Data Protection: Philippines | Practical Law

A Q&A guide to data protection law in the Philippines. This Q&A is part of the PLC multi-jurisdictional guide to data protection law. For a full list of jurisdictional Q&As visit www.practicallaw.com/dataprotectionhandbook.

Practical Law UK Articles 0-503-0761 (Approx. 11 pages)

by Aleli Angela G Quirino and John Paul M Gaba, Angara Abello Concepcion Regala & Cruz Law Offices (ACCRALAW)
Law stated as at 01 Aug 2010
Philippines

Regulation

1. What national law(s) regulate the collection and use of personal data? If applicable, has Directive 95/46/EC on data protection (Data Protection Directive) been implemented?
There is no existing comprehensive legislation on personal data protection or information privacy. Privacy rights are generally considered to be connected with the due process clause of the Constitution.
The right to privacy is closely related to constitutional guarantees granted to individuals:
  • Against unreasonable searches and seizures (section 2, Article III, Constitution).
  • For privacy of communications and correspondence (section 3, Article III, Constitution).
These guarantees serve as safeguards for private citizens against the state's actions, and do not limit private transactions and activities undertaken by non-state entities and individuals in relation to private persons.
There are specific statutory provisions that recognise and safeguard an individual's right to privacy providing a cause of action for damages and for other equitable relief if intrusive acts are committed by private persons. These acts include (Articles 26 and 32, Civil Code):
  • Prying into the privacy of an individual's residence.
  • Meddling with or disturbing the private life or family relations of an individual.
  • Causing an individual to be alienated from his friends.
  • Aggravating or humiliating an individual, on account of his religious beliefs, status in life, place of birth, physical defect, or other personal condition.
  • Infringing an individual's right to be secure in his person, house, papers, and effects against unreasonable searches and seizures.
  • Breaching an individual's privacy of communication and correspondence.
The courts have yet to interpret these privacy provisions in relation to personal data. However, the collection, processing, and use of personal information for commercial and non-commercial purposes without an individual's (data subject's) knowledge and consent can be construed as, and can give rise to, a cause of action for violation of privacy rights.
Specific provisions concerning the right to privacy over information are found in the:
  • Republic Act No. 1405, as amended (Secrecy of Bank Deposits Law).
  • National Internal Revenue Code 1997 in relation to the power of the Commissioner of Internal Revenue to obtain information from certain taxpayers.
  • New Social Security Law in relation to information contained in membership applications.
  • AIDS Prevention and Control Act of 1998.
The Electronic Commerce Act (ECA) imposes a confidentiality obligation on any person who gained lawful access to information covered by or contained in an electronic data message or electronic document (section 32, ECA).
Although the Philippines has not yet enacted comprehensive data protection and privacy legislation, the government can set up and impose regulatory measures on activities relating to the collection, processing and use of personal information through its policing powers. Under Executive Order No. 269, the government created the Commission on Information and Communications Technology (CICT) to play a more proactive role in the information and communications technology industry. The CICT is responsible for creating policies that preserve the rights of individuals to the privacy and confidentiality of their personal information.
There are currently efforts to draft legislation for data protection based on the EU Council Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data (Data Protection Directive).
The Department of Trade and Industry (DTI) issued Department Administrative Order No. 8, Series of 2006 (DTI Guidelines) as guidelines for the protection of personally identifiable data in private sector information and communications systems. These guidelines aim to encourage and provide support to private entities in protecting personal data through policies that are legally compliant and driven by choice, individual empowerment and market-led solutions. The DTI Guidelines are closely based on the Data Protection Directive. They also encourage entities to provide options to consumers or data subjects in relation to the control, confidentiality and anonymity of their personal information.
However, the DTI Guidelines do not impose any mandatory compliance obligations on the data controller and/or data processor. They serve only as a best practice guide and therefore there are no penal or administrative sanctions for breach.
As the DTI Guidelines are the only regulatory measure which deals directly with the protection of personally identifiable information, the chapter focuses on these guidelines.
2. To whom do the rules apply (EU: data controller)?
The DTI Guidelines apply to data protection certifiers. A data protection certifier is an independent third party duly accredited by the DTI Accreditation Office to certify a licensee company's privacy programme, and to monitor and oversee the programme's implementation and enforcement (section 3.6, DTI Guidelines).
A licensee company is any data processor duly certified by the DTI-accredited data protection certifier as having a privacy programme that complies with and meets minimum standards under the DTI Guidelines (section 3.11, DTI Guidelines).
The definitions for data controllers and data processors under the DTI Guidelines are similar to those found in the Data Protection Directive. A data controller is any person who (either alone, jointly or in common with other persons) determines the purposes for which, and the manner in which, any personal data is, or is to be, processed (section 3.4, DTI Guidelines). A data processor is any person (other than the data controller's employee(s)) who processes data on behalf of the data controller (section 3.5, DTI Guidelines).
3. What data is regulated (EU: personal data)?
The DTI Guidelines regulate personal data. Personal data is defined as any information relating to an identified or identifiable natural person (section 3.12, DTI Guidelines). The DTI Guidelines apply to the processing of all types of personal data which (section 2.3, DTI Guidelines):
  • Refers to natural or legal persons.
  • Is of local origin or from foreign countries.
4. What acts are regulated (EU: processing)?
The DTI Guidelines set out minimum standards for the following in relation to personal data:
  • Collection.
  • Processing.
  • Disclosure.
  • Storage.
5. What is the jurisdictional scope of the rules?
The DTI Guidelines apply to the following parties situated in the Philippines:
  • Data processors.
  • Data controllers.
  • Data protection certifiers.
  • Licensee companies.
6. What are the main exemptions (if any)?
There are no exemptions to the DTI Guidelines because compliance is not mandatory (see Question 1).
7. Is notification or registration required before processing data? If so, please provide brief details.
Although the DTI Guidelines are not mandatory, they set out criteria which are considered to make the processing of personal data lawful, including that (section 4.2, DTI Guidelines):
  • The data subject has given his unambiguous consent to the processing.
  • The personal data processing results from the data subject's contractual obligations.
  • The data processing is necessary to a data controller for the performance of his lawful obligations. In this case, the processing is only permitted to the extent necessary to fulfil the parties' intentions.
  • The data processing is necessary to protect vitally important interests of the data subject, including life and health.
These criteria are similar to those in Article 7 of the Data Protection Directive.

