by: Paul Santos
General Manager for AMTI Ascend
We live in a country of heavy social media users – 42.1 million on Facebook, 13 million on Twitter, and 3.5 million on LinkedIn as of April 2017 – with total IT spending of USD 4.4 billion in 2016, which is expected to more than double by 2020 (Source: Export.gov). This continuous rise of digitization heightens the need to secure the data that comes along with it. In order for our government to regulate how organizations collect, use, disclose, store, and dispose of these data, all businesses are now mandated to comply with the Data Privacy Act of 2012. This law ensures the entire country’s compliance with international standards for data protection, making us equipped to compete in global markets.
A comprehensive and strict legislation aiming “to protect the fundamental human right of privacy, of communication while ensuring free flow of information to promote innovation and growth”, the Data Privacy Act of 2012 (DPA) generally applies to individuals and legal entities that process personal information, or any piece of information that can identify a particular individual, with some exceptions.
Businesses’ Roadmap to Compliance
Section 46 of the Implementing Rules and Regulations (IRR) outlines the actions to ensure that data controllers – for this particular write-up, we can stick with ‘private businesses’ – comply with their obligations under the law. While compliance may be easy for established businesses, and especially for technology solutions providers like AMTI (as a more secure and more resilient Philippine ICT sector is one of our primary advocacies), businesses with a low level of privacy-consciousness may find themselves burdened with many elements to assess and questions to answer. The most fundamental of these are ‘What do we do?’ and ‘Where do we begin?’, and without answers to them a business is unable to take the first step towards compliance.
In our attempt to make compliance easier for businesses, we were able to narrow down the initiation process to the following steps:
- A personal information life cycle, covering the IT infrastructure, current management policies, the extent of the data reviewed, and the proposed security measures, should be drawn up;
- A data privacy roadmap should be built on a proper assessment of the risks; and,
- A full and consistent implementation should follow, with periodic review and revision of the relevant policies and programs.
Better Control over Personal Information
The IRR states that the data subject has the right to object or withhold consent to the processing of their personal information for direct marketing, automated processing, or profiling by the collector. Take the case of medical records as an example. The standard practice in hospitals used to involve automatic profiling of the patient’s records after a check-up or other medical procedure. With the DPA in place, the patient may now request that their medical files be removed at any time.
However, some may find it confusing that this right is expressly limited by the fact that continued publication may be justified by constitutional rights to freedom of speech, expression, and other rights. So how will we really know which information should be made accessible at all times?
To resolve this, let us review the definitions of ‘personal information’ and ‘sensitive personal information’ as per the IRR. Summarizing Section 3(l), personal information is any information which can be linked to your identity, thus making you readily identifiable.
On the other hand, sensitive personal information as defined in Section 3(t) refers to personal information:
- About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical, or political affiliations;
- About an individual’s health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings;
- Issued by government agencies peculiar to an individual which includes, but not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns; and
- Specifically established by an executive order or an act of Congress to be kept classified.
Therefore, the given example on medical records falls under ‘sensitive personal information’, wherein continued publication may only be justified with the consent of the data subject.
How Does the DPA Coincide with the FOI?
While one of the primary reasons for the implementation of the Data Privacy Act is to strengthen an individual’s right to privacy, it also seeks to balance this right and the need for accessible information in nation building. This balance is especially important in light of the recently signed Freedom of Information Executive Order (FOI-EO).
Pursuant to the EO, all government agencies are encouraged to engage in proactive disclosure to increase transparency and accountability. Taking the DPA into consideration, such disclosure should take into account the rights of data subjects as stipulated in the act and the IRR. To make the process easier, agencies are encouraged to publish an accessible directory of information stating what they will publish, how often it will be published, and when it will be published.
In an era of data sharing, the need to assure individuals that their personal information will not be compromised is more crucial than ever. If you find your business still unable to go about the compliance process, give us a call and we’ll be more than happy to discuss it further with you.
Paul has over 15 years of executive management and leadership experience, specializing in strategic planning, business transformation, and business development. He has held key roles in business transformation, sales management, business development, and strategic planning in the BPO, IT, Mobile, and Consumer Electronics industries.