Thursday, July 4, 2013

TECHNOLOGY AND THE LAW: RA 10173


"Is the act of a person, A, disclosing the mobile number of B, to a third person, without B's consent, considered a violation of RA 10173?"

            An affirmative answer would be too harsh. On the other hand, a negative answer would be too lame, hence, my stand to this query is that it is not necessarily so.

            To consider or not to consider the acts of A, in disclosing the mobile number of B to a third person without B's consent, as a violation of RA 10173, otherwise known as the Data Privacy Act of 2012, a couple of things are needed to be answered.  To start with, what is the character of A in the case?  Is A's character contemplated under the definition of a Personal Information Controller? Does A fall under one of those excluded by the provision? Is the process of obtaining B's mobile number lawful? Is the mobile number of B considered as a Personal Information in accordance with the definition given by the law? Is A, in a situation where A is allowed to disclose B's mobile phone number even without B's consent?  What is consent? May it be presumed?  Is consent a condition sine qua non for one to disclose one's mobile number lawfully?  These are the vital questions that are needed to be clarified before rendering an answer to the question at bar.  The answers lie in the appreciation of the provisions of the RA 10173, its interpretation, and it's intent.  Therefore, one must not only consider the provisions of the law, but the spirit or intent of the law as well.  The intent and the spirit of the law are based upon the reasons of it's enactment, and while the purpose of the law is embedded within the law, the reasons behind it's enactment is imperceptible on its face.  In deciding whether the act of A is a violation or not of the RA 10173, one must defer not to "the letter that killeth" but to "the spirit that vivifieth," to give effect to the law maker's will.  However, in the appreciation of the law it must also be remembered that when the law is clear there is no room for interpretation or construction.

            The purpose of the statute is declared in Section 2 of the Act which is to protect the fundamental human right of privacy, of communication while ensuring free flow of information to promote innovation and growth.[1] Question is, why did the legislative find it essential to protect the human right of privacy vis a vis the guarantee of free flow of information?  Is there a threat to it?

                Confidentiality, discretion, secrecy, concealment, disclosure, solitude, seclusion, whatever name you call it, Privacy is essentially becoming progressively vital for citizens in a society, where one's data and practically an individual's whole fact of existence can effortlessly be retrieved by another party with a push of a button.  With the advent of "gizmos", a person's continuity in this world can be compacted in a single gadget and by reason of this, such person's private life would be compromised due to the threat of one's personal information being exposed to the world.  Without the parameters to control the dissemination of the information of a person, the right of a person to relish his own private life without intrusions would be despoiled. Possible interferences in private life have been the focus of a lot of enactments, rules, laws, regulations, etc., not only here in the Philippines but around the world.  To name a few, in 1945, the United Nations created the Universal Declaration of Human Rights which speaks of the right to be protected from interferences with one's privacy, home, and communication.[2] It even created the Guidelines for the Regulation of Computerized Personal Data Files[3] in 1990, to keep up with the expansion of technology.  In 1995, the Brussels-based European Union (EU) passed a comprehensive data privacy law called the “European Union Directive on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data.[4]  The Organization for Economic Control and Development created the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data in which the Philippines is one of the members.  The United Nations' Guidelines for the Regulation of Computerized Personal Data Files; the European Union Directive on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data;  and the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data principally highlighted the security of personal information in a different setting, which is in a technology driven world.[5] On this note, the right to privacy of an individual escalated to a different concept wherein it came to mean the right to decide, and the right of control upon his own information. As a member-country we have established a legal, administrative or other procedures or institutions for the protection of privacy and individual liberties in respect of personal data.  And RA 10173 or the Data Privacy Act of 2012 was born.

            The Data Privacy Act of 2012 aims to protect an individual's private information. The scope encompasses "all types of processing of private information" [6] save for some specific exceptions which are enumerated in Section 4.[7]  What is within the meaning of private information for such to be in accordance with the definition of Personal Information? How is it different from a Privileged Information and Sensitive Personal Information?[8] Does it include the color of one's car? The school where one graduated? Professional License number? User's name? Name of his pet? From the definition of the Act,[9] personal information pertains to any information that would identify a specific person or when associated with another information would readily characterize an individual.  Note that the law said "any" information.  The reckoning point, however, is the identity of the individual to be readily recognized given the specific information even though such information is insignificant to another.  Thus, what the law is protecting is not the information itself but, the individual who can be readily identified and associated with the information. Privileged Personal Information includes those information considered by laws, statutes, or rules to be confidential, restricted, or controlled, while Sensitive Personal Information include those enumerated in the Act.

