Data Privacy Act

Question 1

Commission created by virtue of the data privacy act

Answer 1

national privacy commission

Question 2

It refers to any freely given, specific, informed indication of will, whereby the data subject agrees to the collection and processing of personal information about and or or relating to him or her

Answer 2

consent

Question 3

It refers to an individual whose personal information is processed

Answer 3

data subject

Question 4

It refers to communication by whatever means of any advertising or marketing material which is directed to particular individuals

Answer 4

direct marketing

Question 5

It refers to any act of information relating to natural or juridical persons to the extent that, although the information is not processed by equipment operating automatically in response to instructions given for that purpose, the set is structured, is there by reference to individuals or by reference to criteria relating to individuals in such a way that is specific information relating to a particular person is readily accessible

Answer 5

filing system

Question 6

It refers to a system for generating, sending, receiving, storing or otherwise processing electronic data message and includes the computer system or other similar device by for which data is recorded, transmitted or stored and any procedure related to the recording, transmission or storage of electronic data

Answer 6

information and communications system

Question 7

It refers to a person or organization who controls the collection, holding, processing or use of personal information, including a person or organization who instructs another person or organization to do the same on his or her behalf

Answer 7

personal information controller

Question 8

The term personal information controller includes the person or organization who was instructed to perform or who performs the processing of personal information. True or false

Answer 8

False. The term only includes two person who controls or who instructs on other person to do so

Question 9

It refers to any natural or juridical person qualified to act as such under the data privacy act to whom a personal information controller may outsource the processing of personal data pertaining to a data subject

Answer 9

personal information processor

Question 10

Determine whether or not the following are part of the scope of the data privacy act

1. Processing of all types of personal information
2. Any natural and juridical person involved in personal information processing
3. Information about an individual who is or was an officer or employee of a government, related to his function
4. Information about an individual who is or was performing service on their contract for government institution that relates to the services performed, including the terms of the contract, the name of the individual given in the course of the performance of the services
5. Information relating to any discretionary benefit of a financial nature (e.g. License given by the government, name of the individual, and the exact nature of the benefit)
6. Personal information processed for journalistic, artistic, literary or research purposes
7. Information necessary in order to carry out the functions of public authority
8. Emission necessary for banks and other financial institutions
9. Personal information originally collected from residents of foreign jurisdictions in accordance with the laws of those foreign jurisdictions

Answer 10

1 and 2 only

Question 11

These persons or afforded protection from being compelled to reveal the source of their information appearing in publications

Answer 11

publishers, editors or duly accredited reporters of any newspaper, magazine or periodical of general circulation

Question 12

The data privacy act applies to an act done or practice engaged in and outside of the philippines by an entity if

1. The act, practice or process relates to personal information about ___________________
2. The entity has a link with the philippines and the entity is processing personal information in the philippines or even if the processing is outside of the philippines as long as it is about philippine citizens or residents such as but not limited to
   a. _________ entered in the philippines
   b. a ____________________ unincorporated in the philippines but has central management and control in the country
   c. An entity that has a ____________________ in the philippines and the parent or affiliate of the philippine entity has access to personal information
3. The entity has other links in the philippines such as
   a. The entity carries on business in the philippines
   b. The personal information was collected or held by an entity in the philippines

Answer 12

philippine citizen or resident; contract; juridical entity; branch agency or subsidiary

Question 13

Functions of the national privacy commission

1. Compliance of personal information controllers
2. Process complaints and investigate
3. Issues cease and desist to orders; impose bans on processing
4. Compare any entity to abide by its borders
5. Monitor compliance of other agencies
6. Coordinate with other agencies and the private sector to implement policies to strengthen the protection of personal information
7. Publish on a regular basis a guide to all laws relating to data protection
8. Publish a compilation of agency system of records and notices
9. Recommend to the doj the prosecution and imposition of penalties under this act
10. Review privacy codes voluntarily adhered to by personal information controllers
11. Provide assistance on matters relating to privacy or data protection
12. Comment on the implication on data privacy of proposed national or local statutes
13. Legislation to laws on privacy or data protection
14. Coordination with data privacy regulators in other countries
15. Negotiate and contract with other data privacy authorities
16. Assist philippine companies doing business abroad to respond to foreign privacy or data protection laws
17. Facilitate cross-border enforcement of data privacy protection

