FAQs - the Philippine Data Privacy Act for BPOs.

Yesterday marked my very first year working in data privacy for a Business Process Outsourcing company, and I have to say, it was an adventure to say the least. After spending more than two decades working in the public sector, I ended up retiring from government service and making the transition to pursuing my data privacy advocacies from a BPO perspective. This was certainly a challenge as the application of the Philippine Data Privacy Act (DPA) is not really as straightforward as you might expect from, say, a Philippine government agency, or a straight-up private Philippine company providing goods and/or services to Philippine residents. Unsurprisingly, it's a bit more complicated in the BPO realm. In the past year, I made a number of realizations regarding the applicability of the DPA with regard to BPOs, or with my BPO at least, things I haven't seen before as I was viewing data privacy from a different vantage point.

This article is intended to share some of these realizations with my connections who are similarly situated, in a convenient question-and-answer format and with somewhat less legal jargon than that used in the law itself. I certainly don't claim to be the expert when it comes to applying the DPA in a BPO setting, more so considering variances between the corporate objectives, management, and day-to-day operations of different BPOs, and the fact that like most of you, I'm also learning as I go. I'm hoping though that the information presented in this article at least points you in the right direction. This is certainly a work in progress, so expect this article to be edited and expanded as we go along.

Now without any further ado, let's get on with the FAQs:

1. Does the DPA apply to my organization?

If your organization processes the personal information of Philippine residents, whether as a personal information controller (PIC) or a personal information processor (PIP), the DPA applies.

If your organization processes the personal information of residents of foreign jurisdictions, the DPA does not apply if the processing is in accordance with the applicable privacy laws of that jurisdiction. If the privacy laws of that jurisdiction are not applied, it will be presumed that the DPA applies. (Sec. 4, DPA)

2. What's the difference between a personal information controller (PIC), and a personal information processor (PIP)?

A PIC is an entity that actually controls the collection, holding, processing or use of personal information. A PIP is an entity to whom a PIC may outsource the processing of personal information. (Sec. 3, DPA)

3. Is my organization a PIC or a PIP?

It depends on the functions being performed by the entity. If it collects and processes information on its own, it could be a PIC. If it processes information on behalf of another entity, it could be a PIP. In reality, an organization could be a PIC for some functions, and a PIP for others.

4. My organization is not based (founded or established) in the Philippines. Does the DPA apply?

Even if your organization is not Philippine-based, the DPA will still apply if:

  • Your organization uses equipment that is in the Philippines (e.g. server farm);
  • Your organization maintains an office, branch or agency in the Philippines. (Sec. 4, DPA)

5. What is personal information under the DPA?

It is any information that by itself, or in conjunction with other information, can be used by the entity holding the information to determine the identity of an individual. (Sec. 3, DPA)

6. What is covered by the term “processing”?

It just about covers any set of operations performed on personal information, such as collection, recording, organizing, storing, updating or modification, retrieval, consultation, using, blocking, erasing or destruction. Basically any operation done on personal information can be considered “processing”. (Sec. 3, DPA)

7. What are the exceptions to the DPA?

The DPA does not apply to:

  • Philippine government officers and employees, insofar as their titles, business addresses, official telephone numbers, position classification, salaries and responsibilities are concerned;
  • Names of individuals on documents prepared by the individual himself/herself in the course of employment with the Philippine government;
  • Personal information of individuals performing services under a government contract in relation to the services performed, as well as the terms of the contract itself;
  • Personal information of individuals in relation to any discretionary financial benefit emanating from the government, as well as the nature of the benefit;
  • Personal information used for journalistic, artistic, literary or research purposes;
  • Information necessary for carrying out functions of public authority (law enforcement, regulatory agencies) as provided for by law;
  • Information necessary for banks and other financial institutions to comply with the Credit Information System Act, the Anti-Money Laundering Act, and other applicable related laws;
  • Personal information collected from residents of foreign jurisdictions in accordance with the laws of those foreign jurisdictions. (Sec. 4, DPA)

8. Can the DPA apply to foreign organizations which may not necessarily have a presence in the Philippines?

It can apply to your organization if your organization processes the personal information of a Philippine citizen or resident, or if your organization has a link with the Philippines, such as:

  • A contract entered in the Philippines;
  • Management or control of operations in the Philippines;
  • A branch, agency, office or subsidiary in the Philippines, and the personal information is accessible by the foreign parent or affiliates;
  • The conduct of business in the Philippines;
  • The collection or holding of personal information in the Philippines. (Sec. 6, DPA)

9. What are the conditions for the processing of personal information to be lawful under the DPA?

For the processing of personal information to be lawful, it has to satisfy at least one of the following conditions:

  • The data subject has given his or her consent;
  • The processing is necessary and in relation to the fulfillment of a contract with, or entering into a contract with, the data subject;
  • The processing is necessary for compliance with a legal obligation;
  • The processing is necessary to protect the vital interests of the data subject, including life and health;
  • The processing is necessary in order to respond to a national emergency, to comply with the requirements of public order and safety, or to fulfill functions of public authority;
  • The processing is necessary for the purposes of legitimate interests, unless overridden by the rights and freedoms of the data subject (Sec. 12, DPA).

10. What are "legitimate interests"?

While the DPA itself is seemingly silent with regard to the definition of legitimate interests, this is commonly interpreted to include tasks such as fraud prevention, internal administration of employees and clients, maintaining information security, and reporting possible criminal acts or threats. Essentially this is any interest that may provide a legal basis for the processing, as long as said processing does not violate the rights and freedoms of the data subject.

11. Does “legitimate interests” include the use of personal information for marketing purposes?

No. The implementing rules and regulations (IRR) of the DPA address this question by invoking the rights of the data subject, particularly the right to be informed before the entry of his or her personal information into a system or at the next practical opportunity, and the right to object. This essentially makes consent a requirement for direct marketing purposes. (Sec. 34, Rule VIII, IRR)

12. What are the rights of data subjects?

In a nutshell, the rights of data subjects are as follows:

  • Right to be informed that his or her personal information shall be, is being, or has been processed;
  • Right to be furnished the information before its entry into a processing system, or at the next practical opportunity;
  • Right to reasonable access to his or her personal information and details behind its collection and processing;
  • Right to correct errors in his or her personal information;
  • Right to suspend, withdraw or order the blocking, removal or destruction of his or her personal information if it is incomplete, outdated, false, unlawfully obtained, used for unauthorized purposes, or no longer necessary for the purposes for which it was collected;
  • Right to be indemnified for damages sustained due to such inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of personal information (Sec. 16, DPA).

That's all I have for now, but if you have any questions you may want added to this list, comments, suggested answers, or any errors in the answers I provided that you may want to point out, please do let me know.

More articles by Ronald Allan P.