Revisiting the privacy requirements

People, especially the youth, are said to measure their worth based on the number of likes that they get from their posts on social media. It has come to a point that they are willing to post just about anything to get a thumbs-up. Since the scope of what people post about is vast, it is quite difficult to delineate what can be shared with the rest of the world and what should remain private.

To avoid regret and harm, we should think more than twice before sharing any information whether online or through any other medium. Our decisions in sharing and managing our personal information may be guided by the Data Privacy Act of 2012 (DPA).

Thereafter, there have been a number of additional issuances and guidelines from the National Privacy Commission (NPC), the independent government body mandated to administer and to monitor compliance with the DPA.

The DPA covers all personal data from which the identity of an individual can directly or reasonably be ascertained. Under the Act, the personal information controller (PIC), a natural or juridical person who controls the processing of the personal data, and the personal information processor (PIP), a natural or juridical person to whom the processing of the personal data has been outsourced, are obligated to uphold and protect the rights of the data subjects, whose personal data are being processed. Subject to the limitations provided under the DPA, the rights of the data subjects and the obligations of the PIC and PIP arise from the collection of the personal data, including its processing, storage, retention, distribution, and until its proper disposal.

The rights of the data subjects include the right to be informed about the use of personal data, the right to object the use of such data, the right to access information pertaining to his data, the right to withdraw or order the destruction of personal data and the right to file a complaint in case of violations of rights under the DPA.

On the other hand, the PICs and PIPs are required to register their systems with the NPC, appoint a data protection officer (DPO), conduct a privacy impact assessment, create a privacy management program, implement the privacy and protection measures, and exercise breach reporting procedures. The registration of the PICs and PIPs, as well as their respective DPOs should have been done by Sept. 9, 2017. On the other hand, the extended deadline for the registration of the data systems is today, March 8, while the first annual report on whether or not there has been a breach in data privacy last year is due on March 31.

From the seminars being conducted by the NPC, all PICs and PIPs are required to comply with the DPA. In terms of registration with the NPC, those PICs and PIPs with less than 250 persons/employees shall not be required to register except in the following cases: a) the processing they carry out will likely pose a risk to the rights and freedom of the data subjects, b) the processing is not occasional, or c) the processing includes sensitive personal information of at least 1,000 individuals. Notwithstanding, NPC encourages voluntary registration of PICs and PIPs even if they meet the qualifications for non-registration.

While there is no deadline for the other requirements, namely: compliance with the privacy impact assessment, privacy management program, privacy and protection measures, and breach reporting procedures, these should all be readily available during an audit of the NPC. Non-compliance with the foregoing requirements could expose the PICs and PIPs to risk of breach and violation of the DPA.

The NPC may subject the violators to sanctions, which include enforcement orders, cease and desist orders, damages to be awarded to the affected data subject, and administrative fines. The worst possible sanction is a recommendation for criminal prosecution, which entails imprisonment of 6 months to 7 years and fines in the amount of P500,000 to P5,000,000, depending on the violation committed.

Thus, even after the deadlines, the PICs and PIPs should be cautious with the DPA requirements as non-compliance not only puts them at risk of paying steep penalties, but more seriously, introduces the possibility of criminal liability for breach of safety of their data subjects.