Data Privacy Act of 2012 Flashcards
Who does the Commission report to annually regarding its activities?
The President and Congress.
Who is required to maintain the confidentiality of personal data?
Members, employees, and consultants of the Commission.
How long does the duty of confidentiality last?
Even after their term, employment, or contract has ended.
What must members, employees, and consultants ensure at all times?
The confidentiality of any personal data that comes to their knowledge and possession.
What government department is the Commission attached to for policy and program coordination?
Department of Information and Communications Technology (DICT).
Does the Commission remain independent despite being attached to the DICT?
Yes, it remains completely independent in performing its functions.
Who heads the Commission, and what is their title?
The Privacy Commissioner, who acts as Chairman of the Commission.
What benefits, privileges, and emoluments does the Privacy Commissioner receive?
Equivalent to the rank of Secretary.
What are the qualifications for the Privacy Commissioner?
At least 35 years old, of good moral character, unquestionable integrity, known probity, and a recognized expert in information technology and data privacy.
How many Deputy Privacy Commissioners assist the Privacy Commissioner?
Two (2) Deputy Privacy Commissioners.
What are the areas of responsibility for each Deputy Privacy Commissioner?
One is responsible for Data Processing Systems, and the other for Policies and Planning.
What are the qualifications for the Deputy Privacy Commissioners?
They must be recognized experts in information and communications technology and data privacy.
What benefits, privileges, and emoluments do the Deputy Privacy Commissioners receive?
Equivalent to the rank of Undersecretary.
What is the Magna Carta?
No one is above the law.
Are the Privacy Commissioner, Deputy Commissioners, and their subordinates civilly liable for acts done in good faith while performing their duties?
No, they are not civilly liable for acts done in good faith.
When can the Privacy Commissioner, Deputy Commissioners, or their subordinates be held liable for their actions?
When they commit willful or negligent acts contrary to law, morals, public policy, and good customs.
Does liability apply even if they acted under orders or instructions of superiors?
Yes, they can still be held liable.
What happens if a lawsuit is filed against them for acts done lawfully in the performance of their duties?
The Commission shall reimburse them for reasonable litigation costs.
Who is responsible for implementing security measures to protect personal data?
Personal information controllers and personal information processors.
What type of security measures must be implemented for personal data protection?
Reasonable and appropriate organizational, physical, and technical security measures.
Who is responsible for securing sensitive personal information maintained by the government?
The head of each government agency or instrumentality.
Who monitors government agency compliance with security requirements?
The Commission.
Can a government employee access sensitive personal information without authorization?
No, they must have a security clearance from the head of the source agency.
What is a source agency?
The government agency that originally collected the personal data.
When can a government employee be granted security clearance to access sensitive personal data?
Only when the performance of their official functions or provision of a public service directly depends on it and cannot be done otherwise.
Can government employees or agents access sensitive personal information from outside government property?
Yes, but only if the head of the agency ensures the implementation of privacy policies and appropriate security measures.
What must be submitted and approved before transporting or accessing sensitive personal information off-site?
A request that includes proper accountability mechanisms in data processing.
What is the maximum number of records that can be accessed off-site at a time?
One thousand (1,000) records.
How long does the head of the agency have to approve or disapprove an off-site access request?
Two (2) business days; if no action is taken, the request is considered disapproved.
What security measure must be applied to sensitive personal information stored, transported, or accessed off-site?
The most secure encryption standard recognized by the Commission.
What must a data-sharing agreement between a source agency and another government agency undergo?
Review by the Commission, either on its own initiative or upon complaint of a data subject.
When must a government agency require a private service provider to register its personal data processing system?
If the contract involves accessing or requiring sensitive personal information from 1,000 or more individuals.
Who can invoke the rights of a deceased or incapacitated data subject?
The lawful heirs and assigns of the data subject.
When can the heirs or assigns exercise the rights of the data subject?
After the data subject’s death or when they are incapacitated or incapable of exercising their rights.
Within how many hours must a personal information controller notify the Commission and affected data subjects of a data breach?
Within seventy-two (72) hours upon knowledge or reasonable belief that a breach requiring notification has occurred.
When is notification of a personal data breach required?
When sensitive personal information or other data that may enable identity fraud is reasonably believed to have been acquired by an unauthorized person and there is a real risk of serious harm to the affected data subject.
Who must notify the Commission and affected data subjects of a data breach?
The personal information controller.
What may the Commission do if there is a delay or failure to notify about a personal data breach?
The Commission may investigate the circumstances surrounding the breach.
What key details must be included in a data breach notification?
A description of the nature of the breach, the personal data possibly involved, and the measures taken to address the breach.
What additional measures should be included in the notification?
Measures taken to reduce harm or negative consequences of the breach.
What contact information must be provided in the notification?
The representatives of the personal information controller, including their contact details.
When can the notification of a data breach be delayed?
Only to the extent necessary to determine the scope of the breach, prevent further disclosures, or restore system integrity.
What factors may the Commission consider when evaluating if notification is unwarranted?
Compliance by the personal information controller with this section and existence of good faith in acquiring personal data.
When can the Commission exempt a personal information controller from notification?
