Sunday, May 5, 2013

"Data privacy act" vs "National Identification System"

Republic of the Philippines
Arellano School of Law
Technology and the Law
(Atty. Berne Guerrero)


Is R.A. 10173 1, the enabling law contemplated by the Supreme Court in Ople vs Torres

                Before we dwell on matters regarding the particular issue at hand there is a need to first define National Identification number and relate it to “National Computerized Identification Reference System” mentioned in Ople vs Torres.
                The National Identification system is used in several countries all over the world. The most famous Identification number is the United States of America’s Social Security number. The Social Security number (SSN) is a nine-digit number issued to U.S. citizens, permanent residents, and temporary (working) residents. The number is issued to an individual by the Social Security Administration, an independent agency of the United States government. Its primary purpose is to track individuals for Social Security purposes 2.  
                A national identification number, national identity number, or national insurance number is used by the governments of many countries as a means of tracking their citizens, permanent residents, and temporary residents for the purposes of work, taxation, government benefits, health care, and other governmentally-related functions. The number will appear on an identity document issued by a country 3.
                In the Philippines an identification system has been used and implemented in Sulu particularly in Patikul, a rebel infested part of the Philippines. Reports reveal that the implementation of the ID System in Patikul, Sulu was made possible through the efforts of the local government, the AFP, PNP and other stake holders of peace and development in the province. This proposed I.D. system to be implemented in patikul has generated a lot of controversies and serious doubts among the populace regarding the true intention of such I.D. system. It is alleged such implementation is an experiment on the revival of the National I.D. system which was declared unconstitutional by the Supreme Court in  Ople vs Torres.4
                In 2006, then President Gloria Macapagal Arroyo issued Executive Order 420 5 ,  REQUIRING ALL GOVERNMENT AGENCIES AND GOVERNMENT OWNED AND CONTROLLED CORPORATIONS TO STREAMLINE AND HARMONIZE THEIR IDENTIFICATION (ID) SYSTEMS, AND AUTHORIZING FOR SUCH PURPOSE THE DIRECTOR-GENERAL, NATIONAL ECONOMIC AND DEVELOPMENT AUTHORITY TO IMPLEMENT SAME, AND FOR OTHER PURPOSES”. A lot of controversy arose upon the issuance of the questioned E.O. Nongovernmental organizations and human rights activists and constitutionalists have opposed Executive Order 420. However in the case kilusang mayo uno vs Director General of NEDA 6, the Supreme Court decided in favor of the government pertaining to the constitutionality of such executive order on the grounds that it is within the executive department’s prerogative to adopt measures that will make government transactions efficient and cost effective. The President may by executive or administrative order mandate government agencies under his control to adopt a uniform ID data system in pursuance of section 17 Article V11 of the 1987 constitution. Ople vs torres is not an authority to hold that E.O. 420 violates the right to privacy because in that case the assailed executive issuance, broadly drawn and devoid of safeguards, was annulled solely on the ground that the subject matter required legislation. As then associate justice, now chief justice Artemio Panganiban noted in his concurring opinion in ople vs torres “the voting is decisive only on the need for appropriate legislation, and it is only on this ground that the petition is granted by this court.” 7
                Furthermore, the Kilusang Mayo uno vs Neda director case provides an interesting insight pertaining to the requirements in order for a National ID system to pass stringent constitutional requirement.
                “The act of issuing ID cards and collecting the necessary personal data for imprinting on the ID card does not require legislation. What require legislation are three aspects of a government maintained ID card system. First when the implementation of an ID card system requires a special appropriation because there is no existing appropriation for such purpose. Second when the ID card system is compulsory on all branches of government, including independent constitutional commissions, as well as compulsory on all citizens whether they have a use of the ID or not. Third when the ID card system requires the collection and recording of personal data beyond what is routinely or usually required for such purpose, such that the citizens right to privacy is infringed.”8
                Further reading of Kilusang mayo uno vs Neda director will enlighten our understanding on the definition of a Nationalized ID system contemplated in Ople vs torres. There is a sudden shift of view by the Supreme Court regarding the possible enactment of a national ID system. In Ople vs Torress the previous extensive discussions by the Supreme Court regarding the need for the government to safeguard Personal Information by private individuals has been liberally relaxed in the later case of kilusang mayo uno vs Neda Director.

