Philippines

Franchette M. Acosta

Automated Decision-Making Operations, Institutions Likely to Pose Threats to Data Subjects and Phase 1 and Phase 2 of Registration with the NPC

By Franchette M. Acosta, Senior Partner, Villaraza & Angangco

Email: fm.acosta@thefirmva.com

On 31 July 2017 the National Privacy Commission (NPC) issued a Circular to further clarify the implementing rules and regulations of the Data Privacy Act. The Circular will take effect upon full compliance with publication requirements.

Under the Data Privacy Act and its rules, all Personal Information Controllers (PIC) and Personal Information Processors (PIP) with fewer than 250 employees are not required to register their data processing systems unless the processing carried out is likely to pose a risk to the rights and freedoms of data subjects, is not occasional, or includes sensitive personal information of at least 1,000 individuals. Processing of personal data will not be considered occasional if processing constitutes a core activity of the PIC or PIP. Processing operations that pose a risk to data subjects are those involving information that would likely affect national security, public safety, public order or public health, information required by applicable laws or rules to be confidential, vulnerable data subjects (such as minors, the mentally ill, asylum seekers, elderly patients), automated-decision making, or profiling. The Circular identifies the processing of personal data by the following sectors or institutions as either likely to pose a risk to the rights and freedoms of data subjects or not occasional:

  • Telecommunications networks, internet services providers and other entities or organizations providing similar services;

  • Business process outsourcing companies;

  • Universities, colleges and other institutions of higher learning, all other schools and training institutions;

  • Hospitals including primary care facilities, multi-specialty clinics, custodial care facilities, diagnostic or therapeutic facilities, specialized out-patient facilities and other organizations processing genetic data;

  • Providers of insurance undertaking, including life and non-life companies, pre-need companies and insurance brokers;

  • Bank and non-bank financial institutions;

  • Businesses involved mainly in direct marketing, networking and companies providing reward cards and royalty programs;

  • Pharmaceutical companies engaged in research;

  • PIPs processing personal data for a PIC included in the preceding items and data processing systems involving automated decision-making; and

  • Government branches, bodies or entities, including the national government, agencies, bureaus or offices, constitutional commissions, local government units, government –owned and controlled corporations.

Automated decision making refers to a wholly or partially automated decision-making processes that significantly affect the data subject. It includes profiling based on economic situation, political or religious beliefs, behavioral or marketing activities, electronic communication data and financial data.

PIC and PIP registration with the NPC is completed in 2 phases:

Phase I: Submission of prescribed application form of a PIC or PIP through its Data Protection Officer (DPO).

Phase II: DPO shall provide all relevant information regarding its data processing systems through the NPC online registration system, such as:

  • Purpose and mandate of the entity;

  • All existing policies relating to data governance, data privacy and information security;

  • Data processing certifications attained by the PIC or PIP including personnel;

  • Description of the data processing systems, including: name of the system, purposes or purposes of processing, whether processing is done as PIC, PIP or both, whether the system is outsourced or subcontracted, categories of data subjects and their personal data or categories thereof; recipients or categories of recipients to whom the personal data might be disclosed; and whether personal data is transferred outside the Philippines; and

  • Notification regarding any automated decision-making operation.

Phase 1 must be completed by 9 September 2017. Phase II shall be completed on or before 8 March 2018. The NPC will issue a certificate of registration in favor of the PIC or PIP after successful registration. The certificate of registration shall be valid only until 8 March of the next following year. An application for renewal may be filed within 2 months prior to but not later than the 8th of March of every year. A PIC or PIP who has failed to comply with the registration requirements shall be subject to cease and desist orders or payment of fines in accordance with a schedule to be issued by the NPC.

The above summary of NPC Circular 17-01 is for information purposes only and is not intended to constitute legal advice.

http://www.thefirmva.com

Tags: Compliance, Cyber Security, Data Privacy, The Philippines
Articles by Lawyer
Law Passed Strengthening Consumer Protection in the Philippines
On December 19, 2017, the Gift Check Act of 2017 (Republic Act No. 10962) was signed into law ...
Philippines: Timing for Notification under the PCC Rules on Merger Procedure
The Philippine Competition Commission published its Rules on Merger Procedure ...
Joint Venture Agreements with Philippine Local Government Units as Public-Private Partnership Modality
The Duterte Administration is poised to fund its aggressive infrastructure program internally and through official development assistance ...
Philippine Competition Commission Merger Review Guidelines
On 23 March 2017 the The Philippine Competition Commission (PCC) released the Merger Review Guidelines ...
Related Articles by Firm
Law passed promoting ease of doing business in the Philippines
A law promoting the ease of doing business and efficient delivery of government services took effect this June 2018.
Non-bank credit card issuers subject to new Bangko Sentral Regulations
To ensure that credit card issuers have the capacity to deliver services efficiently and securely, management must implement appropriate risk management and control systems.
Joint Venture Guidelines of the Philippine Reclamation Authority
The Guidelines govern all JVAs formed for the development and disposition of PRA’s existing properties and projects.
The Philippine Anti-Money Laundering Commission extends compliance requirement
Jewellery dealers, dealers in precious metals and dealers in precious stones are now deemed covered persons.
Updates on Data Privacy Law Compliance in the Philippines
Phase II Registration with National Privacy Commission ...
Philippines: Bureau of Internal Revenue Clarifies Taxes on Offshore Gaming
The Bureau of Internal Revenue (BIR) issued Revenue Circular No. 102-2017 clarifying the tax imposed on entities engaged in Philippine offshore gaming operations ...
Law Passed Strengthening Consumer Protection in the Philippines
On December 19, 2017, the Gift Check Act of 2017 (Republic Act No. 10962) was signed into law ...
Casino Covered by Philippine Anti-Money Laundering Laws
The Philippine government has expanded anti-money laundering laws to include casinos, including internet and ship-based casinos ...
Philippine rules on merger procedure
The Philippine Competition Commission issued the Rules on Merger Procedure which explain the timing for the filing of a notice for covered transactions, the procedure for notification, Phase 1 and Phase 2 review and other matters, including confidentiality claims ...
Philippines: Timing for Notification under the PCC Rules on Merger Procedure
The Philippine Competition Commission published its Rules on Merger Procedure ...
Joint Venture Agreements with Philippine Local Government Units as Public-Private Partnership Modality
The Duterte Administration is poised to fund its aggressive infrastructure program internally and through official development assistance ...
Philippine Competition Commission Merger Review Guidelines
On 23 March 2017 the The Philippine Competition Commission (PCC) released the Merger Review Guidelines ...
Related Articles
Related Articles by Jurisdiction
Age discrimination in the workplace
Republic Act No. 10911 (also known as the ‘Anti-Age Discrimination in Employment Act’) lapsed into law on 21 July ...
The right to know: Freedom of information in the Supreme Court
Like all other rights, the “right to know” is not an absolute right.
Latest Articles