Giving away someone’s contact number without the owner’s consent is punishable under the Data Privacy Law.
Yes, you read it right. Giving away someone’s contact number without consent is punishable in the Republic Act 10173 also known as the Data Privacy Act of 2012.
Like everyone else who have a mobile phone, mine also contains lots of contact information and I am once guilty of giving that information away without the owner’s consent… but that’s all in the past now. I am now aware of the law and I will guard with diligence every information that was entrusted to me to avoid any problem in the future.
Maybe you are asking. Where did I learned these?
I found this out in the Digital Lead Generation and Customer Relationship Management for Real Estate Industry webinar last April 5, 2014 where Ms. Janette Toral talks about E-commerce Law, Data Privacy Law and Cybercrime law.
I plead guilty that I am not an expert in this field for I am no attorney but I will just write in this article the things that I have picked-up during the webinar.
Here are the prominent characteristics of the Data Privacy Act of 2012:
1. The law covers the Processing of Information (Section 3g) and Sensitive Personal Information (Section 3L)
- Personal information is any information that belongs to a person whether recorded in material form or not that even it does not state the name of the person but when the information was analyzed, we can more or less identifies who that person is. (As long as you can ascertains the identity of the individual, then that is referred to as personal information.)
- Sensitive personal information refers to more detailed personal information that includes race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations. It also includes health, education, sex life, cases in court. And also the information issued by the government agencies peculiar to an individual like SSS number, BIR number, license numb
2. The law created the provision of the creation of the National Privacy Commission to monitor the implementation of the law (Section 7).
3. The law basically gave parameters on when and on what premise can data processing of personal information be allowed. Its basic premise is when a data subject has given direct consent. (Section 12 and 13).
4. The law gave companies who subcontract processing of personal information to third party the full liability and can’t pass the accountability of such responsibility. (section 14)
- If you subcontract processing of personal information on the third party, like for instance you hired a staff or a consultant to process that information for you, if that person misused the information (like giving it away to another party or used the information to his/her own advantage), and the data subject found out, the data subject can still sue you and not your third party consultant or staff because at the end on the day, you are the one who is liable.
- As far as the customer is concerned, they are dealing with the entity and not with the agent so he will not sue your agent , he will sue the company because under the law, it is the personal information controller who is liable insofar the data privacy is concerned.
5. The law stipulates that the data subject has the right to know if their personal information is being processed. They can demand the source of info, how their info is being used, and copy of their information. They also have the right to request for the removal or the destruction of one’s personal data unless there is a legal obligation that required for it to be kept or processed (Sec 16 and 18)
- For instance somebody is offering you a loan and that person has a lot of information from you and you believe that you did not disclose it in the first place… Instead of you getting angry immediately, try to find out as much as you can about the person or the entity contacting you and send them a notification demanding on how they get hold of that information. And if you did not get a satisfactory response and action from the person who collected that information from you then you can contact the department of justice if you already want intervention insofar on the use of your data is concerned.
6. The law protects the data subject even she/he has already passed away or became incapacitated (for one reason or another). Their legal assignee or lawful heirs may invoke their data privacy rights. (Section 17)
- Data privacy right does not end when you die, it can be protected by your heir. If your information was misused with the intention of tarnishing your name or any intention there maybe your heir can run after those who violated your data privacy… So you can now include in your last will and testament as to who would be your lawful heir for your data privacy if you want to and invoke your data privacy right.
7. The law requires personal information controllers or entity who collects information must ensure security measures are in place to protect the information they process and be compliant with the requirement of this law (Sec 20 and 21)
- If you collect data you cannot allow the papers who are filled up by people to just be scattered everywhere. You are required to exercise due diligence to protect whatever information you collect because if they end up being copied and misused by others, you can become liable for it
8. In case a personal information controller systems or data got compromised, they must notify the affected data subjects and the National Privacy Commission. (Section 20)
- The National Privacy commission is not yet in place so for the meantime , any complains insofar as the law, they can complain with the Department of Justice
9. The law requires heads of government agencies to ensure their system compliance (including security requirements). Personnel can only access sensitive personal information off-site, limited to 1000 records, in government systems with proper authority and in a secured manner. (Section 22)
10. Government contractors who have existing or future deals with the government that involves accessing of 1000 or more records of individuals should register their personal information processing system with the National Privacy Commission. (Section 25)
11.Provided penalties (up to 5 million as per sec. 33) on the processing of personal information and sensitive personal information based on the following acts:
– Unauthorized processing (sec. 25)
– Negligence (sec. 26)
– Improper disposal (sec. 27)
– Unauthorized purposes (sec. 28)
– Unauthorized access or intentional breach (sec. 29)
– Concealment of security breaches (sec. 30)
– Malicious (sec. 31) and unauthorized disclosure (sec. 32)
- If at least 100 persons are harmed, the maximum penalty shall apply (section 35).
12.For public officers (working in government), an accessory penalty consisting in the disqualification to occupy public office for a term double the term of criminal penalty imposed shall he applied. (sec. 36)
These are just part of the Law. If you wanted to see complete Chapter the the Data Privacy Act of 2012, then check this link .
The law is in being implemented for several years now, but many people are still unaware of it. Maybe this time they may not have the sophistication to examine and understand their right under the data privacy law and may not even have the capacity or even file a law suit or file a complaint to the improper use of their data but it is better to be in the side of caution so that by the time that the community group will become organized, especially when the data privacy groups gets formed and be in a position to file a complaint in behalf of many people, then it’s best to protect yourself as early as now.
A piece of advice: Do not collect information that you don’t need and make sure that you protect all the information that you gathered because if that information ended up being misused even by other entity, you are still liable for it because you are the one who collected that information.
The Digital Lead Generation and Customer Relation Management for Real Estate Industry is a 12-series webinar. All Webinar materials are being uploaded in the DigitalFilipino Influencers Boot camp E-leaning site so those people who are interested in the program can still join because it is always available 24/7 for its students. You can check this link to enroll or to just see the topics of the program.