                To properly answer the controversy at hand, there is a need to first scrutinize the decision of the Supreme court in Ople vs torres. The brief facts are as follows.

Ople vs torres 9
                Then President Fidel V. Ramos issued Administrative order 308 entitled “Adoption of National Computerized Identification Reference System”, such law mandates of a national ID system that will be implemented in the whole country. The National ID system allegedly will efficiently facilitate government services, and will serve as cumulative information for the whole national population.
                Senator Blas Ople filed a petition before the Supreme Court assailing the constitutionality of said Administrative Order alleging that administrative Order 308 usurps the authority of Congress to legislate; furthermore the petitioner alleged that such administrative order undeniably intrudes to the right of the people to privacy.
                There are two issues on this case, first was the alleged usurpation of legislative prerogative by the executive branch, The second issue was, according to the petitioner it violates the right of the people to privacy guaranteed by the 1987 constitution.
                Dwelling on the issues that are related to the present article, the Supreme Court granted the Petition and declared administrative order 308 unconstitutional on the ground that it mainly violates the right of the People’s privacy. Although according to some dissenting opinions such issues are not ripe for adjudication since technically there are no acts yet by the government that infringes the right of the people’s to privacy, since it is not yet being implemented. The Supreme Court predicated their decision on the ground of possible and probable consequences in case of breach of such information system due to misuse, negligence, unlawful or unauthorized access to such information compiled by the government.
                The ratio decidendi pertaining to violation of the right to privacy however presumed that the present action passed the test as to whether the executive branch in promulgating the assailed Administrative Order did not encroach upon the power of the Legislative to enact laws. The Supreme Court in attacking the controversy in the case at bar, decided that administrative order must be in harmony to the present statute, and the sole purpose of issuing Administrative Order 308 is to implement a particular law enacted by Congress, since there is no law yet to implement there is no need for the issuance of the questioned Administrative order. The rationale for such decision is that there must be specific safeguards to protect the individual’s right to privacy which is lacking to the questioned administrative order.
                Furthermore the Supreme Court rejected the Argument that Administrative Order 308 merely implements the Administrative Code. The National identification reference system is being implemented for the first time. The said Administrative order therefore redefines the parameters of some basic rights of our citizenry. The Supreme Court furthermore said that “the line that separates administrative power of the President to make rules and legislative power of congress, it ought to be evident that such subject should be covered by a law.
                Indeed Administrative Order 308 encroaches upon the legislative prerogative. Such order promulgated if I may describe it as the Supreme Court often say, “Transcendental importance” need to be subject of a law. The fears and reservation of the Supreme Court cannot be understated nor underplayed. Right to privacy by the people is a fundamental right guaranteed by the constitution. Individuals who create acts prejudicial to other person thru the unauthorized use of information gathered under the questioned administrative order should be subjected to penal sanctions. Since administrative orders by the President by itself cannot incorporate within its provisions penal sanctions, such regulation will have no teeth in case of unauthorized use of such information. This situation creates beasts rather than civilized men.





                In 2012 congress enacted Republic Act 10173 otherwise known as “An Act Protecting Individual Personal Information and Communications systems in the Government and Private Sector, Creating for this Purpose a National Privacy commission and for other Purpose” 10
                The case of Kilusang mayo uno vs Neda Director enlightens us in answering some questions pertaining the National ID system.  
                The requirements maybe summarized as follows. 11
1.        Whether the ID card system requires special appropriation?
2.        Whether the ID card system is compulsory on all branches of government?
3.        Whether the ID card system requires the collection and recording of personal data beyond what is routinely or usually required for such purpose, such that the citizens’ right to privacy is infringed.
               

1
                In section 41 of Republic Act 10173 12, there exist an appropriation clause mandating that the National Privacy Commission shall have initial appropriation of twenty million pesos to be drawn from the  national government. But upon reading of this particular provision there exists neither clause nor phrase pertaining to the appropriation for the establishment of the national ID system. Section 41 only speaks of an initial funding of twenty million and that succeeding appropriation under the general appropriations act. It may be deduced from the provision therefore that the exclusion of a specific mention of appropriation for the establishment of a national ID system was intent of congress not include such provision.

