Data Privacy Act Flashcards

(155 cards)

1
Q

What does ‘Commission’ refer to?

A

The National Privacy Commission created by virtue of this Act.

2
Q

What is the definition of ‘Consent of the data subject’?

A

Any freely given, specific, informed indication of will, whereby the data subject agrees to the collection and processing of personal information about and/or relating to him or her.

3
Q

How can consent be evidenced?

A

By written, electronic or recorded means.

4
Q

Who can give consent on behalf of the data subject?

A

An agent specifically authorized by the data subject.

5
Q

What is a ‘Data subject’?

A

An individual whose personal information is processed.

6
Q

Define ‘Direct marketing’.

A

Communication by whatever means of any advertising or marketing material which is directed to particular individuals.

7
Q

What does ‘Filing system’ refer to?

A

Any act of information relating to natural or juridical persons structured for specific information to be readily accessible.

8
Q

What is an ‘Information and Communications System’?

A

A system for generating, sending, receiving, storing or processing electronic data messages or electronic documents.

9
Q

True or False: A data subject can be a juridical person.

A

False.

10
Q

What is a personal information controller?

A

A person or organization who controls the collection, holding, processing, or use of personal information.

11
Q

What does a personal information controller exclude?

A
  1. A person or organization who performs such functions as instructed by another person or organization.
  2. An individual who collects, holds, processes, or uses personal information in connection with personal, family, or household affairs.
12
Q

What is a personal information processor?

A

Any natural or juridical person qualified to act as such under this Act to whom a personal information subject controller may outsource the processing of personal data.

13
Q

True or False: A personal information processor can be an organization.

A

True

14
Q

What role does a personal information processor serve in relation to a personal information controller?

A

They process personal data pertaining to a data subject as outsourced by the controller.

15
Q

What is the scope of personal information processing?

A
  • The processing of all types of personal information
  • Any natural and juridical person involved in personal information processing
16
Q

Data Privacy Act does not apply to:

A
  • government officer/employee
  • performing service under contract for a government institution
  • information for discretionary benefit of a financial nature (ex. license)
  • journalistic, artistry, literary, research
  • carry out functions of public authority
  • banks and other financial institutions
  • residents of foreign jurisdiction
17
Q

What does Republic Act No. 53 protect?

A

It protects publishers, editors, or duly accredited reporters from being compelled to reveal their sources of news reports or information.

This protection applies to publications of general circulation that receive information in confidence.

18
Q

What is the extraterritorial application of the Data Privacy Act?

A

It applies to acts done or practices engaged in outside the Philippines by an entity if:

  • relates to personal information about a Philippine citizen or resident
  • has a link with the Philippines (contract, juridical entity unincorporated, branch, agency, etc.)
  • has other link with the Philippines (carries business, personal information was collected or held by an entity with the Philippines)
19
Q

What must the Commission ensure regarding personal information?

A

The Commission shall ensure at all times the confidentiality of any personal information that comes to its knowledge and possession.

This emphasizes the importance of protecting personal data from unauthorized access or disclosure.

20
Q

To which department is the Commission attached?

A

The Commission shall be attached to the Department of Information and Communications Technology (DICT).

This indicates the Commission’s alignment with governmental oversight in information and communications.

21
Q

Who heads the Commission?

A

The Commission shall be headed by a Privacy Commissioner, who shall also act as Chairman of the Commission.

The dual role highlights the importance of leadership in privacy governance.

22
Q

What benefits does the Privacy Commissioner enjoy?

A

The Privacy Commissioner shall enjoy the benefits, privileges, and emoluments equivalent to the rank of Secretary.

This ensures that the position is respected and adequately compensated within the governmental structure.

23
Q

Who assists the Privacy Commissioner?

A

Two (2) Deputy Privacy Commissioners

24
Q

What are the responsibilities of the two Deputy Privacy Commissioners?

