DATA PRIVACY ACT OF 2012

Question 1

It refers to any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual
a. Public information
b. Private information
c. Personal information
d. Individual information

Question 2

It refers to an individual whose personal information is processed
a. Data object
b. Data prestation
c. Data subject
d. None of the above

Question 3

It refers to any freely given, specific, informed indication of will, whereby the data subject agrees to the collection and processing of personal information about and/or relating to him or her
a. Consent of the data subject
b. Object of the data subject
c. Cause of the data subject
d. None of the above

Question 4

It refers to a person or organization who controls the collection, holding, processing or use of personal information, including a person or organization who instructs another person or organization to collect, hold, process, use, transfer, or disclose personal information on his or her behalf
a. Private information controller
b. Personal information controller
c. Public information controller
d. Individual information controller

Question 5

It refers to any natural or juridical person qualified to act as such under the Data Privacy Act of 2012 to whom a personal information controller may outsource the processing of personal data pertaining to a data subject
a. Private information controller
b. Public information controller
c. Individual information controller
d. Personal information controller

Question 6

Which of the following is considered a sensitive personal information?
a. Information about an individual’s business, company, business venture and profitable transactions
b. Information about an individual’s Facebook public profile picture and display photo
c. Information about an individual’s Instagram public account and public twitter account
d. Information about an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations

Question 7

Which of the following is not considered a sensitive personal information?
a. Information about an individual’s health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings
b. Information issued by government agencies peculiar to an individual which includes, but not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns
c. Information specifically established by an executive order or an act of Congress to be kept classified
d. Information about the platform of a candidate for national elective position that is discussed in a public debate televised in national television network

Question 8

It refers to any and all forms of data which under the Rules of Court and other pertinent laws constitute privileged communication
a. Confidential information
b. Privileged information
c. Sensitive information
d. Personal information

Question 9

10. Data Privacy Act applies to:
    Statement I: The processing of all types of personal information
    Statement II: To any natural and juridical person involved in personal information processing including those personal information controllers and processors who, although not found or established in the Philippines, use equipment that are located in the Philippines, or those who maintain an office, branch or agency in the Philippines
    a. Only Statement I is true
    b. Only Statement II is true
    c. Both are true
    d. Both are false

Question 10

Data Privacy Act does not apply to
a. Information about an individual who is or was performing service under contract for a government institution that relates to the services performed, including the terms of the contract, and the name of the individual given in the course of the performance of those services
b. Information relating to any discretionary benefit of a financial nature such as the granting of a license or permit given by the government to an individual, including the name of the individual and the exact nature of the benefit
c. Personal information processed for journalistic, artistic, literary or research purposes
d. Personal information originally collected from residents of foreign jurisdictions in accordance with the laws of those foreign jurisdictions, including any applicable data privacy laws, which is being processed in the Philippines
e. All of the above

Question 11

Data Privacy Act applies to an act done or practice engaged in and outside of the Philippines by an entity if:
Statement I: The act, practice or processing relates to personal information about a Philippine citizen or a resident
Statement II: The entity has a link with the Philippines, and the entity is processing personal information in the Philippines or even if the processing is outside the Philippines as long as it is about Philippine citizens or residents
a. Only Statement I is true
b. Only Statement II is true
c. Both are true
d. Both are false

Question 12

Under the Data Privacy Act, personal information must be
a. Processed unfairly and illegally
b. Inadequate and excessive in relation to the purposes for which they are collected and processed
c. Retained as long as possible despite the retention period necessary for the fulfillment of the purposes for which the data was obtained or for the establishment, exercise or defense of legal claims, or for legitimate business purposes, or as provided by law
d. Collected for specified and legitimate purposes determined and declared before, or as soon as reasonably practicable after collection and later processed in a way compatible with such declared, specified and legitimate purposes only

Question 13

The processing of personal information shall be permitted only if not otherwise prohibited by law, and when at least one of the following conditions exists. Which is not one of the conditions?
a. The processing of personal information is necessary and is related to the fulfillment of a contract with the data subject on in order to take steps at the request of the data subject prior to entering into a contract
b. The processing is necessary for compliance with a legal obligation to which the personal information controller is subject
c. The data subject need not necessarily give his or her consent
d. The processing is necessary to protect vitally important interests of the data subject, including life and health

