What laws apply to the collection and use of individuals’ personal information?
Data privacy laws have become more prominent in recent years. As the amount of personal information available online has grown substantially, there has been an enhanced focus on the processing of personal data, as well as the enforcement of such laws.
The Data Privacy Act of 2012 (Republic Act No. 10173), along with its associated implementing rules and regulations, sets the privacy standard in the Republic of the Philippines and is designed to protect personal information held in information and communication systems.
The Act applies to employers who use equipment in the Philippines, or who maintain an office, branch or agency in the Philippines (with a few exceptions). Note that the Act does not apply to data “originally collected from residents of foreign jurisdictions in accordance with the laws of those foreign jurisdictions, including any applicable data privacy laws, which is being processed in the Philippines.”
The Act outlines the role of Personal Information Controller (PIC), which would be the employer in the context of employment as they control the collecting, holding and processing of personal employee and applicant information. It also sets the role of a Personal Information Processor (PIP), who processes data at the instructions of the controller.
A higher level of protection is required for sensitive personal information, which is defined as information relating to:
- an employee or applicant’s race, ethnicity, marital status, age, color, religious/philosophical/political affiliations;
- health, education, genetic/sexual life, court sentences/proceedings/dismissals (alleged or committed);
- government-issued data specific to individuals such as social security numbers, current health records, licenses (including denial/suspension/revocation of licenses), tax returns; and,
- records that have been classified by Congress or an executive order.
With respect to medical files, certain laws require that they be kept confidential by the employer, such as Republic Act No. 8504 (HIV/AIDS), RA No. 9262 (Violence Against Women and their Children), RA No. 9165 (Comprehensive Dangerous Drugs Act), and RA No. 7277 (Magna Carta for Disabled Persons). Separately, in the event of a gender-based sexual harassment investigation, Republic Act No. 11313 places a special emphasis on the confidentiality of victim records.
Employees should be given notice before their personal information is collected, and generally must provide recorded consent before sensitive personal information is collected (with some exceptions).
The current authority responsible for enforcement of data privacy law and regulations in the Philippines is the:
National Privacy Commission