The National Privacy Commission issued a circular providing the procedure for the registration of Data Processing Systems of Personal Information Controllers (PICs) and Personal Information Processors (PIPs) subject to the mandatory registration requirement under the Data Privacy Act and its Implementing Rules and Regulations.
IMAGE FROM PEXELS.COM
The NPC requires organizations that have at least 250 employees or those that process records involving sensitive personal information of 1000 or more individuals to register their data processing systems with the commission, beginning with the registration of their designated Data Protection Officers (Phase I Registration) on or before 9 September 2017.
In addition, the Privacy Commission identified critical industry sectors are required to register even if they do not meet the preceding criteria. The industry sectors are considered involved in the processing of personal data that is likely to pose a risk to the rights and freedoms of data subjects, or where the processing is not occasional.
The sectors identified were the following;
- Government branches, bodies or entities, including national government agencies, bureaus or offices, constitutional commissions, local government units, and government-owned and controlled corporations (GOCCs).
- Banks and non-bank financial institutions, including pawnshops, non-stock savings and loan associations (NSSLAS)
- Telecommunications networks, internet service providers and other entities or organizations providing similar services
- Business process outsourcing companies
- Universities, colleges and other institutions of higher learning, all other schools and training institutions
- Hospitals including primary care facilities, multi-specialty clinics, custodial care facilities, diagnostic or therapeutic facilities, specialized out-patient facilities and other organizations processing genetic data.
- Providers of insurance undertakings, including life and non-life companies, pre-need companies and insurance brokers
- Business involved mainly in direct marketing, networking, and companies providing reward cards and loyalty programs
- Pharmaceutical companies engaged in research
- Personal information processors (PIPs) processing personal data for a personal information controller (PIC) included in the preceding items, and data processing systems involving automated decision making
Personal Information Controllers (PICs) refer to a natural or juridical person, or any other body who controls the processing of personal data, or instructs another to process personal data on its behalf. On the other hand, sensitive personal information (SPI) refers to information about an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations; information about an individual’s health, education, genetic or sexual life of a person, as well as legal proceedings involving the individual. Sensitive Personal information also includes government issued identifiers and records.
The new NPC circular 17-01 provides guidelines for the registration of data processing systems as well as notification requirements regarding automated decision-making. The registration and notifications for these data processing systems (Phase II Registration) can be done on-line via the NPC’s registration portal beginning January 2018 until 8 March 2018.
According to Privacy Commissioner Raymund Enriquez Liboro: “In the information age, automated decision making through profiling can have an adverse impact on data subjects, this is the reason we have obligated registration–people should be informed of their rights as data subjects.”
For more information on the Data Privacy Act of 2012, visit www.privacy.gov.ph.