Animo Repository


Faculty Research Work

Data Privacy Act of 2012: A case study approach to Philippine government agencies compliance.

Michelle Renee D. Ching, De La Salle University, Manila; Bernie S. Fabito, De La Salle University, Manila; Nelson J. Celis, De La Salle University, Manila

College of Computer Studies

Department/Unit: Information Technology

Document Type: Archival Material/Manuscript

Publication Date

The Philippine Data Privacy Act (DPA) of 2012 was enacted to protect the personal information of citizens from being disclosed without their consent. The National Privacy Commission (NPC) was established in 2015 to promote, regulate, and monitor the data privacy compliance of both government and private institutions. This study sought to explore and explain how and why Philippine government agencies comply with the DPA 2012. It also tried to determine and understand the determinants of compliance as perceived by the government agencies. The Commission on Higher Education (CHED) and the Commission on Elections (COMELEC) were the focus of the interviews conducted by the researchers. The NPC was also included in the study to determine the status of the government’s compliance with the law. The study was a qualitative case study following R. K. Yin’s Case Study Research (2014) on research designs and methods. The case study is the recommended approach when the main question starts with how and why. The study found three factors that in some way hamper government agencies’ compliance with the DPA 2012: (1) lack of awareness, (2) budget, and (3) time constraints. With regard to the determinants of compliance, (1) deterrence and (2) legitimacy were the concluded causal factors for why they will comply with the DPA 2012. For future work, it is recommended that a follow-up study be conducted after the compliance deadline.

Recommended Citation

Ching, M. D., Fabito, B. S., & Celis, N. J. (2018). Data Privacy Act of 2012: A case study approach to Philippine government agencies compliance. Retrieved from https://animorepository.dlsu.edu.ph/faculty_research/5993

Disciplines

Civil Rights and Discrimination | Public Administration

Data privacy—Law and legislation—Philippines; Administrative agencies—Philippines—Rules and practice


This document is currently not available here.


The Philippines’ Data Privacy Act Of 2012

By Laxmi Rosell and Sheilah Marie Tomarong-Cañabano, of Quisumbing Torres, Manila, a member firm of Baker & McKenzie International.

The Philippines recently adopted its first data privacy law. Republic Act No. 10173, or the Data Privacy Act of 2012 1 (the Act), which is intended to protect the integrity and security of personal data in both the private and public sectors, was signed by the President on August 15, 2012 (see report in this issue). It was published on August 24, 2012, and took effect 15 days after its publication, on September 8, 2012. The rules and regulations implementing the Act are expected to be issued within 90 days from the law’s entry into force.

The enactment of the law seeks to bring the Philippines’ data protection policies and measures on par with the international standards of data privacy protection. Government and business leaders also believe that the implementation of the law will help maintain the competitiveness of the Philippines and boost investments in its information technology-business process outsourcing (IT-BPO) sector 2 and support a healthy information and communications technology (ICT) industry.

Previous Legal Landscape

The new legislation fills a void in the Philippine legal system. Prior to the promulgation of the Act, there was no Philippine law dealing specifically with personal data privacy. While the Philippine Constitution and jurisprudence recognize and protect a person’s right to privacy, they deal with the protection of personal information in only a general manner.

There were also provisions scattered across several statutes, such as the Civil Code, the Revised Penal Code, the Anti-Wire Tapping Law, and the Electronic Commerce Act, dealing with the right of privacy of an individual. However, these provisions do not squarely address the issue of data privacy and so are inadequate, and, in some instances, inapplicable, in addressing the issue of personal data privacy. There was also no government agency overseeing the protection of personal data.

Guidelines issued by the Department of Trade and Industry (DTI) in connection with the Electronic Commerce Act concerning the protection of personal data in information and communications systems in the private sector (the DTI Guidelines) 3 are the closest thing the Philippines had to a data privacy rule prior to the Act. The DTI Guidelines followed the basic principles of personal data processing laid down in the European Union’s Data Protection Directive (95/46/EC) (i.e., legitimate purpose, transparency, and proportionality). However, the DTI Guidelines were generally considered to have no teeth, as they did not provide for any penalties for violations. The DTI Guidelines were also limited in scope in the sense that they did not cover personal data in the public sector.

The data processing principles of legitimate purpose, transparency, and proportionality have been recognized by the Philippine Supreme Court in the case of Ople vs. Torres. 4 In this case, the Supreme Court struck down as unconstitutional, and hence null and void, an administrative order proposing to establish a National Computerized Identification Reference System. In this connection, the administrative order sought to introduce a Population Reference Number (PRN) to establish a linkage among concerned government agencies through the use of biometrics technology (e.g., finger-scanning, retinal scanning, etc.). The Supreme Court held that the administrative order was unconstitutional because “facially, it violate[d] the right to privacy.” The Supreme Court noted that the order failed to specify what specific biological characteristics would be used to identify people sought to be covered by the system. The Supreme Court also noted that the purposes for which the data was to be collected and processed were not specified. It noted that the PRN may be used for the generation of other data “for development planning,” creating avenues for potential misuse of the data to be gathered, as well as possible leakage of the information, or manipulation of data. Furthermore, the Supreme Court stated that adequate safeguards must be in place for protection of the data collected.

These data collection and processing principles are now expressly incorporated in the Act.

What the Act Provides

As mentioned above, the Act has incorporated substantially the DTI Guidelines, which are, in turn, based on the EU Data Protection Directive, which basically allows the collection, use, processing, and storage of personal data based on the general principles of legitimate purpose, transparency, and proportionality.

The Act establishes a new government agency, the National Privacy Commission (NPC), tasked, among other things, to:

  • ensure the compliance of personal information controllers with the provisions of the Act;
  • receive complaints, institute investigations, adjudicate and award indemnity on matters affecting any personal information;
  • issue cease and desist orders, and impose a temporary ban on the processing of personal information, upon a finding that the processing will be detrimental to national security and the public interest;
  • compel or petition any entity, government agency or instrumentality to abide by its orders or take action on a matter affecting data privacy;
  • monitor the compliance of other government agencies or instrumentalities with their security and technical measures;
  • recommend to the Department of Justice (DOJ) the prosecution and imposition of the criminal penalties specified in Sections 25 to 29 of the Act;
  • review, approve, reject or require modification of privacy codes voluntarily adhered to by personal information controllers;
  • negotiate and contract with the data privacy authorities of other countries for cross-border application and implementation of respective privacy laws; and
  • generally perform such acts as may be necessary to facilitate cross-border enforcement of data privacy protection.

