Data Privacy Act Flashcards
Commission created by virtue of the data privacy act
national privacy commission
It refers to any freely given, specific, informed indication of will, whereby the data subject agrees to the collection and processing of personal information about and/or relating to him or her
consent
It refers to an individual whose personal information is processed
data subject
It refers to communication by whatever means of any advertising or marketing material which is directed to particular individuals
direct marketing
It refers to any set of information relating to natural or juridical persons to the extent that, although the information is not processed by equipment operating automatically in response to instructions given for that purpose, the set is structured, either by reference to individuals or by reference to criteria relating to individuals, in such a way that specific information relating to a particular person is readily accessible
filing system
It refers to a system for generating, sending, receiving, storing or otherwise processing electronic data messages and includes the computer system or other similar device by which data is recorded, transmitted or stored and any procedure related to the recording, transmission or storage of electronic data
information and communications system
It refers to a person or organization who controls the collection, holding, processing or use of personal information, including a person or organization who instructs another person or organization to do the same on his or her behalf
personal information controller
The term personal information controller includes the person or organization who was instructed to perform or who performs the processing of personal information. True or false
False. The term only includes the person who controls or who instructs another person to do so
It refers to any natural or juridical person qualified to act as such under the data privacy act to whom a personal information controller may outsource the processing of personal data pertaining to a data subject
personal information processor
Determine whether or not the following are part of the scope of the data privacy act
- Processing of all types of personal information
- Any natural and juridical person involved in personal information processing
- Information about an individual who is or was an officer or employee of a government, related to his function
- Information about an individual who is or was performing service under contract for a government institution that relates to the services performed, including the terms of the contract, the name of the individual given in the course of the performance of the services
- Information relating to any discretionary benefit of a financial nature (e.g. License given by the government, name of the individual, and the exact nature of the benefit)
- Personal information processed for journalistic, artistic, literary or research purposes
- Information necessary in order to carry out the functions of public authority
- Information necessary for banks and other financial institutions
- Personal information originally collected from residents of foreign jurisdictions in accordance with the laws of those foreign jurisdictions
1 and 2 only
These persons are afforded protection from being compelled to reveal the source of their information appearing in publications
publishers, editors or duly accredited reporters of any newspaper, magazine or periodical of general circulation
The data privacy act applies to an act done or practice engaged in and outside of the philippines by an entity if
- The act, practice or process relates to personal information about ___________________
- The entity has a link with the philippines and the entity is processing personal information in the philippines or even if the processing is outside of the philippines as long as it is about philippine citizens or residents such as but not limited to
a. _________ entered in the philippines
b. a ____________________ unincorporated in the philippines but has central management and control in the country
c. An entity that has a ____________________ in the philippines and the parent or affiliate of the philippine entity has access to personal information
- The entity has other links in the philippines such as
a. The entity carries on business in the philippines
b. The personal information was collected or held by an entity in the philippines
philippine citizen or resident; contract; juridical entity; branch agency or subsidiary
Functions of the national privacy commission
- Compliance of personal information controllers
- Process complaints and investigate
- Issue cease and desist orders; impose bans on processing
- Compel any entity to abide by its orders
- Monitor compliance of other agencies
- Coordinate with other agencies and the private sector to implement policies to strengthen the protection of personal information
- Publish on a regular basis a guide to all laws relating to data protection
- Publish a compilation of agency system of records and notices
- Recommend to the doj the prosecution and imposition of penalties under this act
- Review privacy codes voluntarily adhered to by personal information controllers
- Provide assistance on matters relating to privacy or data protection
- Comment on the implication on data privacy of proposed national or local statutes
- Legislation to laws on privacy or data protection
- Coordination with data privacy regulators in other countries
- Negotiate and contract with other data privacy authorities
- Assist philippine companies doing business abroad to respond to foreign privacy or data protection laws
- Facilitate cross-border enforcement of data privacy protection
The commission shall be attached to the department of __________________ and shall be headed by a _________________ who shall also act as _____________ of the commission
information and technology; privacy commissioner; chairman
The privacy commissioner shall enjoy the benefits, privileges and emoluments equivalent to the rank of ______________
secretary
The privacy commissioner shall be assisted by __________________
2 deputy privacy commissioners
One deputy privacy commissioner shall be responsible for _________________; the other is responsible for _______________
data processing systems; policies and planning
The deputy privacy commissioners shall enjoy the benefits, privileges and emoluments equivalent to the rank of __________
undersecretary
Qualifications of the privacy commissioner
- At least ______ years of age
