MANILA – October 10, 2013 – Although far less talked about than the 2012 Cybercrime Prevention Act, the Data Privacy Law is also an important measure that netizens should be aware of, as explained by Atty. JJ Disini of Disini and Disini Law Office at the IMMAP Breakfast Series on October 9.
In a nutshell, the law states that one’s personal information cannot be processed without one’s consent. Under the Data Privacy Law, an individual has the right to control information collected about himself, as well as its use and further disclosure.
Violations of the data privacy law can be a preliminary step toward discrimination, Disini explained. For instance, if a prospective employer gains access to an applicant’s health records, the employer may choose not to consider an applicant with a condition that may cost the company.
Approved in August 2012, the Data Privacy Act paved the way for the creation of a National Privacy Commission, to be the implementing arm.
"Generally, the commission will be mandated to enforce policies that balance the right of the private person to privacy with the need to speed up the utilization of the Internet," Senator Edgardo Angara, who authored and sponsored the bill, said in a press release.
Although the commission has not yet been formed, and the implementing rules and regulations are not yet in order, it is already possible to file a criminal case under the data privacy law, also known as Republic Act 10173.
The data subject has the right to be informed about what personal data is being collected, who has access to it, and the right to correct inaccurate data. Furthermore, the data subject has the right to block data that has been misused, as well as sue for damages.
Disini stressed that the law, like intellectual property laws, is enforced by everyone, not just the government. "The rights are given to us, the data subject. if we want to see this law enforced properly, we have to complain," he said.
Meanwhile, companies must identify a data privacy compliance officer who will comply with data privacy principles, both for personal information as well as sensitive personal information. Personal information includes data found on a raffle ticket or on a government form, while sensitive information includes race, ethnic origin, health, marital status, and even age.
Anonymized information is not governed by the law, unless that anonymized information can be de-anonymized when put together with other information.
Other exceptions to the law are when the data is used for journalistic, artistic, literary or research purposes.
When it comes to collecting data from consumers or clients, companies would do well to get unambiguous consent on record.
"There are things that you need to implement in your own organization to comply with the law. It’s a good idea to get ahead of the game and try to build in some Data Privacy Act compliance to the extent that it’s possible… it will make the compliance process later much easier," Disini said.
The first step, according to Disini, is to gain a sensitivity about what data privacy issues are. "What you will realize is across your organization, every person controls personal information. And every person needs to know how to handle that information properly," he said.
"Data privacy is something that I think is a global debate and by no means a closed discussion. It’s something that not just we here in the Philippines are wrestling with, but it’s also something that is being wrestled with in the first world," said Mike Palacios, IMMAP VP in the welcoming remarks at the event.
"It’s really important from a marketing perspective, because if a brand is all about trust, and it’s not just trust anymore that this brand will take care of you in terms of your consumer needs, but also in terms of your consumer safety, that it will responsibly handle your data," he said.