Applications for accreditation: Membership. Compilation of membership accreditation assessment received on 9 July 2016


Item 3(b)(i)
Applications for accreditation: Membership
Compilation of membership accreditation assessment received on 9 July 2016

The Secretariat provides this compilation of 4 membership accreditation assessments conducted by Canada. Attached are complete assessments of membership applications submitted by:

1. Cote d'Ivoire Telecommunications Regulatory Authority (Annex A)
2. Japan Personal Information Protection Commission (Annex B)
3. Nigeria National Identity Management Commission (Annex C)
4. Philippines National Privacy Commission (Annex D)

Executive Committee Secretariat
12 July 2016

International Conference of Data Protection and Privacy Commissioners
Executive Committee 2016
Accreditation review prepared by OPC-Canada

Review of the Application for Member Status of the Cote d'Ivoire Telecommunications Regulatory Authority to the International Conference of Data Protection and Privacy Commissioners

Following an assessment of the application received in 2015 and other information provided in support, our Office believes that the Cote d'Ivoire Telecommunications Regulatory Authority (hereinafter the ARTCI for its French name) meets the five requisite criteria to be granted member status. It is suggested that the Executive Committee put this recommendation to the full membership of the International Conference of Data Protection and Privacy Commissioners (ICDPPC).

Analysis

In accordance with article 5.1 of the Rules and Procedures of the ICDPPC, we are satisfied that the ARTCI:

a. Is a public entity, created by an appropriate legal instrument based upon legal traditions of the country or international organization which it belongs to

Cote d'Ivoire's law n° 2013-450, adopted by the National Assembly after its promulgation by the President on 19 June 2013, regulates the protection of personal data.[1] The ARTCI is a public entity, created by legal decree n° 2012-293 of 21 March 2012 that merged the Cote d'Ivoire's Telecommunications Council and the Cote d'Ivoire Telecommunications Agency.[2] The decree stipulates that the ARTCI is an independent administrative authority with legal personality and financial autonomy.

[1] The original French version of the law is available on the ARTCI website at http://www.artci.ci/images/stories/pdf/lois/loi_2013_450.pdf.
[2] The original French version of the decree is available on the ARTCI website at http://www.artci.ci/images/stories/pdf/ordonnance/ordonnance_2012-293.pdf

b. Has the supervision of the implementation of the legislation on the protection of personal data or privacy as one of its principal regulatory mandates

Law n° 2013-450 designates the ARTCI as the independent administrative authority responsible for ensuring that personal data processing is implemented in accordance with the provisions of this law (Art. 46). The ARTCI ensures that the use of Information and Communications Technologies (ICT) does not affect or represent a threat to the freedoms and the privacy of users located in the Cote d'Ivoire's territory (Art. 47).

In addition to data protection, the ARTCI's mandate includes the regulation of competition, telecommunications and consumer protection. These other mandates come from other legislative instruments.

c. Operates under a legislation that is compatible with the principal international instruments dealing with data protection or privacy

The ARTCI reports that Law n° 2013-450 principally implements the OECD Guidelines of 1980, Council of Europe Convention N° 108 (1981), the UN Guidelines of 1990 and the Economic Community of West African States (ECOWAS) Treaty of 1975. The ARTCI also notes that the Cote d'Ivoire law complies with the African Union Convention on Cyber Security and Personal Data Protection of 2014 (which, it appears, is not yet in force).[3]

In addition, Law n° 2013-450 also implements Supplementary Act A/SA.1/01/10 on Personal Data Protection within Economic Community of West African States (ECOWAS).[4] It is observed that the Cote d'Ivoire law largely resembles the provisions, protections and framework of the ECOWAS Supplementary Act.

[3] The convention is available at http://pages.au.int/sites/default/files/en_au%20convention%20on%20cybersecurity%20pers%20data%20Protec%20AUCyC%20adopted%20Malabo.pdf. Its implementation status is detailed at http://pages.au.int/infosoc/cybersecurity.
[4] http://www.statewatch.org/news/2013/mar/ecowas-dp-act.pdf

d. Has an appropriate range of legal powers to perform its functions

Public and private sector processing of personal information in Cote d'Ivoire is subject to declarations and requests for opinions, notifications and authorizations to the ARTCI, depending on the case. The minimum contents of these declarations and requests are set in law, but the ARTCI can decide to set additional conditions (Art. 9).

