Change is constant. The words of Heraclitus apply strongly to technology. The "change" is so fast that, as a practical matter, we cannot afford to keep our technology up to date. As technology advances, more and more people adopt it; almost everyone has their own gadgets and access to the Internet, but some are not aware of the risks they are taking. The more advanced information technology becomes, the more people are exposed to threats. There are things yet to be discovered which may become tools to commit a crime if no applicable law punishes them. It is easy to generate or make up information about a person from bits of genuine information and images, and, let's face it, people barely read the terms and conditions presented on a sign-up sheet.
Now, on privacy: the right to privacy, as an inherent concept of liberty, has long been recognized as a constitutional right.[i] The Philippine Constitution provides that:

"No person shall be deprived of life, liberty, or property without due process of law, nor shall any person be denied the equal protection of the laws."[ii]

"The right of the people to be secure in their persons, houses, papers, and effects against unreasonable searches and seizures of whatever nature and for any purpose shall be inviolable, and no search warrant or warrant of arrest shall issue except upon probable cause to be determined personally by the judge after examination under oath or affirmation of the complainant and the witnesses he may produce, and particularly describing the place to be searched and the persons or things to be seized."[iii]

"The privacy of communication and correspondence shall be inviolable except upon lawful order of the court, or when public safety or order requires otherwise as prescribed by law."[iv]
Zones of privacy are likewise
recognized and protected in our laws. The Civil Code provides that “[e]very
person shall respect the dignity, personality, privacy and peace of mind of his
neighbors and other persons” and punishes as actionable torts several acts by a
person of meddling and prying into the privacy of another. It also holds a
public officer or employee or any private individual liable for damages for any
violation of the rights and liberties of another person, and recognizes the privacy
of letters and other private communications. The Revised Penal Code makes a
crime the violation of secrets by an officer, the revelation of trade and
industrial secrets, and trespass to dwelling. Invasion of privacy is an offense
in special laws like the Anti-Wiretapping Law, the Secrecy of Bank Deposits Act
and the Intellectual Property Code. The Rules of Court on privileged
communication likewise recognize the privacy of certain information.[v]
The State recognizes the vital role of information and communications technology in nation-building and its inherent obligation to ensure that personal information in information and communications systems in the government and in the private sector are secured and protected.[vi] This view of our government blossomed into the enactment of the "Data Privacy Act of 2012" (Republic Act No. 10173). It applies to the processing of all types of personal information and to any natural and juridical person involved in personal information processing,[vii] but the Act also expressly excludes certain situations from its application, so its coverage is not absolute. The Act created an administering body, the National Privacy Commission, which is charged with implementing its provisions and with monitoring and ensuring compliance with the international standards set for data protection. The Commission acts as a collegial body, which may be given access to personal information that is the subject of any complaint and may collect the information necessary to perform its functions under the Act.
Personal information refers to any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or which, when put together with other information, would directly and certainly identify an individual.[viii] The Act separately singles out sensitive personal information, which includes information about an individual's race, ethnic origin, marital status, age, color and religious, philosophical or political affiliations, among others. Section 11 of the Act sets the conditions under which processing is permitted: "The processing of personal information shall be allowed, subject to compliance with the requirements of this Act and other laws allowing disclosure of information to the public and adherence to the principles of transparency, legitimate purpose and proportionality."
According to Raul J. Palabrica, the most significant aspects of the law are: the procedures to be followed in the collection, processing and handling of personal information; the rights of data subjects; and the creation of a National Privacy Commission.

The law requires information collectors, holders and processors to follow strict rules on transparency, legitimacy and proportionality in the conduct of their activities.

Among others, the collection should be conducted for "specific and legitimate purposes determined and declared before, or as soon as reasonably practicable after collection, and later processed in a way compatible with such declared, specified and legitimate purposes only."

Accuracy, relevance and essentiality of purpose must likewise be observed during the collection stage.

Inaccurate or incomplete data should be corrected, supplemented, destroyed or their further processing restricted.

The information can be stored only as long as needed for the purpose for which it was obtained, or "for the establishment, exercise or defense of legal claims, or for legitimate business purposes, or as provided by law."

Once collected, the information can be processed or used only if it is not prohibited by law and the person who provided the information (or data subject) has given his consent; if no such consent is given, the processing can still go on provided it meets the "necessity" test.[ix]
It is well established that the Act pertains to the protection of the fundamental human right of privacy and of communication, while ensuring the free flow of information to promote innovation and growth,[x] but the law is still new, having been approved on August 15, 2012, which leaves its applicability open to attack.
One example concerns the personal information controller, which refers to a person or organization who controls the collection, holding, processing or use of personal information, including a person or organization who instructs another person or organization to collect, hold, process, use, transfer or disclose personal information on his or her behalf. The term excludes (1) a person or organization who performs such functions as instructed by another person or organization; and (2) an individual who collects, holds, processes or uses personal information in connection with the individual's personal, family or household affairs.[xi] Under Section 14, a personal information controller may subcontract the processing of personal information, provided that the personal information controller remains responsible for ensuring that proper safeguards are in place to ensure the confidentiality of the personal information processed, to prevent its use for unauthorized purposes, and generally to comply with the requirements of the Act and other laws for the processing of personal information.

