Data Privacy Act of 2012 Flashcards

1
Q

Who does the Commission report to annually regarding its activities?

A

The President and Congress.

2
Q

Who is required to maintain the confidentiality of personal data?

A

Members, employees, and consultants of the Commission.

3
Q

How long does the duty of confidentiality last?

A

Even after their term, employment, or contract has ended.

4
Q

What must members, employees, and consultants ensure at all times?

A

The confidentiality of any personal data that comes to their knowledge and possession.

5
Q

What government department is the Commission attached to for policy and program coordination?

A

Department of Information and Communications Technology (DICT)

5
Q

Does the Commission remain independent despite being attached to the DICT?

A

Yes, it remains completely independent in performing its functions.

6
Q

Who heads the Commission, and what is their title?

A

The Privacy Commissioner, who acts as Chairman of the Commission.

6
Q

What benefits, privileges, and emoluments does the Privacy Commissioner receive?

A

Equivalent to the rank of Secretary.

7
Q

What are the qualifications for the Privacy Commissioner?

A

At least 35 years old, of good moral character, unquestionable integrity, known probity, and a recognized expert in information technology and data privacy.

8
Q

How many Deputy Privacy Commissioners assist the Privacy Commissioner?

A

Two (2) Deputy Privacy Commissioners.

9
Q

What are the areas of responsibility for each Deputy Privacy Commissioner?

A

One is responsible for Data Processing Systems, and the other for Policies and Planning.

10
Q

What are the qualifications for the Deputy Privacy Commissioners?

A

They must be recognized experts in information and communications technology and data privacy.

10
Q

What benefits, privileges, and emoluments do the Deputy Privacy Commissioners receive?

A

Equivalent to the rank of Undersecretary.

11
Q

What is the Magna Carta?

A

No one is above the law.

12
Q

Are the Privacy Commissioner, Deputy Commissioners, and their subordinates civilly liable for acts done in good faith while performing their duties?

A

No, they are not civilly liable for acts done in good faith.

13
Q

When can the Privacy Commissioner, Deputy Commissioners, or their subordinates be held liable for their actions?

A

When they commit willful or negligent acts contrary to law, morals, public policy, and good customs.

14
Q

Does liability apply even if they acted under orders or instructions of superiors?

A

Yes, they can still be held liable.

15
Q

What happens if a lawsuit is filed against them for acts done lawfully in the performance of their duties?

A

The Commission shall reimburse them for reasonable litigation costs.

16
Q

Who is responsible for implementing security measures to protect personal data?

A

Personal information controllers and personal information processors.

17
Q

What type of security measures must be implemented for personal data protection?

A

Reasonable and appropriate organizational, physical, and technical security measures.

18
Q

Who is responsible for securing sensitive personal information maintained by the government?

A

The head of each government agency or instrumentality.

19
Q

Who monitors government agency compliance with security requirements?

A

The Commission.

20
Q

Can a government employee access sensitive personal information without authorization?

A

No, they must have a security clearance from the head of the source agency.

21
Q

What is a source agency?

A

The government agency that originally collected the personal data.

22
Q

When can a government employee be granted security clearance to access sensitive personal data?

A

Only when the performance of their official functions or provision of a public service directly depends on it and cannot be done otherwise.

22
Q

Can government employees or agents access sensitive personal information from outside government property?

A

Yes, but only if the head of the agency ensures the implementation of privacy policies and appropriate security measures.

23
Q

What must be submitted and approved before transporting or accessing sensitive personal information off-site?

A

A request that includes proper accountability mechanisms in data processing.

24
Q

What is the maximum number of records that can be accessed off-site at a time?

A

One thousand (1,000) records.

25
Q

How long does the head of the agency have to approve or disapprove an off-site access request?

A

Two (2) business days; if no action is taken, the request is considered disapproved.

26
Q

What security measure must be applied to sensitive personal information stored, transported, or accessed off-site?