The Act also includes additional features not found in the previous DTI Guidelines. It:

  • provides for a more comprehensive enumeration of the rights of the data subject, including the express right to be indemnified for any damages sustained due to the use of inaccurate, incomplete, false, unlawfully obtained or unauthorized personal information;
  • differentiates between “personal information” and “sensitive personal information”:
      • “personal information” refers to any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual; while
      • “sensitive personal information,” on the other hand, refers to personal information: 1) about an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations; 2) about an individual’s health, education, genetic or sexual life, or to any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings; 3) issued by government agencies peculiar to an individual which includes, but is not limited to, social security numbers, previous or current health records, licenses or license denials, suspension or revocation, and tax returns; and 4) specifically established by an executive order or an act of Congress to be kept classified;
  • prohibits the processing of “sensitive personal information” except in specific cases enumerated in the Act (which include consent);
  • imposes upon information controllers certain notification obligations to the Data Privacy Commission in specific cases of data privacy breach;
  • obligates information controllers to designate individual/s within their organizations who are accountable for the organization’s compliance with the Act; and
  • provides for criminal penalties (including imprisonment and fines) for specific violations of the Act (e.g., unauthorized processing, improper disposal, processing for unauthorized purposes, unauthorized access or intentional breach, concealment of security breaches and malicious disclosure of personal information and sensitive personal information).

The Act provides for a wide scope of application, as it applies to the processing of “all types of personal information and to all natural and juridical persons involved in personal information processing,” including personal information controllers and processors that, although not found in the Philippines, use equipment or have offices or branches that are located in the country.

The Act also applies to an act done or practice engaged in outside the Philippines by an entity if:

  • the act, practice or processing relates to personal information about a Philippine citizen or a resident;
  • the entity has a link with the Philippines, and the entity is processing personal information in the Philippines or, even if the processing is outside the Philippines, it is about Philippine citizens or residents; or
  • the entity has other links in the Philippines (e.g., the entity carries on business in the Philippines, and the personal information was collected or held by an entity in the Philippines).

Notably, however, the Act provides a safe harbor for business process outsourcing entities that process personal information collected from foreign residents in accordance with the laws of such foreign jurisdictions. Section 4(g) of the Act expressly excludes from the coverage of the Act:

(g) Personal information originally collected from residents of foreign jurisdictions in accordance with the laws of those foreign jurisdictions, including any applicable data privacy laws, which is being processed in the Philippines.

Moreover, the Act also includes a provision that expressly provides protection to journalists and their sources. This provision was included in the law during the deliberations in Congress amidst fears voiced by media groups that the Act may be used to unduly curtail press freedom. Section 5 of the law reads:

Nothing in this Act shall be construed as to have amended or repealed the provisions of Republic Act No. 53, which affords the publishers, editors or duly accredited reporters of any newspaper, magazine or periodical of general circulation protection from being compelled to reveal the source of any news report or information appearing in said publication which was related in any confidence to such publisher, editor, or reporter.

Challenges to Implementation

The coverage of the law is quite expansive and, based on its provisions, could apply to all types of information relating to individuals, even those found in public databases. As a case in point, protected “sensitive personal information” includes information involving any proceeding for any offense committed or alleged to have been committed by a person, the disposal of such proceedings, or the sentence of any court in such proceedings. “Personal information” also includes not only information from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, but also information that “when put together with other information would directly and certainly identify an individual” (emphasis added).

In the absence of further clarification, therefore, it would be prudent to treat all information relating to individuals as protected, and data protection policies need to be re-examined to make sure they are aligned with the Act. Obtaining the data subject’s consent to the processing of any information relating to him or her, prior to collection of the data, appears to be the best practice. The consent must be “specific,” so consent forms need to be crafted to provide as much information about the data to be collected as possible, pending further details that will hopefully be provided in the implementing rules and regulations of the Act.


Associate Professor

Department of Philosophy University of the Philippines, Diliman

Peter Sy

  • Data Privacy Protection and Research Involving Human Participants: A Primer. Social Sciences and Philosophy Research Foundation, Inc.


Recent Publications

  • Data Privacy Toolkit for Research Involving Human Participants. DOI: 10.6084/m9.figshare.14815881
  • Open educational resources for geographically isolated and disadvantaged areas
  • Ethics Guidelines on COVID-19 Crisis-Level Hospital Care. University of the Philippines Manila.
  • Addressing Societal Issues Through MOOCs in Southeast Asia
  • Ethics in Migration and Global Health Delivery: Issues of Justice and Integrity

Conventus Law


Philippines – Final Rules and Regulations Implementing the Data Privacy Act Released, Taking Effect on 9 September 2016

September 16, 2016 by Conventus Law


On 25 August 2016, the National Privacy Commission ("NPC"), the agency tasked to implement and enforce the Data Privacy Act of 2012 (Republic Act No. 10173)[i], issued the implementing rules and regulations ("Rules") of said law. The Rules are the result of a series of public consultations held by the NPC beginning in June 2016 and of comments on the draft rules and position papers submitted to the NPC by various stakeholders such as representatives from banks, retail, education, research, health informatics, civil society, business process management, the migrant sector and government organizations.[ii] The Rules, which will take effect fifteen (15) days after publication or on 9 September 2016, are currently available at the NPC's website.[iii]

Scope and Application

The Rules reiterate, clarify, and enforce the general policy of the Data Privacy Act to protect the fundamental right of individuals to data privacy while at the same time ensuring the free flow of information for national development.[iv] The Rules promote the general principles of transparency, legitimacy of purpose, and proportionality in processing personal information, by particularizing the requirements of the Data Privacy Act imposed on both personal information controllers and personal information processors who: (1) process personal information belonging to Philippine citizens or residents; (2) are established or located in the Philippines; or (3) have commercial links to the Philippines by contract or business presence. Subject to the burden on an entity to prove the inapplicability of the Data Privacy Act to its processing activities, the processing of personal information originally collected from residents of foreign jurisdictions in accordance with the laws of the latter is exempt from the scope of the Rules. However, it appears that the exemption from the Data Privacy Act only refers to the collection of personal information belonging to foreign residents, while its further processing within the Philippines shall still be subject to the security requirements of the DPA and, consequently, the Rules.

