(Republic Act No. 10173) Notes


[REPUBLIC ACT NO. 10173] h.

Filing system - any act of information relating to


Section 1 - Title natural or juridical persons to the extent that,
 “Implementing Rules and Regulations of the Data although the information is not processed by
Privacy Act of 2012”, or the “Rules”. equipment operating automatically in response to
 “Data Privacy Act of 2012” instructions given for that purpose, the set is
Section 2 - Policy structured, either by reference to individuals or
These Rules by reference to criteria relating to individuals, in
 further enforce the Data Privacy Act and such a way that specific information relating to a
 adopt generally accepted international principles particular person is readily accessible.
and standards for personal data protection. (A juridical person is a non-human legal entity, in
These Rules & The State other words any organization that is not a single
 safeguard or to protect the fundamental human natural person but is authorized by law with duties
right of privacy, of communication while and rights and is recognized as a legal person and
ensuring free flow of information as having a distinct identity.)
→ to promote innovation, growth & national i. Information and Communications System - a
development system for
 recognizes the  generating,  receiving,
 vital role of ICT in nation-building and its  sending,  storing or processing
 inherent obligation to ensure that PI in ICS in the electronic data messages or electronic documents
government and in the private sector are and includes the computer system or other similar
secured and protected. device by or which data is recorded, transmitted or
Section 3. Definitions stored
a. Act - RA 10173 OR DPA 2012 and any procedure related to the recording,
transmission or storage of electronic data, electronic
b. Commission - National Privacy Commission message, or electronic document.
created by virtue of this Act. j. Personal data - all types of personal information
c. Consent of the data subject k. Personal data breach - a breach of security
 freely given, leading to the:
 specific, indication of will → accidental or personal data
 informed → unlawful destruction, transmitted,
- the data subject agrees to the collection & → loss, stored, or
processing of PI about and/or relating to him/her. → alteration, otherwise
Evidenced → unauthorized disclosure of, processed;
 written  be given on behalf of the data → or access to,
 electronic subject by an agent specifically l. Personal information - any information whether
 recorded means authorized by the data subject to do so.  recorded in a material form or not, from
which the identity of an individual is apparent or
d. Data subject - individual whose personal,
 can be reasonably and directly ascertained by
sensitive personal or privilege information is
the entity holding the information, or
processed.
 when put together with other information
e. Data processing systems - the structure and
would directly and certainly identify an individual.
procedure by which personal data is collected
m. Personal information controller - a person or
and further processed in an ICS or relevant filing
organization who controls the collection, holding,
system, including the purpose and intended
processing or use of PI
output of the processing
Include: a person/organization who instructs
f. Data sharing - is the disclosure or transfer to a
another on his or her behalf.
third party of personal data under the custody of
Excludes:
a PIC/PIP.
(1) A person/organization who performs such
 If PIP- such disclosure /transfer must have been
functions as instructed by another person and
upon the instructions of the PIC concerned.
(2) An individual who collects, holds, processes or
 The term excludes outsourcing, or the disclosure
uses personal information in connection with the
or transfer of personal data by a PIC to a PIC
individual’s personal, family or household affairs.
g. Direct marketing - communication by whatever
*There is control if the natural or juridical person or
means of any advertising or marketing material
any other body decides on
which is directed to particular individuals.
 what information is collected, or
 the purpose or s. Security incident - an event/occurrence that
 extent of its processing; affects(tends)data protection,/may compromise
n. Personal information processor- any natural or the availability, integrity and confidentiality of
juridical person qualified to act as such under personal data.
this Act to whom a PIC may outsource or Includes incidents that’d result to personal data breach,
instruct the processing of personal data if not for safeguards that have been put in place;
pertaining to a data subject. t. Sensitive personal information - to PI
How does a personal information processor differ from (1) About an individual’s
a controller? A personal information processor is any
 race,  health,
individual or legal entity subcontracted by the controller
 ethnic origin,  education,
to process personal data. Personal information processors
are technical partners that are assigned to carry out  marital status,  genetic/sexual life,
specific tasks related to the purposes of the controller’s  age,  any proceeding for any
data processing. While they may possess the methods and  color, offense committed or
technologies to carry out the work, they have no control  Affiliations alleged
over the data or the purpose and means of its processing. (religious,  the disposal/sentence
Why is it important to distinguish between the philosophical or
political)
of such proceedings,
controller and processor roles? so that involved parties
are clearly informed of their roles. The data controller (2) Issued by government agencies peculiar to an
and the data processor each have distinct responsibilities, individual which includes, but not limited to, social
obligations, and limitations when it comes to handling security numbers, previous or current health
personal information. The clear delineation of roles records, licenses or its denials, suspension or
protects all involved parties from liability in problematic
revocation, and tax returns; and
situations, such as a data breach. Individuals and
(3) Specifically established by an executive order or
companies that strictly adhere to their roles as stipulated
in the Data Privacy Act will encounter no legal an act of Congress to be kept classified.
repercussions. Section 4 - Scope
o. Processing - any operation/s performed upon PI This Act applies to the processing of all types of
including, but not limited to, the personal information to any natural and juridical
 collection,  retrieval, person involved in personal information processing
 recording,  organization, including those PIC & PIP who, although not found
 storage,  updating or modification, or established in the Philippines, use equipment that
 consultation,  use, are located in the Philippines, or those who maintain
 consolidation,  blocking, an office, branch or agency in the Philippines subject
 erasure or destruction of data. to the immediately succeeding paragraph: Provided,
( Whenever your information is, among other things, That the requirements of Section 5 are complied
collected, modified, or used for some purpose, processing with.
already takes place.) This Act does not apply to the following:
p. Profiling - any form of automated processing of (a) Information about any individual who is or was