A

One for Data Processing Systems and one for Policies and Planning

25
What rank do the Deputy Privacy Commissioners enjoy?
Equivalent to the rank of Undersecretary
26
What is the term length for the Privacy Commissioner and Deputy Privacy Commissioners?
Three (3) years
27
Who appoints the Privacy Commissioner and Deputy Privacy Commissioners?
The President of the Philippines
28
What qualifications must the Privacy Commissioner have?
  • At least thirty-five (35) years of age
  • Good moral character
  • Unquestionable integrity
  • Recognized expert in information technology and data privacy
29
What qualifications must the Deputy Privacy Commissioners have?
Recognized experts in information and communications technology and data privacy
30
Are the Privacy Commissioner and Deputy Commissioners liable for acts done in good faith?
No, they shall not be civilly liable for acts done in good faith
31
What happens if the Privacy Commissioner or Deputy Commissioners commit willful or negligent acts?
They shall be liable for acts contrary to law, morals, public policy, and good customs
32
What is the reimbursement policy for legal costs incurred by the Privacy Commissioner?
They shall be reimbursed by the Commission for reasonable costs of litigation if the performance of their duties is lawful
33
What is the minimum service requirement for members of the Secretariat?
At least five (5) years in any government agency involved in processing personal information
34
What does processing refer to in the context of personal information?
Any operation or any set of operations performed upon:
  • Collection
  • Recording
  • Organization
  • Storage
  • Updating or Modification
  • Retrieval
  • Consultation
  • Use
  • Consolidation
  • Blocking
  • Erasure or
  • Destruction of data.
Footnote: This defines the various operations that can be performed on personal information.
35
What are the two main conditions for the processing of personal information?
  1. Compliance with the requirements of the Data Privacy Act and other laws allowing disclosure of information to the public.
  2. Adherence to general data privacy principles.
Footnote: These conditions ensure that personal information is handled legally and ethically.
36
What is the Principle of Proportionality?
The Processing of Personal data shall be adequate, relevant, suitable, necessary, and not excessive in relation to a declared and specified purpose.
Footnote: This principle emphasizes that personal data should only be processed if it cannot be achieved by other means.
37
What does the Principle of Legitimate Purpose entail?
The Processing of Personal Data by the Company shall be compatible with a declared and specified purpose which must not be contrary to law, morals, or public policy.
Footnote: This principle ensures that data processing is aligned with ethical standards and legal requirements.
38
What is required under the Principle of Transparency?
The Data Subject must be aware of the nature, purpose, and extent of the Processing of his or her Personal Data.
Footnote: Transparency helps build trust between the data subject and the entity processing the data.
39
What is the definition of PERSONAL INFORMATION?
Information from which the identity of an individual can be directly ascertained or reasonably inferred.
Footnote: This includes information that is apparent or can be combined with other information to identify an individual.
40
What are examples of personal information?
Examples include:
  • Data Owner's Name
  • Home address
  • Phone number
Footnote: These examples illustrate the types of information that can identify an individual.
41
What must be declared before collecting personal information?
Specified and legitimate purposes for collection.
Footnote: This declaration should occur before or as soon as reasonably practicable after collection.
42
What is required for the processing of personal information?
It must be processed fairly and lawfully.
Footnote: Fairness and legality are essential principles in handling personal information.
43
What characteristics must personal information have?
It must be:
  • Accurate
  • Relevant
  • Up to date when necessary for the purposes of processing.
Footnote: Keeping personal information accurate and current is important for its effective use.
44
True or False: Personal information can be processed for any purpose after it is collected.
False.
Footnote: Personal information must only be processed in ways compatible with the declared purposes.
45
What principle states that data must be adequate and not excessive?
Data minimization principle
Footnote: This principle relates to collecting only the data necessary for specified purposes.
46
For how long should personal data be retained?
Only for as long as necessary for the fulfillment of purposes
Footnote: This includes legal claims, legitimate business purposes, or requirements by law.
47
What is the requirement for keeping data in a form that permits identification of data subjects?
For no longer than necessary for the purposes of collection and processing
Footnote: This ensures that personal data is not held longer than required.
48
Under what circumstances may personal information be processed for longer periods?
