Friday, 7 December 2012

Republic Act No. 10173


[REPUBLIC ACT NO. 10173]

Republic Act 10173, also known as the “Data Privacy Act of 2012”, was approved on August 15, 2012 by our President Benigno Aquino III.

It is AN ACT PROTECTING INDIVIDUAL PERSONAL INFORMATION IN INFORMATION AND COMMUNICATIONS SYSTEMS IN THE GOVERNMENT AND THE PRIVATE SECTOR, CREATING FOR THIS PURPOSE A NATIONAL PRIVACY COMMISSION, AND FOR OTHER PURPOSES.

The National Privacy Commission will administer and implement the provisions of this Act and monitor and ensure the country's compliance with international standards for data protection.
The Act applies to the processing of all types of personal information and to any natural or juridical person involved in personal information processing, including personal information controllers and processors who, although not found in the Philippines, use equipment that is located in the Philippines or maintain an office, branch or agency in the Philippines, subject to the succeeding paragraph; provided that the requirements of Section 5 are complied with.
It requires public and private entities to preserve the data they collect. In turn, the law also establishes a National Privacy Commission, which will ensure that our country complies with international security standards when it comes to data protection.
The Information Technology (IT) and Business Process Outsourcing (BPO) industries are expected to benefit the most, since the Act brings them in line with international standards of privacy protection.
The rapidly growing business process outsourcing (BPO) sector of the Philippines is set to benefit from the Data Privacy Act or Republic Act 10173, as it aims to protect the personal digital data of private and public entities, specifically those that deal with offshore businesses.


Advantages and Disadvantages

  1. Commission shall refer to the National Privacy Commission created by virtue of this Act.
  2. Consent of the data subject refers to any freely given, specific, informed indication of will, whereby the data subject agrees to the collection and processing of personal information about and/or relating to him or her. Consent shall be evidenced by written, electronic or recorded means. It may also be given on behalf of the data subject by an agent specifically authorized by the data subject to do so.
  3. Data subject refers to an individual whose personal information is processed.
  4. Direct marketing refers to communication by whatever means of any advertising or marketing material which is directed to particular individuals.
  5. Filing system refers to any set of information relating to natural or juridical persons to the extent that, although the information is not processed by equipment operating automatically in response to instructions given for that purpose, the set is structured, either by reference to individuals or by reference to criteria relating to individuals, in such a way that specific information relating to a particular person is readily accessible.
  6. Information and Communications System refers to a system for generating, sending, receiving, storing or otherwise processing electronic data messages or electronic documents and includes the computer system or other similar device by or in which data is recorded, transmitted or stored and any procedure related to the recording, transmission or storage of electronic data, electronic message, or electronic document.
  7. Personal information refers to any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.
  8. Personal information controller refers to a person or organization who controls the collection, holding, processing or use of personal information, including a person or organization who instructs another person or organization to collect, hold, process, use, transfer or disclose personal information on his or her behalf.

Section 20 of this Act addresses the security of personal information:

SEC. 20. Security of Personal Information.
(a) The personal information controller must implement reasonable and appropriate organizational, physical and technical measures intended for the protection of personal information against any accidental or unlawful destruction, alteration and disclosure, as well as against any other unlawful processing.
(b) The personal information controller shall implement reasonable and appropriate measures to protect personal information against natural dangers such as accidental loss or destruction, and human dangers such as unlawful access, fraudulent misuse, unlawful destruction, alteration and contamination.
(c) The determination of the appropriate level of security under this section must take into account the nature of the personal information to be protected, the risks represented by the processing, the size of the organization and complexity of its operations, current data privacy best practices and the cost of security implementation. Subject to guidelines as the Commission may issue from time to time, the measures implemented must include:
  1. Safeguards to protect its computer network against accidental, unlawful or unauthorized usage or interference with or hindering of their functioning or availability;
  2. A security policy with respect to the processing of personal information;
  3. A process for identifying and assessing reasonably foreseeable vulnerabilities in its computer networks, and for taking preventive, corrective and mitigating action against security incidents that can lead to a security breach; and
  4. Regular monitoring for security breaches and a process for taking preventive, corrective and mitigating action against security incidents that can lead to a security breach.
(d) The personal information controller must further ensure that third parties processing personal information on its behalf shall implement the security measures required by this provision.
(e) The employees, agents or representatives of a personal information controller who are involved in the processing of personal information shall operate and hold personal information under strict confidentiality if the personal information are not intended for public disclosure. This obligation shall continue even after leaving the public service, transfer to another position or upon termination of employment or contractual relations.
(f) The personal information controller shall promptly notify the Commission and affected data subjects when sensitive personal information or other information that may, under the circumstances, be used to enable identity fraud are reasonably believed to have been acquired by an unauthorized person, and the personal information controller or the Commission believes that such unauthorized acquisition is likely to give rise to a real risk of serious harm to any affected data subject. The notification shall at least describe the nature of the breach, the sensitive personal information possibly involved, and the measures taken by the entity to address the breach. Notification may be delayed only to the extent necessary to determine the scope of the breach, to prevent further disclosures, or to restore reasonable integrity to the information and communications system.
(1) In evaluating if notification is unwarranted, the Commission may take into account compliance by the personal information controller with this section and existence of good faith in the acquisition of personal information.
(2) The Commission may exempt a personal information controller from notification where, in its reasonable judgment, such notification would not be in the public interest or in the interests of the affected data subjects.
(3) The Commission may authorize postponement of notification where it may hinder the progress of a criminal investigation related to a serious breach.

How will it affect me? First, data privacy: it is an effort to empower people to protect their privacy and control their digital footprint, and to make the protection of privacy and data everyone's priority. Personal information is defined as “any information whether recorded in material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information.”
It includes facts and figures about a person's race, ethnic origin, marital status, age, color and religious, philosophical and political affiliations, or practically his life story.
Since my phone is an iPhone 4, I have become addicted to social networking sites, so I simultaneously open my social networks Facebook, Twitter, Skype, Foursquare and email to check on recent happenings in people's lives as well as new posts on my own wall. It is essential that personal information systems are secured and protected.
However, there is an issue or problem regarding this privacy: the hackers of web sites. Hacker is a term used in computing for several types of person, including someone who accesses a computer system by circumventing its security system. Website hacking is now common. It is simply trying to break into a site without authorization. The files of a website are stored on a computer. That computer, called a "server" or "web server", is not too different from your home PC, except that its configuration is specialized for making files available to the World Wide Web, so it has a lot of hard drive capacity and a very high speed internet connection. It probably doesn't have its own monitor or keyboard, because everyone who communicates with it does so through its internet connection. With everybody connecting to our site through the internet, it might seem like just an accident if one of our files gets changed once in a while in all the commotion, but it's not.
Our website and server have several security systems that determine what kind of access each person has. I am the owner of my web site, so I have passwords that give me read and write access to my site: I can view my files (read) and I can also change them (write). Everybody else only has read access. They can view your files, but they are never supposed to be able to change them, delete them, or add new ones.
A hack occurs when somebody gets through these security systems and obtains write access to your server. Once they obtain that, they can change, add, or delete files however they want.
But how do we prevent our website from being hacked? The first thing you need to do is maintain strong security on the computer that you use to manage your website, because someone who succeeds in infecting your computer can use it to get into your website. Keep all your internet-related software up to date with the latest security patches. Use adequate security settings in your web browser. Use strong passwords, about 8 to 20 characters. Don't give your passwords to anyone. If you do give your password to someone for some reason, change it after they are done with their work.
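The two points above, that a hack shows up as files on the server being changed, added or deleted by someone who should only have read access, and Section 20(c)(4)'s requirement for regular monitoring for security breaches, can be turned into a routine check. The following POSIX shell script is an added example and is not part of the original post: it records a SHA-256 baseline of every file under a web root, later reports which files were modified, added or removed, and lists files that anyone on the server can write to. It assumes coreutils (`sha256sum`, `find`, `sort`, `uniq`, `awk`, `mktemp`), that file paths contain no spaces, and uses a small site built in a temporary directory; all file names and contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not part of the original post): a file-integrity and
# permission audit for a web root. Assumes coreutils and paths without spaces.

# Record a SHA-256 hash for every regular file under the web root $1 into $2.
# Paths are stored relative to the root so the baseline can be compared later.
make_baseline() {
  root="$1"; out="$2"
  ( cd "$root" && find . -type f -exec sha256sum {} + | LC_ALL=C sort ) > "$out"
}

# Compare the web root $1 against the baseline file $2.
# Prints one relative path per modified, added or removed file and returns 1
# when anything differs; returns 0 and prints nothing when the site is intact.
check_integrity() {
  root="$1"; base="$2"
  cur=$(mktemp)
  make_baseline "$root" "$cur"
  # A "hash  path" line present in only one of the two files means that path was
  # modified (one line from each file), added or removed (one line in total).
  changes=$(LC_ALL=C sort "$base" "$cur" | uniq -u | awk '{print $2}' | LC_ALL=C sort -u)
  rm -f "$cur"
  if [ -n "$changes" ]; then
    printf '%s\n' "$changes"
    return 1
  fi
  return 0
}

# List regular files under $1 that any user on the server can write to.
# On a site where only the owner should have write access, this should be empty.
find_world_writable() {
  find "$1" -type f -perm -002
}

# Demonstration on a constructed site in a temporary directory.
demo() {
  site=$(mktemp -d)
  mkdir "$site/images"
  printf '<h1>Welcome</h1>\n' > "$site/index.html"
  printf 'GIF89a\n' > "$site/images/logo.gif"
  chmod 644 "$site/index.html" "$site/images/logo.gif"   # owner read/write, everyone else read-only
  make_baseline "$site" "$site.baseline"

  echo "== fresh site =="
  check_integrity "$site" "$site.baseline" && echo "no changes"

  # Simulate what the post describes: someone with write access alters a page and adds a file.
  printf '<h1>Welcome</h1><p>changed</p>\n' > "$site/index.html"
  printf 'unexpected\n' > "$site/extra.html"
  chmod 666 "$site/extra.html"

  echo "== after unauthorized change =="
  check_integrity "$site" "$site.baseline" || echo "integrity check FAILED"
  echo "== world-writable files =="
  find_world_writable "$site"

  rm -rf "$site" "$site.baseline"
}

demo
```

Run from cron against the real document root with the baseline stored somewhere the web server account cannot write; any path the check prints is a file that changed without a corresponding deployment, which is exactly the kind of event the monitoring requirement in Section 20 expects to be noticed and acted upon.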
The disadvantage of RA 10173 is that it imposes penalties equally, not only on those who have been using the internet for a long time but also on those who are newbies to it. Those who have the capability to store and transfer sensitive personal information may be prosecuted in the courts of the Philippines for improper handling of information or negligence, as stated under Section 26:
SEC. 26. Accessing Personal Information and Sensitive Personal Information Due to Negligence.
(a) Accessing personal information due to negligence shall be penalized by imprisonment ranging from one (1) year to three (3) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than Two million pesos (Php2,000,000.00) shall be imposed on persons who, due to negligence, provided access to personal information without being authorized under this Act or any existing law.
(b) Accessing sensitive personal information due to negligence shall be penalized by imprisonment ranging from three (3) years to six (6) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than Four million pesos (Php4,000,000.00) shall be imposed on persons who, due to negligence, provided access to personal information without being authorized under this Act or any existing law.