Where individuals cannot gain access to data they have requested from data controllers, the ARTCI can exercise that right of access on their behalf, conduct an investigation and order the correction, erasure or securing of the data (Art. 29).

The ARTCI's range of powers and obligations are further specified in Articles 47 and 49-51 of Law n° 2013-450. They include:

- Compliance: the ARTCI can develop rules of conduct on processing and data protection;
- Supervision: the ARTCI must respond to all requests for opinions regarding personal data protection;
- Investigation: the ARTCI has the power to investigate and issue orders (Art. 29); it can also take sworn statements, conduct audits, issue fines and administrative sanctions, and refer infractions to judicial authorities;
- Redress: the ARTCI can issue warnings and injunctions and, after adversarial proceedings, issue orders to interrupt, lock or otherwise forbid personal data processing that is against the law;
- Guidance: the ARTCI can update and publish a directory of personal data processing, it can provide its opinion on bills dealing with data protection and suggest amendments to data protection laws and regulations; and,
- Public Education: the ARTCI can counsel individuals and organisations on data processing, as well as participate in scientific research, training and study related to data protection and privacy rights.

e. Has appropriate autonomy and independence

Law n° 2013-450 defines the data protection authority charged with enforcing the law as an independent administrative authority and specifies that this task is assigned to the ARTCI.

Legal decree n° 2012-293 of 21 March 2012 creates the ARTCI and its operation through a Regulatory Board. Legal decree n° 2012-934 of 19 September 2012 specifies the organisation of the ARTCI and its Regulatory Board. It largely reiterates the March 2012 decree without repealing it. Both decrees declare that the ARTCI has legal personality and financial autonomy, and that it is to exercise its regulatory missions in an independent, impartial and transparent manner.

According to both decrees, the Regulatory Board is responsible for the technical, legal, administrative and financial operations of the ARTCI. The board has seven members, chosen on merit and appointed by decree of the Council of Ministers on the recommendation of the Minister charged with Information Technology and Telecommunications upon completion of a transparent, competitive selection process. Board members serve for a non-renewable term of six years. Their decisions are made by simple majority, recorded and publicly available.

Article 74 of legal decree n° 2012-293 of 21 March 2012 states that Board Members cannot be removed before the end of their mandate, except for duly justified serious misconduct. The September 2012 decree is silent on the removal of Board Members.

Several provisions of Law n° 2013-450 speak to autonomy and independence of the ARTCI. At article 47, the ARTCI is given the power to provide annual reports to the Executive and the Legislative branches, to speak publicly on personal data protection matters, to put in place cooperation agreements with other data protection authorities and to participate in international negotiations on personal data protection. The ARTCI does not, however, have the power to initiate investigations. Nevertheless, on balance, the ARTCI has appropriate autonomy and independence.

Review of the Application for Member Status of the Personal Information Protection Commission of Japan to the International Conference of Data Protection and Privacy Commissioners

Following an assessment of the application received on 18 May 2016 and other information provided in support, the Personal Information Protection Commission of Japan (hereinafter the PPC) is found to meet the five requisite criteria to be granted member status. However, as measures in the PIPA related to the powers of the PPC will not fully take effect until two years from its September 9, 2015 date of promulgation, it is recommended that the PPC be granted Observer Status and be invited to apply for full Membership once the Act for which they provide oversight comes into full effect.[5] It is suggested that the Executive Committee put this recommendation to the full membership of the International Conference of Data Protection and Data Commissioners (ICDPPC).

[5] Measures related to the Commission's creation, independence, removal of officials from duty, and selected international responsibilities, etc., have already taken effect, for example Articles 59(2), 61(viii), 62, 64(1) and 65 of the Act.

In accordance with article 5.1 of the Rules and Procedures of the ICDPPC, the PPC:

f. Is a public entity, created by an appropriate legal instrument based upon legal traditions of the country or international organization which it belongs to

The PPC is created under Article 59 of Japan's Amended Act on the Protection of Personal Information (PIPA)[6], which was promulgated on September 9, 2015. The Commission was established on January 1, 2016, and replaces the former Specific Personal Information Protection Commission (SPIPC).

