Change is constant, the words of Heraclitus strongly applies to technology. The “change” is so fast that we cant afford to update our technology due to practicality. As technology advances people are getting more and more involved in the adaptation of such, almost all have their own gadgets and access to Internet but some are not aware of the risks they are taking. The more advanced the information technology is the more exposure to threat there is to the people. There are things yet to be discovered which may be a tool to commit a crime if none is punishable under the applicable laws. It is easy to generate or make up information from a person with bits of genuine information and images, let's face it people barely reads the terms and conditions provided under a sign up sheet.
Now talking about privacy, the right to privacy, as an inherent concept of liberty, has long been recognized as a constitutional right[i]. The Philippine Constitution provides that: No person shall be deprived of life, liberty, or property without due process of law, nor shall any person be denied the equal protection of the laws.[ii]
The right of the people to be secure in their persons, houses, papers, and effects against unreasonable searches and seizures of whatever nature and for any purpose shall be inviolable, and no search warrant or warrant of arrest shall issue except upon probable cause to be determined personally by the judge after examination under oath or affirmation of the complainant and the witnesses he may produce, and particularly describing the place to be searched and the persons or things to be seized.[iii]
The privacy of communication and correspondence shall be inviolable except upon lawful order of the court, or when public safety or order requires otherwise as prescribed by law.[iv]
Zones of privacy are likewise recognized and protected in our laws. The Civil Code provides that “[e]very person shall respect the dignity, personality, privacy and peace of mind of his neighbors and other persons” and punishes as actionable torts several acts by a person of meddling and prying into the privacy of another. It also holds a public officer or employee or any private individual liable for damages for any violation of the rights and liberties of another person, and recognizes the privacy of letters and other private communications. The Revised Penal Code makes a crime the violation of secrets by an officer, the revelation of trade and industrial secrets, and trespass to dwelling. Invasion of privacy is an offense in special laws like the Anti-Wiretapping Law, the Secrecy of Bank Deposits Act and the Intellectual Property Code. The Rules of Court on privileged communication likewise recognize the privacy of certain information.[v]
The State recognizes the vital role of information and communications technology in nation-building and its inherent obligation to ensure that personal information in information and communications systems in the government and in the private sector are secured and protected[vi], this is the view of our government that blossomed into the enactment of the “Data Privacy Act of 2012”. It applies to the processing of all types of personal information and to any natural and juridical person involved in personal information processing [vii] but the act also expressly excluded the application to some situations, thus it is not absolute. The act created an administer which is known as the National Privacy Commission which will be in charge to implement the provisions, monitor and ensure compliance of each with the international standards set for data provisions. The Commission shall act as a collegial buddy, which may be given access to personal information that is subject of any complaint and to collect the information necessary to perform its functions under the Act.
Personal information refers to any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.[viii] It may include sensitive personal information that is about an individual’s race, ethnic origin, marital status, age, color and religious, philosophical or political affiliations, etc. The act provided the approval of data processing under section 11, “The processing of personal information shall be allowed, subject to compliance with the requirements of the act and other laws allowing disclosure of information to the public and adherence to the principles of transparency, legitimate purpose and proportionality.
According to Raul J. Palabrica, The most significant aspects of the law are: the procedures to be followed in the collection, processing and handling of personal information; the rights of data subjects; and the creation of a National Privacy Commission.
The law requires information collectors, holders and processors to follow strict rules on transparency, legitimacy and proportionality in the conduct of their activities.
Among others, the collection should be conducted for “specific and legitimate purposes determined and declared before, or as soon as reasonably practicable after collection, and later processed in a way compatible with such declared, specified and legitimate purposes only.”
Accuracy, relevance and essentiality of purpose must likewise be observed during the collection stage.
Inaccurate or incomplete data should be corrected, supplemented, destroyed or their further processing restricted.
The information can be stored only as long as needed for the purpose for which it was obtained, or “for the establishment, exercise or defense of legal claims, or for legitimate business purposes, or as provided by law.”
Once collected, the information can be processed or used only if it is not prohibited by law and the person who provided the information (or data subject) has given his consent; if no such consent is given, the processing can still go on provided it meets the “necessity” test.[ix]
It is well established that the act pertains to the protection of the fundamental human right of privacy, of communication while ensuring free flow of information to promote innovation and growth[x] but the law is still new as it was approved August 15, 2012; making it open for an attack on its applicability.
