COMPUTER AND DATA PRIVACY Page 1 of 7

COMPUTER AND DATA PRIVACY

Right To Privacy
- The right to privacy is the right to be let alone. - Hing v. Choachuy (2013)
- It is the right of an individual “to be free from unwarranted publicity, or to live without unwarranted interference by the
public in matters in which the public is not necessarily concerned.”
Right To Privacy Against The State
- The State recognizes the right of the people to be secure in their houses. No one, not even the State, except "in case of
overriding social need and then only under the stringent procedural safeguards," can disturb them in the privacy of their
homes.
Right To Privacy Under Civil Code
- Art. 26. Every person shall respect the dignity, personality, privacy and peace of mind of his neighbors and other persons.
PROHIBITED ACTS:
1. Prying into the privacy of another's residence;
2. Meddling with or disturbing the private life or family relations of another;
3. Intriguing to cause another to be alienated from his friends;
4. Vexing or humiliating another on account of his religious beliefs, lowly station in life, place of birth, physical defect, or other
personal condition.

HING V. CHOACHUY (2013)

- May an individual install surveillance cameras on his own property facing the property of another?
- NO. A man’s house is his castle, where his right to privacy cannot be denied or even restricted by others. It includes any act
of intrusion into, peeping or peering inquisitively into the residence of another without the consent of the latter.
- Privacy extends to business office
- A business office is entitled to the same privacy when the public is excluded therefrom and only such individuals as are
allowed to enter may come in.
- The installation of these cameras, however, should not cover places where there is reasonable expectation of privacy,
unless the consent of the individual, whose right to privacy would be affected, was obtained.

POLLO V. DAVID (2011)

- May government employer conduct search of office computer without the consent of the employee-user?
- Yes, provided there was no actual (subjective) expectation of privacy either in his office or government-issued computer
which contained his personal files.
- In the instant case, the subject of the search was a government-issued computer.
- No actions to maintain privacy of files was taken by Pollo.
- There was an existing office memorandum, Computer Use Policy, explicitly stating that there is no expectation of privacy on
the use of government-issued computers in CSC.
- Consider the following:
1. Government-issued or personal computer
2. Workplace privacy policy
3. Actions by employees to maintain privacy on the item
- May an employer install CCTV with audio inside the workplace?
- No case decided yet.
- However, in Pollo case, it was held that employees in workplace have less or no expectation of privacy.

May an employer install CCTV with audio inside the workplace?

- Objection: Issue of wiretapping when private conversations are recorded.
- The installation of a CCTV camera with audio cannot be considered tapping a wire or cable.
 COMPUTER AND DATA PRIVACY Page 2 of 7
ZULUETA V. CA (1996)
- Cecilia is the wife of Alfredo, a doctor of medicine.
- Cecilia entered the clinic of her husband and in the presence of witnesses, forcibly opened the drawers and cabinet in her
husbands clinic and took 157 documents consisting of private correspondence between Dr. Martin and his alleged
paramours, greetings cards, cancelled checks, diaries, Dr. Martins passport, and photographs. Said items were used as
evidence in legal separation case.
- Was the right to privacy of Alfredo violated?
- YES, thus the documents and papers are inadmissible in evidence.
- The Court held “the intimacies between husband and wife do not justify any one of them in breaking the drawers and
cabinets of the other and in ransacking them for any telltale evidence of marital infidelity.”
- “A person, by contracting marriage, does not shed his/her integrity or his right to privacy as an individual and the
constitutional protection is ever available to him or to her.”
- Would the Zulueta ruling be applicable to smartphones and social media accounts of spouses?

