

The following terms shall have the respective meanings as provided for under the Data Privacy Act, its IRR, and as used by the National Privacy Commission.
Acceptable Use Policy shall refer to a document or set of rules stipulating controls or restrictions that agency personnel must agree to for access to their agency’s network, facilities, equipment, or services.
Accessing Personal Information and Sensitive Personal Information Due to Negligence. – a punishable act against persons who, due to negligence, provided access to personal information without being authorized under this Act or any existing law.
Act – refers to Republic Act No. 10173, also known as the Data Privacy Act of 2012
Advisory Opinion – refers to a determination of the NPC on matters relating to data privacy or data protection, at the request of any party, or on a complaint endorsed by the Complaints and Investigations Division (CID) under Sections 4 and 10 of Rule II of NPC Circular No. 2016-04.
It shall be based only on the facts and circumstances provided by the requesting party, taking into account applicable laws and regulations. It shall serve to provide guidance to the requesting party and the general public, but shall not be used in the nature of a standing rule binding on the NPC when evaluating other cases regardless of the similarity of the facts and circumstances.
An advisory opinion shall neither adjudicate issues between parties nor impose any sanctions or award damages. It may be referred to the CID for evaluation, investigation and appropriate action, as may be necessary.
Agency Personnel refers to all officials, officers, employees or consultants of a government agency, including those covered by job orders or contracts of services
Automated Decision-making refers to a wholly or partially automated processing operation that serves as the sole basis for making decisions that would significantly affect a data subject. It includes the process of profiling based on an individual’s economic situation, political or religious beliefs, behavioral or marketing activities, electronic communication data, location data, and financial data, among others.
Breach Investigation – shall refer to an investigation conducted by the NPC with respect to a data breach notification triggered by the applicable rules promulgated by the Commission.
“Cease and Desist Order” or “CDO” refers to a type of injunction that requires a natural or juridical person to stop its complained act of processing personal information or the conduct of any act or practice in violation of the Data Privacy Act of 2012 (DPA).
Certificate of No Significant Findings – refers to an issuance of the Commission to a Personal Information Controller or Personal Information Processor which serves as a certification that it has undergone a Compliance Check and there were no notable findings requiring further action from the Commission.
The Certificate also refers to an issuance which certifies that an entity has undergone a Compliance Check with findings of substantial deficiencies, and has implemented remediation measures as ordered by the Commission.
“Closed-Circuit Television” or “CCTV” refers to closed-circuit television or camera surveillance system in a fixed or stationary location that can capture images of individuals or other information relating to individuals.
Complaint Proceedings – proceedings before the Complaints and Investigation Division commenced sua sponte or by the filing of a sworn affidavit or verified complaint, including investigations, except those arising from breach notifications.
Commission – it refers to the National Privacy Commission
Compliance Check – refers to the systematic and impartial evaluation of a PIC or PIP, in whole or any part, process or aspect thereof, to determine whether activities that involve the processing of personal data are carried out in accordance with the standards mandated by the Data Privacy Act and other issuances of the Commission. It is an examination, which includes Privacy Sweeps, Documents Submissions and On-Site Visits, intended to determine whether a PIC or PIP is able to demonstrate organizational commitment, program controls and review mechanisms intended to assure privacy and personal data protection in data processing systems.
“Compliance Officer for Privacy” or “COP” refers to an individual that performs some of the functions of a DPO, as provided in NPC Advisory No. 17-01.
Compliance Order – refers to an issuance of the Commission to a PIC or PIP directing it to perform actions, institute measures or any other prescriptions of the Commission in relation to the Compliance Check conducted.
Concealment of Security Breaches Involving Sensitive Personal Information. – a punishable act against persons who, after having knowledge of a security breach and of the obligation to notify the Commission, intentionally or by omission conceals the fact of such security breach.
Conflict of Interest refers to a scenario wherein a DPO is charged with performing tasks, duties, and responsibilities that may be opposed to or could affect his performance as DPO. This includes, inter alia, holding a position within the PIC or PIP that leads him to determine the purposes and the means of the processing of personal data.
Consent of the data subject – any freely given, specific, informed indication of will, whereby the data subject agrees to the collection and processing of personal information about and/or relating to him or her. Consent shall be evidenced by written, electronic or recorded means. It may also be given on behalf of the data subject by an agent specifically authorized by the data subject to do so.