- A good moral character, unquestionable integrity and known probity
- A recognized expert in the field of information technology and data privacy
35
True or false. The deputy privacy commissioners must be recognized experts in the field of information and communications technology and data privacy
true
The privacy commissioner and the two deputy commissioners shall be appointed by the president of the philippines for a term of ______ and may be reappointed for another term of _____
3 years; 3 years
True or false. Vacancies in the commission shall be filled in the same manner in which the original appointment was made
true
The commissioners or any person acting on behalf of them shall not be criminally liable for acts done in good faith in the performance of their duties. True or false
false. Civilly
True or false. Persons acting under the privacy commissioners shall be liable for willful or negligent acts done by him or her which are contrary to law, morals, public policy and good customs even if he or she acted under orders or instructions of superiors
true
True or false. In case a lawsuit is filed against an official on the subject of the performance of his or her duties, where such performance is lawful, he or she shall shoulder the cost of the litigation
false, he or she shall be reimbursed by the commission for reasonable costs of litigation
Majority of the members of the secretariat must have served for at least ________ in any agency of the government that is involved in the processing of personal information
5 years
The processing of personal data shall be adequate, relevant, suitable, necessary and not excessive in relation to a declared and specified purpose. Personal data shall be processed by the company only if the purpose of the processing could not reasonably be fulfilled by other means. Principle of ______________
proportionality
The processing of personal data by the company shall be compatible with a declared and specified purpose which must not be contrary to law, morals or public policy. Principle of _________________
legitimate purpose
The data subject must be aware of the nature, purpose and extent of the processing of his or her personal data by the company, including the risks and safeguards involved, the identity of persons and entities involved in processing his or her personal data, his or her rights as a data subject, and how these can be exercised. Any information and communication relating to the processing of personal data should be easy to access and understand, using clear and plain language. Principle of ________________
transparency
These are information, whether recorded in a material form or not, from which the identity of an individual is apparent, or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual
personal information
Criteria for lawful processing of personal information
- The data subject has given his or her _________
- The processing of personal information is necessary and is _________________________ with the data subject or in order to take steps at the request of the data subject prior to entering into a contract
- The processing is necessary for compliance with ________________ to which the personal information controller is subject
- The processing is necessary to protect vitally important interests of the data subject, including life and health
- The processing is necessary in order to respond to __________________, to comply with the requirements of ______________ or to fulfill functions of public authority which necessarily includes the processing of personal data for the fulfillment of its mandate
- The processing is necessary for the purposes of the ______________ pursued by the personal information controller or by a third party or parties to whom the data is disclosed
consent; related to the fulfillment of a contract; legal obligation; national emergency; public order and safety; legitimate interests
It refers to any and all forms of data which under the rules of court and other pertinent laws constitute privileged communication
privileged information
Sensitive personal information refers to personal information
- About an individual’s race, ethnic origin, marital status, age, color, religion, philosophical or political affiliations
- About an individual’s health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such person
- Issued by government agencies peculiar to an individual which includes sss members health records licenses tax returns
- Specifically established by an executive order or an act of congress to be kept classified
The processing of sensitive personal information and privileged information shall be prohibited except
- The data subject has given his or her __________
- The processing of the same as provided for by ____________
- The processing is necessary to protect _____________ of the data subject or another person
- The processing is necessary to achieve the lawful and ___________ objectives of public organizations and their associations
- The processing is necessary for purposes of ____________
- The processing concerns such personal information as is necessary for the protection of lawful rights and interests of natural or legal persons in court proceedings, or the establishment, exercise or defense of legal claims, or provided to government or public authority
consent; law or regulation; life and health; noncommercial; medical treatment
True or false. A personal information controller may subcontract the processing of personal information
true
The personal information controller shall be responsible for ensuring the proper safeguards are in place to ensure
- The ____________ of the personal information processed
- Prevent its use for ___________ purposes, and generally,
- Comply with the requirements of the data privacy act and other laws for processing of personal information
confidentiality; unauthorized
True or false. Personal information controller may invoke the principle of privileged communication over privileged information that they lawfully control or process. Subject to existing laws and regulations, any evidence gathered on privileged information is admissible
false. Inadmissible
This is the right of the data subject to be informed whether personal information pertaining to him or her shall be, are being or have been processed
right to informed consent
The following information must be provided before the entry of the personal information into the processing system or at the next practical opportunity
- _________ of the personal information to be entered into the system
