(Republic Act No. 10173) Notes
1. The personal data is needed pursuant to a subpoena;
2. The collection and processing are for obvious purposes, including, when it is necessary for the performance of or in relation to a contract or service to which the data subject is a party, or when necessary or desirable in the context of an employer-employee relationship between the collector and the data subject; or
3. The information is being collected and processed as a result of a legal obligation.

c. Right to Access. The data subject has the right to reasonable access to, upon demand, the following:
1. Contents of his or her personal data that were processed;
2. Sources from which personal data were obtained;
3. Names and addresses of recipients of the personal data;
4. Manner by which such data were processed;

(c) The personal data is no longer necessary for the purposes for which they were collected;
(d) The data subject withdraws consent or objects to the processing, and there is no other legal ground or overriding legitimate interest for the processing;
(e) The personal data concerns private information that is prejudicial to data subject, unless justified by freedom of speech, of expression, or of the press or otherwise authorized;
(f) The processing is unlawful;
(g) The personal information controller or personal information processor violated the rights of the data subject.
2. The personal information controller may notify third parties who have previously received such processed personal information.

f. Right to damages. The data subject shall be indemnified for any damages sustained due to such inaccurate, incomplete, outdated, false, unlawfully
obtained or unauthorized use of personal data, taking into account any violation of his or her rights and freedoms as data subject.

Section 35. Transmissibility of Rights of the Data Subject. The lawful heirs and assigns of the data subject may invoke the rights of the data subject to which he or she is an heir or an assignee, at any time after the death of the data subject, or when the data subject is incapacitated or incapable of exercising the rights as enumerated in the immediately preceding section.

Section 36. Right to Data Portability. Where his or her personal data is processed by electronic means and in a structured and commonly used format, the data subject shall have the right to obtain from the personal information controller a copy of such data in an electronic or structured format that is commonly used and allows for further use by the data subject. The exercise of this right shall primarily take into account the right of the data subject to have control over his or her personal data being processed based on consent or contract, for commercial purpose, or through automated means. The Commission may specify the electronic format referred to above, as well as the technical standards, modalities, procedures and other rules for their transfer.

Section 37. Limitation on Rights. The immediately preceding sections shall not be applicable if the processed personal data are used only for the needs of scientific and statistical research and, on the basis of such, no activities are carried out and no decisions are taken regarding the data subject: Provided, that the personal data shall be held under strict confidentiality and shall be used only for the declared purpose. The said sections are also not applicable to the processing of personal data gathered for the purpose of investigations in relation to any criminal, administrative or tax liabilities of a data subject. Any limitations on the rights of the data subject shall only be to the minimum extent necessary to achieve the purpose of said research or investigation.

Section 25. Data Privacy and Security. Personal information controllers and personal information processors shall implement reasonable and appropriate organizational, physical, and technical security measures for the protection of personal data. The personal information controller and personal information processor shall take steps to ensure that any natural person acting under their authority and who has access to personal data, does not process them except upon their instructions, or as required by law.

The security measures shall aim to maintain the availability, integrity, and confidentiality of personal data and are intended for the protection of personal data against any accidental or unlawful destruction, alteration, and disclosure, as well as against any other unlawful processing. These measures shall be implemented to protect personal data against natural dangers such as accidental loss or destruction, and human dangers such as unlawful access, fraudulent misuse, unlawful destruction, alteration and contamination.

