Data Privacy Act of 2012
The Philippine Digital Society
The Philippines is considered the fastest growing market for smart phones and anything to do with digital stuff and social media, not only in our small region of Southeast Asia but likely on a global scale as well, based on earlier reports stating that the Philippines is the texting capital and the self-portrait, more commonly known as “selfie”, capital of the world. Now that is something. We cannot fully ascertain what that “something” is, but that is “something.”
Presently, Filipinos, statistically speaking, spend more time holding their smart phones and surfing the Internet to post or view statuses, pictures, or videos of themselves, their clothes, food, or practically anything under the sun. The Internet has become the real world and the real world has become the virtual one. At least, that is how the majority of people, young or adult, have come to see it because of too much time spent on the Internet.
When we speak about people surfing the Internet on smart phones, it necessarily follows that smart phone users subscribe to a particular mobile network in order to make use of the network's internet data services (which were so expensive yet so slow compared to those offered in our neighboring countries like Vietnam, Laos, Malaysia, and Singapore, the latter having the fastest internet services in our region, if not globally).
The networks in the country offer various data packages for their internet services. But before users immersed themselves in the usage of smart phones, the latter were known first as mobile phones, the ones used for sending text messages and making calls to others. It follows then that to be able to use a mobile phone, one has to subscribe to a network's prepaid SIM card (the one mostly used by the masses because it's cheaper, and subscribers have the option to reload it anytime the prepaid load runs out) or postpaid SIM card (the one used mostly by those who can afford to spend more, and those who are able to pay their monthly bills from such network).
Mobile Numbers: Personal Information Identifications?
Mobile numbers are the numbers assigned to a particular user upon payment of a certain fee and after agreeing to the terms and conditions of use provided by the network company. The number may be a random one provided by the company or one that the subscriber chooses based on preference and customization after paying an additional amount. Again, the company provides an End User License Agreement between the company and the subscriber, which most of us may assume is the kind of agreement that users never fully read but still consent to on the “I have read and agree” portion of the agreement.
Now, we have established the root or origin of the mobile numbers that we still use nowadays on different smart phones regardless of having other multiple accounts on social media sites in the internet. There are options on said social media sites, and practically all forms of application or subscriptions wherein the user or subscriber is required to provide his or her mobile number for reference and identification or confirmation of identification after signing up to a certain site. Does this mean that mobile numbers now are equivalent to the person’s identity as well? If so, are there any security measures to make sure that the same is protected from, say identity theft or other kinds of fraud that may damage a person’s identity in the physical or virtual world?
Behold, this article presents to you the Data Privacy Act of 2012! Republic Act 10173 or An Act Protecting Individual Personal Information in Information and Communication in the Government and the Private sector, creating for this purpose a National Privacy Commission, and for other purposes, is the answer that the country’s legislators thought through to provide security for the personal information of a commoner and the government.
The Data Privacy Act, how is it applicable in the real world?
Let us give the reader, you, a brief overview of what RA 10173 or the Data Privacy Act contains and how it may protect you.
The aim of the Data Privacy Act of 2012 is to protect the fundamental right of every person to privacy of communication while ensuring the free flow of information to promote innovation and growth. Another aim is to ensure that personal information and communication systems in the government and the private sector are protected and secured.
This Act was approved by the President, Benigno Aquino III on 15 of August 2012 and took effect on 8 of September 2012 after its publication on 24 August 2012. As stated in the Title of the Act, a government body known as the National Privacy Commission was created to administer and implement the said act and see to it that everyone complies with the standards and procedures laid by the Act based on international standards set for data protection.
The Act mandates the public and private institutions to protect and preserve the confidentiality and integrity of all personal data that they may gather, in compliance with international standards of data security.
Now, going back to mobile phone numbers: may they be considered personal information falling under the definition provided by law?
The National Institute of Science and Technology lists the mobile number as one of its specific examples of Personally Identifiable Information.
But then again, based on the definition under the Data Privacy Act, may a mobile number be considered data within the scope of applicability of the law?
“Sec.3 Definition of Terms. –
…c. Data Subject refers to an individual whose personal information is processed.
…g. Personal Information refers to any information whether recorded in material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify the individual.
…j. Processing refers to any operation or any set of operations performed upon personal information including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data.”
“Sec.4 Scope. – This Act applies to the processing of all types of personal information and to any natural or juridical person involved in personal information processing including those personal information controllers and processors who, although not found or established in the Philippines, use equipment that are located in the Philippines, or those who maintain an office, branch or agency in the Philippines subject to the immediately preceding paragraph: Provided, That the requirements of Section 5 are complied with.”
It can be observed from these provisions that mobile phone numbers do not necessarily fall within the definition of personal information, regardless of their relevance to many applications or subscriptions, because anyone can easily change a prepaid mobile number.