Question 14

The processing of sensitive personal information and privileged information shall be prohibited, except in the following cases
a. The data subject has given his or her consent, specific to the purpose prior to the processing on in the case of privileged information, all parties to the exchange have given their consent prior to processing
b. The processing is necessary to protect the life and health of the data subject or another person, and the data subject is not legally or physically able to express his or her consent prior to the processing
c. The processing is necessary for purposes of medical treatment, is carried out by a medical practitioner or a medical treatment institution, and an adequate level of protection f personal information is ensured
d. All of the above

Question 15

The following are the rights of the data subject, except
a. Be informed whether personal information pertaining to him or her shall be, are being or have been processed
b. Dispute the inaccuracy or error in the personal information and have the personal information controller correct it immediately and accordingly, unless the request is vexatious or otherwise unreasonable
c. Suspend, withdraw or order the blocking, removal or destruction of his or her personal information from the personal information of the controller’s filing system upon discovery and substantial proof that the personal information are incomplete, outdated, false, unlawfully obtained, used for unauthorized purposes or are no longer necessary for the purposes for which they were collected
d. None of the above

Question 16

Statement I: The lawful heirs and assigns of the data subject may invoke the rights of the data subject for, which he or she is an heir or assignee at any time after the death of the data subject or when the data subject is incapacitated
Statement II: The data subject shall have the right, where personal information is processed by electronic means and in a structured and commonly used format, to obtain from the personal information controller a copy of data undergoing processing in an electronic or structured format, which is commonly used and allows for further use by the data subject
a. Only Statement I is true
b. Only Statement II is true
c. Both are true
d. Both are false

Question 17

Statement I: The personal information controller must implement reasonable and appropriate organizational, physical and technical measures intended for the protection of personal information against any accidental or unlawful destruction, alteration and disclosures, as well as against any other unlawful processing
Statement II: The personal information controller shall implement reasonable and appropriate measures to protect personal information against natural dangers such as accidental loss or destruction, and human dangers such as unlawful access, fraudulent misuse, unlawful destruction, alteration and contamination
a. Only Statement I is true
b. Only Statement II is true
c. Both are true
d. Both are false

Question 18

Statement I: The employees, agents, or representative of a personal information controller who are involved in the processing of personal information shall operate and hold personal information under strict confidentiality if the personal information are not intended for public disclosure
Statement II: The personal information controller must further ensure that third parties processing personal information on its behalf shall implement the security measures
a. Only Statement I is true
b. Only Statement II is true
c. Both are true
d. Both are false

Question 19

Statement I: Each personal information controller is responsible for personal information under its control or custody, including information that have been transferred to a third party for processing, whether domestically or internationally, subject to cross-border arrangement and cooperation
Statement II: The personal information controller shall designate an individual or individuals who are accountable for the organization’s compliance with the Data Privacy Act. The identify of the individual(s) so designated shall be made known to any data subject upon request
a. Only Statement I is true
b. Only Statement II is true
c. Both are true
d. Both are false

Question 20

Statement I: All sensitive personal information maintained by the government, its agencies and instrumentalities shall be secured, as far as practicable, with the use of the most appropriate standard recognized by the information and communications technology industry
Statement II: The head of each government agency or instrumentality shall be responsible for complying with the security requirements
a. Only Statement I is true
b. Only Statement II is true
c. Both are true
d. Both are false

Question 21

Statement I: No employee of the government shall have access to sensitive personal information on government property or through online facilities unless the employee has received a security clearance from the head of the source agency
Statement II: Sensitive personal information maintained by an agency may not be transported or accessed from a location off government property unless a request for such transportation or access is submitted and approved by the head of the agency
a. Only Statement I is true
b. Only Statement II is true
c. Both are true
d. Both are false

