The Department of Information and Communications Technology (DICT) Mindanao Cluster 2 held its Data Privacy Roadshow this month in Cagayan de Oro City, in collaboration with the National Privacy Commission (NPC).
Dondi Mapa, Deputy Privacy Commissioner of the NPC, said that under Republic Act 10173, or the Data Privacy Act of 2012, it is the policy of the State to protect the fundamental human right of privacy, of communication while ensuring free flow of information to promote innovation and growth.
According to him, data is the new oil of the digital economy. For instance, identity thieves can get a loan, open credit cards, open utility accounts, apply for a refund, apply for employment, get medical care and commit crime or fraud. Victims, for their part, can be denied credit or loans, public services and medical care, and can face harassment by collectors, among others.
He explained that there are three levels of privacy risk: low, medium and high. A workshop conducted during the roadshow found that, at a medium level of privacy risk, a government agency or private institution would need a Data Privacy Officer (DPO). Overall privacy risk is especially at stake when the exposure level of the data obtained, such as personal information of beneficiaries, is high.
Privacy risk is the probability that the data processing or other activity involving data will result in a loss of rights and freedom of an individual. Further, risk level may be adjusted for severity, likelihood and magnitude.
Meanwhile, lawyer Vida Bocar of the Compliance and Monitoring Division of the NPC shared that, to handle data properly, an agency or entity must adhere to five obligations mandated by law: appoint a DPO/Compliance Officer, process data according to principles, establish a data protection framework, set up a breach reporting procedure and register systems with the NPC.
According to her, designating a DPO is the first essential step towards compliance. You cannot register your systems with the NPC unless you have a DPO. You cannot report your compliance activities unless you go through your DPO.
To comply, there must be a notarized appointment or designation of a DPO, filed with the NPC. If there is a breach, it must be reported within 72 hours. Failure to notify within 72 hours could be punishable by 18 months to five years of imprisonment and a fine of P500,000 to P1M.
Causes of breach include theft or break-in, poor controls allowing unauthorized access, equipment failure, human error, flood, earthquake, fire and hacking attacks.
The NPC also shared that it is open to complaints or requests for investigation through its email address at email@example.com, by postal mail or by personal appearance at Room B-02, DICT Building, C.P. Gracia Ave., Quezon City. (JMOR/PIA10)