With the inevitable growth of modern technology, coupled with its accessibility and the convenience it brings, gathering and recording information on almost anything (or anyone, for that matter) has become ten times easier than it was 10 years ago. With this in mind, certain measures have to be undertaken to ensure that the privacy of each and every individual is not reduced to a mere figment of the imagination.
Data Privacy Act of 2012
On August 15, 2012, President Benigno Aquino signed into law RA 10173, otherwise known as the Data Privacy Act of 2012. The law was enacted to “protect the fundamental human right of privacy, of communication while ensuring free flow of information to promote innovation and growth.” Among its salient features are:
- Creation of the National Privacy Commission, which shall be the lead agency in the implementation and administration of the provisions of the Data Privacy Act.
- The law sets criteria for lawful processing of personal information.
- Prohibits the processing of sensitive personal information and privileged information, except in certain cases as defined in the Act.
- Establishes the rights of individuals whose personal information is processed.
- Provides guidelines as to the implementation of measures intended for the protection of personal information against any accidental or unlawful destruction, alteration and disclosure, as well as against any unlawful processing.
- Penalties are also provided in case of any violation of the Act.
While the law allows for the collection of personal information, such is subject to certain limitations set forth in the Act, to wit:
- Personal information must be collected for a specified and legitimate purpose determined and declared before the collection;
- Processed fairly and lawfully;
- Accurate and relevant to the purpose, and any incomplete or incorrect data must be rectified;
- Adequate and not excessive in relation to the purpose for which they are collected; and
- Retained only as necessary;
Furthermore, the law provides that the processing of personal information will be permitted ONLY (unless the law prohibits otherwise) when any of the following criteria is met:
- That consent has been freely given by the owner of the information
- The gathering of personal information is necessary to the fulfillment of a contract
- The gathering of personal data is for compliance with a legal obligation by the owner of the information
- The gathering of personal data is for the protection of the owner of the data
- The gathering of personal data is “necessary in order to respond to national emergency, to comply with the requirements of public order and safety, or to fulfill functions of public authority which necessarily includes the processing of personal data for the fulfillment of its mandate”
- For legitimate interest pursued by the personal information controller, or third persons to whom the data is disclosed.
Section 25 of the Act penalizes any unauthorized gathering of personal information: imprisonment ranging from one year to three years and a fine of not less than five thousand pesos but not more than two thousand pesos shall be imposed on any person who processes one’s personal information without his consent. The Act likewise punishes the processing of personal information for unauthorized purposes.
RA 10173 defines a personal information controller as “a person or organization who controls the collection, holding, processing or use of personal information, including a person or organization who instructs another person or organization to collect, hold, process, use, transfer or disclose personal information on his or her behalf.” The definition expressly excludes a person who processes such personal information as instructed by another person or organization, as well as those who process personal information in connection with the individual’s personal, family or household affairs.
The Act speaks of three types of information: personal information, sensitive personal information and privileged information. Section 3 of the Act defines personal information as any information “from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify the individual.” It excludes the following information:
- Information about an officer or employee of the government in relation to his position;
- Information about persons performing labor or services under contract for the government that relates to the services performed;
- Information about a financial benefit granted by the government, the name of the individual and the nature of the benefit;
- Personal information processed for journalistic, artistic, literary or research purposes;
- Information necessary to carry out functions of government authority;
- Information necessary for banks and financial institutions to comply with the Anti-Money Laundering Act and other applicable laws; and
- Personal Information collected from residents of foreign countries processed in the Philippines.
On the other hand, sensitive personal information refers to information which, because of its nature, is subject to stricter requirements for its handling and processing. This includes a person’s race, ethnicity, marital status, age, color, religious, political or philosophical affiliations, health, education, genetic or sexual life, as well as information peculiar to an individual which is issued by the government, such as social security number and taxpayer’s identification number, among others. Privileged information, meanwhile, refers to any and all data which the Rules of Court and other pertinent laws constitute as privileged communication.
Personal Information, then, would include, among others, a person’s address, name, phone number, which, with almost everyone carrying a mobile phone (others more than one, in fact), would “directly and certainly identify” the owner thereof.
This begs the question, is the disclosure of one’s phone number to a stranger or a third person without the consent of the former violative of the Data Privacy Act of 2012? Say, for example, person A gives his friend B’s phone number to C. Is B’s right to privacy violated by either A or C?
In order to determine whether there is liability, one would have to look at the facts and circumstances under which the act was done. What is the purpose and intent of C in asking for B’s phone number, and in what capacity was C acting? Is he considered a “personal information processor” or a “personal information controller”? We also have to establish the relationship between A, B and C. Lastly, the nature of the phone number collected would have to be determined: whether it is to be construed as personal information, sensitive personal information or privileged information within the meaning of the Act.
