Different laws. Different purposes. Different interpretations.

Data Privacy Act of 2012. Are all Filipinos aware that this law is existing? If yes, do they all have the same interpretation and understanding? Or at the back of their minds there are still things they want to clarify? Grey areas. Something doubtful. Something indefinite. Something debatable. All of us have different queries in our minds, the WH questions (What, When, Where, Why) and How. The State provides protection for their citizens and Republic Act 10173 is one of the said laws which aims to give importance to an individual’s privacy. Scrutinizing the provisions of this act can help us to understand it from different aspects.

It is stated in the 1987 Constitution of the Philippines, Article III, Section 3 (1) that:

  1. The privacy of communication and correspondence shall be inviolable except upon lawful order of the court, or when public safety or order requires otherwise, as prescribed by law.[1]

It is clearly said that there is really no other way where the privacy of communication can be accessed or intervene with without seeking for a court order or if it not detrimental to the safety of the public. Thus, this same provision can be associated to the Data Privacy Act. Will a person who is capable of accessing the said flow of communication be held liable if the only thing he did is to monitor the in-out activity of someone? There are really a lot of things to be consider to weigh someone’s liability.

First Grey Area

In connection with the Section 3, paragraph (g), (h) and (i) of the Data Privacy Act

(g) Personal information refers to any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.[2]

(h) Personal information controller refers to a person or organization who controls the collection, holding, processing or use of personal information, including a person or organization who instructs another person or organization to collect, hold, process, use, transfer or disclose personal information on his or her behalf. The term excludes:

(1) A person or organization who performs such functions as instructed by another person or organization; and

(2) An individual who collects, holds, processes or uses personal information in connection with the individual’s personal, family or household affairs.[3]

(i) Personal information processor refers to any natural or juridical person qualified to act as such under this Act to whom a personal information controller may outsource the processing of personal data pertaining to a data subject.[4]

In an ordinary setting in the Human Resource Department of a company, there is someone who has all the access in the personal information of all the employees of the company. And here comes someone who is not part of the company and went to the HR Department to inquire about an employee working in that company who happens to have a debt on him. The HRD employee since he was asked to give away contact details of a certain employee gave all the possible contact details written on the employees’ company file to the one inquiring. Here comes the question, Is that HRD employee can be held liable for giving away personal information?

The answer would be yes. First of all, the personal information of anyone working in that company should be confidential and should be only accessible to some people who were also acting in behalf of their connection in the company itself. Personal matters like in the case given where the reason for getting the information is just to be able to collect sum of money due to a loan made by the employee should not be entertained. As someone who could be able to access the information must strictly follow the confidentiality code being promulgated in your company.

Second Grey Area

We all know that in the world of medicine, a doctor-patient relationship is strictly respected. Is inquiring for one’s own health can be violative to the part of the patient? Data Privacy Act of 2012, Section 3, paragraph l (2) can give us a view.

(l) Sensitive personal information refers to personal information:

(2) About an individual’s health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings;[5]

A health of a person is a sensitive information. Inquiring for it can be only obtained if there is a direct order from the court where the physician may be invited during hearing or trials to testify or give clarification and knowledge about the health condition of someone. The reason behind this is to give the court plain but detailed information about the condition of the party involved. But if suddenly someone called a doctor and ask for every details of the condition of his patient in exchange for an amount of money, can the physician be held liable?

Well, the answer would be a yes. Why? First, the doctor did not respect the doctor-patient relationship by not keeping all the medical information confidential. Second, he accepted money in exchange for the information and Lastly, the one who inquires and offered the money including the doctor acted in bad faith by talking about the sensitive information without getting consent to the aggrieved party. If the information will be only use to damage or malign the reputation of someone who is suffering from illness, that person should be held liable.

Lawful Processing of Personal Information: Processing of personal information is permitted when at least one of the following conditions exist:

  1. the data subject has given consent;

  2. the processing is necessary and is related to the fulfillment of a contract with the data subject;

  3. the processing in necessary to comply with a legal obligation;

  4. the processing is necessary to protect vitally important interests of the data subject, including life and health;

  5. the processing is necessary to respond to a national emergency, to comply with the requirements of public order and safety, or to fulfill functions of public authority; or

  6. the processing is necessary for purposes of legitimate interests pursued by the personal information controller.[6]

All of us want to maintain our private life. There are things which we avoid others to know and the primary reason for it is probably for security. If we would give away information about other people, we should also consider the pros and cons of our action. We must seek first for their consent before giving their personal information to others. It is like putting ourselves in their shoes. What we would feel if others will just transfer or share our personal information to other people without even notifying us if we are willing to share those stuffs to others.

Third Grey Area

Let us connect the data privacy act on a scenario at school, wherein a student seeks help from the guidance counselor. Then here comes another student who happens to be his enemy and at the same time a student assistant of the guidance counselor. Upon the said session, the guidance counselor handed over a detailed assessment including the personal information of the student to the student assistant for the latter to encode and be recorded. To seek for revenge or other bad motives, he photocopied the said documents and used it to get even by circulating the assessment including the information about the parents, educational standing and even the psychiatric assessment. Now, the question would be who can be held liable? Can the guidance counselor be also held liable?

