Lawful Processing of Personal Data, Data Privacy Law

Concepts

“Personal data” refers to all types of personal information. (IRR, Section 3[j], Rule I)

“Personal information” refers to any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual. (IRR, Section 3[l], Rule I)

“Sensitive personal information” refers to personal information:

1) About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;

2) About an individual’s health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such individual, the disposal of such proceedings, or the sentence of any court in such proceedings;

3) Issued by government agencies peculiar to an individual which includes, but is not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns; and

4) Specifically established by an executive order or an act of Congress to be kept classified. (IRR, Section 3[t], Rule I)

“Processing” refers to any operation or any set of operations performed upon personal data including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data. Processing may be performed through automated means, or manual processing, if the personal data are contained or are intended to be contained in a filing system. (IRR, Section 3[o], Rule I)

Figure 1. Personal Data

Lawful Processing of Personal Information

Section 21. Criteria for Lawful Processing of Personal Information. Processing of personal information is allowed, unless prohibited by law. For processing to be lawful, any of the following conditions must be complied with:
a. The data subject must have given his or her consent prior to the collection, or as soon as practicable and reasonable;
b. The processing involves the personal information of a data subject who is a party to a contractual agreement, in order to fulfill obligations under the contract or to take steps at the request of the data subject prior to entering the said agreement;
c. The processing is necessary for compliance with a legal obligation to which the personal information controller is subject;
d. The processing is necessary to protect vitally important interests of the data subject, including his or her life and health;
e. The processing of personal information is necessary to respond to national emergency or to comply with the requirements of public order and safety, as prescribed by law;
f. The processing of personal information is necessary for the fulfillment of the constitutional or statutory mandate of a public authority; or
g. The processing is necessary to pursue the legitimate interests of the personal information controller, or by a third party or parties to whom the data is disclosed, except where such interests are overridden by fundamental rights and freedoms of the data subject, which require protection under the Philippine Constitution. (IRR, Rule V)

Processing of personal information

1) Processing of personal information is allowed, unless prohibited by law. (IRR, Section 21[a], Rule V)

2) If processing of personal information is done digitally, it is usually done via an information and communications system. “Information and communications system” refers to a system for generating, sending, receiving, storing, or otherwise processing electronic data messages or electronic documents, and includes the computer system or other similar device by which data is recorded, transmitted, or stored, and any procedure related to the recording, transmission, or storage of electronic data, electronic message, or electronic document. (IRR, Section 3[i], Rule I)

3) To organize vast amounts of personal information, usually a filing system is implemented. “Filing system” refers to any set of information relating to natural or juridical persons to the extent that, although the information is not processed by equipment operating automatically in response to instructions given for that purpose, the set is structured, either by reference to individuals or by reference to criteria relating to individuals, in such a way that specific information relating to a particular individual is readily accessible. (IRR, Section 3[h], Rule I)

4) “Data processing systems” refers to the structure and procedure by which personal data is collected and further processed in an information and communications system or relevant filing system, including the purpose and intended output of the processing. (IRR, Section 3[e], Rule I)

Conditions

For processing of personal information to be lawful, any of the following conditions must be complied with:

1) Data subject consents;

2) To fulfill contractual obligations or take steps at the request of the data subject;

3) Compliance with a PIC’s legal obligation;

4) To protect vitally important interests of the data subject;

5) Necessary to respond to national emergency or to comply with public order and safety requirements;

6) Constitutional or statutory mandate of a public authority; or

7) Pursuit of legitimate interests of the PIC or by third parties. (IRR, Section 21, Rule V)

Figure 2. Conditions for lawful processing of personal data

Data subject consents

Processing of personal data is lawful if this condition is met:

• The data subject must have given his or her consent prior to the collection, or as soon as practicable and reasonable. (IRR, Section 21[a], Rule V)

Contractual obligations or take steps at data subject’s request

Processing of personal data is lawful if this condition is met:

• The processing involves the personal information of a data subject who is a party to a contractual agreement, in order to fulfill obligations under the contract or to take steps at the request of the data subject prior to entering the said agreement. (IRR, Section 21[b], Rule V)

Compliance with a PIC’s legal obligation

Processing of personal data is lawful if this condition is met:

• The processing is necessary for compliance with a legal obligation to which the personal information controller is subject. (IRR, Section 21[c], Rule V)

Vitally important interests of the data subject

Processing of personal data is lawful if this condition is met:

• The processing is necessary to protect vitally important interests of the data subject, including his or her life and health. (IRR, Section 21[d], Rule V)

National emergency, or public order and safety requirements

Processing of personal data is lawful if this condition is met:

• The processing of personal information is necessary to respond to national emergency or to comply with the requirements of public order and safety, as prescribed by law. (IRR, Section 21[e], Rule V)

