Data privacy principles

1. General Data Privacy Principles

The processing of personal data shall be allowed, subject to compliance with the requirements of the Act and other laws allowing disclosure of information to the public, and adherence to the principles of transparency, legitimate purpose, and proportionality. (Section 17, Rule IV, IRR of the Data Privacy Act)

The processing of personal data shall be allowed subject to adherence to the principles of transparency, legitimate purpose, and proportionality. (Section 18, Rule IV, Ibid.)

a. Transparency

The data subject must be aware of the nature, purpose, and extent of the processing of his or her personal data, including the risks and safeguards involved, the identity of personal information controller, his or her rights as a data subject, and how these can be exercised. Any information and communication relating to the processing of personal data should be easy to access and understand, using clear and plain language. (Section 18[a], Rule IV, Ibid.)

b. Legitimate purpose

The processing of information shall be compatible with a declared and specified purpose which must not be contrary to law, morals, or public policy. (Section 18[b], Rule IV, Ibid.)

c. Proportionality

The processing of information shall be adequate, relevant, suitable, necessary, and not excessive in relation to a declared and specified purpose. Personal data shall be processed only if the purpose of the processing could not reasonably be fulfilled by other means. (Section 18[c], Rule IV, Ibid.)

2. General principles in collection, processing and retention

The processing of personal data shall adhere to the following general principles in the collection, processing, and retention of personal data:

a. Declared, specified, and legitimate purpose

a. Collection must be for a declared, specified, and legitimate purpose.

1. Consent is required prior to the collection and processing of personal data, subject to exemptions provided by the Act and other applicable laws and regulations. When consent is required, it must be time-bound in relation to the declared, specified and legitimate purpose. Consent given may be withdrawn.

2. The data subject must be provided specific information regarding the purpose and extent of processing, including, where applicable, the automated processing of his or her personal data for profiling, or processing for direct marketing, and data sharing.

3. Purpose should be determined and declared before, or as soon as reasonably practicable, after collection.

4. Only personal data that is necessary and compatible with declared, specified, and legitimate purpose shall be collected. (Section 19[a], Rule IV, Ibid.)

b. Fair and lawful processing

b. Personal data shall be processed fairly and lawfully.

1. Processing shall uphold the rights of the data subject, including the right to refuse, withdraw consent, or object. It shall likewise be transparent, and allow the data subject sufficient information to know the nature and extent of processing.

2. Information provided to a data subject must always be in clear and plain language to ensure that they are easy to understand and access.

3. Processing must be in a manner compatible with declared, specified, and legitimate purpose.

4. Processed personal data should be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.

5. Processing shall be undertaken in a manner that ensures appropriate privacy and security safeguards. (Section 19[b], Rule IV, Ibid.)

c. Data quality

c. Processing should ensure data quality.

1. Personal data should be accurate and where necessary for declared, specified and legitimate purpose, kept up to date.

2. Inaccurate or incomplete data must be rectified, supplemented, destroyed or their further processing restricted. (Section 19[c], Rule IV, Ibid.)

d. Not be retained longer than necessary

d. Personal Data shall not be retained longer than necessary.

1. Retention of personal data shall only for as long as necessary:

(a) for the fulfillment of the declared, specified, and legitimate purpose, or when the processing relevant to the purpose has been terminated;

(b) for the establishment, exercise or defense of legal claims; or

(c) for legitimate business purposes, which must be consistent with standards followed by the applicable industry or approved by appropriate government agency.

2. Retention of personal data shall be allowed in cases provided by law.

3. Personal data shall be disposed or discarded in a secure manner that would prevent further processing, unauthorized access, or disclosure to any other party or the public, or prejudice the interests of the data subjects. (Section 19[d], Rule IV, Ibid.)

e. Adequate safeguards

e. Any authorized further processing shall have adequate safeguards.

1. Personal data originally collected for a declared, specified, or legitimate purpose may be processed further for historical, statistical, or scientific purposes, and, in cases laid down in law, may be stored for longer periods, subject to implementation of the appropriate organizational, physical, and technical security measures required by the Act in order to safeguard the rights and freedoms of the data subject.

2. Personal data which is aggregated or kept in a form which does not permit identification of data subjects may be kept longer than necessary for the declared, specified, and legitimate purpose.

3. Personal data shall not be retained in perpetuity in contemplation of a possible future use yet to be determined. (Section 19[e], Rule IV, Ibid.)

3. General Principles for Data Sharing

Further Processing of Personal Data collected from a party other than the Data Subject shall be allowed under any of the following conditions:

a. Data sharing shall be allowed when it is expressly authorized by law: Provided, that there are adequate safeguards for data privacy and security, and processing adheres to principle of transparency, legitimate purpose and proportionality.

b. Data Sharing shall be allowed in the private sector if the data subject consents to data sharing, and the following conditions are complied with:

1. Consent for data sharing shall be required even when the data is to be shared with an affiliate or mother company, or similar relationships;

2. Data sharing for commercial purposes, including direct marketing, shall be covered by a data sharing agreement.

(a) The data sharing agreement shall establish adequate safeguards for data privacy and security, and uphold rights of data subjects.

(b) The data sharing agreement shall be subject to review by the Commission, on its own initiative or upon complaint of data subject;

3. The data subject shall be provided with the following information prior to collection or before data is shared:

(a) Identity of the personal information controllers or personal information processors that will be given access to the personal data;

(b) Purpose of data sharing;

(c) Categories of personal data concerned;

(d) Intended recipients or categories of recipients of the personal data;

(e) Existence of the rights of data subjects, including the right to access and correction, and the right to object;

(f) Other information that would sufficiently notify the data subject of the nature and extent of data sharing and the manner of processing.

4. Further processing of shared data shall adhere to the data privacy principles laid down in the Act, these Rules, and other issuances of the Commission.

c. Data collected from parties other than the data subject for purpose of research shall be allowed when the personal data is publicly available, or has the consent of the data subject for purpose of research: Provided, that adequate safeguards are in place, and no decision directly affecting the data subject shall be made on the basis of the data collected or processed. The rights of the data subject shall be upheld without compromising research integrity.

d. Data sharing between government agencies for the purpose of a public function or provision of a public service shall be covered a data sharing agreement.

1. Any or all government agencies party to the agreement shall comply with the Act, these Rules, and all other issuances of the Commission, including putting in place adequate safeguards for data privacy and security.

2. The data sharing agreement shall be subject to review of the Commission, on its own initiative or upon complaint of data subject. (Section 20], Rule IV, Ibid.)

References

Republic Act No. 10173, Data Privacy Act of 2012

2016 IRR of the Data Privacy Act

Similar Posts