Question 14

The commission shall be attached to the department of __________________ and shall be headed by a _________________ who shall also act as _____________ of the commission

Answer 14

information and technology; privacy commissioner; chairman

Question 15

The privacy commissioner shall enjoy the benefits, privileges and emoluments equivalent to the rank of ______________

Answer 15

secretary

Question 16

The privacy commissioner shall be assisted by __________________

Answer 16

2 deputy privacy commissioners

Question 17

One deputy privacy commissioner shall be responsible for _________________; the other is responsible for _______________

Answer 17

data processing systems; policies and planning

Question 18

The deputy privacy commissioners shall and joy the benefits, privileges and emoluments equivalent to the rank of __________

Answer 18

undersecretary

Question 19

Qualifications of the privacy commissioner

1. At least ______ years of age
2. A good moral character, unquestionable integrity and known probity
3. A recognized expert in the field of information technology and data privacy

Answer 19

35

Question 20

True or false. The deputy privacy commissioners must be recognized experts in the field of information and communications technology and data privacy

Answer 20

true

Question 21

The privacy commissioner and the two deputy commissioners shall be appointed by the president of the philippines for a term of ______ and maybe reappointed for another term of _____

Answer 21

3 years; 3 years

Question 22

True or false. Vacancies in the commission shall be filled in the same manner and which the original appointment was made

Answer 22

true

Question 23

The commissioners or any person acting on behalf of them shall not be criminally liable for acts done in good faith in the performance of their duties. True or false

Answer 23

false. Civilly

Question 24

True or false. Persons acting under the privacy commissioners shall be liable for willful or negligent acts done by him or witch or contrary to law, morals, public policy and good customs even if he or she acted on their orders or instructions of superiors

Answer 24

true

Question 25

True or false. In case a lawsuit is filed against an official on the subject of the performance of his or her duties for such performance is lawful, he or she shall shoulder the cost of the litigation

Answer 25

false, he or she shall be reimbursed by the commission for reasonable costs of litigation

Question 26

Majority of the members of the secretariat must have served for atleast ________ in any agency of the government that is involved in the processing of personal information

Answer 26

5 years

Question 27

The processing of personal data shall be adequate, relevant, suitable, necessary and not excessive in relation to a declared and specified purpose. Personal data shall be processed by the company only if the purpose of the processing could not reasonably be fulfilled by other means. Principle of ______________

Answer 27

proportionality

Question 28

The processing of personal data by the company shall be compatible with a declared and specified purpose which must not be contrary to law, morals or public policy. Principle of _________________

Answer 28

legitimate purpose

Question 29

The data subject must be aware of the nature purpose and extent of the processing of his or her personal data by the company including the risks and safeguards involved, the identity of persons and entities involved in processing his or her personal data, his or her rights as a data subject, and how these can be exercised. Any information and communication relating to the processing of personal data should be easy to access and understand, using clear and plain language. Principle of ________________

Answer 29

transparency

Question 30

These are information, whether recorded in a material form or not, from which the identity of an individual is apparent, or can be reasonably and directly asserted by the entity holding the information, or when put together with other information put directly and certainly identify an individual

Answer 30

personal information

Question 31

Criteria for lawful processing of personal information

1. The data subject has given his or her _________
2. The processing of personal information is necessary and is _________________________ with the data subject or in order to take steps at the request of the data subject prior to entering into a contract
3. The processing is necessary for compliance with ________________ to which the personal information controller is subject
4. The processing is necessary to protect vitally important interests of the data subject, including life and health
5. The processing is necessary in order to respond to __________________, to comply with the requirements of ______________ or to fulfill functions of public authority which necessarily includes the processing of personal data for the fulfillment of its mandate
6. The processing is necessary for the purposes of the ______________ pursued by the personal information controller or by a third party or parties to whom the data is disclosed

