Philippines Republic Act 10173

Who is excluded from Republic Act 10173 compliance? 

• Just like with other data protection laws, Republic Act 10173 exempts certain types of data, such as: 

  • Information about any individual who is or was an officer or employee of a government institution that relates to the position or functions of the individual, including:
    • The fact that the individual is or was an officer or employee of the government institution;
    • The title, business address and office telephone number of the individual;
    • The classification, salary range and responsibilities of the position held by the individual; and
    • The name of the individual on a document prepared by the individual in the course of employment with the government;
  • Information about an individual who is or was performing service under contract for a government institution that relates to the services performed, including the terms of the contract, and the name of the individual given in the course of the performance of those services;
  • Information relating to any discretionary benefit of a financial nature such as the granting of a license or permit given by the government to an individual, including the name of the individual and the exact nature of the benefit;
  • Personal information processed for journalistic, artistic, literary or research purposes;
  • Information necessary in order to carry out the functions of public authority which includes the processing of personal data for the performance by the independent, central monetary authority and law enforcement and regulatory agencies of their constitutionally and statutorily mandated functions. Nothing in this Act shall be construed as to have amended or repealed Republic Act No. 1405, otherwise known as the Secrecy of Bank Deposits Act; Republic Act No. 6426, otherwise known as the Foreign Currency Deposit Act; and Republic Act No. 9510, otherwise known as the Credit Information System Act (CISA);
  • Information necessary for banks and other financial institutions under the jurisdiction of the independent, central monetary authority or Bangko Sentral ng Pilipinas to comply with Republic Act No. 9510, and Republic Act No. 9160, as amended, otherwise known as the Anti-Money Laundering Act and other applicable laws; and
  • Personal information originally collected from residents of foreign jurisdictions in accordance with the laws of those foreign jurisdictions, including any applicable data privacy laws, which is being processed in the Philippines.

How can I keep my organization Republic Act 10173 compliant? 

Both the text of the law and the IRR document list a series of obligations for covered entities that relate to processing of personal data. 

According to the IRR, data controllers and data processors who have 250 or more employees or who process the sensitive personal information of 1,000 or more data subjects have an obligation to register their data processing systems on the NPC’s Registration System. Additionally, data controllers and processors have to notify the NPC “of automated processing operations where the processing becomes the sole basis of making decisions that would significantly affect the data subject” and to provide an “annual report of the summary of documented security incidents and personal data breaches.”

Section 11 of the law lists the general data privacy principles that apply to the processing of personal data, namely transparency, legitimate purpose, and proportionality. Section 21 adds to this the principle of accountability, according to which, controllers are “responsible for personal information under [their] control or custody, including information that has been transferred to a third party for processing, whether domestically or internationally, subject to cross-border arrangement and cooperation.” 

  As such, personal information must, be:

• Collected for specified and legitimate purposes determined and declared before, or as soon as reasonably practicable after collection, and later processed in a way compatible with such declared, specified and legitimate purposes only;
• Processed fairly and lawfully;
• Accurate, relevant and, where necessary for purposes for which it is to be used the processing of personal information, kept up to date; inaccurate or incomplete data must be rectified, supplemented, destroyed or their further processing restricted;
• Adequate and not excessive in relation to the purposes for which they are collected and processed;
• Retained only for as long as necessary for the fulfillment of the purposes for which the data was obtained or for the establishment, exercise or defense of legal claims, or for legitimate business purposes, or as provided by law; and
• Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected and processed.

Within Section 12 covered entities can find the criteria for lawful processing of personal information, such as:

• consent given by the data subject; 
• the necessity of processing for any of the following:
  • the fulfillment of a contract;
  • for compliance with a legal obligation;
  • to protect vitally important interests of the data subject, including life and health;
  • in order to respond to national emergency, to comply with the requirements of public order and safety, or to fulfill functions of public authority which necessarily includes the processing of personal data for the fulfillment of its mandate; or
  • for the purposes of the legitimate interests pursued by the personal information controller or by a third party or parties to whom the data is disclosed.

