13 July 2020
When a school discloses to an entity the entire student data for archiving or recording purposes, is there data sharing? How about when a bank transfers to a third party personal data of clients for purposes of loan or credit rating? What if a telecommunications company discloses personal data of its subscribers which it obtained for purposes of marketing to a bank for the latter’s purpose of credit rating and vice versa?
Did you answer affirmative to all three questions? Note that only the last item involves data sharing. The first two scenarios are considered outsourcing or subcontracting under the Data Privacy Act of 2012.
It has been eight years since the Data Privacy Act of 2012 came into effect and four years later, its Implementing Rules and Regulations were promulgated. This notwithstanding, many of us are still uncertain on whether a transaction which involves transfer or disclosure of collected personal data from one person to another is one of data sharing or outsourcing. In this article, we discuss the key differences between the two arrangements.
Outsourcing or subcontracting is the disclosure or transfer of personal data by a personal information controller to a personal information processor. The purpose of such disclosure is for the personal information processor to perform processing activities on the personal data upon the instructions of the personal information controller.
A personal informational controller, from the name itself, controls the processing activities and decides on what information shall be collected, or the purpose or extent of its processing. A personal information processor, on the other hand, refers to any natural or juridical person or any other body to whom a personal information controller may outsource or instruct the processing of personal data pertaining to a data subject.
The processing by a personal information processor must be governed by a contract or other legal act that binds the personal information controller to the personal information processor. For the protection of the parties, the best document to clearly indicate their legal rights and obligations under an outsourcing arrangement is an outsourcing agreement. Such agreement must comply with the provisions of the law on outsourcing as provided in Section 44 of the Implementing Rules and Regulations.
The National Privacy Commission does not require the submission of the outsourcing agreement for approval prior to execution. However, it may require the submission of said document in case of a compliance check or an investigation.
Meanwhile, data sharing is the disclosure or transfer to a third party of personal data under the custody of a personal information controller or personal information processor. In the case of the latter, such disclosure or transfer must have been upon the instructions of the personal information controller concerned. Data sharing is allowed when expressly authorized by law, provided there are adequate safeguards for data privacy and security, and processing adheres to principles of data privacy.
By its definition, the parties involved in data sharing are all personal information controllers even if the transferor is a personal information processor since the latter’s act of disclosing personal data is upon the instructions of the personal information controller. Each party in a data sharing agreement has its own purpose or use for personal data involved.
Parties to data sharing may either be private entities or government agencies. In both cases, data sharing must be governed by a data sharing agreement which is subject to the review of the National Privacy Commission.
To emphasize, the following are the key differences between data sharing and outsourcing: First, all parties to a data sharing agreement are considered personal information controllers while in a subcontracting or outsourcing agreement, the parties have to be at least one personal information controller and one personal information processor. Second, in terms of objective, each party to a data sharing agreement has its own purpose for processing the personal data involved, while in a subcontracting or outsourcing agreement, a personal information processor has no other reason for processing the personal data other than that as instructed by the personal information controller. Lastly, data sharing shall be governed by a data sharing agreement while outsourcing is best evidenced by an outsourcing agreement.
Data sharing and outsourcing agreements must comply with the principles of transparency, legitimate purpose, and proportionality as well as general principles in collection, processing, and retention of personal data.
Indeed, the concepts of data sharing and outsourcing are integral in any given data privacy framework and the ability to distinguish between the two is essential as they give rise to differing rights and responsibilities.
First published on The Daily Tribune.
For further information, please contact:
Nilo T. Divina, Managing Partner, DivinaLaw
nilo.divina@divinalaw.com
