Data Privacy Act Flashcards

1
Q

Commission created by virtue of the data privacy act

A

national privacy commission

2
Q

It refers to any freely given, specific, informed indication of will, whereby the data subject agrees to the collection and processing of personal information about and/or relating to him or her

A

consent

3
Q

It refers to an individual whose personal information is processed

A

data subject

4
Q

It refers to communication by whatever means of any advertising or marketing material which is directed to particular individuals

A

direct marketing

5
Q

It refers to any set of information relating to natural or juridical persons to the extent that, although the information is not processed by equipment operating automatically in response to instructions given for that purpose, the set is structured, either by reference to individuals or by reference to criteria relating to individuals, in such a way that specific information relating to a particular person is readily accessible

A

filing system

6
Q

It refers to a system for generating, sending, receiving, storing or otherwise processing electronic data messages and includes the computer system or other similar device by which data is recorded, transmitted or stored and any procedure related to the recording, transmission or storage of electronic data

A

information and communications system

7
Q

It refers to a person or organization who controls the collection, holding, processing or use of personal information, including a person or organization who instructs another person or organization to do the same on his or her behalf

A

personal information controller

8
Q

The term personal information controller includes the person or organization who was instructed to perform or who performs the processing of personal information. True or false

A

False. The term only includes the person who controls or who instructs another person to do so

9
Q

It refers to any natural or juridical person qualified to act as such under the data privacy act to whom a personal information controller may outsource the processing of personal data pertaining to a data subject

A

personal information processor

10
Q

Determine whether or not the following are part of the scope of the data privacy act

  1. Processing of all types of personal information
  2. Any natural and juridical person involved in personal information processing
  3. Information about an individual who is or was an officer or employee of a government, related to his function
  4. Information about an individual who is or was performing service under contract for a government institution that relates to the services performed, including the terms of the contract, the name of the individual given in the course of the performance of the services
  5. Information relating to any discretionary benefit of a financial nature (e.g. License given by the government, name of the individual, and the exact nature of the benefit)
  6. Personal information processed for journalistic, artistic, literary or research purposes
  7. Information necessary in order to carry out the functions of public authority
  8. Information necessary for banks and other financial institutions
  9. Personal information originally collected from residents of foreign jurisdictions in accordance with the laws of those foreign jurisdictions
A

1 and 2 only

11
Q

These persons are afforded protection from being compelled to reveal the source of their information appearing in publications

A

publishers, editors or duly accredited reporters of any newspaper, magazine or periodical of general circulation

12
Q

The data privacy act applies to an act done or practice engaged in and outside of the philippines by an entity if

  1. The act, practice or process relates to personal information about ___________________
  2. The entity has a link with the philippines and the entity is processing personal information in the philippines or even if the processing is outside of the philippines as long as it is about philippine citizens or residents such as but not limited to
    a. _________ entered in the philippines
    b. a ____________________ unincorporated in the philippines but has central management and control in the country
    c. An entity that has a ____________________ in the philippines and the parent or affiliate of the philippine entity has access to personal information
  3. The entity has other links in the philippines such as
    a. The entity carries on business in the philippines
    b. The personal information was collected or held by an entity in the philippines
A

philippine citizen or resident; contract; juridical entity; branch agency or subsidiary

13
Q

Functions of the national privacy commission

  1. Compliance of personal information controllers
  2. Process complaints and investigate
  3. Issue cease and desist orders; impose bans on processing
  4. Compel any entity to abide by its orders
  5. Monitor compliance of other agencies
  6. Coordinate with other agencies and the private sector to implement policies to strengthen the protection of personal information
  7. Publish on a regular basis a guide to all laws relating to data protection
  8. Publish a compilation of agency system of records and notices
  9. Recommend to the doj the prosecution and imposition of penalties under this act
  10. Review privacy codes voluntarily adhered to by personal information controllers
  11. Provide assistance on matters relating to privacy or data protection
  12. Comment on the implication on data privacy of proposed national or local statutes
  13. Legislation to laws on privacy or data protection
  14. Coordination with data privacy regulators in other countries
  15. Negotiate and contract with other data privacy authorities
  16. Assist philippine companies doing business abroad to respond to foreign privacy or data protection laws
  17. Facilitate cross-border enforcement of data privacy protection
A
14
Q

The commission shall be attached to the department of __________________ and shall be headed by a _________________ who shall also act as _____________ of the commission

A

information and technology; privacy commissioner; chairman

15
Q

The privacy commissioner shall enjoy the benefits, privileges and emoluments equivalent to the rank of ______________

A

secretary

16
Q

The privacy commissioner shall be assisted by __________________

A

2 deputy privacy commissioners

17
Q

One deputy privacy commissioner shall be responsible for _________________; the other is responsible for _______________