personal data consisting of the use of personal an officer or employee of a government institution
data to: that relates to the position or functions of the
 evaluate certain personal aspects individual, including:
 analyze/predict aspects of that natural person's (1) The fact that the individual is or was an officer or
 performance at work,  interests, employee of the government institution;
 economic situation,  reliability, (2) The title, business address and office telephone
 health,  behavior, number of the individual;
 personal preferences,  location/movements; (3) The classification, salary range and
q. Privileged information - any & all forms of data responsibilities of the position held by the
which under the Rules of Court &other pertinent individual; and
laws constitute privileged communication. (4) The name of the individual on a document
(One such example would be any information given by a prepared by the individual in the course of
client to his lawyer. Such information would fall under employment with the government;
attorney-client privilege and would, therefore, be (b) Information about an individual who is or was
considered privileged information.)
performing service under contract for a
r. Public authority - any government entity created
government institution that relates to the services
by the Constitution or law, and vested with law
performed, including the terms of the contract, and
enforcement or regulatory authority & functions
the name of the individual given in the course of the
performance of those services; Rules do not extend to PIC/PIP, who remain subject
(c) Information relating to any discretionary benefit to the requirements of implementing security
of a financial nature such as the granting of a license measures for personal data protection: Provided
or permit given by the government to an individual, further, that the processing of the information
including the name of the individual and the exact provided in the preceding paragraphs shall be
nature of the benefit; exempted from the requirements of the Act only to
Provided, that they do not include benefits given in the minimum extent necessary to achieve the
the course of an ordinary transaction or as a matter of specific purpose, function, or activity.
right;
Protection afforded to Data Subjects.
(d) Personal information processed for journalistic, a. Unless directly incompatible or inconsistent with
artistic, literary the preceding sections in relation to the purpose,
*to uphold freedom of speech, of expression, or of the function, or activities the non-applicability concerns,
press, subject to requirements of other applicable law the PIC/PIP shall:
or regulations;  uphold the rights of data subjects, and
or research purposes; intended for a public benefit  adhere to general data privacy principles and
(e) Information necessary in order to carry out the  the requirements of lawful processing.
functions of public authority which includes the b. The burden of proving that the Act and these
processing of personal data for the performance by Rules are not applicable to a particular information
the independent, central monetary authority and falls on those involved in the processing of personal
law enforcement and regulatory agencies of their data or the party claiming the non-applicability.
constitutionally and statutorily mandated functions. c. In all cases, the determination of any exemption
Nothing in this Act shall be construed as to have shall be liberally interpreted in favor of the rights and
amended or repealed interests of the data subject.
RA 1405- Secrecy of Bank Deposits Act - prohibits (Liberal interpretation-interpretation agreeing to what
the disclosure of, or inquiry into, all deposits in the reader believes the author reasonably intended)
banks and banking institutions in the Philippines SEC. 5. Protection Afforded to Journalists and Their
RA 6426 -Foreign Currency Deposit Act - to protect Sources. – Nothing in this Act shall be construed as to
foreign currency deposits in order to encourage an have amended or repealed the provisions of Republic
inflow of foreign capital necessary for our country's Act No. 53, which affords the publishers, editors or
industries. The law allows foreign currencies to be duly accredited reporters of any newspaper,
incorporated into the national reserve. magazine or periodical of general circulation
RA 9510- Credit Information System Act - to protection from being compelled to reveal the source
receive and consolidate basic credit data, to act as a of any news report or information appearing in said
central registry or central repository of credit publication which was related in any confidence to
information, and to provide access to reliable, such publisher, editor, or reporter.
standardized information on credit history and Publishers, editors, or duly accredited reporters who
financial condition of borrowers are likewise PIC/PIP within the meaning of the law
(f) Information necessary for banks and other are still bound to follow the Data Privacy Act and
financial institutions under the jurisdiction of the related issuances with regard to the processing of
independent, central monetary authority or BSP to personal data, upholding rights of their data subjects
comply with RA 9510, and RA 9160, Anti-Money and maintaining compliance with other provisions
Laundering Act and other applicable laws; that are not incompatible with the protection provided
(g) Personal information originally collected from by Republic Act No. 53.
residents of foreign jurisdictions in accordance SEC. 6. Extraterritorial Application. – This Act
with the laws of those foreign jurisdictions, applies to an act done or practice engaged in and
including any applicable data privacy laws, which outside of the Philippines by an entity if:
is being processed in the Philippines. (a) The act, practice or processing relates to personal
The burden of proving the law of the foreign information about a Philippine citizen or a resident;
jurisdiction falls on the person or body seeking (b) The entity has a link with the Philippines, and
exemption. In the absence of proof, the applicable the entity is processing personal information in
law shall be presumed to be the Act and these the Philippines or even if the processing is outside
Rules: the Philippines as long as it is about Philippine
citizens or residents such as, but not limited to,
Provided, that the non-applicability of the Act or these the following:
(1) A contract is entered in the Philippines; 6) Ensuring proper and effective coordination with
(2) A juridical entity unincorporated in the data privacy regulators in other countries and
Philippines but has central management and control private accountability agents; (SEC.7n)
in the country; and 7) Participating in international and regional
(3) An entity that has a branch, agency, office or initiatives for data privacy protection. (SEC.7n)
subsidiary in the Philippines and the parent or b. Advisory. The Commission shall be the advisory
affiliate of the Philippine entity has access to body on matters affecting protection of personal data.
personal information; and This includes:
(c) The entity has other links in the Philippines such 1) Commenting on the implication on data privacy
as, but not limited to: of proposed national or local statutes, regulations
(1) The entity carries on business in the Philippines; or procedures, issuing advisory opinions, and
