Seminar on registering with the National Privacy Commission
Last week, I attended a primer on compliance with the Data Privacy Act. The organizers joined representatives from the National Privacy Commission in giving presentations and answering questions from the attendees. Here’s a quick run-down of my notes:
The introduction to the DPA included a discussion on the actors under the DPA. I thought this was a useful approach since the law was presented in a manner that is simple and a bit easier to understand.
One lawyer presented the exceptions to the consent requirement as “not covered by the DPA”. I thought this was confusing because the exception was only with respect to the consent of the data subject on the processing and not the rest of the DPA. The DPA also has portions on the data protection. These provisions apply regardless of whether consent on the processing was obtained from the data subject.
One of the attendees brought up the issue of data retention, noting that neither the law nor the rules prescribe a definite period for data retention. The resource person said that the personal information controller may consider basing the retention period on the Civil Code and Labor Code provisions on the prescription of claims.
An important point: knowledge by the personal information processor of the data breach or security incident will also be considered as knowledge of the PIC thereof. Thus, the 72-hours reporting period will start to be counted from the time the PIP learns of the breach/security incident. This makes it all the more important for companies to have clear reporting mechanisms with vendors and service providers.
A number of questions centered on the qualifications of the person to be appointed as a data protection officer. The NPC said that it would not recommend a person holding a position with inherent conflict of interest as the data protection officer. Pressed for more clarity, the NPC said that they could recommend that a company change its DPO if they see an inherent conflict of interest in the position. This comment resulted in even more questions, with some attendees challenging the NPC’s right to do so. Some attendees emphasized that small companies would not have the capacity to hire a person who would exclusively perform DPO functions. Further confusing matters, the NPC stated that there will be no sanctions imposed even if the company does not follow the NPC’s recommendation on the DPO. It is important to note here that the law and the rules merely require companies to appoint a DPO. There is no requirement (as far as I can remember) for a company to submit a form or report to the NPC on the DPO’s designation. Thus, I fail to see when the opportunity for NPC to “recommend” a DPO would arise.
According to the NPC, there is no citizenship or residence requirement for the DPO. This means that a company may appoint as DPO someone who is not located in the Philippines. The NPC however underscored that the designated DPO should be able to perform his/her functions even if he/she is based outside the country.
The NPC has no DPO certification process at the moment. However, the companies must ensure that the DPO appointed has adequate training to guide the company in its compliance efforts. What’s interesting to note is that the NPC said that a DPO certification process may be put in place 2-3 years down the line.
I asked a question on the development of data processing system by iteration. Will companies be required to re-register the data processing system gets new functions or features? According to the NPC, the online registration platform for the data processing systems will allow companies to amend their registration to reflect new functions or features added. Thus, there will be no need to re-do the registration.
One attendee asked for clarification on the requirement to disclose if personal information will be transferred out of the country. According to the NPC, companies will not be required to specify the exact location of servers abroad. An indication of which country the servers are located would be enough.