March 16, 2017
Atty. Jay C. Castillo

1. An Overview of DPA
   a. Purpose & Scope
   b. Key Concepts
   c. General Obligations & Accountability
   d. Offenses/Penalties
2. The DP Committee
   a. Functions
   b. Timelines & Deliverables
PURPOSE
To safeguard the right of every individual to privacy while ensuring the free flow of information for innovation, growth and national development.
SCOPE
• Defines the rights of data subjects
• Provides parameters for securing, processing and providing access to personal information by any natural or juridical person in the government or private sector
• Imposes penal and pecuniary sanctions for the unlawful use or disclosure of information
PERSONAL INFORMATION
Any information from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or which, when put together with other information, would directly and certainly identify an individual.
SENSITIVE PERSONAL INFORMATION
• Information about an individual's race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations
• Information about an individual's health, education, genetic or sexual life, or about any proceeding for any offense committed or alleged to have been committed by a person, the disposal of such proceeding, or the sentence of any court in such proceedings
• Information issued by government agencies and peculiar to an individual, e.g. social security numbers, previous or current health records, licenses or their denial, suspension or revocation, and tax returns
• Information specifically established by an executive order or an act of Congress to be kept classified
PROCESSING
The collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data.
GENERAL PRINCIPLES
• Collection must be for a declared, specified and legitimate purpose
• Personal information shall be processed fairly and lawfully
• Processing should ensure data quality
• Personal information shall not be retained longer than necessary
• Any authorized further processing shall have adequate safeguards
ACCESS TO PERSONAL INFORMATION
• Access must be strictly regulated by the agency head through security clearance
• Access rights and identity authentication are required for online access by agency personnel
• An allocated network drive is used so that files are not saved to the local machine
• Only known devices, properly configured to the agency's standards, can be used
• Lost devices must be remotely disconnected, or the data on them remotely deleted
• An access log is kept for paper files or any physical media
TRANSFER OF PERSONAL INFORMATION
• Encrypt data sent through email, or use a secure facility
• Access controls must be in place for printing or copying personal information
• Manual transfer of personal information through removable physical media (e.g. compact discs) is not allowed
• If unavoidable or necessary, personal information stored in portable media must be encrypted
• Facsimile technology is not allowed
• Transmittal of data by mail or post shall use registered mail delivered only to the addressee
• Similar safeguards shall be adopted for documents transmitted between offices or personnel within the agency
PRIVACY IMPACT ASSESSMENT
A process undertaken and used by a government agency to evaluate and manage privacy impacts.
The Privacy Impact Assessment shall include the following:
A. A data inventory identifying:
   1.) the types of personal data held by the agency, including records of its own employees;
   2.) a list of all information repositories holding personal data, including their location;
   3.) the types of media used for storing the personal data; and
   4.) the risks associated with the processing of the personal data.
B. A systematic description of the processing operations anticipated and the purposes of the processing, including, where applicable, the legitimate interest pursued by the agency;
C. An assessment of the necessity and proportionality of the processing in relation to the purposes of the processing; and
D. An assessment of the risks to the rights and freedoms of data subjects.

"xxx a comprehensive enumeration of the measures intended to address the risks, including organizational, physical and technical measures to maintain the availability, integrity and confidentiality of personal data and to protect the personal data against natural dangers such as accidental loss or destruction, and human dangers such as unlawful access, fraudulent misuse, unlawful destruction, alteration and contamination. xxx"
GENERAL OBLIGATIONS
1. Designate a Data Protection Officer.
2. Conduct a Privacy Impact Assessment.
3. Create privacy and data protection policies.
4. Conduct a mandatory, agency-wide training on privacy and data protection policies once a year.
5. Register its data processing systems with the Commission.
6. Cooperate with the NPC when the agency's privacy and data protection policies are subjected to review and assessment.
These obligations should be complied with by September 2017.
Penalties/Liabilities:
• compliance and enforcement orders, cease and desist orders, a temporary or permanent ban on the processing of personal data, or payment of fines, in accordance with a schedule to be published by the Commission;
• administrative and disciplinary sanctions against any erring public officer or employee, in accordance with existing laws or regulations.
ACCOUNTABILITY
Heads of agencies and DPOs shall be accountable for complying with the requirements of the Act. (Secs. 21/22, RA 10173; Secs. 50/51, IRR)
What acts are punishable under the DPA?

ACTS PUNISHABLE | PENALTY
Unauthorized processing of personal information | Imprisonment: 1 to 3 years; Fine: P500K to P2M
Unauthorized processing of sensitive personal information | Imprisonment: 3 to 6 years; Fine: P500K to P4M
Accessing personal information due to negligence | Imprisonment: 1 to 3 years; Fine: P500K to P2M
Accessing sensitive personal information due to negligence | Imprisonment: 3 to 6 years; Fine: P500K to P4M
Improper disposal of personal information | Imprisonment: 6 months to 2 years; Fine: P100K to P500K
Improper disposal of sensitive personal information | Imprisonment: 1 to 3 years; Fine: P100K to P1M
Processing of personal information for unauthorized purposes | Imprisonment: 1 year and 6 months to 5 years; Fine: P500K to P1M
Processing of sensitive personal information for unauthorized purposes | Imprisonment: 2 to 7 years; Fine: P500K to P2M
Unauthorized access or intentional breach | Imprisonment: 1 to 3 years; Fine: P500K to P1M
Malicious disclosure | Imprisonment: 1 year and 6 months to 5 years; Fine: P500K to P1M
Unauthorized disclosure of personal information | Imprisonment: 1 to 3 years; Fine: P500K to P1M
Unauthorized disclosure of sensitive personal information | Imprisonment: 3 to 5 years; Fine: P500K to P2M
Combination or series of acts | Imprisonment: 3 to 6 years; Fine: P1M to P5M

Perpetual or temporary absolute disqualification from office, in addition to the above penalties.
THANK YOU!
For questions or comments, you may email me at privacy.info.ph@gmail.com

Data Privacy Act of 2012 (R.A. 10173) Briefing 2017