For historical, statistical or scientific purposes
Footnote: This is permitted by law under certain conditions.
49
What must be guaranteed by laws authorizing the longer processing of personal data?
Adequate safeguards
Footnote: This ensures that data is processed in a manner that protects the rights of data subjects.
50
Who is responsible for ensuring the implementation of personal information processing principles?
The personal information controller
Footnote: This role includes overseeing compliance with data processing principles.
51
What is required for the lawful processing of personal information?
Processing is permitted if not prohibited by law and at least one condition exists:
Footnote: These conditions must be met for lawful processing of personal data.
52
What is the first condition that allows for the processing of personal information?
The data subject has given his or her consent
Footnote: Consent must be informed and voluntary.
53
What is the second condition for lawful processing of personal information?
The processing is necessary for fulfilling a contract with the data subject or taking steps at their request prior to entering into a contract
Footnote: This condition emphasizes the contractual relationship between the data subject and the processor.
54
What is the third condition that permits the processing of personal information?
The processing is necessary for compliance with a legal obligation to which the personal information controller is subject
Footnote: Legal obligations can vary depending on jurisdiction.
55
What does the fourth condition for processing personal information involve?
The processing is necessary to protect vitally important interests of the data subject, including life and health
Footnote: This condition is crucial in emergencies where personal data may save lives.
56
What is the fifth condition under which personal information processing is lawful?
The processing is necessary in order to respond to national emergency, comply with public order and safety, or fulfill functions of public authority
Footnote: This condition highlights the role of data in public safety and governance.
57
What is the sixth condition for processing personal information?
The processing is necessary for the purposes of legitimate interests pursued by the personal information controller or a third party, except where such interests are overridden by the interests of the data subject
Footnote: This condition requires a balance between the interests of the data processor and the rights of the data subject.
58
What is privileged information?
Any and all forms of data which under the Rules of Court and other pertinent laws constitute privileged communication.
59
Give examples of privileged information.
  • Attorney-client privileged information
  • Doctor-patient privileged information
  • Marital privilege communication
  • Priest-confessor privileged information
60
What is sensitive personal information?
Personal information about an individual's race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations.
61
List types of sensitive personal information.
  • Health information
  • Education information
  • Genetic or sexual life
  • Information regarding offenses committed or alleged
  • Government-issued information like social security numbers
62
Is processing of sensitive personal information and privileged information generally allowed?
No, the processing is prohibited except in certain cases.
63
What is one condition under which processing of sensitive personal information is allowed?
The data subject has given consent specific to the purpose prior to processing.
64
What is another condition that allows for the processing of privileged information?
All parties to the exchange have given their consent prior to processing.
65
True or False: Processing of sensitive personal information is allowed if provided for by existing laws and regulations.
True
66
What do regulatory enactments guarantee regarding sensitive personal information?
The protection of the sensitive personal information and the privileged information
Footnote: Regulatory enactments ensure compliance with data protection laws.
67
Is the consent of data subjects required by law for processing sensitive personal information?
No, the consent of the data subjects is not required by law or regulation
Footnote: This applies when other legal grounds for processing are present.
68
When is processing necessary to protect the life and health of a data subject?
When the data subject is not legally or physically able to express consent prior to processing
Footnote: This is a critical exception in emergency situations.
69
What are the lawful and noncommercial objectives for public organizations regarding data processing?
Processing must be confined to bona fide members and not transferred to third parties
Footnote: Consent of the data subject must be obtained prior to processing.
70
What conditions must be met for processing sensitive personal information for medical treatment?
It must be carried out by a medical practitioner or medical treatment institution with adequate protection
Footnote: This ensures that personal information is handled securely in healthcare settings.
71
