In this digital age, the value of data is increasing exponentially. Digital information is everywhere. It is generated, collected, analysed, stored, shared and sold for personal, business and political use. With such rapid growth, strong data protection rules must be in place to maintain privacy and prevent abuse in the disclosure of personal information. Recent events have also shown a steady surge of data breaches which further highlight the importance of data protection.
The Philippines followed suit in this global trend towards greater data privacy regulation with the enactment of the Data Privacy Act of 2012. It is broadly applicable to any natural and juridical person involved in the processing of personal information, with some exceptions. It has extraterritorial application covering those who, although not found or established in the Philippines, use equipment located in the Philippines or those who maintain an office, branch or agency in the Philippines. The law established the National Privacy Commission, which is the agency tasked to ensure compliance of the country with international standards for data protection, the procedures to be followed in the collection, processing and handling of personal information, and separate penalties for various violations.
To give more meaning to the law, the implementing rules and regulations (IRR), as well as other relevant components, were issued to impose the following obligations (among others) on relevant entities: (a) the registration at the National Privacy Commission of all personal data processing systems operating in the Philippines that involve the processing of the personal information of at least 1,000 individuals. Controllers or processors that employ fewer than 250 people are exempt from the registration requirement, subject to certain conditions; (b) the notification of security incidents and/or personal data breaches; and (c) the designation of a data protection officer, who is accountable for ensuring compliance with laws and rules relating to privacy and data protection by entities covered by the law. Entities were given a period of one year from the effective date of the IRR, in other words, until September 9 2017, to register and comply with the requirements of the law.
The Data Privacy Act is the Philippines' response to the need to strengthen its privacy and security protection, as a result of the ever-growing digital economy. Although still relatively new, it is a first and crucial step towards greater protection and control over personal information.
|Franchette M |
|Fritzzie Lyn F |