As regards the processing of sensitive personal information, Section 13 states that  the processing of sensitive personal information and privileged information shall be prohibited, except certain cases apply, such as when:

• the data subject has given his or her consent, specific to the purpose prior to the processing, or in the case of privileged information, all parties to the exchange have given their consent prior to processing;
• the processing is provided for by existing laws and regulations where such regulatory enactments guarantee the protection of the sensitive personal information and the privileged information and the consent of the data subjects is not required by law or regulation, thus permitting the processing of the sensitive personal information or the privileged information;
• the processing is necessary to protect the life and health of the data subject or another person, and the data subject is not legally or physically able to express his or her consent prior to the processing;
• the processing is necessary to achieve the lawful and noncommercial objectives of public organizations and their associations, where the processing is restricted to the bona fide members of these organizations or their associations, no sensitive personal information is transmitted to any third party, and consent has been obtained prior to processing;
• the processing is necessary for purposes of medical treatment, is carried out by a medical practitioner or a medical treatment institution, and an adequate level of protection of personal information is ensured; or
• the processing concerns such personal information as is necessary for the protection of lawful rights and interests of natural or legal persons in court proceedings, or the establishment, exercise or defense of legal claims, or when provided to government or public authority.

Republic Act 10173 mandates in Section 20 that controllers have an obligation to ensure the security of personal information through “reasonable and appropriate organizational, physical and technical measures intended for the protection of personal information against any accidental or unlawful destruction, alteration and disclosure, as well as against any other unlawful processing, [...] natural dangers such as accidental loss or destruction, and human dangers such as unlawful access, fraudulent misuse, unlawful destruction, alteration and contamination.” The appropriate level of security will have to take into account “the nature of the personal information to be protected, the risks represented by the processing, the size of the organization and complexity of its operations, current data privacy best practices and the cost of security implementation.” 

According to Section 20 (f) in the event of a data breach, “the personal information controller shall promptly notify the Commission and affected data subjects when sensitive personal information or other information that may, under the circumstances, be used to enable identity fraud are reasonably believed to have been acquired by an unauthorized person, and the personal information controller or the Commission believes that such unauthorized acquisition is likely to give rise to a real risk of serious harm to any affected data subject.” The IRR clarifies this further by stating that “the Commission and affected data subjects shall be notified by the personal information controller within seventy-two (72) hours upon knowledge of the data breach.” However, the law grants that “notification may be delayed only to the extent necessary to determine the scope of the breach, to prevent further disclosures, or to restore reasonable integrity to the information and communications system.”

The notification will have to contain several details such as:

• the nature of the breach, 
• the sensitive personal information possibly involved, and
• the measures taken by the entity to address the breach. 

What data access rights does Republic Act 10173 grant? 

According to the official text, and as clarified by the IRR, data subjects have the following access rights: 

• Right to be informed

• Right to object to the processing of his or her personal data, including processing for direct marketing, automated processing or profiling 

• Right to Access

• Right to Rectification (Right to Correct)

• Right to Erasure or Blocking (Right to Delete)

• Right to Data Portability - where a data subject’s personal data is processed by electronic means and in a structured and commonly used format, the data subject has the right to obtain from the personal information controller a copy of such data in an electronic or structured format that is commonly used and allows for further use by the data subject.
• Right to damages - where the data subject stood to suffer due to inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of personal data, taking into account any violation of his or her rights and freedoms as data subject.
• Right to transmit data subject rights - where one data subject is nominated as heir or is what the law calls an ‘assignee,’ on behalf of another data subject, they can invoke the rights of the individual “at any time after the death of the data subject or when the data subject is incapacitated or incapable of exercising the rights.”

How should organizations address data subject access requests under Republic Act 10173?

Neither the Republic Act 10173, nor the IRR offer any guideline on how data subject requests should be answered and what the deadline for these requests is. The only mention is in relation to the Right to Correct, where controllers have to “correct it immediately and accordingly, unless the request is vexatious or otherwise unreasonable.”

Enforcement and penalties

The enforcing authority is the National Privacy Commission (NPC) whose duties include: ensuring compliance, handling complaints, recommending penalties to the Department of Justice. Regarding penalties, Sections 25 through 36 list the various types of violations and the associated penalties which consist of both criminal and financial sanctions. Imprisonment can be between 6 months and 7 years, coupled with a financial sanction ranging between Php100,000.00 (approx. $ 1765) and Php4,000,000.00 (approx. $ 70,500). Any combination of violations listed in Sections 25 through 36 can result in a sanction consisting of imprisonment for a period between  3 and 6 years and a fine between Php100,000.00 (approx. $ 17650) and Php5,000,000.00 (approx. $ 88,000). 

Data Subject Rights - GDPR vs. Republic Act 10173