2.
1. An Overview of DPA
   a. Purpose & Scope
   b. Key Concepts
   c. General Obligations & Accountability
   d. Offenses/Penalties
2. The DP Committee
   a. Functions
   b. Timelines & Deliverables
3. PURPOSE
• To safeguard the right of every individual to privacy while ensuring the free flow of information for innovation, growth and national development.
4. SCOPE
• Defines the rights of data subjects
• Provides parameters for securing, processing and providing access to personal information by any natural or juridical person in the government or private sector
• Imposes penal and pecuniary sanctions for unlawful use or disclosure of information
5. PERSONAL INFORMATION
• Any information from which the identity of an individual is apparent or can be ascertained by the entity holding the information, or which, when put together with other information, would directly and certainly identify an individual.
6. SENSITIVE PERSONAL INFORMATION
• race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations
• health, education, genetic or sexual life, or any proceeding for any offense committed or alleged to have been committed by a person, the disposal of such proceeding, or the sentence of any court in such proceedings
7. SENSITIVE PERSONAL INFORMATION
• Issued by government agencies and peculiar to an individual, e.g. social security numbers, previous or current health records, licenses or their denial, suspension or revocation, tax returns
• Specifically established by an executive order or an act of Congress to be kept classified
9. GENERAL PRINCIPLES
• Collection must be for a declared, specified, and legitimate purpose
• Personal information shall be processed fairly and lawfully
• Processing should ensure data quality
• Personal information shall not be retained longer than necessary
• Any authorized further processing shall have adequate safeguards
10. ACCESS TO PERSONAL INFORMATION
• Must be strictly regulated by the agency head through security clearance
• Access rights and identity authentication are required for online access by agency personnel
• A network drive is allocated so that files are not saved to the local machine
11. ACCESS TO PERSONAL INFORMATION
• Only known devices, properly configured to the agency's standards, can be used
• Remote disconnection or deletion of data from lost devices
• Access log for paper files or any physical media
12. TRANSFER OF PERSONAL INFORMATION
• Encrypt data sent through email, or use a secure facility
• Access controls must be in place for printing or copying personal information
• Manual transfer of personal information through removable physical media (e.g. compact discs) is not allowed
• If unavoidable or necessary, personal information stored in portable media must be encrypted
• Facsimile technology is not allowed
13. TRANSFER OF PERSONAL INFORMATION
• Transmittal of data by mail or post shall use registered mail delivered only to the addressee.
• Similar safeguards shall be adopted for documents transmitted between offices or personnel within the agency.
14. PRIVACY IMPACT ASSESSMENT
• A process undertaken and used by a government agency to evaluate and manage privacy impacts.
15. The Privacy Impact Assessment shall include the following:
A. A data inventory identifying:
   1.) the types of personal data held by the agency, including records of its own employees;
   2.) a list of all information repositories holding personal data, including their location;
   3.) the types of media used for storing the personal data; and
   4.) the risks associated with the processing of the personal data.
16.
B. A systematic description of the processing operations anticipated and the purposes of the processing, including, where applicable, the legitimate interest pursued by the agency;
C. An assessment of the necessity and proportionality of the processing in relation to the purposes of the processing; and
D. An assessment of the risks to the rights and freedoms of data subjects.
17.
"xxx a comprehensive enumeration of the measures intended to address the risks, including organizational, physical and technical measures to maintain the availability, integrity and confidentiality of personal data and to protect the personal data against natural dangers such as accidental loss or destruction, and human dangers such as unlawful access, fraudulent misuse, unlawful destruction, alteration and contamination. xxx"
18.
1. Designate a Data Protection Officer
2. Conduct a Privacy Impact Assessment
3. Create privacy and data protection policies
4. Conduct a mandatory, agency-wide training on privacy and data protection policies once a year
19.
5. Register its data processing systems with the Commission.
6. Cooperate with the NPC when the agency's privacy and data protection policies are subjected to review and assessment.
20.
• Should be complied with by September 2017
• Penalties/Liabilities:
   • compliance and enforcement orders, cease and desist orders, temporary or permanent ban on the processing of personal data, or payment of fines, in accordance with a schedule to be published by the Commission.
   • administrative and disciplinary sanctions against any erring public officer or employee in accordance with existing laws or regulations.
21.
• Heads of agencies/DPOs shall be accountable for complying with the requirements of the Act. (Secs. 21/22, RA 10173; Secs. 50/51, IRR)
22. What acts are punishable under the DPA?
ACTS PUNISHABLE / PENALTY
Unauthorized processing of personal information
   Imprisonment: 1 to 3 years; Fine: P500K to P2M
Unauthorized processing of sensitive personal information
   Imprisonment: 3 to 6 years; Fine: P500K to P4M
Accessing personal information due to negligence
   Imprisonment: 1 to 3 years; Fine: P500K to P2M
Accessing sensitive personal information due to negligence
   Imprisonment: 3 to 6 years; Fine: P500K to P4M
Improper disposal of personal information
   Imprisonment: 6 months to 2 years; Fine: P100K to P500K
Improper disposal of sensitive personal information
   Imprisonment: 1 to 3 years; Fine: P100K to P1M
23. What acts are punishable under the DPA?
ACTS PUNISHABLE / PENALTY
Processing of personal information for unauthorized purposes
   Imprisonment: 1 year & 6 months to 5 years; Fine: P500K to P1M
Processing of sensitive personal information for unauthorized purposes
   Imprisonment: 2 to 7 years; Fine: P500K to P2M
Unauthorized access or intentional breach
   Imprisonment: 1 to 3 years; Fine: P500K to P1M
Malicious disclosure
   Imprisonment: 1 year & 6 months to 5 years; Fine: P500K to P1M
Unauthorized disclosure of personal information
   Imprisonment: 1 to 3 years; Fine: P500K to P1M
24. What acts are punishable under the DPA?
ACTS PUNISHABLE / PENALTY
Unauthorized disclosure of sensitive personal information
   Imprisonment: 3 to 5 years; Fine: P500K to P2M
Combination or series of acts
   Imprisonment: 3 to 6 years; Fine: P1M to P5M
Perpetual or temporary absolute disqualification from office, in addition to the above penalties.