Jeramhane's Blog

Technology and the Law Blog: Situational Gray Area of RA 10173 – Data Privacy Act of 2012

Posted on: May 7, 2014


To begin this, it is better for us to look back on the reason why the law was passed.

We are now in what many people call the “I.C.T. or I.T. generation”, where most, if not all, of the information you need or seek is just one click away, and communication is better and faster. Through this new technology, things are now easy for everybody, whether for individuals, government agencies or the private sector. We cannot deny that this innovation should be adopted by all, so that we are not left behind and can grow in many aspects.

As the Delta University in Nigeria described it:

“According to Anyakoha (1991), information technology is “the use of man made tools for the collection, generation, communication, recording, re-management and exploitation of information. It includes those applications and commodities, by which information is transferred, recorded, edited, stored, manipulated or disseminated”. Hawkridge (1983) described information technology as a revolution which has penetrated almost all fields of human activity, thus transforming economic and social life. UNDP (2001) asserts that even if sustainable economic growth facilitates the creation and diffusion of useful innovations, technology is not only the result of growth but can be used to support growth and development. xxx At the heart of technology lie two main or branches of technology: computing and telecommunication. The technologies covered are the computer system, Internet / electronic mail (e-mail), mobile phone, and fax machine.” 1


“Information and Communication Technologies (ICTs) are often associated with the most sophisticated and expensive computer-based technologies. But ICTs also encompass the more conventional technologies such as radio, television and telephone technology. While definitions of ICTs are varied, it might be useful to accept the definition provided by United Nations Development Programme (UNDP): ‘ICTs are basically information-handling tools- a varied set of goods, applications and services that are used to produce, store, process, distribute and exchange information. They include the ‘old’ ICTs of radio, television and telephone, and the ‘new’ ICTs of computers, satellite and wireless technology and the Internet.” 2

But because everything can now be obtained easily and immediately, an individual’s privacy with regard to his/her private information or details is being compromised: it can be accessed and made known to the public by being exposed to everyone, most especially to those persons who intend to seek out one’s information.

Just like my personal experience: I obtained a car loan from a well-known bank, the only bank I had a loan with. To my surprise, I started to receive calls and text messages relating to money, car, housing and other kinds of loans. At first, I was wondering where and from whom they got my mobile number. I don’t even have credit cards, for I don’t want the headache of paying monthly debt and the hassle of plenty of callers following up on payments due to them, because that’s what I used to see and hear from my friends and relatives, so I don’t have any. And then I realized that a loan is a sort of “SALE” business: once a salesperson obtains a target market, he/she will keep the information and will carry it to any company he/she will be employed with. Or, there’s a possibility that they are sharing the information with other departments within their company.

I’m sure that we have no issue in providing our personal information or details to a person or entity, most especially if it is necessary in order to facilitate what we want to obtain, such as licenses and the like. But what is unacceptable is that, upon giving such information, it is prone to be exposed to anyone by those we have entrusted it to.

This is a clear violation of our privacy, as it is exposed just for the sake of their personal gain. And such should be ended immediately for its unconstitutionality.


As guaranteed by the Constitution, our privacy should be respected. This is particularly stated in Section 3 (1) of Article III:

“The privacy of communication and correspondence shall be inviolable except upon lawful order of the court, or when public safety or order requires otherwise as prescribed by law.” 3

This became the foundation for passing and implementing this law. No one should disclose any information or details of anybody without their consent, even if the same has been given to them for a particular matter.


In connection with Section 3 (1) of Article III of the Constitution, the Act’s Declaration of Policy states:

“Section 2. Declaration of Policy. – It is the policy of the State to protect the fundamental human right of privacy, of communication while ensuring free flow of information to promote innovation and growth. The State recognizes the vital role of information and communications technology in nation-building and its inherent obligation to ensure that personal information in information and communications system in the government and in the private sector are secured and protected.”

Section 2 of the Data Privacy Act upholds the constitutional guarantee of our privacy in relation to our personal information and details: such cannot be exposed or disclosed by those entrusted with it except upon the consent of the data subject (as defined under Section 3 (c)).

The scope of its applicability is stated under Section 4:

“Section 4. Scope. – This Act applies to the processing of all types of personal information and to any natural or juridical person involved in personal information processing including those personal information controllers and processors who, although not found or established in the Philippines, use equipment that are located in the Philippines, or those who maintain an office, branch or agency in the Philippines subject to the immediately succeeding paragraph: Provided, That the requirements of Section 5 are complied with.