Registration and Compliance Requirements

In addition to the more general requirements of the DPA on the processing of personal information, the Rules impose several registration and compliance obligations on covered controllers and processors. The more important of these obligations are as follows:

  Registration of Personal Data Processing Systems. Personal data processing systems operating in the Philippines that involve the processing of personal information belonging to at least 1,000 individuals shall be registered with the NPC.[v] Controllers or processors that employ fewer than 250 persons are generally exempt from the registration requirement, subject to certain conditions.[vi]

  Reportorial Requirements. Personal information controllers are required to notify the NPC and affected data subjects of a data breach within 72 hours from the discovery thereof.[vii] In addition, covered entities shall also report to the NPC a summary of documented security incidents and data breaches on an annual basis,[viii] and also notify the commission when automated processing becomes the sole basis of making decisions about a data subject.[ix]

  Nature of Consent of Data Subjects. The Rules clarify that in cases not exempt from the consent requirement, the data subject's consent to the personal information processing is time-bound in relation to the purpose of the processing.[x]

  Minimum Security Requirements; Contents of Data Transfer Agreements between Controllers and Processors. The Rules enumerate the specific minimum organizational, physical, and technical requirements which controllers and processors are required to implement while processing personal information.[xi] These security standards are subject to periodic evaluation and updating by the NPC via subsequent issuances. The Rules also contain the minimum requirements as to the compliance provisions to be included in any data processing agreement between personal information controllers and their processors.[xii]

Failure to comply with the foregoing registration and compliance requirements, as well as the commission of any of the offenses punishable under the Data Privacy Act and the Rules, shall be meted out with penalties of imprisonment of up to six (6) years and/or fines of up to PhP5,000,000 (approximately US$107k). The NPC is also vested with quasi-judicial powers to adjudicate privacy complaints and award civil damages to private complainants, and with regulatory powers to impose on erring covered entities compliance and enforcement orders, cease and desist orders, ban on personal information processing, or payment of administrative fines.[xiii]

Actions to Consider

Clients are advised to evaluate the applicability and impact of the Rules to their respective organizations, and upon confirmation thereof, commence efforts in complying with the Data Privacy Act, specifically with regard to the Rules' registration and compliance requirements. Covered entities should also assess their respective current security measures vis-à-vis the minimum security standards of the Rules, including but not limited to educating personnel on data privacy legal requirements and best practices, with the ultimate objective of seamlessly complying with the Data Privacy Act and the Rules.

Covered entities are given a period of one (1) year from the effectivity of the Rules, or until 9 September 2017, within which to meet the registration requirement or request the NPC for an extension thereof. The NPC shall, by subsequent issuances, provide for the deadline for covered entities to comply with the minimum security measures enumerated under the Rules.[xiv]

[i] REPUBLIC ACT NO. 10173. AN ACT PROTECTING INDIVIDUAL PERSONAL INFORMATION IN INFORMATION AND COMMUNICATIONS SYSTEMS IN THE GOVERNMENT AND THE PRIVATE SECTOR, CREATING FOR THIS PURPOSE A NATIONAL PRIVACY COMMISSION, AND FOR OTHER PURPOSES.
[ii] Privacy Act II Released – NPC to Educate Public About Privacy, http://privacy.gov.ph/privacy-act-irr-released-npc-to-educate-public-about-privacy/, last accessed on 5 September 2016.
[iii] Implementing Rules and Regulations of Republic Act No. 10173, known as the "Data Privacy Act of 2012", http://privacy.gov.ph/wp-content/uploads/2016/08/10173-IRR-25-Aug-2016.pdf.
[iv] Section 2, Rule 1, Final Rules.
[v] Section 46 (a), Rule XI, Final Rules.
[vi] Section 47, Rule XI, Final Rules.
[vii] Section 38, Rule IX, Final Rules.
[viii] Section 41, Rule IX, Final Rules.
[ix] Section 48, Rule XI, Final Rules.
[x] Section 19, Rule IV, Final Rules.
[xi] Sections 25-29, Rule VI, Final Rules.
[xii] Sections 26 (f), Rule VI, Final Rules.
[xiii] Section 65, Rule XIII, Final Rules.
[xiv] Section 67, Rule XIV, Final Rules.


For further information, please contact:

Bienvenido Marquez, Partner, Quisumbing Torres


UP Diliman Data Privacy Portal

REVISED PRIVACY POLICY FOR RESEARCHERS AND RESEARCH SUBJECTS


UNIVERSITY OF THE PHILIPPINES DILIMAN

WHEREAS, on 11 March 2018, the UP Diliman Data Protection Office issued the UP Diliman Privacy Policy for Researchers and Research Subjects.

WHEREAS, although processing of personal information for research purposes is exempted from the prohibitions of the Data Privacy Act of 2012, nuances in privacy regulations require a more detailed approach in respecting privacy rights in the conduct of research;

WHEREAS, ethical issues in research require a calibrated and responsible approach to data gathering and processing.

NOW, THEREFORE, in recognition of the constitutional and inherent rights of people to privacy and to uphold respect for privacy in the conduct of research, this Revised Privacy Policy for Researchers and Research Subjects is hereby promulgated.

PART I. SCOPE

This Policy governs UP Diliman Researchers and Research Subjects whose personal information, sensitive personal information and privileged information (“Personal Data”) are processed by the University.

UP Diliman has several researchers who, in the course of their research, collect personal information. Their work and their researches are in line with the mandate of RA 9500 otherwise known as the UP Charter of 2008 which recognizes the role that the “University shall serve as a research university in various fields of expertise and specialization by conducting basic and applied research and development, and promoting research in various colleges and universities, and contributing to the dissemination and application of knowledge.”

UP Diliman is a research university and hence we should foster an environment that realizes the maximum potential of Filipino research within the bounds of privacy regulations and ethical standards under the Data Privacy Act of 2012.

