An overview of Philippine Data Privacy Law

RA10173 applies to the processing of all types of personal information and to any natural or juridical person involved in personal information processing both in the private and government sectors. It covers data controllers and processors not found in the Philippines that either: use equipment that is located in the Philippines; or maintain an office, branch, or agency in the Philippines.

‘Processing’ is defined as any operation or set of operations performed upon personal information (such as, but not limited to, collection, recording, organisation, storage, updating, modification, retrieval, consultation, use, consolidation, blocking, erasure, destruction). ‘Personal information controller’ refers to any person or organisation that controls the collection, holding, processing, or use of personal information (except those who perform such functions as instructed by another person or organisation, and an individual who performs the same functions in connection with said individual’s personal, family, or household affairs). Meanwhile, ‘personal information processor’ refers to any natural or juridical person to whom a personal information controller may outsource the processing of personal data.
The following types of information are exempt from the coverage of RA10173:

• Information on any current or previous government servant that relates to the position or functions of said individual;
• Information relating to the services performed by an individual under a government contract;
• Information relating to any discretionary financial benefit given by the government to an individual;
• Personal information processed for journalistic, artistic, literary or research purposes;
• Information necessary in order to carry out the functions of public authority;
• Information necessary for banks and financial institutions to comply with the Anti-Money Laundering Act; and
• Personal information collected from residents of foreign jurisdictions in accordance with the laws of those foreign jurisdictions.

RA10173 distinguishes ‘personal information’ and ‘sensitive personal information’, as different requirements for lawful processing are prescribed. ‘Personal information’ refers to any information from which the identity of an individual is apparent or can be reasonably and directly ascertained, or when put together with other information would directly and certainly identify the individual. ‘Sensitive personal information’ refers to personal information about one’s race, marital status, age, colour, religious, philosophical or political affiliations, health, education, any court proceedings issued by government agencies peculiar to an individual (e.g., social security numbers, health records, licences, tax returns) and those specifically declared as classified by law or regulation.

RA10173 extensively outlines the rights of the data subject with respect to his/her personal information. These rights must be generally observed by data controllers and data processors, except when the personal information shall be used for scientific and statistical research, no activities are carried out and no decisions are taken regarding the data subject or are gathered for the purpose of investigations in relation to any criminal, administrative or tax liabilities of a data subject.
The law outlines the general principles on security of personal information, as well as accountability with respect to transfer of personal information. Specific provisions are laid down concerning security of sensitive personal information in the government, as well as provisions on data breach.

Finally, violations of RA10173 are meted by mandatory imprisonment and fine. A higher range of penalties is imposed when sensitive personal information is involved. Maximum penalties are imposed when the personal information of at least 100 persons is affected (large scale).