The National Privacy Commission

SEC. 7. Functions of the National Privacy Commission

(a) Ensure compliance of personal information controllers (b) Receive complaints institute investigations facilitate or enable settlement of complaints through alternative dispute resolution processes, adjudicate, award indemnity on matters affecting any personal information, prepare reports on disposition of complaints and resolution of any investigation it initiates, and publicize any such report: Provided, That in resolving any complaint or investigation (except where amicable settlement is reached by the parties), the Commission shall act as a collegial body.

For this purpose, the Commission should: have access to personal information complained about and collect such information (c) Issue cease and desist orders impose a temporary or permanent ban on the processing of personal information, if the processing is bad for national security and public interest; (d) Compel or petition any entity to abide by its orders (e) Monitor the compliance of other government agencies recommend the actions needed to meet minimum standards (f) Coordinate with other government agencies and the private sector on efforts to formulate and implement plans and policies (g) Publish a guide to all laws relating to data protection; (h) Publish a compilation of agency system of records and notices, including index and other finding aids; (i) Recommend to the Department of Justice (DOJ) the prosecution and imposition of penalties specified in Sections 25 to 29 of this Act; (j) Review, approve, reject or require modification of privacy codes voluntarily adhered to by personal information controller, Provided: that the privacy codes shall adhere to this Act’s principles that such privacy codes may include private dispute resolution mechanisms for complaints against any participating personal information controller. .. (k) Help with privacy or data protection at the request any person; … (p) Help Philippine companies doing business abroad to respond to foreign privacy or data protection laws and regulations; and (q) Do cross-border enforcement of data privacy protection. SEC. 8. Confidentiality. – The Commission shall ensure the confidentiality of any personal information it gets

SEC. 9. Organizational Structure of the Commission. – It will be a part of DICT.

CHAPTER 3: PROCESSING OF PERSONAL INFORMATION

SEC. 11. General Data Privacy Principles.

transparency, legitimate purpose proportionality.

Personal information must, be:

(a) Collected for legitimate purposes declared before collection (b) Processed fairly and lawfully; (c) Accurate, relevant, kept up to date; inaccurate or incomplete data must be corrected or destroyed or further processing restricted (d) Adequate and not excessive in relation to the purposes for which they are collected and processed; (e) Retained only as is necessary for legal claims, business purposes, or as provided by law (f) Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected and processed Provided, That personal information collected for other purposes may lie processed for historical, statistical or scientific purposes, and in cases laid down in law may be stored for longer periods: That adequate safeguards are guaranteed by said laws authorizing their processing.

SEC. 12. Criteria for Lawful Processing of Personal Information:

(a) The data subject has given his or her consent; (b) The processing of personal information is: necessary related to: the fulfillment of a contract with the data subject or take steps at the request of the data subject prior to entering into a contract; (c) The processing is needed to comply with a legal obligation to which the personal information controller is subject; (d) The processing is needed to protect vitally important interests of the data subject, including life and health; (e) The processing is needed to: respond to national emergency comply with the requirements of public order and safety fulfill functions of public authority which includes the processing of personal data (f) The processing is necessary for the legitimate interests of the personal information controller or by third parties which have such data, except when overridden by the Constitution.

SEC. 13. Sensitive Personal Information and Privileged Information. – The processing of sensitive and privileged information is allowed when:

(a) for sensitive info: the data subject has given consent, specific to the purpose prior to the processing for privileged information, all parties involved have given their consent prior to processing; (b) The processing of such data is allowed by existing laws and regulations: Provided, That such regulatory enactments guarantee the protection of the sensitive personal information and the privileged information: That the consent of the data subjects are not required by law, allowing the processing of such information; (c) The processing is necessary to protect the life and health of the data subject or another person The data subject is not legally or physically able to express his or her consent prior to the processing; (d) The processing is necessary to achieve the lawful and noncommercial objectives of public organizations and their associations: Provided That such processing is only confined and related to members of these organizations or their associations: Provided, further, That the sensitive personal information are not transferred to third parties: Provided, finally, That consent of the data subject was obtained prior to processing; (e) The processing is: necessary for purposes of medical treatment, done by a medical practitioner or a medical treatment institution, processing has an adequate level of protection of personal information is ensured; or (f) The processing of such information is needed to protect the rights and interests of persons in: court proceedings, exercise or defense of legal claims, or times when provided to government or public authority.

SEC. 14. Subcontract of Personal Information.

A personal information controller may subcontract the processing of personal information: Provided,

That the personal information controller shall be responsible for: the confidentiality of the personal information processed, prevent its use for unauthorized purposes, and process personal information lawfully. The personal information processor shall comply with the laws

SEC. 15. Extension of Privileged Communication

Personal information controllers may invoke the principle of privileged communication over privileged information that they have Any evidence gathered on privileged information is inadmissible.