Answer 31

consent; related to the fulfillment of a contract; legal obligation; national emergency; public order and safety; legitimate interests

Question 32

It refers to any and all forms of data which under the rules of court and other pertinent laws constitute privileged communication

Answer 32

privileged information

Question 33

Sensitive personal information refers to personal information

1. About an individual’s race ethnic origin marital status age color religion philosophical or political affiliations
2. About an individual’s health education genetic or sexual life of a person or to any proceeding for any offense committed or alleged to have been committed by such person
3. Issued by government agencies peculiar to an individual which includes sss members health records licenses tax returns
4. Specifically established by an executive order or an act of congress to be kept classified

Question 34

The processing of sensitive personal information and privileged information shall be prohibited except

1. The data subject has given his or her __________
2. The processing of the same as provided for by ____________
3. The processing is necessary to protect _____________ off the data subject or another person
4. The processing is necessary to achieve the lawful and ___________ objectives of public organizations and their associations
5. The processing is necessary for purposes of ____________
6. The processing concerns such personal information as is necessary for the protection of law full rights and interests of natural or legal persons in court proceedings or the establishment exercise or defence of legal claims or provided to government or public authority

Answer 34

consent; law or regulation; life and health; noncommercial; medical treatment

Question 35

True or false. A personal information controller may subcontract the processing of personal information

Answer 35

true

Question 36

The personal information controller shall be responsible for ensuring the proper safeguards are in place to ensure

1. The ____________ of the personal information processed
2. Prevent its use for ___________ purposes, and generally,
3. Comply with the requirements of the data privacy act and other laws for processing of personal information

Answer 36

confidentiality; unauthorized

Question 37

True or false. Personal information controller may invoke the principle of privileged communication over privileged information that they lawfully control or process. Subject to existing laws and regulations, any evidence gathered on privileged information is admissible

Answer 37

false. Inadmissible

Question 38

This is the right of the data subject to be informed whether personal information pertaining to him or her shall be, or being or have been processed

Answer 38

right to informed consent

Question 39

The following information must be provided before the entry of the personal information into the processing system or at the next practical opportunity

1. _________ of the personal information to be entered into the system
2. _________ for which they are being or are to be processed
3. _________________ of the personal information processing
4. The _________ to whom they are or may be disclosed
5. _________ utilized for automated access, if the same is allowed by the data subject and the extent to which such access is authorized
6. The ____________________ of the personal information controller or its representative
7. The __________ for which they or stored
8. the ______________ to access information as well as the right to lodge a complaint before the commission

Answer 39

1. Description; 2. Purposes; 3. Scope and method;4. Recipients or classes of recipients; 5. Methods; 6. Identity and contact details; 7. Period; 8. Existence of their right

Question 40

The right of the data subject to object to the processing of his or her personal data, including processing for direct marketing, automated processing or profiling

Answer 40

right to object

Question 41

The data subject shall be notified and given an opportunity to ______________ to the processing in case of changes or any amendment to the information supplied or declared to the data subject in the preceding paragraph

Answer 41

withhold consent

Question 42

Any information supplied or declaration made to the data subject on these matters shall not be amended without prior ____________ of data subject. Accept the notification shall not apply should the personal information be needed pursuant to a subpoena or when the collection and processing or for office purposes including when it is necessary for the performance of or in relation to a contract or service or when necessary or desirable in the context of an employer-employee relationship between the collector and the subject data or when the information is being collected and processed as a result of legal obligation

Answer 42

notification

Question 43

The data subject has reasonable access to, upon demand, the following

1. _________ of his or her personal information that were processed
2. _________ from which personal information were obtained
3. __________________ recipients of the personal information
4. _________ by which the information were processed
5. ___________________ where the data will or likely to be made as the sole basis for any decision significantly affecting or will affect the data subject
6. _______ when his or her personal information concerning the data subject were last accessed and modified
7. The _____________________ of the personal information controller
8. _________ for the disclosure of the personal information to the recipients

