Data Privacy Act of 2012 (Republic Act No. 10173) | CpE Laws and Professional Practice Lesson 2

The Data Privacy Act of 2012 is a comprehensive privacy law that governs the processing of personal information in the Philippines. It is important because it protects the privacy rights of individuals and ensures that organizations properly handle personal information.

The law applies to both government agencies and private organizations that collect, use, and process personal information. It requires these organizations to implement measures to protect personal information from unauthorized access, disclosure, or use. These measures include physical, technical, and organizational safeguards that ensure the confidentiality, integrity, and availability of personal information.

The Data Privacy Act also grants individuals certain rights with respect to their personal information. For example, individuals have the right to know what personal information organizations collect about them, how it is used, and who it is shared with. They also have the right to request that organizations correct inaccurate information or stop using their information altogether.

The National Privacy Commission (NPC) is the regulatory body responsible for enforcing the Data Privacy Act. It has the power to investigate complaints, conduct audits, and impose fines and penalties on organizations that violate the law. The NPC also provides guidance and assistance to organizations to help them comply with the law.

Overall, the Data Privacy Act of 2012 is a very important law that helps protect people’s privacy and encourages the responsible use of personal information in the Philippines. It is part of a global trend toward stricter privacy laws and regulations, and it is a step in the right direction toward increasing trust between individuals and the organizations that handle their personal information.

How is the Data Privacy Act of 2012 related to the practice of Computer Engineering?

The Data Privacy Act of 2012 is highly relevant to the practice of Computer Engineering. Computer Engineering involves the design, development, and implementation of computer systems and networks, and as such, it plays a crucial role in ensuring that these systems are secure and protect the privacy of personal information.

Computer engineers are responsible for designing and implementing security measures, such as encryption and access controls, to protect personal information from unauthorized access or disclosure. They also play a key role in building robust and secure systems that comply with the Data Privacy Act’s requirements for the protection of personal information.

Computer engineers are also responsible for implementing data protection measures, such as data backup and disaster recovery plans, to ensure the availability of personal information in the event of a system failure or disaster.

In addition, computer engineers must be knowledgeable about the Data Privacy Act’s requirements and work closely with legal and compliance teams to ensure that systems and processes comply with them.

Overall, the Data Privacy Act of 2012 is an essential consideration for computer engineers in designing, developing, and implementing computer systems and networks that protect the privacy of personal information. By incorporating the requirements of the law into their work, computer engineers can help ensure that the systems they build are secure, reliable, and compliant with the law.

What does RA10173 specify?

  1. Personal Information: The law defines personal information as any information that can identify a person, such as name, address, contact number, email address, and biometric data, among others.
  2. Data Subject Rights: The law provides individuals with certain rights with respect to their personal information, including the right to be informed, to access their personal information, to correct inaccurate data, and to object to processing or sharing of their personal information.
  3. Data Privacy Commission: The National Privacy Commission (NPC) is the regulatory body responsible for enforcing the Data Privacy Act. It has the power to investigate complaints, conduct audits, and impose fines and penalties on organizations that violate the law.
  4. Data Protection Measures: The law requires organizations to implement measures to safeguard the confidentiality, integrity, and availability of personal information, and to notify the NPC and affected individuals in case of a data breach.
  5. Cross-Border Data Transfers: The law provides specific requirements for the cross-border transfer of personal information outside the Philippines.
  6. Penalties and Sanctions: Violations of the Data Privacy Act may result in penalties, including fines and imprisonment, depending on the severity of the offense.

The summary of the law

The Data Privacy Act of 2012, also known as Republic Act No. 10173, is composed of 18 sections. The following is a brief summary of each section:

Section 1 – Short Title: This section provides the short title of the law, which is the “Data Privacy Act of 2012.”

Section 2 – Declaration of Policy: This section sets out the policy of the State to protect the privacy of personal information while ensuring the free flow of information for innovation, growth, and national development.

Section 3 – Definition of Terms: This section defines the key terms used in the law, such as personal information, processing, data subject, and consent.

Section 4 – Scope: This section establishes the scope of the law, which applies to the processing of personal information in both the public and private sectors.

Section 5 – Principles of Data Protection: This section sets out the principles of data protection, which include transparency, legitimate purpose, and proportionality.

Section 6 – Sensitive Personal Information: This section provides additional protection for sensitive personal information, such as race, ethnicity, religious beliefs, and health.

Section 7 – Data Privacy Commission: This section establishes the National Privacy Commission (NPC) as the regulatory body responsible for implementing and enforcing the law.

Section 8 – Powers and Functions of the NPC: This section outlines the powers and functions of the NPC, which include receiving complaints, conducting investigations, and imposing fines and penalties for violations of the law.

Section 9 – Appointment and Qualifications of the Commissioner and Members of the Commission: This section sets out the qualifications and appointment process for the Commissioner and members of the NPC.

Section 10 – Term of Office and Tenure of the Commissioner and Members of the Commission: This section establishes the term of office and tenure of the Commissioner and members of the NPC.

Section 11 – Removal and Discipline of the Commissioner and Members of the Commission: This section outlines the grounds for removal and discipline of the Commissioner and members of the NPC.

Section 12 – Office and Personnel: This section provides for the creation of the office of the NPC and the appointment of its personnel.

Section 13 – Funding: This section sets out the funding sources for the NPC.

Section 14 – Relationship with Other Agencies: This section establishes the relationship between the NPC and other government agencies.

Section 15 – Separability Clause: This section provides that if any provision of the law is declared invalid, the remaining provisions shall remain in full force and effect.

Section 16 – Repealing Clause: This section repeals any laws or parts of laws inconsistent with the Data Privacy Act.

Section 17 – Effectivity: This section provides for the effectivity of the law, which took effect on September 8, 2012.

Section 18 – Implementing Rules and Regulations: This section directs the NPC to promulgate the implementing rules and regulations of the law.

Click this link for the complete law – https://www.privacy.gov.ph/data-privacy-act/

Case Study

One example of a case study related to the Data Privacy Act of 2012 involves a data breach that occurred in a Philippine company. In this case, the company had collected and stored personal information, including names, addresses, phone numbers, and email addresses, of its customers in an unsecured database.

Unknown to the company, a hacker gained access to the database and stole the personal information of thousands of customers. The company only discovered the data breach several weeks later when some of the affected customers reported receiving spam emails and phishing attempts.

Upon learning of the data breach, the company immediately reported the incident to the National Privacy Commission (NPC) and notified the affected customers. The company also implemented additional security measures to prevent future data breaches.

The NPC conducted an investigation and found that the company had violated several provisions of the Data Privacy Act, including failing to implement appropriate technical and organizational measures to protect personal information and failing to notify the NPC and affected individuals of the data breach within the required timeframe.

As a result of the violation, the NPC imposed fines and penalties on the company and required it to implement additional data protection measures and submit regular compliance reports to the NPC.

This case study highlights the importance of complying with the Data Privacy Act of 2012 and taking appropriate measures to protect personal information from data breaches. It also demonstrates the role of the NPC in enforcing the law and promoting the responsible handling of personal information by organizations.
