"Is
the act of a person, A, disclosing the mobile number of B, to a third person,
without B's consent, considered a violation of RA 10173?"
An affirmative answer would be too
harsh. On the other hand, a negative answer would be too lame, hence, my stand
to this query is that it is not necessarily so.
To consider or not to consider the acts of A, in
disclosing the mobile number of B to a third person without B's consent, as a
violation of RA 10173, otherwise known as the Data Privacy Act of 2012, a
couple of things are needed to be answered.
To start with, what is the character of A in the case? Is A's character contemplated under the
definition of a Personal Information Controller? Does A fall under one of those
excluded by the provision? Is the process of obtaining B's mobile number
lawful? Is the mobile number of B considered as a Personal Information in
accordance with the definition given by the law? Is A, in a situation where A
is allowed to disclose B's mobile phone number even without B's consent? What is consent? May it be presumed? Is consent a condition sine qua non for one
to disclose one's mobile number lawfully?
These are the vital questions that are needed to be clarified before rendering
an answer to the question at bar. The
answers lie in the appreciation of the provisions of the RA 10173, its
interpretation, and it's intent.
Therefore, one must not only consider the provisions of the law, but the
spirit or intent of the law as well. The
intent and the spirit of the law are based upon the reasons of it's enactment,
and while the purpose of the law is embedded within the law, the reasons behind
it's enactment is imperceptible on its face.
In deciding whether the act of A is a violation or not of the RA 10173,
one must defer not to "the letter that killeth" but to "the
spirit that vivifieth," to give effect to the law maker's will. However, in the appreciation of the law it
must also be remembered that when the law is clear there is no room for
interpretation or construction.
The purpose of the statute is
declared in Section 2 of the Act which is to protect the fundamental human
right of privacy, of communication while ensuring free flow of information to
promote innovation and growth.[1]
Question is, why did the legislative find it essential to protect the human
right of privacy vis a vis the guarantee of free flow of information? Is there a threat to it?
Confidentiality, discretion, secrecy, concealment, disclosure, solitude, seclusion, whatever name you call it, Privacy is essentially becoming progressively vital for citizens in a society, where one's data and practically an individual's whole fact of existence can effortlessly be retrieved by another party with a push of a button. With the advent of "gizmos", a person's continuity in this world can be compacted in a single gadget and by reason of this, such person's private life would be compromised due to the threat of one's personal information being exposed to the world. Without the parameters to control the dissemination of the information of a person, the right of a person to relish his own private life without intrusions would be despoiled. Possible interferences in private life have been the focus of a lot of enactments, rules, laws, regulations, etc., not only here in the Philippines but around the world. To name a few, in 1945, the United Nations created the Universal Declaration of Human Rights which speaks of the right to be protected from interferences with one's privacy, home, and communication.[2] It even created the Guidelines for the Regulation of Computerized Personal Data Files[3] in 1990, to keep up with the expansion of technology. In 1995, the Brussels-based European Union (EU) passed a comprehensive data privacy law called the “European Union Directive on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data.[4] The Organization for Economic Control and Development created the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data in which the Philippines is one of the members. The United Nations' Guidelines for the Regulation of Computerized Personal Data Files; the European Union Directive on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data; and the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data principally highlighted the security of personal information in a different setting, which is in a technology driven world.[5] On this note, the right to privacy of an individual escalated to a different concept wherein it came to mean the right to decide, and the right of control upon his own information. As a member-country we have established a legal, administrative or other procedures or institutions for the protection of privacy and individual liberties in respect of personal data. And RA 10173 or the Data Privacy Act of 2012 was born.