With the advent of modern technology and the accessibility of mobile devices, a person’s identity may indeed be ascertained by his phone number. Save for face-to-face personal communication, mobile communication may perhaps be the most convenient way by which people communicate with one another. Thus, when one loses his phone number, he would go to great lengths in trying to obtain the same number so as not to lose his contacts. In fact, only recently, hackers posted President Aquino’s personal mobile number on the social media site Facebook. This forced him to change his mobile number and to give up his old number, which he had used since 1998. According to reports, he had refused to change his phone number for fear that “his old friends might be disassociated from him.”
Such being the case, we can definitely infer that a mobile number falls within the definition of Personal Information. It is not sensitive personal information, as a phone number, by its nature, does not entail sensitive information. Nor does it fall under the category of privileged information as defined in the Rules of Court or other pertinent laws.
For Personal Use
Say, for example, A, B and C are students of Arellano University School of Law. A week before the scheduled midterm examinations, C failed to attend his Technology and the Law class. The following day, he saw his friend A, who also happened to be friends with B, one of C’s classmates in the said class. C asked A for B’s phone number as he needs to know what was discussed in class.
In the case at bar, it is clear that C, acting in his own capacity as a student, needed the phone number of B for personal reasons—he needs to get in touch with B so as to know what he missed in class. This is the most common scenario as applied in everyday life. People would ask for someone else’s number to be able to communicate with them. In this day and age, the fastest, easiest and most convenient way of reaching a person is through his mobile phone.
The law is clear on its applicability to the processing of data for personal use. Senator Edgardo Angara, author of the Senate version of the bill, said that the law was based on, and made compliant with, the Directive 95/46 EC of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals with regard to the processing of personal data. The Directive 95/46 EC expressly provides that it shall not apply to the processing of personal data “by a natural person in the course of a purely personal or household activity”. Corollary to this, section 4, in relation to section 2h of RA 10173, also excludes the processing of data by “an individual who collects, hold, process, use, transfer, or uses personal information in connection with the individual’s personal, family or household affairs.” Therefore, in the first scenario, neither A nor C is liable under the Data Privacy Act for the disclosure of B’s phone number, as it was for his “personal, family or household affairs.”
Personal Information Controller
What if A, the person who discloses B’s number, falls within the definition of what a personal information controller is as defined by the Act? Say for example, A is an HR representative who has custody of the 201 files of all the employees in his organization? Will he be liable for disclosure of B’s number without his consent?
As discussed, the Act permits the processing of personal information, subject to the provisions of the Act and other pertinent laws. The law provides that the personal information controller must ensure the implementation of the abovementioned criteria. Furthermore, the Act provides for penalties in case of noncompliance with its provisions.
The Act also sets forth the criteria for determining whether collection of personal data is lawful. The law provides that processing of data shall be allowed when ANY OF THE conditions mentioned therein exists. In other words, even when the personal information was processed or collected by the personal information controller, such would still be lawful for as long as it is within ANY of the conditions mentioned in Sec 12. Needless to say, the personal information controller will only be liable if none of the criteria exists in the processing of the data.
The Data Privacy Act of 2012 provides penalties for the following acts:
- Unauthorized processing of personal information and sensitive personal information
- Accessing personal information and sensitive personal information due to negligence
- Improper disposal of personal information and sensitive personal information
- Processing of personal information and sensitive personal information for unauthorized purposes
- Unauthorized access or intentional breach
- Concealment of security breaches involving sensitive personal information
- Malicious disclosure
- Unauthorized disclosure
- Combination or series of acts 
The question of privacy is one which we all should be concerned about. Now that bits and pieces of our personal information are out there, we should ever be mindful of the information we disclose to others. And I am not just referring to our own information, but also that of others. While we enjoy the benefits of modern technology, let us also be vigilant in the way we conduct our business.
Sec. 2, R.A. 10173, Data Privacy Act of 2012.
Sec. 11, R.A. 10173, Data Privacy Act of 2012.
Sec. 12, R.A. 10173, Data Privacy Act of 2012.
Sec. 3(h), R.A. 10173, Data Privacy Act of 2012.
Sec. 3(g), R.A. 10173, Data Privacy Act of 2012.
Sec. 4, R.A. 10173, Data Privacy Act of 2012.
Art. 3, Directive 95/46 EC. http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:en:HTML
Sec. 25, R.A. 10173, Data Privacy Act of 2012.
Sec. 26, R.A. 10173, Data Privacy Act of 2012.
Sec. 27, R.A. 10173, Data Privacy Act of 2012.
Sec. 28, R.A. 10173, Data Privacy Act of 2012.
Sec. 29, R.A. 10173, Data Privacy Act of 2012.
Sec. 30, R.A. 10173, Data Privacy Act of 2012.
Sec. 31, R.A. 10173, Data Privacy Act of 2012.
Sec. 32, R.A. 10173, Data Privacy Act of 2012.
Sec. 33, R.A. 10173, Data Privacy Act of 2012.