Definition of Terms

For the purpose of this document, the following terms are defined, as follows:

  • Research refers to all activities arising from or related to any form of academic study or investigation conducted by any UP Diliman faculty, student, REPS, staff, and all those who aid or facilitate such endeavor;
  • Research Data refer to all data gathered and all information processed due to or resulting from any Research;
  • Researchers refer to all individuals directly or indirectly involved in a Research;
  • Research Subjects refer to all individuals who knowingly or unknowingly participate or in any way become part of a Research from whom data or information is directly or indirectly gathered, observed or processed. “Research subjects” include “data subjects”;
  • DPA refers to Republic Act no. 10173, otherwise known as the Data Privacy Act of 2012;
  • IRR refers to the Implementing Rules and Regulations of Republic Act No. 10173, otherwise known as the Data Privacy Act of 2012;
  • Data Processing System refers to either computerized system or physical records which stores, processes or transmits personal information or sensitive personal information owned or managed by your UP Diliman unit or office;
  • NPC refers to the National Privacy Commission of the Philippines as created by the Data Privacy Act of 2012;
  • Personal Data refers to personal information, sensitive personal information, and privileged information as defined by the Data Privacy Act of 2012; and
  • Privacy Risk refers to the potential loss of control over personal information when a threat exploits vulnerability.

PART II. NON-APPLICABILITY OF DATA PRIVACY ACT TO RESEARCH

The DPA applies to all types of personal information and to any natural and juridical persons, including personal information controllers and processors who, although not found or established in the Philippines, use equipment, systems, or facilities located in the Philippines. [1] The DPA also provides exceptions to and exclusions from the coverage of this law, such as “personal information processed for journalistic, artistic, literary or research purposes” [2].

The NPC, in its Advisory Opinion, states: “Note, however, that the law (DPA) does not provide for blanket exemption for research. Such exemption is limited to the minimum extent of collection, access, use, disclosure or other processing necessary to achieve the specific purpose, function or activity” [3]. Thus, Researchers still have an obligation to implement necessary security measures to protect personal information they possess, uphold the rights of data subjects, and adhere to data privacy principles and other provisions of the DPA [4].

The Data Privacy Act is not applicable to Research if all of the following requisites are present:

  • Only data minimally necessary to achieve the research objectives are gathered and processed;
  • The data gathered shall be held under strict confidentiality and shall be used only for the specifically declared research purpose/s;
  • The data gathered are to be used only for the needs of scientific or statistical research; and
  • “The research should be intended for a public benefit, subject to the requirements of applicable laws, regulations, or ethical standards” [5].

The DPA is not applicable if the processed personal information is used only for the needs of scientific and statistical research and, on the basis of such, no activities are carried out and no decisions are taken regarding the research subject. Moreover, the personal information shall be held under strict confidentiality and be used only for the declared purpose.

PART III. PROTECTION OF RESEARCH DATA

Data Life Cycle

Personal information gathered undergoes a cycle which Researchers must keep track of and protect at every stage. In so doing, Researchers must identify with certainty the duties and responsibilities of the individuals who have current and future access to personal and sensitive personal information.

1.    Creation and Gathering of data

The Researcher who gathers data from Research Subjects should ensure consent, collection only to the necessary extent, information security, and confidentiality.

2.    Storage and Transmission of data

The data created or gathered must be physically and/or electronically stored in secure locations. The Researchers must ensure data protection and data quality preservation, with an active data inventory.

As much as practicable, Researchers should store and transmit data using official UP Diliman data processing systems and follow the Communications and Email Policy found in the Information Security Policy of UP Diliman. [6]

The data collected or gathered may include personal information; where it does, its storage on devices must be encrypted and must meet, at least, the Advanced Encryption Standard with a key size of 256 bits (AES-256).

Researchers shall designate a location for the storage of printed documents and keep them in locked filing cabinets or other safe storage to secure them, especially against unauthorized access.

3.    Usage

The use of Research Data, including data gathered from Research Subjects, shall be in accordance with the research objectives, which should be clearly and expressly stated to justify that use.

4.    Retention of data

The personal data collected shall be retained only as long as necessary for the fulfillment of the declared, specified, and legitimate purposes from its inception. The Researchers are the custodians of the Research Data, including data gathered from Research Subjects. The following must be considered in creating a retention plan for Research Data, including data gathered from Research Subjects:

  • Research objectives;
  • Legal and regulatory guidelines;
  • Sponsor requirements;
  • Ethical standards; and
  • University Retention Policy

The data to be retained must be classified and protected in compliance with the UP Diliman Data Classification Policy.

5.    Disposal and Destruction of data

The Researchers shall maintain an Inventory of the Research Data, conduct an Appraisal, and create a Research Data Disposition Schedule. [7]

The Researchers shall maintain records with knowledge of the “general information about the data flow within the organization, from the time of collection, processing, and retention, including the time limits for disposal or erasure of personal data.” [8]

In all stages of the research, Researchers shall comply with UP Diliman Information Security Policy and Records Management Policy in UP Diliman’s Privacy Portal.

Data Privacy Principles

Data gathering and processing in Research should adhere to the principles of transparency, legitimate purpose and proportionality. For each stage of the data life cycle, the following principles should be observed.

1.    Transparency

The data subject must be aware of the nature, purpose, and extent of the processing of his or her personal data, including the risks and safeguards involved, the identity of the personal information controller (i.e. Researcher), his or her rights as Research Subject, and how these rights can be exercised. Any information and communication relating to the processing of personal data should be easily accessible and understandable, in clear and simple language. [9]

Since research is one of the special cases mentioned in the DPA, the research subject may or may not be aware of the research purpose, nature and extent, but only to the minimum extent of the processing of personal information. [10]

The Privacy Notice shall provide the transparency needed by the Researcher and Research Subject. The notice should be simple, straightforward, direct, affirmative and respectful. Sentences must be short and in active voice so that they are easier to understand. When enumerating several items, bullet points are advised. Each section of the notice should have an informative heading that accurately describes what follows. The notice must include the contact information of the Researcher and the UP Diliman Data Protection Officer, the Research Subject's rights, and how to exercise those rights.

Researchers should also consider translating the privacy notice and explaining it verbally if the target Research Subject speaks a different language.

