NPC FAQ
FREQUENTLY ASKED QUESTIONS ON DATA PRIVACY
FOR
LIFE INSURANCE SECTOR
KEY TERMS
01. Personal data refers to all personal information, sensitive personal information and privileged information.
02. Personal information refers to information about an individual from which he or she is reasonably and directly identifiable.
03. Sensitive personal information refers to personal information: a. about an individual's race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations; b. about an individual's health, education, genetic or sexual life, or to any proceeding for any offense committed or alleged to have been committed by such individual, the disposal of such proceedings, or the sentence of any court in such proceedings; c. issued by government agencies peculiar to an individual which includes, but is not limited to, social security numbers, previous or current health records, licenses or their denials, suspension or revocation, and tax returns; and d. specifically established by an executive order or an act of Congress to be kept classified.
04. Personal information controller (PIC) refers to a natural or juridical person, or any other body, who controls the processing of personal data, or instructs another to process personal data on its behalf, and is obliged to safeguard such data under penalty of law. The term excludes: a. a natural or juridical person, or any other body, who performs such functions as instructed by another person or organization; or b. a natural person who processes personal data in connection with his or her personal, family, or household affairs.
05. Personal information processor (PIP) refers to a natural or juridical person or any other body to whom a personal information controller may outsource or instruct the processing of personal data pertaining to a data subject, and who is also obliged to safeguard such data under penalty of law.
06. Data subject refers to an individual whose personal, sensitive personal, or privileged information is processed.
07. Personal information processing refers to any operation or set of operations performed upon personal data including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data. Processing may be performed through automated means, or manual processing, if the personal data are contained or are intended to be contained in a filing system.
Q01: If a customer's sensitive personal information is to be shared with third parties for the purpose of investigating claims, will the consent of the customer be required? One of the conditions for validly sharing sensitive personal information without the consent of the data subject is when it is provided under applicable laws and regulations. The Insurance Code provides for a 2-year incontestability period for insurance policies. Naturally, if the risk insured against occurs within those 2 years, the insurer will investigate the claim for any concealment. Such investigation usually requires the services of independent investigators. Can sharing in this case be done without the consent of the subject, then, on the ground that it is allowed under applicable laws and regulations?
A: Section 13 of the Data Privacy Act of 2012 provides that processing of sensitive personal information is prohibited except in any of the enumerated cases. The case illustrated may fall under the second and/or the sixth criteria, wherein processing of sensitive personal information is provided for by existing laws and regulations and/or when the processing is necessary for the protection of lawful rights and interests of natural or legal persons in court proceedings, or the establishment, exercise, or defense of legal claims. Hence, this processing for investigating insurance claims does not need the consent of the data subject. However, the company must ensure that personal data is secured and protected when shared for investigation purposes. The fact that the company may obtain the services of independent investigators should also be included in the contract with the customer and in its privacy notice.
Q02: For the requirement of registering processes by Q1 next year, should manual processes be included?
A: Yes, both manual and electronic or automated processes must be registered with the NPC. Processing has been described in the IRR as an operation or set of operations which may be performed through automated means or manual processing, if personal data are contained or intended to be contained in a filing system. Section 3(f) of NPC Circular No. 17-01 defines a processing system as a structure and procedure by which personal data is collected and further processed in an information and communications system or relevant filing system, including the purpose and intended output of the processing.
Q03: Will the NPC prescribe minimum encryption standards?
A: Section 8 of NPC Circular No. 16-01 provides that all personal data that are digitally processed must be encrypted, whether at rest or in transit. For this purpose, the NPC recommends the Advanced Encryption Standard with a key size of 256 bits (AES-256) as the most appropriate encryption standard. Although NPC Circular 16-01 is addressed to all government branches, agencies, bureaus, offices, LGUs, GOCCs and state colleges and universities, it may be used by the private sector as reference.
For security measures, the NPC will also look at industry standards, provided that the standard is not below the level of security provided in the Data Privacy Act and related issuances of the Commission.
Q04: We sent letters to existing clients informing them of the DPA. Will the continued availment by our customers of our products and services constitute explicit consent to the processing of information, including the marketing of our insurance products?
