
5 Reasons the Data Privacy Act and the Freedom of Information EO Don’t Conflict With Each Other

Mel Sta. Maria, columnist-broadcaster, AksyonTV5 (from http://interaksyon.com.ph)


Broadcaster-lawyer Mel Sta. Maria wrote in his column recently that the Data Privacy Act (DPA) of
2012, or Republic Act (RA) 10173, potentially serves to make ineffective the Executive Order (EO) on
Freedom of Information (FOI) that President Rodrigo Duterte recently signed before he delivered
his first State of the Nation Address last Monday.

While as a matter of general principle Atty. Mel is correct, a close examination of the provisions of the
Data Privacy Act and the recently signed Executive Order yields the following observations,
which may be seen as reasons why the law does not actually conflict with the FOI EO:

1. The concepts of “data privacy” in the law (DPA) and “privacy” in the FOI EO are different
While RA 10173 may not have defined either “data privacy” or “privacy”, these are
two distinct concepts that operate for different purposes and may be invoked through different means,
with the more general concept of “privacy” not dependent on what the law dealing with “data
privacy” provides.

“Data privacy” under RA 10173 involves the personal information of individuals, without regard to their
nationality, who are referred to in the law as “data subjects”. Data subjects are given certain rights in
sec. 16 of the Act as regards the processing of their personal information, while the law also provides
for the security of personal information being processed and for accountability in the transfer of said
personal information, among other noteworthy provisions.

It can be conceded that even “privacy” as a stand-alone concept is not well defined in our laws. In
the 1987 Constitution, in the Bill of Rights in art. III, sec. 3(1), it carries a qualifier, as in “privacy of
communication and correspondence”. Even the right in art. III, sec. 2 of the 1987 Constitution of
individuals or citizens to be secure in their persons, houses, papers and effects against any
unreasonable searches and seizures of whatever nature and for any purpose is also a right
to privacy in a broader sense, along with the original notion of “privacy” when it was first
articulated by US Supreme Court Justice Louis D. Brandeis and Samuel D. Warren in their famous
Harvard Law Journal article in 1890 as the “right to be let alone.”

Sec. 7 of the FOI EO, as referred to by Mel Sta. Maria, may be referring to this broad
notion of “privacy”, not the “data privacy” referred to in the DPA. What this means is that
“privacy” in the FOI EO will operate under different rules and will not necessarily be affected by the
provisions on “data privacy” in the DPA. However, the implementing regulations of the FOI EO and of
the DPA will have to be harmonized (the National Privacy Commission, which implements the DPA, has
been conducting nationwide consultations on its draft IRR of RA 10173), and the rules may be written
to state when the broad notion of “privacy” in the Constitution and the notion of “data privacy” in the
law will apply, and under what circumstances. As Mel Sta. Maria said, the devil is in the details.

2. The processing of personal information done under the DPA does not involve disclosure and public access to information on matters of public concern
What we as “data subjects” under the DPA should be watchful of is the “processing” of our
personal information. That word is defined in sec. 3(j) of the law as “any operation or any set of
operations performed upon personal information including, but not limited to, the collection,
recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation,
blocking, erasure or destruction of data.”

These acts are of an entirely different character from disclosure and the giving of public access to
information on matters of public interest, so the act of providing disclosure and public access to
information under the FOI EO may not be considered the “processing” of personal information as
contemplated by the law. Besides, what the FOI EO facilitates, disclosure and public
access on matters of public interest, is constitutional in character, part of the Bill of Rights of the
People, framed as “the right of the people to information on matters of public concern”. As
rights emanating from the Constitution, they cannot simply be nullified or qualified by the notion of
“processing” of personal information provided for by the DPA. In other words, a law cannot be made
to prevail over a provision of the Constitution. Neither can such a constitutional mandate be
overridden by the FOI EO, since an Executive Order is usually considered a lower category of
regulation than a legislative act.

Putting the FOI EO and the law side by side, this is where Mel Sta. Maria is correct that, if not
fine-tuned very well, the DPA may make the FOI EO ineffective, especially when the public
official opposes the giving of access to personal information by citing sec. 7(b) of the FOI EO, under
which the public official may be unduly exposed to vilification, harassment or any other wrongful acts.
Resolving this dilemma points us to our succeeding points below.