One example would be on Personal information controller which refers to a person or organization who controls the collection, holding, processing or use of personal information, including a person or organization who instructs another person or organization to collect, hold, process, use, transfer or disclose personal information on his or her behalf which excludes (1) A person or organization who performs such functions as instructed by another person or organization; and (2) an individual who collects, holds, process or uses personal information in connection with the individual’s personal family or household affairs.[xi] In relation to Section 14, A personal information controller may subcontract the processing of personal information: Provided, that the contractor will be responsible for ensuring that the proper safeguards are in place to ensure the confidentiality of the personal information processed, prevent its use for unauthorized purposes, and generally comply with the requirements of the act and other laws for processing of personal information.
Now the question is what if the subcontracted party used the data collected for unauthorized purpose, continued to gather data from the subject but the contract to collect had already lapsed and the one who contracted exhausted all efforts to ensure confidentiality and is not aware that the subcontracted party misused the data, Will the contractor or personal information controller be liable for the acts of the subcontracted party evidently that the former is in good faith, would vicarious liability apply? Lastly, what penalty will the sub contractor face? Is it under section 25- unauthorized processing of personal information and sensitive personal information or under section 28- processing of personal information and sensitive personal information for unauthorized purposes. The subcontractor has an authority to get data from the subject but upon expiration of the contract he exceeded his authority but will that hold the contractor also liable?
Now, if a person is punishable under this act would he still be liable for other laws? Like if a person is liable of Unauthorized Processing of Personal Information and Sensitive Personal Information, will that person be liable to also to the violation on ones privacy?
One situation in relation to anti-wiretapping law, it is clear from above that this is made to protect the privacy of a person. If a company is an authorized Personal information controller, is wiretapped by someone (B) while in the process of collecting data what are the offenses committed?
It shall be unlawful for any person, not being authorized by all the parties to any private communication or spoken word, to tap any wire or cable, or by using any other device or arrangement, to secretly overhear, intercept, or record such communication or spoken word by using a device commonly known as a dictaphone or dictagraph or detectaphone or walkie-talkie or tape recorder, or however otherwise described.[xii]
Clearly B, is in violation of wiretapping, which is punishable of 6 months to 6 years imprisonment and he is also in violation of data privacy act under Unauthorized Processing of Personal Information and Sensitive Personal Information. –
(a) The unauthorized processing of personal information shall be penalized by imprisonment ranging from one (1) year to three (3) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than Two million pesos (Php2,000,000.00) shall be imposed on persons who process personal information without the consent of the data subject, or without being authorized under this Act or any existing law.
(b) The unauthorized processing of personal sensitive information shall be penalized by imprisonment ranging from three (3) years to six (6) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than Four million pesos (Php4,000,000.00) shall be imposed on persons who process personal information without the consent of the data subject, or without being authorized under this Act or any existing law.[xiii]
The question is will the company be also liable? According to Section 20 of the act, (a) The personal information controller must implement reasonable and appropriate organizational, physical and technical measures intended for the protection of personal information against any accidental or unlawful destruction, alteration and disclosure, as well as against any other unlawful processing.
(b) The personal information controller shall implement reasonable and appropriate measures to protect personal information against natural dangers such as accidental loss or destruction, and human dangers such as unlawful access, fraudulent misuse, unlawful destruction, alteration and contamination.
(c) The determination of the appropriate level of security under this section must take into account the nature of the personal information to be protected, the risks represented by the processing, the size of the organization and complexity of its operations, current data privacy best practices and the cost of security implementation. Subject to guidelines as the Commission may issue from time to time, the measures implemented must include:
(1) Safeguards to protect its computer network against accidental, unlawful or unauthorized usage or interference with or hindering of their functioning or availability;
(2) A security policy with respect to the processing of personal information;
(3) A process for identifying and accessing reasonably foreseeable vulnerabilities in its computer networks, and for taking preventive, corrective and mitigating action against security incidents that can lead to a security breach; and
(4) Regular monitoring for security breaches and a process for taking preventive, corrective and mitigating action against security incidents that can lead to a security breach.
(d) The personal information controller must further ensure that third parties processing personal information on its behalf shall implement the security measures required by this provision.
(e) The employees, agents or representatives of a personal information controller who are involved in the processing of personal information shall operate and hold personal information under strict confidentiality if the personal information are not intended for public disclosure. This obligation shall continue even after leaving the public service, transfer to another position or upon termination of employment or contractual relations.
(f) The personal information controller shall promptly notify the Commission and affected data subjects when sensitive personal information or other information that may, under the circumstances, be used to enable identity fraud are reasonably believed to have been acquired by an unauthorized person, and the personal information controller or the Commission believes (bat such unauthorized acquisition is likely to give rise to a real risk of serious harm to any affected data subject. The notification shall at least describe the nature of the breach, the sensitive personal information possibly involved, and the measures taken by the entity to address the breach. Notification may be delayed only to the extent necessary to determine the scope of the breach, to prevent further disclosures, or to restore reasonable integrity to the information and communications system.
