Republic of the Philippines

NATIONAL PRIVACY COMMISSION

PRIVACY POLICY OFFICE

ADVISORY OPINION NO. 2017-020

18 July 2017

''''''''''''''''''''''''''''''''''''''''''''' ''''''''' '''''''''''''''''''''

''''''''' ''''''' '''''''''''' '''''''''''' '''''' ''''''
''''''''''' '''''' ''''''''
'''''''''''''''' ''' '''''''''

Re: PHILIPPINE BUSINESS DATA BANK

Dear '''''''''''''''''''''''''''''''''''''''''''''' ''''''''''''''''''''''''''

This pertains to your request for advisory opinion dated 10 April 2017, received by the
National Privacy Commission (NPC) on 19 April 2017, in relation to the Philippine Business
Data Bank (PBDB), an initiative of the Ease of Doing Business Component of the DOF Anti-
Red Tape Program.

Specifically, you are requesting for an opinion on whether or not the data collected and to be
shared by and among certain government agencies, and to the public pursuant to the PBDB
is exempt from the coverage of the Data Privacy Act of 2012 (DPA).

Philippine Business Data Bank (PBDB)

We understand that the PBDB is an online facility that consolidates publicly-accessible,

business-related data sourced from government regulatory agencies. This online portal
digitizes the data collected by each of the following agencies from natural and juridical
persons engaged in business:

1. Cooperative Development Authority (CDA);

2. Department of Trade and Industry (DTI);
3. Securities and Exchange Commission (SEC);
4. Local Government Units (LGUs); and
5. Bureau of Fire Protection (BFP).

The common data collected by each of the above are as follows:

1. Business Name;
2. Regulatory Reference ID;
3. Registration Date;
4. Expiry Date;

Level 3, Core G, GSIS Headquarters Bldg., Financial Center, Pasay City, Metro Manila 1308
URL: http://privacy.gov.ph Email Add: [email protected]
 5. Status (registered or not);
6. Address;
7. City/Municipality;
8. Contact Number;
9. PSIC Reference;
10. Tax Identification Number;
11. Agency Code/LGU Code; and
12. Names of Individuals:

CDA DTI SEC LGUs

Board Members Business Owners Incorporators Business Owners

Scope of the DPA

At the outset, we wish to clarify that the DPA is applicable to the processing of all types of
personal information1, sensitive personal information2, and privileged information3
(collectively referred to as personal data), and to any natural and juridical person involved
in personal information processing within and without4 the Philippines.

We note that the list of data above is not wholly composed of personal data as most of these
pertain to data of juridical entities. The personal data in the list would likely pertain to the
details of the following:

1. Individuals who are engaged in business through sole proprietorships and possibly
partnerships;
2. Incorporators of corporations and cooperators of cooperatives;
3. Members of the board of directors or trustees;
4. Officers of corporations (including resident agents of foreign corporations licensed to
do business in the Philippines) and cooperatives; and
5. Individual stockholders of stock corporations and individual members of non-stock
corporations and cooperatives.

Thus, Items 1 to 11 of the list may pertain to a juridical entity, hence, not covered by the
DPA. In the case of sole proprietorships and possibly partnerships, the same items may be
considered as personal data.

1 RA No. 10173, §3(g) - Personal information refers to any information whether recorded in a material form or not, from
which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the
information, or when put together with other information would directly and certainly
identify an individual.
2 Id., §3(l) - Sensitive personal information refers to personal information:

1.) About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political
affiliations;
2.) About an individual’s health, education, genetic or sexual life of a person, or to any proceeding for any offense
committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of
any court in such proceedings;
3.) Issued by government agencies peculiar to an individual which includes, but not limited to, social security
numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns; and
4.) Specifically established by an executive order or an act of Congress to be kept classified.
3 Id., §3(k) - Privileged information refers to any and all forms of data which under the Rules of Court and other pertinent

laws constitute privileged communication.

4 See §6 of RA No. 10173 – Extraterritorial Application

2
In the instances where personal data may be involved in the consolidation of business-
related data of the PBDB, there is a need to determine if such personal data falls under the
special cases which is outside of the scope of the law.

As stated in the request, Sections 4(c) and (e) of the DPA may be a basis for the exemption,
to wit:

“SECTION 4. Scope. — xxx

This Act does not apply to the following: xxx

c. Information relating to any discretionary benefit of a financial nature such as

the granting of a license or permit given by the government to an individual,
including the name of the individual and the exact nature of the benefit;

xxx

e. Information necessary in order to carry out the functions of public authority

which includes the processing of personal data for the performance by the
independent central monetary authority and law enforcement and regulatory
agencies of their constitutionally and statutorily mandated functions. xxx”

We agree that the personal data falling under the abovementioned provisions is outside the
scope of the DPA. But for purposes of the DOF and for the other government agencies
involved in the PBDB, the exemption more aptly finds basis in Section 4(e) and not Section
4(c).