2
                In section 4 of Republic act 10173 13 lies the scope of the provisions. This provision provides where and when such statute may apply. According to section 4, the act shall apply to the processing of all types of personal information. This provision did not distinguish on whether personal controllers are domestic nor foreign neither does it distinguish if it is private or government owned processing centers. There is a phrase however that includes those persons who maintain an office, branch or agency in the Philippines subject to the exceptions provided for in section 4.
                By reading section 2 14 the declaration of policy section of this law, it is declared that it is the state’s inherent obligation to ensure that personal information of data subjects compiled in information and communication system in the government and in the private sector shall be secured and protected.
                The reading of certain provisions of Republic Act 10173, it is therefore implied that it applies to all personal information controllers which does not even distinguish a public and a private personal information controller. It may therefore be safely discerned that Republic Act 10173 applies to all branches, departments and instrumentalities of the government as long as such government branch comes within the definition of personal controller as defined in section 3(g) hereof. 15
                Although the aforementioned sections speaks of wide application of this statute to all departments and branches of the Government. It does not specifically provide for the mechanism on how the national ID system maybe incorporated to all such branches and how it will operate. There is not even one single provision that pertains to the creation and application of the national ID system upon those mentioned provisions, which pertains to the scope of application of this particular statute.

3
                In answering the issue raised in question number three,  we may therefore safely conclude that Republic Act 10173 is not the enabling law for the national ID system contemplated in Ople vs torres. On the contrary Republic Act 10173 provides for the security of gathered information from the different agencies and offices of the government, it does not mandate the gathering of information but merely recognizes the significance of free flow of information and striking a balance between privacy and use of gathered information. It promotes the fundamental human right of privacy of communication.

                In order for us to better understand the difference between Republic Act 10173 commonly known as “Data Privacy Act” and the Future Enabling law of the national ID system, there is a need for us to dissect nay define and understand Republic Act 10173.
                The main purpose of the “Data Privacy Act” according to section 2 of Republic Act 10173 is the policy of the state to protect the fundamental human right of privacy while ensuring the flow of information to promote innovation and growth. 16
                 Upon the advancement of information technology and the creation of different medium of communication thru cyberspace, the users themselves supply the information for the creation of a utopia behind the screens of their devices. But such world may not be perfect after all. The creators of the internet as a network envisioned a world where information is at every user’s fingertips; indeed their dreams have come true as a witness myself. With an internet connection and a device connecting to such network, vast amounts of information are at every user’s disposal. But as they say “dreams are not always good, sometimes you have an off night”. The information that the internet holds created monsters and abusers of information the network holds. The users who themselves provided the information become victims of this individuals since the personal information they have provided are used against them to their injury by unscrupulous individuals. It is basic under constitutional law of the inherent police power of the state. It is the duty of the state to protect their citizens against abuses and to regulate public utilities such as the internet. Upon such exercise of police power comes now the enactment of the “Data Privacy act of 2012”
                In whalen vs Roe “Justice John Paul Stevens (J. Stevens) argued that there are two different interests implicated by zones of privacy. The first is the right to avoid disclosing personal matters and the second is the right to independence in making certain decisions.” 17
                Republic Act 10173 in its declaration of policy declared that the state recognizes the vital role of information in nation building but the state consequently has the obligation to ensure that personal information in the government and the private sector are secured and protected.
                The most significant aspects of the law are: the procedures to be followed in the collection, processing and handling of personal information; the rights of data subjects; and the creation of a National Privacy Commission. 18
                However section 5 of this statute prohibits journalist in being compelled to disclose information regarding reveal the identity of their source that revealed information pertaining to a particular news report or article which was published. The statute has extra territorial application as mandated in section 6 hereof.
                The law requires information collectors, holders and processors to follow strict rules on transparency, legitimacy and proportionality in the conduct of their activities. Among others, the collection should be conducted for “specific and legitimate purposes determined and declared before, or as soon as reasonably practicable after collection, and later processed in a way compatible with such declared, specified and legitimate purposes only.” Accuracy, relevance and essentiality of purpose must likewise be observed during the collection stage. Inaccurate or incomplete data should be corrected, supplemented, destroyed or their further processing restricted. The information can be stored only as long as needed for the purpose for which it was obtained, or “for the establishment, exercise or defense of legal claims, or for legitimate business purposes, or as provided by law.” Once collected, the information can be processed or used only if it is not prohibited by law and the person who provided the information (or data subject) has given his consent; if no such consent is given, the processing can still go on provided it meets the “necessity” test. 18

