Data Privacy Act

Question 1

Commission in the Data Privacy Act

Answer 1

National Privacy Commission

Question 2

Any freely given, specific, informed indication of will.

Answer 2

Consent of data subject

Question 3

Individual whose personal info is processed

Answer 3

Data subject

Question 4

Any act of information relating to natural or judicial persons to the extent that set is structured so that specific information relating to a particular person is readily accessible

Answer 4

Filing system

Question 5

System for generating, receiving, storing or processing electronic data messages or electronic documents

Answer 5

Information and Communication System

Question 6

Person or organization who controls the collection, holding, processing or use of personal information

Answer 6

Personal information controller

Question 7

Person or organization who controls the collection, holding, processing or use of personal information is not a PERSONAL INFORMATION CONTROLLER if:

Answer 7

1. Performs functions as instructed by another person/organization
2. Processes personal info in connection with personal family or household affairs

Question 8

To whom a personal information controller may outsource the processing of personal data

Answer 8

Personal information processor

Question 9

What is the scope of application of the Data Privacy Act?

Answer 9

1. Processing of all types of personal info
2. Any natural or juridical person involved in personal information processing

Question 10

Data Privacy Act does not apply in the following cases:

Answer 10

1. Info about any individual who is/was an officer of a government institution
2. person performing service under contract for a government institution
3. discretionary benefit of a financial nature
4. personal info processed for journalistic, artistic, literary or research purposes
5. info necessary to carry out functions of public authority
6. info necessary for banks and other financial institutions
7. personal info collected from residents of foreign jurisdictions

Question 11

Does the Data Privacy Act have extraterritorial application? Does it apply to an act done or practice engaged in outside the Philippines?

Answer 11

Yes

Question 12

What are the three data privacy principles under which processing of personal information is allowed?

Answer 12

1. Principle of proportionality
2. Principle of legitimate purpose
3. Principle of transparency

Question 13

Information from which the identity of an individual is apparent, can be reasonably or directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual

Answer 13

Personal information

Question 14

Who must ensure implementation of personal information processing principles?

Answer 14

Personal information controller

Question 15

What are considered privileged information?

Answer 15

• Attorney-client privileged info
• Doctor-patient privileged info
• Marital privileged communication
• Priest-confessor privileged info

Question 16

What is included in SENSITIVE PERSONAL INFORMATION?

Answer 16

1. race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations
2. health, education, genetic or sexual life, proceedings for any offenses committed or alleged to have been committed, disposal of any proceedings, or the sentence of any court
3. issued by government agencies peculiar to the individual (social security numbers, previous or current health records, licenses or its denials, suspension or revocation, tax returns)
4. specifically established by an EO or act of Congress to be kept classified

Question 17

Who is responsible for ensuring that proper safeguards are in place to ensure:
1. the confidentiality of the personal information processor
2. prevent its use for unauthorized purposes
3. comply with the requirements of the Data Privacy Act and other laws for the processing of personal information

Answer 17

Personal information controller

Question 18

Identify if personal info, sensitive personal info or privileged info

Gender

Answer 18

Personal info

Question 19

Identify if personal info, sensitive personal info or privileged info

School graduated from and date graduated

Answer 19

Sensitive personal info

Question 20

Identify if personal info, sensitive personal info or privileged info

Laptop’s IP address

Answer 20

Personal info

Question 21

Identify if personal info, sensitive personal info or privileged info

Email address

Answer 21

Personal info

Question 22

Identify if personal info, sensitive personal info or privileged info

Bank account number

Answer 22

Sensitive personal info

Question 23

Identify if personal info, sensitive personal info or privileged info

Home address

Answer 23

Personal info

Question 24

Identify if personal info, sensitive personal info or privileged info

Income tax return

Answer 24

Sensitive personal info

Question 25

Identify if personal info, sensitive personal info or privileged info Location

Answer 25

Personal info

Question 26

Identify if personal info, sensitive personal info or privileged info Court cases filed against the individual

Answer 26

Sensitive personal info

Question 27

Disclosures made to an auditor

Answer 27

Privileged info

Question 28

What are the eight rights of a data subject?

