INTRODUCTION
With the world of technology, we can do almost everything at a fast pace.
Messages can be delivered in just one click, information can be easily
researched and accessed, and communication is just one click away on our
cellphones or computers. In short, advanced technology makes our lives a
whole lot easier.
With all this technology booming all over the world comes the
responsibility of protecting our right to privacy.
The right to privacy is a constitutional right provided under our 1987
Constitution, particularly in the Bill of Rights. It is pertinent under the
following provisions:
Section 1. No person shall be deprived of life,
liberty, or property without due process of law, nor shall any person be denied
equal protection of the laws;
Section 2. The right of the people to be secure in their persons, houses, papers, and
effects against unreasonable searches and seizures of whatever nature and for
any purpose shall be inviolable, and no search warrant or warrant of arrest
shall issue except upon probable cause to be determined personally by the judge
after examination under oath or affirmation of the complainant and the
witnesses he may produce, and particularly describing the place to be searched
and the persons or things to be seized.
Section 3. (1) The
privacy of communication and correspondence shall be inviolable except upon
lawful order of the court, or when public safety or order requires otherwise as
prescribed by law.
Section 6. The liberty
of abode and of changing the same within the limits prescribed by law shall not
be impaired except upon lawful order of the court. Neither shall the right to
travel be impaired except in the interest of national security, public safety,
or public health as may be provided by law.
Section 8. The right
of the people, including those employed in the public and private sectors, to
form unions, associations, or societies for purposes not contrary to law shall
not be abridged.
Section 17. No person
shall be compelled to be a witness against himself.
With the above provisions, our legislature aimed to protect the rights of the
people in terms of communication, association and information. With the
enactment of RA 10173, or the Data Privacy Act of 2012, the question arises
whether the Act can uphold the privacy of an individual’s personal information.
One of the issues is whether or not a person violates the law when he/she
gives the phone number of another person registered in his/her phone to a
third person.
OVERVIEW OF RA 10173
RA 10173, also known as the Data Privacy Act of 2012, is an act protecting
individual personal information and communications systems in the government
and the private sector, creating for this purpose a national privacy
commission and for other purposes.
The scope of the Act is provided under Section 4, which states that this Act applies
to the processing of all types of personal information and to any natural and
juridical person involved in personal information processing including those
personal information controllers and processors who, although not found or
established in the Philippines, use equipment that are located in the
Philippines, or those who maintain an office, branch or agency in the
Philippines subject to the immediately succeeding paragraph: Provided, That the
requirements of Section 5 are complied with.
This Act does not apply to the
following:
(a) Information about any
individual who is or was an officer or employee of a government institution
that relates to the position or functions of the individual, including:
(1) The fact that the individual
is or was an officer or employee of the government institution;
(2) The title, business address
and office telephone number of the individual;
(3) The classification, salary
range and responsibilities of the position held by the individual; and
(4) The name of the individual on
a document prepared by the individual in the course of employment with the
government;
(b) Information about an
individual who is or was performing service under contract for a government
institution that relates to the services performed, including the terms of the
contract, and the name of the individual given in the course of the performance
of those services;
(c) Information relating to any
discretionary benefit of a financial nature such as the granting of a license
or permit given by the government to an individual, including the name of the
individual and the exact nature of the benefit;
(d) Personal information
processed for journalistic, artistic, literary or research purposes;
(e) Information necessary in
order to carry out the functions of public authority which includes the
processing of personal data for the performance by the independent, central
monetary authority and law enforcement and regulatory agencies of their
constitutionally and statutorily mandated functions. Nothing in this Act shall
be construed as to have amended or repealed Republic Act No. 1405, otherwise
known as the Secrecy of Bank Deposits Act; Republic Act No. 6426, otherwise
known as the Foreign Currency Deposit Act; and Republic Act No. 9510, otherwise
known as the Credit Information System Act (CISA);
(f) Information necessary for
banks and other financial institutions under the jurisdiction of the
independent, central monetary authority or Bangko Sentral ng Pilipinas to
comply with Republic Act No. 9510, and Republic Act No. 9160, as amended,
otherwise known as the Anti-Money Laundering Act and other applicable laws; and
(g) Personal information
originally collected from residents of foreign jurisdictions in accordance with
the laws of those foreign jurisdictions, including any applicable data privacy
laws, which is being processed in the Philippines.
SEC. 3. Definition of Terms. – Whenever used in this Act, the following terms shall
have the respective meanings hereafter set forth:
(a) Commission shall refer to the
National Privacy Commission created by virtue of this Act.
(b) Consent of the data subject
refers to any freely given, specific, informed indication of will, whereby the
data subject agrees to the collection and processing of personal information
about and/or relating to him or her. Consent shall be evidenced by written,
electronic or recorded means. It may also be given on behalf of the data
subject by an agent specifically authorized by the data subject to do so.
(c) Data subject refers to an
individual whose personal information is processed.
(d) Direct marketing refers to
communication by whatever means of any advertising or marketing material which
is directed to particular individuals.
(e) Filing system refers to any
act of information relating to natural or juridical persons to the extent that,
although the information is not processed by equipment operating automatically
in response to instructions given for that purpose, the set is structured, either
by reference to individuals or by reference to criteria relating to
individuals, in such a way that specific information relating to a particular
person is readily accessible.