(2) The personal information was collected or held interpreting the provisions of the Act and other
by an entity in the Philippines. data privacy laws; (SEC.7L)
2) Reviewing, approving, rejecting, or requiring
The National Privacy Commission is an independent modification of privacy codes voluntarily adhered
body mandated to administer and implement the Act, to by personal information controllers, which may
and to monitor and ensure compliance of the country include private dispute resolution mechanisms
with international standards set for personal data for complaints against any participating personal
protection. information controller, and which adhere to the
Functions. underlying data privacy principles embodied in
A. Rule Making. The Commission shall develop, the Act and these Rules; (SEC.7j)
promulgate, review or amend rules and regulations 3) Providing assistance on matters relating to
for the effective implementation of the Act. This privacy or data protection at the request of a
includes: national or local agency, a private entity or any
1) Recommending organizational, physical and person, including the enforcement of rights of
technical security measures for personal data data subjects; (SEC.7k)
protection, encryption, and access to sensitive 4) Assisting Philippine companies doing business
personal information maintained by government abroad to respond to data protection laws and
agencies, considering the most appropriate regulations. (SEC.7p)
standard recognized by the information and c. Public Education. The Commission shall undertake
communications technology industry, as may be necessary or appropriate efforts to inform and educate
necessary; (SEC.22) the public of data privacy, data protection, and fair
2) Specifying electronic format and technical information rights and responsibilities. This includes:
standards, modalities and procedures for data Publishing, on a regular basis, a guide to all laws
portability, as may be necessary; (SEC.18) relating to data protection;
3) Issuing guidelines for organizational, physical, 1) Publishing a compilation of agency system of records
and technical security measures for personal data &notices, including index &other finding aids; (SEC.7g)
protection, taking into account the nature of the 2) Coordinating with other government agencies
personal data to be protected, the risks presented and the private sector on efforts to formulate and
by the processing, the size of the organization and implement plans and policies to strengthen the
complexity of its operations, current data privacy protection of personal data in the country; (SEC.7f)
best practices, cost of security implementation,
and the most appropriate standard recognized by d. Compliance and Monitoring. The Commission
the information and communications technology shall perform compliance and monitoring functions to
industry, as may be necessary; (SEC.20) ensure effective implementation of the Act, these
4) Consulting with relevant regulatory agencies in Rules, and other issuances. This includes:
the formulation, review, amendment, and 1) Ensuring compliance by personal information
administration of privacy codes, applying the controllers with the provisions of the Act; (SEC.7a)
standards set out in the Act, with respect to the 2) Monitoring the compliance of all government
persons, entities, business activities, and business agencies or instrumentalities as regards their
sectors that said regulatory bodies are authorized security and technical measures, and
to principally regulate pursuant to law; (SEC.7j) recommending the necessary action in order to
5) Proposing legislation, amendments or meet minimum standards for protection of
modifications to Philippine laws on privacy or personal data pursuant to the Act;(SEC.7e)
data protection, as may be necessary; (SEC.7m) 3) Negotiating and contracting with other data
privacy authorities of other countries for cross- interest, or if it is necessary to preserve and
border application and implementation of protect the rights of data subjects (SEC.7c)
respective privacy laws;(SEC.7o) 4) Recommending to the Department of Justice
4) Generally performing such acts as may be (DOJ) the prosecution of crimes and imposition of
necessary to facilitate cross-border enforcement of penalties specified in the Act; (SEC.7i)
data privacy protection; (SEC.7q) 5) Compelling or petitioning any entity, government
5) Managing the registration of personal data agency, or instrumentality, to abide by its orders
processing systems in the country, including the or take action on a matter affecting data privacy;
personal data processing system of contractors (SEC.7d)
and their employees entering into contracts with 6) Imposing administrative fines for violations of the
government agencies that involves accessing or Act, these Rules, and other issuances of the
requiring sensitive personal information of at Commission.
least one thousand (1,000) individuals.(SEC.24) g. Other functions. The Commission shall exercise
such other functions as may be necessary to fulfill its
e. Complaints and Investigations. The Commission mandate under the Act.
shall adjudicate on complaints and investigations on Administrative Issuances. The Commission shall
matters affecting personal data: Provided, that In publish or issue official directives and administrative
resolving any complaint or investigation, except issuances, orders, and circulars, which include:
where amicable settlement is reached by the parties, a. Rules of procedure in the exercise of its quasi-
the Commission shall act as a collegial body. This judicial functions, subject to the suppletory
includes: application of the Rules of Court;
1) Receiving complaints and instituting b. Schedule of administrative fines and penalties for
investigations regarding violations of the Act, violations of the Act, these Rules, and issuances or
these Rules, and other issuances of the Orders of the Commission, including the
Commission, including violations of the rights of applicable fees for its administrative services and
data subjects and other matters affecting personal filing fees;
data; (SEC.7b) c. Procedure for registration of data processing
2) Summoning witnesses, and requiring the systems, and notification;
production of evidence by a subpoena duces d. Other administrative issuances consistent with its
tecum for the purpose of collecting the mandate and other functions.
information necessary to perform its functions SECTION 8 - Confidentiality
under the Act: Provided, that the Commission Members, employees, and consultants of the
may be given access to personal data that is Commission shall ensure at all times the
subject of any complaint; (SEC.16) confidentiality of any personal data that come to
3) Facilitating or enabling settlement of complaints their knowledge and possession: Provided, that
through the use of alternative dispute resolution such duty of confidentiality shall remain even
processes, and adjudicating on matters affecting after their term, employment, or contract has
any personal data; (SEC.7b) ended.
4) Preparing reports on the disposition of SECTION 9. Organizational Structure
complaints and the resolution of any investigation
it initiates, and, in cases it deems appropriate, The Commission shall be attached to the Department
publicizing such reports; (SEC.7b) of Information and Communications Technology
f. Enforcement. The Commission shall perform all (DICT) and
acts as may be necessary to effectively implement the