If the Commission determines that notification would not be in the public interest or not in the interest of the affected data subjects.
Under what circumstance can the Commission authorize postponement of notification?
If notification would hinder the progress of a criminal investigation related to a serious breach.
What must a breach report include in case of a personal data breach?
The facts surrounding the incident, its effects, and the remedial actions taken by the personal information controller.
What is required for documenting security incidents that do not involve personal data?
A report containing aggregated data shall be sufficient.
How often must a general summary of security incident reports be submitted to the Commission?
Annually.
When is a personal information controller or processor required to register its data processing system?
When the processing poses a risk to the rights and freedoms of data subjects, is not occasional, or involves sensitive personal information of at least 1,000 individuals.
Is a personal information controller or processor with fewer than 250 employees always required to register?
No, unless it meets the conditions for risk, frequency, or volume of sensitive personal information.
What is the minimum number of individuals whose sensitive personal information triggers mandatory registration?
1,000 individuals.
What is the penalty for unauthorized processing of personal information?
Imprisonment of 1 to 3 years and a fine of Php500,000.00 to Php2,000,000.00.
What is the penalty for accessing personal information due to negligence without being authorized?
Imprisonment of 1 to 3 years and a fine of Php500,000.00 to Php2,000,000.00.
What are the two conditions under which processing of personal or sensitive personal information is considered unauthorized?
Without the consent of the data subject or without authorization under the law.
What is the penalty for unauthorized processing of sensitive personal information?
Imprisonment of 3 to 6 years and a fine of Php500,000.00 to Php4,000,000.00.
What is the penalty for improper disposal of personal information?
Imprisonment of 6 months to 2 years and a fine of Php100,000.00 to Php500,000.00.
What is the penalty for accessing sensitive information due to negligence without being authorized?
Imprisonment of 3 to 6 years and a fine of Php500,000.00 to Php4,000,000.00.
What is the penalty for improper disposal of sensitive personal information?
Imprisonment of 1 to 3 years and a fine of Php100,000.00 to Php1,000,000.00.
What is the penalty on processing of sensitive information for unauthorized purposes?
Imprisonment of 2 to 7 years and a fine of Php500,000.00 to Php2,000,000.00.
What constitutes improper disposal of personal or sensitive personal information under Section 54?
Knowingly or negligently disposing of personal or sensitive personal information in a publicly accessible area or placing it in a trash container.
What is the penalty on processing of personal information for unauthorized purposes?
Imprisonment of 1 year and 6 months to 5 years and a fine of Php500,000.00 to Php1,000,000.00.
What constitutes processing of personal and sensitive personal information for unauthorized purposes?
Processing personal or sensitive personal information without the authorization of the data subject or without legal authorization under the Data Privacy Act or other existing law.
What are the penalties for unauthorized access or intentional breach?
Imprisonment of 1 to 3 years and a fine of Php500,000.00 to Php2,000,000.00.
What constitutes an unauthorized access or intentional breach under Section 56?
Knowingly and unlawfully breaking into a system where personal or sensitive personal information is stored, violating data confidentiality and security systems.
What are the penalties for concealing a security breach involving sensitive personal information?
Imprisonment of 1 year and 6 months to 5 years and a fine of Php500,000.00 to Php1,000,000.00.
What act is penalized under Section 57?
Intentional or negligent concealment of a security breach after knowing about it and failing to notify the Commission as required by law.
What are the penalties for malicious disclosure?
Imprisonment of 1 year and 6 months to 5 years and a fine of Php500,000.00 to Php1,000,000.00.
What are the penalties for unauthorized disclosure of sensitive personal information?
Imprisonment of 3 to 5 years and a fine of Php500,000.00 to Php2,000,000.00.
Who can be penalized for malicious disclosure of personal or sensitive personal information?
Personal information controllers, processors, officials, employees, or agents who disclose information with malice or bad faith.
What are the penalties for unauthorized disclosure of personal information?
Imprisonment of 1 to 3 years and a fine of Php500,000.00 to Php1,000,000.00.
Who can be penalized for unauthorized disclosure?
Personal information controllers, processors, their officials, employees, or agents.
What constitutes unauthorized disclosure under Section 59?
Disclosing personal or sensitive personal information to a third party without the consent of the data subject and not covered by the previous section (malicious disclosure).
What happens if a person commits a combination or series of acts under Sections 52 to 59?
They shall be subject to imprisonment of 3 to 6 years and a fine of Php1,000,000.00 to Php5,000,000.00.
Who is liable if the offender is a corporation, partnership, or juridical person?
The responsible officers who participated in or allowed the crime due to gross negligence.
What additional penalty applies if the offender is a public official or employee?
Perpetual or temporary absolute disqualification from office if guilty of acts under Sections 54 and 55.
What additional penalty applies if the offender is an alien?
Deportation after serving the penalties.
When is the maximum penalty imposed for offenses under Sections 52 to 59?
When the personal data of at least 100 persons are harmed, affected, or involved.
What is the additional penalty if a public officer commits an offense under these sections?
Disqualification to occupy public office for a term double the criminal penalty imposed.
What is Restitution?
Restitution is the act of restoring something to its rightful owner or compensating for a loss, damage, or injury caused to another party.