For what purposes can personal information be processed in relation to legal claims?
To protect lawful rights and interests in court proceedings or for establishing, exercising, or defending legal claims
Footnote: This includes providing information to government or public authorities.
72
What is a personal information controller allowed to do regarding personal information?
A personal information controller may subcontract the processing of personal information.
Footnote: This refers to the ability of the personal information controller to delegate tasks related to the handling of personal data.
73
What responsibilities does a personal information controller have?
The personal information controller shall ensure:
  • The confidentiality of the personal information processed
  • Prevent its use for unauthorized purposes
  • Comply with the requirements of the Data Privacy Act and other laws for processing of personal information.
Footnote: These responsibilities are essential to protect personal data and ensure compliance with legal standards.
74
What must a personal information processor comply with?
The personal information processor shall comply with all the requirements of the Data Privacy Act and other applicable laws.
Footnote: This highlights the obligation of processors to adhere to legal standards in handling personal information.
75
What principle can personal information controllers invoke regarding privileged information?
Personal information controllers may invoke the principle of privileged communication over privileged information that they lawfully control or process.
Footnote: This principle protects certain communications from being disclosed in legal settings.
76
What is the status of evidence gathered on privileged information?
Any evidence gathered on privileged information is inadmissible.
Footnote: This means that such evidence cannot be used in court proceedings due to its protected status.
77
Rights of the Data Subject
  • To informed consent
  • To object
  • To withhold consent
  • To access
  • To correction
  • To erasure
  • To damages
  • To data portability
78
What can lawful heirs and assignees invoke after the death of the data subject?
The rights of the data subject for which they are an heir or assignee
Footnote: This principle ensures that the rights of individuals regarding their personal data can be passed on to their heirs.
79
What does the term 'Transmissibility of Rights of the Data Subject' refer to?
The ability of lawful heirs and assignees to invoke the rights of the data subject after their death
Footnote: This concept is important in data protection laws to ensure continuity of rights.
80
What is the Data Privacy Act?
A law that governs the processing of personal information to protect the rights of data subjects.
81
Under what condition are the rights of a data subject not applicable?
If the processed personal information is used only for the needs of scientific and statistical research.
82
What must be ensured when using personal information for research?
The personal information shall be held under strict confidentiality and shall be used only for the declared purpose.
83
What is one of the exceptions to the rights of a data subject?
Processing of personal information gathered for investigations related to criminal, administrative, or tax liabilities.
84
What is required for processed personal information used in scientific research?
It must be held under strict confidentiality.
85
What happens if personal information is processed for purposes beyond research?
The rights of the data subject may apply.
86
What must the personal information controller implement to protect personal information?
Reasonable and appropriate organizational, physical and technical measures
Footnote: This includes protection against accidental or unlawful destruction, alteration, and disclosure.
87
What are the two types of dangers that personal information must be protected against?
Natural dangers and human dangers
Footnote: Natural dangers include accidental loss or destruction; human dangers include unlawful access and fraudulent misuse.
88
What factors should be considered when determining the appropriate level of security?
  • Nature of the personal information
  • Risks represented by the processing
  • Size of the organization
  • Complexity of its operations
  • Current data privacy best practices
  • Cost of security implementation
Footnote: These factors help tailor security measures to specific contexts.
89
What type of safeguards must be implemented to protect computer networks?
Safeguards against accidental, unlawful, or unauthorized usage or interference
Footnote: These safeguards ensure the functioning and availability of the network.
90
What must a personal information controller have regarding the processing of personal information?
A security policy
Footnote: This policy outlines the measures and protocols for handling personal information securely.
91
True or False: The personal information controller does not need to consider the size of the organization when implementing security measures.
False
Footnote: The size of the organization is one of the factors that must be taken into account.
92
What must a personal information controller ensure regarding third parties?