[6] The following web link to the Act on the Protection of Personal Information (PIPA) was included in the application: http://www.ppc.go.jp/files/pdf/280222_amendedlaw.pdf as well as the link to the Act on the Use of Numbers to Identify a Specific Individual in the Administrative Procedure (My Number Use Act) http://www.ppc.go.jp/files/pdf/en3.pdf

g. Has the supervision of the implementation of the legislation on the protection of personal data or privacy as one of its principal regulatory mandates

When the amended Act comes into full effect in September 2017, the PPC will be responsible for supervising the protection of personal information in the private sector. These responsibilities are in addition to the responsibilities of the former SPIPC, which are to supervise the protection of Specific Personal Information. Specific Personal Information is personal information relating to MY NUMBER, an individual number assigned to each resident of Japan. The PPC will also have authorities that are currently exercised by various competent ministers.

More specifically, the duties of the Commission, as specified under Article 60 of the amended PIPA, are to ensure the proper handling of personal information in order to protect the rights and interests of individuals. This responsibility is balanced with economic and social objectives, also outlined in Article 60 of the Act.

Further, as specified in Article 61, the PPC, in order to accomplish the duties set forth in Article 60, is responsible for, amongst others, matters related to the formulation and promotion of the Basic Policy[7] (Article 61(i)), matters related to supervision of the handling of personal information and de-identified information (Article 61(ii)) and matters related to the supervision or monitoring of the handling of Specific Personal Information (Article 61(iv)).

[7] Article 7(3) specifies that the Prime Minister must prepare a Basic Policy, created by the PPC, and seek Cabinet Approval. Under Article 7(2), matters to be set out by the Basic Policy include, amongst others, measures to be taken to protect personal information and matters related to the smooth processing of complaints about the handling of personal information.

h. Operates under a legislation that is compatible with the principal international instruments dealing with data protection or privacy

In its accreditation application, the PPC reports that its PIPA principally implements the OECD Privacy Guidelines (1998/2013) and the Asia Pacific Economic Cooperation (APEC) Privacy Framework (2005).

The PIPA contains provisions that align with privacy protection principles in international instruments, including: appropriate collection; notice; consent (for sensitive information); accuracy; purpose specification and limitation; security safeguards; limits to disclosure; right of access, correction and deletion; and the obligation to have a complaint-handling process.

Further, section 6 of the PIPA requires the Government to coordinate with the governments of other countries through coordination with other organs and other international frameworks to take the measures necessary to building a system for personal information that is internationally integrated. As well, the PPC is responsible for matters related to international cooperation pertaining to jurisdictional affairs (Article 61(viii) of the PIPA; this Article has already taken effect).

Has an appropriate range of legal powers to perform its functions

The PIPC's range of powers includes:

Compliance (e.g. audit, inspection)
- Requiring business operators to submit reports or documentation regarding the handling of personal or de-identified information, and entering offices, making inquiries, inspecting documents or other items, etc. (Article 40(1) of the PIPA)
- Requiring relevant persons to make reports or submit materials on the treatment of Specific Personal Information, and entering places, asking questions, inspecting property such as books and documents (Article 35 of the My Number Use Act - Article 52 of pre-amendment version of Act - link provided in footnote 1)
- Responsibility for matters related to necessary investigations and research for implementing the responsibilities as set out in Article 61(i) to (vi) (Article 61(vii) of the PIPA)

Approvals (e.g. prior checking, notification)
- Accreditation of corporations that will process complaints, provide information and perform other services to ensure proper handling of personal information by covered business operators (Articles 47-48-49-50 of the PIPA)
- Review and approval of Assessment Reports related to Specific Personal Information Files - Specific Personal Information Protection Assessment (Article 28(2) of My Numbers Act - Article 27(2) of pre-amendment version of Act - link provided in footnote 1)

Redress for individuals (e.g. complaints, conciliation, awarding compensation)
- Mediation of the filing regarding complaints and cooperation with business operators processing of the complaints (Article 61(ii) of the PIPA)

Applying sanctions (e.g. prosecution, compliance orders, awarding penalties)
- Recommendations and Orders against business operators that violate certain parts of the Act or fail to take recommended measures (Article 42 of the PIPA)
- Recommendations and Orders against persons who violate the Act or fail to take recommended measures (Article 34 of My Numbers Act - Article 51 of pre-amendment version of the Act - link provided in footnote 1)

Guidance (e.g. compliance advice) / Public education
- May guide or advise on the handling of personal information to the extent necessary for implementing Sections 1 and 2 of the PIPA (Article 41 of the PIPA)
- Responsible for matters related to public relations and awareness raising activities on protection and appropriate/effective use of personal information (Article 61(iv) of the PIPA)
- Provision of necessary guidance and advice to the extent necessary for the enforcement of the My Numbers Act or to ensure appropriate treatment of Specific Personal Information (Article 33 of My Numbers Act - Article 50 of pre-amendment version of the Act - link provided in footnote 1)