Answer 43

1. Contents; 2. Sources; 3. And addresses; 4. manner; 5. Information on automated processes; 6. Date; 7. Designation or name or identity and address; 8. Reasons

Question 44

It is the right of the data subject to dispute the inaccuracies or errors in the personal information and how the personal information controller correct it immediately and accordingly on the request is vexatious or otherwise unreasonable

Answer 44

right to correction

Question 45

If the personal information has been corrected, the personal information controller shall ensure that the accessibility of only the new information provide that that the third parties who have previously received such process personal information shall be informed of its in accuracy and its rectification upon reasonable request of the data subject. True or false

Answer 45

false. Both the new and retracted information

Question 46

The data subject shall have the right to suspend, withdraw or order ___________________________ of his or her personal information from the personal information controller finding system upon discovery and substantial proof that the personal information or incomplete, outdated, false, unluckily obtained, used for unauthorized purposes or or no longer necessary for the purposes for which they are collected

Answer 46

blocking removal or destruction; erasure

Question 47

The data subject shall be indemnified for any damages sustained to such inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of personal information

Answer 47

right to damages

Question 48

It is the right of the data subject to obtain from the personal information controller a copy of data, where personal information is processed

a. By electronic means

b. In a structured and commonly used format

Answer 48

right to data portability

Question 49

True or false. The lawful heirs and assigns of the data subject may invoke the rights of the data subject for which he or she is an heir or assignee at anytime after the death of the data subject or when the data subject is incapacitated or incapable of exercising the rice as enumerated.

Answer 49

True

Question 50

True or false. The rights of the data subject enumerated shall be applicable the processing of personal information used only for the needs of scientific and statistical research

Answer 50

false. Not applicable

Question 51

The enumerated rights of the data subject shall not be applicable the processing of personal information gathered for the purpose of investigations in relation to any criminal, administrative or tax liabilities of a data subject

Answer 51

true

Question 52

If there is likelihood of risk to individuals, the data processor must report data breaches within _______

Answer 52

72 hours

Question 53

A principle by which each personal information controller is responsible for personal information under its control or custody including information that have been transferred to a third party for processing weather domestically or internationally subject to cross-border arrangement and cooperation

Answer 53

principle of accountability

Question 54

The _______ of each government agency or instrumentality shall be responsible for complying with the security requirements mansion while the commission shall monitor the compliance and may recommend the necessary action in order to satisfy the minimum standards

Answer 54

head

Question 55

Except as may be allowed through guidelines to be issued by the commission, no employee of the government shall have access to sensitive personal information on government property or through online facilities unless the employee has received a _________________ from the head of the source agency

Answer 55

security clearance

Question 56

Unless otherwise provided in guidelines to be issued by the commission, sensitive personal information maintained by an agency may be transported or accessed from a location off government property. True or false

Answer 56

false. May not be transported unless a request for such transportation or access is submitted and approved by the head of the agency in accordance with the guidance

Question 57

In case of any requests submitted to the head of an agency for the transportation or access of a sensitive personal information from a location off government property, search head of the agency shall approve or disapprove the request within ____________ after the date of the submission of the request.
In case there is no action by the head of the agency then such request is considered ___________

Answer 57

2 business days; Disapproved

Question 58

If a request for the transportation or access from the location off government property is approved, the head of the agency should limit the access to not more than _____________ at a time

Answer 58

1,000 records

Question 59

Any technology used to store, transport or access sensitive personal information for purposes of offsite access approved shall be secured by the use of the most secure _________________ by the commission

Answer 59

encryption standard

Question 60

In entering into any contract that may involve accessing or requiring sensitive personal information from ___________ individuals, an agency shall require a contractor and its employees to register their personal information processing system with the commission in accordance with the data privacy act and to comply with the other provisions of setup in the same manner as agencies and government employees comply with such requirements