            Remember the times when a person needed coins to get in touch with another person through a telephone?  Or the times when one can listen to a conversation on a party line?  And those days when a phone number is identified not with a single person exclusively but with a household?  The days when it seems so impossible to bring a telephone wherever you go, but you still wish for it to come true?  Those were the days.  Today, advanced technology has conquered the world and even created another world. One of those advances that made yesterday so remote is the creation of the cellular or mobile phone.  Fast, easy, wireless, accessible, innovative, modern, future,…mobile phones became a necessity and with the introduction of a more sophisticated gadgets, where such can be a cell phone, a clock, a calculator, a computer, a radio, a television, a recorder, a camera, etc., a cell phone, to many, has been converted into something indispensable specially in a country which was once tagged as the ''text capital of the world".  Consequently, cellphone numbers have been used and abused.  Cellphones have become instruments in marketing, business transactions, advertising, learning, reporting, compromise, illicit affairs, bullying, and crimes.  Whether or not a mobile phone number would fall under the definition of "Personal Information", we must qualify.  Here in our country, cell phone numbers are not regulated, one can easily change his or her mobile phone number in an instant.  Almost every corner of the streets here in the metropolis or even in progressively growing cities in the provinces have  "sari-sari stores" where an individual regardless of age, sex, or race can buy a SIM or a Subscriber Identity Module card  or Subscriber Identification Module.  Although SIM cards can securely store the international mobile subscriber identity (IMSI) and the related key used to identify and authenticate subscribers on mobile telephony devices (such as mobile phones and computers) or the network-specific information used to authenticate and identify subscribers on the network such Authentication Key, Local Area Identity (LAI) and Operator-Specific Emergency Number as well as other carrier-specific data such as the SMSC (Short Message Service Center) number, Service Provider Name (SPN), Service Dialing Numbers (SDN)[10], unfortunately,  here in the Philippines it is not always, that a person can be identified by his or her mobile phone number.  If the SIM card or the person's subscription is a "prepaid" one, it would be arduous to identify the subscriber, hence, such information may not fall under the definition of "Personal Information".  Say, for example, a person collected 100 SIM card numbers to be distributed in the city of Makati.  Upon knowing that all the SIM cards were already purchased, he disclosed all the numbers to an advertiser, who after sometime, began sending advertisements in the form of text messages to all the cellphone numbers that he collected.  The situation does not fall within the ambit of RA 10173, since the information gathered did not identify the persons holding the cell phone numbers.  Mobile numbers of prepaid subscribers may not fall under the definition of Personal Information, if the identity of the individual does not establish or determine the identity of the person who owns the mobile number.  Nevertheless, prepaid numbers may still be regarded as a Personal Information defined in the law, if such mobile number can readily be identified with the owner. The case is different if the SIM card or the subscription is a "postpaid" one.  In "postpaid" subscriptions, the identity of the subscriber is known, hence, the cellular phone number of a "postpaid" subscriber is a Personal Information within the sphere of the definition under RA 10173.  In view of the foregoing, if the service provider of a "postpaid" subscriber discloses the subscriber's cell phone number without the subscriber's consent, to a third person, the statute is violated.  In the light of these, the mobile number of B, in the case at hand, falls under the Personal Information defined in the law, since B can be readily identified with his mobile phone number, assuming that the third person specifically asked for B's mobile phone number. 

            What is "processing" as defined by the statute? [11]Processing is any operation performed upon the private information of the Data Subject.  It is the act of collecting, storing, disseminating, disclosing, or any act or operation carried out upon the private information.  The disclosing of B's mobile number to a third person by A is an act of processing within the meaning of the statute.

