REPUBLIC Act 10173, or the Data Privacy Act (DPA) of 2012, is one hell of an important piece of legislation to hit the country and, consequently, our collective lives. In these times when even supposedly highly democratic nations have been wantonly circumventing the privacy rights of their citizens in the name of anti-terrorism, it is very refreshing (and a source of pride at that!) that the Philippines remains at the forefront of protecting the sanctity of personal information.
Before moving on, there are some definitions that you must know. One, the Data Subject. That’s you, the owner of the personal information. Two, Personal Information. That’s any piece of information that, when collected singly or collectively, can ascertain your identity. There is an even more critical type of personal information though, and that is Sensitive Personal Information. This other type of personal information is your identity, plus all other very critical information that may define the various aspects of your life, i.e. financial status, affiliations, religious or political leanings, medical records and other very critical pieces of information you hold so dear to your heart that, when deliberately or accidentally made publicly available, they could threaten your very well-being. Three, the Personal Information Controller (PIC), which is the individual or organization that collects the personal information. Four, the Personal Information Processor (PIP), which is the one that processes or uses this data. This could be the PIC themselves or, when the processing is outsourced to a third party, any other person or entity outside of their organization. And lastly, five, the Data Privacy Officer (DPO). This guy is the designated go-to person on privacy inside any organization and is responsible (and liable) for safeguarding the confidentiality, integrity and availability of the personal information that the organization collects.
OK, now you’re ready to know your privacy rights.
Dubbed the “Rights of the Data Subject,” the following are afforded to us under the DPA:
1. The right to be informed. We as data subjects have the right to know what specific data about our identity, and our life for that matter, is going to be entered into the database of the PIC; the purpose and basis of the collection or processing; the scope and method of the processing; which person or entity it is going to; the methods that are going to be used for automated access; the identity and contact details of the PIC and PIP; up to when it is going to be used (yes, there is a time limit on these things); and lastly, notification that these rights exist.
2. The right to object. We as data subjects have the right to withhold any information that we deem would not be beneficial to the original purpose of the data collection. We do not need to give anything that we do not want to! This goes for those that use the data they have gathered for direct marketing and profiling. There should always be consent and this right affirms it.
3. The right to access. It is your data and you have every right to access it, along with other pertinent information surrounding the collection. This applies to all the collected data, the sources from which it was collected, the names and addresses of those who were given such data, the methods used to process it, the reason why it was disclosed to the recipients, the methods of automation for access, the time and date when the data was last accessed and lastly, all contact information of whoever had obtained or processed the information (the PIC and PIP).
4. The right to erasure or blocking. The data subject is guaranteed the right to suspend, withdraw, or order the blocking, removal and even destruction of his or her personal information from the database of the PIC if there is sufficient proof that the data obtained is incomplete, false or obtained by illegal means; if the information is used for other than its original intent; if the data is not relevant to the intent or purpose of the collection; if you withdraw your consent; or if information was obtained that is prejudicial to your well-being.
5. The right to damages. Yes, you read it right. You have the right to collect compensation for damages inflicted upon you because of false, incomplete, dated, unlawfully obtained or unauthorized use of personal data.
6. Transmissibility of the data subject’s rights. Your lawful heirs will inherit your rights in cases of death or incapacity.
7. Right to data portability. This is your right to obtain your personal data in a common and acceptable electronic (data) format as prescribed by the Privacy Commission if it was processed electronically.
I know exactly what you are thinking at this point. “Oh yeah. Great. But if any of my rights had been violated, who do I go to?” That, my friend, is the National Privacy Commission, mandated to receive and resolve complaints. They can even subpoena persons and entities as part of their investigation. File your complaints here: email@example.com
Truth be told, the work of the commission is very impressive. Internet memes and “hugot” line posters capture your attention and get the right message across. They know their audience and target them with precision. Not only that, the creation of memorandum circulars to provide compliance guidance in consonance with specific industry verticals (i.e. banks, large enterprises, etc.) is genius. One can only wish that the other ICT departments of the government were on par.