Data Privacy Act Flashcards
Refers to any freely given, specific, informed indication of will, whereby the data subject agrees to the collection and processing of personal information about and/or relating to him or her.
Consent of the data subject
Individual whose personal information is processed
Data subject
Consent may be evidenced by
written, electronic or recorded means
may also be given on behalf of the data subject by an agent specifically authorized by the data subject to do so
Communication by whatever means of any advertising or marketing material which is directed to particular individuals
Direct marketing
Exclusions to PIC
- Person who performs the functions as instructed by another
- Person who collects, holds, and processes or uses personal information in connection with his personal, family or household affairs
A person or organization who controls the collection, holding, processing or use of personal information, including one who instructs another to do so
Personal information controller
Any act of information relating to natural or juridical persons to the extent that, although the information is not processed by equipment operating automatically in response to instructions given for that purpose, the set is structured, either by reference to individuals or to criteria, in such a way that specific information relating to a particular person is readily accessible
Filing system
Any natural or juridical person qualified to act as such to whom a PIC may outsource the processing of personal data pertaining to a data subject
Personal information processor
Data Privacy Act does not apply to?
- Information about any individual who is or was an officer or employee of a government institution that relates to his position or functions (fact, title, address, office tel no, classification, salary range and responsibilities, name on a document)
- Info about an individual who is or was performing service under contract for a government institution that relates to the services performed (terms, name)
- Info relating to any discretionary benefit of financial nature
- Personal information processed for journalistic, artistic, literary, research purposes
- Info necessary to carry out functions of public authority
- Info necessary for banks and other financial inst
- Personal info originally collected from residents of foreign jurisdictions
Extraterritorial Application
- If it relates to a PH citizen or resident
- Entity has a link with the PH - processing in the PH
- Entity has other links in the PH
When shall the processing of personal information be allowed?
- Compliance with DPA and other laws
- Adherence to the 3 principles
What are the three principles?
Proportionality, legitimate purpose, transparency
The processing of personal data shall be relevant and not excessive in relation to a declared and specified purpose
Principle of Proportionality
The processing shall be compatible with a declared and specified purpose which must not be contrary to law
Principle of Legitimate Purpose
The data subject must be aware of the nature, purpose and extent of the processing including the risks and safeguards involved, rights – must be easy to access and understand, using clear and plain language
Principle of transparency
Information from which the identity of an individual is
(1) apparent
(2) can be reasonably and directly ascertained by the entity holding the information
(3) when put together with other info would directly and certainly identify an individual
Name, home address, phone number
Personal information
What are the criteria for lawful processing of personal information?
(at least one should exist)
- Consent is given
- Related to fulfillment of a contract
- Compliance with legal obligation
- Protect vitally important interests of data subject
- Respond to national emergencies
- Purposes of legitimate interests
Any and all forms of data which under the Rules of Court and other pertinent laws constitute privileged communication
Attorney-client, doctor-patient, marital, priest-confessor
Privileged information
(1) About race, ethnic origin, marital status, age, color, affiliations
(2) About health, education, genetic or sexual life, proceedings or offenses committed, sentences
(3) Issued by govt agencies
(4) Specifically established to be kept classified
Sensitive personal information
When shall the processing of SPI and priv information be allowed?
- Consent
- Processing is provided for by existing laws and regulations
- Necessary to protect the life and health of DS or another person
- Achieve the lawful and noncommercial objectives of an org/assoc
- Purposes of medical treatment
- For protection of lawful rights and interests
What are the rights of the data subject?
- Right to informed consent
- Right to object
- Right to withhold consent
- Right to access
- Right to correction
- Right to erasure
- Right to damages
- Right to data portability
What information is needed for informed consent?
- Description of personal information to be entered into the system
- Purposes
- Scope and method of processing
- Recipients
- Methods
- Identity and contact details of PIC
- Period of storage
- Existence of their rights
Any information supplied or declaration made to the data subject on these matters shall not be amended without prior notification of data subject
EXEMPTION?
When the personal information is pursuant to a subpoena or when it is for obvious purposes, in relation to a contract or service, necessary in an employer-employee relationship, or between the collector and data subject, or as a result of legal obligation
The DS shall have the right to dispute inaccuracy or error and have the PIC correct it, unless the request is vexatious or unreasonable
Right to correction
The DS shall have the right to suspend, withdraw or order the blocking, removal or destruction of his or her personal information
Right to erasure
The right of the DS to a copy of the data from the PIC when personal information is processed by electronic means and in a structured and commonly used format
Right to data portability
The lawful heirs and assigns may invoke the rights of the data subject after death or when incapacitated or incapable
Transmissibility of Right of the DS
When are the rights of a DS not applicable
- For scientific and statistical research - no activities are carried out and no decisions are taken regarding the DS
- For investigations - criminal, administrative, tax liabilities
When must notification to the commission be made in case of breach of data?
If there is a likelihood of risk to individuals, within 72 hours
What must be reported to the commission in a breach?
(1) nature of breach
(2) SPI possibly involved
(3) measures taken to address the breach
When may notification be delayed?
Only to the extent necessary to determine the scope of the breach and to prevent any further disclosures or to restore reasonable integrity
When is notification not required?
If such notification would not be in the public interest or in the interests of the affected data subjects
When may notification be postponed?
When notification may hinder the progress of a criminal investigation related to a serious breach
A designated individual or individuals accountable for the organization’s compliance with the DPA
Data Protection Officer
If a request for such transportation or access to SPI is approved, the head of agency shall limit the access to not more than 1000 records at a time
Limitation to 1000 records
Penalties for access (negligence, provides unauthorized access)
PI - 1 to 3 years - 500K to 2M
SPI - 3 to 6 years - 500K to 4M
Penalties for unauthorized processing (no consent or unauthorized)
PI - 1 to 3 years - 500K to 2M
SPI - 3 to 6 years - 500K to 4M
Penalties for unauthorized disclosure (not covered by malicious disclosure)
PI - 1 to 3 years - 500K to 1M
SPI - 3 to 5 years - 500K to 2M
Extent of liability for an offense committed by a public officer?
An accessory penalty consisting of disqualification from occupying public office for a term double the term of the criminal penalty imposed
When is delay in notification prohibited?
If it involves at least 100 DS or if the disclosure of SPI will harm or adversely affect the data subject
Exception to the exemption from registration?
Processing likely to pose a risk to the rights and freedoms of DS, processing is not occasional, and SPI of at least 1000 individuals is involved.
PIC not required to register?
When it employs fewer than 250 persons
Each PIC is responsible for personal information under its control including those transferred to a third party for processing, whether domestic or international
Principle of Accountability
Penalty for concealment of security breaches involving SPI
1 year and 6 months to 5 years - 500K to 1M