Main data protection rules and principles

8. What are the main obligations imposed on data controllers to ensure that data is processed properly?
The general principles in relation to protection of personal data are that personal data must be (section 4.1, DTI Guidelines):
  • Collected for specified and legitimate purposes determined before collecting personal data and later processed compatibly with those purposes.
  • Processed accurately, fairly, and lawfully.
  • Accurate, and, where necessary for the processing of personal data, kept up to date. Inaccurate or incomplete data must be rectified, supplemented, destroyed or its further processing restricted.
  • Identical, adequate and not excessive in relation to the purposes for which it is collected and processed.
  • Kept in a form which only allows identification of the data subjects for as long as is necessary for the purposes for which the data was collected and processed.
This provision of the DTI Guidelines is similar to Article 6 of the Data Protection Directive.
9. Is the consent of data subjects required before processing personal data? If so:
  • What rules are there concerning the form and content of consent? Does online consent suffice?
  • Are there any special rules concerning consent by minors?
Consent of the data subjects is generally not an indispensable requirement (see Question 7), provided that both (section 4.2, DTI Guidelines):
  • Consent is not required by other existing laws or regulations.
  • One of the following applies:
    • the personal data processing results from contractual obligations of the data subject;
    • the data processing is necessary to a data controller for the performance of his lawful obligations, but in these cases, the processing is only permitted to the extent necessary to fulfil the parties' intentions; or
    • the data processing is necessary to protect vitally important interests of the data subject, including life and health.
10. If consent is not given, on what other grounds (if any) can processing be justified?
Consent is required before the processing of personal data, provided that certain conditions exist (see Questions 7 and 9).
11. Do special rules apply for certain types of personal data, for example sensitive data? If so, please provide brief details.
Apart from the DTI Guidelines, there are provisions in other local laws which regulate an individual's right to privacy over specific types of information (see Question 1).