Section 26. Organizational Security Measures. Where appropriate, personal information controllers and personal information processors shall comply with the following guidelines for organizational security:

a. Compliance Officers. Any natural or juridical person or other body involved in the processing of personal data shall designate an individual or individuals who shall function as data protection officer, compliance officer or otherwise be accountable for ensuring compliance with applicable laws and regulations for the protection of data privacy and security.

b. Data Protection Policies. Any natural or juridical person or other body involved in the processing of personal data shall implement appropriate data protection policies that provide for organizational, physical, and technical security measures, and, for such purpose, take into account the nature, scope, context and purposes of the processing, as well as the risks posed to the rights and freedoms of data subjects.
1. The policies shall implement data protection principles both at the time of the determination of the means for processing and at the time of the processing itself.
2. The policies shall implement appropriate security measures that, by default, ensure only personal data which is necessary for the specified purpose of the processing are processed. They shall determine the amount of personal data collected, including the extent of processing involved, the period of their storage, and their accessibility.
3. The policies shall provide for documentation, regular review, evaluation, and updating of the privacy and security policies and practices.

c. Records of Processing Activities. Any natural or juridical person or other body involved in the
processing of personal data shall maintain records that sufficiently describe its data processing system, and identify the duties and responsibilities of those individuals who will have access to personal data. Records should include:
1. Information about the purpose of the processing of personal data, including any intended future processing or data sharing;
2. A description of all categories of data subjects, personal data, and recipients of such personal data that will be involved in the processing;
3. General information about the data flow within the organization, from the time of collection, processing, and retention, including the time limits for disposal or erasure of personal data;
4. A general description of the organizational, physical, and technical security measures in place;
5. The name and contact details of the personal information controller and, where applicable, the joint controller, its representative, and the compliance officer or Data Protection Officer, or any other individual or individuals accountable for ensuring compliance with the applicable laws and regulations for the protection of data privacy and security.

d. Management of Human Resources. Any natural or juridical person or other entity involved in the processing of personal data shall be responsible for selecting and supervising its employees, agents, or representatives, particularly those who will have access to personal data. The said employees, agents, or representatives shall operate and hold personal data under strict confidentiality if the personal data are not intended for public disclosure. This obligation shall continue even after leaving the public service, transferring to another position, or upon terminating their employment or contractual relations. There shall be capacity building, orientation or training programs for such employees, agents or representatives, regarding privacy or security policies.

e. Processing of Personal Data. Any natural or juridical person or other body involved in the processing of personal data shall develop, implement and review:
1. A procedure for the collection of personal data, including procedures for obtaining consent, when applicable;
2. Procedures that limit the processing of data, to ensure that it is only to the extent necessary for the declared, specified, and legitimate purpose;
3. Policies for access management, system monitoring, and protocols to follow during security incidents or technical problems;
4. Policies and procedures for data subjects to exercise their rights under the Act;
5. Data retention schedule, including timeline or conditions for erasure or disposal of records.

f. Contracts with Personal Information Processors. The personal information controller, through appropriate contractual agreements, shall ensure that its personal information processors, where applicable, shall also implement the security measures required by the Act and these Rules. It shall only engage those personal information processors that provide sufficient guarantees to implement appropriate security measures specified in the Act and these Rules, and ensure the protection of the rights of the data subject.

Section 27. Physical Security Measures. Where appropriate, personal information controllers and personal information processors shall comply with the following guidelines for physical security:

a. Policies and procedures shall be implemented to monitor and limit access to and activities in the room, workstation or facility, including guidelines that specify the proper use of and access to electronic media;
b. Design of office space and work stations, including the physical arrangement of furniture and equipment, shall provide privacy to anyone processing personal data, taking into consideration the environment and accessibility to the public;
c. The duties, responsibilities and schedule of individuals involved in the processing of personal data shall be clearly defined to ensure that only the individuals actually performing official duties shall be in the room or work station, at any given time;
d. Any natural or juridical person or other body involved in the processing of personal data shall implement policies and procedures regarding the transfer, removal, disposal, and re-use of electronic media, to ensure appropriate protection of personal data;
e. Policies and procedures that prevent the mechanical destruction of files and equipment shall be established. The room and workstation used in the processing of personal data shall, as far as practicable, be secured against natural disasters, power disturbances, external access, and other similar threats.