                The law also provides for the creation of the National Privacy commission. The Primary role of the commission is to “administer and implement the provisions of the act, and also to make sure that the country complies with international standards for data protection. The Commission shall also ensure the confidentiality of any personal information that comes to its knowledge and possession. 19
                One of the most important provisions of Republic Act 10173 is the penal sanctions. The penal sanctions are provided in Chapter 8 sections 25 to 36. 20. The penal sanctions for violation/s of this act gives data privacy act of 2012 teeth. The commission is specially task to report violators to the Department of Justice for appropriate actions. Without such penal provision this statue will be meaningless since violators may simply ignore this statute. The only problem for the criminal aspect of this statute is that, most evidence are electronic in nature, in light with the recent decision of the Supreme Court in Rustan Ang vs Court appeals which declared that the electronic evidence rule does not apply to criminal cases. The evidence gathered must not be electronic in nature in order for the court to appreciate the evidence presented. It is of my honest opinion that the decision of the Supreme Court in Rustan Ang vs Court of Appeals is not proper under different circumstances especially if the provisions of this act is applied.
               
                                A number of states have adopted a certain form of an ID system for the purpose of certain government services like law enforcement, social security, availment of licenses etc. In the Philippines, the government has tried to adopt a national ID system, as discussed in Ople vs Torres, and then President Fidel V. Ramos tried to adopt a form of a national ID system by enacting Administrative Order 308 which was later declared unconstitutional. In 2006, President Gloria Macapagal Arroyo then issued Executive Order 420 for the adoption of a form that resembles a national ID system, which was later on upheld by the Supreme Court as valid and within the constitutional prerogative of the President to issue. All of the proponents of the national ID system pushes the idea that a national ID system is needed in order to streamline government services, nationalize the identification process and curb out red tape which is of course prevalent within the Philippine Government’s bureaucracy.

                However several human rights activists, civil libertarians and militant groups have long claimed that and ID system violates the rights of citizen’s intrinsic right to privacy.21
                A greater understanding of whether in the Philippine setup; there is a need for the government to set up a National Identification system. According to Privacy international 1996 (via Dir. Jean Encinas-Franco of Sepo) 22 the concept of a national identification system was first instituted in countries where its population comes from diverse ethnic groups. However experiences show that oppressive regimes have used their own identification system to systematically discriminate the minority groups, states who have political subdivisions example of which is ethnicity, religious affiliation, ideological belief etc, upon which the minority were often persecuted by the ruling majority thru the use of national identification system that the government itself has institutionalized. The best example of negative application of the National ID system is when the nazi regime of Rwanda where hutu ethnic majority performed classic ethnic cleansing of tutsi minority with the help of a national identification system created by their own government. In the Philippine setup however, ethnicity and religion will not be a basis for the persecution of a particular group. But rather, the distinction will come from political ideology. Human rights activists, libertarians and several non-governmental organizations have long opposed the establishment of a national identification system, primarily because this organizations are somewhat affiliated with the left leaning groups (communists-socialist). The government specially the military and police as the main proponent of a nationalized Identification system have expressed their disappointment for the failure of congress to enact the law that will establish a national Identification system.