Secrecy of Bank Deposits Law

The Secrecy of Bank Deposits Law (SBDL) generally prohibits the unwarranted disclosure and/or use of information in relation to bank depositors. However, the SBDL provides for several exceptions as a result of recent amendments, including in the following circumstances:
  • With the depositor's written permission.
  • In cases of impeachment (section 2, SBDL; Joseph Victor G. Ejercito v Sandiganbayan, G.R. Nos. 157294-95, 30 November 2006).
  • By court order:
    • in cases of bribery and dereliction of duty of public officials (section 2, SBDL; Joseph Victor G. Ejercito v Sandiganbayan, G.R. Nos. 157294-95, 30 November 2006);
    • in cases of unexplained wealth under the law against anti-graft and corrupt practices (or Republic Act No. 3019) (Philippine National Bank v Gancayco, G.R. No. L-18343, 30 September 1965, 15 SCRA 91);
    • made on request of the Ombudsman (Marquez v Desierto, G.R. No. 135882, 27 June 2001, 359 SCRA 772);
    • made through a request of the Anti-Money Laundering Council in connection with an investigation of a money laundering transaction (Republic Act No. 9160, as amended by Republic Act No. 9194).
  • When money deposited or invested is the subject matter of litigation (Mellon Bank v Magsino, G.R. No. 71479, 18 October 1990, 190 SCRA 633).
  • By order of the Commissioner of Internal Revenue:
    • for the purpose of determining the gross estate of a deceased person (Republic Act No. 8424, §6F);
    • in relation to a taxpayer who has filed an application to compromise tax liability by reason of financial incapacity (Republic Act No. 8424, §6F).

National Internal Revenue Code

The National Internal Revenue Code gives the Commissioner of Internal Revenue the power to obtain information to:
  • Review the accuracy of a tax return.
  • Determine tax liability when no return has been filed.
  • Evaluate tax compliance.
The Commissioner can obtain this information by examining any record, book or material relevant to his inquiry, or from any person other than the taxpayer under investigation.

Social Security System Law

Republic Act No. 8282 (the new Social Security System Law (SSS Law)) imposes on the SSS the obligation to keep information given by SSS members or by their employers in their records and reports confidential except in compliance with a court subpoena (section 24(c), SSS Law).

AIDS Prevention and Control Act of 1998

This law was enacted to provide a legal framework to safeguard the rights of persons afflicted with AIDS, particularly their basic human rights and civil liberties, which include the right to privacy.
The law has established anonymous HIV testing which requires all hospitals, clinics, laboratories, and testing centres for HIV/AIDS to adopt measures that will assure the confidentiality of all relevant medical records and data. In addition, the following parties must strictly observe confidentiality in handling medical records, files or data, particularly the identity and status of persons with HIV/AIDS:
  • All health professionals and workers.
  • Employers.
  • Recruitment agencies.
  • Insurance companies.
  • Data encoders.
  • Other custodians of medical records, files, or data.
Only the following parties are authorised to receive the results of an HIV/AIDS test:
  • The person who submitted himself to the test.
  • Either parent of a minor child who has been tested.
  • A legal guardian in case of persons of mental incapacity or orphans.
  • A person authorised to receive such results in conjunction with the AIDSWATCH program.
  • A justice of the Court of Appeals or the Supreme Court under certain conditions.

Rights of individuals

12. What information should be provided to data subjects at the point of collection of the personal data?
The DTI Guidelines are silent concerning the types of information that a data controller should provide to data subjects at the point of collection of the personal data. However, at the point of processing of personal data, the data subject has the right to be informed by the data controller that his personal data is being processed (section 4.5, DTI Guidelines).
13. What other specific rights (such as a right of access to personal data or the right to object to processing) are granted to data subjects?
The DTI Guidelines outline the rights granted to data subjects.

Right to be informed

A data subject also has the right to request the following information (section 4.6, DTI Guidelines):
  • The designation, or name and surname, and address of the data controller.
  • The purpose, scope, and method of the personal data processing.
  • The date when the personal data concerning the data subject was last rectified.
  • The source from which the personal data was obtained unless the disclosure of this information is legally prohibited.
  • The processing methods used for the automated processing systems, concerning the application of which individual automated decisions are taken.

Right to access personal data

Within 30 days from the submission date of the relevant request, the data subject has the right to receive the information details in section 4.6 of the DTI Guidelines from the data controller or data processor (section 4.7, DTI Guidelines).