2.    Legitimate Purpose of the Researcher

The Researchers must have a legitimate purpose in processing personal information for every research project; hence, the following tests must be considered [11]:

  • Purpose Test – The existence of a legitimate interest must be clearly established, including a determination of what the particular processing operation seeks to achieve;
  • Necessity Test – The processing of personal information must be necessary for the purposes of the legitimate interest pursued by the PIC or third party to whom personal information is disclosed, where such purpose could not be reasonably fulfilled by other means; and
  • Balancing Test – The fundamental rights and freedoms of data subjects should not be overridden by the legitimate interests of the PICs, considering the likely impact of the processing on the data subjects.

3.    Proportionality

The processing of Research Data, including data gathered from Research Subjects, shall be adequate, relevant, suitable, necessary, and not excessive in relation to the research objective.

In accordance therewith, this Proportionality Test may be used:

  • Examination of whether or not the measure is necessary to meet the objective – that is, whether there are less intrusive ways of achieving the same objective.
  • Examination on whether or not the measure chosen for the collection of information is effective in achieving the objective – that is, whether or not it is rationally connected to it.
  • Balancing of the proportional benefits in collecting information against the harm to the data subject’s privacy. [12]

Security Measures

In general, research is exempted from the DPA. However, the DPA does not provide a blanket exemption for research. Researchers have the obligation to implement essential security measures to protect the personal data they process. [13]

The security measures aim to maintain the availability, integrity and confidentiality of personal data and protect them against natural dangers such as accidental loss or destruction, and human dangers such as unlawful access, fraudulent misuse, unlawful destruction, alteration and contamination.

1.    Organization Security Measures

a. Researchers may attend or request training provided by the UP Diliman Data Protection Office.

The Privacy Focal Person of the unit/office to which the Researcher belongs can initiate trainings and/or seminars relative to their unit/office’s data security. This training/seminar will be presented by a Lecturer assigned by the UP Diliman Data Protection Office.

b. By understanding the Data Life Cycle, the Researchers shall identify privacy risks by conducting a privacy impact assessment and propose measures intended to address the risks. [14]

c. Persons under the Research Team who have access to personal information shall be asked to sign a Non-Disclosure Agreement. This agreement shall hold the person responsible even after the project has ended.

2.    Physical Security Measures

a. To determine the necessary size and/or location of the storage, the format of data to be collected must be known. All records with personal information shall be kept in a secured location or locked filing cabinets.

b. Research Data, including data gathered from Research Subjects, includes personal information that only authorized UP Personnel and Researchers are allowed to access. Authorized personnel vary in every unit in UP Diliman. Other personnel may be granted access only through a request stating the purpose of such access, subject to the approval of the Researcher.

c. To monitor the data access of all authorized UP Personnel and Researchers in the data room or facility, there must be a log book of entries in the storage room indicating the date, time, duration and purpose of each entry.

d. Researchers should protect all printed and electronic personal data at all times. Laptop and desktop computers shall be locked upon leaving the workstation/s. Passwords/Passphrases shall not be written down or exposed to others.

e. Proper retention, disposal and destruction of records must also be provided and followed. This must be based on the UP Diliman Records Management Policy.

3.    Technical Security Measures

The Technical Security Measures provide the techniques used for authentication and protection against theft of sensitive data and information. They help authenticate the users’ login and data such that only verified user applications can read and access data and applications. The following technical security measures will guide researchers to avoid risks and security breaches.

a. Communication of UP students, faculty and staff using UP Mail (@up.edu.ph) or UP Webmail (@upd.edu.ph) for standard encryption.

b. Use of Passphrases, such as a sentence or a combination of words, instead of a single word, as passwords.

c. Regular backup of the data on personal information. The more important the data and/or the more the data change, the more regular the backup should be.

d. Within two (2) hours from discovery of the Security Incident or Personal Data Breach, any person – whether or not connected with UP Diliman – should report the incident by email with the subject “Incident/Breach – Name of the Unit” to dpo.updiliman(at)up.edu.ph and/or by phone call to both the UP Diliman Data Protection Officer and the Privacy Focal Person having jurisdiction over the unit involved, following the Security Incident Management Policy [15].

The UP Diliman Data Protection Office has provided a guide, found in the Information Security Policy, to protect UP Diliman’s information and information systems and ensure their confidentiality, integrity and availability.

PART IV. PRACTICES IN PROCESSING PERSONAL DATA

Good researchers follow and comply with the ethical standards of Research. Failure to do so will increase the privacy risk associated with the processing of personal information. Below are some of the ethical considerations the DPO suggests be observed [16].

  • The Person Collecting Must Put Himself in the Data Subject’s Position

Recognize the Data Subject as an Individual and not merely as a consumer: determine the ethical feasibility of your processing by subjecting yourself to the same procedures: would you consent?

  • Engineer Privacy-conscious Designs

Technological and Process design decisions should not dictate our societal interactions and the structure of our communities, but rather should support our values and fundamental rights. Develop and promote engineering techniques and methodologies that fully respect the dignity and rights of the individual.

  • Be Accountable for What is Collected

The principle that personal data should be processed only in ways compatible with the specific purpose(s) for which they were collected is essential to respecting individuals’ legitimate expectations.

  • Think Beyond Consent

Individuals are not merely passive objects who require protection of the law against exploitation and not all human behavior can be explained by economic principles which assume human beings are entirely rational and sensitive to economic incentives.

  • Collect only what Can be Protected

Individuals today are increasingly required to disclose much more personal information in order to participate in social, administrative and commercial affairs, with ever more limited scope for opting out. With this, the notion of free and informed consent is placed under enormous strain and it becomes necessary to limit collection to proportionality and legitimate purpose.

  • Treat Personal Information as extension of Physical Individual

The phrase “Once taken, it can never be returned” comes to mind when it comes to assessing risks and opportunity costs. The dignity of the human person is not only a fundamental right in itself but also is a foundation for subsequent freedoms and rights, including the rights to privacy and to the protection of personal data. Privacy is an integral part of human dignity, and the right to data protection was originally conceived to compensate for the potential erosion of privacy and dignity through large scale personal data processing.

  • Acknowledge Ownership of Personal Data

Absolute control over personal data is difficult to guarantee as there will be other concerns such as public interest and the rights and freedoms of others. Control is necessary but not alone sufficient since customers or data subjects are often not fairly compensated for the data they trade.

