Data Privacy Act Flashcards
Commission in the Data Privacy Act
National Privacy Commission
Any freely given, specific, informed indication of will.
Consent of data subject
Individual whose personal info is processed
Data subject
Any set of information relating to natural or juridical persons, to the extent that the set is structured so that specific information relating to a particular person is readily accessible
Filing system
System for generating, receiving, storing or processing electronic data messages or electronic documents
Information and Communication System
Person or organization who controls the collection, holding, processing or use of personal information
Personal information controller
Person or organization who controls the collection, holding, processing or use of personal information is not a PERSONAL INFORMATION CONTROLLER if:
- Performs functions as instructed by another person/organization
- Processes personal info in connection with personal, family or household affairs
To whom a personal information controller may outsource the processing of personal data
Personal information processor
What is the scope of application of the Data Privacy Act?
- Processing of all types of personal info
- Any natural or juridical person involved in personal information processing
Data Privacy Act does not apply in the following cases:
- Info about any individual who is/was an officer of a government institution
- Person performing service under contract for a government institution
- Discretionary benefit of a financial nature
- Personal info processed for journalistic, artistic, literary or research purposes
- Info necessary to carry out functions of public authority
- Info necessary for banks and other financial institutions
- Personal info collected from residents of foreign jurisdictions
Does the Data Privacy Act have extraterritorial application? Does it apply to an act done or practice engaged in outside the Philippines?
Yes
What are the three data privacy principles under which processing of personal information is allowed?
- Principle of proportionality
- Principle of legitimate purpose
- Principle of transparency
Information from which the identity of an individual is apparent, can be reasonably or directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual
Personal information
Who must ensure implementation of personal information processing principles?
Personal information controller
What are considered privileged information?
- Attorney-client privileged info
- Doctor-patient privileged info
- Marital privileged communication
- Priest-confessor privileged info
What is included in SENSITIVE PERSONAL INFORMATION?
- race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations
- health, education, genetic or sexual life, proceedings for any offenses committed or alleged to have been committed, disposal of any proceedings, or the sentence of any court
- issued by government agencies peculiar to the individual (social security numbers, previous or current health records, licenses or its denials, suspension or revocation, tax returns)
- specifically established by an EO or act of Congress to be kept classified
Who is responsible for ensuring that proper safeguards are in place to:
1. ensure the confidentiality of the personal information processed
2. prevent its use for unauthorized purposes
3. comply with the requirements of the Data Privacy Act and other laws for the processing of personal information
Personal information controller
Identify if personal info, sensitive personal info or privileged info
Gender
Personal info
Identify if personal info, sensitive personal info or privileged info
School graduated from and date graduated
Sensitive personal info
Identify if personal info, sensitive personal info or privileged info
Laptop’s IP address
Personal info
Identify if personal info, sensitive personal info or privileged info
Email address
Personal info
Identify if personal info, sensitive personal info or privileged info
Bank account number
Sensitive personal info
Identify if personal info, sensitive personal info or privileged info
Home address
Personal info
Identify if personal info, sensitive personal info or privileged info
Income tax return
Sensitive personal info
Identify if personal info, sensitive personal info or privileged info
Location
Personal info
Identify if personal info, sensitive personal info or privileged info
Court cases filed against the individual
Sensitive personal info
Identify if personal info, sensitive personal info or privileged info
Disclosures made to an auditor
Privileged info
What are the eight rights of a data subject?
- Right to Informed Consent
- Right to Object
- Right to Withhold Consent
- Right to Access
- Right to Correction
- Right to Erasure
- Right to Damages
- Right to Data Portability
(T/F) The lawful heirs and assigns of the data subject may invoke the right of the data subject for which he or she is an heir or assignee at any time after the death of the data subject or when the data subject is incapacitated or incapable of exercising the rights
TRUE.
This pertains to the transmissibility of rights of the data subject
(T/F) The rights of the data subject are applicable 100% of the time.
FALSE
The rights of the data subject are not applicable when:
- The information is used only for scientific and statistical research, and no activities are carried out and no decisions are taken
- The information is processed for the purpose of investigations in relation to criminal, administrative, or tax liabilities
What is the period within which the data processor must report the breach to the National Privacy Commission?
Within 72 hours upon knowledge of, or reasonable belief by the personal information controller or personal information processor that, a breach has occurred.
This can only be delayed to the extent necessary to:
- determine the scope of the breach
- secure or restore integrity
- prevent further disclosures
When is delay in the notification of the breach prohibited?
- Breach involves at least 100 data subjects
- Disclosure will harm or adversely affect the data subject
Full report is submitted within 5 days
When is a personal information controller or personal information processor that employs fewer than 250 people required to register?
- Processing is likely to pose a risk to the rights and freedoms of data subjects
- Processing is not occasional
- Processing involves sensitive personal info of at least 1,000 individuals
Is the personal information controller responsible for personal information under its control or custody that has been transferred to a third person for processing?
Yes.
A personal information controller is responsible for personal information under its control or custody, including info that has been transferred to a third party for processing
Individuals designated by the personal information controller who are accountable for the organization’s compliance with the Data Privacy Act
Data Protection Officer
Penalties for UNAUTHORIZED PROCESSING.
Any person who processes personal information without the consent of the data subject or without being authorized
Personal information
Imprisonment: 1 to 3 years
Fine: 500K to 2M
Sensitive personal information
Imprisonment: 3 to 6 years
Fine: 500K to 4M
Penalties for ACCESS
Any person who, due to negligence, provided access to personal info without being authorized
Personal information
Imprisonment: 1 to 3 years
Fine: 500K to 2M
Sensitive personal information
Imprisonment: 3 to 6 years
Fine: 500K to 4M
Penalties for CONCEALMENT OF SECURITY BREACHES INVOLVING SENSITIVE PERSONAL INFO
Any person who, after having knowledge of a security breach and of the obligation to notify the Commission, intentionally or by omission conceals the fact of such security breach
Imprisonment: 1.5 years to 5 years
Fine: 500K to 1M
Penalties for MALICIOUS DISCLOSURE
Any personal information controller or personal information processor who, with malice and bad faith, discloses unwarranted or false information relative to any personal information or sensitive personal information obtained by him or her
Imprisonment: 1.5 years to 5 years
Fine: 500K to 1M
Penalties for UNAUTHORIZED DISCLOSURE
Any personal information controller or personal information processor or any of its officials, employees, or agents, who discloses to a third party personal or sensitive personal information, not covered by Malicious Disclosure, without consent of the data subject
Personal information
Imprisonment: 1 to 3 years
Fine: 500K to 1M
Sensitive personal information
Imprisonment: 3 to 5 years
Fine: 500K to 2M
What is the penalty for an offender who is a public official or employee who is found guilty of Improper Disposal of Personal Information and Sensitive Personal Information, or of Processing of Personal Information and Sensitive Personal Information for Unauthorized Purposes?
In addition to the listed penalties, he or she will suffer perpetual or temporary absolute disqualification from office