Constitutional or statutory mandate

Processing of personal data is lawful if this condition is met:

• The processing of personal information is necessary for the fulfillment of the constitutional or statutory mandate of a public authority. (IRR, Section 21[f], Rule V)

Legitimate interests by PIC or third parties

Processing of personal data is lawful if this condition is met:

• The processing is necessary to pursue the legitimate interests of the personal information controller, or by a third party or parties to whom the data is disclosed, except where such interests are overridden by fundamental rights and freedoms of the data subject, which require protection under the Philippine Constitution. (IRR, Section 21[g], Rule V)

Processing of Sensitive Personal Information and Privileged Information

Section 22. Sensitive Personal Information and Privileged Information. The processing of sensitive personal and privileged information is prohibited, except in any of the following cases:
a. Consent is given by data subject, or by the parties to the exchange of privileged information, prior to the processing of the sensitive personal information or privileged information, which shall be undertaken pursuant to a declared, specified, and legitimate purpose;
b. The processing of the sensitive personal information or privileged information is provided for by existing laws and regulations: Provided, that said laws and regulations do not require the consent of the data subject for the processing, and guarantee the protection of personal data;
c. The processing is necessary to protect the life and health of the data subject or another person, and the data subject is not legally or physically able to express his or her consent prior to the processing;
d. The processing is necessary to achieve the lawful and noncommercial objectives of public organizations and their associations: Provided, that:
1. Processing is confined and related to the bona fide members of these organizations or their associations;
2. The sensitive personal information are not transferred to third parties; and
3. Consent of the data subject was obtained prior to processing;
e. The processing is necessary for the purpose of medical treatment: Provided, that it is carried out by a medical practitioner or a medical treatment institution, and an adequate level of protection of personal data is ensured; or
f. The processing concerns sensitive personal information or privileged information necessary for the protection of lawful rights and interests of natural or legal persons in court proceedings, or the establishment, exercise, or defense of legal claims, or when provided to government or public authority pursuant to a constitutional or statutory mandate. (IRR, Rule V)

“Privileged information” refers to any and all forms of data, which, under the Rules of Court and other pertinent laws constitute privileged communication. (IRR, Section 3[q], Rule I)

General prohibition; Exceptions

The processing of sensitive personal and privileged information is prohibited, except in any of the following cases:

1) Consent by data subject or by parties to exchange of privileged information;

2) Provided by law and regulations;

3) To protect the life and health of the data subject or another;

4) To achieve lawful and noncommercial objectives of public organizations and their associations;

5) Medical treatment;

6) Protection of lawful rights/interests or pursuant to constitutional or statutory mandate. (IRR, Section 22, Rule V)

Figure 3. Exceptions to Processing of Sensitive Personal Information and Privileged Information

Exceptions

Exception 1: Consent by data subject or by parties to exchange of privileged information

1) Processing of sensitive personal and privileged information is prohibited, except if:

• Consent is given by data subject, or by the parties to the exchange of privileged information, prior to the processing of the sensitive personal information or privileged information, which shall be undertaken pursuant to a declared, specified, and legitimate purpose. (IRR, Section 22[a], Rule V)

2) Consent should be an informed consent. Meaning, the data subject should have a complete and clear understanding of the declared, specified, and legitimate purpose of processing the sensitive personal and privileged information.

3) Consent should be given prior to the processing of the sensitive personal information or privileged information.

Exception 2: Provided for by law and regulations

1) Processing of sensitive personal and privileged information is prohibited, except if:

• The processing of the sensitive personal information or privileged information is provided for by existing laws and regulations: Provided, that said laws and regulations do not require the consent of the data subject for the processing, and guarantee the protection of personal data. (IRR, Section 22[b], Rule V)

2) The cited/applicable laws and/or regulations should be existing, i.e., still current or being enforced.

3) Notwithstanding any existing laws and regulations, there should not be any provision therein that requires the consent of the data subject prior to the processing. Meaning, if the law and/or regulations themselves require the consent of the data subject, then this exception will not apply, as consent will be required.

Exception 3: To protect the life and health of the data subject or another

1) Processing of sensitive personal and privileged information is prohibited, except if:

• The processing is necessary to protect the life and health of the data subject or another person, and the data subject is not legally or physically able to express his or her consent prior to the processing. (IRR, Section 22[c], Rule V)

2) This exception contemplates life-threatening situations such as a medical emergency for a patient to undergo surgery. If the patient is unable to express consent prior to the processing (i.e., preparation necessary for the surgery), then this exception will apply. The same applies if the data subject is the one who is required to give consent for another who requires surgery as in the case of a parent over a minor.