Act, these Rules, and its other issuances, and to for policy and program coordination in accordance
enforce its Orders, Resolutions or Decisions, including with Section 38(3) of Executive Order No. 292, series
the imposition of administrative sanctions, fines, or of 1987, also known as the Administrative Code of
penalties. This includes: 1987. The Commission shall remain completely
1) Issuing compliance or enforcement orders; independent in the performance of its functions.
2) Awarding indemnity on matters affecting any
personal data, or rights of data subjects;(SEC.7b) shall be headed by a Privacy Commissioner, who shall
3) Issuing cease and desist orders, or imposing a also act as Chairman of the Commission.
temporary or permanent ban on the processing of - shall be assisted by two (2) Deputy Privacy
personal data, upon finding that the processing Commissioners, one to be responsible for Data
will be detrimental to national security or public Processing Systems and one to be responsible for
Policies and Planning.
Data Security and Compliance Office;
The Privacy Commissioner and the two (2) Deputy Legal and Enforcement Office;
Privacy Commissioners shall be appointed by the Finance and Administrative Office;
President of the Philippines for a term of three (3) Privacy Policy Office;
years, and may be reappointed for another term of Public Information and Assistance Office.
three (3) years.
Vacancies in the Commission shall be filled in the Majority of the members of the Secretariat must have
same manner in which the original appointment was served for at least five (5) years in any agency of the
made. government that is involved in the processing of
The Privacy Commissioner must be personal information including, but not limited to, the
 at least thirty-five (35) years of age and following offices: (SSS), (GSIS), (LTO), (BIR),
 of good moral character, (PhilHealth), (COMELEC), (DFA), (DOJ), (Philpost).
 unquestionable integrity and
 known probity, and The organizational structure shall be subject to review
 a recognized expert in the field of information and modification by the Commission, including the
technology and data privacy. creation of new divisions and units it may deem
necessary, and shall appoint officers and employees of
The Privacy Commissioner shall enjoy the benefits, the Commission in accordance with civil service law,
privileges and emoluments equivalent to the rank of rules, and regulations.
Secretary.
Magna Carta for Science and Technology Personnel.
The Deputy Privacy Commissioners must be Qualified employees of the Commission shall be
recognized experts in the field of information and covered by Republic Act No. 8349, which provides a
communications technology and data privacy. They magna carta for scientists, engineers, researchers, and
shall enjoy the benefits, privileges and emoluments other science and technology personnel in the
equivalent to the rank of Undersecretary. government.
The Privacy Commissioner, the Deputy SEC. 11. General Data Privacy Principles. – The
Commissioners, or any person acting on their behalf processing of personal information shall be allowed,
or under their direction, shall not be civilly liable for subject to compliance with the requirements of this
acts done in good faith in the performance of their Act and other laws allowing disclosure of information
duties. However, he or she shall be liable for willful to the public and adherence to the principles of
or negligent acts done by him or her which are transparency, legitimate purpose and proportionality.
contrary to law, morals, public policy and good
customs even if he or she acted under orders or a. Transparency. The data subject must be aware of
instructions of superiors: the nature, purpose, and extent of the processing
Provided, That in case a lawsuit is filed against such of his or her personal data, including the risks and
official on the subject of the performance of his or her safeguards involved, the identity of personal
duties, where such performance is lawful, he or she information controller, his or her rights as a data
shall be reimbursed by the Commission for reasonable subject, and how these can be exercised. Any
costs of litigation. information and communication relating to the
processing of personal data should be easy to
Section 38. access and understand, using clear and plain
(3) A head of a department or a superior officer language.
shall not be civilly liable for the wrongful acts,
omissions of duty, negligence, or misfeasance of his b. Legitimate purpose. The processing of
subordinates, unless he has actually authorized by information shall be compatible with a declared
written order the specific act or misconduct and specified purpose which must not be contrary
complained of. to law, morals, or public policy.
SEC. 10. The Secretariat. – The Commission is hereby
authorized to establish a Secretariat. c. Proportionality. The processing of information
which shall assist in the performance of its functions. shall be adequate, relevant, suitable, necessary,
The Secretariat shall be headed by an Executive and not excessive in relation to a declared and
Director and shall be organized according to the specified purpose. Personal data shall be
following offices: processed only if the purpose of the processing
could not reasonably be fulfilled by other means. d.Personal Data shall not be retained longer than
necessary.
1.Retention of personal data shall only for as long as
Section 19. General principles in collection, necessary:
processing and retention. The processing of personal (a)for the fulfillment of the declared, specified, and
data shall adhere to the following general principles in legitimate purpose, or when the processing relevant to
the collection, processing, and retention of personal the purpose has been terminated;
data: (b)for the establishment, exercise or defense of legal
claims; or
a.Collection must be for a declared, specified, and (c)for legitimate business purposes, which must be
legitimate purpose. consistent with standards followed by the applicable
1.Consent is required prior to the collection and industry or approved by appropriate government
processing of personal data, subject to exemptions agency.
provided by the Act and other applicable laws and 2.Retention of personal data shall be allowed in cases
regulations. When consent is required, it must be provided by law.
time-bound in relation to the declared, specified and 3.Personal data shall be disposed or discarded in a
legitimate purpose. Consent given may be withdrawn. secure manner that would prevent further processing,
2.The data subject must be provided specific unauthorized access, or disclosure to any other party
information regarding the purpose and extent of or the public, or prejudice the interests of the data
processing, including, where applicable, the subjects.
automated processing of his or her personal data for e.Any authorized further processing shall have
profiling, or processing for direct marketing, and data adequate safeguards.
sharing. 1.Personal data originally collected for a declared,
3.Purpose should be determined and declared before, specified, or legitimate purpose may be processed
or as soon as reasonably practicable, after collection. further for historical, statistical, or scientific purposes,
4. Only personal data that is necessary and compatible with declared, specified, and legitimate purpose shall be collected.