A

data processing systems; policies and planning

18
Q

The deputy privacy commissioners shall enjoy the benefits, privileges and emoluments equivalent to the rank of __________

A

undersecretary

19
Q

Qualifications of the privacy commissioner

  1. At least ______ years of age
  2. A good moral character, unquestionable integrity and known probity
  3. A recognized expert in the field of information technology and data privacy
A

35

20
Q

True or false. The deputy privacy commissioners must be recognized experts in the field of information and communications technology and data privacy

A

true

21
Q

The privacy commissioner and the two deputy commissioners shall be appointed by the president of the philippines for a term of ______ and may be reappointed for another term of _____

A

3 years; 3 years

22
Q

True or false. Vacancies in the commission shall be filled in the same manner in which the original appointment was made

A

true

23
Q

The commissioners or any person acting on behalf of them shall not be criminally liable for acts done in good faith in the performance of their duties. True or false

A

false. Civilly

24
Q

True or false. Persons acting under the privacy commissioners shall be liable for willful or negligent acts done by him or her which are contrary to law, morals, public policy and good customs even if he or she acted under orders or instructions of superiors

A

true

25
Q

True or false. In case a lawsuit is filed against an official on the subject of the performance of his or her duties, where such performance is lawful, he or she shall shoulder the cost of the litigation

A

false, he or she shall be reimbursed by the commission for reasonable costs of litigation

26
Q

Majority of the members of the secretariat must have served for at least ________ in any agency of the government that is involved in the processing of personal information

A

5 years

27
Q

The processing of personal data shall be adequate, relevant, suitable, necessary and not excessive in relation to a declared and specified purpose. Personal data shall be processed by the company only if the purpose of the processing could not reasonably be fulfilled by other means. Principle of ______________

A

proportionality

28
Q

The processing of personal data by the company shall be compatible with a declared and specified purpose which must not be contrary to law, morals or public policy. Principle of _________________

A

legitimate purpose

29
Q

The data subject must be aware of the nature, purpose and extent of the processing of his or her personal data by the company, including the risks and safeguards involved, the identity of persons and entities involved in processing his or her personal data, his or her rights as a data subject, and how these can be exercised. Any information and communication relating to the processing of personal data should be easy to access and understand, using clear and plain language. Principle of ________________

A

transparency

30
Q

This refers to any information, whether recorded in a material form or not, from which the identity of an individual is apparent, or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual

A

personal information

31
Q

Criteria for lawful processing of personal information

  1. The data subject has given his or her _________
  2. The processing of personal information is necessary and is _________________________ with the data subject or in order to take steps at the request of the data subject prior to entering into a contract
  3. The processing is necessary for compliance with ________________ to which the personal information controller is subject
  4. The processing is necessary to protect vitally important interests of the data subject, including life and health
  5. The processing is necessary in order to respond to __________________, to comply with the requirements of ______________ or to fulfill functions of public authority which necessarily includes the processing of personal data for the fulfillment of its mandate
  6. The processing is necessary for the purposes of the ______________ pursued by the personal information controller or by a third party or parties to whom the data is disclosed
A

consent; related to the fulfillment of a contract; legal obligation; national emergency; public order and safety; legitimate interests

32
Q

It refers to any and all forms of data which under the rules of court and other pertinent laws constitute privileged communication

A

privileged information

33
Q

Sensitive personal information refers to personal information

  1. About an individual’s race, ethnic origin, marital status, age, color, religion, philosophical or political affiliations
  2. About an individual’s health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such person
  3. Issued by government agencies peculiar to an individual, which includes SSS numbers, health records, licenses, tax returns
  4. Specifically established by an executive order or an act of congress to be kept classified
A
34
Q

The processing of sensitive personal information and privileged information shall be prohibited except

  1. The data subject has given his or her __________
  2. The processing of the same as provided for by ____________
  3. The processing is necessary to protect _____________ of the data subject or another person
  4. The processing is necessary to achieve the lawful and ___________ objectives of public organizations and their associations
  5. The processing is necessary for purposes of ____________
  6. The processing concerns such personal information as is necessary for the protection of lawful rights and interests of natural or legal persons in court proceedings, or the establishment, exercise or defence of legal claims, or when provided to government or public authority
A

consent; law or regulation; life and health; noncommercial; medical treatment

35
Q

True or false. A personal information controller may subcontract the processing of personal information

A

true

36
Q

The personal information controller shall be responsible for ensuring the proper safeguards are in place to ensure

  1. The ____________ of the personal information processed
  2. Prevent its use for ___________ purposes, and generally,
  3. Comply with the requirements of the data privacy act and other laws for processing of personal information
A

confidentiality; unauthorized

37
Q

True or false. Personal information controller may invoke the principle of privileged communication over privileged information that they lawfully control or process. Subject to existing laws and regulations, any evidence gathered on privileged information is admissible