The Data
Privacy Act of 2012 aims to protect an individual's private information. The
scope encompasses "all types of processing of private information" [6]
save for some specific exceptions which are enumerated in Section 4.[7] What is within the meaning of private
information for such to be in accordance with the definition of Personal
Information? How is it different from a Privileged Information and
Sensitive Personal Information?[8] Does
it include the color of one's car? The school where one graduated? Professional
License number? User's name? Name of his pet? From the definition of the Act,[9]
personal information pertains to any information that would identify a specific
person or when associated with another information would readily characterize
an individual. Note that the law said
"any" information. The
reckoning point, however, is the identity of the individual to be readily
recognized given the specific information even though such information is
insignificant to another. Thus, what the
law is protecting is not the information itself but, the individual who can be
readily identified and associated with the information. Privileged Personal
Information includes those information considered by laws, statutes, or rules
to be confidential, restricted, or controlled, while Sensitive Personal
Information include those enumerated in the Act.
Remember
the times when a person needed coins to get in touch with another person
through a telephone? Or the times when
one can listen to a conversation on a party line? And those days when a phone number is
identified not with a single person exclusively but with a household? The days when it seems so impossible to bring
a telephone wherever you go, but you still wish for it to come true? Those were the days. Today, advanced technology has conquered the
world and even created another world. One of those advances that made yesterday
so remote is the creation of the cellular or mobile phone. Fast, easy, wireless, accessible, innovative,
modern, future,…mobile phones became a necessity and with the introduction of a
more sophisticated gadgets, where such can be a cell phone, a clock, a
calculator, a computer, a radio, a television, a recorder, a camera, etc., a
cell phone, to many, has been converted into something indispensable specially
in a country which was once tagged as the ''text capital of the
world". Consequently, cellphone
numbers have been used and abused.
Cellphones have become instruments in marketing, business transactions,
advertising, learning, reporting, compromise, illicit affairs, bullying, and
crimes. Whether or not a mobile phone
number would fall under the definition of "Personal Information", we
must qualify. Here in our country, cell
phone numbers are not regulated, one can easily change his or her mobile phone
number in an instant. Almost every
corner of the streets here in the metropolis or even in progressively growing
cities in the provinces have "sari-sari stores" where an
individual regardless of age, sex, or race can buy a SIM or a Subscriber
Identity Module card or Subscriber
Identification Module. Although SIM
cards can securely store the international
mobile subscriber identity (IMSI) and the related key
used to identify and authenticate subscribers on mobile telephony
devices (such as mobile phones and computers) or
the network-specific information used to authenticate and identify subscribers
on the network such Authentication Key, Local Area Identity (LAI) and
Operator-Specific Emergency Number as well as other carrier-specific data such
as the SMSC (Short Message Service Center) number, Service Provider Name (SPN),
Service Dialing Numbers (SDN)[10],
unfortunately, here in the Philippines
it is not always, that a person can be identified by his or her mobile phone
number. If the SIM card or the person's
subscription is a "prepaid" one, it would be arduous to identify the
subscriber, hence, such information may not fall under the definition of
"Personal Information". Say,
for example, a person collected 100 SIM card numbers to be distributed in the
city of Makati. Upon knowing that all
the SIM cards were already purchased, he disclosed all the numbers to an
advertiser, who after sometime, began sending advertisements in the form of
text messages to all the cellphone numbers that he collected. The situation does not fall within the ambit
of RA 10173, since the information gathered did not identify the persons
holding the cell phone numbers. Mobile
numbers of prepaid subscribers may not fall under the definition of Personal
Information, if the identity of the individual does not establish or determine
the identity of the person who owns the mobile number. Nevertheless, prepaid numbers may still be
regarded as a Personal Information defined in the law, if such mobile number
can readily be identified with the owner. The case is different if the SIM card
or the subscription is a "postpaid" one. In "postpaid" subscriptions, the
identity of the subscriber is known, hence, the cellular phone number of a
"postpaid" subscriber is a Personal Information within the sphere of
the definition under RA 10173. In view
of the foregoing, if the service provider of a "postpaid" subscriber
discloses the subscriber's cell phone number without the subscriber's consent,
to a third person, the statute is violated.
In the light of these, the mobile number of B, in the case at hand,
falls under the Personal Information defined in the law, since B can be readily
identified with his mobile phone number, assuming that the third person
specifically asked for B's mobile phone number.