b. Personal data shall be processed fairly and lawfully.
1. Processing shall uphold the rights of the data subject, including the right to refuse, withdraw consent, or object. It shall likewise be transparent, and allow the data subject sufficient information to know the nature and extent of processing.
2. Information provided to a data subject must always be in clear and plain language to ensure that they are easy to understand and access.
3. Processing must be in a manner compatible with declared, specified, and legitimate purpose.
4. Processed personal data should be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.
5. Processing shall be undertaken in a manner that ensures appropriate privacy and security safeguards.

c. Processing should ensure data quality.
1. Personal data should be accurate and, where necessary for the declared, specified and legitimate purpose, kept up to date.
2. Inaccurate or incomplete data must be rectified, supplemented, destroyed or their further processing restricted.

and, in cases laid down in law, may be stored for longer periods, subject to implementation of the appropriate organizational, physical, and technical security measures required by the Act in order to safeguard the rights and freedoms of the data subject.
2. Personal data which is aggregated or kept in a form which does not permit identification of data subjects may be kept longer than necessary for the declared, specified, and legitimate purpose.
3. Personal data shall not be retained in perpetuity in contemplation of a possible future use yet to be determined.

Section 20. General Principles for Data Sharing. Further Processing of Personal Data collected from a party other than the Data Subject shall be allowed under any of the following conditions:

a. Data sharing shall be allowed when it is expressly authorized by law: Provided, that there are adequate safeguards for data privacy and security, and processing adheres to the principles of transparency, legitimate purpose and proportionality.
b. Data Sharing shall be allowed in the private sector if the data subject consents to data sharing, and the following conditions are complied with:
1. Consent for data sharing shall be required even when the data is to be shared with an affiliate or mother company, or similar relationships;
2. Data sharing for commercial purposes, including direct marketing, shall be covered by a data sharing agreement.
(a) The data sharing agreement shall establish adequate safeguards for data privacy and security, and uphold rights of data subjects.
(b) The data sharing agreement shall be subject to review by the Commission, on its own initiative or upon complaint of data subject;
3. The data subject shall be provided with the following information prior to collection or before data is shared:
(a) Identity of the personal information controllers or personal information processors that will be given access to the personal data;
(b) Purpose of data sharing;
(c) Categories of personal data concerned;
(d) Intended recipients or categories of recipients of the personal data;
(e) Existence of the rights of data subjects, including the right to access and correction, and the right to object;
(f) Other information that would sufficiently notify the data subject of the nature and extent of data sharing and the manner of processing.

4. Further processing of shared data shall adhere to the data privacy principles laid down in the Act, these Rules, and other issuances of the Commission.
c. Data collected from parties other than the data subject for purpose of research shall be allowed when the personal data is publicly available, or has the consent of the data subject for purpose of research: Provided, that adequate safeguards are in place, and no decision directly affecting the data subject shall be made on the basis of the data collected or processed. The rights of the data subject shall be upheld without compromising research integrity.
d. Data sharing between government agencies for the purpose of a public function or provision of a public service shall be covered by a data sharing agreement.
1. Any or all government agencies party to the agreement shall comply with the Act, these Rules, and all other issuances of the Commission, including putting in place adequate safeguards for data privacy and security.
2. The data sharing agreement shall be subject to review of the Commission, on its own initiative or upon complaint of data subject.

Section 21. Criteria for Lawful Processing of Personal Information. Processing of personal information is allowed, unless prohibited by law. For processing to be lawful, any of the following conditions must be complied with:

a. The data subject must have given his or her consent prior to the collection, or as soon as practicable and reasonable;

b. The processing involves the personal information of a data subject who is a party to a contractual agreement, in order to fulfill obligations under the contract or to take steps at the request of the data subject prior to entering the said agreement;

c. The processing is necessary for compliance with a legal obligation to which the personal information controller is subject;

d. The processing is necessary to protect vitally important interests of the data subject, including his or her life and health;

e. The processing of personal information is necessary to respond to national emergency or to comply with the requirements of public order and safety, as prescribed by law;

f. The processing of personal information is necessary for the fulfillment of the constitutional or statutory mandate of a public authority; or

g. The processing is necessary to pursue the legitimate interests of the personal information controller, or by a third party or parties to whom the data is disclosed, except where such interests are overridden by fundamental rights and freedoms of the data subject, which require protection under the Philippine Constitution.