REPUBLIC ACT NO. 10173 Data Privacy Act of 2012

- It protects the privacy of individuals while ensuring free flow of information to promote innovation and growth
- It regulates the collection, recording, organization, storage, updating or modification, retrieval, consultation, use,
consolidation, blocking, erasure or destruction of personal data; and
- It ensures that the Philippines complies with international standards set for data protection through National Privacy
Commission (NPC).
Personal Information Controller (PIC)
- The individual, corporation, or body who decides what to do with data. The PIC is NOT the employee, CIO, or data
protection officer.
Personal Information Processor (PIP)
- One who processes data for a Personal Information Controller. By definition, the PIP does not process information for the
PIP’s own purpose.
Consent
- Where the data subject agrees to the collection and processing of his personal data. The agreement must inform: (a)
purpose, nature, and extent of processing; (b) period of consent/instruction; and (c) rights as a data subject.
Breach
A security incident that:
- Leads to unlawful or unauthorized processing of personal, sensitive, or privileged information
- Compromises the availability, integrity, or confidentiality of personal data
Personal Information
- Information from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity
holding the information, or when put together with other information would directly and certainly identify an individual.
Sensitive Personal Information
Personal information:
- About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;
- About an individual’s health, education, genetic or sexual life of a person, or to any proceeding for any offense committed
or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such
proceedings
- Issued by government agencies peculiar to an individual which includes, but not limited to, social security numbers,
previous or current health records, licenses or its denials, suspension or revocation, and tax returns; and
- Specifically established by an executive order or an act of Congress to be kept classified.

PERSONAL INFORMATION V. SENSITIVE PERSONAL INFORMATION

- The processing of personal information is allowed unless explicitly prohibited by law, where one of several conditions are
met.
- The processing of sensitive personal information is prohibited unless certain criteria are met.
 COMPUTER AND DATA PRIVACY Page 3 of 7
Applicability
- The Data Privacy Act applies to all who process personal data.
- The processing of personal data is not a right.
Non- Applicability
- A PIC cannot say that the consent of a public officer is necessary before information that falls within matters of public
concern is released.
- A PIC cannot raise the Data Privacy Act to be exempt from FOI.
- Personal data in publication or exhibition is subject to established limits on freedom of press and expression.
- Law enforcement does not need to get consent of the data subject when it gathers personal data in an investigation. •
Banks do not need consent from the data subject before submitting transaction reports to the Anti-Money Laundering
Council.
Processing Personal Information
- The processing of personal information shall be allowed and shall adhere to the principles of transparency, legitimate
purpose and proportionality.
Principle Of Transparency
- The data subject must know: o The kind of personal data collected o How the personal data will be collected o Why
personal data will be collected
- The data processing policies of the PIC must be known to the data subject
- The information to be provided to the data subject must be in clear and plain language
Legitimate Purpose Principle
- Data collected must be always be collected only for the specific, explicit, and legitimate purposes of the PIC.
- No processing of data that is not compatible with the purpose for which the data was collected.
Principle Of Proportionality
- The processing of personal data should be limited to such processing as is adequate, relevant, and not excessive in relation
to the purpose of the data processing.
- Efforts should be made to limit the processed data to the minimum necessary.
Conditions For Processing Sensitive Personal Information
(a) The data subject has given his or her consent;
(b) The processing of personal information is necessary and is related to the fulfillment of a contract with the data subject or in
order to take steps at the request of the data subject prior to entering into a contract;
(c) The processing is necessary for compliance with a legal obligation to which the personal information controller is subject;
(d) The processing is necessary to protect vitally important interests of the data subject, including life and health;
(e) The processing is necessary in order to respond to national emergency, to comply with the requirements of public order
and safety, or to fulfill functions of public authority which necessarily includes the processing of personal data for the
fulfillment of its mandate; or
(f) (f) The processing is necessary for the purposes of the legitimate interests pursued by the personal information controller
or by a third party or parties to whom the data is disclosed, except where such interests are overridden by fundamental
rights and freedoms of the data subject which require protection under the Philippine Constitution.
Exceptions To Processing SPI
Consent is always required except when:
- Necessary to protect life and health of another and the data subject cannot express prior consent.
- The processing is required for medical treatment.
- Information necessary in order to carry out the functions of public authority
- The processing is necessary to achieve lawful and noncommercial objectives of public organizations and their associations.