            Now, within the provisions of the statute are definitions of the different characters that are within the scope of the law.  There's the Personal Information Controller and Data subject.[12]  A Personal Information Controller is the person entrusted with the private information and they are the ones who control, collect, hold, and process or use the information, except if such person is performing the process under the instruction of another party or if such individual performs such process in connection with the individual's personal, family or household affairs.  The Data Subject, on the other hand, is the person who owns the information which is being processed.   In the case at bar A may or may not be assumed to be the Personal Information Controller, who holds the mobile number of B, while B is the Data Subject, who owns the mobile number, which may or may not be considered as the Personal Information.  Hence, if A gave the mobile number of B, assuming that A is the one who has the control, and the one who collected, held, processed or used the mobile number of B and disclosed such to a third person, without the consent of B, A is not considered as a Personal Information Controller if A is performing the process under the instruction of another party or if A did such act in connection with the individual's personal, family, or household affairs because such qualifications fall under the description of those who would not be considered as a Personal Information Controller.[13]  For example, let us suppose that the third person is the niece of A, C, who for the first time after a long time, saw her aunt, A, in the mall, and in the course of their casual conversation C asked for B's mobile number who is the daughter of A, hence C's cousin.  If A gives B's mobile number to C without B's consent, there was no law being violated for such disclosure of A of B's mobile number is in connection with A's family affairs, because A is not considered here as a Personal Information Controller within the purview of its definition given by the statute.  On the other hand A will be considered as  the Personal Information Controller, if A is not one of those excluded by the statute, who gave B's mobile number to a third person, without B's consent.

            Another situation which will render a negative reply to the question above, is that, if B, the Data Subject, is an officer or employee of a government institution and that his cell phone number relates to the position or functions of the individual, and if his or her mobile number is disclosed to another person, in relation to his or her official function, the said setting is one of those instances where the Act does not apply.  Like for example if B is an officer of PAG ASA who may be reached through his cell phone anytime of the day by radio or television broadcasters or other government and nongovernment entities concerned with the weather update  whenever  the need arises.  A is B's secretary while the third person is a news reporter.  The mobile number of B has been provided by the government to him in relation with his official function as an officer of PAGASA.  The act of disclosing the mobile number of B by A to the news reporter for the purpose of gathering news in relation to the weather is one of those situations where RA 10173 does not apply.[14]

            If the parties, such as the Personal Information Controller falls within the scope of the statute and the Data Subject did not give his or her consent to the Processing of his or her Personal Information, the act of the Personal Information Controller would still be lawful if the acts are consistent with at least one of the Criteria for Lawful Processing of Personal Information.[15]  For example, in the case at bar, if the third person, C, is a medical health practitioner, who happened to forget to relate to B, a very important warning regarding the medicine that B is about to take, and it happened that A knows the mobile phone number of B. C without wanting to reveal to A the reason of C's interest on B's cell phone number, because of a privilege information within the scope of doctor-patient relationship, asked A for B's number.  Due to the alleged urgency of the situation A disclosed to C, B's number without B's consent.  There was no law violated because the circumstances of the situation are within the range of a lawful process, since such event is one of the Criteria for Lawful Processing of Personal Information wherein "the processing is necessary to protect vitally important interests of the data subject, including life and health".  Or, like in the case in the previous paragraph, in an event where a natural calamity is about to occur and C, a famous radio announcer, needed to announce to the public of such calamity thru his program, and A as B's secretary disclosed B's number to C, without B's consent.  The act of A is a "processing which is necessary in order to respond to national emergency, to comply with the requirements of public order and safety".  Contemplating on these situations, it must be stressed that the absence of consent of the Data Subject in the processing of his or her personal information is not a condition sine qua non for the Personal Information Controller to violate RA 10173.  There are a lot of situations wherein the consent of the Data Subject may not be sought for. 

            Consent must not be presumed in situations where the consent of the Data Subject is needed to convict the person who violated the provisions of RA 10173.  The law explicitly provides that the consent shall be evidenced by written, electronic or recorded means. It may also be given on behalf of the data subject by an agent specifically authorized by the data subject to do so.[16]  In statutory construction, the use of the word "shall" is mandatory and hence must be strictly complied with.  Therefore, there must be a positive, tangible proof that consent was given. If such consent is given orally, it must be recorded.  An example could be a recorded telephone conversation wherein consent was given.  It is imperative that the Data Subject had been informed of all the facts upon which he or she is consenting to before the consent is given.[17]  It is the individual or the Data Subject that is the owner of the information, wherefore, supreme right and control over decisions regarding collecting and usage or processing of personal information should be vested upon the Data Subject himself or herself, hence consent is essential in most cases.  Such right and control must not be bestowed in either the government, institutions, persons who collect personal information or even the National Privacy Commission, who merely monitor the processing of personal information in all forms and media of communication and ensure compliance of the law.

