
‘APPOINTING A DATA PROTECTION OFFICER.’ The first of Atty. Matthew Mortega’s articles on the Data Privacy Act of 2012.


We live in a time when personal information can be freely transferred from one entity to another without any authorization whatsoever, causing consternation among many who use online services, particularly social media. Thus, in 2012, Republic Act No. 10173, or the Data Privacy Act of 2012 (“DPA”), was passed, the declared policy of which is “to protect the fundamental human right of privacy, of communication while ensuring free flow of information to promote innovation and growth” (Sec. 2). The Act protects an individual’s personal information in information and communications systems in both the government and the private sector.

To guide covered entities in complying with the Act, the National Privacy Commission (“NPC”) identified five pillars of compliance and accountability for personal information controllers and processors covered by the DPA. The first pillar is the appointment of a Data Protection Officer.

 

Why Appoint a Data Protection Officer?

A Data Protection Officer (“DPO”) is a person designated by the organization to ensure that the personal information and sensitive personal information of its data subjects are protected and secured. As such, the DPO is accountable for ensuring compliance by the Personal Information Controller (“PIC”) or Personal Information Processor (“PIP”) with the DPA, its Implementing Rules and Regulations (“IRR”), related issuances of the NPC, and other applicable laws and regulations on data privacy and security.

 

What are the General Qualifications to be a DPO?

The law does not expressly state the qualifications required of a DPO; however, for smoother compliance, a DPO should possess specialized knowledge and demonstrate the reliability necessary for the performance of his or her duties and responsibilities. The DPO should therefore have expertise in relevant privacy and data protection policies and practices, as well as a sufficient understanding of the processing operations carried out by the controller or processor.

 

Duties and Responsibilities of the DPO.

A DPO, among other things, shall monitor whether the collection and processing of the personal information of data subjects is in accordance with the DPA. For this purpose, he or she shall:

  1. Monitor the controller’s or processor’s compliance with the DPA, its IRR, issuances of the NPC, and other applicable laws and policies. To this end, the DPO may:

  • Collect information to identify the processing operations, activities, measures, projects, programs, or systems of the PIC or PIP, and maintain a record thereof;

  • Analyze and check the compliance of processing activities, including the issuance of security clearances and compliance by third-party service providers;

  • Inform, advise, and issue recommendations to the PIC or PIP;

  • Ascertain the renewal of accreditations or certifications necessary to maintain the required standards of personal data processing; and

  • Advise the PIC or PIP on the necessity of executing a Data Sharing Agreement with third parties, and ensure its compliance with the law.

  2. Ensure the conduct of Privacy Impact Assessments relative to the activities, measures, projects, programs, or systems of the controller or processor;

  3. Advise the controller or processor regarding complaints and the exercise by data subjects of their rights, such as requests for information, clarification, rectification, or deletion of personal data;

  4. Ensure proper data breach and security incident management by the controller or processor, including the preparation and submission to the NPC of reports and other documentation concerning security incidents or data breaches within the prescribed period;

  5. Inform and cultivate awareness of privacy and data protection within the organization of the controller or processor, including all relevant laws, rules, regulations, and issuances of the NPC;

  6. Advocate for the development, review, and revision of the policies, guidelines, projects, and programs of the controller or processor relating to privacy and data protection;

  7. Serve as the contact person of the controller or processor vis-à-vis data subjects, the NPC, and other authorities in all matters concerning data privacy or security; and

  8. Perform such other duties and tasks as further the interest of data privacy and security and uphold the rights of data subjects.

Conclusion:

In sum, the first step toward compliance is appointing a qualified Data Protection Officer to advance the protection and security of the information of the organization’s data subjects, whether personal information or sensitive personal information. The primary function of a DPO is to protect and secure that information, and a DPO who fails to do so shall be accountable before the National Privacy Commission.

The second pillar of compliance is Assessment of Risk: Conducting a Privacy Impact Assessment, which I’ll discuss in the next article.

Atty. Matthew Mortega. Sept. 12, 2018.

Link: RA 10173 – The Data Privacy Act of 2012.