                The basic question that will arise from the facts stated therein is the level of necessity in the establishment of a centralized national identification system. Indeed as discussed in ople vs torres, there is a great risk in the fundamental right of privacy of individuals if abuses not only by government officials but also of private individual who has the resources and the proper contacts to obtain such information. Since a nationalized identification system has never been established in the Philippines we may only visualized the pros and cons of a nationalized identification system. The probable pros is the possible lessening of red tape, experience tell us red tape is prevalent in government offices. But the basic question will be? How exactly will the establishment of a national identification system curb out red tape. That remains to be seen. But the establishment of a centralized identification system will probably hasten the identification of citizens who wish to avail government services, since the government need not to verify the identification of an individual of whether he is entitled to such benefits. A centralized system of identification will indeed be some beneficial. In matters of identification by law enforcement agencies, a centralized system would probably help the police and the military of possible identification of terrorist, criminals and rebels. I would presume that a form of biometrics would be incorporated in the national Identification system. But the pros of the national identification system would all be speculation.
                The probable negative effects of a nationalized identification system would all stem out from fraud!!. Human Rights and Privacy Issue would be the main disadvantage of a nationalized identification system.
“Civil libertarians and human rights activists reject the idea of a national ID card based on three reasons: “functionality creep,”the potential for misuse due to identity fraud, and the privacy issue. The common denominator that runs through these arguments is the extent through which the government would hold power vis-à-vis its citizens. According to human rights activists, an ID system can be a double-edged sword because it can suffer from “functionality creep” which means it can serve purposes other than its original intent. Thus, even if the original rationale for an ID system is simply to cut government red tape, a government may eventually use it as a mechanism for repression against political opponents or to discriminate on the basis of race Or ethnicity. For instance, as mentioned earlier, the Rwanda genocide in 1995 was facilitated by the use of ID cards. Newspaper reports recounted that Rwandans who presented ID cards bearing Tutsi identification were hacked to death by the Hutu militia. While supporters claim that ID systems can be legislated to specifically state the purpose of its implementation, critics believe that this is not a guarantee. The context or political environment within which ID systems are implemented is not static, hence the potential for abuse is very great. The advent of biometrics and microchips technology also has profound implications. Critics argue that the potential for abuse and invasion of privacy is even greater with the use of biometrics since it is vulnerable to identity
fraud. The citizen is no longer in control of his personal information. For instance, the research claims that “facial recognition and iris scanning can sometimes be defeated by presenting a picture of someone else’s face or iris”. Activists on the other hand, are more concerned with information security such as “unauthorized changes to or disclosure of biometric data stored in a central database or on an identity document”. Aside from the issue of misuse, ID system opponents believe that the idea of a government tracking the activities of its citizens violates a citizen’s intrinsic right to privacy. They say that a government intruding in the affairs of citizens is dangerous and has dire consequences for social order. Moreover, the extent of personal information that will be collected by the government and whether it really serves a legitimate aim is a cause of alarm to rights activists. Supporters ofan IDsystem, on the other hand, contend that people who do not violate laws have nothing to hide and should therefor have no reason to fear a government monitoring their activities.” 23

                Upon the facts stated therein, we can therefore conclude that first, Republic Act 10173 is not the enabling law of the national identification system contemplated in Ople vs torres as well as kilusang mayo uno vs neda director. The main reason for such conclusion is the lack of specific provisions to such law that would imply that indeed “data privacy act” is the enabling law for the establishment of a national identification system. Even assuming ex gratia argument that the “Data Privacy act of 2012” impliedly mandates for the establishment of a national identification system, I would seriously doubt the constitutionality of such law, since such provision would in fact be a “rider provision”.
                On the second issue discussed on whether we need a centralized identification system that is compulsory? I answer in the negative; I have of the opinion that the risk for fraud and human rights abuses of the information that would be gathered under such law outweighs the possible benefits that will accrue to the people. The Philippine government I opined is not mature enough to handle such information pertaining to its citizens without being tempted to use such information for their own benefit and to the prejudice of the data subject. It is a matter of public knowledge that although the current administration’s policy is the curbing out of corruption, it still there and rampant. I personally have witnesses such acts by our government officials. Corruption in the Philippine Society at large is rampant; it is a habit and a tradition started by our predecessors. It is saddening to hear Cadets of a prestigious academy in the Philippines talk about corruption – “ Sir, Kmusta area nyo, ok ba kita sir” paraphrasing a first class cadet, talking about an area of his upperclassman who has already graduated and asking such upperclassman if his area yields nice profits coming from activities besides his salary. Until the Philippine bureaucracy matures similar to that of the United Kingdom, Australia, New Zealand, Singapore, Japan, and the United States of America; I would respectfully oppose the establishment of a National Identification system.