Now the question: what if the subcontracted party used the collected data for an unauthorized purpose and continued to gather data from the subject after the contract to collect had already lapsed, while the controller who contracted it had exhausted all efforts to ensure confidentiality and was not aware that the subcontracted party misused the data? Will the personal information controller be liable for the acts of the subcontracted party, given that the former evidently acted in good faith? Would vicarious liability apply? Lastly, what penalty will the subcontractor face: Section 25 (unauthorized processing of personal information and sensitive personal information) or Section 28 (processing of personal information and sensitive personal information for unauthorized purposes)? The subcontractor had authority to get data from the subject but exceeded that authority upon expiration of the contract; will that also hold the controller liable?
Now, if a person is punishable under this Act, would he still be liable under other laws? For example, if a person is liable for Unauthorized Processing of Personal Information and Sensitive Personal Information, will that person also be liable for the violation of one's privacy under other laws?

One situation relates to the Anti-Wiretapping Law which, as is clear from the above, was made to protect the privacy of a person. If a company that is an authorized personal information controller is wiretapped by someone (B) while in the process of collecting data, what offenses are committed?
It shall be unlawful for any person, not being authorized
by all the parties to any private communication or spoken word, to tap any wire
or cable, or by using any other device or arrangement, to secretly overhear,
intercept, or record such communication or spoken word by using a device
commonly known as a dictaphone or dictagraph or detectaphone or walkie-talkie
or tape recorder, or however otherwise described.[xii]
Clearly, B is in violation of the Anti-Wiretapping Law, which is punishable by imprisonment of six months to six years, and B is also in violation of the Data Privacy Act under Unauthorized Processing of Personal Information and Sensitive Personal Information:
(a) The unauthorized
processing of personal information shall be penalized by imprisonment ranging
from one (1) year to three (3) years and a fine of not less than Five hundred
thousand pesos (Php500,000.00) but not more than Two million pesos
(Php2,000,000.00) shall be imposed on persons who process personal information
without the consent of the data subject, or without being authorized under this
Act or any existing law.
(b) The unauthorized
processing of personal sensitive information shall be penalized by imprisonment
ranging from three (3) years to six (6) years and a fine of not less than Five
hundred thousand pesos (Php500,000.00) but not more than Four million pesos
(Php4,000,000.00) shall be imposed on persons who process personal information
without the consent of the data subject, or without being authorized under this
Act or any existing law.[xiii]
The question is: will the company also be liable? According to Section 20 of the Act:

(a) The personal information controller must implement reasonable and appropriate organizational, physical and technical measures intended for the protection of personal information against any accidental or unlawful destruction, alteration and disclosure, as well as against any other unlawful processing.
(b) The personal
information controller shall implement reasonable and appropriate measures to
protect personal information against natural dangers such as accidental loss or
destruction, and human dangers such as unlawful access, fraudulent misuse,
unlawful destruction, alteration and contamination.
(c) The determination of
the appropriate level of security under this section must take into account the
nature of the personal information to be protected, the risks represented by
the processing, the size of the organization and complexity of its operations,
current data privacy best practices and the cost of security implementation.
Subject to guidelines as the Commission may issue from time to time, the
measures implemented must include:
(1)
Safeguards to protect its computer network against accidental, unlawful or
unauthorized usage or interference with or hindering of their functioning or
availability;
(2)
A security policy with respect to the processing of personal information;
(3)
A process for identifying and accessing reasonably foreseeable vulnerabilities
in its computer networks, and for taking preventive, corrective and mitigating
action against security incidents that can lead to a security breach; and
(4)
Regular monitoring for security breaches and a process for taking preventive,
corrective and mitigating action against security incidents that can lead to a
security breach.
(d) The personal
information controller must further ensure that third parties processing
personal information on its behalf shall implement the security measures
required by this provision.
(e) The employees,
agents or representatives of a personal information controller who are involved
in the processing of personal information shall operate and hold personal
information under strict confidentiality if the personal information are not
intended for public disclosure. This obligation shall continue even after
leaving the public service, transfer to another position or upon termination of
employment or contractual relations.
(f) The personal information controller shall promptly notify the Commission and affected data subjects when sensitive personal information or other information that may, under the circumstances, be used to enable identity fraud are reasonably believed to have been acquired by an unauthorized person, and the personal information controller or the Commission believes that such unauthorized acquisition is likely to give rise to a real risk of serious harm to any affected data subject. The notification shall at least describe the nature of the breach, the sensitive personal information possibly involved, and the measures taken by the entity to address the breach. Notification may be delayed only to the extent necessary to determine the scope of the breach, to prevent further disclosures, or to restore reasonable integrity to the information and communications system.
(1) In evaluating if
notification is unwarranted, the Commission may take into account compliance by
the personal information controller with this section and existence of good
faith in the acquisition of personal information.
(2) The Commission may
exempt a personal information controller from notification where, in its
reasonable judgment, such notification would not be in the public interest or
in the interests of the affected data subjects.
(3) The Commission may
authorize postponement of notification where it may hinder the progress of a
criminal investigation related to a serious breach.[xiv]
What if the company implemented reasonable and appropriate measures to protect personal information and satisfied all of the above, yet B still consummated the crime? Will the company be liable? What if the company is itself a subcontractor? Will the original personal information controller that subcontracted the processing be liable even if it ensured that all security measures were complied with?

