The Data Privacy Act of 2012 provides for security measures for the protection of personal data. Under Rule VI of the law, personal information controllers and personal information processors shall, in appropriate cases, designate Data Protection or Compliance Officers as their representatives. These officers shall be held accountable for “ensuring compliance with applicable laws regarding the protection of data privacy and security.” [1]

Data Protection Officers (DPOs) are mandated to ensure that data protection policies providing for organizational, physical, and technical security measures are followed. The rights of data subjects are respected when the personal information controllers and processors, represented by the DPOs, allow only personal data which is “necessary for the declared, specific and legitimate purpose of processing” to be collected.

As such, it is essential for the entities involved in processing such data to develop, implement and review policies and procedures for obtaining the consent of data subjects and allowing them to exercise their rights under the Data Privacy Act. [2] Some of these rights are the right to be informed of the processing of his or her data, the right to object to and rectify such processing, and the right to reasonable access, upon demand, to the contents of the processed personal data, as well as the reason for its disclosure and the recipients thereof. [3] The DPO serves as the data subject’s contact point for the assertion of these rights. Thus, the DPO’s identity may be requested by data subjects. [4]

The law also provides that the person involved in the processing of such data must keep records of processing activities, which, if applicable, shall include the DPO’s name and contact details.

When the DPO has a reasonable belief that a personal data breach has occurred and will be used to commit identity fraud, he or she must notify the National Privacy Commission (NPC) and the affected data subjects of the breach. [5] The contents of the notification shall include the DPO’s contact details so that the data subject may obtain additional information and assistance from the officer. [6] The personal information controller or processor must also make a breach report, whether written or electronic, to the NPC, which shall reproduce the contents of the notification, including the same contact details.

As one of the officers who are personally held accountable for compliance with the law, DPOs may be held criminally liable for the commission of acts or omissions which violate the law. The NPC may investigate these officers, and administrative liabilities may be imposed on them based on substantial evidence. The law provides for the responsible officer’s liability if the offender involved is a corporation, partnership, or any juridical person. [7] Violations of the Data Privacy Act include unauthorized processing of personal and sensitive information [8], accessing such information through negligence [9], improper disposal [10] and accessing the information for unauthorized purposes [11], as well as intentional security breaches [12] and the concealment thereof [13]. These safeguards will ensure that the Data Protection or Compliance Officers remain accountable for the purposes for which the Act was constituted.

While the law itself does not specify the qualifications for DPOs, NPC Circular 16-01 provides that the individual must be an organic employee of the government agency engaged in the processing of personal data. The DPO may be located offshore as long as he or she is an employee of the company or agency in question. [14] Another detail provided by the circular is that the agency may validly designate more than one DPO. [15] The details above, while expressly applicable only to government agencies under the NPC circular, can nevertheless guide the private sector in its implementation of the law. The DPO serves the same public interest functions whether in government or the private sector, and there is no reason for the NPC to adopt a divergent approach when it comes to the qualifications of the DPO. The law calls for coordination with government agencies and the private sector, and the goal of stronger protections requires a consistent approach. [16]

The European Union, in its General Data Protection Regulation, provides another qualification for its DPOs which may be applied by analogy to the Philippines: expert knowledge of data protection law and practices and the ability to fulfil the tasks assigned to the DPO. [17] Such qualifications may also be presumed from the very nature of the DPO’s role and from the object of the law which he or she seeks to accomplish.

Finally, access to senior management is another implied qualification. The circular requires agencies to develop a control framework for personal data. Such a framework includes organizational measures “to maintain the availability, integrity and confidentiality of personal data and to protect the personal data against natural dangers”. This framework will take into account possible risks to which the organization may be exposed, as well as current data privacy best practices. [18] This means that compliance is not just about procuring technology, but about formulating and enforcing policy throughout the organization. This may include, as the circular provides, a system of security clearances. Rules regarding access to records would be meaningless if there are no consequences for failing to comply with them. Such organizational measures are only possible if the policy is set at the highest level of leadership in the agency.

[1] Sec. 26(a), Rule VI, IRR, Rep. Act No. 10173

[2] Sec. 26(e), Rule VI, IRR, Rep. Act No. 10173

[3] Sec. 34, Rule VIII, IRR, Rep. Act No. 10173

[4] Sec. 50(b), Rule XII, IRR, Rep. Act No. 10173

[5] Sec. 38, Rule VIII, IRR, Rep. Act No. 10173

[6] Sec. 39, Rule VIII, IRR, Rep. Act No. 10173

[7] Sec. 51, Rule XII, IRR, Rep. Act No. 10173

[8] Sec. 52, Rule XIII, IRR, Rep. Act No. 10173

[9] Sec. 53, Rule XIII, IRR, Rep. Act No. 10173

[10] Sec. 54, Rule XIII, IRR, Rep. Act No. 10173

[11] Sec. 55, Rule XIII, IRR, Rep. Act No. 10173

[12] Sec. 56, Rule XIII, IRR, Rep. Act No. 10173

[13] Sec. 57, Rule XIII, IRR, Rep. Act No. 10173

[14] Address by Dondi Mapa, Data Privacy Act Compliance, Dusit Thani Hotel, Makati City, Nov. 3, 2016.

[15] Sec. 3(F), Rule I, NPC Circular 16-01

[16] Sec. 4, NPC Circular 16-01

[17] Art. 37(5), General Data Protection Regulation, Regulation (EU) 2016/679

[18] Sec. 6, Rule I, NPC Circular 16-01

[19] Sec. 7, Rule III, NPC Circular 16-01
