- A personal information controller refers to any person or organization who controls the collection, holding, processing, or the use of personal information;
- It is the duty of a personal information controller to implement reasonable and appropriate organizational, physical and technical measures intended for the protection of personal information;
- It is likewise the duty of a personal information controller to ensure that third parties processing personal information on its behalf shall implement the security measures required.
For us to be able to understand the duties of a Personal Information Controller, we must first note what personal information is and who a personal information controller is.
Personal Information, as defined in Section 3(g) of R.A. No. 10173 or the Data Privacy Act of 2012, refers to any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or which, when put together with other information, would directly and certainly identify an individual.
A Personal Information Controller refers to any person or organization who controls the collection, holding, processing, or the use of personal information, including a person or organization who instructs another person or organization to collect, hold, process, use, transfer or disclose personal information on his or her behalf. (Data Privacy Act of 2012, Section 3(h).)
The following cannot be considered as a personal information controller:
- A person or organization who performs such functions as instructed by another person or organization; and
- An individual who collects, holds, processes, or uses personal information in connection with the individual’s personal, family or household affairs. (Data Privacy Act of 2012, Section 3(h).)
What are the duties of a Personal Information Controller?
The law says:
Under R.A. No. 10173 or the Data Privacy Act of 2012, these are the duties and responsibilities of a Personal Information Controller:
- To implement reasonable and appropriate organizational, physical and technical measures intended for the protection of personal information:
  - Against any accidental or unlawful destruction, alteration and disclosure, as well as against any other unlawful processing;
  - Against natural dangers such as accidental loss or destruction, and human dangers, such as unlawful access, fraudulent misuse, unlawful destruction, alteration and contamination. (Data Privacy Act of 2012, Section 20 (a) and (b).)
- To ensure that third parties processing personal information on its behalf shall implement the security measures required (Data Privacy Act of 2012, Section 20 (d).)
- The employees, agents, or representatives of a personal information controller who are involved in the processing of personal information shall operate and hold personal information under strict confidentiality if it is not intended for public disclosure. This obligation shall continue even after leaving the public service, transfer to another position or upon termination of employment or contractual relations. (Data Privacy Act of 2012, Section 20 (e).)
- To notify the Commission and the affected data subjects when sensitive personal information, or other information that may be used to enable identity fraud, has been acquired by an unauthorized person and the unauthorized acquisition is likely to give rise to a real risk of serious harm to any affected data subject. (Data Privacy Act of 2012, Section 20(f).)
What is the Principle of Accountability for Transfer of Personal Information?
Corollary to the duties and responsibilities of a personal information controller under the Data Privacy Act of 2012, the Principle of Accountability for Transfer of Personal Information provides that each personal information controller shall:
- Be responsible for personal information under its control or custody, including information that have been transferred to a third party for processing, whether domestically or internationally, subject to cross-border arrangement and cooperation;
- Be accountable for complying with the requirements of the Data Privacy Act of 2012 and shall use contractual or other reasonable means to provide a comparable level of protection while the information is being processed by a third party; and
- Designate individuals who are accountable for the organization’s compliance with this Act, whose identity shall be made known to any data subject upon request. (Data Privacy Act of 2012, Section 21.)
Alburo Alburo and Associates Law Offices specializes in business law and labor law consulting. For inquiries, you may reach us at info@alburolaw.com, or dial us at (02)7745-4391/0917-5772207.