Another situation: a government official, within the scope of his duties, discloses unwarranted or false information relative to any personal information or sensitive personal information obtained by him or her, considering that the official is a personal information controller or personal information processor.
According to the Revised Penal Code, any public officer who shall reveal any secret known to him by reason of his official capacity, or shall wrongfully deliver papers or copies of papers of which he may have charge and which should not be published, shall suffer the penalties of prision correccional in its medium and maximum periods, perpetual special disqualification and a fine not exceeding 2,000 pesos if the revelation of such secrets or the delivery of such papers shall have caused serious damage to the public interest; otherwise, the penalties of prision correccional in its minimum period, temporary special disqualification and a fine not exceeding 50 pesos shall be imposed.[xv]
And in relation to RA 10173, Any personal information controller or personal
information processor or any of its officials, employees or agents, who, with
malice or in bad faith, discloses unwarranted or false information relative to
any personal information or personal sensitive information obtained by him or
her, shall be subject to imprisonment ranging from one (1) year and six (6)
months to five (5) years and a fine of not less than Five hundred thousand
pesos (Php500,000.00) but not more than One million pesos (Php1,000,000.00).
[xvi]
In addition, when the offender or the person responsible for the offense is a public officer as defined in the Administrative Code of the Philippines in the exercise of his or her duties, an accessory penalty consisting in the disqualification to occupy public office for a term double the term of the criminal penalty imposed shall be applied.[xvii]

Which law should we apply? Or should we apply both? There is nothing in the Act that repeals or amends this kind of provision. Will the official be liable under RA 10173, or for Revelation of Secrets by an Officer under the Revised Penal Code?

The same question arises when, instead of malicious disclosure, the government official commits unauthorized disclosure.
Lastly, if an officer (A) is interested in another person (B) and, knowing that they are in the same organization or company, asks the HR officer for B's data, is that within the context of the Data Privacy Act? B's data includes all the information disclosed in B's application to the organization or company, personal and sensitive personal information included; HR gave the data to A because A is an officer. Will A be liable for Processing of Personal Information and Sensitive Personal Information for Unauthorized Purposes? The Act provides: "The processing
of personal information for unauthorized purposes shall be penalized by
imprisonment ranging from one (1) year and six (6) months to five (5) years and
a fine of not less than Five hundred thousand pesos (Php500,000.00) but not
more than One million pesos (Php1,000,000.00) shall be imposed on persons
processing personal information for purposes not authorized by the data
subject, or otherwise authorized under this Act or under existing laws.
The
processing of sensitive personal information for unauthorized purposes shall be
penalized by imprisonment ranging from two (2) years to seven (7) years and a
fine of not less than Five hundred thousand pesos (Php500,000.00) but not more
than Two million pesos (Php2,000,000.00) shall be imposed on persons processing
sensitive personal information for purposes not authorized by the data subject,
or otherwise authorized under this Act or under existing laws.[xviii]
Yes. But will HR also be liable, even though the disclosure was made in confidence?

The Data Privacy Act is still new and there are a lot of gray areas, but this does not give the public the right to abuse one's privacy. Remember, privacy, as an inherent concept of liberty, has long been recognized as a constitutional right. It is a right which we all enjoy and should respect.
[i] Gamboa vs. Chan, G.R. No. 193636, 24 July 2012, p. 9
[ii] 1987 Philippine Constitution, Article III, Section 1
[iii] Ibid., Section 2
[iv] Ibid., Section 3
[v] Gamboa vs. Chan, G.R. No. 193636, 24 July 2012, p. 11
[vii] RA 10173, Section 4
[viii] RA 10173, Section 3(g)
[ix] Raul J. Palabrica, http://business.inquirer.net/79534/data-privacy-act-of-2012
[x] RA 10173, Section 2
[xi] RA 10173, Section 3(h)
[xii] RA 4200, An Act to Prohibit and Penalize Wire Tapping and Other Related Violations of the Privacy of Communication, and for Other Purposes, Section 1
[xiii] RA 10173, Section 25
[xiv] Ibid., Section 20
[xv] The Revised Penal Code of the Philippines, Article 229
[xvi] RA 10173, Section 31
[xvii] Ibid., Section 36