A: We must distinguish between the processing of personal data based on existing contracts for insurance and processing for a secondary purpose, i.e. sharing of personal data for marketing purposes. It is evident that insurance companies must continue processing data of their clients if there is an existing contractual obligation to provide insurance. However, processing for a purpose other than the provision of insurance services is another matter. This is where the consent requirement is necessary. Where no sensitive information is used, consent may not be required if the company can demonstrate that processing is necessary for the purposes of its legitimate interests, except where such interests are overridden by the fundamental rights and freedoms of the client. The DPA clearly defines consent as a freely given, specific and informed indication of will, evidenced by written, electronic or recorded means. A positive act is required from the data subjects, and an implied or assumed consent will not suffice. Thus, the failure to respond does not constitute consent to processing for other secondary purposes.
Q05: We have been sending out notices to our customers regarding revised privacy provisions in compliance with the DPA. What should we do if the client does not give his or her consent or refuses to accept the revised privacy provisions? Do we terminate or cancel the policy considering refusal or withdrawal of consent?
A: To clarify, privacy policies/statements/notices are ways of showing adherence to the principle of transparency. These documents are not equivalent to a consent form. The processing of personal data pursuant to an existing contract of insurance is not dependent on whether or not a client/data subject accepts the revised privacy provisions. Where there is an existing valid contract for insurance, the same must be honored. In the event that the revised privacy policies would affect the very terms and conditions of the insurance contract itself in a way that the contract is novated, then the client's refusal to accept may result in the termination of the contract. Otherwise, the contract should remain valid. The DPA clearly defines consent as a freely given, specific and informed indication of will, evidenced by written, electronic or recorded means. A positive act is required from the data subjects, and an implied or assumed consent will not suffice. Thus, the failure to respond does not constitute consent to processing for other secondary purposes.
Q06: If a client requests the deletion of his or her records but the policy is still in force, how do we deal with such a request?
A: Section 16(e) of the Data Privacy Act of 2012 and Section 34 of its Implementing Rules and Regulations (IRR) provide for the right of the data subject to suspend, withdraw, or order the blocking, removal or destruction of his or her personal data from the personal information controller's filing system upon discovery and substantial proof of any of the following:
• The personal data is incomplete, outdated, false, or unlawfully obtained;
• The personal data is being used for purposes not authorized by the data subject;
• The personal data is no longer necessary for the purposes for which they were collected;
• The data subject withdraws consent or objects to the processing, and there is no other legal ground or overriding legitimate interest for the processing;
• The personal data concerns private information that is prejudicial to the data subject, unless justified by freedom of speech, expression, or of the press, or otherwise authorized;
• The processing is unlawful; or
• The personal information controller or personal information processor violated the rights of the data subject.
If the justification of the data subject is among those enumerated above, it is incumbent upon the company to comply with the request for deletion.
Q07: Do we need to seek the consent of the beneficiary nominated by the policy owner for the processing of the beneficiary's personal information?
A: There is a need to clarify what processing is to be done with respect to the beneficiary's personal information. If the processing is limited to the fulfillment of the insurance contract, the contract terms and conditions would be controlling. Consent may be required if the processing is for some other purpose unrelated to the insurance policy.
Q08: If there is an existing procedure for the processing of personal information, is there a need to seek the client's consent again for such procedure? Do we have to seek consent for all necessary business improvements as far as processing of personal information is concerned?
A: Consent is just one of the criteria for lawful processing of personal or sensitive personal information. If there is an existing contract or some other legal obligation, the same is controlling as to how personal data is processed. Changes in the process or business improvements which would not change the purpose of processing would not necessarily require the consent of the data subject. It is advisable that the company notify/inform the data subjects of the changes made and provide them a platform where they may ask for additional information. The client should be provided information when changes involve any of the following: 1. Description of the personal information to be entered into the system; 2. Purposes for which they are being or are to be processed; 3. Scope and method of the personal information processing; 4. The recipients or classes of recipients to whom they are or may be disclosed; 5. Methods utilized for automated access, if the same is allowed by the data subject, and the extent to which such access is authorized; 6. The identity and contact details of the personal information controller or its representative; 7. The period for which the information will be stored; and 8. The existence of their rights, i.e., to access and correction, as well as the right to lodge a complaint before the Commission.
