The question that often comes to my mind every time I provide my personal information, especially through internet, is that, am I secured? Will it be used for legitimate purpose? Or will it not violate my right to privacy?
With the advent of RA 10173 or also known as the Data Privacy Act, these queries of mine became clear. I am, indeed, secured. The purpose of the Legislative in passing this law is to protect the fundamental human right of privacy, of communication while ensuring free flow of information to promote innovation and growth. The State recognizes the vital role of information and communications technology in nation-building and its inherent obligation to ensure that personal information in information and communications systems in the government and in the private sector are secured and protected.
But before I go any further, let me just discuss the basis for the passing of RA 10173. It is anchored on the Constitutional guarantee of the right to privacy. Article III, Section 3 of the Philippine Constitution provides that:
(1) “The privacy of communication and correspondence shall be inviolable except upon lawful order of the court, or when public safety or order requires otherwise as prescribed by law.”
RA 10173 is also based on European Council No. 45/2001 in which, it protects the fundamental rights and freedoms of naturalpersons, and in particular their right to privacy with respect to the processing of personal data and shall neither restrict nor prohibit the free flow of personal data between themselves or to recipients.
Scope of application
RA 10173 applies to the processing of all types of personal information and to any natural and juridical person involved in personal information processing including those personal information controllers and processors who, although not found or established in the Philippines, use equipment that are located in the Philippines, or those who maintain an office, branch or agency in the Philippines subject to the immediately succeeding paragraph: Provided, That the requirements of Section 5 are complied with.
On the other hand, this Act does not apply to the following:
(a) Information about any individual who is or was an officer or employee of a government institution that relates to the position or functions of the individual, including:
(1) The fact that the individual is or was an officer or employee of the government institution;
(2) The title, business address and office telephone number of the individual;
(3) The classification, salary range and responsibilities of the position held by the individual; and
(4) The name of the individual on a document prepared by the individual in the course of employment with the government;
(b) Information about an individual who is or was performing service under contract for a government institution that relates to the services performed, including the terms of the contract, and the name of the individual given in the course of the performance of those services;
(c) Information relating to any discretionary benefit of a financial nature such as the granting of a license or permit given by the government to an individual, including the name of the individual and the exact nature of the benefit;
(d) Personal information processed for journalistic, artistic, literary or research purposes;
(e) Information necessary in order to carry out the functions of public authority which includes the processing of personal data for the performance by the independent, central monetary authority and law enforcement and regulatory agencies of their constitutionally and statutorily mandated functions. Nothing in this Act shall be construed as to have amended or repealed Republic Act No. 1405, otherwise known as the Secrecy of Bank Deposits Act; Republic Act No. 6426, otherwise known as the Foreign Currency Deposit Act; and Republic Act No. 9510, otherwise known as the Credit Information System Act (CISA);
(f) Information necessary for banks and other financial institutions under the jurisdiction of the independent, central monetary authority or Bangko Sentral ng Pilipinas to comply with Republic Act No. 9510, and Republic Act No. 9160, as amended, otherwise known as the Anti-Money Laundering Act and other applicable laws; and
(g) Personal information originally collected from residents of foreign jurisdictions in accordance with the laws of those foreign jurisdictions, including any applicable data privacy laws, which is being processed in the Philippines.
Likewise, section 6 of said law provides for the extraterritorial application of RA 10173. However, it seems that debates will likely arise on this matter because of jurisdictional issues. I wonder if the Implementing Rules and Regulations of this law will somehow address such question.
What are the benefits under RA 10173?
Section 5 of the law provides that: “Nothing in this Act shall be construed as to have amended or repealed the provisions of Republic Act No. 53, which affords the publishers, editors or duly accredited reporters of any newspaper, magazine or periodical of general circulation protection from being compelled to reveal the source of any news report or information appearing in said publication which was related in any confidence to such publisher, editor, or reporter.”
This provision affords great protection in favor of the media men, such as publishers, editors and reporters, against unreasonable harassments of being compelled to reveal the source of any news report or information. It likewise provides peace of mind in favor of the source regarding their personal information being disclosed. In this case, the right of the people to information on matters of public concern will not be abridged.
Section 16 of the law enumerated the rights of the data subject. These enumerations point to one thing, there must be consent and notice before an information can be process. Violation of these rights will sanction penalty, which will be discussed later. Noteworthy to point out is subsection (e) of section 16. It provides that:
“Suspend, withdraw or order the blocking, removal or destruction of his or her personal information from the personal information controller’s filing system upon discovery and substantial proof that the personal information are incomplete, outdated, false, unlawfully obtained, used for unauthorized purposes or are no longer necessary for the purposes for which they were collected. In this case, the personal information controller may notify third parties who have previously received such processed personal information”
Whenever the personal information are incomplete, outdated, false, unlawfully obtained, used for unauthorized purposes or are no longer necessary for the purpose, the data subject has the right to order such information to be suspended, withdrawn, blocked, removed or destroyed by the information controller. The data privacy has also the right to demand indemnity for the injury caused by such information which is incomplete, outdated, false or unlawfully obtained.