What is
"processing" as defined by the statute? [11]Processing
is any operation performed upon the private information of the Data
Subject. It is the act of collecting,
storing, disseminating, disclosing, or any act or operation carried out upon
the private information. The disclosing
of B's mobile number to a third person by A is an act of processing within the
meaning of the statute.
Now,
within the provisions of the statute are definitions of the different
characters that are within the scope of the law. There's the Personal Information Controller
and Data subject.[12] A Personal Information Controller is the
person entrusted with the private information and they are the ones who
control, collect, hold, and process or use the information, except if such
person is performing the process under the instruction of another party or if
such individual performs such process in connection with the individual's
personal, family or household affairs. The
Data Subject, on the other hand, is the person who owns the information which
is being processed. In the case at bar
A may or may not be assumed to be the Personal Information Controller, who
holds the mobile number of B, while B is the Data Subject, who owns the mobile
number, which may or may not be considered as the Personal Information. Hence, if A gave the mobile number of B,
assuming that A is the one who has the control, and the one who collected,
held, processed or used the mobile number of B and disclosed such to a third
person, without the consent of B, A is not considered as a Personal Information
Controller if A is performing the process under the instruction of another
party or if A did such act in connection with the individual's personal,
family, or household affairs because such qualifications fall under the
description of those who would not be considered as a Personal Information
Controller.[13] For example, let us suppose that the third
person is the niece of A, C, who for the first time after a long time, saw her
aunt, A, in the mall, and in the course of their casual conversation C asked
for B's mobile number who is the daughter of A, hence C's cousin. If A gives B's mobile number to C without B's
consent, there was no law being violated for such disclosure of A of B's mobile
number is in connection with A's family affairs, because A is not considered
here as a Personal Information Controller within the purview of its definition
given by the statute. On the other hand
A will be considered as the Personal
Information Controller, if A is not one of those excluded by the statute, who gave
B's mobile number to a third person, without B's consent.
Another
situation which will render a negative reply to the question above, is that, if
B, the Data Subject, is an
officer or employee of a government institution and that his cell phone number
relates to the position or functions of the individual, and if his or her
mobile number is disclosed to another person, in relation to his or her
official function, the said setting is one of those instances where the Act
does not apply. Like for example if B is
an officer of PAG ASA who may be reached through his cell phone anytime of the
day by radio or television broadcasters or other government and nongovernment
entities concerned with the weather update
whenever the need arises. A is B's secretary while the third person is
a news reporter. The mobile number of B
has been provided by the government to him in relation with his official
function as an officer of PAGASA. The
act of disclosing the mobile number of B by A to the news reporter for the
purpose of gathering news in relation to the weather is one of those situations
where RA 10173 does not apply.[14]
If the
parties, such as the Personal Information Controller falls within the scope of
the statute and the Data Subject did not give his or her consent to the
Processing of his or her Personal Information, the act of the Personal
Information Controller would still be lawful if the acts are consistent with at
least one of the Criteria for Lawful Processing of Personal Information.[15] For example, in the case at bar, if the third
person, C, is a medical health practitioner, who happened to forget to relate
to B, a very important warning regarding the medicine that B is about to take,
and it happened that A knows the mobile phone number of B. C without wanting to
reveal to A the reason of C's interest on B's cell phone number, because of a
privilege information within the scope of doctor-patient relationship, asked A
for B's number. Due to the alleged
urgency of the situation A disclosed to C, B's number without B's consent. There was no law violated because the
circumstances of the situation are within the range of a lawful process, since
such event is one of the Criteria for Lawful Processing of Personal Information
wherein "the processing is necessary to protect vitally important interests
of the data subject, including life and health". Or, like in the case in the previous
paragraph, in an event where a natural calamity is about to occur and C, a
famous radio announcer, needed to announce to the public of such calamity thru
his program, and A as B's secretary disclosed B's number to C, without B's
consent. The act of A is a "processing
which is necessary in order to respond to national emergency, to comply with
the requirements of public order and safety". Contemplating on these situations, it must be
stressed that the absence of consent of the Data Subject in the processing of
his or her personal information is not a condition sine qua non for the
Personal Information Controller to violate RA 10173. There are a lot of situations wherein the
consent of the Data Subject may not be sought for.