  • Safeguarding Human Dignity as Priority

It is necessary to ensure that personally-identifiable information, inclusive of big data, can be easily depersonalized to make it harder or impossible to single out an individual: it is important to evaluate according to wider societal norms and ethics committees when deciding on a large scope.

  • Prioritize Pro-Consumer Processing

The Data Privacy Act mandates that in interpreting the law, any and all policies or procedures must take into account the rights of the Data Subjects—the very same rights held by those who are processing their information. It becomes necessary to remember the purpose of holding, collecting, and processing of the personal information.

  • Evaluate the Purpose for Collection

Even with legitimate purpose, it is vital to check and update current processes as to whether the need to collect has become obsolete.

PART V. GUIDELINES IN DATA GATHERING AND PROCESSING

The following are guidelines in gathering and processing data:

  • Unless necessary to accomplish the research objectives, do not collect demographics and personal information from respondents and research subjects such as names, age, contact information, sex, health information, educational information, and other information personal to the individual.
  • Do not use or process gathered data other than the legitimate purposes of the research expressly communicated to the research subject.

In some cases, the research necessitates that the research subject is not fully aware of the purpose of the observation made of him or her. For example, the research is about subconscious bias and hence the research subject cannot be made aware that his/her subconscious behavior is being observed (otherwise, the research subject will make conscious adjustments). In these cases, the researcher must debrief or fully disclose to the research subject the nature, purpose, and extent of the observation and data gathering as soon as there is no more research need to keep the research subject uninformed. If, after being informed, the research subject objects to the debriefed purpose of the research or the intended processing of data, then the researcher must observe the research subject’s right to object to the processing and right to erasure of gathered data.

  • Unless the prior express recorded informed consent of the research subject is obtained, do not reuse or recycle data for other research, even if related to or arising from the original research initiative. Gathered data should only be processed in accordance with the number of research projects the research subject was made aware of.
  • Research results and output should only contain anonymized or aggregated data. Identities of respondents and research subjects should not be disclosed unless the prior express recorded informed consent of the research subject was obtained.
  • Unless part of the legitimate purpose of the research, there should be no profiling, judgment, or discrimination of the research subject in any manner. This includes psychological, behavioral, medical, physical, financial, racial, sexual, political, social, or any form of profiling, judgment, or discrimination of the research subject.
  • Researchers should keep in mind that research subjects are data subjects whose data must be protected from unauthorized or unnecessary gathering or processing. In case of doubt, data gathering and processing should be to the minimum extent necessary to fulfill the legitimate purpose of the research objective with the least intrusion to the privacy of the research subject.
  • Researchers must be aware of and adhere to applicable ethical standards for research.

PART VI. ACCESS TO RAW DATA

Research Data, including data gathered from Research Subjects, includes personal information. Only authorized UP Personnel and Researchers are allowed to access such information. Authorized personnel may differ in every unit in UP Diliman. Other personnel may be granted access by filing a request stating the purpose of the access, subject to the approval of the Research Creator.

Contractors, Consultants and Service Providers can access the Research Data, including data gathered from Research Subjects, but shall be governed by strict procedures contained in formal contracts, whose provisions must comply with the Data Privacy Act of 2012, its IRR, and all applicable issuances by the NPC and UP Diliman. The terms of the contract and undertakings given should be subject to review and audit to ensure compliance. [17]

Authorized users of personal information found in the Research Data, including data gathered from Research Subjects, shall abide by the UP System Policy on Acceptable Use of information assets found at https://upd.edu.ph/aup/ .

Authorized users who access the personal information online shall have their identity authenticated via a secure encrypted link and must use multi-factor authentication.

Raw Research data, including data gathered from Research Subjects, can be shared if it is anonymized or aggregated.

Any information is considered anonymized if there is no possible means to identify the research subject, that is, the PIC and/or any other persons are incapable of singling out an individual in a data set, from connecting two records within a data set (or between two separate data sets) and from any information in such dataset. [18]

It should be noted that shared anonymized data can never be used directly or indirectly to identify a person.

Raw data may not be reused for other research unless the research subject provided consent for the reuse of such data.

A Raw Research Dataset includes data gathered from Research Subjects and personal information of Research Subjects. Its processing will not be exempted from the DPA and its IRR. Thus, consent from the Research Subject is required before processing of said information.

No identity of any individual may be disclosed in any research work or output unless the prior consent of such individual was obtained.

The Privacy Notice should state, in clear and plain language, the Research Objective and how the personal information of the Research Subject will be processed. Any disclosure or sharing of personal information must be stated and clearly understandable to the Research Subject.

Accuracy and up-to-date Research Data

Researchers should make sure that personal data are, based on the DPA of 2012, “accurate, relevant, and, where necessary for purposes for which it is to be used the processing of personal information, kept up to date” [19] because any inaccurate or incomplete data may result in incorrect decisions and interpretation of the data acquired.

The DPA of 2012 further states that “inaccurate or incomplete data must be rectified, supplemented, destroyed or their further processing restricted.” [20]

We also note that when updating contact information, careful attention is needed to avoid the risk of sending personal information and/or sensitive personal information to unintended recipient/s.

PART VII. INTELLECTUAL PROPERTIES

In general, copyrights to intellectual property remain with their creator, except in the case of institutional or collaborative work, because the University is expected to generate copyrightable ideas and creative work. Patents for inventions, on the other hand, are generally presumed to belong to the University when these inventions are created with substantial use of University resources. [21]

In the case of a work commissioned by a person other than an employer of the author, who pays for it, and the work is made in pursuance of the commission, the person who so commissioned the work shall have ownership of the work, but the copyright thereto shall remain with the creator, unless there is a written stipulation to the contrary. [22]

Personal information obtained from the research is owned by the Research Subjects. Moreover, said information shall not be processed for purposes other than that stated in the research.

PART VIII. RIGHTS OF RESEARCH SUBJECTS

As data subjects, research subjects have the following rights that must be observed by researchers:

1.    Right to be Informed

This should answer questions like, “Why do you collect and what will you do with my personal data?”, “How will you process my personal data?”, “Who can I contact for questions?”, “How will you protect my personal data?”, and “How can I exercise my rights?”