Q09: Is a Data Sharing Agreement necessary in a purely service provider transaction, or will a Non-Disclosure Agreement be sufficient?
A: A data sharing agreement is executed between/among personal information controllers (PICs), while an outsourcing contract is between a PIC and a personal information processor (PIP). We understand a service provider transaction to be between a PIC and a PIP. The contract is an outsourcing contract and not a data sharing agreement. A non-disclosure agreement may be made part of the outsourcing agreement. The PIC should likewise use contractual and other reasonable means to ensure that proper safeguards are in place, that the confidentiality, integrity and availability of personal data is ensured, that use for unauthorized purposes is prevented, and that the requirements of the law are complied with.
Q10: In case of conflicting heirs of similar degree, which heir under Section 17 (processing of data) of the DPA has precedence in allowing or invoking the rights of the deceased? Spouse over parents? Spouse over adult children?
A: For the invocation of the rights of the deceased, the provisions under the Civil Code (Succession) shall govern.
Q11: In the case where the insured gave his consent allowing hospitals to give medical information to insurance companies, can the heirs overturn such consent upon the death of the insured?
A: Yes, the heirs may lawfully object to the sharing of medical information pursuant to Section 35 of the IRR on the transmissibility of the rights of the data subject. The right to object, exercised by a lawful heir, will only be to the extent allowed to the insured, if he or she were alive.
Q12: To which entity is the decision (fine and imprisonment) of the NPC appealable?
A: Section 30 of NPC Circular 16-04 states that the decision of the NPC shall become final and executory fifteen (15) days after receipt of a copy by the party adversely affected. One motion for reconsideration may be filed, which shall suspend the running of the said period. Any appeal from the decision shall be to the proper courts, in accordance with law and rules.
Q13: Under the new IRR of the AMLA, beneficial owner information is now required to be similar to policy owner information. However, we must note that during the actual sales process, it is only the policy owner who is present to provide all the details. The beneficial owner is usually absent and never signs the application form. So how do we go about complying with the consent requirement for the beneficial owner?
A: Information necessary for AMLA reporting is outside the scope of the Data Privacy Act of 2012, to the minimum extent necessary to comply with such law. This is interpreted to mean that companies covered by the AMLA need not obtain consent if they need to report covered or suspicious transactions.
Q14: The first element of a reportable breach is that "the personal data involves sensitive personal information or any other information that may be used to enable identity fraud." Is the underlined phrase applied to both sensitive personal information and any other information? To illustrate, will the combination of the name and marital status of a client be sufficient to meet this element?
A: This should be read as: the personal data involves (a) sensitive personal information; or (b) any other information that may be used to enable identity fraud. The element is flexible enough to let the company determine whether the personal data involved in the breach can be used to enable identity fraud. In your example, the name and marital status may indeed be used to enable identity fraud.
Q15: Are the premium amount and face amount considered as data about the financial or economic situation of the data subject?
A: Yes.
Q16: For the third element, do we need to obtain confirmation from the NPC at all times, or is the PIC expected to exercise judgment and only consult the NPC when unsure?
A: The PIC may decide on its own. This third element should be liberally interpreted in a manner mindful of the rights and interests of the data subjects. The PIC assumes the risk when its assessment differs from that of the NPC. When in doubt, the PIC should notify.
Q17: Please provide examples of (i) real risk and (ii) serious harm, with regard to breach reporting.
A: Where the acquisition may lead to physical, material or non-material damage, in particular, where the acquisition may give rise to discrimination, identity theft or fraud, financial loss, damage to reputation, loss of confidentiality of personal data protected by professional secrecy, unauthorized reversal of pseudonymization, or any other significant economic or social disadvantage. Consider also Section 13 of NPC Circular 16-03:
SECTION 13. Determination of the Need to Notify. Where there is uncertainty as to the need for notification, the personal information controller shall take into account, as a primary consideration, the likelihood of harm or negative consequences on the affected data subjects, and how notification, particularly of the data subjects, could reduce the risks arising from the personal data breach reasonably believed to have occurred. The personal information controller shall also consider if the personal data reasonably believed to have been compromised involves: A. Information that would likely affect national security, public safety, public order, or public health; B. At least one hundred (100) individuals; C. Information required by applicable laws or rules to be confidential; or D. Personal data of vulnerable groups.