Policy Advice for Government
- May communicate opinions to the Prime Minister on the improvement of measures for the protection of Specific Personal Information (Article 38 of My Numbers Act - Article 55 of pre-amendment version of Act - link provided in footnote 1)

Rule-making (e.g. issuing codes of practice, approving standards)
- The PPC is responsible for matters related to the formulation and promotion of the Basic Policy (Article 61(i) of the PIPA)

i. Has appropriate autonomy and independence

Explicit statement in law that the Authority is to act independently

Article 62 of the PIPA states that the chairperson and members of the Commission operate independently. This provision has already taken effect. Article 59(2) of the PIPA specifies that the Commission is administratively attached to the Prime Minister. This provision has already taken effect.

Appointment of Head of Authority

Under Article 63(3) of the PIPA, the chairperson and members of the Commission are appointed by the Prime Minister, with the consent of both Houses of the Diet. The term of office of the chairperson and members of the Commission is five years (Article 64(1) of the PIPA), and they may be reappointed (Article 64(2) of the PIPA).

Legal protection against civil suits for actions performed in good faith

The application states that, in terms of civil suits, case law recognizes that public officers are irresponsible for actions performed in good faith in the course of their lawful duties. The application also specifies that the Commission members and their staff are public officers.

Suitable guarantees for the funding of the authority

The application specifies that, as the Commission is a public body, the national budget is provided appropriately.

Authority to remove the head or members of the authority (including relevant statutory provisions)

Article 65 of the PIPA (already in effect) states that the chairperson and members of the Commission cannot be dismissed against their will while holding office, except under specific circumstances as follows:

- Ordered to commence bankruptcy proceedings;
- Punished for violating the PIPA or Number Use Act;
- Imprisoned;
- Found by the Commission to be incapable of executing their duties due to a physical or mental disorder, to have contravened the duties of their position or to have committed misconduct inappropriate for a chairperson or member of the Commission. (Such findings must be made on the unanimous consent of all members except the member concerned. Article 68(4))

Article 66 of the PIPA specifies that the Prime Minister must dismiss the chairperson or a member of the Commission if any of the circumstances outlined in Article 65 apply to them.

Review of the Application for Member Status of the National Identity Management Commission of Nigeria to the International Conference of Data Protection and Privacy Commissioners

Following an assessment of the application received on 18 June 2016 and other information provided in support, our Office believes that the National Identity Management Commission of Nigeria (hereinafter the NIMC) does not meet the requisite criteria to be granted member status. It is suggested that the Executive Committee invite the NIMC to attend the Marrakech Conference as an Observer and that this recommendation be put to the full membership of the International Conference of Data Protection and Privacy Commissioners (ICDPPC).

Analysis

In accordance with article 5.1 of the Rules and Procedures of the ICDPPC, we are satisfied that the NIMC:

j. Is a public entity, created by an appropriate legal instrument based upon legal traditions of the country or international organization which it belongs to

Nigeria's National Identity Management Commission Act No. 23 of 2007 (the NIMC Act) was passed by the National Assembly of the Federal Republic of Nigeria in May 2007.[8] Article 1 of the Act establishes the NIMC as a body corporate with perpetual succession and a common seal, and the power to sue and be sued in its corporate name.

[8] http://www.nimc.gov.ng/docs/reports/nimc_act.pdf.

We are not, however, satisfied that the NIMC:

k. Has the supervision of the implementation of the legislation on the protection of personal data or privacy as one of its principal regulatory mandates

The NIMC is the statutory body charged with the responsibility of maintaining the National Identity Database, the registration of individuals onto that database, the issuance of general purpose identity cards, the registration of births and deaths in Nigeria and so forth.

According to Article 5(g), the NIMC ensures the preservation, protection, sanctity and security (including cyber-security) of any information or data collected, obtained, maintained or stored in respect of the National Identity Database. The NIMC also maintains and ensures secured communications links with other relevant identity database or agency, collaborates in setting the standards for these communications links and responds to verification enquiries regarding the identification of individuals. Further, the NIMC has a general power to do such other things which [the NIMC Act] or any other enactment are required or permitted to be done by the Commission.

