Deputy Commissioners Dondi Mapa and Ivy Patdu presented the draft IRR.
- The Commission presented the rules in sequence and solicited comments and suggestions from the participants. Due to the number of questions and extent of discussion, the Commission was only able to tackle up to Rule IV out of 14 Rules with 72 sections.
- On Rule I, the Commission emphasized the introduction of a new term "personal data" which includes both personal and sensitive information. This was welcomed by the technical and legal participants as the term encompasses a broader scope of information subject to data protection.
- In response to questions on breach in relation to breach notifications under Rule IX, i.e. when a personal information controller needs to notify, the Commission said it will be releasing an issuance to provide guidelines on this specific subject. It also clarified that breach covers not just unlawful but also unauthorized processing of personal information.
- On Sec. 3(o), a question was raised by the BPM sector whether this prohibits BPMs from sharing information on fraud or misconduct by former/terminated employees with other BPMs. The Commission clarified that sensitive personal information includes personal information about any proceeding, whether administrative, civil, or criminal, for any offense committed or alleged to have been committed.
- It was also suggested that definitions be provided for the following terms:
  - Data sharing (for the purpose of distinguishing it from personal information processing) (mentioned in Sec. 20)
  - Data sharing agreement (mentioned in Sec. 20)
  - Security incident (mentioned in Sec. 3[b])
- In terms of liability, the Commission clarified that although the actual “personal information controller” is a specific individual in the organization, it is the company which is ultimately considered as the "personal information controller" under the law. Thus, all responsibilities and liabilities fall upon the company.
- Rule II, Sec. 5(f) was hotly debated. This refers to the issue of whether the Data Privacy Act applies to personal information originally collected from residents of foreign jurisdictions in accordance with the laws of those foreign jurisdictions and then processed in the Philippines. Sec. 5(f) of the draft IRR provides that the Data Privacy Act shall apply to processing performed in the Philippines. This was found favorable by the BPM sector as it assures a foreign client that data processed in the Philippines will be protected. However, a question was also raised on the consistency of this rule with the Data Privacy Act, which does not provide for such applicability. It was also pointed out that if the foreign jurisdiction in which the data was collected accords less protection, why should the data be more protected when processed in the Philippines? To avoid such conflict-of-laws situations, it was suggested that the laws of the jurisdiction in which the data was collected be applied even when the data is processed in the Philippines. That way, the same protection is given. The Commission revealed that this was also extensively discussed and debated during the drafting of the IRR and invited the participants to submit their recommendations for the Commission’s consideration.
- The Commission also announced that it will release a separate issuance to address issues specific to business process outsourcing and provide guidelines.
- On Rule II, Sec. 5(d), the question was raised whether it is necessary that a public authority processing personal information be able to cite a specific statute or legal basis in order for the information to be exempt from the coverage of the Data Privacy Act. The rule provides that the Act will not apply to information necessary in order to carry out functions of public authority, only to the extent of collection and further processing consistent with a constitutionally or statutorily mandated function pertaining to national security, defense, law enforcement, taxation and other regulatory functions. A concern was raised that this might impede the performance of public functions if a public authority always had to cite a specific law or rule as the basis for processing the information. Specific examples mentioned were the National Bureau of Investigation and the Securities and Exchange Commission, which publish and disclose information in the process of fulfilling their functions. In response, the Commission said that the rule does require a legal basis for a public authority's processing of information to be exempt from the coverage of the Data Privacy Act.
- On Rule III, the Commission clarified that it has the authority to issue cease and desist orders but not warrants of arrest.
- On Rule IV, Sec. 19(a)(1), questions were raised on the form, scope, and period of consent.
- The next public consultation will be on 13 July 2016 in UP. The target publication of the IRR is in August.
- Other comments and recommendations may be sent to email@example.com.