Data Privacy for Business Owners

I receive data from my customers, including their name, address and order. Do I have responsibilities under the Data Privacy Act?

Yes. That information (name, address and order) is protected by the Data Privacy Act.

How does the law protect the information?

First, as a business that collects this information, you are required to appoint a Data Privacy Officer (DPO) who will be responsible for keeping the data safe and private.  Second, the law provides penalties if the information is misused.

What use of information is permitted?

In general, the use of personal information is considered lawful if the provider has given consent for its use and the use is necessary for the contract/transaction or another lawful purpose.

In addition, the purpose of the collection and use of personal information must be declared, and the information should be:

  1. processed in a fair manner;
  2. accurate, relevant and updated;
  3. adequate and not excessive for the purpose intended;
  4. retained for only a reasonable time.

How do I obtain consent?

It must be in writing.  If you interact with customers online, there must be a form where the consent can be indicated.

What are the penalties for misuse of information?

The law provides a set of fines and period of imprisonment.

What is the penalty if my DPO sells my database of personal information?

It depends on the details, but could be: imprisonment of one year to five years and a fine of Php500,000.00 to Php1,000,000.00.

I noticed some forms use the term “sensitive personal information”. What is the difference between “sensitive personal information” and “personal information”?

The law defines “sensitive personal information” this way:

“Sensitive personal information refers to personal information:

(1) About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;

(2) About an individual’s health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings;

(3) Issued by government agencies peculiar to an individual which includes, but not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns; and

(4) Specifically established by an executive order or an act of Congress to be kept classified.”

Why is there a distinction between personal information and sensitive personal information?

There are additional requirements and protections for “sensitive personal information”.  For instance, if there is a breach of sensitive information, you are required to notify the National Privacy Commission.  If you do not, there are penalties.  Note: if your business handles sensitive personal information, it is highly recommended that you spend time to read through the materials provided by the National Privacy Commission, and/or to consult with a lawyer.

What can I do to make sure I’m compliant?

At minimum, you should have a standard consent form whenever you obtain personal information from your customers.  You must also appoint a Data Privacy Officer.  Considering the gravity of penalties for misuse of Data, if you are unsure if you are compliant with law, it is highly recommended that you take the time to study carefully the materials made available by the National Privacy Commission, and/or to consult with a lawyer.