Inasmuch as the NIMC's functions present elements often related to the protection of personal data and privacy, the responsibilities of the NIMC do not explicitly include the protection of personal data or privacy. On the whole, in our opinion, the protection of personal data and privacy do not constitute one of the NIMC's principal regulatory mandates but rather a corollary of managing Nigeria's National Identity Database.

l. Operates under a legislation that is compatible with the principal international instruments dealing with data protection or privacy

The NIMC's application states that the NIMC Act implements Supplementary Act A/SA.1/01/10 on Personal Data Protection within the Economic Community of West African States (ECOWAS).[9] We note that, though elements of that Supplementary Act are present in the NIMC Act, these do not appear to form a central or important component of the NIMC Act. That is certainly the case for the details and specificities found in the Supplementary Act related to personal data protection and processing, on which the NIMC Act is largely silent.

[9] http://www.statewatch.org/news/2013/mar/ecowas-dp-act.pdf

m. Has an appropriate range of legal powers to perform its functions

Article 6 of the NIMC Act gives the NIMC the power to request for any information on data from any person on matters relating to its function under the Act, to monitor any matter that may affect the functions of the NIMC and do other such things which are required or permitted to be done by the Commission. Article 31 gives the NIMC the power to make regulations for the effective operation of the Act and the due administration thereof, including to provide for the collection, collation and processing of data and other relevant information.

While these powers are broad and may ultimately facilitate the performance of data protection and privacy related functions, nothing in the application or supporting research indicates that the NIMC has exercised such functions.

n. Has appropriate autonomy and independence

Article 1 of the NIMC Act establishes the NIMC as a body corporate and allows it to hold, acquire and dispose of property. No provision of the NIMC Act explicitly provides for its independence or autonomy.

The NIMC is composed of a Governing Board with a Chairman, representatives from fourteen (14) government institutions, three persons knowledgeable in information technology or identity management to represent the public interest, and the Director-General of the Commission. All members of the Governing Board, except the Director-General, serve the NIMC on a part-time basis. The Director-General is charged with the execution of the policies and decisions of the Board, and the day-to-day operations of the NIMC (NIMC Act, Articles 3 and 7).

The Chairman and other members of the Board are all appointed by the President for a once renewable term of 4 years. Notwithstanding this stated security of term, all Board members may be removed from office for certain specified reasons, including at the President's discretion if the President is satisfied that it is not in the interest of the Commission or in the interest of the public for the person to continue in office and notifies the member in writing to that effect. Further, Board members' remunerations are set and approved by the President (NIMC Act, Article 3).

Review of the Application for Member Status of the National Privacy Commission of the Philippines to the International Conference of Data Protection and Privacy Commissioners

Following an assessment of the application received on 9 February 2016 and other information provided in support, our Office believes that the National Privacy Commission of the Philippines (hereinafter the NPC) meets the five requisite criteria to be granted Member Status. It is suggested that the Executive Committee put this recommendation to the full membership of the International Conference of Data Protection and Privacy Commissioners (ICDPPC).

Analysis:

In accordance with article 5.1 of the Rules and Procedures of the ICDPPC, we are satisfied that the NPC:

o. Is a public entity, created by an appropriate legal instrument based upon legal traditions of the country or international organization which it belongs to

The NPC is created under the Philippines' Republic Act 10173, the Data Privacy Act of 2012 [10]. The DP Act was signed into law on 15 August 2012 by President Benigno Aquino, and came into effect in that same year, 15 days after its publication [11]. Sec 7, Chapter II of the DP Act creates an independent body to be known as the National Privacy Commission. Sec. 9 of the Act specifies that the NPC is to be attached to the Department of Information and Communications Technologies (DICT). The first Commissioner of the NPC took his oath of office on March 7, 2016.

Sec. 39 of the DP Act specifies that to effectively implement the provisions of the Act, the NPC is required to promulgate Implementing Rules and Regulations (IRR) within 90 days from the effectivity of the Act. Proposed IRRs, titled "Implementing Rules and Regulations of Republic Act No. 10173, known as the Data Privacy Act of 2012" [12], were published in the Official Gazette on 20 June 2016. The IRRs establish further parameters and details on the requirements of the Act. Consultations on the proposed IRRs took place in the weeks following their publication and the NPC indicates that the IRRs will most likely be in effect mid-August 2016.