3. Sensitive personal information in the DPA does not include investigation into a public official’s alleged hidden wealth or wrongdoing
Delving further into the nitty-gritty of the DPA, there may be certain types of personal information
whose processing is absolutely prohibited save for certain exceptions provided by sec. 13 of the law;
we ask our readers to consult that section to learn what those exceptions are.

But looking at what may be considered as “sensitive” personal information, it also refers to “any
proceeding for any offense committed or alleged to have been committed by such person, the
disposal of such proceedings, or the sentence of any court in such proceedings.”

What this means is that if there is any alleged hidden wealth or wrongdoing by a public official, which
is what the FOI EO seeks to have disclosed, the public official cannot simply allege that the information
is sensitive, as there has to be a “proceeding” first in which such sensitive personal information may be
involved. This “proceeding”, which has to be a formal process, does not extend to any investigation
done by a reporter, a researcher or anyone else to determine whether there is such hidden wealth or
wrongdoing. Besides, under sec. 4(d) the DPA does not apply to the processing of personal information for
“journalistic, artistic, literary or research purposes.”

4. The provisions on data privacy in the DPA do not apply to the acts by which public officials have performed their tasks under their mandate and function
RA 10173 expressly provides in sec. 4(a) that “information about any individual who is or was
an officer or employee of a government institution that relates to the position or functions of the
individual” is outside the scope of the law, so any such information about the acts of a public
official in performing his or her functions is not covered by the rights to data
privacy provided by RA 10173.

When read together with sec. 7(c) of the FOI EO, which states the following:

“any employee, official or director of a government office per section 2 hereof who has access,
authorized or unauthorized, to personal information in the custody of the office, must not disclose
that information except when authorized under this order or pursuant to existing laws, rules or
regulation.”

what this means is that the DPA cannot be used to deny access to the information being requested,
since the DPA has nothing to do with information about any individual who is or was an officer or
employee of a government institution that relates to the position or functions of the individual.
Instead, it is the implementing rules of the FOI EO that will deal with how the non-disclosure or
disclosure of the public official’s personal information will be carried out, and perhaps those rules
should be written in a manner that does not defeat the people’s constitutional right to information on
matters of public concern. Here, Atty. Mel is correct that there can be further layers of rules that will
subject the FOI EO to further limitations and contingencies, but that is due not to the DPA but to the
rules that will be further issued as stated in the FOI EO.

5. Civil liabilities arise from the violation of the general right to privacy, but in the right to data privacy, only “restitution” is possible, a remedy which is but one form of civil liability
The Civil Code, in its art. 32, makes liable for damages any public officer or employee, or any private
individual, who directly or indirectly obstructs, defeats, violates or in any manner defeats or impairs
the constitutional rights of a person, among which are the right to be secure in one’s person,
house, papers and effects against unreasonable searches and seizures, and the privacy of
communication and correspondence.

What this means is that the public official concerned, whose right to privacy is protected in the FOI EO,
can sue for damages anyone, including his or her fellow public employees, who may
interfere with the public official’s constitutional right to privacy, but not with the data privacy
referred to in the DPA.

This right to sue for damages for violation of the said constitutional rights is a broad one, and is
different from the right to restitution mentioned in sec. 37 of the DPA, which is the only remedy provided
to those aggrieved by the implementation of the law.

Restitution, which is explained in art. 105 of the Revised Penal Code, refers to the restoration of the
thing itself, which here means the rectification of any error in the processing of the data subject’s
personal information and nothing else. A public official whose information may have been unduly
processed under the DPA may invoke the penal provisions of the DPA and the accompanying hefty
fines included therein, but given that this is a special law, the general notion of damages, from moral
damages and nominal damages to actual damages and exemplary damages, may not be invoked when the
public official is suing under the DPA.

In summary, the unqualified right to privacy may, at first glance, defeat the public’s right to
information on matters of public concern, but this must be distinguished from the right to data privacy,
which operates under the rules provided by the Data Privacy Act (DPA). The DPA and the FOI EO do
not outright clash, but the implementing rules of both the law and the Executive Order may need to
be fine-tuned and harmonized to fully implement the public’s right to information on matters of public
concern.