Consent must not be presumed in
situations where the consent of the Data Subject is needed to convict the
person who violated the provisions of RA 10173.
The law explicitly provides that the consent shall be evidenced by
written, electronic or recorded means. It may also be given on behalf of the
data subject by an agent specifically authorized by the data subject to do so.[16] In statutory construction, the use of the
word "shall" is mandatory and hence must be strictly complied
with. Therefore, there must be a
positive, tangible proof that consent was given. If such consent is given
orally, it must be recorded. An example
could be a recorded telephone conversation wherein consent was given. It is imperative that the Data Subject had
been informed of all the facts upon which he or she is consenting to before the
consent is given.[17] It is the individual or the Data Subject that
is the owner of the information, wherefore, supreme
right and control over decisions regarding collecting and usage or processing
of personal information should be vested upon the Data Subject himself or
herself, hence consent is essential in most cases. Such right and control must not be bestowed
in either the government, institutions, persons who collect personal
information or even the National Privacy Commission, who merely monitor the
processing of personal information in all forms and media of communication and ensure compliance of the law.
Is it necessary to consider the
intent of the Personal Information Controller in processing the information, such
as disclosing Personal Information to a third party without the Data Subject's
consent, assuming that the situation is not one of those excluded by the
statute? Answering in the negative, the
law provides that it is the unauthorized disclosure or the absence of the
consent of the Data Subject that is penalized by the law. Section 32 of RA 10173[18] did
not require for the intent of the Personal Information Controller to be an
element of the crime, and since the statute is a mala prohibita, intent is not
necessary. Take for example, in the case at bar, say, B gave his roaming mobile
phone number to A before going in a foreign country, with the intent of B to be
notified by A in case of any emergency. Thereafter without any malice or bad
faith, A disclosed B's roaming mobile phone number to C, a third party, without
B's consent. C made so many missed calls to B.
When B came home, B was charged exorbitantly by the service provider
because of the number of missed calls B received while B was in a foreign
country. Here, in this example, A
violated the provisions of RA 10173 even if there was no malice or bad faith on
the part of A. If only A implored B's
consent first before disclosing B's
number to C, B could not have incurred such expenses. However, in another
scenario, under Section 31 of RA 10173, if there is a disclosure of a false or
unwarranted information relative to the Personal Information of the Data
Subject, malice or bad faith is wanting to convict the Personal Information
Controller under this section.[19]
Is it necessary that the unlawful
process made by the Personal Information Controller resulted damages suffered
by the Data Subject? The law did not
provide that damages must be incurred for the perpetrator to be convicted. The fact, that the unlawful process made by
the Personal Information Controller poses threat upon the privacy of the
individual on the possibility of exposure is enough. One need not wait for the damage to be done. To illustrate, if A, a service provider without
malice or bad faith disclosed B's phone number to C, an advertiser who pools
cell numbers and post them in the internet for the public, without B's
consent. The exposure of the identity of
B, even without incurring any damages yet, poses a great threat of interference
from other persons or entity thereby piercing the sanctity of B's privacy in
the future, is enough for one to assail that the offender had violated the law.
In summary, A may only be deemed to
have violated the provisions of RA 10173 if :
(1) A is considered as a Personal Information Controller defined under
the law, except if A is a person or organization who performs such functions as
instructed by another person or organization; and if A
is an individual who collects, holds, processes or uses personal information in
connection with the individual’s personal, family or household affairs. If A is one of the exceptions, then A did not
violate RA 10173.;
(2) B's mobile phone number is
considered as a Personal Information which readily identified B, except if B
and the mobile number are not one of those exemptions enumerated under Section
4 of RA 10173; (3) the disclosure of B's mobile number by A to the third party is
unlawful, which means that the disclosure is not one of those Criteria for Lawful Processing of
Personal Information contemplated by Section 14 of RA 10173;
(4) the consent must be wanting for the disclosure and not one of those
instances where consent is not wanting under Section 4 of RA 10173. Intent of A
or the third person, nor the existence or nonexistence of damages incurred by B
should not be considered.