Section 22. Sensitive Personal Information and Privileged Information. The processing of sensitive personal and privileged information is prohibited, except in any of the following cases:

a. Consent is given by data subject, or by the parties to the exchange of privileged information, prior to the processing of the sensitive personal information or privileged information, which shall be undertaken pursuant to a declared, specified, and legitimate purpose;

b. The processing of the sensitive personal information or privileged information is provided for by existing laws and regulations: Provided, that said laws and regulations do not require the consent of the data subject for the processing, and guarantee the protection of personal data;
c. The processing is necessary to protect the life and health of the data subject or another person, and the data subject is not legally or physically able to express his or her consent prior to the processing;

d. The processing is necessary to achieve the lawful and noncommercial objectives of public organizations and their associations provided that:

1. Processing is confined and related to the bona fide members of these organizations or their associations;

2. The sensitive personal information are not transferred to third parties; and

3. Consent of the data subject was obtained prior to processing;

e. The processing is necessary for the purpose of medical treatment: Provided, that it is carried out by a medical practitioner or a medical treatment institution, and an adequate level of protection of personal data is ensured; or

f. The processing concerns sensitive personal information or privileged information necessary for the protection of lawful rights and interests of natural or legal persons in court proceedings, or the establishment, exercise, or defense of legal claims, or when provided to government or public authority pursuant to a constitutional or statutory mandate.

SEC. 14. Subcontract of Personal Information. – A personal information controller may subcontract the processing of personal information: Provided, That the personal information controller shall be responsible for ensuring that proper safeguards are in place to ensure the confidentiality of the personal information processed, prevent its use for unauthorized purposes, and generally, comply with the requirements of this Act and other laws for processing of personal information. The personal information processor shall comply with all the requirements of this Act and other applicable laws.

Section 23. Extension of Privileged Communication. Personal information controllers may invoke the principle of privileged communication over privileged information that they lawfully control or process. Subject to existing laws and regulations, any evidence gathered from privileged information is inadmissible.

When the Commission inquires upon communication claimed to be privileged, the personal information controller concerned shall prove the nature of the communication in an executive session. Should the communication be determined as privileged, it shall be excluded from evidence, and the contents thereof shall not form part of the records of the case: Provided, that where the privileged communication itself is the subject of a breach, or a privacy concern or investigation, it may be disclosed to the Commission but only to the extent necessary for the purpose of investigation, without including the contents thereof in the records.

Section 24. Surveillance of Suspects and Interception of Recording of Communications. Section 7 of Republic Act No. 9372, otherwise known as the "Human Security Act of 2007", is hereby amended to include the condition that the processing of personal data for the purpose of surveillance, interception, or recording of communications shall comply with the Data Privacy Act, including adherence to the principles of transparency, proportionality, and legitimate purpose.

Section 34. Rights of the Data Subject. The data subject is entitled to the following rights:

a. Right to be informed.

1. The data subject has a right to be informed whether personal data pertaining to him or her shall be, are being, or have been processed, including the existence of automated decision-making and profiling.
2. The data subject shall be notified and furnished with information indicated hereunder before the entry of his or her personal data into the processing system of the personal information controller, or at the next practical opportunity:
(a) Description of the personal data to be entered into the system;
(b) Purposes for which they are being or will be processed, including processing for direct marketing, profiling or historical, statistical or scientific purpose;
(c) Basis of processing, when processing is not based on the consent of the data subject;
(d) Scope and method of the personal data processing;
(e) The recipients or classes of recipients to whom the personal data are or may be disclosed;
(f) Methods utilized for automated access, if the same is allowed by the data subject, and the extent to which such access is authorized, including meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject;
(g) The identity and contact details of the personal data controller or its representative;
(h) The period for which the information will be stored; and
(i) The existence of their rights as data subjects, including the right to access, correction, and object to the processing, as well as the right to lodge a complaint before the Commission.
b. Right to object. The data subject shall have the right to object to the processing of his or her personal data, including processing for direct marketing, automated processing or profiling. The data subject shall also be notified and given an opportunity to withhold consent to the processing in case of changes or any amendment to the information supplied or declared to the data subject in the preceding paragraph.
When a data subject objects or withholds consent, the personal information controller shall no longer process the personal data, unless:

1. The personal data is needed pursuant to a subpoena;

2. The collection and processing are for obvious purposes, including, when it is necessary for the performance of or in relation to a contract or service to which the data subject is a party, or when necessary or desirable in the context of an employer-employee relationship between the collector and the data subject; or
3. The information is being collected and processed as a result of a legal obligation.
c. Right to Access. The data subject has the right to reasonable access to, upon demand, the following:
1. Contents of his or her personal data that were processed;
2. Sources from which personal data were obtained;
3. Names and addresses of recipients of the personal data;
4. Manner by which such data were processed;
5. Reasons for the disclosure of the personal data to recipients, if any;
6. Information on automated processes where the data will, or is likely to, be made as the sole basis for any decision that significantly affects or will affect the data subject;
7. Date when his or her personal data concerning the data subject were last accessed and modified; and
8. The designation, name or identity, and address of the personal information controller.
d. Right to rectification. The data subject has the right to dispute the inaccuracy or error in the personal data and have the personal information controller correct it immediately and accordingly, unless the request is vexatious or otherwise unreasonable. If the personal data has been corrected, the personal information controller shall ensure the accessibility of both the new and the retracted information and the simultaneous receipt of the new and the retracted information by the intended recipients thereof: Provided, That recipients or third parties who have previously received such processed personal data shall be informed of its inaccuracy and its rectification, upon reasonable request of the data subject.
e. Right to Erasure or Blocking. The data subject shall have the right to suspend, withdraw or order the blocking, removal or destruction of his or her personal data from the personal information controller’s filing system.
1. This right may be exercised upon discovery and substantial proof of any of the following:
(a) The personal data is incomplete, outdated, false, or unlawfully obtained;
(b) The personal data is being used for purpose not authorized by the data subject;
(c) The personal data is no longer necessary for the purposes for which they were collected;
(d) The data subject withdraws consent or objects to the processing, and there is no other legal ground or overriding legitimate interest for the processing;
(e) The personal data concerns private information that is prejudicial to data subject, unless justified by freedom of speech, of expression, or of the press or otherwise authorized;
(f) The processing is unlawful;
(g) The personal information controller or personal information processor violated the rights of the data subject.
2. The personal information controller may notify third parties who have previously received such processed personal information.
f. Right to damages. The data subject shall be indemnified for any damages sustained due to such inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of personal data, taking
into account any violation of his or her rights and freedoms as data subject.
Section 35. Transmissibility of Rights of the Data Subject. The lawful heirs and assigns of the data subject may invoke the rights of the data subject to which he or she is an heir or an assignee, at any time after the death of the data subject, or when the data subject is incapacitated or incapable of exercising the rights as enumerated in the immediately preceding section.
Section 36. Right to Data Portability. Where his or her personal data is processed by electronic means and in a structured and commonly used format, the data subject shall have the right to obtain from the personal information controller a copy of such data in an electronic or structured format that is commonly used and allows for further use by the data subject. The exercise of this right shall primarily take into account the right of the data subject to have control over his or her personal data being processed based on consent or contract, for commercial purpose, or through automated means. The Commission may specify the electronic format referred to above, as well as the technical standards, modalities, procedures and other rules for their transfer.