Section 28. Guidelines for Technical Security Measures. Where appropriate, personal information controllers and personal information processors shall adopt and establish the following technical security measures:

a. A security policy with respect to the processing of personal data;
b. Safeguards to protect their computer network against accidental, unlawful or unauthorized usage, any interference which will affect data integrity or hinder the functioning or availability of the system, and unauthorized access through an electronic network;
c. The ability to ensure and maintain the confidentiality, integrity, availability, and resilience of their processing systems and services;
d. Regular monitoring for security breaches, and a process both for identifying and accessing reasonably foreseeable vulnerabilities in their computer networks, and for taking preventive, corrective, and mitigating action against security incidents that can lead to a personal data breach;
e. The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
f. A process for regularly testing, assessing, and evaluating the effectiveness of security measures;
g. Encryption of personal data during storage and while in transit, authentication process, and other technical security measures that control and limit access.

Section 29. Appropriate Level of Security. The Commission shall monitor the compliance of natural or juridical person or other body involved in the processing of personal data, specifically their security measures, with the guidelines provided in these Rules and subsequent issuances of the Commission. In determining the level of security appropriate for a particular personal information controller or personal information processor, the Commission shall take into account the nature of the personal data that requires protection, the risks posed by the processing, the size of the organization and complexity of its operations, current data privacy best practices, and the cost of security implementation. The security measures provided herein shall be subject to regular review and evaluation, and may be updated as necessary by the Commission in separate issuances, taking into account the most appropriate standard recognized by the information and communications technology industry and data privacy best practices.

Rule VII. Security of Sensitive Personal Information in Government

Section 30. Responsibility of Heads of Agencies. All sensitive personal information maintained by the government, its agencies, and instrumentalities shall be secured, as far as practicable, with the use of the most appropriate standard recognized by the information and communications technology industry, subject to these Rules and other issuances of the Commission. The head of each government agency or instrumentality shall be responsible for complying with the security requirements mentioned herein. The Commission shall monitor government agency compliance and may recommend the necessary action in order to satisfy the minimum standards.

Section 31. Requirements Relating to Access by Agency Personnel to Sensitive Personal Information.

a. On-site and Online Access.
1. No employee of the government shall have access to sensitive personal information on government property or through online facilities unless the employee has received a security clearance from the head of the source agency. The source agency is the government agency who originally collected the personal data.
2. A source agency shall strictly regulate access to sensitive personal information under its custody or control, particularly when it allows online access. An employee of the government shall only be granted a security clearance when the performance of his or her official functions or the provision of a public service directly depends on and cannot otherwise be performed unless access to the personal data is allowed.
3. Where allowed under the next preceding sections,
online access to sensitive personal information shall be subject to the following conditions:
(a) An information technology governance framework has been designed and implemented;
(b) Sufficient organizational, physical and technical security measures have been established;
(c) The agency is capable of protecting sensitive personal information in accordance with data privacy practices and standards recognized by the information and communication technology industry;
(d) The employee of the government is only given online access to sensitive personal information necessary for the performance of official functions or the provision of a public service.

b. Off-site access.
1. Sensitive personal information maintained by an agency may not be transported or accessed from a location off or outside of government property, whether by its agent or employee, unless the head of agency has ensured the implementation of privacy policies and appropriate security measures. A request for such transportation or access shall be submitted to and approved by the head of agency. The request must include proper accountability mechanisms in the processing of data.

requirements in the preceding sections shall be implemented before any off-site or online access request is approved. Any data sharing agreement between a source agency and another government agency shall be subject to review of the Commission on its own initiative or upon complaint of data subject.

Section 33. Applicability to Government Contractors. In entering into any contract with a private service provider that may involve accessing or requiring sensitive personal information from one thousand (1,000) or more individuals, a government agency shall require such service provider and its employees to register their personal data processing system with the Commission in accordance with the Act and these Rules. The service provider, as personal information processor, shall comply with the other provisions of the Act and these Rules, particularly the immediately preceding sections, similar to a government agency and its employees.