The National Privacy Commission (NPC) has issued a circular providing the procedure for the registration of Data Processing Systems of Personal Information Controllers (PICs) and Personal Information Processors (PIPs).
The NPC requires organizations that have at least 250 employees or those that process records involving sensitive personal information of 1000 or more individuals to register their data processing systems with the commission, beginning with the registration of their designated Data Protection Officers (Phase I Registration) on or before September 9, 2017.
In addition, the agency has identified critical industry sectors are required to register even if they do not meet the preceding criteria.
The industry sectors are considered involved in the processing of personal data that is likely to pose a risk to the rights and freedoms of data subjects, or where the processing is not occasional.
The sectors identified were the following;
1. Government branches, bodies or entities, including national government agencies, bureaus or offices, constitutional commissions, local government units, and government-owned and controlled corporations (GOCCs).
2. Banks and non-bank financial institutions, including pawnshops, non-stock savings and loan associations (NSSLAS)
3. Telecommunications networks, internet service providers and other entities or organizations providing similar services
4. Business process outsourcing companies
5. Universities, colleges and other institutions of higher learning, all other schools and training institutions
6. Hospitals including primary care facilities, multi-specialty clinics, custodial care facilities, diagnostic or therapeutic facilities, specialized out-patient facilities and other organizations processing genetic data.
7. Providers of insurance undertakings, including life and non-life companies, pre-need companies and insurance brokers
8. Business involved mainly in direct marketing, networking, and companies providing reward cards and loyalty programs
9. Pharmaceutical companies engaged in research
10. Personal information processors (PIPs) processing personal data for a personal information controller (PIC) included in the preceding items, and data processing systems involving automated decision-making
Personal Information Controllers (PICs) refer to a natural or juridical person, or any other body who controls the processing of personal data, or instructs another to process personal data on its behalf.
On the other hand, sensitive personal information (SPI) refers to information about an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations; information about an individual’s health, education, genetic or sexual life of a person, as well as legal proceedings involving the individual. SPI also includes government issued identifiers and records.
The new NPC circular 17-01 provides guidelines for the registration of data processing systems as well as notification requirements regarding automated decision-making.
The registration and notifications for these data processing systems (Phase II Registration) can be done on-line via the NPC?s registration portal beginning January 2018 until March 8, 2018.
According to NPC chief Raymund Liboro: “In the information age, automated decision making through profiling can have an adverse impact on data subjects, this is the reason we have obligated registration — people should be informed of their rights as data subjects.”
“We have made the process of registration as easy as possible for personal information controllers and processors, all the information, registration forms and tools they need to comply with the Data Privacy Act of 2012 are available on our website,” Liboro added.