Control Framework for Data Protection – a comprehensive enumeration of the measures intended to address the risks, including organizational, physical and technical measures to maintain the availability, integrity and confidentiality of personal data and to protect the personal data against natural dangers such as accidental loss or destruction, and human dangers such as unlawful access, fraudulent misuse, unlawful destruction, alteration and contamination. The contents of a control framework shall take into account, among others, the following:
- nature of the personal data to be protected;
- risks represented by the processing, the size of the organization and complexity of its operations;
- current data privacy best practices; and
- cost of security implementation.
For agencies that process the personal data records of more than one thousand (1,000) individuals, including agency personnel, the Commission recommends the use of the ISO/IEC 27002 control set as the minimum standard to assess any gaps in the agency’s control framework.
Core Activity refers to a key operation or process carried out by a PIC or PIP to achieve its mandate or function: Provided, that processing of personal data forms an integral and necessary part of such operations or processes
Data Center refers to a centralized repository, which may be physical or virtual, may be analog or digital, used for the storage, management, and dissemination of data including personal data
Data processing systems refers to the structure and procedure by which personal data is collected and further processed in an information and communications system or relevant filing system, including the purpose and intended output of the processing
Data Protection Officer refers to an individual designated by the head of agency, or the head of a private entity, to be accountable for the agency’s or entity’s compliance with the Act, its IRR, and other issuances of the Commission: Provided, that the individual must be an organic employee of the government agency or private entity: Provided further, that a government agency or private entity may have more than one data protection officer.
Data sharing is the disclosure or transfer to a third party of personal data under the custody of a personal information controller or personal information processor. In the case of the latter, such disclosure or transfer must have been upon the instructions of the personal information controller concerned. The term excludes outsourcing, or the disclosure or transfer of personal data by a personal information controller to a personal information processor.
Data Sharing Agreement refers to a contract, joint issuance, or any similar document that contains the terms and conditions of a data sharing arrangement between two or more parties: Provided, that only personal information controllers shall be made parties to a data sharing agreement
Data subject refers to an individual whose personal, sensitive personal, or privileged information is processed.
Direct marketing refers to communication by whatever means of any advertising or marketing material which is directed to particular individuals.
Discovery Conference – a meeting pursuant to an Order to Confer for Discovery issued by the investigating officer during complaint proceedings.
Encryption Method refers to the technique that renders data or information unreadable, ensures that it is not altered in transit, and verifies the identity of its sender.
Filing system refers to any set of information relating to natural or juridical persons to the extent that, although the information is not processed by equipment operating automatically in response to instructions given for that purpose, the set is structured, either by reference to individuals or by reference to criteria relating to individuals, in such a way that specific information relating to a particular person is readily accessible.
General Data Privacy Principles refer to the principles of transparency, legitimate purpose and proportionality.
Government Agency refers to a government branch or body or entity, including national government agencies, bureaus, or offices, constitutional commissions, local government units, government-owned and controlled corporations, government financial institutions, state colleges and universities.
Head of Agency refers to: (1) the head of the government entity or body, for national government agencies, constitutional commissions or offices, or branches of the government; (2) the governing board or its duly authorized official for government owned and controlled corporations, government financial institutions, and state colleges and universities; (3) the local chief executive, for local government units
Head of a private entity refers to the head or decision-making body of a private entity.
Implementing Rules and Regulations or IRR shall pertain to Implementing Rules and Regulations of Republic Act No. 10173, otherwise known as the Data Privacy Act of 2012
Improper Disposal of Personal Information and Sensitive Personal Information. – a punishable act against persons who knowingly or negligently dispose, discard or abandon the personal information of an individual in an area accessible to the public or has otherwise placed the personal information of an individual in its container for trash collection.
Information and Communications System refers to a system for generating, sending, receiving, storing or otherwise processing electronic data messages or electronic documents and includes the computer system or other similar device by or which data is recorded, transmitted or stored and any procedure related to the recording, transmission or storage of electronic data, electronic message, or electronic document.
Legitimate purpose – this privacy principle provides that the processing of information shall be compatible with a declared and specified purpose which must not be contrary to law, morals, or public policy.
Malicious Disclosure. – a punishable act against any personal information controller or personal information processor or any of its officials, employees or agents, who, with malice or in bad faith, discloses unwarranted or false information relative to any personal information or personal sensitive information obtained by him or her.