- _________ for which they are being or are to be processed
- _________________ of the personal information processing
- The _________ to whom they are or may be disclosed
- _________ utilized for automated access, if the same is allowed by the data subject and the extent to which such access is authorized
- The ____________________ of the personal information controller or its representative
- The __________ for which they are stored
- the ______________ to access information as well as the right to lodge a complaint before the commission
1. Description; 2. Purposes; 3. Scope and method; 4. Recipients or classes of recipients; 5. Methods; 6. Identity and contact details; 7. Period; 8. Existence of their right
The right of the data subject to object to the processing of his or her personal data, including processing for direct marketing, automated processing or profiling
right to object
The data subject shall be notified and given an opportunity to ______________ to the processing in case of changes or any amendment to the information supplied or declared to the data subject in the preceding paragraph
withhold consent
Any information supplied or declaration made to the data subject on these matters shall not be amended without prior ____________ of the data subject. Except that the notification shall not apply should the personal information be needed pursuant to a subpoena or when the collection and processing are for obvious purposes, including when it is necessary for the performance of or in relation to a contract or service or when necessary or desirable in the context of an employer-employee relationship between the collector and the data subject or when the information is being collected and processed as a result of legal obligation
notification
The data subject has reasonable access to, upon demand, the following
- _________ of his or her personal information that were processed
- _________ from which personal information were obtained
- __________________ recipients of the personal information
- _________ by which the information were processed
- ___________________ where the data will or is likely to be made as the sole basis for any decision significantly affecting or will affect the data subject
- _______ when his or her personal information concerning the data subject were last accessed and modified
- The _____________________ of the personal information controller
- _________ for the disclosure of the personal information to the recipients
1. Contents; 2. Sources; 3. And addresses; 4. manner; 5. Information on automated processes; 6. Date; 7. Designation or name or identity and address; 8. Reasons
It is the right of the data subject to dispute the inaccuracies or errors in the personal information and have the personal information controller correct it immediately and accordingly, unless the request is vexatious or otherwise unreasonable
right to correction
If the personal information has been corrected, the personal information controller shall ensure the accessibility of only the new information, provided that the third parties who have previously received such processed personal information shall be informed of its inaccuracy and its rectification upon reasonable request of the data subject. True or false
false. Both the new and retracted information
The data subject shall have the right to suspend, withdraw or order ___________________________ of his or her personal information from the personal information controller's filing system upon discovery and substantial proof that the personal information are incomplete, outdated, false, unlawfully obtained, used for unauthorized purposes or are no longer necessary for the purposes for which they are collected
blocking removal or destruction; erasure
The data subject shall be indemnified for any damages sustained due to such inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of personal information
right to damages
It is the right of the data subject to obtain from the personal information controller a copy of data, where personal information is processed
a. By electronic means
b. In a structured and commonly used format
right to data portability
True or false. The lawful heirs and assigns of the data subject may invoke the rights of the data subject for which he or she is an heir or assignee at any time after the death of the data subject or when the data subject is incapacitated or incapable of exercising the rights as enumerated.
True
True or false. The rights of the data subject enumerated shall be applicable to the processing of personal information used only for the needs of scientific and statistical research
false. Not applicable
The enumerated rights of the data subject shall not be applicable to the processing of personal information gathered for the purpose of investigations in relation to any criminal, administrative or tax liabilities of a data subject
true
If there is likelihood of risk to individuals, the data processor must report data breaches within _______
72 hours
A principle by which each personal information controller is responsible for personal information under its control or custody, including information that has been transferred to a third party for processing, whether domestically or internationally, subject to cross-border arrangement and cooperation
principle of accountability
The _______ of each government agency or instrumentality shall be responsible for complying with the security requirements mentioned while the commission shall monitor the compliance and may recommend the necessary action in order to satisfy the minimum standards
head
Except as may be allowed through guidelines to be issued by the commission, no employee of the government shall have access to sensitive personal information on government property or through online facilities unless the employee has received a _________________ from the head of the source agency
security clearance
Unless otherwise provided in guidelines to be issued by the commission, sensitive personal information maintained by an agency may be transported or accessed from a location off government property. True or false
false. May not be transported unless a request for such transportation or access is submitted and approved by the head of the agency in accordance with the guidance
In case of any requests submitted to the head of an agency for the transportation or access of sensitive personal information from a location off government property, such head of the agency shall approve or disapprove the request within ____________ after the date of the submission of the request.