A

The most secure encryption standard recognized by the Commission.

27
Q

What must a data-sharing agreement between a source agency and another government agency undergo?

A

Review by the Commission, either on its own initiative or upon complaint of a data subject.

28
Q

When must a government agency require a private service provider to register its personal data processing system?

A

If the contract involves accessing or requiring sensitive personal information from 1,000 or more individuals.

29
Q

Who can invoke the rights of a deceased or incapacitated data subject?

A

The lawful heirs and assigns of the data subject.

30
Q

When can the heirs or assigns exercise the rights of the data subject?

A

After the data subject’s death or when they are incapacitated or incapable of exercising their rights.

31
Q

Within how many hours must a personal information controller notify the Commission and affected data subjects of a data breach?

A

Within seventy-two (72) hours upon knowledge or reasonable belief that a breach requiring notification has occurred.

32
Q

When is notification of a personal data breach required?

A

When sensitive personal information or other data that may enable identity fraud is reasonably believed to have been acquired by an unauthorized person and there is a real risk of serious harm to the affected data subject.

32
Q

Who must notify the Commission and affected data subjects of a data breach?

A

The personal information controller.

32
Q

What may the Commission do if there is a delay or failure to notify about a personal data breach?

A

The Commission may investigate the circumstances surrounding the breach.

33
Q

What key details must be included in a data breach notification?

A

A description of the nature of the breach, the personal data possibly involved, and the measures taken to address the breach.

34
Q

What additional measures should be included in the notification?

A

Measures taken to reduce harm or negative consequences of the breach.

35
Q

What contact information must be provided in the notification?

A

The representatives of the personal information controller, including their contact details.

36
Q

When can the notification of a data breach be delayed?

A

Only to the extent necessary to determine the scope of the breach, prevent further disclosures, or restore system integrity.

37
Q

What factors may the Commission consider when evaluating if notification is unwarranted?

A

Compliance by the personal information controller with this section and existence of good faith in acquiring personal data.

38
Q

When can the Commission exempt a personal information controller from notification?

A

If the Commission determines that notification would not be in the public interest or not in the interest of the affected data subjects.

39
Q

Under what circumstance can the Commission authorize postponement of notification?

A

If notification would hinder the progress of a criminal investigation related to a serious breach.

40
Q

What must a breach report include in case of a personal data breach?

A

The facts surrounding the incident, its effects, and the remedial actions taken by the personal information controller.

41
Q

What is required for documenting security incidents that do not involve personal data?

A

A report containing aggregated data shall be sufficient.

42
Q

How often must a general summary of security incident reports be submitted to the Commission?

43
Q

When is a personal information controller or processor required to register its data processing system?

A

When the processing poses a risk to the rights and freedoms of data subjects, is not occasional, or involves sensitive personal information of at least 1,000 individuals.

43
Q

Is a personal information controller or processor with fewer than 250 employees always required to register?

A

No, unless it meets the conditions for risk, frequency, or volume of sensitive personal information.

44
Q

What is the minimum number of individuals whose sensitive personal information triggers mandatory registration?

A

1,000 individuals.

45
Q

What is the penalty for unauthorized processing of personal information?

A

Imprisonment of 1 to 3 years and a fine of Php500,000.00 to Php2,000,000.00.

46
Q

What is the penalty for accessing personal information due to negligence without being authorized?

A

Imprisonment of 1 to 3 years and a fine of Php500,000.00 to Php2,000,000.00.

46
Q

What are the two conditions under which processing of personal or sensitive personal information is considered unauthorized?

A

Without the consent of the data subject or without authorization under the law.

46
Q

What is the penalty for unauthorized processing of sensitive personal information?

A

Imprisonment of 3 to 6 years and a fine of Php500,000.00 to Php4,000,000.00.

47
Q

What is the penalty for improper disposal of personal information?

A

Imprisonment of 6 months to 2 years and a fine of Php100,000.00 to Php500,000.00.

