Know your privacy rights!



REPUBLIC Act 10173, or the Data Privacy Act(DPA) of 2012, is one hell of a very important piece of legislation to ever hit the country and consequently, our collective lives. In these times where even the supposedly highly democratic nations have now been wantonly circumventing the privacy rights of their citizens in the name of anti-terrorism, it is very refreshing (and proudly at that!) that the Philippines remains at the forefront of protecting the sanctity of personal information.

Before moving on, there are some definitions that you must know. One, the Data Subject. That’s you, the owner of the personal information. Two, Personal Information. And that’s any piece of information that when singularly or collectively collected can ascertain your identity. There is an even more critical type of personal information though, and that is Sensitive Personal Information. This other type of personal information is your identity, plus all other very critical information that may define the various aspects of your life i. e. financial status, affiliations, religious or political leanings, medical records and other very critical pieces of information you hold very dear to your heart such that when deliberately or accidentally made available publicly could threaten your very well-being. Three, the Personal Information Controller (PIC) which is the individual or organization that collects the personal information. Four, the Personal Information Processor (PIP) is the one that processes or uses this data. This could be the PIC themselves or sometimes when outsourced to a third party could be any other person or entity outside of their organization. And lastly, five, the Data Privacy Officer (DPO). This guy is the designated go-to person on privacy inside any organization and is responsible (and liable) for safeguarding the confidentiality, integrity and availability of personal information that they collect.

Ok, now you’re ready to know your privacy rights.

Dubbed as the “Rights of the Data Subject” we are afforded the following under the DPA:

1. The right to be informed. We as data subjects have the right to know what specific data of our identity and our life for that matter is going to be entered into the database of the PIC, the purpose and basis of the collection or processing, the scope and method of the processing, which person or entity is it going to, the methods that are going to be used for automated access, the identity and contact details of the PIC and PIP, up to when it is going to be used (yes, there is a time limit on these things) and lastly notification that these rights exist.

2. The right to object. We as data subjects have the right to withhold any information that we deem would not be beneficial to the objective to the original purpose of the data collection. We do not need to give anything that we do not want to! This goes for those that use the data they have gathered for direct marketing and profiling. There should always be consent and this right affirms it.

3. The right to access. It is your data and you have all the rights to access it along with other pertinent information surrounding the collection. This applies to all the collected data, the sources from where this was collected, names and addresses who were given such data, the methods used on how it was processed, the reason why it was disclosed to the recipients, methods of automation for access, time and date when the data was last accessed and lastly, all contact information of whoever had obtained or processed the information (the PIC and PIP).

4. The right to erasure or blocking. The data subject is guaranteed the right to suspend, withdraw, order the blocking, removal and even destruction of his or her personal information from the database of the PIC if there is sufficient proof that the data obtained is incomplete, false or obtained by illegal means, if the information is used other than original intent, if the data is not relevant to the intent or purpose pf the collection, if you withdraw your consent, if there are information obtained that are prejudicial to your well-being.

5. The right to damages. Yes, you read it right. You have the right to collect compensation for damages inflicted upon you because of false, incomplete, dated, unlawfully, obtained or unauthorized use of personal data.

6. Transmissibility of the data subject’s rights. Your lawful heirs will inherit your rights in cases of death or incapacity.

7. Right to data portability. This is your right to obtain your personal data in a common and acceptable electronic (data) format as prescribed by the Privacy Commission if it was processed electronically.

I know exactly what you are thinking at this point. “Oh yeah. Great. But if any of my rights had been violated, who do I go to?” That, my friend, is the National Privacy Commission, mandated to receive and resolve complaints. They can even subpoena persons and entities as part of their investigation. File your complaints here >

Truth be told, the work of the commission is very impressive. Internet memes, “hugot” line posters capture your attention and gets the right message across. They know their audience and targets them with precision. Not only that, the creation of memorandum circulars to provide guidance of compliance in consonance with specific industry verticals (i.e. banks, large enterprises, etc.) is genius. One can only wish that the other ICT departments of the government were on par.


Please follow our commenting guidelines.

1 Comment

  1. jess nazario on

    Good that finally all these details on the Privacy Law are now being published for the public to be enlightened on this very important matter especially at this time when supposedly private information can be made accessible at the click of a mouse. But wouldn’t it be timely as well if we proceed looking at the actual sad situation the country is in right now in terms of the privacy of OUR (us of voting age) Person Identifying Information (PII) POST HACKING OF THE VOTERS’ DATABASE just a few weeks before the 2016 election. Can we ever recover from this biggest identity theft ever in the entire history of personal identity digital databases ?

    The Voters’ Database has fingerprint (FP) biometrics as its core PII. This means that the information that distinguishes one person from another person (to ensure that duplicates or replicates do not enter the system) in said database are the set of FPs that were captured by Comelec from each voter for the past 14 years (database build-up began in 2003) at the cost of billions. And since these are part (the very PII core) of the data that were compromised when that 2016 hacking happened there is a compelling need to replace it using biometrics OTHER than fingerprints. This is exacerbated by the fact that fingerprints are only of two IMMUTABLE biometrics given by God to each human being which has a computed possible repeatability or duplicate of only 1 in 64 million humans or only 0.000001562 %. This means that with 7 billion population of the earth it is possible to have exactly matching fingerprints of only about 110 “supposedly unique” individuals. The only other immutable biometrics of course is DNA which has a repeatability of only 1 in several billions.

    Now since the FP-based voters’ database was practically rendered USELESS by said hacking what biometrics can we use to build a replacement of the voters’ database ? All technologies that drive non-FP biometrics except DNA cannot match the accuracy of the FP in distinguishing one person from another. Iris, gait, body odor, facial, palm, voice and other biometrics as well plus possible fusions of two or more of them biometrics fall short of the accuracy we need for the voters’ database.

    That is how the terribly disastrous hacking of our voters database IS yet Comelec seems not worried at all when in fact we are in very deep trouble even if we don’t mention the ID theft consequences of the dissemination of the PII contained in said database all. over cyberspace. THERE SHOULD BE A SERIOUS INVESTIGATION OF THIS DISASTER ASAP !