HIS FINALS: MODULE 5 (3) Flashcards
The data subject must be aware of the nature, purpose, and extent of the processing of his or her data, including the risks and safeguards involved, the identity of a personal information controller, his or her rights as a data subject, and how these can be exercised.
Transparency
Any information and communication relating to the processing of personal data should be easy to access and understand, using clear and understandable language.
Transparency
The processing of information shall be compatible with a declared and specified purpose, which must not be contrary to law, morals, or public policy.
Legitimate Purpose
The processing of information shall be adequate, relevant, suitable, necessary, and not excessive in relation to a declared and specified purpose.
Proportionality
Personal data shall be processed only if the purpose of the processing could not reasonably be fulfilled by other means.
Proportionality
The Data Privacy Act states that the collection of personal data:
must be for a declared, specified, and legitimate purpose
When obtaining consent, the ______ is informed about the extent and purpose of processing, and it specifically mentions the “automated processing of his or her data for profiling, or processing for direct marketing, and data sharing.”
data subject
Consent is not required for processing where:
o The data subject is a party to a contractual agreement
o For purposes of fulfilling that contract
o Compliance with a legal obligation upon the data controller
o Protection of the vital interests of the data subject
o Response to a national emergency
A(n) ______ is also available when processing is necessary to pursue the legitimate interests of the data controller, except where overridden by the fundamental rights and freedoms of the data subject.
exception to consent
The law requires that when sharing data, the sharing be covered by an agreement that provides adequate safeguards for the rights of data subjects, and that these agreements are subject to review by the ______.
National Privacy Commission
The law defines sensitive personal information as being:
• About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical, or political affiliations.
• About an individual’s health, education, the genetic or sexual life of a person, or any proceeding for any offense committed or alleged to have been committed.
• Issued by government agencies “peculiar” (unique) to an individual, such as social security number.
• Marked as classified by executive order or act of Congress.
All processing of sensitive and personal information is prohibited except in certain circumstances. The exceptions are:
• Consent of the data subject.
• Pursuant to a law that does not require consent.
• Necessity to protect the life and health of a person.
• Necessity for medical treatment.
• Necessity to protect the lawful rights of data subjects in court proceedings, legal proceedings, or regulation.
a major anti-terrorism law that enables surveillance
Human Security Act of 2007
The law further provides that not all “personal data breaches” require notification, and it sets out several bases for not notifying ______.
data subjects or the data protection authority.
Section 38 of the Implementing Rules and Regulations (IRRs) provides the requirements of breach notification:
• The breached information must be sensitive personal information or information that could be used for identity fraud, and
• There is a reasonable belief that unauthorized acquisition has occurred, and
• The risk to the data subject is real, and
• The potential harm is serious.