Section 4(c) speaks of information relating to any discretionary benefit of a financial nature.
The phrase “discretionary benefit” has been defined in other jurisdictions as follows:

"The prime factor is a 'discretionary' benefit, but not a 'gratuitous' benefit, nor
yet an 'exclusive' benefit, or even a cut-rate, or 'bargain basement' benefit. Any
of those imagined adjectives would narrow down paragraph 3(l)'s purview.
The kind of benefit contemplated here could well, on the words of the statute,
be nothing more than one of the constituent elements of consideration, or quid
pro quo, known to the law of contracts. In a real sense every contract involves
the conferring of a benefit on the other party and the enduring of a detriment,
on oneself. The statute mentions only the conferring of a discretionary benefit
from the government institution's point of view. It is so composed that it does
not need to mention the quid pro quo, because the conferred benefit is not so
narrowly contemplated as to be gratuitous nor yet exclusive or cut-rate. The
wording is sufficient to cover all of those narrower notions, so long as the
benefit be conferred upon the discretion of a government institution, official or
employee and is of a financial nature. The exacting of rent money from a tenant
is 'of a financial nature' just as surely as the according to the tenant of quite,
exclusive occupation of the premises during the term of the lease is conferring a
'discretionary benefit'."5

5Office of the Information Commissioner of Canada, citing Bland v. Canada (National Capital Commission), [1991] 3 F.C.
325; 41 F.T.R. 202, 4 Admin D.L.R. (2d) 171; 36 C.P.R. (3d) 289 (T.D.), available at http://www.oic-ci.gc.ca/eng/inv_inv-
gui-ati_gui-inv-ati_section_19.aspx
3
In the above case, the Canadian court found that “the National Capital Commission
exercised a discretion in accepting or rejecting those who seek to become its' tenants of real
property. The people chosen received a discretionary benefit because the rental payments
were of smaller amounts than for comparable residential properties. On that basis, the
information sought by the applicant was said not to be included in definition of 'personal
information'. On that basis, the court ordered disclosure of the name, addresses, and
property designations of NCC residential tenants.”6

We understand that the CDA, DTI, SEC, LGUs and BFP in their respective regulatory
mandates to register and/or issue licenses or permits are not given discretionary powers to
determine who becomes registered or not. The individual or entity applying would have to
submit all documentary requirements necessary for registration, and upon compliance, the
registration or permit will be issued. There is no discretion on the part of any of the
abovementioned government agencies insofar as this particular regulatory mandate is
concerned.

With this, it is clear that Section 4(c) is not applicable to the business-related registration
data sought to be consolidated by the PBDB.

As mentioned above, we believe that Section 4(e) may be made the basis for exemption of
the PBDB data as the same information is necessary in order to carry out the functions of
public authority.

However, we wish to emphasize that the exemption not absolute. The DPA and its
Implementing Rules and Regulations (IRR) shall not apply to the specified information, but
the exemption is limited “only to the minimum extent of collection, access, use, disclosure or
other processing necessary to the purpose, function, or activity concerned,” as stated in
Section 5 of the IRR.

Further, the proviso in said section states:

“Provided, that the non--applicability of the Act or these Rules do not extend to
personal information controllers or personal information processors, who
remain subject to the requirements of implementing security measures for
personal data protection: Provided further, that the processing of the
information provided in the preceding paragraphs shall be exempted from the
requirements of the Act only to the minimum extent necessary to achieve the
specific purpose, function, or activity.”

This is interpreted to the effect that there is a presumption that personal data may be
lawfully processed by a personal information controller or processor under the special cases,
but the processing shall be limited to achieving the specific purpose, function or activity,
and that the personal information controller or processor remains to be subject to the
requirements of implementing measures to secure and protect personal data.

6Office of the Information Commissioner of Canada, citing Bland v. Canada (National Capital Commission), [1991] 3 F.C.
325; 41 F.T.R. 202, 4 Admin D.L.R. (2d) 171; 36 C.P.R. (3d) 289 (T.D.), available at http://www.oic-ci.gc.ca/eng/inv_inv-
gui-ati_gui-inv-ati_section_19.aspx
4
For instance, a government agency having a statutory mandate to collect, access, use,
disclose, and generally process personal data may do so even without the consent of the
data subject.

But such processing is limited to the bare minimum to achieve the agency’s mandate, which
means that the agency shall collect only those data which it needs to perform its functions,
use these for the specified purpose only, and disclose only those data which are required to
be disclosed to other co-regulators or to the public, if necessary.

And the above is with the concomitant responsibility of ensuring that organizational,
physical and technical security measures are in place to protect the personal data that the
agency is processing.

Finally, we would like to remind all government agencies involved in the PBDB of the
obligations set out in NPC Circular No. 16-01 - Security of Personal Data in Government
Agencies and NPC Circular No. 16-02 - Data Sharing Agreements Involving Government
Agencies.

The first circular provides for the general obligations of government agencies engaged in the
processing of personal data and rules on storage, access, transfer, and disposal of personal
data, and the second requires the review of all existing data sharing arrangements and/or
actual contracts, joint issuances, or any similar documents, and make the necessary revisions
thereto, execution of a data sharing agreement (DSA) where applicable, and the immediate
termination the sharing of personal data in instances where the arrangement is not for the
purpose of performing a public function or providing a public service.

For your reference.

Sincerely,

RAYMUND E. LIBORO
Privacy Commissioner and Chairman