Question 22

Which of the following is not a general data privacy principle?
a. Personal information must be collected for specified and legitimate purposes determined and declared before, or as soon as reasonably practicable after collection, and later processed in a way compatible with such declared, specified and legitimate purposes only
b. Personal information must be disclosed for commercial purposes even without the consent of data subject
c. Personal information must be processed fairly and lawfully
d. Personal information must be accurate, relevant and, where necessary for purposes for which it is to be used the processing of personal information, kept up to date; inaccurate or incomplete data must be rectified, supplemented, destroyed or their further processing restricted

Question 23

Which of the following is not a general data privacy principle?
a. Personal information must be adequate and not excessive in relation to the purposes for which they are collected and processed
b. Personal information must be processed surreptitiously to achieve the objective of the company
c. Personal information must be retained only for as long as necessary for the fulfillment of the purposes for which the data was obtained or for the establishment, exercise or defense of legal claims, or for legitimate business purposes, or as provided by law
d. Personal information must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected and processed

Question 24

Which of the following is not a criterion for lawful processing of personal information?
a. The data subject has given his or her consent
b. The processing of personal information is necessary and is related to the fulfillment of a contract with the data subject or in order to take steps at the request of the data subject prior to entering into a contract
c. The processing is necessary in order to take undue advantage on the personal information of the data subject
d. The processing is necessary for compliance with a legal obligation to which the personal information controller is subject

Question 25

Which of the following is not a criterion for lawful processing of personal information?
a. The processing is necessary to protect vitally important interests of the data subject, including life and health
b. The processing is necessary in order to respond to national emergency, to comply with the requirements of public order and safety, or to fulfill functions of public authority which necessarily includes the processing of personal data for the fulfillment of its mandate
c. The processing pertains to sensitive personal information of the data subject without the consent of the data subject
d. The processing is necessary for the purposes of the legitimate interests pursued by the personal information controller or by a third party or parties to whom the data is disclosed, except where such interests are overridden by fundamental rights and freedoms of the data subject which require protection under the Philippine Constitution

Question 26

What is the principle about the processing of sensitive personal information and privileged information or communication?
a. As a general rule, the processing of sensitive personal information and privileged information shall be allowed except to those prohibited by Data Privacy Act
b. The processing of sensitive personal information and privileged information shall be absolutely prohibited
c. The processing of sensitive personal information and privileged information shall be absolutely allowed
d. As a general rule, the processing of sensitive personal information and privileged information shall be prohibited except to those allowed by Data Privacy Act

Question 27

Which of the following is not a right of Data Subject under Data Privacy Act?
a. Right to question the decision made by the data controller regarding act of management or act of administration of the corporation
b. Right to be informed whether personal information pertaining to him or her shall be, are being or have been processed
c. Right to be furnished the information indicated hereunder before the entry of his or her personal information into the processing system of the personal information controller, or at the next practical opportunity
d. Right to have reasonable access to, upon demand, the information being processed by the data controller

Question 28

Which of the following is not a right of Data Subject under Data Privacy Act?
a. Right to dispute the inaccuracy or error in the personal information and have the personal information controller correct it immediately and accordingly, unless the request is vexatious or otherwise unreasonable
b. Right to suspend, withdraw or order the blocking, removal or destruction of his or her personal information from the personal information controller’s filing system upon discovery and substantial proof that the personal information are incomplete, outdated, false, unlawfully obtained, used for unauthorized purposes or are no longer necessary for the purposes for which they were collected
c. Right to be indemnified for any damages sustained due to such inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of personal information
d. Right to inspect or access the personal information of other data subject

Question 29

What is the difference between the data privacy and data protection?
a. Data privacy refers to a person while data protection refers to the technology
b. Data privacy refers to the technical rules and regulations while data protection refers to substantive laws
c. Data privacy refers to technology while data protection refers to legal principles
d. Data privacy refers to the rights of the data subject while data protection refers to the means employed to protects the rights of the data subject

Question 30

This principle means that the data subject shall have the right, where personal information is processed by electronic means and in a structured and commonly used format, to obtain from the personal information controller a copy of data undergoing processing in an electronic or structured format, which is commonly used and allows for further use by the data subject
a. Transmissibility of rights c. Right to data portability
b. Extraterritorial application of Data Privacy Act d. Confidentiality of personal information

