Personal data protection in the Philippines is governed by the Data Privacy Act of 2012 (“DPA”), and is implemented by rules, regulations and advisories issued by the National Privacy Commission (“NPC”). The NPC, formed in 2016, has the primary focus of ensuring that rights of Philippine data subjects are protected through strict enforcement of Philippine data privacy laws to ensure compliance of public and private entities alike.
For the purpose of enforcing Philippine data privacy laws, the NPC requires registration of entities that are deemed to be Personal Information Controllers (“PICs”) or Personal Information Processors (“PIPs”).
An entity is deemed to have control of personal information, and is referred to as a PIC, if it decides what information is collected, or the purpose or extent of its processing. On the other hand, a person that processes personal data but does not have such control is referred to as a PIP.
Processing refers to any operation or set of operations performed upon personal information, such as but not limited to collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data. A PIC or PIP is required to disclose to its data subjects the specified and legitimate purpose for data collection, which should be processed in a manner that is adequate, relevant, suitable, necessary and not excessive in relation to the purpose of collection.
Sections 46 and 47 of the Implementing Rules and Regulations (“IRR”) of the DPA require a PIC or PIP to register its Data Processing System with the NPC, if:
The registration process involves the designation of a Data Protection Officer (“DPO”) (Phase I) and registration of Data Processing Systems (Phase II). The NPC earlier divided the registration process into two phases and extended the deadline for the more rigorous second phase to 8 March 2018. The first phase, however, already lapsed on 9 September 2017.
Nonetheless, the NPC will continue to accept DPO registration papers from information controllers and processors even after the deadline of Phase I but they will be considered late registrants, and included in the list of priority organizations for a compliance check. In this light, covered clients are urged to register with the NPC their duly appointed DPOs, whose qualifications are provided under NPC Advisory No. 2017-01 (Designation of Data Protection Officers), among which include:
With regard to Phase II, covered entities should be made aware of the impending deadline on 8 March 2018 in order to ensure compliance. Subject to changes and additions that may be imposed by the NPC through subsequent advisories, the IRR of the DPA provides the following information and documents necessary for registration for Phase II:
Aside from the registration of Data Processing Systems, PICs are reminded to submit their 2017 Annual Security Incident Report on or before 31 March 2018. The law does not distinguish as to whether or not the PIC is registered; thus, all PICs must comply with this requirement. PICs must document security incidents (including personal data breaches), which are adverse events that have an impact on the availability, integrity, or confidentiality of personal data, even if these adverse events prove unsuccessful. More particularly, under NPC Circular No. 16-03 on Personal Data Breach Management, the Annual Report should contain general information on the number of incidents and breaches encountered, classified according to their impact on the availability, integrity, or confidentiality of personal data. Currently, there is no format prescribed by the NPC for this document. To submit the 2017 annual report, a PIC may send the Annual Report on or before the deadline via email to *protected email*.
Companies that do not comply with the deadlines may be subject to compliance checks or ultimately, civil or even criminal liability. However, aggressive enforcement is yet to be seen as the NPC cannot prosecute violators of the law for which criminal penalties can be imposed. Under the law, all the NPC can do is to recommend to the Department of Justice (DOJ) the prosecution of crimes and imposition of penalties.
Data privacy regulation is relatively new in the Philippines, which is why compliance with and enforcement of data privacy laws are not yet widely evident in the country. Given the global trend toward enforcing data privacy laws, data privacy compliance gives businesses in the Philippines a competitive edge. According to NPC Commissioner Raymund Liboro, “With ASEAN integration coming up soon, companies in the Philippines need to implement their data protection and data privacy obligations not only to keep their existing clients, but also to assure future growth.”
This alert is for general information only and is not a substitute for legal advice.