In case there is no action by the head of the agency then such request is considered ___________
2 business days; Disapproved
If a request for the transportation or access from the location off government property is approved, the head of the agency should limit the access to not more than _____________ at a time
1,000 records
Any technology used to store, transport or access sensitive personal information for purposes of offsite access approved shall be secured by the use of the most secure _________________ by the commission
encryption standard
In entering into any contract that may involve accessing or requiring sensitive personal information from ___________ individuals, an agency shall require a contractor and its employees to register their personal information processing system with the commission in accordance with the data privacy act and to comply with the other provisions of the act in the same manner as agencies and government employees comply with such requirements
1,000 or more
Any person who processes personal information without the consent of the data subject or without being authorized under the data privacy act or any existing law shall be imprisoned for ________ and shall pay a fine of ___________
1 to 3 years; 500,000 to 2 million
Any person who processes sensitive personal information without the consent of the data subject or without being authorized under the data privacy act or any existing law shall be imprisoned for ________ and shall pay a fine of _____________
3 to 6 years; 500,000 to 4 million
Any person who, due to negligence, provided access to personal information without being authorized under the data privacy act or any existing law shall be imprisoned for ________ and pay a fine of ________________; what if sensitive personal information
1 to 3 years; 500,000 to 2 million
3 to 6 years; 500,000 to 4 million
Any person who knowingly or negligently disposes of the personal information of an individual in an area accessible to the public or has otherwise placed the personal information of an individual in its container for trash collection should be imprisoned for __________ and pay a fine of ____________; what if sensitive information
6 months to 2 years; 100,000 to 500,000
1 to 3 years; 100,000 to 1 million
The penalty for processing personal information for purposes not authorized by the data subject or otherwise authorized under this act or under existing laws shall be imprisoned for ____________ and shall pay a fine of __________; what if sensitive information
1 year and 6 months to 5 years; 500,000 to 1 million
2 to 7 years; 500,000 to 2 million
Any person who knowingly and unlawfully, or violating data confidentiality and security data systems, breaks in any way into any system where personal and sensitive personal information is stored shall be imprisoned for _______________ and pay a fine of _____________
1 to 3 years; 500,000 to 2 million
Any personal information controller or personal information processor or any of its officials and employees or agents who with malice or in bad faith discloses unwarranted or false information relative to any personal information or personally sensitive information obtained by him or her shall be imprisoned for ____________ and pay a fine of ____________
1 year and 6 months to 5 years; 500,000 to 1 million
Any person who, after having knowledge of a security breach and of the obligation to notify the commission, intentionally or by omission conceals the fact of such security breach shall be imprisoned for _____________ and shall pay a fine of ___________
1 year and 6 months to 5 years; 500,000 to 1 million
Any personal information controller or personal information processor or any of its officials and employees or agents who discloses to a third party personal information not covered by malicious disclosure shall be imprisoned for _____________ and shall pay a fine of _____________; what if sensitive personal information
1 to 3 years; 500,000 to 1 million
three to five years; 500,000 to 2 million
Any combination or series of acts in violation of the data privacy act makes the persons subject to imprisonment of _________ and shall pay a fine of ______________
3 to 6 years; 1 million to 5 million
Who should be responsible if the offender is a juridical person
the responsible officers
If the offender is an alien, in addition to the penalties for violation of the data privacy act, he or she shall be deported without further proceedings after serving the penalties prescribed. True or false
true
The maximum penalty in the scale of penalties respectively provided shall be imposed when the personal information of at least _________ persons is harmed, affected or involved as the result of the violations
100
If the offender is a public official or employee and he or she is found guilty of improper disposal of personal information and sensitive personal information and processing of personal information and sensitive personal information for unauthorized purposes, he or she shall, in addition to the penalties prescribed, suffer _________________ from office as the case may be
perpetual or temporary absolute disqualification
When the offender or the person responsible for the offense is a public officer as defined in the administrative code of the philippines in the exercise of his or her duties, an accessory penalty consisting _______________ for a term ______________ imposed shall be applied
in the disqualification to occupy public office; double the term of criminal penalty
True or false. Restitution for any aggrieved party shall be governed by the provisions of the data privacy act
false. Provisions of the new civil code