IT News article listing  »

Data Privacy Act: What This Means for Outsourcing

Posted on June 8, 2017

Data Privacy Act for outsourcing

The Data Privacy Act of 2012 of the Philippines is the first data protection law. The Act mandated the creation of National Privacy Commission (NPC), which was finally formed in March 2016, to enforce security and privacy of personal information with the aid of implementing rules and regulations (IRRs). On the 9th of September 2016, the IRRs have now taken effect.

The information technology-business process outsourcing (IT-BPO) industry is the largest contributor to the country’s GDP, and is worth over $20 billion. The IRRs will have a significant effect in the IT-BPO industry.

The Act brings the country in line with international data protection standards to engage more investors and uphold its title as the top IT-BPO outsourcing destination.

The IRRs apply to personal information controllers – those who control the processing of personal data; and personal information processors – those engaged by personal information controllers to process personal data on their behalf. This indicates both IT-BPO vendor and client must comply with the IRRs.

The IRRs will also have an impact to other industries – retail, tourism, finance, banking, and other industries which requires client, employee, and other personal information.

Some of the concepts of the IRRs were borrowed from Europe and South Korea such as data sharing consent, data portability, mandated 72-hour breach notification, and right to object to profiling.

Within one year, personal information controllers and processors are required to register in NPC.

Other remarkable features of IRRs include:

  • The scope of protected information

“Personal information” refers to “any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual”. The IRRs aim to protect personal information of the data subject.

  • Outsourcing of data processing activities

An outsourcing contract between personal information controllers who engage personal information processors must be constructed properly to ensure the compliance of confidentiality and integrity. The outsourcing vendor and client are required to review their contracts to match with the IRRs.

  • Data protection officers

One data protection officer must be present in a company involved in processing of personal information. The task of the data protection officer is to ensure the data privacy and security.

  • Data protection principles

The IRRs key principles are legitimate purpose, proportionality, and transparency. Other principles are fair and lawful processing of personal information, ensuring accuracy and quality of personal information, adequate safeguards in the processing and transmission of personal information, consent as the basis for gathering personal information with certain exemptions, and non-retention of personal information.

  • Data subject rights

Not only the personal information controllers and processors are involved in the IRRs. The data subject has the right to object to any profiling, the right to obtain a copy of their personal information (data portability), right to know about the processing of their personal information, and the right of access and correction of personal information.

  • Mandatory breach notification

When there is data breach, the personal information collector is required to inform the NPC and the data subjects of the situation within 72 hours.

  • Security measures

Effective physical, organizational, and technical measures must be put in place as security measures.

  • Penalties

Significant and corresponding penalties are given when there are instances of personal data breaches depending on the damage caused by the breach.

The Act’s IRRs are a huge step for the Philippines’ data privacy regulation. Businesses and industries will be affected by these regulations to set a higher standard for data handling.



 Philippines Finalizes Data Privacy Act Implementing Rules,