RIGHTS OF THE DATA SUBJECT

Right To Be Informed
- The right to be informed that personal data shall be, are being, or have been processed, including the existence of
automated decision-making and profiling
- The disclosure must be made before the entry of the data into the processing system or at the next practical opportunity
 COMPUTER AND DATA PRIVACY Page 4 of 7

Right To Object
- The right to object to the processing of personal data, including processing for direct marketing, automated processing, or
profiling.
- Includes the right to be notified and given an opportunity to withhold consent to the processing in case of any changes or
any amendment to the information supplied or declared
Exceptions To Right To Object
- Personal data is needed pursuant to a subpoena
- Processing is for obvious purposes
- Necessary for or related to a contract or service to which the data subject is a party; or • Necessary or desirable in an
employer-employee relationship • Information is being processed as a result of a legal obligation.
Right To Access
- The right to find out whether a PIC holds any personal data about you.
- The right to reasonable access to personal data that were processed, sources of personal data, names and addresses of
recipients, manner/method of processing, information on automated process, date when personal data was last accessed
and modified, designation, name or identity, and address of the PIC
Right To Rectification
- The right to dispute the inaccuracy or error in the personal data and have the PIC correct it immediately.
- Includes access to new and retracted information, and simultaneous receipt thereof.
- Recipients previously given erroneous data must be informed of inaccuracy and rectification upon reasonable request of
the data subject.
Right To Erasure Or Blocking
- The right to suspend, withdraw, or order the blocking, removal, or destruction of his or her personal information from the
personal information controller’s filing system
When Right To Block Available
The personal data is:
- Incomplete, outdated, false, or unlawfully obtained
- Used for unauthorized purposes
- No longer necessary for purposes of collection
- Private information prejudicial to data subject, unless justified by freedom of speech, expression, or of the press, or
otherwise authorized
- Data subject withdraws consent and objects to the processing, and there is no other legal ground or overriding legitimate
interest
- Processing is unlawful
- PIC or PIP violated the rights of the data subject
Right To Damages
- The right to be indemnified for any damages sustained due to inaccurate, incomplete, outdated, false, unlawfully obtained,
or unauthorized use of personal data
Right To Data Portability
- The right to obtain a copy of data undergoing processing in an electronic or structured format, commonly used, and allows
for further use b the data subject.
- Takes into account the right to have control over personal data being processed based on consent, contract, for commercial
purposes, or through automated means
Right To File A Complaint
- File at complaints@privacy.gov.ph
- May a teacher/professor search the contents of a student’s cellular phone?
- NO. Any search through a student’s cellular phone without justification under a law or regulation is UNLAWFUL, and may be
construed as unauthorized processing under Section 25 of the DPA. (AO No. 2017- 049)
- May a teacher/professor search the contents of a student’s cellular phone?
 COMPUTER AND DATA PRIVACY Page 5 of 7
Exceptions:
1. With student’s consent (not applicable if minor)
2. When required by the student’s life and health, or by national emergency
- Is good faith or lack of intent to violate DPA a valid defense in a criminal case?
- NO. Although DPA is silent, it is a basic rule that criminal intent is not necessary to be liable for violation of a special penal
law. (AO No. 2017-039)

- Is an implied form of consent valid?

- “By continuing to avail of xxx products and services:
- You explicitly authorize xxx, its employees, duly authorized representatives, related companies and third-party service
providers, to use, process and share personal data needed in the administration of your xxx”
- Is an implied form of consent valid?
- INVALID. An implied or inferred consent is not recognized in this jurisdiction.
- The PIC or PIP must never assume the data subject’s consent for any activity involving his or her personal information
unless otherwise allowed by law.
- Is an implied form of consent valid?
- Consent under the DPA has three requirements:
1. Freely given
2. Specific
3. Informed indication of will

- Is an implied form of consent valid?

