Common Blunders in DPA Compliance
It’s been almost seven years since Republic Act No. 10173, also known as the Data Privacy Act of 2012 (DPA), was passed into law, and nearly three years since its Implementing Rules and Regulations (IRR) were issued by the National Privacy Commission (NPC). One would think most people would already know by now how to comply with the law and the NPC’s administrative issuances. It seems that’s not the case just yet.
I began my own journey in privacy and data protection in 2015, and to this day I still encounter many so-called experts in the field who maintain a flawed appreciation of the law, including its most basic concepts. When shared with others, this often leads to erroneous or at least ineffective compliance efforts, wasting precious manpower and company resources along the way.
Here are some of the mistakes I frequently come across in my work:
On personal information (PI), sensitive personal information (SPI), privileged information, and personal data. These are among the key terms that must be fully understood before embarking on any compliance journey. I cannot emphasize often enough that these concepts are distinct and cannot be used interchangeably. For one, the law provides separate sets of criteria for the lawful processing of PI (Section 12 of the DPA), on the one hand, and of SPI and privileged information (Section 13), on the other. For most crimes defined by the DPA, the imposable penalties are also heavier when SPI are involved. Personal data, on the other hand, is a term introduced in the IRR; it covers not only personal information but also the other two categories. One must also avoid importing foreign terms like “personally identifiable information” (PII) into the local context: the DPA neither uses nor defines that term, so it only causes confusion and makes compliance work more difficult.
On personal information controller (PIC), personal information processor (PIP), and service provider (SP). Some people and organizations are still confused about what these terms actually mean. This is not only unfortunate but also risky: if a person or organization does not know its role in a data processing activity, it may neither appreciate nor fulfill the obligations attached to that role. A few pointers that can help sort things out: (a) If an organization controls the processing of personal data, it is a PIC. This usually means the entire organization is the PIC, not just one unit, department, or employee. There may be rare instances, though, where a particular unit or individual is considered a separate and distinct PIC (e.g., when an employee decides to process personal data in a manner that is neither required by nor part of his or her work). (b) If a person or organization processes personal data as instructed or ordered by another person or organization, it is a PIP. It usually operates under an outsourcing or subcontracting agreement, although such an agreement is not a prerequisite. (c) If a particular service or function is outsourced to a person or organization, and the processing of personal data is merely incidental to the primary engagement, then the subcontractor may be treated as an ordinary service provider. One should remember that these roles are not mutually exclusive: an organization can occupy all three simultaneously, depending on the processing activity in question.
On privacy notices and consent forms. A privacy notice describes an organization’s general approach or policy on data privacy. It informs the reader what personal data the organization collects, what it does with those data, and how the organization can be reached with related queries or complaints. A consent form, on the other hand, is mainly a tool whose purpose is to establish a legal basis for processing personal data, namely consent. It will often carry the same information as a privacy notice, but that does not mean the two should be treated as one and the same. For a quick reference on this point, check the two sets of criteria for the lawful processing of personal data (Sections 12 and 13 of the DPA). A proper consent form is necessary only if consent is to be the basis for the processing, and under the DPA that consent must be freely given, specific, and informed, and evidenced by written, electronic, or recorded means. For the other legal bases, a privacy notice is enough. In some rare instances, both documents may be dispensed with.
On the responsibility of a DPO. What started as a joke meant to liven up data privacy discussions has become a common source of misunderstanding. For the record, nothing in the law says the DPO will always be the one serving prison time and paying a fine should an organization fail to comply with the DPA; where the offender is a juridical person, Section 34 of the Act imposes the penalty on the responsible officers who participated in the offense or allowed it through their gross negligence. Neither is it accurate to say that the DPO will always be the one directly implementing DPA compliance activities in a given organization. The DPO’s responsibility is to develop policies, programs, and activities that facilitate compliance. At the end of the day, however, his or her role is advisory in nature. Decision-making remains with management, just as the actual implementation of policies and protocols remains the prerogative of the different units and offices of an institution.
Compliance with a law like the DPA is challenging, given the novelty of the concepts and principles it introduces. It’s unfortunate that the effort is being made more difficult by professionals, some of them in government, who claim expertise on the subject but are clearly still figuring things out, just like the rest of us.
To end on a more optimistic tone, the fact that more people are taking interest in data protection shows a promising future for the field. It’ll just take some time before enough competent individuals are around to set things straight and keep everyone traveling along the correct path in what is expected to be a long but fulfilling compliance journey.
This article first appeared on GMA News Online on March 11, 2019 01:05 pm.