            Is it necessary to consider the intent of the Personal Information Controller in processing the information, such as disclosing Personal Information to a third party without the Data Subject's consent, assuming that the situation is not one of those excluded by the statute?  Answering in the negative, the law provides that it is the unauthorized disclosure or the absence of the consent of the Data Subject that is penalized by the law.  Section 32 of RA 10173[18] did not require for the intent of the Personal Information Controller to be an element of the crime, and since the statute is a mala prohibita, intent is not necessary. Take for example, in the case at bar, say, B gave his roaming mobile phone number to A before going in a foreign country, with the intent of B to be notified by A in case of any emergency. Thereafter without any malice or bad faith, A disclosed B's roaming mobile phone number to C, a third party, without B's consent. C made so many missed calls to B.  When B came home, B was charged exorbitantly by the service provider because of the number of missed calls B received while B was in a foreign country.  Here, in this example, A violated the provisions of RA 10173 even if there was no malice or bad faith on the part of A.  If only A implored B's consent first before disclosing  B's number to C, B could not have incurred such expenses. However, in another scenario, under Section 31 of RA 10173, if there is a disclosure of a false or unwarranted information relative to the Personal Information of the Data Subject, malice or bad faith is wanting to convict the Personal Information Controller under this section.[19]

            Is it necessary that the unlawful process made by the Personal Information Controller resulted damages suffered by the Data Subject?  The law did not provide that damages must be incurred for the perpetrator to be convicted.  The fact, that the unlawful process made by the Personal Information Controller poses threat upon the privacy of the individual on the possibility of exposure is enough.  One need not wait for the damage to be done.  To illustrate, if A, a service provider without malice or bad faith disclosed B's phone number to C, an advertiser who pools cell numbers and post them in the internet for the public, without B's consent.  The exposure of the identity of B, even without incurring any damages yet, poses a great threat of interference from other persons or entity thereby piercing the sanctity of B's privacy in the future, is enough for one to assail that the offender had violated the law.

            In summary, A may only be deemed to have violated the provisions of RA 10173 if :  (1) A is considered as a Personal Information Controller defined under the law, except if A is a person or organization who performs such functions as instructed by another person or organization; and if A is an individual who collects, holds, processes or uses personal information in connection with the individual’s personal, family or household affairs.  If A is one of the exceptions, then A did not violate RA 10173.;

(2) B's mobile phone number is considered as a Personal Information which readily identified B, except if B and the mobile number are not one of those exemptions enumerated under Section 4 of RA 10173; (3) the disclosure of B's mobile number by A to the third party is unlawful, which means that the  disclosure is not one of those Criteria for Lawful Processing of Personal Information contemplated by Section 14 of RA 10173; (4) the consent must be wanting for the disclosure and not one of those instances where consent is not wanting under Section 4 of RA 10173. Intent of A or the third person, nor the existence or nonexistence of damages incurred by B should not be considered.

            I therefore conclude, that the act of A in disclosing the mobile number of B to a third person without B's consent, should not be inferred as a violation of RA 10173 or the Data Privacy Act of 2012 instantly.  The law qualified the persons, the information, the process, and the circumstances  for which  the law should apply.  Not all disclosures of Personal Information are violations of the statute and not all information are included.  There are times when arbitrariness results when a particular provision is applied in a particular case because of its uniqueness.  The circumstances surrounding the facts of each case must be contemplated for the reason that each context gives different scenarios ensuing different consequences. 

            Given the infantile existence of the Act, the law must be examined basing on the results, by its meaning, and by its purpose.  It is a fundamental rule that, in pursuing the meaning of the law, the paramount priority is to render justice, thus the statute must be construed and applied in harmony with justice. There must be stability between the language of the law and the intent of the legislative so that justice may prevail as  the law is followed.  In interpreting the law, Section 38[20] of RA 10173 provides that in case there are ambiguities in its provisions, the law must be construed liberally in favor of the rights and interests of the Data Subject, who owns the information.  Wherefore in the case at bar, whether or not A is guilty of violating RA 10173, in the end, generally speaking, it is still the rights and interests of B which were compromised.  So take hold of your personal information and be warned of the lurking world astute to imperil your existence, unexpectedly unmasking your identity, and swiftly interfering with your  solitude.  Likewise, take caution in divulging other individual's information to others without such individual's consent, lest, you might unknowingly become an instrument of intrusion, whether unintentionally or not, to the detriment of the Data Subject turning out to be a hapless victim of the prowling intruders.


