(As originally published in THE BAR, The Official Newsletter of the Integrated Bar of the Philippines, Vol. 15 Issue 1)
The Data Privacy Act of 2012 requires registration for entities (public and private) that collect or process personal information, that is, information from which the identity of the person giving it (the data subject) is apparent or can reasonably and directly be ascertained.
Is registration mandatory or voluntary?
The National Privacy Commission requires mandatory registration for the following:
1. Any public or private entity with at least 250 employees;
2. Any public or private entity which processes the sensitive personal information of at least 1000 individuals;
3. Any public or private entity whose processing is likely to pose a risk to the rights of the data subject, including:
a. Information likely to affect national security, public safety, public order, or public health;
b. Information required by applicable law or rule to be confidential;
c. Vulnerable data subjects (minors, elderly, patients, mentally ill, those involving criminal offenses, or in any other case where there is an imbalance between the data subject and Personal Information Controller [PIC] or Personal Information Processor [PIP]);
d. Automated decision-making; or
4. When the processing of personal data is not occasional, i.e. it is not merely incidental to the mandate or function of the PIC or PIP.
In addition, as of 31 July 2017, the NPC requires mandatory registration for the following sectors, industries or entities:
a. Government agencies; local government units; government owned and controlled corporations;
b. Banks and non-bank financial institutions, including pawnshops and non-stock savings and loan associations (NSSLAs);
c. Telecommunications networks, internet service providers, and other entities providing similar services;
d. Business process outsourcing companies;
e. All educational and training institutions;
f. Hospitals, including primary care facilities, multi-specialty clinics, diagnostic or therapeutic or specialized out-patient facilities and other entities processing genetic data;
g. Insurance companies, including life and non-life, and pre-need companies, and insurance brokers;
h. Entities involved mainly in direct marketing, networking, and companies providing reward cards and loyalty programs;
i. Pharmaceutical companies engaged in research; and
j. PIPs processing personal data for a PIC included in the preceding items, and data processing systems involving automated decision-making.
Electric cooperatives are also compelled by the National Electrification Administration (NEA) to designate a DPO and register with the NPC.
If you are not covered by the mandatory registration requirements above, you may opt for voluntary registration. In case of voluntary registration, your data processing will be subject to the supervision of the NPC, and you will have to comply with its reportorial requirements.
How to register?
First, designate your DPO (Data Protection Officer) or COP (Compliance Officer for Privacy). Then register with the NPC, either online or through manual registration.
You may opt to register online with the NPC at this link: https://register.privacy.gov.ph/
We note, however, that the NPC's online registration page seems to be perennially down. Your alternative is to proceed with manual registration as described below.
The instructions for manual registration are available on the NPC's website at this link: https://privacy.gov.ph/manual_registration/, but we have reprinted the instructions below:
1. Download and accomplish the DPO registration form and have it signed by the Head of Agency and the DPO. The DPO registration form is available here: https://privacy.gov.ph/wp-content/files/atachments/RODPS_FormV24.pdf. A sample blank DPO registration form is also attached hereto for your reference.
2. Once signed, have it notarized, then submit to the NPC together with the following documents:
For private entities:
a. Duly notarized Secretary’s Certificate authorizing the appointment/designation of the DPO, or any other document evidencing the validity of the appointment/designation;
b. Certified true copy of any of the following documents, where applicable:
- Certificate of Registration (SEC Certificate, DTI Certificate, or DTI Certificate of Business Name or Sole Proprietorship) or any similar document; and/or
- Franchise, license to operate, or any similar document.
3. Personally deliver or send via registered mail the DPO registration form together with supporting documents to the NPC office at:
National Privacy Commission
3rd Level Core G. GSIS Headquarters, Financial Center, Pasig City, Metro Manila, Phils.
Compliance after Registration
The NPC will verify your registration. Once registered, you, through your DPO or COP, as the case may be, will need to ensure your organization's continuing compliance with the following requirements:
1. Appoint a Data Protection Officer;
2. Conduct a Privacy Impact Assessment to evaluate and manage the impact of the company’s program, process, and/or measure on data privacy;
3. Implement a Security Incident Management Policy;
4. Register personal data processing systems where such systems involve accessing or requiring sensitive personal information of at least one thousand individuals;
5. Notify the NPC of any automated processing operations;
6. Submit an annual report of the summary of documented security incidents and personal data breaches.