Section 20 ensures security of personal information. It provides:
“The personal information controller must implement reasonable and appropriate organizational, physical and technical measures intended for the protection of personal information against any accidental or unlawful destruction, alteration and disclosure, as well as against any other unlawful processing.”
This provision guarantees that the personal information of the data subject will be protected and secured. This way, it will be easy to disclose your personal information, even privileged information, because you know that it is safe. The law puts a heavy burden on the information controller to ensure that the information obtained will only be used for lawful purposes.
This law, as what Senator Anggara said, will not only boost the confidence of potential investors in the country’s IT-BPO industry, but also the trust of ordinary citizens in e-government initiatives.
What are the contentious provisions of RA 10173?
There are provisions in the law that I find interesting, if not contentious. First, is section 5 of the law which provides that:
” Nothing in this Act shall be construed as to have amended or repealed the provisions of Republic Act No. 53, which affords the publishers, editors or duly accredited reporters of any newspaper, magazine or periodical of general circulation protection from being compelled to reveal the source of any news report or information appearing in said publication which was related in any confidence to such publisher, editor, or reporter.”
It may readily appear that this is a benefit under RA 10173. However, if you read it carefully, such provision will likely invite abuse of right on the part of the media men. The provision may be used as a cloak to protect their evil intent in reporting libelous, false or fraudulent information. As the law states, media men may not be compelled to disclose the personal information of their source. What I am afraid of is that, media men may report libelous, false or fraudulent information, claiming that they gathered it through a reliable source, where in fact such source does not exist. They may not be compelled to disclose it and may easily invoke this provision of law.
Another provision that is noteworthy of mentioning is section 7 which provides that: To administer and implement the provisions of this Act, and to monitor and ensure compliance of the country with international standards set for data protection, there is hereby created an independent body to be known as the National Privacy Commission, xxxx”
This provision caught my attention and I find it very interesting. It is provided in this section that there shall be an INDEPENDENT BODY that will monitor and ensure compliance of the law. It means that it is not under the direct supervision or control of the President. The commission, being an independent body, has a wide discretion regarding its obligation as mandated by the law. It means that the President or any other government official, for that matter, may not use their powers in influencing the commission in order to achieve their fraudulent and evil intent. As what happened during the impeachment of Chief Justice Corona, wherein the government used its machinery to obtain information, regardless if it is in violation of the right of CJ Corona. With this provision, we may safely say that we are more secured now compared to what happened to CJ Corona.
The law enumerated different kinds of penalties for violation of the RA 10173. the acts punishable under this law are the following:
- The unauthorized processing of personal information or personal sensitive information – penalties are imposed on persons who process personal information without the consent of the data subject, or without being authorized under this Act or any existing law.
- Accessing Personal Information and Sensitive Personal Information Due to Negligence – penalties are imposed on persons who, due to negligence, provided access to personal information without being authorized under this Act or any existing law.
- Improper Disposal of Personal Information and Sensitive Personal Information – penalties are imposed on persons who knowingly or negligently dispose, discard or abandon the personal information of an individual in an area accessible to the public or has otherwise placed the personal information of an individual in its container for trash collection.
- Processing of Personal Information and Sensitive Personal Information for Unauthorized Purposes – penalties are imposed on persons processing personal information for purposes not authorized by the data subject, or otherwise authorized under this Act or under existing laws.
- Unauthorized Access or Intentional Breach – penalties are imposed on persons who knowingly and unlawfully, or violating data confidentiality and security data systems, breaks in any way into any system where personal and sensitive personal information is stored.
- Concealment of Security Breaches Involving Sensitive Personal Information – penalties are imposed on persons who, after having knowledge of a security breach and of the obligation to notify the Commission pursuant to Section 20(f), intentionally or by omission conceals the fact of such security breach.
- Malicious disclosure – penalties are imposed on any personal information controller or personal information processor or any of its officials, employees or agents, who, with malice or in bad faith, discloses unwarranted or false information relative to any personal information or personal sensitive information obtained by him or her.
- Unauthorized disclosure – penalties are imposed on any personal information controller or personal information processor or any of its officials, employees or agents, who discloses to a third party personal information not covered by the immediately preceding section without the consent of the data subject.
Having these penal provisions of the law, the data subject is well protected with regard to his personal information.
It is in my humblest opinion that this law will tend not just to increase confidence of the potential investors, especially IT-BPO industry, but also it boost the assurance of the general public that their personal information will not be used to unlawful purposes. It also bolsters the constitutional guaranteed right to privacy. The challenge now to the legislative and the government officials, who have the obligation of ensuring compliance of this law, is with regard to its Implementing Rules and Regulations and the long-term administration of this law. They must craft the IRR carefully in order to attain the significant objective of this law.
The 1987 Constitution of the Philippines