[1] RA 10173 Section 2. Declaration of Policy. – It is the policy of the State to protect the fundamental human right of privacy, of communication while ensuring free flow of information to promote innovation and growth. The State recognizes the vital role of information and communications technology in nation-building and its inherent obligation to ensure that personal information in information and communications systems in the government and in the private sector are secured and protected.
 
[2] Universal Declaration of Human Rights Article 12 No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attack upon his honor and reputation. Everyone has the right to the protection of the law against such interference or attacks.
 
Guidelines for the regulation of computerized personal data files
The General Assembly,Recalling its resolution 44/132 of 15 December 1989
 
[4] EU Directive 95/46/EC of the European Parliament and the Council of 24 1. October 1995 on the Protection of Individuals with Regard to the Processing of Personal Data and the Free Movement of Such Data, 1995 O.J. L 281 [hereinafter “Directive”].
 
[5]OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data:  the guidelines play a major role in assisting governments, business and consumer representatives in their efforts to protect privacy and personal data, and in obviating unnecessary restrictions to transborder data flows, both on and off line.
 
[6] RA 10173 Section 4. Scope. – This Act applies to the processing of all types of personal information and to any natural and juridical person involved in personal information processing including those personal information controllers and processors who, although not found or established in the Philippines, use equipment that are located in the Philippines, or those who maintain an office, branch or agency in the Philippines subject to the immediately succeeding paragraph: Provided, That the requirements of Section 5 are complied with.
[7] RA 10173 Section 4…This Act does not apply to the following:
(a) Information about any individual who is or was an officer or employee of a government institution that relates to the position or functions of the individual, including:
(1) The fact that the individual is or was an officer or employee of the government institution;
(2) The title, business address and office telephone number of the individual;
(3) The classification, salary range and responsibilities of the position held by the individual; and
(4) The name of the individual on a document prepared by the individual in the course of employment with the government;
(b) Information about an individual who is or was performing service under contract for a government institution that relates to the services performed, including the terms of the contract, and the name of the individual given in the course of the performance of those services;
(c) Information relating to any discretionary benefit of a financial nature such as the granting of a license or permit given by the government to an individual, including the name of the individual and the exact nature of the benefit;
(d) Personal information processed for journalistic, artistic, literary or research purposes;
(e) Information necessary in order to carry out the functions of public authority which includes the processing of personal data for the performance by the independent, central monetary authority and law enforcement and regulatory agencies of their constitutionally and statutorily mandated functions. Nothing in this Act shall be construed as to have amended or repealed Republic Act No. 1405, otherwise known as the Secrecy of Bank Deposits Act; Republic Act No. 6426, otherwise known as the Foreign Currency Deposit Act; and Republic Act No. 9510, otherwise known as the Credit Information System Act (CISA);
(f) Information necessary for banks and other financial institutions under the jurisdiction of the independent, central monetary authority or Bangko Sentral ng Pilipinas to comply with Republic Act No. 9510, and Republic Act No. 9160, as amended, otherwise known as the Anti-Money Laundering Act and other applicable laws; and
(g) Personal information originally collected from residents of foreign jurisdictions in accordance with the laws of those foreign jurisdictions, including any applicable data privacy laws, which is being processed in the Philippines.
[8] RA 10173 Section 3
            (k) Privileged information refers to any and all forms of data which under the Rides of Court and                     other pertinent laws constitute privileged communication.
             (l) Sensitive personal information refers to personal information:
(1) About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;
(2) About an individual’s health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings;
(3) Issued by government agencies peculiar to an individual which includes, but not limited to, social security numbers, previous or cm-rent health records, licenses or its denials, suspension or revocation, and tax returns; and
(4) Specifically established by an executive order or an act of Congress to be kept classified.
[9] RA 10173 Section 3 (g) Personal information refers to any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.
[11] RA 10173 Section 3 j) Processing refers to any operation or any set of operations performed upon personal information including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data.
 
[12] (c) Data subject refers to an individual whose personal information is processed.
  (h) Personal information controller refers to a person or organization who controls the collection, holding, processing or use of personal information, including a person or organization who instructs another person or organization to collect, hold, process, use, transfer or disclose personal information on his or her behalf. The term excludes:
(1) A person or organization who performs such functions as instructed by another person or organization; and
(2) An individual who collects, holds, processes or uses personal information in connection with the individual’s personal, family or household affairs.
 