Answer 60

1,000 or more

Question 61

Any person who process personal information without the consent of the data subject or without being authorized under the data privacy act or any existing law shall be imprisoned for ________ and shall pay a fine of ___________

Answer 61

1 to 3 years; 500,000 to 2 million

Question 62

Any person who processes sensitive personal information without the consent of the data subject or without being authorized under the data privacy act or any existing law shall be imprisoned for ________ and she’ll be a fine of _____________

Answer 62

3 to 6 years; 500,000 to 4 million

Question 63

Any person who, due to negligence, provided access to personal information without being authorized under the data privacy after any existing law shall be imprisoned for ________ and pay a fine of ________________; what if sensitive personal information

Answer 63

1 to 3 years; 500,000 to 2 million

3 to 6 years; 500,000 to 4 million

Question 64

Any person who knowingly or negligently dispose the personal information of an individual in an area accessible to the public or has otherwise placed the personal information of an individual in its container for trash collection should be imprisoned for __________ and pay a fine of ____________; what if sensitive information

Answer 64

6 months to 2 years; 100,000 to 500,000

1 to 3 years; 100,000 to 1 million

Question 65

The penalty for processing personal information for purposes not authorized by the data subject or otherwise authorized under this act or under existing laws shall be imprisoned for ____________ and shall pay a fine of __________; what if sensitive information

Answer 65

1 year and 6 months to 5 years; 500,000 to 1 million

2 to 7 years; 500,000 to 2 million

Question 66

Any person who knowingly and unlawfully or violating data confidentiality and security data systems, breaks in any way into any system for personal and sensitive personal information is stored shall be imprisoned for _______________ and pay a fine of _____________

Answer 66

1 to 3 years; 500,000 to 2 million

Question 67

Any personal information controller or personal information processor or any of its officials and employees or agents who with malice or in bad faith discloses and warranted or false information relative to any personal information or personally sensitive information obtained by him or her shall be imprisoned for ____________ and pay a fine of ____________

Answer 67

1 year and 6 months to 5 years; 500,000 to 1 million

Question 68

Any person who, after having knowledge of a security breach and off the obligation to notify the commission intentionally or by omission conceals the fact of such security breach shall be imprisoned for _____________ and shall pay a fine of ___________

Answer 68

1 year and 6 months to 5 years; 500,000 to 1 million

Question 69

Any personal information controller or personal information processor or any of its officials and employees or agents who discloses to third-party personal not covered by malicious disclosure shall be imprisoned for _____________ and shall pay a fine of _____________; what is sensitive personal information

Answer 69

1 to 3 years; 500,000 to 1 million

three to five years; 500,000 to 2 million

Question 70

Any combination or series of acts in violation of the data privacy act make the persons subject to imprisonment of _________ and shall pay a fine of ______________

Answer 70

3 to 6 years; 1 million to 5 million

Question 71

Who should be responsible if the offender is a juridical person

Answer 71

the responsible officers

Question 72

If the offender is an alien, in addition to the penalties for violation of the data privacy act, he or she shall be deported without further proceedings after serving the penalties prescribe

true or false

Answer 72

true true

Question 73

The maximum penalty in the scale of penalties respectively provided shall be imposed when the personal information of at least _________ persons is harmed, affected or involved as the result of the violations

Answer 73

100

Question 74

If the offender is a public official or employee and he or she is found guilty of improper disposal of personal information and sensitive personal information and processing of personal information and sensitive personal information for unauthorized persons, he or she shall in addition to the penalties prescribe suffer _________________ from office as the case may be

Answer 74

perpetual or temporary absolute disqualification

Question 75

When the offender or the person responsible for the offense is a public officer as defined in the administrative code of the philippines in the exercise of his or her duties, an accessory penalty consisting _______________ for a term ______________ imposed shall be applied

Answer 75

in the disqualification to occupy public office; double the term of criminal penalty

Question 76

True or false. Restitution for any aggrieved party shall be governed by the provisions of the data privacy act

Answer 76

false. Provisions of the new civil code