/ BLOG

Data Privacy Act: Offshore and Outsourcing Confidence in Security

The Offshoring outsourcing industry is one of the biggest contributors to the Philippine economy also has a considerable amount of information interchange. Keeping that in mind, data breaches and information theft is also a risk that the industry fends off every day. With that in mind, the government of the Philippines is implementing the Data Privacy Act of 2012 or the Republic Act 10173 that aims to protect data exchange in any manner. 

What is the Data Privacy Act of 2012 for and how does the offshoring industry?

AN ACT PROTECTING INDIVIDUAL PERSONAL INFORMATION IN INFORMATION AND COMMUNICATIONS SYSTEMS IN THE GOVERNMENT AND THE PRIVATE SECTOR, CREATING FOR THIS PURPOSE A NATIONAL PRIVACY COMMISSION, AND FOR OTHER PURPOSES” 

(1)Further elaborating that the policy aims to protect all manners of communication as a human right and ensuring free-flowing information exchange to promote innovation and growth. It also expounds that the state indeed recognizes the vitality of information and communications technology and ensure all communication systems in the government and private sector are secured and protected.

With the Act in place and the National Privacy Commission overseeing the implementation of it, the Philippine outsourcing partners, particularly in the Insurance sectors, can rest a little bit easier. (1)Under the Act, offshoring outsourcing industry falls in Section 6 of the policy in which:

SEC. 6. Extraterritorial Application. – This Act applies to an act done or practice engaged in and outside of the Philippines by an entity if:

(a) The act, practice or processing relates to personal information about a Philippine citizen or a resident;

(b) The entity has a link with the Philippines, and the entity is processing personal information in the Philippines or even if the processing is outside the Philippines as long as it is about Philippine citizens or residents such as, but not limited to, the following:

(1) A contract is entered in the Philippines;

(2) A juridical entity unincorporated in the Philippines but has central management and control in the country; and

(3) An entity that has a branch, agency, office or subsidiary in the Philippines and the parent or affiliate of the Philippine entity has access to personal information; and

(c) The entity has other links in the Philippines such as, but not limited to:

(1) The entity carries on business in the Philippines; and

(2) The personal information was collected or held by an entity in the Philippines.

Thus, the law requires any business that uses data processing on any scale to register with the NPC to ensure that the said establishment is in compliance with the Republic act. According to the 

(2)July 31, 2017, NPC Circular-17-01-registration entitled: REGISTRATION OF DATA PROCESSING SYSTEMS AND NOTIFICATIONS REGARDING AUTOMATED DECISION-MAKING, 

This section expands on all the eligible registrations for all sectors concerning data processing in accordance with the kind of information covered. It also puts emphasis on how and when to register.  

 Regarding the compliance with the current DPA, Jam Jacob of the National Privacy Commission states that:

(3)I think it has lost its place in the ideal regulatory framework for data protection. The EU, which arguably has the most mature data protection regime today, did not retain this requirement when it updated its legal regime this 2016, with the enactment of the GDPR. That ought to say a lot.

Jam Jacob

At best, it provides a data protection authority with a baseline upon which it can begin its assessment or investigation of a particular company. If the registry is accessible to the public, the system also lends itself to the transparency principle espoused by data protection laws. With that, given the effort a company will have to expend to meet its obligations under a system like this, I just don’t see a fair tradeoff.

Jam Jacob

With this Data Privacy Law in place and the NPC closely monitoring its implementation, it is safe to say that outsourcing in the Philippines is just as safe as outsourcing in other countries. Aside from other reasons, cybersecurity does not start and end in just updating your firewall but also in compliance from the government-mandated policies. Policies that aims to not just secure information and data exchange but also makes sure that your offshore partner takes responsibility from any form of data breach. 

Working with a DPA compliant company such as Virtual Colony, you can rest easy knowing that all information and data that is under the provisions and premises of the DPA, is under secure monitoring. That any data exchange is carefully done as to prevent information leaks as much as possible. 

*Sources

  1. https://www.privacy.gov.ph/data-privacy-act/
  2. https://www.privacy.gov.ph/npc-circular-17-01-registration-data-processing-notifications-regarding-automated-decision-making/
  3. http://ateneo.edu/udpo/article/Data-privacy-101-What-businesses-should-know-about-systems-registration