Atty. Rami Hourani
While I do not condone an understanding of the law that is not arrived at after diligent study, I am sympathetic to the needs of businessmen who “just need an idea” of how X or Y law works. The Data Privacy Act of 2012 (Republic Act No. 10173, the DPA) has raised a lot of questions about how the law applies to the data a business handles, so I am putting together this very condensed overview of the Act, along with a few questions you can ask yourself to see whether you are compliant.
Let me get the biggest hurdle out of the way first: does your business collect personal information? If no, congratulations, you are the proud owner of a sari-sari store. If yes, then you are subject to the Data Privacy Act. (There is a bonus requirement: if you process the personal information of 1,000 or more individuals, you also have to register with the National Privacy Commission; the exact registration criteria are set out in the Commission’s circulars, so check the current one.) I know it sounds like a joke, but data is serious business in this day and age.
I think that for a workable understanding of the law you need to divide it into substantive and formal requirements. Omitting a lot of nuance, the substantive requirements govern what actually occurs in the real world, and the formal requirements are the paper requirements that surround those occurrences. A quick and easy example is taxes: the substantive is the money you earn, the formal is the return you file with the BIR stating how much you earned.
In the case of the Data Privacy Act, let’s begin with the substantive. There are three aspects of the Act that have to be taken into consideration when checking whether you are doing enough with regard to the data you process. These are:
- Legitimate Purpose & Proportionality
- Security Measures
- Data Subject Rights
Legitimate Purpose & Proportionality
Legitimate Purpose and Proportionality are two of the three data privacy principles that underpin the Data Privacy Act. They are substantive in nature and so are discussed here. The third, Transparency, is discussed later in the article under the formal requirements.
A common misconception about the Data Privacy Act is that you always need consent. Consent is just one of the lawful bases that authorize the processing of personal information. If you have another legitimate basis for collecting the information, then you do not need to obtain the data subject’s consent before processing it. An easy example is when you need his or her information in order to comply with another legal or government requirement.
The utility of consent, though, is that it is probably your safest justification for processing data at all. People can argue about whether you actually needed this or that piece of information, but if the data subject agreed, that entire discussion becomes moot. Bear in mind that consent under the Act must be freely given, specific and informed, must be evidenced by written, electronic or recorded means, and can be withdrawn, so keep a record of what was agreed to and when.
Proportionality has two components. First, you have a specified purpose for collecting the data. Second, the information you collect is relevant to, and not excessive for, that purpose. If you collect more than you need, you not only run the risk of violating the Data Privacy Act, you also compound the possible damage a data breach could cause: data you never collected cannot be leaked.
Security Measures
In order to understand what kind of security measures you need to implement, you need to know when you stop being responsible for the data in your possession. As a Personal Information Controller (PIC) or a Personal Information Processor (PIP) you are responsible for as long as you are “processing” the data, and processing begins with the collection of the data and ends with its destruction.
I’ll understand if this is not terribly clear or actionable advice, so let us try to visualize the life cycle of data.
- Creation/Collection – Is the data collected in a manner that reduces errors?
- Storage/Transmission – Is access to the data restricted, and is it protected while it moves over a network?
- Use/Distribution – Do the people who use the data understand its sensitivity, and do they see only what their job requires?
- Retention – Is the data stored in an encrypted form? Who has administrator privileges over it, and how long is it kept?
- Disposal/Destruction – Do you periodically and securely wipe the data you no longer need?
If you have concrete, sufficient and actionable plans at each stage to ensure the integrity, confidentiality and availability of the information in your possession, then it can be said that you have sufficient security measures.
Data Subject Rights
People whose data is being processed are entitled to certain things. These are the ones you are responsible for providing:
- Information on the nature and extent of the processing of their data.
- The right to object to the processing, or to the manner in which it is carried out.
- Access to the data of theirs that is being processed.
- The right to correct data that misrepresents facts about them.
- The right to request that the data you hold about them be erased or blocked.
- The right to obtain a copy of their data and transfer it elsewhere (data portability).
If you do not make allowances for these rights, you will be held to account through the two rights that are not in your control: the right to file a complaint and the right to damages.
The formal requirements are the ones a lawyer is most capable of helping with, because there are tangible documents that must be prepared, complied with or submitted. These are:
- Transparency (the privacy notice)
- Data Privacy Officer
- Registration with the National Privacy Commission
Transparency
While Transparency is a general term, it has very specific implications in the context of the Data Privacy Act. Chief among them:
- Privacy Notice – This is an outward-facing document that informs data subjects of the nature and extent of the processing that will be done on the data they provide: what is collected, for what purpose, with whom it is shared, how long it is kept and how they can exercise their rights.
Data Privacy Officer
A Data Privacy Officer is a person appointed by the business to ensure that it complies with the provisions of the DPA. This person typically undergoes training in order to be certified as a Data Privacy Officer. If you have a CTO or an IT department head, they are likely the person best fitted for the role, because they are most capable of combining technical know-how with the requirements they will learn through training; just make sure the role is set up so that the officer can freely raise compliance problems with the very systems they run.
This person will also be the one to undertake a privacy impact assessment, in order to find the pain points in the PIC’s or PIP’s operations that must be improved in order to adequately safeguard data.
Registration with the National Privacy Commission
This is the realm of large companies that process data regularly, or companies that near exclusively deal with data in their day-to-day operations. For such companies the National Privacy Commission is going to be another regulatory body to submit compliance documents to, and the intervention of a lawyer would be necessary for ongoing compliance concerns.
There are a few places where I recurrently see businesses make the same mistakes.
1. Not having privacy notices where they have forms that collect personal information.
2. Having networking infrastructure components (routers, switches, servers) in places where non-employees can physically get at them.
3. Not using encryption, whether for data at rest in storage or for data in transit over the network.
4. Not having a clearly delineated set of personnel with administrator privileges, so that nobody can say who is able to read or alter the data.
These are just a few of the things that jump out at me as clear lapses. You’ll notice that some of these don’t even require legal knowledge to catch.
Because I sought to impart only a working understanding of the law, I consciously departed from the language and enumerations of the Data Privacy Act itself for brevity. If you have questions of a general nature, please leave them in the comments below so I can incorporate them into the article. If, however, you have questions specific to your case, I encourage you to speak with a lawyer.