Section 37. Limitation on Rights. The immediately preceding sections shall not be applicable if the processed personal data are used only for the needs of scientific and statistical research and, on the basis of such, no activities are carried out and no decisions are taken regarding the data subject: Provided, that the personal data shall be held under strict confidentiality and shall be used only for the declared purpose. The said sections are also not applicable to the processing of personal data gathered for the purpose of investigations in relation to any criminal, administrative or tax liabilities of a data subject. Any limitations on the rights of the data subject shall only be to the minimum extent necessary to achieve the purpose of said research or investigation.

Section 25. Data Privacy and Security. Personal information controllers and personal information processors shall implement reasonable and appropriate organizational, physical, and technical security measures for the protection of personal data.

The personal information controller and personal information processor shall take steps to ensure that any natural person acting under their authority and who has access to personal data does not process them except upon their instructions, or as required by law.

The security measures shall aim to maintain the availability, integrity, and confidentiality of personal data and are intended for the protection of personal data against any accidental or unlawful destruction, alteration, and disclosure, as well as against any other unlawful processing. These measures shall be implemented to protect personal data against natural dangers such as accidental loss or destruction, and human dangers such as unlawful access, fraudulent misuse, unlawful destruction, alteration and contamination.

Section 26. Organizational Security Measures. Where appropriate, personal information controllers and personal information processors shall comply with the following guidelines for organizational security:

a. Compliance Officers. Any natural or juridical person or other body involved in the processing of personal data shall designate an individual or individuals who shall function as data protection officer, compliance officer or otherwise be accountable for ensuring compliance with applicable laws and regulations for the protection of data privacy and security.

b. Data Protection Policies. Any natural or juridical person or other body involved in the processing of personal data shall implement appropriate data protection policies that provide for organizational, physical, and technical security measures, and, for such purpose, take into account the nature, scope, context and purposes of the processing, as well as the risks posed to the rights and freedoms of data subjects.

1. The policies shall implement data protection principles both at the time of the determination of the means for processing and at the time of the processing itself.

2. The policies shall implement appropriate security measures that, by default, ensure only personal data which is necessary for the specified purpose of the processing are processed. They shall determine the amount of personal data collected, including the extent of processing involved, the period of their storage, and their accessibility.

3. The policies shall provide for documentation, regular review, evaluation, and updating of the privacy and security policies and practices.

c. Records of Processing Activities. Any natural or juridical person or other body involved in the processing of personal data shall maintain records
that sufficiently describe its data processing system, and identify the duties and responsibilities of those individuals who will have access to personal data. Records should include:

1. Information about the purpose of the processing of personal data, including any intended future processing or data sharing;

2. A description of all categories of data subjects, personal data, and recipients of such personal data that will be involved in the processing;

3. General information about the data flow within the organization, from the time of collection, processing, and retention, including the time limits for disposal or erasure of personal data;

4. A general description of the organizational, physical, and technical security measures in place;

5. The name and contact details of the personal information controller and, where applicable, the joint controller, its representative, and the compliance officer or Data Protection Officer, or any other individual or individuals accountable for ensuring compliance with the applicable laws and regulations for the protection of data privacy and security.

d. Management of Human Resources. Any natural or juridical person or other entity involved in the processing of personal data shall be responsible for selecting and supervising its employees, agents, or representatives, particularly those who will have access to personal data.

The said employees, agents, or representatives shall operate and hold personal data under strict confidentiality if the personal data are not intended for public disclosure. This obligation shall continue even after leaving the public service, transferring to another position, or upon terminating their employment or contractual relations. There shall be capacity building, orientation or training programs for such employees, agents or representatives, regarding privacy or security policies.

e. Processing of Personal Data. Any natural or juridical person or other body involved in the processing of personal data shall develop, implement and review:

1. A procedure for the collection of personal data, including procedures for obtaining consent, when applicable;

2. Procedures that limit the processing of data, to ensure that it is only to the extent necessary for the declared, specified, and legitimate purpose;

3. Policies for access management, system monitoring, and protocols to follow during security incidents or technical problems;

4. Policies and procedures for data subjects to exercise their rights under the Act;

5. Data retention schedule, including timeline or conditions for erasure or disposal of records.

f. Contracts with Personal Information Processors. The personal information controller, through appropriate contractual agreements, shall ensure that its personal information processors, where applicable, shall also implement the security measures required by the Act and these Rules. It shall only engage those personal information processors that provide sufficient guarantees to implement appropriate security measures specified in the Act and these Rules, and ensure the protection of the rights of the data subject.