[13] RA 10173 (h) Personal information….The term excludes:
                        (1) A person or organization who performs such functions as instructed by another person                    or organization; and
                        (2) An individual who collects, holds, processes or uses personal information in                                                connection with the individual’s personal, family or household affairs
 
[14] RA 10173 Section 4 This Act does not apply to the following:
(a) Information about any individual who is or was an officer or employee of a government institution that relates to the position or functions of the individual, including:
(1) The fact that the individual is or was an officer or employee of the government institution;
(2) The title, business address and office telephone number of the individual;
(3) The classification, salary range and responsibilities of the position held by the individual; and
(4) The name of the individual on a document prepared by the individual in the course of employment with the government;
(b) Information about an individual who is or was performing service under contract for a government institution that relates to the services performed, including the terms of the contract, and the name of the individual given in the course of the performance of those services;
(c) Information relating to any discretionary benefit of a financial nature such as the granting of a license or permit given by the government to an individual, including the name of the individual and the exact nature of the benefit;
(d) Personal information processed for journalistic, artistic, literary or research purposes;
(e) Information necessary in order to carry out the functions of public authority which includes the processing of personal data for the performance by the independent, central monetary authority and law enforcement and regulatory agencies of their constitutionally and statutorily mandated functions. Nothing in this Act shall be construed as to have amended or repealed Republic Act No. 1405, otherwise known as the Secrecy of Bank Deposits Act; Republic Act No. 6426, otherwise known as the Foreign Currency Deposit Act; and Republic Act No. 9510, otherwise known as the Credit Information System Act (CISA);
(f) Information necessary for banks and other financial institutions under the jurisdiction of the independent, central monetary authority or Bangko Sentral ng Pilipinas to comply with Republic Act No. 9510, and Republic Act No. 9160, as amended, otherwise known as the Anti-Money Laundering Act and other applicable laws; and
(g) Personal information originally collected from residents of foreign jurisdictions in accordance with the laws of those foreign jurisdictions, including any applicable data privacy laws, which is being processed in the Philippines.
 
[15] Section 12. Criteria for Lawful Processing of Personal Information. – The processing of personal information shall be permitted only if not otherwise prohibited by law, and when at least one of the following conditions exists:
(a) The data subject has given his or her consent;
(b) The processing of personal information is necessary and is related to the fulfillment of a contract with the data subject or in order to take steps at the request of the data subject prior to entering into a contract;
(c) The processing is necessary for compliance with a legal obligation to which the personal information controller is subject;
(d) The processing is necessary to protect vitally important interests of the data subject, including life and health;
(e) The processing is necessary in order to respond to national emergency, to comply with the requirements of public order and safety, or to fulfill functions of public authority which necessarily includes the processing of personal data for the fulfillment of its mandate; or
(f) The processing is necessary for the purposes of the legitimate interests pursued by the personal information controller or by a third party or parties to whom the data is disclosed, except where such interests are overridden by fundamental rights and freedoms of the data subject which require protection under the Philippine Constitution.
[16] RA 10173 Section 3 b) Consent of the data subject refers to any freely given, specific, informed indication of will, whereby the data subject agrees to the collection and processing of personal information about and/or relating to him or her. Consent shall be evidenced by written, electronic or recorded means. It may also be given on behalf of the data subject by an agent specifically authorized by the data subject to do so.
[17] Section 16. Rights of the Data Subject. – The data subject is entitled to:
(a) Be informed whether personal information pertaining to him or her shall be, are being or have been processed;
(b) Be furnished the information indicated hereunder before the entry of his or her personal information into the processing system of the personal information controller, or at the next practical opportunity:
[18] RA 10173 Section 32. Unauthorized Disclosure. – (a) Any personal information controller or personal information processor or any of its officials, employees or agents, who discloses to a third party personal information not covered by the immediately preceding section without the consent of the data subject, shall he subject to imprisonment ranging from one (1) year to three (3) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than One million pesos (Php1,000,000.00).
 
[19] RA 10173 Section 31. Malicious Disclosure. – Any personal information controller or personal information processor or any of its officials, employees or agents, who, with malice or in bad faith, discloses unwarranted or false information relative to any personal information or personal sensitive information obtained by him or her, shall be subject to imprisonment ranging from one (1) year and six (6) months to five (5) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than One million pesos (Php1,000,000.00).
 
[20] RA 10173 Section 38. Interpretation. – Any doubt in the interpretation of any provision of this Act shall be liberally interpreted in a manner mindful of the rights and interests of the individual about whom personal information is processed.

No comments:

Post a Comment