether the third party processor is located in the Philippines or overseas.

To the extent that personal information is transferred to third parties for processing, Controllers must impose on third party processors the same security obligations as imposed on the Controller under the Act (see under the heading 'Security Measures' below).

Rights of data subjects

Data Subjects have a number of rights under the Act, many of which could potentially translate to significant administrative costs for Controllers. For example, Data Subjects have the right to demand from the Controller reasonable access to a wide variety of information, including the following:

  • His/her personal information which has been processed
  • Sources from which the personal information has been obtained
  • Names and addresses of the recipients to whom the personal information has been disclosed
  • The manner by which the personal information was processed
  • Reasons for disclosing the personal information
  • Information on any automated processes by which the personal information may be used as the sole basis for decisions which will affect the Data Subject, and
  • The date of last access or modification of the personal information.

This list of information which Data Subjects are entitled to request access to goes beyond the access and correction rights found in the data protection laws of many regional jurisdictions. In particular, the sources of personal information, the names and addresses of recipients and the information on automated processes will impose on Controllers a heavy burden of keeping detailed records of their data handling practices. In addition, Data Subjects have the right to dispute inaccuracies in their personal information, and to request the erasure or destruction of any of their personal information that is found to be inaccurate or that was used or collected without their authorisation.

To the extent that a Data Subject suffers damage as a result of any inaccurate information or unauthorised use of his/her personal information, the Controller/organisation is required by the Act to indemnify him/her against all such damage. This places considerable pressure on Controllers to ensure that the personal information they collect and use is collected and processed in accordance with the Act, the Principles and the consent from the Data Subject, as well as kept accurate, up to date and secured.

Security measures

All Controllers must implement reasonable and appropriate organisational, physical and technical measures to protect the personal information in their care, particularly against 'natural dangers' (such as accidental loss or destruction) and 'human dangers' (such as unlawful access, fraudulent misuse, unlawful destruction, alteration and contamination).

What measures are appropriate will depend on a number of factors, including the risks involved in the processing, the size of the Controller's organisation, the complexity of its operations, current data privacy best practices (implying that Controllers must keep abreast of developments in the data privacy sphere) and the costs of implementing the measures. Subject to further guidance from the NPC, the Act stipulates specific measures which Controllers must implement, such as computer network safeguards, security policies for processing, processes for identifying and assessing reasonably foreseeable vulnerabilities in computer networks, breach-correction measures and regular monitoring for security breaches.

Breach notification

In the event of a security breach involving sensitive personal information, or personal information that may be used to enable identity fraud, where the Controller or the NPC believes the breach is likely to give rise to a real risk of harm to the affected Data Subjects, Controllers are required to notify both the NPC and the affected Data Subjects. Non-compliance with this requirement may result in criminal prosecution and is punishable by imprisonment of between 18 months and 5 years and fines of between PHP 500,000 and PHP 1 million (approximately USD 12,000 to USD 24,000).

No second chances (severe sanctions)

Non-compliance with the Act generally can result in serious ramifications. Unlike some regional jurisdictions such as Hong Kong and Australia, where non-compliance with most provisions only results in enforcement notices (the breach of which in Hong Kong is then a criminal offence), the Act offers no second chances and breaches of the Act are automatic offences. Depending on the nature of the breach, Controllers may be penalised by imprisonment for between 3 and 6 years and fines of between PHP 500,000 and PHP 4 million (approximately USD 12,000 to USD 96,000) for individual breaches.

Multiple breaches of the Act may also be penalised by imprisonment for between 3 and 6 years and fines of between PHP 1 million and PHP 5 million (approximately USD 24,000 to USD 120,000). Furthermore, any breaches where 100 or more persons are harmed or affected will be subject to the maximum penalties.

Any company that is found to have breached the Act (such as to constitute an offence) may also have its right to process personal information revoked. In addition, of note for foreign individuals dealing with personal information in the Philippines, if the person who breaches the Act is an alien he/she shall be deported from the Philippines without further proceedings after serving any prison term and/or paying any penalties levied.

Getting your business ready: what you need to do now!

The NPC will provide further guidance on the Act by promulgating implementing rules and regulations ('IRR'). To allow existing businesses to come to grips with the new legislation there is a transitory period of one year, which will begin to run from the date the IRR come into effect. New businesses will not get the benefit of the transition period.

However, even if the transition period is applicable, given the level of organisational and technical compliance the Act requires from Controllers and the wide scope of the rights given to Data Subjects, a year for transition seems a very short time. Time is therefore of the essence for organisations to take active measures now to prepare their data collection, handling and processing/use practices for compliance with the Act. Examples of key steps to take now include:

  • Reviewing existing data protection and security practices
  • Updating data collection / customer take-on documentation
  • Reviewing processor contracts, and
  • Developing internal data privacy guidelines and protocols.

Of course, we are happy to assist you to prepare for this and with any of your regional or global data privacy requirements.

© DLA Piper

This publication is intended as a general overview and discussion of the subjects dealt with. It is not intended to be, and should not be used as, a substitute for taking legal advice in any specific situation. DLA Piper Australia will accept no responsibility for any actions taken or not taken on the basis of this publication.


DLA Piper Australia is part of DLA Piper, a global law firm, operating through various separate and distinct legal entities. For further information, please refer to www.dlapiper.com
