Compliance with the Data Privacy Act of 2012: The DPO

Business entities almost always deal with data, whether it is data that is generated internally (e.g., information about the company’s own personnel) or from outside sources (e.g., information gathered about its customers, clients, etc.). All these data are protected by the Data Privacy Act of 2012 and the company has the obligation under the law to implement such protection.

Each company that collects data is considered by the law as a Personal Information Controller and those within the company that process them as Personal Information Processors. The latter could be the accounting department, the human relations department, or any such department or personnel within the company that gathers the data and process them in anyway. The HR department would have, for example, the medical records of each employee which it uses or processes for the purpose of securing health and medical insurance for everyone. Necessarily, the HR department will be required to release such data to the prospective HMO provider and so it is important to note that from the moment of the collection of the data, the application of the law kicks in.

Thus, the first ever obligation of a business entity in relation to the DPA is to appoint a Data Protection Officer (DPO) who shall be accountable for the organization’s compliance with the DPA. This is required by Section 21 of the DPA (See also Circular 16-01 and Advisory 17-01 by the NPC). It is required that the appointment of a DPO be notarized and then filed with the National Privacy Commission, that the DPO’s contact details are easy to find, and that there is a commitment that the DPO undergo continuing education. There must also be evidence that the DPO’s recommendations are taken into consideration when the company makes decisions that affect data.

While there are many obligations that will have to be complied with by businesses who deal with data under the law, designating the DPO is the first essential step to compliance.