Question 31

What is the obligation of National Privacy Commission regarding any personal information that comes to its knowledge and possession?
a. It shall disclose such personal information without the consent of data subject
b. It shall sell such personal information for commercial purposes
c. It shall at all times ensure the confidentiality of such personal information
d. It shall use such personal information for public persecution

Question 32

Who is National Privacy Commission’s head that shall also act as the National Privacy Commission Chairman?
a. Privacy Chairperson c. Privacy Administrator
b. Privacy Director d. Privacy Commissioner

Question 33

Who shall assist the Privacy Commissioner of National Privacy Commission?
a. Two Assistant Privacy Commissioner, one to be responsible for Data Processing Systems and to be responsible for Policies and Planning
b. Two Deputy Privacy Commissioner, one to be responsible for Data Processing Systems and to be responsible for Policies and Planning
c. Two Vice Privacy Commissioner, one to be responsible for Data Processing Systems and to be responsible for Policies and Planning
d. Two Under Privacy Commissioner, one to be responsible for Data Processing Systems and to be responsible for Policies and Planning

Question 34

Who has the authority to appoint the Privacy Commissioner and the two Deputy Privacy Commissioners?
a. President of the Republic of the Philippines
b. Department of Information and Communication Technology (DICT) Secretary
c. Department of Justice Secretary
d. Commission of Human Rights (CHR) Chairman

Question 35

What is the term of office of Privacy Commissioner and the two Deputy Privacy Commissioner?
a. Term of three (3) years and may be reappointed for another term of three (3) years
b. Term of six (6) years but ineligible for reappointment
c. Term of seven (7) years but ineligible for reappointment
d.Term of four (4) years and may be reappointed for another term of four (4) years

Question 36

Which of the following is not a qualification of Privacy Commissioner?
a.He must be at least 35 years of age
b.He must be of good moral character, unquestionable integrity and known probity
c.He must be a recognized expert in the field of information technology and data privacy
d.He must be a holder of Doctor of Philosophy (PhD) in the field of information technology and data privacy

Question 37

Statement I: The unauthorized processing of personal information shall be penalized by imprisonmentranging from 1 year to 3 years and a fine of not less than P500,000 but not more than P2,000,000 shall beimposed on persons who process personal information without the consent of the data subject, or withoutbeing authorized
Statement II: The unauthorized processing of personal sensitive information shall be penalized byimprisonment ranging from 3 years to 6 years and a fine of not less than P500,000 but not more thanP4,000,000 shall be imposed on persons who process personal information without the consent of the datasubject, or without being authorized
a.Only Statement I is truec.Both are true
b.Only Statement II is trued.Both are false

Question 38

Statement I: The improper disposal of personal information shall be penalized by imprisonment ranging from6 months to 2 years and a fine of not less than P100,000 but not more than P500,000 shall be imposed onpersons who knowingly or negligently dispose, discard or abandon the personal information of an individualin an area accessible to the public or has otherwise placed the personal information of an individual in itscontainer for trash collection
Statement II: The improper disposal of sensitive personal information shall be penalized by imprisonmentranging from 1 year to 3 years and a fine of not less than P100,000 but not more than P1,000,000 shall beimposed on persons who knowingly or negligently dispose, discard or abandon the personal information ofan individual in an area accessible to the public or has otherwise placed the personal information of anindividual in its container for trash collection
a.Only Statement I is truec.Both are true
b.Only Statement II is trued.Both are false

Question 39

Statement I: The processing of personal information for unauthorized purposes shall be penalized byimprisonment ranging from 1 year and 6 months to 5 years and a fine of not less than P500,000 but not morethan P1,000,000 shall be imposed on persons processing personal information for purposes not authorizedby the data subject or otherwise authorized
Statement II: The processing of sensitive personal information for unauthorized purposes shall be penalizedby imprisonment ranging from 2 years to 7 years and a fine of not less than P500,000 but not more thanP2,000,000 shall be imposed on persons processing sensitive personal information for purposes notauthorized by the data subject, or otherwise authorized
a.Only Statement I is truec.Both are true
b.Only Statement II is trued.Both are false