In May 2018, fast-food giant Jollibee got into hot water when it was found that its food delivery website contained vulnerabilities that allowed unauthorized persons to gain access to customers’ personal information stored in the website’s database. The National Privacy Commission ordered the suspension of the site until the said vulnerabilities were addressed.
This incident highlighted the importance of data privacy in the Philippines, which is protected by RA 10173 or the Data Privacy Act of 2012 (DPA). The National Privacy Commission was created in 2016 to administer and implement this law.
The importance of the Data Privacy Act
With the phenomenal rise of internet use around the world, and with almost everything today found in the cloud, data protection laws have become important tools in protecting the privacy of individuals and consumers everywhere. Without these laws, personal information is vulnerable to misuse, which can lead not only to a breach of privacy but also to cybercrimes like identity theft and transaction fraud.
The DPA brings the Philippines up-to-date with international standards on data protection. As one of the world’s largest users of the internet, the country needs to ensure that its citizens’ fundamental right to privacy is protected and preserved.
By safeguarding the privacy rights of Filipinos, the DPA paves the way for a sustainable free flow of information where consumers feel safe to give out their personal data, and government and businesses are accountable for the responsible use of the information they collect.
Moreover, the Philippines has a fast-growing business outsourcing industry where data is transmitted and processed in large volumes every day. The DPA provides BPO clients – local and international – with the assurance that the data involved in their day-to-day operations are protected and secure.
The rights protected by the DPA
The DPA guarantees the following rights to data subjects, or owners of personal information stored in a database system:
- The right to be informed that their personal data is being collected
- The right to object to the collection of data
- The right to access and move the personal data that have been collected
- The right to rectify or correct any information that has been collected
- The right to withdraw their data from the database or to block the use of their data in certain activities
- The right to damages and to file a complaint for the misuse of their data
The impact of the DPA on businesses
At its core, the DPA requires businesses that collect personal information to abide by the following:
- Have a specific, legitimate, and reasonable purpose for collecting personal data. They need to inform their customers that their personal data will be collected and the purpose for the collection of data. Customers can agree or disagree to have their data collected.
- Store and use data for the stated purpose and only for a limited and reasonable period.
- Ensure the data collected is kept accurate
- Get customers’ explicit consent before sharing their data with a third party. Data sharing must be done within the guidelines set out by the DPA
- Discard data in a way that would not expose them to unauthorized entities
Violations of the DPA can result in imprisonment of up to six years or a fine of up to P5 million.
To learn more about the DPA, check out the National Privacy Commission’s website. If you need help in ensuring your business is compliant, get in touch with FilePino at +1.806.553.6552 (USA) or +63.917.8922337 (Philippines).