I
therefore conclude, that the act of A in disclosing the mobile number of B to a
third person without B's consent, should not be inferred as a violation of RA
10173 or the Data Privacy Act of 2012 instantly. The law qualified the persons, the
information, the process, and the circumstances
for which the law should
apply. Not all disclosures of Personal
Information are violations of the statute and not all information are
included. There are times when
arbitrariness results when a particular provision is applied in a particular
case because of its uniqueness. The
circumstances surrounding the facts of each case must be contemplated for the
reason that each context gives different scenarios ensuing different
consequences.
Given
the infantile existence of the Act, the law must be examined basing on the
results, by its meaning, and by its purpose.
It is a fundamental
rule that, in pursuing the meaning of the law, the paramount priority is to render justice, thus the statute must be construed
and applied in harmony with justice. There must be stability between the language
of the law and the intent of the legislative so that justice may prevail
as the law is followed. In interpreting the law, Section 38[20]
of RA 10173 provides that in case there are ambiguities in its provisions, the
law must be construed liberally in favor of the rights and interests of the
Data Subject, who owns the information.
Wherefore in the case at bar, whether or not A is guilty of violating RA
10173, in the end, generally speaking, it is still the rights and interests of
B which were compromised. So take hold
of your personal information and be warned of the lurking world astute to
imperil your existence, unexpectedly unmasking your identity, and swiftly
interfering with your solitude. Likewise, take caution in divulging other
individual's information to others without such individual's consent, lest, you
might unknowingly become an instrument of intrusion, whether unintentionally or
not, to the detriment of the Data Subject turning out to be a hapless victim of
the prowling intruders.
[1] RA 10173 Section 2. Declaration
of Policy. – It is the policy of the State to protect the fundamental human
right of privacy, of communication while ensuring free flow of information to
promote innovation and growth. The State recognizes the vital role of
information and communications technology in nation-building and its inherent
obligation to ensure that personal information in information and
communications systems in the government and in the private sector are secured
and protected.
[2] Universal
Declaration of Human Rights Article 12 No one shall be subjected to arbitrary
interference with his privacy, family, home or correspondence, nor to attack
upon his honor and reputation. Everyone has the right to the protection of the
law against such interference or attacks.
Guidelines
for the regulation of computerized personal data files
The
General Assembly,Recalling its resolution 44/132 of 15 December 1989
[4] EU Directive
95/46/EC of the European Parliament and the Council of 24 1.
October 1995 on the Protection of Individuals with Regard to the
Processing of Personal Data and the Free Movement of Such Data, 1995 O.J. L 281
[hereinafter “Directive”].
[5]OECD Guidelines
on the Protection of Privacy and Transborder Flows of Personal Data: the
guidelines play a major role in assisting governments, business and consumer
representatives in their efforts to protect privacy and personal data, and in
obviating unnecessary restrictions to transborder data flows, both on and off
line.
[6] RA 10173 Section
4. Scope. – This Act applies to the processing of all types of
personal information and to any natural and juridical person involved in
personal information processing including those personal information
controllers and processors who, although not found or established in the
Philippines, use equipment that are located in the Philippines, or those who
maintain an office, branch or agency in the Philippines subject to the
immediately succeeding paragraph: Provided, That the requirements of
Section 5 are complied with.
[7]
RA 10173 Section 4…This Act does not apply to the following:
(a) Information about
any individual who is or was an officer or employee of a government institution
that relates to the position or functions of the individual, including:
(1) The fact that the
individual is or was an officer or employee of the government institution;
(2) The title, business
address and office telephone number of the individual;
(3) The classification,
salary range and responsibilities of the position held by the individual; and
(4) The name of the
individual on a document prepared by the individual in the course of employment
with the government;
(b) Information about
an individual who is or was performing service under contract for a government
institution that relates to the services performed, including the terms of the
contract, and the name of the individual given in the course of the performance
of those services;
(c) Information
relating to any discretionary benefit of a financial nature such as the
granting of a license or permit given by the government to an individual,
including the name of the individual and the exact nature of the benefit;
(d) Personal
information processed for journalistic, artistic, literary or research
purposes;
(e) Information
necessary in order to carry out the functions of public authority which
includes the processing of personal data for the performance by the
independent, central monetary authority and law enforcement and regulatory
agencies of their constitutionally and statutorily mandated functions. Nothing
in this Act shall be construed as to have amended or repealed Republic Act No.