A

false. Inadmissible

38
Q

This is the right of the data subject to be informed whether personal information pertaining to him or her shall be, are being or have been processed

A

right to informed consent

39
Q

The following information must be provided before the entry of the personal information into the processing system or at the next practical opportunity

  1. _________ of the personal information to be entered into the system
  2. _________ for which they are being or are to be processed
  3. _________________ of the personal information processing
  4. The _________ to whom they are or may be disclosed
  5. _________ utilized for automated access, if the same is allowed by the data subject and the extent to which such access is authorized
  6. The ____________________ of the personal information controller or its representative
  7. The __________ for which they are stored
  8. The ______________ to access information as well as the right to lodge a complaint before the commission
A
  1. Description; 2. Purposes; 3. Scope and method; 4. Recipients or classes of recipients; 5. Methods; 6. Identity and contact details; 7. Period; 8. Existence of their right
40
Q

The right of the data subject to object to the processing of his or her personal data, including processing for direct marketing, automated processing or profiling

A

right to object

41
Q

The data subject shall be notified and given an opportunity to ______________ to the processing in case of changes or any amendment to the information supplied or declared to the data subject in the preceding paragraph

A

withhold consent

42
Q

Any information supplied or declaration made to the data subject on these matters shall not be amended without prior ____________ of data subject. Except that the notification shall not apply should the personal information be needed pursuant to a subpoena or when the collection and processing are for obvious purposes, including when it is necessary for the performance of or in relation to a contract or service or when necessary or desirable in the context of an employer-employee relationship between the collector and the data subject, or when the information is being collected and processed as a result of legal obligation

A

notification

43
Q

The data subject has reasonable access to, upon demand, the following

  1. _________ of his or her personal information that were processed
  2. _________ from which personal information were obtained
  3. __________________ recipients of the personal information
  4. _________ by which the information were processed
  5. ___________________ where the data will be or is likely to be made the sole basis for any decision significantly affecting or that will affect the data subject
  6. _______ when his or her personal information concerning the data subject were last accessed and modified
  7. The _____________________ of the personal information controller
  8. _________ for the disclosure of the personal information to the recipients
A
  1. Contents; 2. Sources; 3. And addresses; 4. manner; 5. Information on automated processes; 6. Date; 7. Designation or name or identity and address; 8. Reasons
44
Q

It is the right of the data subject to dispute the inaccuracies or errors in the personal information and have the personal information controller correct it immediately and accordingly, unless the request is vexatious or otherwise unreasonable

A

right to correction

45
Q

If the personal information has been corrected, the personal information controller shall ensure the accessibility of only the new information, provided that the third parties who have previously received such processed personal information shall be informed of its inaccuracy and its rectification upon reasonable request of the data subject. True or false

A

false. Both the new and retracted information

46
Q

The data subject shall have the right to suspend, withdraw or order ___________________________ of his or her personal information from the personal information controller's filing system upon discovery and substantial proof that the personal information is incomplete, outdated, false, unlawfully obtained, used for unauthorized purposes or no longer necessary for the purposes for which it was collected

A

blocking removal or destruction; erasure

47
Q

The data subject shall be indemnified for any damages sustained due to such inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of personal information

A

right to damages

48
Q

It is the right of the data subject to obtain from the personal information controller a copy of data, where personal information is processed

a. By electronic means

b. In a structured and commonly used format

A

right to data portability

49
Q

True or false. The lawful heirs and assigns of the data subject may invoke the rights of the data subject for which he or she is an heir or assignee at any time after the death of the data subject or when the data subject is incapacitated or incapable of exercising the rights as enumerated.

A

True

50
Q

True or false. The rights of the data subject enumerated shall be applicable to the processing of personal information used only for the needs of scientific and statistical research

A

false. Not applicable

51
Q

The enumerated rights of the data subject shall not be applicable to the processing of personal information gathered for the purpose of investigations in relation to any criminal, administrative or tax liabilities of a data subject

A

true

52
Q

If there is likelihood of risk to individuals, the data processor must report data breaches within _______

A

72 hours

53
Q

A principle by which each personal information controller is responsible for personal information under its control or custody, including information that has been transferred to a third party for processing, whether domestically or internationally, subject to cross-border arrangement and cooperation

A

principle of accountability

54
Q

The _______ of each government agency or instrumentality shall be responsible for complying with the security requirements mentioned while the commission shall monitor the compliance and may recommend the necessary action in order to satisfy the minimum standards

A

head

55
Q

Except as may be allowed through guidelines to be issued by the commission, no employee of the government shall have access to sensitive personal information on government property or through online facilities unless the employee has received a _________________ from the head of the source agency

A

security clearance

56
Q

Unless otherwise provided in guidelines to be issued by the commission, sensitive personal information maintained by an agency may be transported or accessed from a location off government property. True or false

