The extent to which an organization is subject to obligations under the Data Privacy Act (hereinafter “DPA”) depends on whether it is a personal information controller or a personal information processor. Generally speaking, a party that handles personal information on behalf of the controller is known as a ‘personal information processor’ and is subject to far fewer obligations under the law.
However, it is often far from clear who is the controller and who is the processor. Confusion on the part of organizations as to their respective roles can have significant real-world consequences. For example, if there is a data breach, it is essential for both organizations involved to be able to determine where responsibility lies. Hence, it is imperative to know whether one is acting as a controller or as a processor.
- Controller vis-à-vis Processor
Under the DPA, a personal information controller refers to a person, natural or juridical, who controls the processing of personal information, including a person or organization who instructs another to process personal information on his or her behalf. The term does not include a person who performs such functions as instructed by the controller, or any individual who “collects, holds, processes or uses personal information in connection with the individual’s personal, family or household affairs.” Meanwhile, a personal information processor refers to any person “qualified to act as such to whom a personal information controller may outsource the processing of personal data pertaining to a data subject.”
Control of personal data is the determining factor. The controller is the person who determines the ‘why’ and the ‘how’ of a data processing activity. Activities such as interpretation, the exercise of professional judgment or significant decision-making in relation to personal information must be carried out by a controller.
In contrast, a processor is anyone who processes personal data on behalf of the data controller. The definition of ‘processing’ suggests that a data processor’s activities must be limited to the more ‘technical’ aspects of an operation, such as storage, modification, consultation, and erasure.
A good illustration is a bank that hires an IT firm to store archived data on its behalf. In practice, the IT firm will use its own technical knowledge to decide how best to store the data in a safe and accessible way. However, despite this freedom to make technical decisions, the IT firm is still not considered a controller, because the bank retains exclusive control over the purpose for which the data is processed and the content of the data. Again, the key consideration is who exercises control over the purpose and content of the personal data.
This distinction is important for compliance and accountability. Under the DPA, each controller is responsible for personal information under its control or custody, including information that has been transferred to a third party for processing. For instance, the controller is responsible for ensuring that proper safeguards are in place to protect the confidentiality of the personal information. Moreover, it is the controller who is obligated to notify the National Privacy Commission and the affected data subjects in case of a data breach.
- Data Sharing vis-à-vis Data Outsourcing
It is crucial to know whether a contract is for data sharing or for outsourcing (subcontracting), as the law sets different requirements for each. Data sharing is the disclosure or transfer to a third party of personal data under the custody of a personal information controller or personal information processor. If it is the processor who discloses or transfers the information, it must do so upon the instructions of the personal information controller concerned. Outsourcing, on the other hand, is the disclosure or transfer of personal data by a personal information controller to a personal information processor, in order for the latter to process the data according to the instructions of the controller.
There are two key differences between a data sharing agreement and an outsourcing agreement. First, all parties to a data sharing agreement are considered personal information controllers, even if it is a processor who directly shares the data. In an outsourcing agreement, there has to be at least one personal information controller and one personal information processor. Second, each party to a data sharing agreement has its own reason for processing the personal data involved. In an outsourcing agreement, the processor does not have its own purpose for processing, but merely carries out the instructions given by the controller. It cannot share, amend or further process personal data outside the bounds of the contract.
Data sharing is allowed when it is expressly authorized by law and adequate safeguards are in place, including adherence by the parties to the general principles of transparency, legitimate purpose, and proportionality. In the private sector, it is permitted if the consent of the data subject is obtained, and the following are complied with:
- Consent for data sharing shall be required even when the data is to be shared with an affiliate or mother company, or similar relationships;
- Data sharing for commercial purposes, including direct marketing, shall be covered by a data sharing agreement;
- The data sharing agreement shall establish adequate safeguards for data privacy and security, and uphold the rights of data subjects;
- The data sharing agreement shall be subject to review by the Commission, on its own initiative or upon complaint of a data subject;
- The data subject shall be provided with the following information prior to collection or before data is shared:
  - Identity of the personal information controllers or personal information processors that will be given access to the personal data;
  - Purpose of data sharing;
  - Categories of personal data concerned;
  - Intended recipients or categories of recipients of the personal data;
  - Existence of the rights of data subjects, including the right to access and correction, and the right to object; and
  - Other information that would sufficiently notify the data subject of the nature and extent of data sharing and the manner of processing.