Section 27. Physical Security Measures. Where appropriate, personal information controllers and personal information processors shall comply with the following guidelines for physical security:

a. Policies and procedures shall be implemented to monitor and limit access to and activities in the room, workstation or facility, including guidelines that specify the proper use of and access to electronic media;

b. Design of office space and work stations, including the physical arrangement of furniture and equipment, shall provide privacy to anyone processing personal data, taking into consideration the environment and accessibility to the public;

c. The duties, responsibilities and schedule of individuals involved in the processing of personal data shall be clearly defined to ensure that only the individuals actually performing official duties shall be in the room or work station, at any given time;

d. Any natural or juridical person or other body involved in the processing of personal data shall implement policies and procedures regarding the transfer, removal, disposal, and re-use of electronic media, to ensure appropriate protection of personal data;
e. Policies and procedures that prevent the mechanical destruction of files and equipment shall be established. The room and workstation used in the processing of personal data shall, as far as practicable, be secured against natural disasters, power disturbances, external access, and other similar threats.

Section 28. Guidelines for Technical Security Measures. Where appropriate, personal information controllers and personal information processors shall adopt and establish the following technical security measures:

a. A security policy with respect to the processing of personal data;

b. Safeguards to protect their computer network against accidental, unlawful or unauthorized usage, any interference which will affect data integrity or hinder the functioning or availability of the system, and unauthorized access through an electronic network;

c. The ability to ensure and maintain the confidentiality, integrity, availability, and resilience of their processing systems and services;

d. Regular monitoring for security breaches, and a process both for identifying and assessing reasonably foreseeable vulnerabilities in their computer networks, and for taking preventive, corrective, and mitigating action against security incidents that can lead to a personal data breach;

e. The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;

f. A process for regularly testing, assessing, and evaluating the effectiveness of security measures;

g. Encryption of personal data during storage and while in transit, authentication process, and other technical security measures that control and limit access.

Section 29. Appropriate Level of Security. The Commission shall monitor the compliance of natural or juridical person or other body involved in the processing of personal data, specifically their security measures, with the guidelines provided in these Rules and subsequent issuances of the Commission. In determining the level of security appropriate for a particular personal information controller or personal information processor, the Commission shall take into account the nature of the personal data that requires protection, the risks posed by the processing, the size of the organization and complexity of its operations, current data privacy best practices, and the cost of security implementation. The security measures provided herein shall be subject to regular review and evaluation, and may be updated as necessary by the Commission in separate issuances, taking into account the most appropriate standard recognized by the information and communications technology industry and data privacy best practices.

Rule VII. Security of Sensitive Personal Information in Government
Section 30. Responsibility of Heads of Agencies. All sensitive personal information maintained by the government, its agencies, and instrumentalities shall be secured, as far as practicable, with the use of the most appropriate standard recognized by the information and communications technology industry, subject to these Rules and other issuances of the Commission. The head of each government agency or instrumentality shall be responsible for complying with the security requirements mentioned herein. The Commission shall monitor government agency compliance and may recommend the necessary action in order to satisfy the minimum standards.

Section 31. Requirements Relating to Access by Agency Personnel to Sensitive Personal Information.

a. On-site and Online Access.

1. No employee of the government shall have access to sensitive personal information on government property or through online facilities unless the employee has received a security clearance from the head of the source agency. The source agency is the government agency which originally collected the personal data.

2. A source agency shall strictly regulate access to sensitive personal information under its custody or control, particularly when it allows online access. An employee of the government shall only be granted a security clearance when the performance of his or her official functions or the provision of a public service directly depends on and cannot otherwise be performed unless access to the personal data is allowed.

3. Where allowed under the next preceding sections,
online access to sensitive personal information shall be subject to the following conditions:
(a) An information technology governance framework has been designed and implemented;

(b) Sufficient organizational, physical and technical security measures have been established;

(c) The agency is capable of protecting sensitive personal information in accordance with data privacy practices and standards recognized by the information and communication technology industry;

(d) The employee of the government is only given online access to sensitive personal information necessary for the performance of official functions or the provision of a public service.

b. Off-site access.

1. Sensitive personal information maintained by an agency may not be transported or accessed from a location off or outside of government property, whether by its agent or employee, unless the head of agency has ensured the implementation of privacy policies and appropriate security measures. A request for such transportation or access shall be submitted to and approved by the head of agency. The request must include proper accountability mechanisms in the processing of data.

2. The head of agency shall approve requests for off-site access in accordance with the following guidelines:

(a) Deadline for Approval or Disapproval. The head of agency shall approve or disapprove the request within two (2) business days after the date of submission of the request. Where no action is taken by the head of agency, the request is considered disapproved;

(b) Limitation to One thousand (1,000) Records. Where a request is approved, the head of agency shall limit the access to not more than one thousand (1,000) records at a time, subject to the next succeeding paragraph.

(c) Encryption. Any technology used to store, transport or access sensitive personal information for purposes of off-site access approved under this subsection shall be secured by the use of the most secure encryption standard recognized by the Commission.

Section 32. Implementation of Security Requirements. Notwithstanding the effective date of these Rules, the requirements in the preceding sections shall be implemented before any off-site or online access request is approved. Any data sharing agreement between a source agency and another government agency shall be subject to review of the Commission on its own initiative or upon complaint of data subject.

Section 33. Applicability to Government Contractors. In entering into any contract with a private service provider that may involve accessing or requiring sensitive personal information from one thousand (1,000) or more individuals, a government agency shall require such service provider and its employees to register their personal data processing system with the Commission in accordance with the Act and these Rules. The service provider, as personal information processor, shall comply with the other provisions of the Act and these Rules, particularly the immediately preceding sections, similar to a government agency and its employees.