FOR GENERAL INFORMATION USE ONLY
THIS IS A REDACTED VERSION. FOR THE FULL VERSION, PLEASE SEND US AN EMAIL AT ADMIN@THCOUNSELS.PH
The following is a briefer on Data Sharing Agreements. This is based on the Circular (hereinafter referred to as the “Circular”) issued by the National Privacy Commission (hereinafter referred to as the “Commission”).
“Data sharing” is the sharing, disclosure, or transfer to a third party of personal data under the custody of a personal information controller to one or more other personal information controller/s. In the case of a personal information processor, data sharing should only be allowed if it is carried out on behalf of and upon the instructions of the personal information controller it is engaged with via a subcontracting agreement. Put otherwise, a Data Sharing Agreement is generally between personal information controllers (as discussed below), while a data subcontracting or outsourcing agreement is between a personal information controller and personal information processors.
XXXXXX XXXXXX XXXXXX XXXXXX XXXXXX XXXXXX XXXXXX XXXXXX XXXXXX XXXXXX XXXXXX XXXXXX XXXXXX XXXXXX XXXXXX XXXXXX XXXXXX XXXXXX XXXXXX XXXXXX XXXXXX XXXXXX XXXXXX XXXXXX XXXXXX XXXXXX XXXXXX XXXX
I. LEGAL BASIS AND FRAMEWORK
Article II, Section 24, of the 1987 Constitution provides that the State recognizes the vital role of communication and information in nation-building. At the same time, Article II, Section 11 thereof emphasizes that the State values the dignity of every human person and guarantees full respect for human rights.
Section 2 of Republic Act No. 10173, also known as the Data Privacy Act of 2012 (hereinafter referred to as the “Act”), provides that it is the policy of the State to protect the fundamental human right of privacy of communication while ensuring free flow of information to promote innovation and growth. The State also recognizes its inherent obligation to ensure that personal information in information and communications systems in the government and in the private sector is secured and protected.
The Act further states that a personal information controller is accountable for complying with the requirements of the law and shall use contractual or other reasonable means to provide a comparable level of protection while the information is being processed by a third party. The Implementing Rules and Regulations (hereinafter referred to as the “IRR”) of the Act provide that further processing of personal data collected from a party other than the data subject shall be allowed under certain conditions.
The Commission is charged with the administration and implementation of the provisions of the law, which includes ensuring the compliance by personal information controllers with the provisions of the Act, and carrying out efforts to formulate and implement plans and policies that strengthen the protection of personal information in the country, in coordination with other government agencies and the private sector. The IRR of the Act provide that among the Commission’s functions is to develop, promulgate, review or amend rules and regulations for the effective implementation of the Act.
II. SCOPE
The Circular shall apply to the following:
- Personal data under the control or custody of a personal information controller (PIC) that is being shared, disclosed, or transferred to another PIC; and
- Personal data that is consolidated by several PICs and shared or made available to each and/or to one or more PICs.
It excludes arrangements between a PIC and a personal information processor (PIP).
III. PARTIES TO DATA SHARING AGREEMENTS
Only PICs can be parties to data sharing arrangements. This is the case even where the actual sharing will transpire between a PIC and a PIP acting on behalf of, or upon the instructions of, another PIC.
IV. TRANSPARENCY
Each affected data subject should be provided with the following information before personal data is shared or at the next practical opportunity, through an appropriate consent form or privacy notice, whichever is applicable or appropriate to the lawful basis relied upon:
a. Categories of recipients of the personal data;
b. Purpose of data sharing;
c. Categories of personal data that will be shared;
d. Existence of the rights of data subjects; and
e. Other information that would sufficiently inform the data subject of the nature and extent of data sharing and the manner of processing involved.
V. CONTENTS OF A DATA SHARING AGREEMENT
The following shall be the contents of a DSA:
XXXXXX XXXXXX XXXXXX XXXXXX XXXXXX XXXXXX XXXXXX XXXXXX XXXXXX XXXXXX XXXXXX XXXXXX XXXXXX XXXXXX XXXXXX XXXXXX XXXXXX XXXXXX XXXXXX XXXXXX XXXXXX XXXXXX XXXXXX XXXXXX XXXXXX XXXXXX XXXXXX XXXX
VI. SECURITY AND ACCOUNTABILITY
Adequate safeguards to protect personal data should be put in place in every data sharing arrangement, subject to the conditions set forth under Section 9 of the Circular.
Where online access to personal data is granted, XXXXXX XXXXXX XXXXXX XXXXXX XXXXXX XXXXXX XXXXXX XXXXXX XXXXXX XXXXXX XXXXXX XXXXXX XXXXXX XXXXXX XXXXXX XXXXXX XXXXXX XXXXXX XXXXXX XXXXXX XXXXXX XXXXXX XXXXXX XXXXXX XXXXXX XXXXXX XXXXXX XXXX
VII. TERMINATION OF DATA SHARING AGREEMENT
The following are the grounds for the termination of data sharing agreements:
a. Upon the expiration of its term, or any valid extension thereof;
b. XXXXXX XXXXXX XXXXXX XXXXXX XXXXXX XXXXXX XXXXXX XXXXXX XXXXXX XXXXXX XXXXXX XXXXXX XXXXXX XXXXXX XXXXXX XXXXXX XXXXXX XXXXXX XXXXXX XXXXXX XXXXXX XXXXXX XXXXXX XXXXXX XXXXXX XXXXXX XXXXXX XXXX
c. Upon a finding by the Commission that data sharing is:
-
- XXXXXX XXXXXX XXXXXX XXXXXX XXXXXX XXXXXX XXXXXX XXXXXX XXXXXX XXXXXX XXXXXX XXXXXX XXXXXX XXXXXX XXXXXX XXXXXX XXXXXX XXXXXX XXXXXX XXXXXX XXXXXX XXXXXX XXXXXX XXXXXX XXXXXX XXXXXX XXXXXX XXXX
oO END Oo