This Act does not apply to the following:

(a) Information about any individual who is or was an officer or employee of a government institution that relates to the position or functions of the individual, including:

(1) The fact that the individual is or was an officer or employee of the government institution;

(2) The title, business address and office telephone number of the individual;

(3) The classification, salary range and responsibilities of the position held by the individual; and

(4) The name of the individual on a document prepared by the individual in the course of employment with the government;

(b) Information about an individual who is or was performing service under contract for a government institution that relates to the services performed, including the terms of the contract, and the name of the individual given in the course of the performance of those services;

(c) Information relating to any discretionary benefit of a financial nature such as the granting of a license or permit given by the government to an individual, including the name of the individual and the exact nature of the benefit;

(d) Personal information processed for journalistic, artistic, literary or research purposes;

(e) Information necessary in order to carry out the functions of public authority which includes the processing of personal data for the performance by the independent, central monetary authority and law enforcement and regulatory agencies of their constitutionally and statutorily mandated functions. Nothing in this Act shall be construed as to have amended or repealed Republic Act No. 1405, otherwise known as the Secrecy of Bank Deposits Act; Republic Act No. 6426, otherwise known as the Foreign Currency Deposit Act; and Republic Act No. 9510, otherwise known as the Credit Information System Act (CISA);

(f) Information necessary for banks and other financial institutions under the jurisdiction of the independent, central monetary authority or Bangko Sentral ng Pilipinas to comply with Republic Act No. 9510, and Republic Act No. 9160, as amended, otherwise known as the Anti-Money Laundering Act and other applicable laws; and

(g) Personal information originally collected from residents of foreign jurisdictions in accordance with the laws of those foreign jurisdictions, including any applicable data privacy laws, which is being processed in the Philippines.”


Section 12. Criteria for Lawful Processing of Personal Information. – The processing of personal information shall be permitted only if not otherwise prohibited by law, and when at least one of the following conditions exists:

(a) The data subject has given his or her consent;

(b) The processing of personal information is necessary and is related to the fulfillment of a contract with the data subject or in order to take steps at the request of the data subject prior to entering into a contract;

(c) The processing is necessary for compliance with a legal obligation to which the personal information controller is subject;

(d) The processing is necessary to protect vitally important interests of the data subject, including life and health;

(e) The processing is necessary in order to respond to national emergency, to comply with the requirements of public order and safety, or to fulfill functions of public authority which necessarily includes the processing of personal data for the fulfillment of its mandate; or

(f) The processing is necessary for the purposes of the legitimate interests pursued by the personal information controller or by a third party or parties to whom the data is disclosed, except where such interests are overridden by fundamental rights and freedoms of the data subject which require protection under the Philippine Constitution.

  • What if the Data Subject consented only to particular information, not to the whole of the information provided: will the processing prosper?

Section 16. Rights of the Data Subject. – The data subject is entitled to:

(c) Reasonable access to, upon demand, the following:

(1) Contents of his or her personal information that were processed;

(2) Sources from which personal information were obtained;

(3) Names and addresses of recipients of the personal information;

(4) Manner by which such data were processed;

(5) Reasons for the disclosure of the personal information to recipients;

(6) Information on automated processes where the data will or likely to be made as the sole basis for any decision significantly affecting or will affect the data subject;

(7) Date when his or her personal information concerning the data subject were last accessed and modified; and

(8) The designation, or name or identity and address of the personal information


  • In the above-cited provision, as stated, these are some of the rights of the Data Subject, and I believe they are given mostly if the Data Subject is a natural person. Such persons are more or less unaware of this Act, and possibly have no idea what they are entitled to. Why not have the Personal Information Controller voluntarily inform the Data Subject instead of the latter demanding it? Just like Section 16 (b), under which the latter is furnished with information. Both are equally important.

Section 20. Security of Personal Information. 

(c) The determination of the appropriate level of security under this section must take into account the nature of the personal information to be protected, the risks represented by the processing, the size of the organization and complexity of its operations, current data privacy best practices and the cost of security implementation. Subject to guidelines as the Commission may issue from time to time, the measures implemented must include:

(1) Safeguards to protect its computer network against accidental, unlawful or unauthorized usage or interference with or hindering of their functioning or availability;

(2) A security policy with respect to the processing of personal information;

(3) A process for identifying and accessing reasonably foreseeable vulnerabilities in its computer networks, and for taking preventive, corrective and mitigating action against security incidents that can lead to a security breach; and

(4) Regular monitoring for security breaches and a process for taking preventive, corrective and mitigating action against security incidents that can lead to a security breach.

  • Upon a security breach, without knowing the culprit, will the Personal Information Controller be responsible for it? Let’s remember, disclosing the information of the Data Subject is considered a violation, only unintentional.
  • There’s no mention here of whether the Personal Information Controller must inform the Data Subject of such a breach.

Section 21. Principle of Accountability. – Each personal information controller is responsible for personal information under its control or custody, including information that have been transferred to a third party for processing, whether domestically or internationally, subject to cross-border arrangement and cooperation.

(a) The personal information controller is accountable for complying with the requirements of this Act and shall use contractual or other reasonable means to provide a comparable level of protection while the information are being processed by a third party.

(b) The personal information controller shall designate an individual or individuals who are accountable for the organization’s compliance with this Act. The identity of the individual(s) so designated shall be made known to any data subject upon request.

  • In the case of a juridical person that has plenty of departments / divisions with one Personal Information Controller, is transfer from one department to another with different duties allowed?

This is vital as this protects our right to privacy. I just hope that this will not be the same as the other laws that were passed and not fully implemented as to their purpose.


  3. Section 3 (1), Article III of the Philippine Constitution