Right to request rectification, destruction, and restriction of personal data

The data subject can request that his personal data be supplemented or rectified, for its processing to be suspended, or for data to be destroyed, if a data subject's personal data is (section 4.8.1, DTI Guidelines):
  • Incomplete.
  • Outdated.
  • False.
  • Unlawfully obtained.
  • No longer necessary for the purposes for which it was collected.

Right to object

The data subject has the right to object to the processing of his personal information when the data will be used for commercial purposes (section 4.9, DTI Guidelines).

Security requirements

14. What security requirements are imposed in relation to personal data?
The data controller and data processor must implement appropriate organisational and technical measures to protect personal data from (section 8.1, DTI Guidelines):
  • Accidental or unlawful:
    • destruction;
    • alteration;
    • disclosure.
  • Other unlawful processing.
These measures must ensure an appropriate level of security.
The DTI Guidelines do not set out specific security requirements for the protection of personal data.

Processing by third parties

15. What additional requirements (if any) apply where a third party processes the data on behalf of the data controller?
The data controller can allow a data processor to process personal data provided that:
  • There is a written contract between the parties.
  • The data processor only processes the personal data within the scope determined in the written contract.
  • Before commencing data processing operations, the data processor performs safety measures determined by the data controller.

International transfer of data

16. What rules regulate the transfer of data outside your jurisdiction?
There are currently no rules that regulate the transfer of data outside the Philippines.
17. Are data transfer agreements contemplated or in use? Have any standard forms or precedents been approved by national authorities?
There are currently no standard-form data transfer agreements approved by national authorities.
18. Is a data transfer agreement sufficient to legitimise transfer, or must additional requirements (such as the need to obtain consent) be satisfied?
There is no legislation or guidance on data transfer agreements legitimising transfer.
19. Does the relevant national regulator need to approve the data transfer agreement? If so, please provide brief details.
There is no legislation or guidance on national regulator approval.

Enforcement and sanctions

20. What are the enforcement powers of the national regulator?
The DTI Guidelines are not mandatory obligations (see Question 1). The powers granted by the DTI Guidelines to the Accreditation Office therefore do not include sanctions against entities that do not submit themselves to voluntary accreditation; they are limited to those entities that have sought voluntary accreditation of their respective privacy policies and programmes.
21. What are the sanctions and remedies for non-compliance with data protection laws? To what extent are the laws actively enforced?

The regulatory authority

Department of Trade & Industry (DTI) Accreditation Office

Main areas of responsibility. The DTI Accreditation Office has the following main areas of responsibility:
  • Receiving and processing applications for voluntary accreditation.
  • Organising the assessment of applicants.
  • Maintaining and publishing a registry of duly accredited bodies, and a list of accredited data protection certifiers.
  • Issuing accreditation certificates.
  • Suspending or revoking accreditation for non-compliance with the accreditation terms and conditions.
  • Establishing and updating criteria for accreditation.
  • Receiving and investigating complaints against licensee companies and data protection certifiers.

Contributor details

Aleli Angela G Quirino
Angara Abello Concepcion Regala & Cruz Law Offices (ACCRALAW)
T +632 830 8000
F +632 403 7007
E [email protected]
W www.accralaw.com
Areas of practice/expertise. Ms Quirino obtained her AB and BSE degrees magna cum laude from Assumption College and graduated from the Ateneo de Manila University School of Law with a Bachelor of Laws degree (honors). The main focuses of her practice are in the areas of intellectual property (trade marks and copyright), licensing and franchising, and business law. She is consistently cited as a leading IP lawyer in Asia in various international publications.
John Paul M Gaba
Angara Abello Concepcion Regala & Cruz Law Offices (ACCRALAW)
T +632 830 8000
F +632 403 7009
E [email protected]
W www.accralaw.com
Areas of practice/expertise. Mr Gaba obtained his BA (with a major in Public Administration) (cum laude) and Bachelor of Laws degrees from the University of the Philippines. His practice areas are trade marks, copyright, and cyberspace and IT law. He is actively involved in legislative and regulatory advocacy work with the Supreme Court and other government agencies, particularly with the drafting of rules on electronic filing, electronic notarisation and cybercrime legislation.