Exception 4: To achieve lawful and noncommercial objectives of public organizations and their associations

1) Processing of sensitive personal and privileged information is prohibited, except if:

• The processing is necessary to achieve the lawful and noncommercial objectives of public organizations and their associations: Provided, that:

a) Processing is confined and related to the bona fide members of these organizations or their associations;

b) The sensitive personal information are not transferred to third parties; and

c) Consent of the data subject was obtained prior to processing. (IRR, Section 22[d], Rule V)

2) Public organizations or associations refer to non-government organizations (NGOs) or non-profit organizations.

Exception 5: Medical treatment

1) Processing of sensitive personal and privileged information is prohibited, except if:

• The processing is necessary for the purpose of medical treatment, subject to the following conditions:

a) it is carried out by a medical practitioner or a medical treatment institution; and

b) an adequate level of protection of personal data is ensured. (IRR, Section 22[e], Rule V)

2) A medical solo practitioner is covered by this exception. Thus, this physician may process sensitive personal and privileged information. Notwithstanding, the doctor should observe an adequate level of protection of the personal data being collected. For example, if personal data is collected manually (i.e., on paper forms), these documents should be kept in a locked filing cabinet; if the personal data is collected electronically, the digital files should be kept protected by having security applications installed on the computer.

Exception 6: Protection of lawful rights/interests or pursuant to constitutional or statutory mandate

1) Processing of sensitive personal and privileged information is prohibited, except if:

• The processing concerns sensitive personal information or privileged information necessary for the protection of lawful rights and interests of natural or legal persons in court proceedings, or the establishment, exercise, or defense of legal claims, or when provided to government or public authority pursuant to a constitutional or statutory mandate. (IRR, Section 22[f], Rule V)

2) This exception contemplates situations involving the protection of one’s rights and interests, as well as a Government or public authority exercising its constitutional or statutory mandate. For example, in a legal proceeding, sensitive personal information and/or privileged information of both parties may have to be processed in order to prosecute or defend even if the other party does not consent to the disclosure of such sensitive personal information or privileged information. On the other hand, the court as a public authority has to process them in line with its constitutional and statutory mandate to adjudicate cases and controversies.

3) “Public authority” refers to any government entity created by the Constitution or law, and vested with law enforcement or regulatory authority and functions. (IRR, Section 3[r], Rule I)

Extension of Privileged Communication

Section 23. Extension of Privileged Communication. Personal information controllers may invoke the principle of privileged communication over privileged information that they lawfully control or process. Subject to existing laws and regulations, any evidence gathered from privileged information is inadmissible.
When the Commission inquires upon communication claimed to be privileged, the personal information controller concerned shall prove the nature of the communication in an executive session. Should the communication be determined as privileged, it shall be excluded from evidence, and the contents thereof shall not form part of the records of the case: Provided, that where the privileged communication itself is the subject of a breach, or a privacy concern or investigation, it may be disclosed to the Commission but only to the extent necessary for the purpose of investigation, without including the contents thereof in the records. (IRR, Rule V)

PIC invoking Privileged Communication

Personal information controllers may invoke the principle of privileged communication over privileged information that they lawfully control or process. (IRR, Paragraph 1, Section 23, Rule V)

Inadmissibility of evidence

Subject to existing laws and regulations, any evidence gathered from privileged information is inadmissible. (IRR, Paragraph 1, Section 23, Rule V)

Burden of proof: PIC

When the Commission [or the NPC] inquires upon communication claimed to be privileged, the personal information controller concerned shall prove the nature of the communication in an executive session. (IRR, Paragraph 2, Section 23, Rule V)

Exclusion of evidence; Exception

Should the communication be determined as privileged, it shall be excluded from evidence, and the contents thereof shall not form part of the records of the case: Provided, that where the privileged communication itself is the subject of a breach, or a privacy concern or investigation, it may be disclosed to the Commission [or the NPC] but only to the extent necessary for the purpose of investigation, without including the contents thereof in the records. (IRR, Paragraph 2, Section 23, Rule V)

Surveillance of Suspects and Interception of Recording of Communications

Section 24. Surveillance of Suspects and Interception of Recording of Communications. Section 7 of Republic Act No. 9372, otherwise known as the “Human Security Act of 2007”, is hereby amended to include the condition that the processing of personal data for the purpose of surveillance, interception, or recording of communications shall comply with the Data Privacy Act, including adherence to the principles of transparency, proportionality, and legitimate purpose. (IRR, Rule V)

REFERENCES

National Privacy Commission. (n.d.). Implementing Rules and Regulations of Republic Act No. 10173, also known as the “Data Privacy Act of 2012”. https://privacy.gov.ph/implementing-rules-regulations-data-privacy-act-2012/

National Privacy Commission. (n.d.). Powers & Functions. https://privacy.gov.ph/powers-functions/

Republic Act No. 10173. (2012). Data Privacy Act of 2012. https://privacy.gov.ph/data-privacy-act/