Masking refers to concealing parts of the video or still imagery from view, which may include masking certain body parts or inanimate objects that could potentially disclose the identity of an individual. The common types of masking include solid color masked areas, where no details or movement in the scene covered by the masked area can be viewed, and blurred masking or pixelated masking, where the resulting images enable a partial outline to be seen but with detailed features obscured.
Mediation – refers to the voluntary process in which a mediation officer facilitates communication and negotiation, and assists the parties in reaching a voluntary agreement regarding a dispute.
Middleware refers to any software or program that facilitates the exchange of data between two applications or programs that are either within the same environment, or are located in different hardware or network environments.
Notice of Deficiencies – refers to a document issued by the Commission indicating the deficiencies of a PIC or PIP found to be non-compliant upon the conduct of a Compliance Check, taking into consideration the provisions of the DPA, its IRR, and the relevant issuances and orders of the NPC.
Personal data refers to all types of personal information. It includes those pertaining to agency personnel.
Personal data breach refers to a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed
Personal information refers to any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.
Personal information controller refers to a person or organization who controls the collection, holding, processing or use of personal information, including a person or organization who instructs another person or organization to collect, hold, process, use, transfer or disclose personal information on his or her behalf. The term excludes:
(1) A person or organization who performs such functions as instructed by another person or organization; and
(2) An individual who collects, holds, processes or uses personal information in connection with the individual’s personal, family or household affairs.
There is control if the natural or juridical person or any other body decides on what information is collected, or the purpose or extent of its processing
Personal information processor refers to any natural or juridical person qualified to act as such under this Act to whom a personal information controller may outsource the processing of personal data pertaining to a data subject.
Principle of Accountability. – Each personal information controller is responsible for personal information under its control or custody, including information that have been transferred to a third party for processing, whether domestically or internationally, subject to cross-border arrangement and cooperation.
(a) The personal information controller is accountable for complying with the requirements of this Act and shall use contractual or other reasonable means to provide a comparable level of protection while the information are being processed by a third party.
(b) The personal information controller shall designate an individual or individuals who are accountable for the organization’s compliance with this Act. The identity of the individual(s) so designated shall be made known to any data subject upon request.
Privacy – the right to be let alone – the most comprehensive of rights and the right most valued by civilized men.
Privacy by Design is an approach to the development and implementation of projects, programs, and processes that integrates into the latter’s design or structure safeguards that are necessary to protect and promote privacy, such as appropriate organizational, technical, and policy measures
Privacy Compliance Questionnaire is a document containing a series of questions formulated by the Commission to be answered by the PIC or PIP to contextualize documents and policies that the Commission requires to be submitted.
Private entity refers to any natural or juridical person that is not a unit of the government including, but not limited to, a corporation, partnership, company, non-profit organization or any other legal entity.
Privacy Impact Assessment is a process undertaken and used to evaluate and manage impacts on privacy of a particular program, project, process, measure, system or technology product of a PIC or PIP. It takes into account the nature of the personal data to be protected, the personal data flow, the risks to privacy and security posed by the processing, current data privacy best practices, the cost of security implementation, and, where applicable, the size of the organization, its resources, and the complexity of its operations
Privacy Management Program refers to a process intended to embed privacy and data protection in the strategic framework and daily operations of a personal information controller or personal information processor, maintained through organizational commitment and oversight of coordinated projects and activities.
Privacy notice – is an embodiment of the observance or demonstration of the data privacy principle of transparency and upholding the right to information of data subjects. It is a statement made to data subjects that describes how the organization collects, uses, retains, and discloses personal information.
A privacy notice is not equivalent to consent. While consent may not be required in certain instances when it is not relied on as basis for processing personal data, a privacy notice is required at all times in order for data subjects to be informed of the processing of their personal data and their rights as data subjects.
Privacy Sweep – a review of a PIC’s or PIP’s compliance with respect to its obligation under the DPA, and its related issuances based on publicly available or accessible information, such as, but not limited to, websites, mobile applications, raffle coupons, brochures, and privacy notices. This is the initial mode of Compliance Check.
Privileged information refers to any and all forms of data which under the Rules of Court and other pertinent laws constitute privileged communication.
Processing refers to any operation or any set of operations performed upon personal information including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data. Processing may be performed through automated means, or manual processing, if the personal data are contained or are intended to be contained in a filing system
Processing of Personal Information and Sensitive Personal Information for Unauthorized Purposes. – a punishable act against persons processing personal information for purposes not authorized by the data subject, or otherwise authorized under this Act or under existing laws.