Endnotes
1.        AN ACT PROTECTING INDIVIDUAL PERSONAL INFORMATION IN INFORMATION AND COMMUNICATIONS SYSTEMS IN THE GOVERNMENT AND THE PRIVATE SECTOR, CREATING FOR THIS PURPOSE A NATIONAL PRIVACY COMMISSION, AND FOR OTHER PURPOSES(http://www.gov.ph/2012/08/15/republic-act-no-10173/)
2.         Social Security Number. (http://en.wikipedia.org/wiki/Social_Security_number)
3.         National Identification Number (http://en.wikipedia.org/wiki/National_identification_number)
4.         Legal opinion by comission on Human Rights “ID System in Sulu, an Experimental Implementation of National ID System?” (http://www.chr.gov.ph/MAIN%20PAGES/news/region%20news/reg09_legalopFeb808.htm)
5.         REQUIRING ALL GOVERNMENT AGENCIES AND GOVERNMENT OWNED AND CONTROLLED CORPORATIONS TO STREAMLINE AND HARMONIZE THEIR IDENTIFICATION (ID) SYSTEMS, AND AUTHORIZING FOR SUCH PURPOSE THE DIRECTOR-GENERAL, NATIONAL ECONOMIC AND DEVELOPMENT AUTHORITY TO IMPLEMENT SAME, AND FOR OTHER PURPOSES (http://www.gov.ph/2005/04/13/executive-order-no-420-s-2005/)
6.         Kilusang mayo uno vs director general of  NEDA (http://sc.judiciary.gov.ph/jurisprudence/2006/april2006/G.R.%20No.%20167798.htm)
7.        Kilusang mayo uno vs director general of  NEDA (http://sc.judiciary.gov.ph/jurisprudence/2006/april2006/G.R.%20No.%20167798.htm)
8.        Kilusang mayo uno vs director general of  NEDA (http://sc.judiciary.gov.ph/jurisprudence/2006/april2006/G.R.%20No.%20167798.htm
11.     Kilusang mayo uno vs director general of  NEDA (http://sc.judiciary.gov.ph/jurisprudence/2006/april2006/G.R.%20No.%20167798.htm)
12.     Section 41. Appropriations Clause. – The Commission shall be provided with an initial appropriation of Twenty million pesos (Php20,000,000.00) to be drawn from the national government. Appropriations for the succeeding years shall be included in the General Appropriations Act. It shall likewise receive Ten million pesos (Php10,000,000.00) per year for five (5) years upon implementation of this Act drawn from the national government. (http://www.lawphil.net/statutes/repacts/ra2012/ra_10173_2012.html)
13.  Section 4. Scope. – This Act applies to the processing of all types of personal information and to any natural and juridical person involved in       personal information processing including those personal information controllers and processors who, although not found or established in the Philippines, use equipment that are located in the Philippines, or those who maintain an office, branch or agency in the Philippines subject to the immediately succeeding paragraph: Provided, That the requirements of Section 5 are complied with.
This Act does not apply to the following:
(a) Information about any individual who is or was an officer or employee of a government institution that relates to the position or functions of the individual, including:
(1) The fact that the individual is or was an officer or employee of the government institution;
(2) The title, business address and office telephone number of the individual;
(3) The classification, salary range and responsibilities of the position held by the individual; and
(4) The name of the individual on a document prepared by the individual in the course of employment with the government;
(b) Information about an individual who is or was performing service under contract for a government institution that relates to the services performed, including the terms of the contract, and the name of the individual given in the course of the performance of those services;
(c) Information relating to any discretionary benefit of a financial nature such as the granting of a license or permit given by the government to an individual, including the name of the individual and the exact nature of the benefit;
(d) Personal information processed for journalistic, artistic, literary or research purposes;
(e) Information necessary in order to carry out the functions of public authority which includes the processing of personal data for the performance by the independent, central monetary authority and law enforcement and regulatory agencies of their constitutionally and statutorily mandated functions. Nothing in this Act shall be construed as to have amended or repealed Republic Act No. 1405, otherwise known as the Secrecy of Bank Deposits Act; Republic Act No. 6426, otherwise known as the Foreign Currency Deposit Act; and Republic Act No. 9510, otherwise known as the Credit Information System Act (CISA);
(f) Information necessary for banks and other financial institutions under the jurisdiction of the independent, central monetary authority or Bangko Sentral ng Pilipinas to comply with Republic Act No. 9510, and Republic Act No. 9160, as amended, otherwise known as the Anti-Money Laundering Act and other applicable laws; and
(g) Personal information originally collected from residents of foreign jurisdictions in accordance with the laws of those foreign jurisdictions, including any applicable data privacy laws, which is being processed in the Philippines.(http://www.lawphil.net/statutes/repacts/ra2012/ra_10173_2012.html).