1405, otherwise known as the Secrecy of Bank Deposits Act; Republic Act No.
6426, otherwise known as the Foreign Currency Deposit Act; and Republic Act No.
9510, otherwise known as the Credit Information System Act (CISA);
(f) Information
necessary for banks and other financial institutions under the jurisdiction of
the independent, central monetary authority or Bangko Sentral ng Pilipinas to
comply with Republic Act No. 9510, and Republic Act No. 9160, as amended,
otherwise known as the Anti-Money Laundering Act and other applicable laws; and
(g) Personal
information originally collected from residents of foreign jurisdictions in
accordance with the laws of those foreign jurisdictions, including any
applicable data privacy laws, which is being processed in the Philippines.
[8]
RA 10173 Section 3
(k) Privileged information refers to any and all forms of data which under the Rides of Court and other pertinent laws constitute privileged communication.
(l) Sensitive personal information refers to personal information:
(k) Privileged information refers to any and all forms of data which under the Rides of Court and other pertinent laws constitute privileged communication.
(l) Sensitive personal information refers to personal information:
(1) About an
individual’s race, ethnic origin, marital status, age, color, and religious,
philosophical or political affiliations;
(2) About an
individual’s health, education, genetic or sexual life of a person, or to any
proceeding for any offense committed or alleged to have been committed by such
person, the disposal of such proceedings, or the sentence of any court in such
proceedings;
(3) Issued by
government agencies peculiar to an individual which includes, but not limited
to, social security numbers, previous or cm-rent health records, licenses or
its denials, suspension or revocation, and tax returns; and
(4) Specifically established
by an executive order or an act of Congress to be kept classified.
[9]
RA 10173
Section 3 (g) Personal information refers to any information whether
recorded in a material form or not, from which the identity of an individual is
apparent or can be reasonably and directly ascertained by the entity holding
the information, or when put together with other information would directly and
certainly identify an individual.
[11] RA 10173
Section 3 j) Processing refers to any operation or any set of operations
performed upon personal information including, but not limited to, the
collection, recording, organization, storage, updating or modification,
retrieval, consultation, use, consolidation, blocking, erasure or destruction
of data.
[12] (c) Data
subject refers to an individual whose personal information is processed.
(h) Personal information controller refers
to a person or organization who controls the collection, holding, processing or
use of personal information, including a person or organization who instructs
another person or organization to collect, hold, process, use, transfer or
disclose personal information on his or her behalf. The term excludes:
(1)
A person or organization who performs such functions as instructed by another
person or organization; and
(2)
An individual who collects, holds, processes or uses personal information in
connection with the individual’s personal, family or household affairs.
[13]
RA 10173 (h) Personal information….The term excludes:
(1) A person or organization who performs such functions as instructed by another person or organization; and
(2) An individual who collects, holds, processes or uses personal information in connection with the individual’s personal, family or household affairs
(1) A person or organization who performs such functions as instructed by another person or organization; and
(2) An individual who collects, holds, processes or uses personal information in connection with the individual’s personal, family or household affairs
[14]
RA 10173 Section 4 This Act does not apply to the following:
(a) Information about
any individual who is or was an officer or employee of a government institution
that relates to the position or functions of the individual, including:
(1) The fact that the
individual is or was an officer or employee of the government institution;
(2) The title, business
address and office telephone number of the individual;
(3) The classification,
salary range and responsibilities of the position held by the individual; and
(4) The name of the
individual on a document prepared by the individual in the course of employment
with the government;
(b) Information about
an individual who is or was performing service under contract for a government
institution that relates to the services performed, including the terms of the
contract, and the name of the individual given in the course of the performance
of those services;
(c) Information
relating to any discretionary benefit of a financial nature such as the
granting of a license or permit given by the government to an individual,
including the name of the individual and the exact nature of the benefit;
(d) Personal
information processed for journalistic, artistic, literary or research
purposes;
(e) Information
necessary in order to carry out the functions of public authority which
includes the processing of personal data for the performance by the
independent, central monetary authority and law enforcement and regulatory
agencies of their constitutionally and statutorily mandated functions. Nothing
in this Act shall be construed as to have amended or repealed Republic Act No.
