Automated Decision-Making Operations, Institutions Likely to Pose Threats to Data Subjects and Phase 1 and Phase 2 of Registration with the NPC
By Franchette M. Acosta, Senior Partner, Villaraza & Angangco
Email: fm.acosta@thefirmva.com
On 31 July 2017 the National Privacy Commission (NPC) issued a Circular to further clarify the implementing rules and regulations of the Data Privacy Act. The Circular will take effect upon full compliance with publication requirements.
Under the Data Privacy Act and its rules, all Personal Information Controllers (PIC) and Personal Information Processors (PIP) with fewer than 250 employees are not required to register their data processing systems unless the processing carried out is likely to pose a risk to the rights and freedoms of data subjects, is not occasional, or includes sensitive personal information of at least 1,000 individuals. Processing of personal data will not be considered occasional if processing constitutes a core activity of the PIC or PIP. Processing operations that pose a risk to data subjects are those involving information that would likely affect national security, public safety, public order or public health, information required by applicable laws or rules to be confidential, vulnerable data subjects (such as minors, the mentally ill, asylum seekers, elderly patients), automated-decision making, or profiling. The Circular identifies the processing of personal data by the following sectors or institutions as either likely to pose a risk to the rights and freedoms of data subjects or not occasional:
-
Telecommunications networks, internet services providers and other entities or organizations providing similar services;
-
Business process outsourcing companies;
-
Universities, colleges and other institutions of higher learning, all other schools and training institutions;
-
Hospitals including primary care facilities, multi-specialty clinics, custodial care facilities, diagnostic or therapeutic facilities, specialized out-patient facilities and other organizations processing genetic data;
-
Providers of insurance undertaking, including life and non-life companies, pre-need companies and insurance brokers;
-
Bank and non-bank financial institutions;
-
Businesses involved mainly in direct marketing, networking and companies providing reward cards and royalty programs;
-
Pharmaceutical companies engaged in research;
-
PIPs processing personal data for a PIC included in the preceding items and data processing systems involving automated decision-making; and
-
Government branches, bodies or entities, including the national government, agencies, bureaus or offices, constitutional commissions, local government units, government –owned and controlled corporations.
Automated decision making refers to a wholly or partially automated decision-making processes that significantly affect the data subject. It includes profiling based on economic situation, political or religious beliefs, behavioral or marketing activities, electronic communication data and financial data.
PIC and PIP registration with the NPC is completed in 2 phases:
Phase I: Submission of prescribed application form of a PIC or PIP through its Data Protection Officer (DPO).
Phase II: DPO shall provide all relevant information regarding its data processing systems through the NPC online registration system, such as:
-
Purpose and mandate of the entity;
-
All existing policies relating to data governance, data privacy and information security;
-
Data processing certifications attained by the PIC or PIP including personnel;
-
Description of the data processing systems, including: name of the system, purposes or purposes of processing, whether processing is done as PIC, PIP or both, whether the system is outsourced or subcontracted, categories of data subjects and their personal data or categories thereof; recipients or categories of recipients to whom the personal data might be disclosed; and whether personal data is transferred outside the Philippines; and
-
Notification regarding any automated decision-making operation.
Phase 1 must be completed by 9 September 2017. Phase II shall be completed on or before 8 March 2018. The NPC will issue a certificate of registration in favor of the PIC or PIP after successful registration. The certificate of registration shall be valid only until 8 March of the next following year. An application for renewal may be filed within 2 months prior to but not later than the 8th of March of every year. A PIC or PIP who has failed to comply with the registration requirements shall be subject to cease and desist orders or payment of fines in accordance with a schedule to be issued by the NPC.
The above summary of NPC Circular 17-01 is for information purposes only and is not intended to constitute legal advice.