The passage of a law on FOI may have to await how these two measures play out, so let us have
those implementing rules issued and implemented already, so that we all benefit from the experience of
how they may be made to work with each other, and the future law on FOI will be the means to
resolve their possible areas of conflict, if ever there is a real one.

Systems Registration 101

Systems registration requires companies to register their systems and processes that collect data
from individuals.
We live in an era when personal data is so valuable that many business models and economies are now actually
built around its collection and use. To prevent or at least discourage abuse, governments develop laws that aim
to regulate this phenomenon. The Philippines has Republic Act No. 10173, or the Data Privacy Act of 2012
(DPA), with the National Privacy Commission (NPC) overseeing its proper implementation.

To many, understanding many of the law’s provisions and translating DPA compliance into an organization’s
day-to-day operations is a daunting but necessary task.

To remedy this, we've gone straight to the source, and signed up two experts – Jam Jacob, the data protection
officer of the Ateneo de Manila University and former head of the Privacy Policy Office of the NPC; and Ivy
Patdu, Deputy Privacy Commissioner for Policies and Planning of the NPC.

The two will be authoring a series of articles that take up the various compliance elements of the law, as seen
from two vantage points, and presented in FAQ form. In this issue, they talk about the NPC’s registration
platform for data processing systems.

Q: What is the reason for the registration system?

Ivy: The registration of data processing systems is one of the compliance requirements of the NPC. It is the
counterpart of the “notification” requirement of the European Union’s (EU) Data Protection Directive, which has
since been replaced by the General Data Protection Regulation (GDPR).

The NPC retained this requirement in line with the strategies it will implement pursuant to its compliance
monitoring function. It considers the system a means to administer and implement the DPA, particularly in
promoting transparency and public accountability in the processing of personal data.

For registered entities, it is an acknowledgment of their personal data processing activities, and a means to
provide their contact information for any data privacy-related matters. It also shows their commitment to comply
with the law and provides a venue for better engagements with the NPC.

It should be seen as part of the compliance journey insofar as it allows personal information controllers (PICs)
and personal information processors (PIPs) to comply with requirements of maintaining a record of their
processing activities, and to have an initial basis for their risk assessment activities.

In the future, the NPC may maintain a registry that is subject to reasonable public access. This is helpful to
those who may have concerns against big corporations, especially those operating across borders.

Q: What do you think of this compliance requirement?

Jam: I think it has lost its place in the ideal regulatory framework for data protection. The EU, which arguably
has the most mature data protection regime today, did not retain this requirement when it updated its legal
regime this 2016, with the enactment of the GDPR. That ought to say a lot.

At best, it provides a data protection authority a baseline upon which it can begin its assessment or investigation
of a particular company. If the registry is accessible to the public, the system also lends itself to the transparency
principle espoused by data protection laws. With that, given the effort a company will have to expend to meet
its obligations under a system like this, I just don’t see a fair tradeoff.

In the meantime, though, I hope that references and other resources from the NPC are forthcoming since there
are still plenty of matters to clarify about this compliance requirement.

Q: What are some common questions about the system that you want to address?

Ivy: One common issue is how to interpret “data processing systems.” There is ambiguity, for example, on
whether each and every process will be registered, whether to include systems like the registration of guests in
a condominium lobby in a logbook, or whether storing data in one data server qualifies as one system.
Organizations are advised to group related processes together under one system for purposes of registration.
Factors that may be considered include their having a common or related purpose, having the same system
inputs or outputs, and similar processes using a common system.

For instance, the Human Resource Department can define systems based on its strategic functions such as
Hiring and Staffing Data Processing System, Performance Management Data Processing System, or Training
and Development Data Processing System. When processes are grouped together, the organization should be
prepared to justify or show the relationship of the processes with each other.

Q: What will happen if a company doesn’t register?

Ivy: The NPC can issue compliance orders, and file court processes to require compliance. At the same time,
non-registration is one of the considerations in identifying the organizations to be subjected to a compliance
check. Taking into account due process considerations and a proper investigation, the Commission may issue
stop processing orders and other enforcement actions.

With that, organizations should be mindful that registration is only one aspect of compliance. It does not exempt
anyone from an investigation, nor does it protect the PIC or PIP from breach. Accordingly, organizations would
do well to prioritize embedding privacy and data protection measures in their day-to-day operations.

Q: What are some of the issues or challenges encountered in its implementation?

