Photo from Unsplash | ZHENYU LUO

This article was originally published on June 1, 2022 and has been updated to reflect recent legal developments.

The following post does not create a lawyer-client relationship between Alburo Alburo and Associates Law Offices (or any of its lawyers) and the reader. It is still best for you to engage the services of a lawyer or you may directly contact and consult Alburo Alburo and Associates Law Offices to address your specific legal concerns, if there is any.

Also, the matters contained in the following were written in accordance with the law, rules, and jurisprudence prevailing at the time of writing and posting, and do not include any future developments on the subject matter under discussion.

AT A GLANCE:

In Zoleta v. Investigating Staff, Internal Affairs Board, Office of the Ombudsman, G.R. No. 258888, April 08, 2024, the Supreme Court stated that both sensitive personal information and privileged information has a special regime of protection in the Philippine privacy law. Sensitive personal information, as compared to a non-sensitive or a non-privileged information, is more highly protected by laws due to its vulnerable nature. These types of personal information are subject to more stringent requirements before such could be lawfully processed.

Many people believe that personal information cannot be collected, used, or recorded by another person or an entity without their consent. This, however, is a misconception. 

The Data Privacy Act of 2012, or Republic Act No. 10173  is designed to protect the personal information of individuals in information and communication systems in the government and the private sector, creating for this purpose a national privacy commission, and for other purposes. 

Under the Act, it is the policy of the state to protect the fundamental human right of privacy, of communication while ensuring free flow of information to promote innovation and growth. The State recognizes the vital role of information and communications technology in nation-building and its inherent obligation to ensure that personal information in information and communications systems in the government and in the private sector are secured and protected. (Section 2)

In our previous article, we discussed the general criteria for processing personal information. This time, we focus on more specific types of personal information, namely privileged information and sensitive personal information.

What is Privileged Information?

Under Section 3(k) of the Data Privacy Act of 2012, privileged information refers to any and all forms of data which under the Rules of Court and other pertinent laws constitute privileged communication. 

A common example is in the doctor-patient relationship, wherein a doctor cannot, without the consent of the patient, be examined regarding any advice or treatment given, or any information which the doctor may have acquired while attending the patient in professional capacity. This protects information that is necessary for the professional to act in their role and prevents disclosure of facts that could harm the patient’s reputation.

What is Sensitive Personal Information?

On the other hand, Section 3(l) of the Data Privacy Act, defines sensitive personal information, as referring to personal information:

1. About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;
2. About an individual’s health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings;
3. Issued by government agencies peculiar to an individual which includes, but not limited to, social security numbers, previous or cm-rent health records, licenses or its denials, suspension or revocation, and tax returns; and
4. Specifically established by an executive order or an act of Congress to be kept classified.

In Zoleta v. Investigating Staff, Internal Affairs Board, Office of the Ombudsman, G.R. No. 258888, April 08, 2024, the Supreme Court stated that both sensitive personal information and privileged information has a special regime of protection in the Philippine privacy law. Sensitive personal information, as compared to a non-sensitive or a non-privileged information, is more highly protected by laws due to its vulnerable nature. These types of personal information are subject to more stringent requirements before such could be lawfully processed.

Processing of Sensitive Personal Information and Privileged Information

Section 13 of the Data Privacy Act provides for that the processing of sensitive personal information and privileged information shall be prohibited, except in the following cases:

1. The data subject has given his or her consent, specific to the purpose prior to the processing, or in the case of privileged information, all parties to the exchange have given their consent prior to processing;
2. The processing of the same is provided for by existing laws and regulations: Provided, That such regulatory enactments guarantee the protection of the sensitive personal information and the privileged information: Provided, further, That the consent of the data subjects are not required by law or regulation permitting the processing of the sensitive personal information or the privileged information;
3. The processing is necessary to protect the life and health of the data subject or another person, and the data subject is not legally or physically able to express his or her consent prior to the processing;
4. The processing is necessary to achieve the lawful and noncommercial objectives of public organizations and their associations: Provided, That such processing is only confined and related to the bona fide members of these organizations or their associations: Provided, further, That the sensitive personal information are not transferred to third parties: Provided, finally, That consent of the data subject was obtained prior to processing;
5. The processing is necessary for purposes of medical treatment, is carried out by a medical practitioner or a medical treatment institution, and an adequate level of protection of personal information is ensured; or
6. The processing concerns such personal information as is necessary for the protection of lawful rights and interests of natural or legal persons in court proceedings, or the establishment, exercise or defense of legal claims, or when provided to government or public authority.

Penalties for Violations in cases of Sensitive Personal Information

1. Unauthorized Processing and Accessing due to negligence 

The unauthorized processing of personal sensitive information and accessing sensitive personal information due to negligence shall both be penalized by imprisonment ranging from three (3) years to six (6) years and a fine of not less than Five hundred thousand pesos (PhP500,000.00) but not more than Four million pesos (PhP4,000,000.00), as provided for under Section 25(b) and Section 26(b) of the Data Privacy Act of 2012. 

Under Section 25(b) the penalty for unauthorized processing of personal sensitive information shall be imposed on persons who process personal information without the consent of the data subject, or without being authorized under this Act or any existing law. 

While, Section 26(b) provides that in cases of accessing sensitive personal information due to negligence, the penalty shall be imposed on persons who, due to negligence, provided access to personal information without being authorized under this Act or any existing law.

2. Processing for Unauthorized Purposes

Section 28 (par. 2) states that the processing of sensitive personal information for unauthorized purposes shall be penalized by imprisonment ranging from two (2) years to seven (7) years and a fine of not less than Five hundred thousand pesos (PhP500,000.00) but not more than Two million pesos (PhP2,000,000.00) shall be imposed on persons processing sensitive personal information for purposes not authorized by the data subject, or otherwise authorized under this Act or under existing laws.

Related Articles:

• WHAT ARE THE CRITERIA FOR LAWFUL PROCESSING OF PERSONAL INFORMATION?
• GUIDELINES FOR THE PREVENTION OF PERSONAL DATA BREACH
• WHAT ARE THE DUTIES OF A PERSONAL INFORMATION CONTROLLER UNDER R.A. NO. 10173?

Click here to subscribe to our newsletter

Alburo Alburo and Associates Law Offices specializes in business law and labor law consulting. For inquiries regarding legal services, you may reach us at info@alburolaw.com, or dial us at (02)7745-4391/ 09175772207/ 09778050020.

All rights reserved.