With almost everyone under lockdown all over the world, a lot of our daily activities are slowly but sure moving online – at least for those that can be done online, things ranging from shopping, food delivery, working, and consultations with professionals. This situation puts a lot of personal information stored in some server located god-knows-where or floating around in the cloud. Now, more than ever, it would be prudent for everyone to know their rights when it comes to their personal information.

Let us first define what personal information is. Republic Act No. 10173 or the Data Privacy Act defines three kinds of personal information. It is essential to know because each type of information has its specific protection under the law. 

First, we have the generic personal information which is defined as “any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.” (Sec. 3 (g), R.A. No. 10173). What this means is personal information is any information that can identify you are. So this can include a lot of things, including your name, address, employer, etc.

Next, we have sensitive personal information. It is defined as “personal information: (1) About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations; (2) About an individual’s health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings; (3) Issued by government agencies peculiar to an individual which includes, but not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns; and (4) Specifically established by an executive order or an act of Congress to be kept classified.” (Sec. 3 (l), R.A. No. 10173). This information includes data that you would not usually divulge to anyone in any casual conversation. Given its nature, it is subject to more stringent protection measures than generic personal information.

Finally, we have privileged information, which is information that “the Rules of Court and other pertinent laws constitute privileged communication.” (Sec. 3 (k), R.A. No. 10173) Some examples of this are information shared by a client to their lawyer, information share in an executive session of Congress, and the like.

With that out of the way, what now? What can you do to protect your personal information and your recourse if and when there’s a breach? The Data Privacy Act gives each of us quite a number of rights to be exercised to protect our personal information. There are eight rights provided to each of us. Here's a quick rundown and overview of each one, which in no way exhaustive.

1. The right to be informed (Sec. 16 (a) and (b), R.A. No. 10173 ). As the name suggests, this is a right to know of any information regarding your personal information. The right to know of your rights under the Data Privacy Act is foremost in the information you have to be informed of. Then any information whether a certain person or organization has any information about, or is collecting or about to collect any information about you, the purpose for such collection, how your information would be used or processed, who has access to your information, etc. Additionally, you have the right to know whether any of your personal information has been compromised and the measures taken by the person or organization to safeguard said information or to address the issue. Also, you have the right to be informed of the person who has custody of your personal information and with whom you are to coordinate to exercise any of your rights under the Data Privacy Law. It is based on this information would you give your consent. Such consent shall be limited only to the kind of information, the purpose, etc. that you are informed of. Anything beyond that is not consented to, and you can exercise other rights listed below.
2. The right to access (Sec. 16 (c), R.A. No. 10173). Now that you know that your personal information is in the custody of some person or organization, you can now exercise your right to reasonably access said information. Under the law you can demand access to the (a) contents of your personal information that was processed; (b) Sources from which your personal information were obtained; (c) Names and addresses of recipients of your personal information; (d) Manner by which your data were processed; (e) Reasons for the disclosure of your personal information to recipients; (f) Information on automated processes where your data will or likely to be made as the sole basis for any decision significantly affecting or will affect the data subject; (g) Date when your personal information concerning the data subject were last accessed and modified; and (h) The designation, or name or identity and address of the personal information controller;
3. The right to object (Sec. 16 (d), R.A. No. 10173). You already know that a person or organization has your personal information, and you were given access to your information. But you found that there was something wrong with the information and you want it corrected, then you are granted that exact right under the law. You can object or dispute any incorrect information and demand that the same be corrected. This, of course, given that you have consented to the collection and processing of your personal data.
4. The right to rectify (Sec. 11 (c), Sec. 16 (d) R.A. No. 10173). In connection with your right to object discussed above, you can demand that any inaccurate or incorrect information about you be corrected.
5. The right to erasure or blocking (Sec. 16 (e), R.A. No. 10173). You are also well within your rights to demand the “Suspen[sion], withdraw[al] or order the blocking, removal or destruction of [your] personal information from the personal information controller’s filing system upon discovery and substantial proof that the personal information are incomplete, outdated, false, unlawfully obtained, used for unauthorized purposes or are no longer necessary for the purposes for which they were collected.” This right gives you full control over your personal information even when such information is in the custody and/or being processed by another person or organization. Upon proof of the conditions listed above, then you can exercise your right to have your information erased or blocked by the personal information controller.
6. The right to damages (Sec. 16 (f), R.A. No. 10173). If you suffered any damage because of any of your personal information being inaccurate, incomplete, outdated, false, unlawfully obtained, or used without authorization.
7. The right to file a complaint (Sec. 16 (b) (8), R.A. No. 10173). When any of your rights as owner of your personal information is violated or exercise of such rights were denied you can go ahead and file a complaint with the Data Privacy Commission.
8. The right to data portability (Sec. 18, R.A. No. 10173). If your personal information has been “processed by electronic means in a structured and commonly used format,” you have the right to demand a copy of such personal information for your personal or further use.
9. Transmissibility of rights (Sec. 17, R.A. No. 10173). If you become incapacitated or unable to exercise any of your rights, or after your death, your heirs or assigns may invoke any of your rights in relation to your personal information.

As a final note, in essence, your personal data is your personal property. It cannot be taken from you or used in any way that you do not allow or consent to. Like any other property, say like your cellphone, you protect what is yours and prevent its unauthorized taking or use. Admittedly it is hard to wrap your head around the idea that something that cannot be seen, smelled, touched, heard, or tasted, is your personal property but in truth and in fact, your personal information is. In this time where information flows freely and easily, more than ever before, there is a need to safeguard this precious property.

During this COVID-19 pandemic, is there any room for the exercise of your rights over your personal information, or are they suspended? That is something we will discuss next week.