Then the question, “Will the act of improper or malicious or negligent disclosure of someone’s mobile number to another person fall under the category of this Act and be penalized?”, becomes immaterial because:
First, personal information was already defined as that from which the identity of someone may be ascertained. Is it necessarily correct to say that knowing someone’s mobile number means that the holder of such information already has concrete information or certainty as to the identity of the owner of the number? In this fast-paced generation of mobile technology, the author doesn’t think that it follows. Why? Anyone can own a SIM card, just like buying a stick of cigarette in a store, because of its easy accessibility and cheap price. Anyone can change their number like changing their clothes. So there you have it: mobile numbers cannot give certainty that the owner is who you think he is.
Second, the scope of application covers only those persons involved in personal information processing, like the BPO companies. So there is no worry if you accidentally or intentionally gave your friend’s number to all your classmates or officemates and told them to text that number to get a free reply.
A mere exchange of information between yourself and another person will not constitute a violation of this Act because the Act makes clear that it only covers those persons, juridical or natural, engaged in the business of data processing, such as the processing of personal information but not including mobile numbers.
Applicability of the law
Based on the author's reading of this Act, it is safe to assume that there are several parts that may catch the reader's attention and raise questions.
First, the provision relating to journalists would seem to be beneficial and all, but a more comprehensive reading of the same would seem to give them the confidence to abuse their right as media personnel. Hopefully this will not happen. The media is a venue to broadcast facts and information that is supposed to be beneficial. Well, it may broadcast even the wrongs committed, but only because they are facts. In these times, what we see in the media, especially in the news, is only what the media wants us to see, for they have control over such information and over whether to reveal the truth of it or merely air it for the sake of ratings and not because of true journalism and broadcasting.
The pertinent provision on Sec. 5 provides:
Nothing in this Act shall be construed as to have amended or repealed the provisions of Republic Act No. 53, which affords the publishers, editors or duly accredited reporters of any newspaper, magazine or periodical of general circulation protection from being compelled to reveal the source of any news report or information appearing on said publication which was related in any confidence to such publisher, editor or reporter.
Also noteworthy is that the Act enumerates different kinds of penalties according to each violation that may be committed:
1. The unauthorized processing of personal information or personal sensitive information – penalties are imposed on persons who process personal information without the consent of the data subject, or without being authorized under this Act or any existing law.
2. Accessing Personal Information and Sensitive Personal Information Due to Negligence – penalties are imposed on persons who, due to negligence, provided access to personal information without being authorized under this Act or any existing law.
3. Improper Disposal of Personal Information and Sensitive Personal Information – penalties are imposed on persons who knowingly or negligently dispose, discard or abandon the personal information of an individual in an area accessible to the public or has otherwise placed the personal information of an individual in its container for trash collection.
4. Processing of Personal Information and Sensitive Personal Information for Unauthorized Purposes – penalties are imposed on persons processing personal information for purposes not authorized by the data subject, or otherwise authorized under this Act or under existing laws.
5. Unauthorized Access or Intentional Breach – penalties are imposed on persons who knowingly and unlawfully, or violating data confidentiality and security data systems, breaks in any way into any system where personal and sensitive personal information is stored.
6. Concealment of Security Breaches Involving Sensitive Personal Information – penalties are imposed on persons who, after having knowledge of a security breach and of the obligation to notify the Commission pursuant to Section 20(f), intentionally or by omission conceals the fact of such security breach.
7. Malicious disclosure – penalties are imposed on any personal information controller or personal information processor or any of its officials, employees or agents, who, with malice or in bad faith, discloses unwarranted or false information relative to any personal information or personal sensitive information obtained by him or her.
8. Unauthorized disclosure – penalties are imposed on any personal information controller or personal information processor or any of its officials, employees or agents, who discloses to a third party personal information not covered by the immediately preceding section without the consent of the data subject.
Because of these penalties, one may say that there is ample security and protection of their personal information. But then again, reality check, will the government really be able to implement such actions? There are numerous questions as to the competency of the government agencies involved. True that this is just a neophyte Act that needs a lot of adjustments for its implementation. But that is what is wrong with the government’s implementation. Every time that a new act or law emerges, the government agencies expect the people to forgive their incompetence and unpreparedness for the implementation.
Well, we can only hope for the best. It is a reasonable, timely, and good law, this RA 10173, because it says that it will afford protection and security for the processing of data by those persons involved in that operation. But as members of a civilised society that engulfs itself in the magnificent offers of the digital world, it is the people’s own responsibility to stay vigilant, whether walking alone at night or giving information to anyone. It is always better to be safe. Be responsible.
Note: The author made her own observations and put in her own insights as to the effects and basically the nature of the Act involved. This is not intended as legal advice or a very reliable educational reference at par with the likes of other known published works, but only an opinion and viewpoint on the matter at hand.
The Author also wishes to share this article, which may be helpful for other researchers. Some ideas were based on the said article. http://business.inquirer.net/79534/data-privacy-act-of-2012