(f) Information and
Communications System refers to a system for generating, sending, receiving,
storing or otherwise processing electronic data messages or electronic
documents and includes the computer system or other similar device by or which
data is recorded, transmitted or stored and any procedure related to the
recording, transmission or storage of electronic data, electronic message, or
electronic document.
(g) Personal information refers
to any information whether recorded in a material form or not, from which the
identity of an individual is apparent or can be reasonably and directly
ascertained by the entity holding the information, or when put together with
other information would directly and certainly identify an individual.
(h) Personal information
controller refers to a person or organization who controls the collection,
holding, processing or use of personal information, including a person or
organization who instructs another person or organization to collect, hold,
process, use, transfer or disclose personal information on his or her behalf.
The term excludes:
(1) A person or organization who
performs such functions as instructed by another person or organization; and
(2) An individual who collects,
holds, processes or uses personal information in connection with the
individual’s personal, family or household affairs.
(i) Personal information
processor refers to any natural or juridical person qualified to act as such
under this Act to whom a personal information controller may outsource the
processing of personal data pertaining to a data subject.
(j) Processing refers to any
operation or any set of operations performed upon personal information
including, but not limited to, the collection, recording, organization,
storage, updating or modification, retrieval, consultation, use, consolidation,
blocking, erasure or destruction of data.
(k) Privileged information refers
to any and all forms of data which under the Rules of Court and other pertinent
laws constitute privileged communication.
(l) Sensitive personal
information refers to personal information:
(1) About an individual’s race,
ethnic origin, marital status, age, color, and religious, philosophical or
political affiliations;
(2) About an individual’s health,
education, genetic or sexual life of a person, or to any proceeding for any
offense committed or alleged to have been committed by such person, the
disposal of such proceedings, or the sentence of any court in such proceedings;
(3) Issued by government agencies
peculiar to an individual which includes, but not limited to, social security
numbers, previous or current health records, licenses or its denials,
suspension or revocation, and tax returns; and
(4) Specifically established by
an executive order or an act of Congress to be kept classified.
Chapter 5 provides for the Security of Personal Information. The personal information
controller must implement reasonable and appropriate organizational, physical
and technical measures intended for the protection of personal information
against any accidental or unlawful destruction, alteration and disclosure, as
well as against any other unlawful processing.
(b) The personal information
controller shall implement reasonable and appropriate measures to protect
personal information against natural dangers such as accidental loss or
destruction, and human dangers such as unlawful access, fraudulent misuse,
unlawful destruction, alteration and contamination.
(c) The determination of the
appropriate level of security under this section must take into account the
nature of the personal information to be protected, the risks represented by
the processing, the size of the organization and complexity of its operations,
current data privacy best practices and the cost of security implementation.
Subject to guidelines as the Commission may issue from time to time, the measures
implemented must include:
(1) Safeguards to protect its
computer network against accidental, unlawful or unauthorized usage or
interference with or hindering of their functioning or availability;
(2) A security policy with
respect to the processing of personal information;
(3) A process for identifying and
accessing reasonably foreseeable vulnerabilities in its computer networks, and
for taking preventive, corrective and mitigating action against security
incidents that can lead to a security breach; and
(4) Regular monitoring for
security breaches and a process for taking preventive, corrective and
mitigating action against security incidents that can lead to a security
breach.
(d) The personal information
controller must further ensure that third parties processing personal
information on its behalf shall implement the security measures required by
this provision.
(e) The employees, agents or
representatives of a personal information controller who are involved in the
processing of personal information shall operate and hold personal information
under strict confidentiality if the personal information are not intended for
public disclosure. This obligation shall continue even after leaving the public
service, transfer to another position or upon termination of employment or
contractual relations.
(f) The personal information
controller shall promptly notify the Commission and affected data subjects when
sensitive personal information or other information that may, under the
circumstances, be used to enable identity fraud are reasonably believed to have
been acquired by an unauthorized person, and the personal information
controller or the Commission believes that such unauthorized acquisition is
likely to give rise to a real risk of serious harm to any affected data
subject. The notification shall at least describe the nature of the breach, the
sensitive personal information possibly involved, and the measures taken by the
entity to address the breach. Notification may be delayed only to the extent
necessary to determine the scope of the breach, to prevent further disclosures,
or to restore reasonable integrity to the information and communications
system.
(1) In evaluating if notification
is unwarranted, the Commission may take into account compliance by the personal
information controller with this section and existence of good faith in the
acquisition of personal information.
(2) The Commission may exempt a
personal information controller from notification where, in its reasonable
judgment, such notification would not be in the public interest or in the
interests of the affected data subjects.
(3) The Commission may authorize
postponement of notification where it may hinder the progress of a criminal
investigation related to a serious breach.
CONCLUSION
According to the above definitions, it can be concluded that a person who
gives the number of another person to a third person is not covered by
RA 10173. First, a data controller as defined by the law refers to a person
or organization who controls the collection, holding, processing or use of
personal information, including a person or organization who instructs
another person or organization to collect, hold, process, use, transfer or
disclose personal information on his or her behalf. Therefore, the person who
discloses the number is not considered a data controller under the definition
in the law. Second, the act of disclosing the number of another person cannot
be considered data processing. Processing as defined by the law refers to any
operation or any set of operations performed upon personal information
including, but not limited to, the collection, recording, organization,
storage, updating or modification, retrieval, consultation, use,
consolidation, blocking, erasure or destruction of data.
Hence, the situation under consideration is not violative of RA 10173. It
would seem that there is no remedy but to enact another law that would cover
such an issue.