Answer 28

1. Right to Informed Consent 2. Right to Object 3. Right to Withhold Consent 4. Right to Access 5. Right to Correction 6. Right to Erasure 7. Right to Damages 8. Right to Data Portability

Question 29

(T/F) The lawful heirs and assigns of the data subject may invoke the right of the data subject for which he or she is an heir or assignee at any time after the death of the data subject or when the data subject is incapacitated or incapable of exercising the rights

Answer 29

TRUE. This pertains to the transmissibility of rights of the data subject

Question 30

(T/F) The rights of the data subject are applicable 100% of time.

Answer 30

FALSE The rights of the data subject are not applicable: 1. Only used for scientific and statistical research. No activities are carried out and no decisions are taken 2. Purpose of investigations in relation to criminal, administrative, or tax liabilities

Question 31

What is the period within which the data processor must report the breach to the National Privacy Commission?

Answer 31

Within 72 hours upon knowledge of or the reasonable belief by the personal information controller or personal information. This can only be delayed to the extent necessary to: -determine scope of breach -secure or restore integrity -prevent further disclosures

Question 32

When is delay in the notification of the breach prohibited?

Answer 32

- Breach involves at least 100 data subjects - Disclosure will harm or adversely affect the data subject Full report is submitted within 5 days

Question 33

When is a personal information controller or personal information processor that employs fewer than 250 people required to register

Answer 33

1. Processing is likely to pose a risk to the rights and freedoms of data subjects 2. Processing is not occasional 3. Processing involves sensitive personal info of at least 1,000 individuals

Question 33

Is the personal information controller responsible for personal information under its control or custody that have been transferred to a third person for processing?

Answer 33

Yes. A personal information controller is responsible for personal information under its control or custody, including info that has been transferred to a third party for processing

Question 33

Individuals designated by the personal information controller who are accountable for the organization's compliance with the Data Privacy Act

Answer 33

Data Protection Officer

Question 34

Penalties for UNAUTHORIZED PROCESSING. Any person who processes personal information without the consent of the data subject or without being authorized

Answer 34

Personal information Imprisonment: 1 to 3 years Fine: 500K to 2M Sensitive personal information Imprisonment: 3 to 6 years Fine: 500K to 4M

Question 35

Penalties for ACCESS Any person who, due to negligence, provided access to personal info without being authorized

Answer 35

Personal information Imprisonment: 1 to 3 years Fine: 500K to 2M Sensitive personal information Imprisonment: 3 to 6 years Fine: 500K to 4M

Question 36

Penalties for CONCEALMENT OF SECURITY BREACHES INVOLVING SENSITIVE PERSONAL INFO Any person who after having knowledge of a security breach and of the obligation to notify the Commission, intentionally or by omission conceals the fact of such security breach

Answer 36

Imprisonment: 1.5 years to 5 years Fine: 500K to 1M

Question 37

Penalties for MALICIOUS DISCLOSURE Any personal information controller or personal information processor who with malice and bad faith discloses unwarranted or false information relative to any personal information or personal sensitive information obtained by him or her

Answer 37

Imprisonment: 1.5 years to 5 years Fine: 500K to 1M

Question 38

Penalties for UNAUTHORIZED DISCLOSURE Any personal information controller or personal information processor or any of its officials, employees, or agents, who discloses to a third party personal or sensitive personal information, not covered by Malicious Disclosure, without consent of the data subject

Answer 38

Personal information Imprisonment: 1 to 3 years Fine: 500K to 1M Sensitive personal information Imprisonment: 3 to 5 years Fine: 500K to 2M

Question 39

What is the penalty for an offender who is a public official or employee who is found guilty of Improper Disposal of Personal Information and Sensitive Personal Information and Processing of Personal Information and Sensitive Personal Information for Unauthorized Persons?

Answer 39

In addition to the listed penalties, he will suffer perpetual or temporary absolute disqualification from office