DPA QuickGuidefolder 1019 PDF
PI (personal information) refers to any information from which the identity of an individual is apparent or can be reasonably and directly ascertained, or when put together with other information would directly and certainly identify an individual.

SPI (sensitive personal information) refers to info about an individual's:
• Race
• Ethnic origin
• Marital status
• Age
• Color
• Religious, philosophical or political affiliations
• Health, education, genetic or sexual life
• Proceeding for any offense committed or alleged to have been committed by an individual
• Government-issued IDs
• Those established by an executive order or an act of Congress to be kept classified

CRITERIA FOR LAWFUL PROCESSING OF PI
• Consent
• Contract with the individual
• Vital interests/Life & health
• Legal obligation
• National emergency / public order & safety, as prescribed by law
• Constitutional or statutory mandate of a public authority
• Legitimate interests of the PIC or third parties

CRITERIA FOR LAWFUL PROCESSING OF SPI
• Consent
• Existing laws & regulations
• Life & health
• Processing by non-stock, non-profit orgs
• Medical treatment
• Lawful rights & interests in court proceedings/legal claims

(continued)
• Procedure for addressing complaints of data subjects
• Certificate of registration and notification
• Other means to demonstrate compliance

5. Manage Security Risks
• Data Center and Storage area with limited physical access
• Report on technical security measures and information security tools in place
• Firewalls used
• Encryption used for transmission
• Encryption used for storage
• Access Policy for onsite, remote and online access
• Audit logs
• Back-up solutions
• Report of Internal Security Audit or other internal assessments
• Certifications or accreditations maintained

9. Continuing Assessment and Development
• Policy for Conduct of PIA (may be in manual)
• Policy on conduct of Internal Assessments and Security Audits
• Privacy Manual contains policy for regular review
• List of activities to evaluate Privacy Management program (survey of customer, personnel assessment)
• Other means to demonstrate compliance

10. Manage Privacy Ecosystem
• No. of trainings and conferences attended on privacy and data protection
• Policy papers, legal or position papers, or other research initiatives on emerging technologies, data privacy best practices, sector specific standards, and international data protection standards
• No. of management meetings which included privacy and data protection in the agenda
• Other means to demonstrate compliance

PENALTIES
Violation | Imprisonment (PI) | Imprisonment (SPI) | Fine (PI) | Fine (SPI)
Unauthorized Processing | 1–3 years | 3–6 years | P500,000 – P2,000,000 | P500,000 – P4,000,000
Accessing Due to Negligence | 1–3 years | 3–6 years | P500,000 – P2,000,000 | P500,000 – P4,000,000
Improper Disposal | 6 months – 2 years | 1–3 years | P100,000 – P500,000 | P100,000 – P1,000,000
Processing for Unauthorized Purposes | 1 year and 6 months – 5 years | 2–7 years | P500,000 – P1,000,000 | P500,000 – P2,000,000
Unauthorized Disclosure | 1–3 years | 3–5 years | P500,000 – P1,000,000 | P1,000,000 – P5,000,000

Violation | Imprisonment | Fine
Concealment of Security Breaches | 1 year and 6 months – 5 years | P500,000 – P1,000,000
Unauthorized Access or Intentional Breach | 1–3 years | P500,000 – P2,000,000
Malicious Disclosure | 1 year and 6 months – 5 years | P500,000 – P1,000,000
Combination or Series of Acts | 3–6 years | P1,000,000 – P5,000,000

EXEMPTIONS
Applies not to the PIC/PIP but only to personal data relating to:
• Matters of public concern
• Journalistic, artistic or literary purposes
• Research purposes, intended for a public benefit
• Performance of law enforcement or regulatory functions of public authority (e.g. Secrecy of Bank Deposits Act, Foreign Currency Deposit Act, CISA)
• Compliance of BSP-regulated banks & financial institutions with the CISA, AMLA & other applicable laws
• Residents of foreign jurisdictions w/ applicable data privacy laws
Exemptions are only allowed to the minimum extent needed to achieve purpose, w/ consideration to requirements of other regulations.

5th Floor, Delegation Building, Philippine International Convention Center, PICC Complex, Roxas Boulevard, Manila, 1307
privacy.gov.ph | privacy.gov.ph | privacygovph
info@privacy.gov.ph | PrivacyPH | 234-22-28
This material is downloadable at: privacy.gov.ph/quickguide
An attached agency of the Department of Information and Communications Technology