The guidance counselor is the one who made the assessment with the consent of the student who sought for her professional help. Therefore, she has the responsibility to keep that information. There is a presumption that due diligence must be observe at all times. Knowing a regular school scenario about bullying and different relationship among the students, a strict method in keeping everything private must always be a top priority. The interest of the alleged aggrieved party must be put into consideration and intentions and motives of the alleged offender must be assessed based on the extent of the damage of the actions they chose to perform.

Responsibilities of a Personal Information Controller: A personal information controller refers to a person or organization that controls the collection, holding or processing of personal information (as opposed to a service provider, referred to in the Act as a “personal information processor”). Personal information controllers are required to implement the fair information principles. Personal information controllers are further required to notify the Commission and affected data subjects upon reasonable belief that personal information which may be used to enable identity fraud have been acquired by an unauthorized person. [7]

Unauthorized acquisition of information may be considered as fraud since it is a dishonest method to take something important like the personal information from another person. If a data controller finds out there was an unauthorized obtaining of information, he or she must immediately inform the commission. The commission in this act refers to the National Privacy Commission. To understand further the function of the said commission, we should have to take a look at Section 7 of Republic Act 10173.

SEC. 7. Functions of the National Privacy Commission. – To administer and implement the provisions of this Act, and to monitor and ensure compliance of the country with international standards set for data protection, there is hereby created an independent body to be known as the National Privacy Commission, winch shall have the following functions:

(a) Ensure compliance of personal information controllers with the provisions of this Act;

(b) Receive complaints, institute investigations, facilitate or enable settlement of complaints through the use of alternative dispute resolution processes, adjudicate, award indemnity on matters affecting any personal information, prepare reports on disposition of complaints and resolution of any investigation it initiates, and, in cases it deems appropriate, publicize any such report: Provided, That in resolving any complaint or investigation (except where amicable settlement is reached by the parties), the Commission shall act as a collegial body. For this purpose, the Commission may be given access to personal information that is subject of any complaint and to collect the information necessary to perform its functions under this Act;

(c) Issue cease and desist orders, impose a temporary or permanent ban on the processing of personal information, upon finding that the processing will be detrimental to national security and public interest;

(d) Compel or petition any entity, government agency or instrumentality to abide by its orders or take action on a matter affecting data privacy;

(e) Monitor the compliance of other government agencies or instrumentalities on their security and technical measures and recommend the necessary action in order to meet minimum standards for protection of personal information pursuant to this Act;

(f) Coordinate with other government agencies and the private sector on efforts to formulate and implement plans and policies to strengthen the protection of personal information in the country;

(g) Publish on a regular basis a guide to all laws relating to data protection;

(h) Publish a compilation of agency system of records and notices, including index and other finding aids;

(i) Recommend to the Department of Justice (DOJ) the prosecution and imposition of penalties specified in Sections 25 to 29 of this Act;

(j) Review, approve, reject or require modification of privacy codes voluntarily adhered to by personal information controllers: Provided, That the privacy codes shall adhere to the underlying data privacy principles embodied in this Act: Provided, further, That such privacy codes may include private dispute resolution mechanisms for complaints against any participating personal information controller. For this purpose, the Commission shall consult with relevant regulatory agencies in the formulation and administration of privacy codes applying the standards set out in this Act, with respect to the persons, entities, business activities and business sectors that said regulatory bodies are authorized to principally regulate pursuant to the law: Provided, finally. That the Commission may review such privacy codes and require changes thereto for purposes of complying with this Act;

(k) Provide assistance on matters relating to privacy or data protection at the request of a national or local agency, a private entity or any person;

(l) Comment on the implication on data privacy of proposed national or local statutes, regulations or procedures, issue advisory opinions and interpret the provisions of this Act and other data privacy laws;

(m) Propose legislation, amendments or modifications to Philippine laws on privacy or data protection as may be necessary;

(n) Ensure proper and effective coordination with data privacy regulators in other countries and private accountability agents, participate in international and regional initiatives for data privacy protection;

(o) Negotiate and contract with other data privacy authorities of other countries for cross-border application and implementation of respective privacy laws;

(p) Assist Philippine companies doing business abroad to respond to foreign privacy or data protection laws and regulations; and

(q) Generally perform such acts as may be necessary to facilitate cross-border enforcement of data privacy protection. [8]

By scrutinizing the said provision of the Data Privacy Act, the citizens would be able to understand and determine when to consult or seek help from the National Privacy Commission. Grey areas can somehow be avoided since the said commission is present to analyze and determine whether there is/are a violated right or rights and who are among the persons involved can be held liable. Nevertheless, all are expected to become not just a responsible citizen but also a respectable and dignified citizen of our country.

To end this, a simple quotation from Benjamin Franklin can help us realize the real essence of privacy “They who can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety.” [9]




[3] Ibid.

[4] Ibid.

[5] Ibid.


[7] Ibid.




One thought on “DATA PRIVACY ACT OF 2012: GREY AREAS

  1. Pingback: Students’ Take: MCPIF (SB 53), Data Privacy Act (RA 10173) | Berne Guerrero

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s