Ivy: One of the challenges is perhaps the requirement of registration imposed on individual professionals,
particularly registration of physicians. There was a lot of confusion because some physicians were unsure
whether they were required to register or not. At the moment, physicians account for about a third of those
registered with the NPC. The registration should have a more even distribution across sectors.

The submission of paper-based registration forms is also a challenge. In those cases where registration was
done offline, forms had to be separately encoded, which entailed both manpower and budget costs. For early
registrants, NPC accepted submissions of paper-based forms in order to avoid imposing an undue burden on those
who opted not to use the online platform.

Jam: Based on the experience of our organization and those I’ve assisted in this area, there were quite a
number of problems with the system. I’ll just name four:

- Identifying systems. Singling out processes that qualify as a data processing system requiring registration
is difficult, especially for large organizations and/or complex systems. An organization can have hundreds
of units or offices, and each one is bound to have its own set of “systems”.
Which ones do you register? How about those who maintain similar systems (e.g., registration systems
for events)? Sometimes, a system is used by multiple units or offices. Sometimes a system forms part of
or connects to a much larger one. If a program, software, or application is being used, it is common for
people to assume that that’s the system that requires registration. It’s not always the case.
- Technical glitches in the online registration system. We experienced a lot of technical difficulties. A couple
of times, after having put in all the entries for a particular system, we’d find out later on that nothing was
saved or recorded. Activation took a while, too. There was an issue with the link we were provided with. It
turned out it had already expired.
- Late launch of the online platform. The online registration system came out just a couple of weeks before
the deadline set by the NPC, leaving a very narrow window for organizations to meet it. Obviously, this
was unfair to bigger companies who had more systems to register compared to their peers.
- Registration of individuals. Suffice to say, I don’t believe it was the intention of the law to cover individuals
who process personal data. If this is to be upheld, then a comprehensive guide should be in the works
since there is a long list of questions waiting to be answered in this respect.

Q: Do you have any tips for those working to register their data processing systems?

Jam: Pending further guidance from the NPC, I recommend that organizations decide early on how they intend
to interpret the definition given for “data processing system.” Using that interpretation, they should do a quick
in-house survey/study of all their existing systems, from the simple ones to the complex.

It is important to secure all the information required by the NPC in its online registration platform. Then they
should register. As long as there is no intention to commit fraud, they shouldn’t be afraid to get some things
wrong at first. Anyway, subsequently revising one’s registration information is permitted.

The key is to show that you are willing to comply by making a genuine effort to do so. After you’ve done this
initial but important step, carry out a comprehensive Privacy Impact Assessment (PIA) on your organization. It’s
going to take quite a while, especially if you’re a large organization, but only a proper enterprise-level PIA will
provide the accurate information necessary to comply with this registration requirement.

Q: How do you see this system moving forward?

Ivy: It is acknowledged that the trend in other countries has been to move away from notification (registration)
requirements. This may be because of the increasing importance of the role of data protection officers (DPOs),
and the view that registration requirements are just an administrative burden.

In many ways, the DPO is seen as addressing the need for transparency and public accountability in data
processing. In the Philippines, DPOs are those persons designated to ensure an organization’s compliance with
the DPA. They are supposed to be accessible to both internal and external stakeholders. This may be explored
by the NPC in the future.

Should the registration system continue, the challenge for the NPC is to be able to limit the focus of the
registration requirement to the critical few – those companies and businesses that have large-scale processing
activities for their core activity, and those with complex data processing systems. Further to that, the system
has to be both cost-effective and risk-based if it’s going to be sustainable.

Jam: Perhaps it’s because of my admitted bias towards this issue that I think the registration system will not
last long. Sooner or later, we’ll get to appreciate what the EU learned from their nearly two decades’ worth of
experience with their registration system. Today, the regulators there seem to think that organizations should
focus more on developing internal data protection measures.

That’s where they should be spending their attention and resources. I agree. Transparency can be achieved
in so many other ways, and a data protection authority can simply ask an organization for baseline data if and
when it will conduct an inspection or investigation of that particular organization.

I should also mention that decommissioning the system will free up precious resources for the NPC, too.
Monitoring is bound to be a time-consuming task and is expensive to undertake. With that, the demise of this
system will actually be a win-win for everyone concerned.