The Research Subject’s personal data should be treated as their personal property. In the same way that the use of any sort of property must be done with an owner’s consent, personal data should never be collected, processed and stored by the researcher without the individual’s explicit consent, unless otherwise provided by law. [23]

2.    Right to Object

Since the processing of personal information is based on consent, the Research Subject can exercise the right to object. When a Research Subject objects or withholds consent, UP Diliman may not be able to conduct academic, administrative and other functions or services related to the Data Subject. The Researcher should stop processing the personal data once they receive the objection, unless the processing is needed pursuant to a subpoena, for obvious purposes (i.e., employer-employee relationship), or as a result of a legal obligation. [24]

3.    Right to Access

Research Subjects have the right to demand reasonable access to their personal information. It should be given in a clear and understandable format.

4.    Right to Rectification

Research Data, including data gathered from Research Subjects, should be accurate and up-to-date. The Research Subject has a right to dispute any inaccuracy or error in their personal information and demand that it be corrected immediately.

5.    Right to Erasure or Blocking

These rights of erasure and blocking do not apply to Personal Data, documents, records and accounts which are part of UP Diliman’s public records as an instrumentality of the government or as the national university. They may be exercised if there is substantial proof that the processing of Personal Data is unlawful. [25]

6.    Right to Damages

The Research Subject shall be indemnified for any damages sustained due to such inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of Personal Data, taking into account any violation of his or her rights and freedoms as Research Subject.

7.    Right to File a Complaint

The Research Subject has a right to complain when he or she sees that there is a violation of his or her rights as Research Subject and for any injury suffered as a result of the processing of his or her Personal Data. The Research Subject shall be subject to review by the UP Diliman Data Protection Office when there is a complaint filed by the Research Subject.

8.    Right to Data Portability

Where his or her Personal Data is processed by electronic means and in a structured and commonly used format, the Research Subject shall have the right to obtain from UP Diliman a copy of such data in an electronic or structured format that is commonly used and allows for further use by the Research Subject. [26]

[1] Data Privacy Act of 2012, Section 4.

[2] Ibid., Section 4 (d).

[3] NPC Advisory Opinion No. 2019-017: Research and the data privacy act of 2012, Page 2.

[4] Ibid., Page 2.

[5] Implementing Rules and Regulations of the Data Privacy Act, Section 5 (c).

[6] UP Diliman Information Security Policy, Chapter III, Memorandum Reference No. EBM 20-09 issued 9 June 2020.

[7] UP Diliman Records Management Policy, Part IV, Memorandum Reference No. EBM 20-07 issued 26 May 2020.

[8] Implementing Rules and Regulations of the Data Privacy Act, Section 26 (c) (3).

[9] Ibid., Section 18 (a).

[10] Ibid., Section 5.

[11] https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/legitimate-interests/what-is-the-legitimate-interests-basis/

[12] R vs. Oakes, S.C.R. 103, Supreme Court of Canada, 1986

[13] Data Privacy Act, Section 20.

[14] NPC Advisory Opinion No. 2017-03

[15] See Note 6.

[16] NPC Commissioner Liboro’s Presentation on Accountability, Compliance and Ethics, April 2019, UP Diliman

[17] NPC Circular 16-01 Security of Personal Data in Government Agencies, Section 16.

[18] NPC Advisory Opinion No. 2018-068, Processing of Anonymized Personal Data by Electronic Medical Records Provider.

[19] DPA, Section 11 (c).

[21] UP Research Guidebook version 1.2, March 2016.

[22] Intellectual Property Code of the Philippines R.A. No. 8293, Chapter VI, Sec. 178.4.

[23] Data Privacy Protection and Research Involving Human Participants: A Primer (Draft) by Peter Sy, J.C. Navera, Katrina Tan, Fatima Nicolas

[24] Implementing Rules and Regulations of the Data Privacy Act, Section 34.

[25] UP Diliman Data Subject Rights and Responsibilities

[26] Ibid.

The Research Exception under the Data Privacy Act of 2012

The Data Privacy Act of 2012 (hereinafter referred to as the “Act” or “DPA”) was enacted to bring the Philippines in line with international data protection standards to encourage investment and reinforce the Philippines’ position as a leading Information Technology and Business Process Outsourcing destination. 1

The Act aims to reconcile the right to privacy with the efficient utilization of information. Under the policy statement of the Act, it is understood that even as the law guarantees the protection of an individual’s fundamental right to privacy, it also ensures the free flow of information for innovation, growth, and national development. 2 The DPA, while upholding the rights of the data subject – a person whose personal information is collected, stored, and processed – does not impede access to information, which may hinder progress and advancement. It does not preclude the processing of personal data for research. In fact, the Act supports initiatives for data sharing, freedom of information and the responsible use and processing of personal data.

Scope and Application

The DPA applies to the processing of all types of personal data – both personal and sensitive information. It does not distinguish between the private and the government sector, as long as the act, practice or processing relates to personal data about a Philippine citizen or Philippine resident, or the processing of personal data is being done in the Philippines or engaged in by an entity with links to the Philippines. 3

Research Exception

The Act enumerates categories of information where it will not apply – such as information that falls within matters of public concern. 4 One such category is that of research purpose. The DPA explicitly excludes the processing of personal information for journalistic, artistic, literary or research purposes from the scope of application of the Act. 5 The Act and its Implementing Rules and Regulations (the “Rules”) are not applicable to personal information that will be processed for research purposes, intended for a public benefit; subject to the requirements of applicable laws, regulations, or ethical standards. 6

Data collected from parties other than the data subject for purpose of research shall be allowed when the personal data is publicly available, or has the consent of the data subject for purpose of research. It must be ensured that adequate safeguards are in place, and no decision directly affecting the data subject shall be made on the basis of the data collected or processed. Through the whole process, the rights of the data subject shall be upheld without compromising research integrity. 7

Under the DPA, the data subject also has the right to data portability. Where a data subject’s personal data is processed by electronic means and in a structured and commonly used format, the data subject shall have the right to obtain from the personal information controller a copy of such data. The exercise of this right to data portability shall primarily take into account the right of the data subject to have control over his or her personal data being processed. This means that if the data subject requests the data, the data subject has the right to compel the data processor to transfer such data directly to another organization. The electronic format, as well as the technical standards, modalities, procedures and other rules for their transfer shall subsequently be specified by the National Privacy Commission (hereinafter referred to as the “Commission”). 8