Meanwhile, data sharing between government agencies should always have a basis in law, and must be for the purpose of performing a public function or providing a public service. This requirement may not be dispensed with by the mere fact that government agencies have executed data sharing agreements amongst themselves. Such an agreement should also comply with the following:
- It shall specify, with due particularity, the purpose or purposes of the data sharing agreement, including the public function or public service the performance or provision of which the agreement is meant to facilitate: Provided, that if the purpose includes the grant of online access to personal data, or if access is open to the public or private entities, these shall also be clearly specified in the agreement.
- It shall identify all personal information controllers that are party to the agreement, and for every party, specify:
  - the type of personal data to be shared under the agreement;
  - any personal information processor that will have access to or process the personal data, including the types of processing it shall be allowed to perform;
  - how the party may use or process the personal data, including, but not limited to, online access;
  - the remedies available to a data subject, in case the processing of personal data violates his or her rights, and how these may be exercised; and
  - the designated data protection officer or compliance officer.
- It shall specify the term or duration of the agreement, which may be renewed on the ground that the purpose or purposes of such agreement continues to exist: Provided, that in no case shall such term or any subsequent extensions thereof exceed five (5) years, without prejudice to entering into a new data sharing agreement.
- It shall contain an overview of the operational details of the sharing or transfer of personal data under the agreement. Such overview must adequately explain to a data subject and the Commission the need for the agreement, and the procedure that the parties intend to observe in implementing the same.
- It shall include a general description of the security measures that will ensure the protection of the personal data of data subjects, including the policy for retention or disposal of records.
- It shall state how a copy of the agreement may be accessed by a data subject: Provided, that the government agency may redact or prevent the disclosure of any detail or information that could endanger its computer network or system, or expose to harm the integrity, availability or confidentiality of personal data under its control or custody. Such information may include the program, middleware and encryption method in use, as provided in the next succeeding paragraph.
- If a personal information controller shall grant online access to personal data under its control or custody, it shall specify the following information:
  - Justification for allowing online access;
  - Parties that shall be granted online access;
  - Types of personal data that shall be made accessible online;
  - Estimated frequency and volume of the proposed access; and
  - Program, middleware and encryption method that will be used.
- It shall specify the personal information controller responsible for addressing any information request, or any complaint filed by a data subject and/or any investigation by the Commission: Provided, that the Commission shall make the final determination as to which personal information controller is liable for any breach or violation of the Act, its IRR, or any applicable issuance of the Commission.
- It shall identify the method that shall be adopted for the secure return, destruction or disposal of the shared data and the timeline therefor.
- It shall specify any other terms or conditions that the parties may agree on.
Under Section 44 of the IRR, outsourcing agreements should contain the following:
- The subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, the obligations and rights of the personal information controller, and the geographic location of the processing under the subcontracting agreement.
- That the personal information processor shall:
  - Process the personal data only upon the documented instructions of the personal information controller, including transfers of personal data to another country or an international organization, unless such transfer is authorized by law;
  - Ensure that an obligation of confidentiality is imposed on persons authorized to process the personal data;
  - Implement appropriate security measures and comply with the Act, these Rules, and other issuances of the Commission;
  - Not engage another processor without prior instruction from the personal information controller: Provided, that any such arrangement shall ensure that the same obligations for data protection under the contract or legal act are implemented, taking into account the nature of the processing;
  - Assist the personal information controller, by appropriate technical and organizational measures and to the extent possible, to fulfill the obligation to respond to requests by data subjects relative to the exercise of their rights;
  - Assist the personal information controller in ensuring compliance with the Act, these Rules, other relevant laws, and other issuances of the Commission, taking into account the nature of processing and the information available to the personal information processor;
  - At the choice of the personal information controller, delete or return all personal data to the personal information controller after the end of the provision of services relating to the processing: Provided, that this includes deleting existing copies unless storage is authorized by the Act or another law;
  - Make available to the personal information controller all information necessary to demonstrate compliance with the obligations laid down in the Act, and allow for and contribute to audits, including inspections, conducted by the personal information controller or another auditor mandated by the latter; and
  - Immediately inform the personal information controller if, in its opinion, an instruction infringes the Act, these Rules, or any other issuance of the Commission.
To summarize, under the DPA, every data sharing agreement must comply with the conditions set forth in Section 20(b) of the IRR, as well as those indicated in NPC Circular 16-02 where the sharing arrangement involves the government. Outsourcing agreements, on the other hand, must comply with Section 44 of the IRR.