- First requirement: ABSENT. No overt act of consent from data subject.
- Second and third requirements: ABSENT. The entity used blanket statements in authorizing the related companies and
third-party service providers to use, process and share the personal data. (AO No. 2017-042)
- Is an implied form of consent valid?
How to secure express consent
- New subscribers: Sign form at the point of application
- Existing subscribers: Send them updated privacy policy and consent form.
What if subscriber did not reply?
Whether handwritten signatures are considered sensitive personal information.
NO. But they may be considered personal information when used to identify an individual. (AO No. 2017-063)
Whether username, password, IP and MAC address, location cookies and birthday (month and day only) are considered personal
information.
YES, but only when they are combined with other pieces of information that may allow an individual to be distinguished from others
. (AO No. 2017-063)
But per se, are they considered personal information?
Unauthorized Processing Of Personal Information And Sensitive Personal Information
• Imprisonment from 1 to 3 years • Fine from ₱500,000.00 to ₱2,000,000.00 • Imposed on persons who: o Process personal
information o Without the consent of the data subject or without being authorized under the Data Privacy Act or any other law.
Unauthorized Processing Of Personal Information And Sensitive Personal Information
• Imprisonment from 3 to 6 years • Fine from ₱500,000.00 to ₱4,000,000.00 • Imposed on persons who: o Process sensitive
personal information o Without the consent of the data subject or without being authorized under the Data Privacy Act or any other
law.
Accessing Personal Information And Sensitive Personal Information Due To Negligence
• Imprisonment from 1 to 3 years • Fine from ₱500,000.00 to ₱2,000,000.00 • Imposed on persons who: o Provided access to
personal information o Providing access due to negligence o Access was unauthorized under the Data Privacy Act or any existing law
Accessing Personal Information And Sensitive Personal Information Due To Negligence
• Imprisonment from 3 to 6 years • Fine from ₱500,000.00 to ₱4,000,000.00
• Imposed on persons who: o Provided access to sensitive personal information o Providing access due to negligence o Access was
unauthorized under the Data Privacy Act or any existing law
 COMPUTER AND DATA PRIVACY Page 6 of 7