The personal information controller must ensure that third parties processing personal information on its behalf implement the security measures required by the provision.
Footnote: This is crucial for safeguarding personal information shared with external parties.
93
What is the obligation of employees, agents, or representatives involved in processing personal information?
They shall operate and hold personal information under strict confidentiality if the personal information is not intended for public disclosure.
Footnote: This obligation continues even after leaving public service or upon termination of employment.
94
What must a personal information controller do if sensitive personal information is believed to have been acquired by an unauthorized person?
The personal information controller shall promptly notify the Commission and affected data subjects when sensitive personal information is reasonably believed to have been acquired by an unauthorized person and is likely to cause serious harm.
Footnote: This notification is critical for mitigating risks of identity fraud.
95
What must the notification to the Commission describe?
The nature of the breach, the sensitive personal information possibly involved, and the measures taken by the entity to address the breach
Footnote: This ensures that the Commission has a clear understanding of the incident and can take appropriate action.
96
Under what circumstances can notification be delayed?
To determine the scope of the breach, to prevent further disclosures, or to restore reasonable integrity to the information and communications system
Footnote: This allows for a more thorough investigation and remediation before public disclosure.
97
What factors does the Commission consider when evaluating if notification is unwarranted?
Compliance by the personal information controller with this provision and existence of good faith in the acquisition of personal information
Footnote: These factors help assess whether the breach was handled appropriately.
98
True or False: The Commission can exempt a personal information controller from notification if it deems it reasonable.
True
Footnote: This allows for flexibility in handling breaches based on specific circumstances.
99
Under what condition may the Commission authorize postponement of notification of a data breach?
When it may hinder the progress of a criminal investigation related to a serious breach
Footnote: This provision allows for exceptions in cases where notifying affected individuals could impede law enforcement efforts.
100
What is the time frame for reporting data breaches if there is a likelihood of risk to individuals?
Within 72 hours
Footnote: Timely reporting is crucial for mitigating potential harm to affected individuals.
101
What is the Principle of Accountability in the context of the Data Privacy Act?
Each personal information controller is responsible for personal information under its control
Footnote: This includes information transferred to third parties for processing.
102
What must a personal information controller ensure when transferring information to a third party?
A comparable level of protection for personal information
Footnote: This can be achieved through contractual or reasonable means.
103
Who is responsible for ensuring compliance with the Data Privacy Act within an organization?
Data Protection Officer
Footnote: This individual is designated to oversee adherence to data protection regulations.
104
True or False: The identity of the Data Protection Officer must be disclosed to data subjects upon request.
True
Footnote: Transparency regarding the Data Protection Officer enhances accountability.
105
What must be provided to maintain protection when personal information is processed by a third party?
Contractual or other reasonable means
Footnote: This ensures that the level of data protection remains consistent.
106
What is the responsibility of Heads of Agencies regarding sensitive personal information?
All sensitive personal information maintained by the government must be secured using the most appropriate standard recognized by the information and communications technology industry.
Footnote: This standard is also recommended by the Commission.
107
Who is responsible for complying with the security requirements for sensitive personal information?
The head of each government agency or instrumentality.
Footnote: Each head must ensure compliance with security requirements.
108
What role does the Commission play in the security of sensitive personal information?
The Commission monitors compliance and may recommend necessary actions to satisfy minimum standards.
Footnote: This includes oversight of the security measures implemented by government agencies.
109
True or False: The Commission is responsible for securing sensitive personal information in government agencies.
False.
Footnote: The heads of agencies are responsible for securing information, while the Commission monitors compliance.
110
What is required for government employees to access sensitive personal information on government property?
They must receive a security clearance from the head of the source agency.
Footnote: This applies to both on-site and online access.
