The Philippine National Privacy Commission (NPC) recently issued NPC Circular No. 2020-03 on Data Sharing Agreements (Circular). The Circular applies to the disclosure of personal data from a personal information controller (PIC) to another PIC. It likewise applies to personal data that is consolidated by several PICs and shared or made available to each other and/or to one or more PICs. It excludes outsourcing or subcontracting arrangements between a PIC and a personal information processor (PIP).
What the Circular Provides
Under the Circular, any PIC who engages in data sharing is required to adhere to the data privacy principles of transparency, legitimate purpose, and proportionality. It remains responsible for any personal data under its control or custody, including personal data whose processing has been outsourced or subcontracted to a personal information processor (PIP), and for all domestic and cross-border data transfers.
Data Sharing Agreement
Any data sharing should be supported by the applicable legal basis for data processing under Sections 12 and 13 of the Data Privacy Act of 2012. It should be covered by a written data sharing agreement (DSA) or a similar document containing the terms and conditions of the sharing arrangement, including, among others, obligations to protect the personal data shared, the responsibilities of the parties, and mechanisms through which data subjects may exercise their rights. More specifically, the DSA should be executed by the PICs and witnessed by their respective Data Protection Officers (DPOs). The agreement should also contain the following:
- Purpose and lawful basis of the data sharing
- Objectives of the data sharing
- Parties to the DSA
- Term or duration of the DSA
- Operational details of the data sharing, including the procedure the parties intend to observe in implementing the same
- Description of the reasonable and appropriate organizational, physical, and technical security measures that the parties intend to adopt to ensure the protection of the shared data
- Mechanisms that allow affected data subjects to exercise their rights relative to their personal data
- Rules for the retention of shared data and for the secure return, destruction, or disposal of the shared data, and the timeline therefor
- Other stipulations, clauses, terms and conditions as the parties may deem appropriate that are not contrary to law, morals, public order, or public policy
Copies of the DSA or relevant written document should be provided to a data subject or the NPC, upon request.
Each affected data subject should also be provided with the following information before personal data is shared or at the next practical opportunity, through an appropriate privacy notice or consent form, whichever is applicable or appropriate to the lawful basis for data sharing relied upon:
- Categories of recipients of the personal data (note that the identity of the recipients may also be provided upon request);
- Purpose of data sharing and the objective/s it is meant to achieve;
- Categories of personal data that will be shared;
- Existence of the rights of data subjects; and
- Other information that would sufficiently inform the data subject of the nature and extent of data sharing and the manner of processing involved.
Actions to Consider
Clients are advised to review their existing privacy notices and data sharing agreements, and to implement changes where necessary, to ensure full compliance with the requirements of the Circular. Beyond compliance, a review of existing data sharing arrangements is also strongly encouraged in order to confirm that the security measures being implemented are sufficient to protect and secure the personal data being processed by the organization.
*Authored by Quisumbing Torres, a member firm of Baker & McKenzie International, a Swiss Verein. Please contact QTInfoDesk@quisumbingtorres.com for inquiries.