Improper Disposal Of Personal Information And Sensitive Personal Information

• Imprisonment from 6 months to 2 years • Fine from ₱100,000.00 to ₱500,000.00 • Imposed on persons who: o Negligently
dispose, discard or abandon the personal information of an individual o In an area accessible to the public o Placed the personal
information of an individual in a container for trash collection
Improper Disposal Of Personal Information And Sensitive Personal Information
• Imprisonment from 1 to 3 years • Fine from ₱100,000.00 to ₱1,000,000.00 • Imposed on persons who: o Negligently dispose,
discard or abandon the sensitive personal information of an individual o In an area accessible to the public o Placed the personal
information of an individual in a container for trash collection
Processing Of Personal Information And Sensitive Personal Information For Unauthorized Purposes
• Imprisonment from 1 year and 6 months to 5 years • Fine from ₱500,000.00 to ₱1,000,000.00 • Imposed on persons who: o
Process personal information o For purposes not authorized by the data subject or not otherwise authorized by the Data Privacy Act
or under existing laws
Processing Of Personal Information And Sensitive Personal Information For Unauthorized Purposes
• Imprisonment from 2 to 7 years • Fine from ₱500,000.00 to ₱2,000,000.00 • Imposed on persons who: o Process sensitive
personal information o For purposes not authorized by the data subject or not otherwise authorized by the Data Privacy Act or
under existing laws
Unauthorized Access Or Intentional Breach
• Imprisonment from 1 to 3 years • Fine from ₱500,000.00 to ₱2,000,000.00 • Imposed on persons who: o Knowingly and unlawfully
violate data confidentiality and security data systems o Where personal and sensitive personal information is stored
Concealment Of Security Breaches Involving Sensitive Personal Information
• Imprisonment from 1 year and 6 months to 5 years • Fine from ₱500,000.00 to ₱1,000,000.00 • Imposed on persons who: o After
having knowledge of a security breach and of the obligation to notify the National Privacy Commission o Either intentionally or by
omission conceals the fact of such breach
Malicious Disclosure
• Imprisonment from 1 year and 6 months to 5 years • Fine from ₱500,000.00 to ₱1,000,000.00 • Imposed on a PIC or PIP, or any of
its employees or its agents who: o Discloses to a third party unwarranted or false information o In malice or in bad faith o Relative to
any personal information or sensitive personal information obtained by such PIC or PIP
Unauthorized Disclosure Of Personal Information
• Imprisonment from 1 to 3 years • Fine from ₱500,000.00 to ₱1,000,000.00 • Imposed on a PIC or PIP, or any of its employees or its
agents who: o Discloses to a third party o Personal information not covered by Malicious Disclosure obtained by such PIC or PIP o
Without the consent of the data subject
Unauthorized Disclosure Of Sensitive Personal Information
• Imprisonment from 3 to 5 years • Fine from ₱500,000.00 to ₱2,000,000.00 • Imposed on a PIC or PIP, or any of its employees or its
agents who: o Discloses to a third party o Sensitive personal information not covered by Malicious Disclosure obtained by such PIC
or PIP o Without the consent of the data subject
Extent Of Liability
• Penalty imposed upon responsible officers who participated in, or who by their gross negligence, allowed the commission of the
crime. • Aliens may be deported • Juridical persons may have licenses revoked • Public officers shall have perpetual or temporary
absolute disqualification from office.
Republic Act No. 11055 Philippine Identification System Act
PURPOSE
To establish a single national identification system referred to as the “Philippine Identification System” or the “PhilSys” for all
citizens and residents of the Philippines To provide a valid proof of identity for them as a means of simplifying public and private
transactions.
Relevant Provisions
• The management, maintenance, and administration of the PhilSys shall carried out by the Philippine Statistics Authority. • Each
citizen and resident alien is required to have a PhilID. • The initial application and issuance, as well as renewal of the PhilID is free of
charge for Filipino citizens; however, reissuance or replacement has a standard fee
 COMPUTER AND DATA PRIVACY Page 7 of 7
Data To Be Included
• Required: Full name, sex, date and place of birth, blood type, address, biometric information, and if he or she is a Filipino citizen or
a resident alien.
• Optional: Marital status, mobile number, and e-mail address
Privacy Concerns
• The government would have access to all the transactions entered into by the individual using the PhilID.
• The possibility that such data collected may be used for purposes other than the law’s purpose of identity verification
HAVE WE LEARNED? OR STILL LEARNING?
ONLINE PRIVACY
Right To Informational Privacy
- Right of individuals to control information about themselves.
- Having an expectation of informational privacy is not necessarily incompatible with engaging in cyberspace activities.
VIVARES V. ST. THERESA’S COLLEGE (2014)

BELO V. GUEVARRA (2016)

• Disbarment case against Atty. Guevarra who wrote a series of posts on his Facebook account insulting and verbally abusing Vicki
Belo.
Source: Belomed.com
“Dr. Vicki Belo, watch out for Josefina Norcio's Big Bang on Friday - You will go down in Medical History as a QUACK DOCTOR!!!!
QUACK QUACK QUACK QUACK. CNN, FOX NEWS, BLOOMBERG, CHICAGO TRIBUNE, L.A. TIMES c/o my partner in the U.S., Atty. Trixie
Cruz-Angeles :)”
• Guevarra's defense: His right to privacy was violated as those were “private remarks” on his “private account.” His posts were
viewable by his “Friends Only.”
• HELD: Guevarra did not manifest his intention to keep the post private by utilizing Facebook’s privacy tools to prevent or limit its
accessibility.

Taken from;
SEMINAR ON COMPUTER AND DATA PRIVACY by Atty. Marco Polo E. Cunanan Public Attorney II, PAO San Fernando (P)
District Lecturer, Tarlac State University School of Law