14.  Section 2. Declaration of Policy. – It is the policy of the State to protect the fundamental human right of privacy, of communication while ensuring free flow of information to promote innovation and growth. The State recognizes the vital role of information and communications technology in nation-building and its inherent obligation to ensure that personal information in information and communications systems in the government and in the private sector are secured and protected. (http://www.lawphil.net/statutes/repacts/ra2012/ra_10173_2012.html)
15. Section 3. Definition of Terms. – Whenever used in this Act, the following terms shall have the respective meanings hereafter set forth:
                Xxxxxx xxx
                Xxxxxxxxxxxxxx
                Xxxxxxxxxxxxx
                (g) Personal information refers to any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.
                xxxxxxxx. xxxxx.x
                xxxxxxxxxxxx
16. Section 2. Declaration of Policy. – It is the policy of the State to protect the fundamental human right of privacy, of communication while ensuring free flow of information to promote innovation and growth. The State recognizes the vital role of information and communications technology in nation-building and its inherent obligation to ensure that personal information in information and communications systems in the government and in the private sector are secured and protected. (http://www.lawphil.net/statutes/repacts/ra2012/ra_10173_2012.html).
19. Data privacy act chapter 2 (section 7 and 8) (http://www.gov.ph/2012/08/15/republic-act-no-10173/)
20. Penal sanctions of R.A. 10173 Section 25. Unauthorized Processing of Personal Information and Sensitive Personal Information. – (a) The unauthorized processing of personal information shall be penalized by imprisonment ranging from one (1) year to three (3) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than Two million pesos (Php2,000,000.00) shall be imposed on persons who process personal information without the consent of the data subject, or without being authorized under this Act or any existing law.
(b) The unauthorized processing of personal sensitive information shall be penalized by imprisonment ranging from three (3) years to six (6) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than Four million pesos (Php4,000,000.00) shall be imposed on persons who process personal information without the consent of the data subject, or without being authorized under this Act or any existing law.
Section 26. Accessing Personal Information and Sensitive Personal Information Due to Negligence. – (a) Accessing personal information due to negligence shall be penalized by imprisonment ranging from one (1) year to three (3) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than Two million pesos (Php2,000,000.00) shall be imposed on persons who, due to negligence, provided access to personal information without being authorized under this Act or any existing law.
(b) Accessing sensitive personal information due to negligence shall be penalized by imprisonment ranging from three (3) years to six (6) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than Four million pesos (Php4,000,000.00) shall be imposed on persons who, due to negligence, provided access to personal information without being authorized under this Act or any existing law.
Section 27. Improper Disposal of Personal Information and Sensitive Personal Information. – (a) The improper disposal of personal information shall be penalized by imprisonment ranging from six (6) months to two (2) years and a fine of not less than One hundred thousand pesos (Php100,000.00) but not more than Five hundred thousand pesos (Php500,000.00) shall be imposed on persons who knowingly or negligently dispose, discard or abandon the personal information of an individual in an area accessible to the public or has otherwise placed the personal information of an individual in its container for trash collection.
b) The improper disposal of sensitive personal information shall be penalized by imprisonment ranging from one (1) year to three (3) years and a fine of not less than One hundred thousand pesos (Php100,000.00) but not more than One million pesos (Php1,000,000.00) shall be imposed on persons who knowingly or negligently dispose, discard or abandon the personal information of an individual in an area accessible to the public or has otherwise placed the personal information of an individual in its container for trash collection.
Section 28. Processing of Personal Information and Sensitive Personal Information for Unauthorized Purposes. –The processing of personal information for unauthorized purposes shall be penalized by imprisonment ranging from one (1) year and six (6) months to five (5) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than One million pesos (Php1,000,000.00) shall be imposed on persons processing personal information for purposes not authorized by the data subject, or otherwise authorized under this Act or under existing laws.