Profiling refers to any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.
Proportionality – this privacy principle provides that the processing of information shall be adequate, relevant, suitable, necessary, and not excessive in relation to a declared and specified purpose. Personal data shall be processed only if the purpose of the processing could not reasonably be fulfilled by other means.
Public authority refers to any government entity created by the Constitution or law, and vested with law enforcement or regulatory authority and functions
Public space refers to a space that is generally open and accessible to the public, such as highways, streets, footbridges, overpass/underpass, parks, plazas, sidewalks, and other similar spaces
Right to be Informed — The data subject has the right to be informed whether personal data pertaining to him or her shall be, are being, or have been processed, including the existence of automated decision-making and profiling.
Right to Damages. — The data subjects have the right to be indemnified for any damages sustained due to inaccurate, incomplete, outdated, false, unlawfully obtained, or unauthorized use of their personal data, taking into account any violation of his or her rights and freedoms as data subject.
Right to Data Portability – the right of the data subject, where personal information is processed by electronic means and in a structured and commonly used format, to obtain from the personal information controller a copy of data undergoing processing in an electronic or structured format, which is commonly used and allows for further use by the data subject. The Commission may specify the electronic format referred to above, as well as the technical standards, modalities and procedures for their transfer.
Right to Erasure or Blocking. — A data subject has the right to request for the suspension, withdrawal, blocking, removal, or destruction of his or her personal data from the PIC’s filing system, in both live and back-up systems.
Right to Object. — The data subject shall have the right to object to the processing of his or her personal data where such processing is based on consent or legitimate interest.
Right to Rectification. — The data subject has the right to dispute the inaccuracy or error in his or her personal data and have the PIC correct the same within a reasonable period of time.
Risk refers to the potential of an incident to result in harm or danger to a data subject or organization
Risk Rating refers to a function of the probability and impact of an event
Security incident is an event or occurrence that affects or tends to affect data protection, or may compromise the availability, integrity and confidentiality of personal data. It includes incidents that would result in a personal data breach, if not for safeguards that have been put in place.
Security Incident Management Policy refers to policies and procedures implemented by a personal information controller or personal information processor to govern the actions to be taken in case of a security incident or personal data breach
Semi-public space refers to a space that, even if privately owned, is accessible to the public during operating hours. This includes banks, educational institutions, hospitals, malls, offices, restaurants, transport stations, shops, and other similar establishments.
Sensitive personal information refers to personal information:
(1) About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;
(2) About an individual’s health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings;
(3) Issued by government agencies peculiar to an individual which includes, but not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns; and
(4) Specifically established by an executive order or an act of Congress to be kept classified.
Sua Sponte Investigation shall refer to an investigation initiated by the NPC itself for possible violation of the DPA by one or more entities.
Subcontracting refers to the outsourcing, assignment, or delegation of the processing of personal data by a personal information controller to a personal information processor. In this arrangement, the personal information controller retains control over the processing.
Subcontracting Agreement refers to a contract, agreement, or any similar document which sets out the obligations, responsibilities, and liabilities of the parties to a subcontracting arrangement. It shall contain mandatory stipulations prescribed by the IRR.
System Management Tool is a software system that facilitates the administration of user passwords and access rights.
Transparency – this privacy principle provides that the data subject must be aware of the nature, purpose, and extent of the processing of his or her personal data, including the risks and safeguards involved, the identity of personal information controller, his or her rights as a data subject, and how these can be exercised. Any information and communication relating to the processing of personal data should be easy to access and understand, using clear and plain language.
Threat refers to a potential cause of an unwanted incident, which may result in harm or danger to a data subject, system, or organization
Unauthorized Access or Intentional Breach. – a punishable act against persons who knowingly and unlawfully, or violating data confidentiality and security data systems, breaks in any way into any system where personal and sensitive personal information is stored.
Unauthorized Disclosure. – a punishable act against any personal information controller or personal information processor or any of its officials, employees or agents, who discloses to a third party personal information without the consent of the data subject.
Unauthorized Processing of Personal Information and Sensitive Personal Information. – a punishable act against persons who process personal information without the consent of the data subject, or without being authorized under this Act or any existing law.
Vulnerability refers to a weakness of a data processing system that makes it susceptible to threats and other attacks.