A

false. May not be transported unless a request for such transportation or access is submitted and approved by the head of the agency in accordance with the guidance

57
Q

In case of any request submitted to the head of an agency for the transportation or access of sensitive personal information from a location off government property, such head of the agency shall approve or disapprove the request within ____________ after the date of the submission of the request.
In case there is no action by the head of the agency then such request is considered ___________

A

2 business days; Disapproved

58
Q

If a request for the transportation or access from the location off government property is approved, the head of the agency should limit the access to not more than _____________ at a time

A

1,000 records

59
Q

Any technology used to store, transport or access sensitive personal information for purposes of offsite access approved shall be secured by the use of the most secure _________________ by the commission

A

encryption standard

60
Q

In entering into any contract that may involve accessing or requiring sensitive personal information from ___________ individuals, an agency shall require a contractor and its employees to register their personal information processing system with the commission in accordance with the data privacy act and to comply with the other provisions of the act in the same manner as agencies and government employees comply with such requirements

A

1,000 or more

61
Q

Any person who processes personal information without the consent of the data subject or without being authorized under the data privacy act or any existing law shall be imprisoned for ________ and shall pay a fine of ___________

A

1 to 3 years; 500,000 to 2 million

62
Q

Any person who processes sensitive personal information without the consent of the data subject or without being authorized under the data privacy act or any existing law shall be imprisoned for ________ and shall pay a fine of _____________

A

3 to 6 years; 500,000 to 4 million

63
Q

Any person who, due to negligence, provided access to personal information without being authorized under the data privacy act or any existing law shall be imprisoned for ________ and pay a fine of ________________; what if sensitive personal information?

A

1 to 3 years; 500,000 to 2 million

3 to 6 years; 500,000 to 4 million

64
Q

Any person who knowingly or negligently disposes of the personal information of an individual in an area accessible to the public or has otherwise placed the personal information of an individual in its container for trash collection shall be imprisoned for __________ and pay a fine of ____________; what if sensitive information?

A

6 months to 2 years; 100,000 to 500,000

1 to 3 years; 100,000 to 1 million

65
Q

Any person who processes personal information for purposes not authorized by the data subject or otherwise authorized under this act or under existing laws shall be imprisoned for ____________ and shall pay a fine of __________; what if sensitive information?

A

1 year and 6 months to 5 years; 500,000 to 1 million

2 to 7 years; 500,000 to 2 million

66
Q

Any person who knowingly and unlawfully, or violating data confidentiality and security data systems, breaks in any way into any system where personal and sensitive personal information is stored shall be imprisoned for _______________ and pay a fine of _____________

A

1 to 3 years; 500,000 to 2 million

67
Q

Any personal information controller or personal information processor or any of its officials, employees or agents who, with malice or in bad faith, discloses unwarranted or false information relative to any personal information or personally sensitive information obtained by him or her shall be imprisoned for ____________ and pay a fine of ____________

A

1 year and 6 months to 5 years; 500,000 to 1 million

68
Q

Any person who, after having knowledge of a security breach and of the obligation to notify the commission, intentionally or by omission conceals the fact of such security breach shall be imprisoned for _____________ and shall pay a fine of ___________

A

1 year and 6 months to 5 years; 500,000 to 1 million

69
Q

Any personal information controller or personal information processor or any of its officials, employees or agents who discloses to a third party personal information not covered by malicious disclosure shall be imprisoned for _____________ and shall pay a fine of _____________; what if sensitive personal information?

A

1 to 3 years; 500,000 to 1 million

three to five years; 500,000 to 2 million

70
Q

Any combination or series of acts in violation of the data privacy act makes the persons subject to imprisonment of _________ and shall pay a fine of ______________

A

3 to 6 years; 1 million to 5 million

71
Q

Who should be responsible if the offender is a juridical person

A

the responsible officers

72
Q

If the offender is an alien, in addition to the penalties for violation of the data privacy act, he or she shall be deported without further proceedings after serving the penalties prescribed

True or false

A

true

73
Q

The maximum penalty in the scale of penalties respectively provided shall be imposed when the personal information of at least _________ persons is harmed, affected or involved as the result of the violations

A

100

74
Q

If the offender is a public official or employee and he or she is found guilty of improper disposal of personal information and sensitive personal information and processing of personal information and sensitive personal information for unauthorized persons, he or she shall, in addition to the penalties prescribed, suffer _________________ from office as the case may be

A

perpetual or temporary absolute disqualification

75
Q

When the offender or the person responsible for the offense is a public officer as defined in the administrative code of the philippines in the exercise of his or her duties, an accessory penalty consisting _______________ for a term ______________ imposed shall be applied

A

in the disqualification to occupy public office; double the term of criminal penalty

76
Q

True or false. Restitution for any aggrieved party shall be governed by the provisions of the data privacy act

A

false. Provisions of the new civil code