The processing of sensitive personal information for unauthorized purposes shall be penalized by imprisonment ranging from two (2) years to seven (7) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than Two million pesos (Php2,000,000.00) shall be imposed on persons processing sensitive personal information for purposes not authorized by the data subject, or otherwise authorized under this Act or under existing laws.
Section 29. Unauthorized Access or Intentional Breach. – The penalty of imprisonment ranging from one (1) year to three (3) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than Two million pesos (Php2,000,000.00) shall be imposed on persons who knowingly and unlawfully, or violating data confidentiality and security data systems, breaks in any way into any system where personal and sensitive personal information is stored.
Section 30. Concealment of Security Breaches Involving Sensitive Personal Information. – The penalty of imprisonment of one (1) year and six (6) months to five (5) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than One million pesos (Php1,000,000.00) shall be imposed on persons who, after having knowledge of a security breach and of the obligation to notify the Commission pursuant to Section 20(f), intentionally or by omission conceals the fact of such security breach.
Section 31. Malicious Disclosure. – Any personal information controller or personal information processor or any of its officials, employees or agents, who, with malice or in bad faith, discloses unwarranted or false information relative to any personal information or personal sensitive information obtained by him or her, shall be subject to imprisonment ranging from one (1) year and six (6) months to five (5) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than One million pesos (Php1,000,000.00).
Section 32. Unauthorized Disclosure. – (a) Any personal information controller or personal information processor or any of its officials, employees or agents, who discloses to a third party personal information not covered by the immediately preceding section without the consent of the data subject, shall he subject to imprisonment ranging from one (1) year to three (3) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than One million pesos (Php1,000,000.00).
(b) Any personal information controller or personal information processor or any of its officials, employees or agents, who discloses to a third party sensitive personal information not covered by the immediately preceding section without the consent of the data subject, shall be subject to imprisonment ranging from three (3) years to five (5) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than Two million pesos (Php2,000,000.00).
Section 33. Combination or Series of Acts. – Any combination or series of acts as defined in Sections 25 to 32 shall make the person subject to imprisonment ranging from three (3) years to six (6) years and a fine of not less than One million pesos (Php1,000,000.00) but not more than Five million pesos (Php5,000,000.00).
Section 34. Extent of Liability. – If the offender is a corporation, partnership or any juridical person, the penalty shall be imposed upon the responsible officers, as the case may be, who participated in, or by their gross negligence, allowed the commission of the crime. If the offender is a juridical person, the court may suspend or revoke any of its rights under this Act. If the offender is an alien, he or she shall, in addition to the penalties herein prescribed, be deported without further proceedings after serving the penalties prescribed. If the offender is a public official or employee and lie or she is found guilty of acts penalized under Sections 27 and 28 of this Act, he or she shall, in addition to the penalties prescribed herein, suffer perpetual or temporary absolute disqualification from office, as the case may be.
Section 35. Large-Scale. – The maximum penalty in the scale of penalties respectively provided for the preceding offenses shall be imposed when the personal information of at least one hundred (100) persons is harmed, affected or involved as the result of the above mentioned actions.
Section 36. Offense Committed by Public Officer. – When the offender or the person responsible for the offense is a public officer as defined in the Administrative Code of the Philippines in the exercise of his or her duties, an accessory penalty consisting in the disqualification to occupy public office for a term double the term of criminal penalty imposed shall he applied.
Section 37. Restitution. – Restitution for any aggrieved party shall be governed by the provisions of the New Civil Code. (http://www.gov.ph/2012/08/15/republic-act-no-10173/)