Constitutional and Statutory Setting
The constitutional privacy of communications and correspondence protects the secrecy and integrity of messages, correspondence, and communicative relationships, subject only to lawful exceptions based on a court order or a valid law addressing public safety or order. In modern information systems, that guarantee is reinforced by the Data Privacy Act, which regulates the processing of personal information by both government and private actors.
The Data Privacy Act protects informational privacy: the ability of an individual to control the collection, use, retention, disclosure, and disposal of information relating to him or her. Its general data privacy principles govern every stage of processing and supply the standard for determining whether a controller's act is lawful, fair, necessary, and accountable.
The statute is not limited to secrecy of communications. It applies to personal data held in databases, applications, paper records, surveillance systems, employment records, customer files, school records, health records, public registries, government systems, and outsourced processing arrangements whenever the data can identify a natural person directly or indirectly.
Basic Concepts
Personal information refers to information, whether recorded in material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained, or which, when combined with other information, would directly and certainly identify an individual. The protection is triggered not by the format of the record, but by the capacity of the information to identify a person.
Sensitive personal information receives stricter protection because misuse may create a higher risk of discrimination, profiling, identity fraud, reputational harm, or intrusion into intimate life. It includes information on race, ethnic origin, marital status, age, color, religious, philosophical, or political affiliations, health, education, genetic or sexual life, proceedings involving offenses, government-issued identifiers, and other information classified by law as sensitive.
Privileged information refers to information that is privileged under the Rules of Court or other laws, such as communications protected by recognized professional or fiduciary confidentiality. Its processing is generally subject to both data privacy rules and the separate law creating the privilege.
Processing is broad enough to cover collection, recording, organization, storage, updating, retrieval, consultation, use, consolidation, blocking, erasure, destruction, disclosure, and any other operation performed on personal data. A person may violate data privacy rules even without publishing the data if the collection, storage, use, transfer, or retention itself is unlawful.
Personal information controller refers to the person or organization that controls the collection, holding, processing, or use of personal information, including one that instructs another to process data on its behalf. Personal information processor refers to a person or organization that processes personal information upon the controller's instructions.
The controller remains principally accountable for compliance even when processing is outsourced. Outsourcing changes who performs the operation; it does not transfer away the controller's duty to choose a capable processor, impose proper safeguards, limit instructions, monitor compliance, and respond to data subjects.
The Three General Principles
The Data Privacy Act expressly requires processing of personal information to observe the principles of transparency, legitimate purpose, and proportionality. These principles are cumulative; satisfying one does not excuse violation of the others.
| Principle | Core Rule | Practical Legal Effect |
|---|---|---|
| Transparency | The data subject must be informed of the nature, purpose, extent, risks, recipients, retention, and legal basis of processing. | Hidden, vague, misleading, or surprise processing is inconsistent with lawful personal data processing. |
| Legitimate purpose | Processing must be compatible with a declared and lawful purpose that is not contrary to law, morals, or public policy. | A controller cannot collect data first and later invent an unrelated use to justify it. |
| Proportionality | Processing must be adequate, relevant, suitable, necessary, and not excessive in relation to the declared purpose. | Even useful processing is unlawful if the same purpose can reasonably be achieved through a less intrusive means. |
Transparency
Transparency means the data subject should know what is being done to personal information before or at the time of collection, and whenever the processing substantially changes. It requires meaningful notice, not technical concealment behind ambiguous terms, overbroad forms, or obscure system settings.
A transparent privacy notice identifies the controller, describes the categories of personal data collected, states the purpose of collection and use, identifies the legal basis of processing, names or describes expected recipients or categories of recipients, explains retention, and informs the data subject of rights and available remedies. The notice must be understandable to the persons whose data are processed.
Transparency also applies when personal data are not collected directly from the data subject. If a controller obtains data from a third party, public source, platform, referral, database, device, or automated system, the data subject must still be given appropriate information unless a lawful exception applies.
Consent is valid only when it is freely given, specific, informed, and evidenced by written, electronic, or recorded means. A consent form that hides the real purpose, bundles unrelated processing, uses coercive conditions, or deprives the data subject of a real choice does not satisfy transparency.
Transparency is continuing. A controller that later uses data for a new purpose, shares it with new recipients, changes retention periods, deploys profiling, or introduces automated decision-making must reassess whether additional notice, consent, or another lawful basis is required.
Legitimate Purpose
Legitimate purpose requires a real, specific, and lawful reason for processing. The purpose must exist at the time of collection or as soon as practicable thereafter, and it must be declared in a manner that allows the data subject and regulators to evaluate the necessity and fairness of the processing.
A purpose is legitimate when it is connected to a contract, legal duty, statutory mandate, public function, vital interest, lawful business process, or other lawful interest recognized by the Data Privacy Act and related rules. It is not legitimate if it is fraudulent, discriminatory, retaliatory, oppressive, contrary to public policy, or unrelated to the relationship between the controller and the data subject.
Purpose limitation is the central consequence of this principle. Personal data collected for enrollment, employment, medical treatment, banking, delivery, litigation, public service, or security cannot be freely repurposed for marketing, profiling, publication, investigation, or unrelated data sharing unless the new processing has its own lawful basis and remains compatible with the original context.
Legitimate purpose does not always mean consent. The Data Privacy Act recognizes other bases for processing personal information, such as performance of a contract, compliance with a legal obligation, protection of vital interests, response to national emergency or public safety requirements, performance of public authority, and legitimate interests that are not overridden by fundamental rights and freedoms.
For sensitive personal information and privileged information, the default posture is stricter: processing is generally prohibited unless a specific statutory exception applies. These exceptions include explicit consent for a declared purpose, processing authorized by law, protection of life or health, medical treatment subject to confidentiality, legal claims, and other recognized grounds requiring heightened safeguards.
Proportionality
Proportionality limits processing to what is adequate, relevant, suitable, necessary, and not excessive in relation to the declared and legitimate purpose. The principle restrains both overcollection and overuse.
Data minimization follows from proportionality. A controller should collect only the data fields genuinely needed for the purpose, avoid mandatory collection of irrelevant information, and prefer less identifying information when the same objective can be achieved through anonymized, aggregated, masked, or pseudonymized data.
Proportionality also governs access. Employees, contractors, processors, officers, and systems should access only the data necessary for their functions, for the period necessary to perform them, and under controls that allow accountability.
Retention is part of proportionality. Personal data may be retained only while necessary for the declared purpose, for the establishment or defense of legal claims, for legitimate business or operational needs, or as required by law. Once the reason for retention ends, the controller must securely delete, anonymize, archive under lawful restrictions, or otherwise dispose of the data in a manner that prevents unauthorized recovery or use.
Proportionality is context-sensitive. The amount of data reasonably required for a hospital, bank, court, school, employer, telecommunications provider, or law enforcement agency may differ, but each must justify the scope of processing by reference to its lawful function and the risks created for the data subject.
Operational Requirements Flowing From the Principles
The general principles are implemented through concrete duties that regulate the life cycle of personal data. A controller must be able to show that personal data were collected for specified and legitimate purposes, processed fairly and lawfully, kept accurate where necessary, limited to what is relevant, retained only as long as needed, and protected by appropriate safeguards.
| Requirement | Data Privacy Consequence |
|---|---|
| Purpose specification | The controller must determine and declare the purpose before collection or as soon as practicable, and later processing must remain compatible or separately justified. |
| Fair and lawful processing | Processing must be consistent with law, the relationship of the parties, reasonable expectations, and the rights of the data subject. |
| Data quality | Personal data must be accurate, relevant, and kept up to date where accuracy matters to the purpose. |
| Correction or restriction | Inaccurate or incomplete data should be corrected, supplemented, destroyed, or restricted from further processing when appropriate. |
| Collection limitation | The controller should avoid collecting data that are speculative, merely convenient, or unrelated to the declared purpose. |
| Retention limitation | Data should not be kept indefinitely in identifiable form unless a lawful ground justifies continued retention. |
| Security | Reasonable organizational, physical, and technical measures must protect data against unauthorized processing, loss, destruction, alteration, disclosure, or access. |
| Accountability | The controller must be able to demonstrate compliance through governance, policies, records, contracts, training, controls, and response mechanisms. |
Lawful Bases and the General Principles
A lawful basis authorizes processing, but the general principles determine how the authorized processing must be carried out. Consent, contract, law, public authority, vital interest, or legitimate interest does not permit unlimited collection, indefinite storage, indiscriminate disclosure, or insecure handling.
Consent is strongest when the data subject has real choice and adequate information. It is weakest when the data subject faces unequal bargaining power, denial of a basic service for unrelated processing, vague authorization, or silence treated as acceptance.
Contractual necessity allows processing needed to perform or prepare a contract with the data subject, such as verifying identity for a service, delivering goods, billing, maintaining an account, or responding to service requests. It does not automatically justify unrelated marketing, third-party disclosure, or excessive profiling.
Compliance with law allows processing required by statute, regulation, court order, subpoena, mandatory report, tax rule, labor rule, anti-money laundering rule, health regulation, or other legal command. The controller must still process only what the legal duty requires or reasonably implies.
Public authority allows government bodies to process data necessary to perform lawful mandates. A public office does not acquire a general license to expose, share, or centralize personal data merely because the data are useful to public administration.
Legitimate interest may support private-sector processing when the interest is lawful, real, and not overridden by the rights and freedoms of the data subject. The balancing inquiry considers the nature of the data, the reasonable expectations of the data subject, the impact of processing, safeguards, and the availability of less intrusive means.
Sensitive and Privileged Information
The general principles apply with greater force to sensitive and privileged information. The controller must identify the specific exception authorizing processing and must apply stricter necessity, access, retention, and security controls.
Explicit consent for sensitive information must refer to the specific purpose of processing. A broad statement that the data subject agrees to all future uses of sensitive information is inconsistent with transparency and purpose limitation.
Processing authorized by law must be confined to the legal authorization. If a statute requires collection of a government identifier, the controller may not use that identifier for unrelated tracking, profiling, publication, or disclosure without an independent lawful basis.
Medical and health-related processing is legitimate when necessary for treatment, health administration, or recognized public health purposes, but confidentiality and security obligations remain. Health data should be accessed only by persons with a proper function and should not be disclosed merely because the information is accurate or interesting.
Privileged information requires special caution because data privacy law does not dissolve evidentiary, professional, or statutory confidentiality. A controller handling privileged information must respect both the data subject's privacy rights and the privilege holder's right to prevent unauthorized disclosure.
Data Sharing, Outsourcing, and Disclosure
Data sharing is processing and must independently satisfy transparency, legitimate purpose, and proportionality. A controller should identify the recipient, purpose, categories of data, safeguards, retention, and the role of each party before sharing personal data.
A data sharing arrangement is generally proper when the sharing is lawful, necessary for a declared purpose, known to the data subject or otherwise authorized by law, and governed by safeguards that prevent unauthorized secondary use. Sharing becomes unlawful when it is hidden, excessive, unrelated, insecure, or used to evade consent and notice requirements.
Outsourcing to a processor requires contractual and operational controls. The processor should process data only on documented instructions, implement safeguards, ensure confidentiality of personnel, assist in responding to data subject requests, return or delete data after the service, and notify the controller of security incidents.
Disclosure within the same organization is still subject to limitation. Internal access by departments, officers, affiliates, or employees is lawful only when tied to a function that requires the data.
Publication is the most intrusive form of disclosure because it may make personal information searchable, permanent, and replicable. A controller should not publish personal data unless publication is required by law, necessary for a lawful public function, consented to for a specific purpose, or otherwise justified by a lawful basis and proportional safeguards.
Security and Breach Response
Security is inseparable from proportionality and accountability. The degree of security must match the nature of the data, the risks of processing, the size and complexity of the organization, the cost of safeguards, and the likely harm from unauthorized access or disclosure.
Organizational measures include governance structures, privacy policies, data protection officers where required, role-based responsibilities, training, incident response procedures, vendor management, confidentiality undertakings, and privacy impact assessments for high-risk processing.
Physical measures include secured premises, controlled file storage, visitor controls, device protection, secure disposal, and restrictions on physical access to records or servers. Technical measures include authentication, access controls, encryption where appropriate, logging, monitoring, backups, vulnerability management, and secure system design.
A personal data breach occurs when a security incident leads to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data. Breach response requires containment, assessment, documentation, mitigation, and notification when the legal conditions for notification are present.
Failure to notify a serious breach, concealment of a breach, negligent access, unauthorized disclosure, and improper disposal may produce administrative, civil, and criminal consequences. The seriousness of liability depends on the nature of the data, the fault involved, the harm created, and the statutory offense or regulatory violation established.
Rights of the Data Subject
The general principles are enforceable through the rights of the data subject. These rights convert privacy principles into concrete claims against controllers and processors.
- Right to be informed: the data subject may know whether personal data are being or have been processed, including the purpose, scope, recipients, retention, and rights available.
- Right to object: the data subject may object to processing in cases allowed by law, especially where processing is based on consent or legitimate interest rather than a mandatory legal ground.
- Right of access: the data subject may obtain reasonable access to personal data processed about him or her and to information explaining the processing.
- Right to rectification: inaccurate or erroneous personal data may be corrected unless the request is legally or factually unfounded.
- Right to erasure or blocking: personal data may be removed, blocked, or withdrawn from processing when unlawfully obtained, used for unauthorized purposes, no longer necessary, or prejudicial to the data subject's rights.
- Right to damages: a data subject may seek compensation when inaccurate, incomplete, outdated, false, unlawfully obtained, or unauthorizedly used personal data cause damage. "Unauthorizedly used" here means used without a lawful basis or beyond the declared purpose.
- Right to data portability: where processing is by electronic means and in a structured format, the data subject may obtain a copy in a commonly used electronic form subject to lawful limitations.
These rights are not absolute. They may yield to law enforcement, public order, public safety, statutory duties, legal claims, journalistic, artistic, literary, research, or other recognized purposes when the applicable law and safeguards justify the limitation.
Government Records and Public Interest
Government agencies are subject to data privacy principles when processing personal data, even when they act under statutory mandate. Public function supplies a possible lawful basis, but it does not eliminate transparency, proportionality, retention, access control, or security.
Not all information held by the government is freely disclosable. A record may be official or public in character while still containing personal data that require redaction, limited access, or controlled disclosure.
Access to information on matters of public concern must be harmonized with informational privacy. The proper inquiry considers the legal basis for disclosure, the public interest served, the sensitivity of the data, the expectations of the data subject, and the availability of less intrusive disclosure such as redaction or aggregation.
Government collection of identifiers, biometrics, location data, health data, education records, benefits records, or law enforcement information must be tied to the agency's mandate and protected against unauthorized sharing. Centralization or interoperability of government databases increases efficiency but also increases privacy risk, requiring stricter governance and security.
Anonymization, Pseudonymization, and Aggregation
Anonymized data fall outside ordinary personal data concerns only when individuals are no longer identifiable by reasonably likely means. Merely removing names is insufficient if other fields, combinations, or contextual clues can re-identify the person.
Pseudonymized data remain personal data when re-identification is possible through a key, separate database, device identifier, account number, token, or other linkable information. Pseudonymization is a safeguard, not a complete exemption.
Aggregated data reduce privacy risk when individual-level details are not exposed and the group size is sufficient to prevent singling out. Aggregation may still be problematic if the dataset permits inference about identifiable individuals or very small groups.
The choice among identifiable, pseudonymized, anonymized, or aggregated data is a proportionality question. A controller should prefer the least identifying form that can accomplish the lawful purpose.
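To make the re-identification and singling-out points above concrete, the following is an added Python example; it is not part of the original text and not guidance issued by the National Privacy Commission. It uses a constructed five-record dataset (hypothetical names and values) and assumes that `zip`, `birth_year` and `sex` are the quasi-identifiers an attacker could link against another source. It shows that removing the name column leaves every record uniquely identifiable, that generalizing the quasi-identifiers raises the smallest group size (the k-anonymity measure) so no record is singled out, and that a keyed HMAC pseudonym stays linkable for whoever holds the key, which is why pseudonymized data remain personal data.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample records; the people and values are fictitious.
RECORDS = [
    {"name": "A. Reyes",    "zip": "1001", "birth_year": 1985, "sex": "F", "diagnosis": "asthma"},
    {"name": "B. Santos",   "zip": "1001", "birth_year": 1987, "sex": "F", "diagnosis": "diabetes"},
    {"name": "C. Cruz",     "zip": "1002", "birth_year": 1990, "sex": "M", "diagnosis": "asthma"},
    {"name": "D. Bautista", "zip": "1002", "birth_year": 1992, "sex": "M", "diagnosis": "hypertension"},
    {"name": "E. Garcia",   "zip": "1003", "birth_year": 1983, "sex": "F", "diagnosis": "asthma"},
]

# Assumed quasi-identifiers: individually harmless, jointly linkable.
QUASI_IDENTIFIERS = ("zip", "birth_year", "sex")


def strip_direct_identifiers(records, direct=("name",)):
    """Drop direct identifiers only; quasi-identifiers are left untouched."""
    return [{k: v for k, v in r.items() if k not in direct} for r in records]


def _class_counts(records, quasi):
    """Count how many records share each quasi-identifier combination."""
    return Counter(tuple(r[q] for q in quasi) for r in records)


def k_anonymity(records, quasi):
    """Size of the smallest equivalence class; k == 1 means someone can be singled out."""
    return min(_class_counts(records, quasi).values())


def singled_out(records, quasi):
    """Quasi-identifier combinations that match exactly one record."""
    return [key for key, n in _class_counts(records, quasi).items() if n == 1]


def generalize(records, zip_prefix=3, year_bucket=10):
    """Coarsen quasi-identifiers: keep a zip prefix and round birth year down to a bucket."""
    out = []
    for r in records:
        g = dict(r)
        g["zip"] = r["zip"][:zip_prefix]
        g["birth_year"] = (r["birth_year"] // year_bucket) * year_bucket
        out.append(g)
    return out


def pseudonymize(records, key, field="name"):
    """Replace a direct identifier with a keyed HMAC token.

    The token is deterministic for a given key, so records about the same person
    stay linkable and the key holder can rebuild the mapping: a safeguard, not
    anonymization.
    """
    out = []
    for r in records:
        p = dict(r)
        token = hmac.new(key, str(r[field]).encode("utf-8"), hashlib.sha256).hexdigest()
        p[field] = token[:16]
        out.append(p)
    return out


def release_check(records, quasi, k_min=2):
    """Summarize whether a dataset meets a minimum group size before release."""
    k = k_anonymity(records, quasi)
    return {"k": k, "meets_minimum": k >= k_min, "singled_out": len(singled_out(records, quasi))}


if __name__ == "__main__":
    stripped = strip_direct_identifiers(RECORDS)
    print("names removed only:", release_check(stripped, QUASI_IDENTIFIERS))
    print("generalized:       ", release_check(generalize(stripped), QUASI_IDENTIFIERS))
    print("pseudonymized row: ", pseudonymize(RECORDS, b"constructed-demo-key")[0])
```

The release check is the proportionality question in executable form: a controller asks which of the identifiable, pseudonymized, generalized or aggregated versions still serves the declared purpose and releases the least identifying one that does. Choosing `k_min` is a policy decision that depends on the sensitivity of the data and the population; the value 2 here is only for the demonstration.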
Automated Processing and Profiling
Automated processing remains subject to the general principles even when no human directly views the data. Collection through applications, cookies, device identifiers, biometrics, geolocation, scoring systems, artificial intelligence tools, or automated filters still counts as processing.
Profiling must have a lawful basis, a declared purpose, and adequate notice when it affects the data subject's rights, opportunities, services, prices, benefits, or legal position. Secret profiling is difficult to reconcile with transparency, especially when the data subject reasonably expects ordinary service processing rather than behavioral evaluation.
Automated decisions based on inaccurate, irrelevant, outdated, or excessive data may violate both data quality and proportionality. The controller should maintain procedures for review, correction, contest, and explanation where the automated result has a significant effect on the data subject.
Accountability and Compliance
Accountability means the controller must not only comply but must be able to demonstrate compliance. Good faith is strengthened by records showing lawful basis, privacy notices, consent logs where applicable, data inventories, retention schedules, access controls, processor contracts, training, assessments, and incident records.
Privacy by design requires controllers to build compliance into systems and processes before processing begins. Default settings should favor limited collection, limited disclosure, appropriate retention, and controlled access.
Privacy impact assessment is appropriate for processing that is high-risk, large-scale, novel, systematic, intrusive, or involves sensitive information. The assessment identifies risks, evaluates necessity, selects safeguards, and documents the reasons for proceeding.
The National Privacy Commission may investigate complaints, conduct compliance checks, issue orders, and impose administrative consequences within its authority. Separate civil or criminal liability may arise when the facts satisfy the statutory elements of an offense or cause of action.
The controlling test is whether the processing respects the data subject as a rights-holder: the purpose must be lawful and declared, the data must be necessary and limited, the handling must be fair and secure, and the controller must remain accountable from collection to disposal.