47
Q

What is the penalty for accessing sensitive information due to negligence without being authorized?

A

Imprisonment of 3 to 6 years and a fine of Php500,000.00 to Php4,000,000.00.

48
Q

What is the penalty for improper disposal of sensitive personal information?

A

Imprisonment of 1 to 3 years and a fine of Php100,000.00 to Php1,000,000.00.

49
Q

What is the penalty for processing sensitive personal information for unauthorized purposes?

A

Imprisonment of 2 to 7 years and a fine of Php500,000.00 to Php2,000,000.00.

49
Q

What constitutes improper disposal of personal or sensitive personal information under Section 54?

A

Knowingly or negligently disposing of personal or sensitive personal information in a publicly accessible area or placing it in a trash container.

49
Q

What is the penalty for processing personal information for unauthorized purposes?

A

Imprisonment of 1 year and 6 months to 5 years and a fine of Php500,000.00 to Php1,000,000.00.

50
Q

What constitutes processing of personal and sensitive personal information for unauthorized purposes?

A

Processing personal or sensitive personal information without the authorization of the data subject or without legal authorization under the Data Privacy Act or other existing law.

51
Q

What are the penalties for unauthorized access or intentional breach?

A

Imprisonment of 1 to 3 years and a fine of Php500,000.00 to Php2,000,000.00.

51
Q

What constitutes an unauthorized access or intentional breach under Section 56?

A

Knowingly and unlawfully breaking into a system where personal or sensitive personal information is stored, violating data confidentiality and security systems.

51
Q

What are the penalties for concealing a security breach involving sensitive personal information?

A

Imprisonment of 1 year and 6 months to 5 years and a fine of Php500,000.00 to Php1,000,000.00.

52
Q

What act is penalized under Section 57?

A

Intentional or negligent concealment of a security breach after knowing about it and failing to notify the Commission as required by law.

53
Q

What are the penalties for malicious disclosure?

A

Imprisonment of 1 year and 6 months to 5 years and a fine of Php500,000.00 to Php1,000,000.00.

54
Q

What are the penalties for unauthorized disclosure of sensitive personal information?

A

Imprisonment of 3 to 5 years and a fine of Php500,000.00 to Php2,000,000.00.

54
Q

Who can be penalized for malicious disclosure of personal or sensitive personal information?

A

Personal information controllers, processors, officials, employees, or agents who disclose information with malice or bad faith.

54
Q

What are the penalties for unauthorized disclosure of personal information?

A

Imprisonment of 1 to 3 years and a fine of Php500,000.00 to Php1,000,000.00.

55
Q

Who can be penalized for unauthorized disclosure?

A

Personal information controllers, processors, their officials, employees, or agents.

55
Q

What constitutes unauthorized disclosure under Section 59?

A

Disclosing personal or sensitive personal information to a third party without the consent of the data subject and not covered by the previous section (malicious disclosure).

56
Q

What happens if a person commits a combination or series of acts under Sections 52 to 59?

A

They shall be subject to imprisonment of 3 to 6 years and a fine of Php1,000,000.00 to Php5,000,000.00.

56
Q

Who is liable if the offender is a corporation, partnership, or juridical person?

A

The responsible officers who participated in or allowed the crime due to gross negligence.

57
Q

What additional penalty applies if the offender is a public official or employee?

A

Perpetual or temporary absolute disqualification from office if guilty of acts under Sections 54 and 55.

57
Q

What additional penalty applies if the offender is an alien?

A

Deportation after serving the penalties.

58
Q

When is the maximum penalty imposed for offenses under Sections 52 to 59?

A

When the personal data of at least 100 persons are harmed, affected, or involve

59
Q

What is the additional penalty if a public officer commits an offense under these sections?

A

Disqualification to occupy public office for a term double the criminal penalty imposed.

60
Q

What is Restitution?

A

Restitution is the act of restoring something to its rightful owner or compensating for a loss, damage, or injury caused to another party.