Arguments from different legal bodies and critics are developing due to the value and articulation of data privacy. For some, privacy violations could simply cause annoyances and inconveniences but data privacy matters a lot more than that. As the information technology advances, privacy in one’s personal data is almost impossible to shelter. In some cases, if a party knows a certain expert and has access to good resources, roughly all the information tagged as private can be made available to anybody.
Republic Act 10173, otherwise known as the Data Privacy Act of 2012 aims to minimize if not eliminate the problem to data privacy. This declaration of policy states and acknowledges that even though the free flow of information stimulates innovation and growth, it is vital that personal information in the government’s and private sector’s information and communications systems are secured and protected.
Now, how do we define personal information? It is defined as any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information. It includes facts and figures about a person’s race, ethnic origin, marital status, age, color and religious, philosophical and political affiliations or practically a person’s life story.
It is important to know some of the most significant sections of the law. First is the procedures to be followed in the collection, processing, and handling of personal information; the rights of data subjects; and the creation of a National Privacy Commission. Second is the law requires information collectors, holders, and processors to follow strict rules on transparency, legitimacy, and proportionality in the conduct of their activities.
Part of this is the collection of personal information should be conducted for specific and legitimate purposes determined and declared before, or as soon as reasonably practicable after collection, and later processed in a way compatible with such declared, specified and legitimate purposes only. Accuracy, relevance, and essentiality of purpose must likewise be observed during the collection stage. It is also essential that inaccurate or incomplete data should be corrected, supplemented, destroyed or their further processing restricted.
Any information can be kept as long as needed for the purpose for which it was obtained or for the establishment, exercise or defense of legal claims, or for legitimate business purposes, or as provided by law. If the law does not prohibit and the person who provided the information or data subject has given his consent then, the collected information can be then processed and used. If no such consent is given, the processing can still go on provided it meets the necessity test.
If the subject’s lack of consent takes place, this should not bar the processing if it is related to the fulfillment of a contract with him or in order to take the steps he requested prior to entering into the contract.
The law can also be applied in the following instances: to comply with a legal obligation that the information collector has to obey; to protect the data subject’s vital interests, such as life and health; to respond to the exigencies of a national emergency or public order and security; and to serve the legitimate interests of the entity to which the information has been disclosed as long as no constitutional rights are violated.
There are cases that processing should be allowed to continue even in the face of the data subject’s opposition due to legal considerations either on the part of the data subject or the party that collects the information or in order to serve the greater interests of the public.
This freedom will be moderated by the rights that the law gives to data subjects to protect their privacy. They have the right to know whether their personal information shall be, are being or have been processed. Before a collector keep the the information in their system or use the data for their recurring opportunity, they can demand information about, among others, the purpose for which it is processed, the scope and methodology of the process, the length of information storage, and the identity of the people to whom their personal information shall be disclosed.
In the situation that the data subject discovers that the information stored in the information system is incomplete, outdated, false, unlawfully obtained, used for unauthorized purposes, or no longer necessary, he can demand its withdrawal, blocking or removal of the subject information.
If the harm caused demise, the subject can sue the party involved for whatever damages he may have sustained as a consequence of the mishandling or misuse of his information. The law indicates nine violations that can give rise to fines and prison terms. In what appears to be a concession to inflationary times, except for two offenses, the average fine imposable is a minimum of P500,000 and a maximum of P2,000,000.
The National Privacy Commission still administers and implements this law which shall consist of three members: a Privacy Commissioner who shall act as its chair and two Deputy Privacy Commissioners. The members shall be appointed by the president with three years of terms and may be reappointed for another term of three years. The appointed members should be experts in information and communications technology and data privacy.
To know more about the data privacy act, you may contact Infocentric Solutions Inc. Our hotline is +63(2) 626 3205 or email marketing@centricitgroup.com.