(1) In evaluating if notification is unwarranted, the Commission may take into account compliance by the personal information controller with this section and existence of good faith in the acquisition of personal information.
(2) The Commission may exempt a personal information controller from notification where, in its reasonable judgment, such notification would not be in the public interest or in the interests of the affected data subjects.
(3) The Commission may authorize postponement of notification where it may hinder the progress of a criminal investigation related to a serious breach.[xiv]
What if the company implemented reasonable appropriate measures to protect personal information and if the company satisfies all of this still B consummated the crime. Will the company be liable? What if the company is subcontracted? Will the original personal information processor be liable even if the latter ensured that all security measures are complied with?
Another situation, If a government official within the scope of his duties discloses unwarranted or false information relative to any personal information or personal sensitive information obtained by him or her considering that the official is a personal information controller or personal information processor.
According to the revised penal code, Any public officer who shall reveal any secret known to him by reason of his official capacity, or shall wrongfully deliver papers or copies of papers of which he may have charge and which should not be published, shall suffer the penalties of prision correccional in its medium and maximum periods, perpetual special disqualification and a fine not exceeding 2,000 pesos if the revelation of such secrets or the delivery of such papers shall have caused serious damage to the public interest; otherwise, the penalties of prision correccional in its minimum period, temporary special disqualification and a fine not exceeding 50 pesos shall be imposed.[xv] And in relation to RA 10173, Any personal information controller or personal information processor or any of its officials, employees or agents, who, with malice or in bad faith, discloses unwarranted or false information relative to any personal information or personal sensitive information obtained by him or her, shall be subject to imprisonment ranging from one (1) year and six (6) months to five (5) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than One million pesos (Php1,000,000.00). [xvi] In addition to that, When the offender or the person responsible for the offense is a public officer as defined in the Administrative Code of the Philippines in the exercise of his or her duties, an accessory penalty consisting in the disqualification to occupy public office for a term double the term of criminal penalty imposed shall he applied.[xvii]
What law should we apply? Or should we apply both? There is nothing in the act that repeals or amends this kind of provision, will he be liable under RA 10173 or be liable to Revelation of secrets by an officer?
It is in the same scenario when instead of malicious disclosure the government official committed unauthorized disclosure.
Lastly, If an officer (A) is interested in an another person (B), knowing that they are in the same organization or company, asked the HR officer for B’s data is it within the context of the Data Privacy Act? B’s data includes all the information disclosed upon B’s application to the said organization or company, personal and sensitive information included; the HR gave the data to A because A is an officer. Will A be liable to Processing of Personal Information and Sensitive Personal Information for Unauthorized Purposes. – The processing of personal information for unauthorized purposes shall be penalized by imprisonment ranging from one (1) year and six (6) months to five (5) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than One million pesos (Php1,000,000.00) shall be imposed on persons processing personal information for purposes not authorized by the data subject, or otherwise authorized under this Act or under existing laws.
The processing of sensitive personal information for unauthorized purposes shall be penalized by imprisonment ranging from two (2) years to seven (7) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than Two million pesos (Php2,000,000.00) shall be imposed on persons processing sensitive personal information for purposes not authorized by the data subject, or otherwise authorized under this Act or under existing laws.[xviii]
Yes. But will the HR also be liable though the act was done with confidence?
The Data Privacy Act is still new and there are a lot of gray areas, but this does not give the public the right to abuse one’s privacy. Remember, it is as an inherent concept of liberty, has long been recognized as a constitutional right. A right which we all enjoy and should respect.
[i] Gamboa vs. Chan, G.R. No. 193636, 24/July/2012, p. 9
[ii] 1987 Philippine Constitution, section 1
[iii] Ibid, section 2
[iv] Ibid, section 3
[v] Gamboa vs. Chan, G.R. No. 193636, 24/July/2012, p. 11
[vi] RA 10173, Section 2
[vii] Ibid, Section 4
[viii] Ibid, Section 3(g)
[x] RA 10173, Section 2
[xi]RA 10173, Section 3(h)
[xii] RA 4200, An ACT TO PROHIBIT AND PENALIZE WIRE TAPPING AND OTHER RELATED VIOLATIONS OF THE PRIVACY OF COMMUNICATION, AND FOR OTHER PURPOSES, sec 1
[xiii] RA 10173, Section 25
[xiv] Ibid, Section 20
[xv] The Revised Penal Code of the Philippines, Article 229
[xvi] RA 10173, Section 31
[xvii]Ibid, Section 36
[xviii] Ibid, Section 28
translation credits --google. :)))
translation credits --google. :)))