111
What is the general rule for off-site access to sensitive personal information maintained by an agency?
It may not be transported or accessed from a location off government property unless approved by the head of the agency.
Footnote: This requires a request to be submitted and approved.
112
What is the deadline for the head of an agency to approve or disapprove a request for off-site access?
Two (2) business days after the date of submission.
Footnote: If there is no action taken, the request is considered disapproved.
113
What is the maximum number of records that can be accessed at a time if a request for off-site access is approved?
Not more than one thousand (1,000) records.
Footnote: This limitation is set by the head of the agency.
114
What standard must be used for technology storing sensitive personal information for off-site access?
The most secure encryption standard recognized by the Commission.
Footnote: This is a requirement for approved off-site access.
115
What must agencies require from contractors who access sensitive personal information from one thousand (1,000) or more individuals?
They must register their personal information processing system with the Commission and comply with the Data Privacy Act.
Footnote: This is similar to the requirements for agencies and government employees.
116
What is the time frame for notifying the Commission of a personal data breach?
Within seventy-two (72) hours upon knowledge of or reasonable belief of a breach
Footnote: This applies to both personal information controllers and personal information processors.
117
Under what circumstances can the notification of a data breach be delayed?
To determine the scope of the breach, prevent further disclosures, or restore integrity
Footnote: Delay is not allowed if it is used to perpetuate fraud or conceal the breach.
118
True or False: The personal information controller must be absolutely certain of the breach's scope before notifying the Commission.
False
Footnote: Uncertainty does not justify a delay in notification.
119
What is the threshold for a breach that requires immediate notification without delay?
At least one hundred (100) data subjects or disclosure of sensitive personal information
Footnote: Notification must still occur within the 72-hour period.
120
Fill in the blank: The full report of the personal data breach must be submitted within ______ days.
five (5) days
Footnote: Additional time may be granted by the Commission if necessary.
121
What does the 'nature of the breach' refer to in the context of notification?
Description of how the breach occurred and the vulnerability of the data processing system
Footnote: This helps identify weaknesses in security measures.
122
True or False: The Commission must be notified of a breach even if the personal information controller has not secured the information system.
True
Footnote: Delay in notification is only allowed under specific conditions.
123
What is the significance of the approximate number of data subjects involved in a breach?
It helps assess the impact of the breach on individuals
Footnote: This information is critical for the Commission's response.
124
What is the form of notification required for data protection?
A report, whether written or electronic
Footnote: The report must contain the required contents of notification.
125
What must the notification report include regarding personnel?
The name and contact details of the data protection officer and a designated representative of the personal information controller
Footnote: This ensures accountability and proper communication channels.
126
What additional information should be included in the report when applicable?
The manner of notification of the data subjects
Footnote: This helps clarify how individuals will be informed.
127
What must a personal information controller ensure when transmitting notification by electronic mail?
Secure transmission
Footnote: This is essential to protect sensitive information.
128
What action does the Commission take upon receipt of the notification?
Sends a confirmation to the personal information controller
Footnote: This confirmation is necessary for the filing process.
129
Is a report considered filed without confirmation from the Commission?
No
Footnote: The confirmation is a crucial part of the filing process.
130
What constitutes proof of confirmation when notification is through a written report?
The received copy retained by the personal information controller
Footnote: This serves as documentation of compliance.
131
What is unauthorized processing of personal information?
Processing personal information without consent or authorization under the Data Privacy Act or any existing law. ## Footnote This includes any action taken on personal data without proper legal grounds.
132
What are the penalties for unauthorized processing of personal information?
Imprisonment: 1 to 3 years; Fine: P500,000 - P2,000,000 ## Footnote Penalties increase for sensitive personal information.
133
What constitutes access to personal information without authorization?
Providing access due to negligence without authorization under the Data Privacy Act or any existing law. ## Footnote This includes failure to secure personal data adequately.
