article banner
Line of Sight

Do your own 'personal data'

DO YOU ever read the online portal terms and conditions before logging in to a website or the user agreement before signing up with social sites like Facebook, Twitter, Pinterest and LinkedIn? Do you take the time to understand the fine print of a loan, investment, insurance or credit card application form before affixing your signature? Do you give a second thought when you write in your complete name and birth date in surveys?

We may live in a fast-paced digital age where “Knowledge is Power” and “Data is the new Oil” but why are we taking our privacy for granted?

Republic Act No. 10173, also known as the Data Privacy Act, aims to zero in on this lingering concern. First promulgated in 2012, this law was compelled to action when the implementing rules and regulations took effect only last September 2016.

The law seeks to protect (1) personal information such as the name and birth date of an individual; (2) sensitive personal information which usually includes the individual’s affiliation with religion, philosophy and politics, ethnic origin or race, marital status, age, and license, social security and tax identification numbers; and (3) privileged information which refers to all forms of data under the Rules of Court and other pertinent laws.

The newly-formed National Privacy Commission (NPC) is the governing body tasked to monitor and ensure that our personal information as business owners, private and public sector employees, students or ordinary citizens of our country are protected in accordance with the international standards.

Malicious attacks like the hacking of the Commission on Elections’ poll database between March 20 to 27, 2016 is a grim reminder of the possible impact when privacy is breached. Millions of unencrypted sensitive personal information like passport numbers and fingerprints were already made accessible to the online public by hackers.

Surprisingly, a malicious attack is at the bottom list of the top five breaches, according to the NPC. A company’s employees’ indiscretions top the list, followed by unsecured mobile devices, cloud storage application, and third-party service providers.

With our country arguably becoming the business process outsourcing (BPO) center of the world, how do processors of personal information like P&A Grant Thornton that caters to outsourced payroll and accounting ensure compliance to privacy security?

Under the law, safeguards are critical to compliance which include: (1) appointing a data protection officer who will ensure compliance with applicable laws on data protection and privacy; (2) conducting a privacy impact assessment to evaluate the impact of an organization’s program and process on data privacy; (3) creating a privacy management program to serve as specific guidelines on compliance and data breach mitigation, (4) implementing privacy and data protection measures subject to periodic review, and (5) regularly exercising breach reporting procedures which covers notifying affected data subjects and the NPC within 72 hours from discovery of breach.

Knowing our rights as data subjects is also key. These rights include the right to be informed, to object, to access, to correct or rectify, to block or remove, to data portability, to file a complaint and to be indemnified.

Are there penalties involved? Any violation laid out by the Data Privacy Act from collection to the disposal of personal information will be subject to imprisonment from six months to seven years and fine of P100,000 to P5,000,000, depending on the nature of the deed.

Furthermore, all processors and controllers of personal information are given until September 2017 or one year from the effectivity of the implementing rules and regulations to fully comply with the law.

With all these in place, can we safely call our “personal data” as personal? At the end of the day, it’s still a personal choice to control how much personal information is shared and up to what extent the personal information is used.

Maybe it’s time to start safeguarding our personal information the same way we protect our cash and other valuables even in this digital age when almost anything is shared online.

Ms. Dano is manager for Tax and Outsourcing at P&A Grant Thornton, one of the leading Audit, Tax, Advisory, and Outsourcing firms in the Philippines, with 21 Partners and over 800 staff members.  It has branches in Cavite, Cebu, and Davao. For comments on this article, please email or For our services, visit Follow us on Twitter: pagrantthornton, and FB: P&A Grant Thornton.


As published in The Mindanao Times, dated 7 February 2017