LAND TRANSPORTATION OFFICE

Republic Act No. 10173, also known as the Data Privacy Act of 2012, protects personal information in information and communications systems in both the government and the private sector. It also created the National Privacy Commission (NPC) to administer and implement the Act.

The Act recognizes the fundamental right to privacy (including privacy of communication) while ensuring the free flow of information to promote innovation and growth, and requires that personal information be secured and protected.

This notice summarizes key Data Privacy Act concepts relevant to the LTO-HRIS and explains, at a high level, how the platform processes personal information for legitimate human resource functions.

The Data Privacy Act applies to the processing of all types of personal information and to persons and organizations involved in personal information processing, including personal information controllers and personal information processors. The Act provides for extraterritorial application in certain cases (e.g., when equipment located in the Philippines is used, or when an office, branch, or agency is maintained in the Philippines).

Key terms used in the Act include: "data subject" (the individual whose personal information is processed), "processing" (operations performed on personal information such as collection, recording, storage, use, disclosure, blocking, erasure, or destruction), "personal information," and "sensitive personal information," as defined under the Act.

The Act allows processing of personal information subject to compliance with its requirements and adherence to the principles of transparency, legitimate purpose, and proportionality.

Personal information must be collected for specified and legitimate purposes, processed fairly and lawfully, kept accurate and up to date when necessary, adequate and not excessive for the declared purpose, and retained only for as long as necessary for the declared purposes (or as otherwise provided by law).

Under the Act, processing of personal information is permitted only if not otherwise prohibited by law and when at least one lawful condition exists (such as consent, necessity in relation to a contract, compliance with a legal obligation, protection of vitally important interests, performance of functions of public authority, or legitimate interests that are not overridden by the data subject's fundamental rights and freedoms).

Processing of sensitive personal information and privileged information is generally prohibited, except in specific circumstances provided under the Act (e.g., when specific consent is given, when provided for by existing laws and regulations with safeguards, to protect life and health when the data subject cannot consent, for certain public organization objectives, for medical treatment under required protection, or for lawful rights and claims in proceedings, among others).

The Act grants data subjects rights including: to be informed whether personal information will be, is being, or has been processed; to be furnished specific information about the processing (such as the purpose, scope and method, recipients, storage period, and the existence of rights); and to reasonable access to personal information upon demand.

It also provides the right to dispute inaccuracy or error and have information corrected, the right to suspend/withdraw or request blocking, removal, or destruction in certain cases, the right to be indemnified for damages under conditions stated in the Act, and the right to data portability where personal information is processed electronically in a structured and commonly used format. The Act also recognizes the right to lodge a complaint before the NPC.

The Act requires personal information controllers to implement reasonable and appropriate organizational, physical, and technical measures for the protection of personal information. It also sets the principle of accountability for transfers of personal information and provides specific requirements for government agencies' handling of sensitive personal information.

This notice may be updated to reflect changes in applicable laws, NPC issuances, and LTO-HRIS processes. For the full text of Republic Act No. 10173, refer to the National Privacy Commission's Data Privacy Act page.