1405, otherwise known as the Secrecy of Bank Deposits Act; Republic Act No.
6426, otherwise known as the Foreign Currency Deposit Act; and Republic Act No.
9510, otherwise known as the Credit Information System Act (CISA);
(f) Information
necessary for banks and other financial institutions under the jurisdiction of
the independent, central monetary authority or Bangko Sentral ng Pilipinas to
comply with Republic Act No. 9510, and Republic Act No. 9160, as amended,
otherwise known as the Anti-Money Laundering Act and other applicable laws; and
(g) Personal
information originally collected from residents of foreign jurisdictions in
accordance with the laws of those foreign jurisdictions, including any
applicable data privacy laws, which is being processed in the Philippines.
[15]
Section 12. Criteria for Lawful Processing of Personal Information. –
The processing of personal information shall be permitted only if not otherwise
prohibited by law, and when at least one of the following conditions exists:
(a)
The data subject has given his or her consent;
(b)
The processing of personal information is necessary and is related to the
fulfillment of a contract with the data subject or in order to take steps at
the request of the data subject prior to entering into a contract;
(c)
The processing is necessary for compliance with a legal obligation to which the
personal information controller is subject;
(d)
The processing is necessary to protect vitally important interests of the data
subject, including life and health;
(e)
The processing is necessary in order to respond to national emergency, to
comply with the requirements of public order and safety, or to fulfill
functions of public authority which necessarily includes the processing of
personal data for the fulfillment of its mandate; or
(f)
The processing is necessary for the purposes of the legitimate interests
pursued by the personal information controller or by a third party or parties
to whom the data is disclosed, except where such interests are overridden by
fundamental rights and freedoms of the data subject which require protection
under the Philippine Constitution.
[16] RA 10173
Section 3 b) Consent of the data subject refers to any freely given,
specific, informed indication of will, whereby the data subject agrees to the
collection and processing of personal information about and/or relating to him
or her. Consent shall be evidenced by written, electronic or recorded means. It
may also be given on behalf of the data subject by an agent specifically
authorized by the data subject to do so.
[17] Section
16. Rights of the Data Subject. – The data subject is
entitled to:
(a) Be informed whether
personal information pertaining to him or her shall be, are being or have been
processed;
(b) Be furnished the
information indicated hereunder before the entry of his or her personal
information into the processing system of the personal information controller,
or at the next practical opportunity:
[18] RA 10173 Section
32. Unauthorized Disclosure. – (a) Any personal information controller
or personal information processor or any of its officials, employees or agents,
who discloses to a third party personal information not covered by the
immediately preceding section without the consent of the data subject, shall he
subject to imprisonment ranging from one (1) year to three (3) years and a fine
of not less than Five hundred thousand pesos (Php500,000.00) but not more than
One million pesos (Php1,000,000.00).
[19] RA 10173 Section
31. Malicious Disclosure. – Any personal information controller or
personal information processor or any of its officials, employees or agents,
who, with malice or in bad faith, discloses unwarranted or false information
relative to any personal information or personal sensitive information obtained
by him or her, shall be subject to imprisonment ranging from one (1) year and
six (6) months to five (5) years and a fine of not less than Five hundred
thousand pesos (Php500,000.00) but not more than One million pesos
(Php1,000,000.00).
[20] RA 10173 Section 38. Interpretation. – Any
doubt in the interpretation of any provision of this Act shall be liberally
interpreted in a manner mindful of the rights and interests of the individual
about whom personal information is processed.
