The National Privacy Commission (NPC) has issued NPC Circular No. 2020-03, providing guidelines on the drafting of data sharing agreements. The circular amends NPC Circular No. 2016-02, expanding the coverage of the rules from only data shared by government agencies to all types of data shared by Personal Information Controllers (PICs) to other PICs. Data Sharing Agreements are required to be executed when data is being transferred by one PIC to another PIC for commercial purposes.
1. What is a Personal Information Controller (PIC)? How is it different from a Personal Information Processor (PIP)?
In simple terms, a Personal Information Controller is an entity that controls the processing of personal data, or instructs another entity to process personal data on its behalf. There is control if the entity decides on what data is processed or the purpose or extent of its processing.
The term excludes:
An entity that processes data pursuant to the instructions of another entity. (This is called a Personal Information Processor.)
A natural person that processes data in connection with his/her personal, family, or household affairs.
2. What is meant by “Data Sharing”? How is it different from “Data Outsourcing”?
Data sharing is the sharing, disclosure, or transfer of personal data from one PIC to one or more other PICs. This arrangement is executed between PICs only.
If a PIC shares personal data with another entity and instructs the other entity to process the personal data, the arrangement is called “Data Outsourcing”. The entity with whom the personal data is shared and who processes the personal data under the instructions of the PIC is called the Personal Information Processor (PIP).
3. What are the principles governing Data Sharing?
All Data Sharing arrangements must adhere to the following principles:
Adherence to the data privacy principles of transparency, legitimate purpose, and proportionality;
Fulfilment of all applicable requirements prescribed by the Data Privacy Act, its IRR, and other issuances of the NPC;
Recognition of and upholding the rights of affected data subjects, unless otherwise provided by law;
Ensuring that the shared and collected data are accurate, complete, and where necessary for the declared, specified, and legitimate purpose, kept up to date; and
Implementation of reasonable and appropriate organizational, physical, and technical security measures intended for the protection of personal data against any accidental or unlawful destruction, alteration, and disclosure, as well as against any other unlawful processing.
4. Who is accountable for the data sharing arrangement?
Subject to the terms of the DSA, each party will be responsible for any personal data under its control or custody, including those where the processing has been outsourced or subcontracted to a PIP. This extends to personal data each party shares with or transfers to a third party located outside the Philippines, subject to cross-border arrangement and cooperation.
5. Prior to the implementation of a Data Sharing arrangement, what should the PIC do?
The PIC should inform the affected data subjects of the fact that their personal data will be the subject of a data sharing arrangement. Where the data sharing arrangement is done for commercial purposes, including direct marketing, the arrangement must be covered by a Data Sharing Agreement.
6. How should the data subjects be informed of the Data Sharing arrangement?
Where consent is required, the data subjects must be informed through a consent form and their consent to the data sharing arrangement must be obtained. Where no consent is required, a privacy notice shall suffice. In all cases, the best practice is to obtain the consent of the data subject.
The consent form or privacy notice must contain the following information:
Identity of the PIC or PIP who will be given access to the personal data;
Categories of recipients of the personal data: provided, that PICs shall provide a data subject with the identity of the recipients, upon request;
Purpose of data sharing and the objective/s it is meant to achieve;
Categories of personal data that will be shared;
Existence of the rights of data subjects; and
Other information that would sufficiently inform the data subject of the nature and extent of data sharing and the manner of processing involved.
7. What is a Data Sharing Agreement?
A Data Sharing Agreement (DSA) refers to a contract, joint issuance, or any similar document executed by the PICs involved in a data sharing arrangement which sets out the obligations, responsibilities, and liabilities of the PICs, including the implementation of adequate safeguards for data privacy and security and upholding the rights of the data subjects. Where the data sharing arrangement is done for commercial purposes, including direct marketing, the arrangement must be covered by a DSA.
The execution of a DSA demonstrates good faith in complying with the requirements of the Data Privacy Act. The existence of a DSA is taken into account in the course of any investigation relating to a data sharing arrangement, as well as in the conduct of compliance checks.
8. What are the required contents of a Data Sharing Agreement?
Only PICs can be parties to a DSA and the DPOs of the parties will sign as witnesses. The following are the contents of a DSA:
a. Purpose of the data sharing arrangement
b. Lawful basis for the sharing of the personal data
c. Objectives for the data sharing arrangement
d. Parties to the data sharing arrangement, who must only be PICs
e. The following details regarding each Party
i. Type of personal data it will share
ii. Whether the personal data processing will be outsourced, including the types of processing PIPs or service providers will be allowed to perform;
iii. Method to be used for the processing of personal data; and
iv. Designated data protection officer.
f. The term or duration of the data sharing arrangement which will be based on the continued existence of the purpose/s of such arrangement. Perpetual or indeterminate terms are not allowed.
g. Operational Details of the data sharing arrangement. If the recipient will be allowed to disclose the shared data, or grant public access to the same, this must be established clearly in the DSA, including the following details:
i. Justification for allowing such access;
ii. Parties that are granted access;
iii. Types of personal data that are made accessible; and
iv. Estimated frequency and volume of such access.
Where disclosure or public access is facilitated by an online platform, the program, middleware, and encryption method that will be used should also be identified. Any other information that would sufficiently inform the data subject of the nature and extent of data sharing and the manner of processing involved should also be provided.
h. Security. A description of the reasonable and appropriate organizational, physical, and technical security measures that the parties intend to adopt to ensure the protection of the shared data.
i. Process for data breach management
j. Data subjects’ rights. The DSA must provide for mechanisms that allow affected data subjects to exercise their rights relative to their personal data, including:
i. Identity of the party or parties responsible for addressing: information requests, complaints by a data subject, and/or any investigation by the NPC: provided, that the NPC shall make the final determination as to which party is liable for any violation of the DPA, its IRR, or any applicable NPC issuance; and
ii. Procedure by which a data subject can access or obtain a copy of the DSA: provided, that the parties may redact or prevent the disclosure of trade or industrial secrets, confidential and proprietary business information, and any other detail or information that could endanger or compromise their information systems, or expose to harm the confidentiality, integrity, or availability of personal data under their control or custody.
k. Retention and Data Disposal. This includes rules for the retention of shared data (which cannot be indeterminate or perpetual) and identifies the method that will be adopted for the secure return, destruction, or disposal of the shared data and the timeline therefor.
9. How should DSAs be managed by the DPOs?
Each PIC should establish and maintain a record of its data sharing arrangements, including the following:
Contact details of all parties, including their respective data protection officers;
Legal bases for the data sharing arrangement/s;
Copy of the DSA/s, if executed;
Written, recorded, or electronic proof of the consent obtained from data subjects, where applicable; and
Date and/or time consent was obtained and withdrawn, where applicable.
10. How are data sharing arrangements terminated?
Data sharing arrangements may be terminated:
upon the expiration of its term, or any valid extension thereof;
upon the agreement by all parties;
upon breach of any provisions of the DSA by any of the parties;
upon dissolution or death of the PIC;
upon a finding by the Commission that data sharing is:
no longer necessary for the specified purpose/s and its objective/s has already been achieved; or
detrimental to national security, public interest or public policy, or the termination of the same is necessary to preserve and protect the rights of a data subject.
upon order by the NPC when a party to a data sharing arrangement is determined to have violated the Data Privacy Act, its IRR or any applicable issuance by the NPC.