The Data Privacy Act of 2012 applies to any natural or juridical (relating to judicial proceedings and the administration of the law) persons involved in the processing of personal information. It also covers those who, although not found or established in the Philippines, use equipment located in the Philippines, or those who maintain an office, branch, or agency in the Philippines. 

Under Sec. 3(j) of the Data Privacy Act of 2012, “[p]rocessing refers to any operation or any set of operations performed upon personal information including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data.”

In other words, processing of personal information is any operation where personal information is involved. Whenever your information is, among other things, collected, modified, or used for some purpose, processing already takes place.

Under Sec. 3(k) of the Data Privacy Act of 2012, “privileged information refers to any and all forms of data which under the Rules of Court and other pertinent laws constitute privileged communication.” One such example would be any information given by a client to his lawyer. Such information would fall under attorney-client privilege and would, therefore, be considered privileged information.

Yes. While personal information refers to information that makes you readily identifiable, sensitive personal information, as defined in Sec. 3(l) of the Data Privacy Act of 2012, refers to personal information:

(1) About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;

(2) About an individual’s health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings;

(3) Issued by government agencies peculiar to an individual which includes, but not limited to, social security numbers, previous or cm-rent health records, licenses or its denials, suspension or revocation, and tax returns; and

(4) Specifically established by an executive order or an act of Congress to be kept classified.

Therefore, any information that can be categorized under any of the enumerated items are considered sensitive personal information.

The Data Privacy Act of 2012 explicitly states that its provisions are not applicable in the following cases:

(a) Information about any individual who is or was an officer or employee of a government institution that relates to the position or functions of the individual, including:

(1) The fact that the individual is or was an officer or employee of the government institution;

(2) The title, business address and office telephone number of the individual;

(3) The classification, salary range and responsibilities of the position held by the individual; and

(4) The name of the individual on a document prepared by the individual in the course of employment with the government;

(b) Information about an individual who is or was performing service under contract for a government institution that relates to the services performed, including the terms of the contract, and the name of the individual given in the course of the performance of those services;

(c) Information relating to any discretionary benefit of a financial nature such as the granting of a license or permit given by the government to an individual, including the name of the individual and the exact nature of the benefit;

(d) Personal information processed for journalistic, artistic, literary or research purposes;

(e) Information necessary in order to carry out the functions of public authority which includes the processing of personal data for the performance by the independent, central monetary authority and law enforcement and regulatory agencies of their constitutionally and statutorily mandated functions. Nothing in this Act shall be construed as to have amended or repealed Republic Act No. 1405, otherwise known as the Secrecy of Bank Deposits Act; Republic Act No. 6426, otherwise known as the Foreign Currency Deposit Act; and Republic Act No. 9510, otherwise known as the Credit Information System Act (CISA);

(f) Information necessary for banks and other financial institutions under the jurisdiction of the independent, central monetary authority or Bangko Sentral ng Pilipinas to comply with Republic Act No. 9510, and Republic Act No. 9160, as amended, otherwise known as the Anti-Money Laundering Act and other applicable laws; and

(g) Personal information originally collected from residents of foreign jurisdictions in accordance with the laws of those foreign jurisdictions, including any applicable data privacy laws, which is being processed in the Philippines.

Yes. Under the Implementing Rules and Regulations of the Data Privacy Act of 2012, all organizations are required to appoint a Data Protection Officer (“DPO”). The Data Protection Officer shall be accountable for ensuring compliance with the appropriate data protection laws and regulations. 

Yes. The Implementing Rules and Regulations of the Data Privacy Act speaks of an individual or individuals who shall perform the functions of a Data Protection Officer or a Compliance Officer. 

Section 13 of the Data Privacy Act of 2012 enumerates the cases where sensitive personal information and privileged information may be processed. These are the following:

(a) The data subject has given his or her consent, specific to the purpose prior to the processing, or in the case of privileged information, all parties to the exchange have given their consent prior to processing;

(b) The processing of the same is provided for by existing laws and regulations: Provided, That such regulatory enactments guarantee the protection of the sensitive personal information and the privileged information: Provided, further, That the consent of the data subjects are not required by law or regulation permitting the processing of the sensitive personal information or the privileged information;

(c) The processing is necessary to protect the life and health of the data subject or another person, and the data subject is not legally or physically able to express his or her consent prior to the processing;

(d) The processing is necessary to achieve the lawful and noncommercial objectives of public organizations and their associations: Provided, That such processing is only confined and related to the bona fide members of these organizations or their associations: Provided, further, That the sensitive personal information are not transferred to third parties: Provided, finally, That consent of the data subject was obtained prior to processing;

(e) The processing is necessary for purposes of medical treatment, is carried out by a medical practitioner or a medical treatment institution, and an adequate level of protection of personal information is ensured; or

(f) The processing concerns such personal information as is necessary for the protection of lawful rights and interests of natural or legal persons in court proceedings, or the establishment, exercise or defense of legal claims, or when provided to government or public authority.

Much like sensitive personal information, the processing of privileged information is prohibited by the law. 

Yes. The law treats both kinds of personal information differently. Personal information may be processed, provided that the requirements of the Data Privacy Act of 2012 are complied with. On the other hand, the processing of sensitive personal information is, in general, prohibited. The Data Privacy Act of 2012 provides the specific cases where processing of sensitive personal information is allowed.