The need for Data Privacy 101

BAR NONE - Atty. Ian Vincent Manticajon (The Freeman) - February 2, 2019 - 12:00am

A week ago the Integrated Bar of the Philippines Cebu Chapter, under the leadership of our president Mundlyn Misal-Martin and vice president Ria Lidia Espina, organized a lecture at the IBP Social Hall in the Capitol Compound entitled Data Privacy 101 in view of the Data Privacy Act of 2012 (Republic Act 10173).


Lawyer Leandro Angelo Aguirre, deputy commissioner of the National Privacy Commission, was the event’s main speaker. Other speakers were data privacy experts from the Fajardo Law Offices, lawyers Juan Paolo Fajardo and Arthur Anthony Alicer. Both Fajardo and Alicer have advised the National Privacy Commission on matters of privacy policy and enforcement. Experts like them do not come here very often, so when the IBP Cebu Chapter organized this lecture, I made sure to be present the entire time.

The Data Privacy Act (DPA) applies to any natural or juridical persons involved in the processing of personal information. Those not found or established in the Philippines but who use equipment located in the Philippines, and those who maintain an office, branch, or agency in the Philippines, are also covered by the law. The law seeks to protect all forms of information: private, personal, or sensitive.

Section 3(j) of the DPA defines “processing of personal information” as “any operation or any set of operations performed upon personal information including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data.” So whenever a person’s information is collected, modified, or used for some purpose, processing already takes place.

Personal information is any information which can be linked to a person’s identity, or that which makes the person readily identifiable. Section 3(g) of the DPA precisely defines it as follows: “any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.”

The implementing rules and regulations (IRR) of the DPA were promulgated on August 24, 2016; yet most individuals and companies whose operations in one way or another involve the processing of personal information are not aware of what is required of them under this law. Under the law’s IRR, for example, all organizations are required to appoint a Data Protection Officer who shall be accountable for ensuring compliance with the appropriate data protection laws and regulations.

Thus, I urge individuals and companies (hotels, hospitals, schools, pawnshops, etc.) to seek the guidance of the Data Privacy Commission or data privacy experts about the law. Lawyers, especially the tech-savvy ones, are also urged to develop an expertise around this field.

One very important provision of the DPA distinguishes between personal information and sensitive personal information. Apparently the difference between the two matters because the law gives each a different treatment. While personal information may be processed upon compliance with certain requirements, the processing of sensitive personal information is only allowed in six instances. One is when the data subject has given his or her consent, specific to the purpose, prior to the processing. The other five instances gravitate around the word “necessity” – like needed under the law, needed to protect life and health, or needed in court proceedings.

While I wrote here before that data privacy may be an illusion in the digital age, that should not hinder us from protecting our data privacy and holding to account those who knowingly or by their gross negligence violate people’s data privacy. And yes, the law imposes penalties against violators: payment of a fine and imprisonment ranging from one to six years.

* * *

Incidentally today, the Municipality of Moalboal is conducting a Legal Aid Mission in coordination with the IBP Cebu Chapter. The chapter is providing a supervising lawyer in order for the activity to be credited under the Community Legal Aid Service Rule. The chapter is calling on member-lawyers who are available to join other volunteer lawyers in this activity.

Another community legal aid activity involving IBP Cebu Chapter, this time in coordination with officials of Tagnucan, Borbon, is slated for February 10. Those who want to join these activities, especially the new lawyers who need to comply with the Community Legal Aid Service Rule, may contact Attorney Mundlyn Misal-Martin or Attorney Ria Lidia Espina through the chapter’s social media page.