134
What are the penalties for unauthorized access to personal information?
Imprisonment: 1 to 3 years; Fine: P500,000 - P2,000,000 ## Footnote Similar penalties apply for sensitive personal information, with increased severity.
135
What is improper disposal of personal information?
Knowingly or negligently disposing, discarding, or abandoning personal information in public areas. ## Footnote This includes leaving personal data in trash or unsecured locations.
136
What are the penalties for improper disposal of personal information?
Imprisonment: 6 months to 2 years; Fine: P100,000 - P500,000 ## Footnote Increased penalties apply for sensitive personal information.
137
What does processing for unauthorized purposes mean?
Processing personal information for purposes not authorized by the data subject or existing laws. ## Footnote This includes using data for marketing or other activities without consent.
138
What are the penalties for processing personal information for unauthorized purposes?
Imprisonment: 1 year and 6 months to 5 years; Fine: P500,000 - P1,000,000 ## Footnote Penalties are harsher for sensitive personal information.
139
What is the penalty for Unauthorized Access or Intentional Breach?
Imprisonment of 1 year to 3 years and a fine of P500,000 to P2,000,000 ## Footnote This refers to breaking into systems where personal and sensitive information is stored.
140
What constitutes Concealment of Security Breaches Involving Sensitive Personal Information?
Intentionally or by omission concealing the fact of a security breach after having knowledge of it ## Footnote The penalty includes imprisonment of 1 year and 6 months to 5 years and a fine of P500,000 to P1,000,000.
141
Define Malicious Disclosure.
Disclosing unwarranted or false information related to personal information with malice or in bad faith ## Footnote Penalty includes imprisonment of 1 year and 6 months to 5 years and a fine of P500,000 to P1,000,000.
142
What is Unauthorized Disclosure?
Disclosing personal or sensitive personal information to a third party without consent of the data subject ## Footnote Penalties vary based on the type of information disclosed.
143
What are the penalties for Unauthorized Disclosure of Personal Information?
Imprisonment: 1 year to 3 years; Fine: P500,000 to P1,000,000 ## Footnote This applies to personal information disclosed without consent.
144
What are the penalties for Unauthorized Disclosure of Sensitive Personal Information?
Imprisonment: 3 to 5 years; Fine: P500,000 to P2,000,000 ## Footnote This applies to sensitive personal information disclosed without consent.
145
What is the consequence of a Combination or Series of Acts related to data breaches?
Imprisonment of 3 to 6 years and a fine of P1,000,000 to P5,000,000 ## Footnote This applies when multiple acts are committed as defined in the previous points.
146
Who is liable if the offender is a corporation or partnership?
The responsible officers who participated in the offense ## Footnote This includes those who acted on behalf of the juridical person.
147
What is the extent of liability for juridical persons?
The penalty shall be imposed upon the responsible officers ## Footnote This applies when the juridical person is involved in an offense.
148
True or False: Only individuals can be held liable for offenses committed by a corporation.
False ## Footnote Corporations can be held liable through their responsible officers.
149
What must be proven for responsible officers to be penalized?
Their participation in the offense or gross negligence ## Footnote Participation can be direct or indirect.
150
What is the consequence for a juridical person found guilty under the Data Privacy Act?
The court may suspend or revoke any of its rights under the Data Privacy Act. ## Footnote Juridical persons refer to legal entities like corporations or organizations.
151
What happens to an alien offender under the Data Privacy Act?
The alien shall be deported without further proceedings after serving the prescribed penalties. ## Footnote This applies in addition to any other penalties imposed.
152
What is the threshold for large-scale penalties under the Data Privacy Act?
The maximum penalty is imposed when the personal information of at least one hundred (100) persons is harmed, affected, or involved. ## Footnote This emphasizes the severity of the violation based on the number of individuals impacted.
153
What additional penalties do public officials face if found guilty of improper disposal of personal information?
They shall suffer perpetual or temporary absolute disqualification from office, as applicable. ## Footnote This is in addition to other penalties prescribed.
154
What is the accessory penalty for a public officer committing an offense in the exercise of their duties?
Disqualification to occupy public office for a term double the term of the criminal penalty imposed. ## Footnote This ensures accountability for public officers in their official capacity.
155
How is restitution for aggrieved parties governed under the Data Privacy Act?
Restitution shall be governed by the provisions of the New Civil Code. ## Footnote This indicates that restitution is aligned with existing civil law frameworks.