This right to data portability does not apply if the processed personal data are used only for scientific and statistical research, provided that no activities are carried out and no decisions are taken regarding the data subject. However, personal data shall be held under strict confidentiality and shall be used only for the declared purpose. Any limitations on the rights of the data subject shall only be to the minimum extent necessary to achieve the purpose of said research or investigation. 9

Review by the National Privacy Commission

Although processing of personal data for research purposes is exempted from the scope of the DPA, the Commission is authorized by the Act to review, upon its own initiative or upon the filing of the complaint by a data subject, the processing of personal data for research purposes. As an exception to the general rule, the exemption of processing of personal and sensitive data from the scope of the DPA should be construed strictly. As aforementioned, any limitations on the rights of the data subject shall only be to the least extent necessary to accomplish the purpose of said research. The non-applicability of the Act or its Rules does not extend to personal information controllers or personal information processors, who remain subject to the requirements of implementing security measures for personal data protection. Any doubt in the interpretation of any provision of the DPA shall be liberally interpreted in favor of the rights and interests of the individual whose personal information is being processed. 10

The rights of a data subject must, at all times, be of the highest importance. Any person, natural or juridical, or any other body that deals with a data subject’s personal details, whereabouts, and preferences, is duty-bound to observe and respect the data subject’s privacy rights. The Commission remains empowered to compel compliance of the parties concerned and to enable the data subject to remain in full control of his or her information. Should any natural or juridical person, or other body involved in the processing of personal data, violate the provisions of the Act, its Implementing Rules, and other issuances of the Commission, it shall be subject to the corresponding sanctions, penalties, or fines, in addition to any civil or criminal liability, as may be applicable. 11

1 http://www.senate.gov.ph/press_release/2012/0308_angara2.asp

2 Section 2, IRR of Republic Act No. 10173

3 Section 5(a) to 5(d), IRR of Republic Act No. 10173

4 Section 4, Republic Act No. 10173; Section 5, IRR of Republic Act No. 10173

5 Section 4(d), Republic Act No. 10173

6 Section 5 (1)(a), IRR of Republic Act No. 10173

7 Section 20, IRR of Republic Act No. 10173

8 Section 36, IRR of Republic Act No. 10173

9 Section 37, IRR of Republic Act No. 10173

10 Section 69, IRR of Republic Act No. 10173; Section 38, Republic Act No. 10173

11 Section 51, IRR of Republic Act No. 10173

Disini & Disini Law Office


  11. Humanizing data privacy in the Philippines

    When the media covers issues related to data and privacy, the human side is often left out, and instead the focus is on laws, procedures, and generalities." Today, one might say that this problem is very much prevalent here in the Philippines.

  12. Implementing Rules and Regulations of the Data Privacy Act of 2012

    5. Proposing legislation, amendments or modifications to Philippine laws on privacy or data protection, as may be necessary; 6. Ensuring proper and effective coordination with data privacy regulators in other countries and private accountability agents; 7. Participating in international and regional initiatives for data privacy protection. b ...

  13. The Philippines' Data Privacy Act Of 2012

    Guidelines issued by the Department of Trade and Industry (DTI) in connection with the Electronic Commerce Act concerning the protection of personal data in information and communications systems in the private sector (the DTI Guidelines)-endnote-ref ref="a0d4n0y8g1"> 3 are the closest thing the Philippines had to a data privacy rule prior to ...

  14. Data Privacy Protection and Research Involving Human Participants: A

    Sy PA, Navera JC, Tan K, Nicolas F. Data Privacy Protection and Research Involving Human Participants: A Primer. Social Sciences and Philosophy Research Foundation ...

  15. Data Privacy Act of 2012: The Legal Side of the 4th Industrial

    The law focuses on three general privacy principles, namely: (1) transparency, that is the awareness of the data subject on the details relevant to the processing [1] of their personal data; (2) legitimate purpose, that is the declared and specified purpose for processing of personal data which must not be contrary to law, morals, or public ...

  16. ASEAN's 'New' Data Privacy Laws: Malaysia, the Philippines and

    Abstract. In the first quarter of 2012, the ASEAN region (Association of South East Asian Nations) has become the most active region in the world for new privacy developments. None of the Bills in Malaysia, the Philippines or Singapore is yet a law, but they all could be within 2012. They have very different strengths and weaknesses in the ...

  17. Philippines

    Personal information controllers are required to notify the NPC and affected data subjects of a data breach within 72 hours from the discovery thereof.[vii] In addition, covered entities shall also report to the NPC a summary of documented security incidents and data breaches on an annual basis,[viii] and also notify the commission when ...

  18. (PDF) Privacy and Data Protection

    Abstract. Against the background of the centrality of data for contemporary economies, the chapter contributes to a better understanding and contextualization of data protection and its interfaces ...

  19. PDF Impact of the Data Privacy Act to Nursing Clinical Experience

    Asia Pacific Journal of Allied Health Sciences | | Volume 3, No. 1 | December 2020

  20. Revised Privacy Policy for Researchers and Research Subjects

    The Researchers are the custodian of the Research Data, including data gathered from Research Subjects. The following must be considered in a created Research Data, including data gathered from Research Subjects, retention plan: Research objectives; Legal and regulatory guidelines; Sponsor requirements; Ethical standards; and; University ...

  21. Data Privacy in Health Research and Clinical Practice

    • EU: "The processing of personal data for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes should be subject to appropriate safeguards for the rights and freedoms of the data subject pursuant to this Regulation." (sec 156, General Data Protection Regulation 2016/679 - 27 April ...

  22. Data Privacy Philippines

    Data collected from parties other than the data subject for purpose of research shall be allowed when the personal data is publicly available, or has the consent of the data subject for purpose of research. It must be ensured that adequate safeguards are in place, and no decision directly affecting the data subject shall be made on the basis of ...

  23. PDF Revised Privacy Policy for Researchers and Research Subjects

    University of the Philippines Diliman Data Protection Office upd.edu.ph/privacy [email protected] (632) 8255-3561 U.P. Diliman Data Protection Office L/GF, Phivolcs Bldg., C.P. Garcia Ave. Diliman, Quezon City 1101 27 May 2020