Disini & Disini Law Office

“Navigating Compliance with the Data Privacy Act”


More than six (6) years after the Data Privacy Act of 2012 was signed into law, both private and public organizations have faced multifaceted concerns relating to data privacy, from securing the consent of the data subject all the way to the problem of information security and data breaches. A full resolution of these compliance issues calls for a keen and nuanced understanding of the Data Privacy Act and the regulations issued by the National Privacy Commission.

The Disini & Disini Law Office and Data Privacy Philippines invite you to this forum in the hope of providing a deeper appreciation of the Data Privacy Act to a broader set of professionals dealing with compliance issues. By resolving these issues surrounding the law, organizations can now move forward with their own compliance efforts, without fear of making errors that may prove costly in the future.

Looking Beyond Privacy Awareness

The National Privacy Commission deserves praise for raising data privacy awareness on a national scale and encouraging a culture of privacy across industries and sectors. As the Commission approaches its fourth year, our keynote speaker will give insight into the agency’s direction and priorities for the near future. Participants will gain a better understanding of the Commission’s expectations of organizations in terms of their respective privacy compliance and management programs.

Deputy Comm. Leandro Aguirre

DPA Basics and Compliance Process

Prior to initiating an organization’s compliance process, it is necessary to look into the fundamental concepts of the Data Privacy Act. Only with a deep understanding of these concepts can organizations ensure that their compliance efforts are aligned with their needs. This session shall put into focus what exactly compliance with the Data Privacy Act entails, as well as the highlights of the compliance process.

D&D Privacy Team

Personal Information vs. Sensitive Personal Information vs. Personal Data

The Data Privacy Act has devoted provisions to dealing with personal information and sensitive personal information separately. This apparent difference in treatment calls for a discussion of whether personal information, sensitive personal information, and personal data are mutually exclusive concepts. The answer to this preliminary issue would have grave implications for how the Data Privacy Act can and will be interpreted. As an example, if personal information is not included within the concept of sensitive personal information, then the research exception under the Data Privacy Act cannot apply to sensitive personal information. How, then, should these concepts be treated?

D&D Privacy Team

Consent as a Data Privacy Fundamental

Consent is undoubtedly the touchstone of data privacy. By securing the data subject’s consent, an organization can, theoretically, use that data without running afoul of the Data Privacy Act. However, that is a perilously simplistic reading of the requirement for consent. This session hopes to shed light on the various requirements in obtaining consent, as well as the most efficient means of securing such consent without straying from what is provided under the Data Privacy Act.

D&D Privacy Team

Public Function Exception

The Data Privacy Act affords the government a critical exception by allowing it to process personal information if such processing is necessary for the fulfillment of the functions of public authority. However, the limits of this exception remain undefined. Does that mean that the government need not obtain the consent of its data subjects? Moreover, as the exception seems to apply to the information to be processed and not to the entity processing such information, may corporations, then, use government data without the consent of its data subjects?

D&D Privacy Team

Legitimate Interest Exception

Under the Data Privacy Act, personal information may be processed if it is done pursuant to legitimate interests. Simply put, there is no need to secure the consent of the data subject if his personal information is going to be processed for legitimate purposes. Given the undefined breadth of what constitutes “legitimate interests,” processing hinged upon such legitimate interests may lead to the nullification of the entire law. But is that really the case here? Is this the provision that, as Sen. Edgardo J. Angara claimed, sought to marry the two competing privacy regimes?

D&D Privacy Team

Research Exception

The provisions of the Data Privacy Act do not apply when personal information is processed for research purposes. However, questions continue to hound the research exception. Preliminarily, there is a need to determine the scope of the research exception. Failure to resolve this will certainly put researchers at risk, as they would not know when they should secure the consent of their subjects. Moreover, this lack of a defined scope has resulted in the Data Privacy Act being seen as a possible threat to the integrity and accuracy of research results, as revealing the true purpose of the research necessitating such misdirection would, necessarily, skew the results. How, then, should the research purpose exception be properly availed of?

D&D Privacy Team

Journalistic Exception

The past few years have witnessed the blurring of the lines between journalism and what is not. The rise of the so-called alternative media, led by individuals like Mocha Uson, has fueled the discussions redefining journalistic boundaries. This redefinition necessarily calls for a discussion of this new brand of journalism with respect to the Data Privacy Act. Can these journalists of alternative media avail of the journalistic purpose exception under the law?

D&D Privacy Team

Due Diligence in Data Sharing and Data Outsourcing

The Data Privacy Act and its implementing rules do not prohibit the transfer of data to third parties, but such transfer should be in accordance with certain principles and guidelines. This session will clarify the differences between data sharing and data outsourcing, the legal implications and risks of each arrangement, and how to mitigate the risks from the standpoint of the entity sharing the personal data or outsourcing the processing thereof.

D&D Privacy Team

NPC Guidelines on Compliance Checks

Since 2017, the National Privacy Commission has been conducting compliance check visits to personal information controllers and personal information processors. In September 2018, the Commission issued a circular outlining the guidelines on compliance checks, which now include a high-level privacy sweep in addition to actual on-site visits. This session aims to provide a structured understanding of the guidelines, as well as some practical tips on how to handle a compliance check.

D&D Privacy Team

Data Breach Management and Notification

Under the Data Privacy Act, organizations are mandated to implement breach management systems and procedures to maintain the confidentiality, integrity, and accessibility of personal information. The law also requires them to promptly notify the Commission and affected data subjects in the event of a personal data breach. This session, designed to teach organizations the best practices for data breach management, shall have participants run through a whole gamut of breach scenarios, giving them insights on the best courses of action in the event of a data breach.

D&D Privacy Team

Role of Information Security in Data Privacy Compliance

While information security is indeed a significant and critical component of compliance with the Data Privacy Act, it is not equivalent to privacy compliance. This session shall clarify the role of information security within the sphere of data privacy compliance, as well as the specifics of fully complying with the security requirements of the Data Privacy Act.

Mr. Kamesh Ganeson