[10] The following web link to the Data Privacy Act of 2012 was included in the application: http://www.gov.ph/2012/08/15/republic-act-no-10173/
[11] DP Act, s. 45
[12] http://www.gov.ph/2016/06/20/irr-data-privacy-act-2012/

Philippines NPC

Under Sec 42 of the DP Act (Transitory Provisions), industries, businesses, and offices affected by the implementation of the Act are to be given one year transitory period from the effectivity of the IRR, or such other period as may be determined by the Commission, to comply with the requirements of the Act. However, the DP Act 2012 is currently in force and data controllers as well as data processors are already obliged to abide by the requirements of the Act. The NPC is currently operational in enforcing the Act, receiving complaints and conducting investigations. A transitory period will only apply to elements that are specific to the IRRs, such as those related to Data Breach Notification (Rule IX, Sections 38-42 of the Proposed IRRs).

p. Has the supervision of the implementation of the legislation on the protection of personal data or privacy as one of its principal regulatory mandates

The NPC is created to, amongst others, administer and implement the provisions of the DP Act (sec 7, Chapter II). To that end, the Commission's functions include ensuring compliance of personal information controllers with the provisions of the Act (Sec 7(a)).

q. Operates under a legislation that is compatible with the principal international instruments dealing with data protection or privacy

In its accreditation application, the NPC reports that its DP Act principally implements the EU Data Protection Directive (95/46/EC) and the Asia Pacific Economic Cooperation (APEC) Privacy Framework. The DP Act contains provisions on fundamental protection principles that align with those in international instruments, including: fair and lawful processing, proportionality, notice, accuracy, purpose limitation, limits to retention, transparency, legitimate grounds for processing including consent, as well as the right of access, correction and the right to have information destroyed or removed, and to lodge a complaint. Certain provisions are reflective of those in the EU Data Protection Directive, including accommodations for legitimate grounds for processing and provisions related to sensitive and privileged information. Further, section 7 of the DP Act specifies that the NPC is, in part, created to monitor and ensure compliance of the country with international standards set for data protection.

r. Has an appropriate range of legal powers to perform its functions

The NPC's range of powers, as specified in section 7, includes:

Compliance (e.g. audit, inspection)
- Ensuring compliance (sec. 7(a));

Approvals (e.g. prior checking, notification)
- Receiving notification of data breaches (sec. 20(f))
- Ability to require government contractors to register large-scale information processing systems (sec. 24);

Redress for individuals (e.g. complaints, conciliation, awarding compensation)
- Receiving complaints, instituting investigations, facilitating or enabling the settlement of disputes (sec. 7(b));

Applying sanctions (e.g. prosecution, compliance orders, awarding penalties)
- Issuing cease and desist orders and imposing temporary or permanent bans on the processing of personal information (sec. 7(c));
- Compelling entities to abide by orders or to take action on a matter affecting data privacy (sec. 7(d));
- Recommending to the Department of Justice the prosecution and imposition of penalties (sec. 7(i));

Guidance (e.g. compliance advice) / Public education
- Publishing guides to laws relating to data protection (sec. 7(g))
- Publishing a compilation of agency system of records and notices (sec. 7(h))
- Providing assistance related to privacy or data protection at the request of agencies, private entities or any person (sec. 7(k));

As well, under sec 40 of the DP Act, the Commissioner is required to undertake every effort it may determine to be necessary or appropriate to inform and educate the public of data privacy, data protection, and fair information rights and responsibilities.

Policy Advice for Government
- Commenting on the implication on data privacy of proposed statutes, regulations or procedures, issue advisory opinions (sec. 7(l))
- Interpret the provisions of the DP Act or other data privacy laws (sec. 7(l));
- Proposing legislation, amendments to laws on privacy (sec. 7(m));

Rule-making (e.g. issuing codes of practice, approving standards)
- Reviewing, approving, rejecting or requiring modification of privacy codes (sec. 7(j))

s. Has appropriate autonomy and independence

Explicit statement in law that the Authority is to act independently

Sec. 7 of the DP Act creates the National Privacy Commission as an independent body: "To administer and implement the provisions of this Act, and to monitor and ensure compliance of the country with international standards set for data protection, there is hereby created an independent body to be known as the National Privacy Commission." While sec. 9 of the DP Act states that the Commission shall be attached to the Department of Information and Communication Technology (DICT), section 13 of the proposed IRR clarifies that the NPC is attached to the DICT for policy and program coordination, but shall remain completely independent in the performance of its functions [13]. Furthermore, sec. 40 of the DP Act indicates that the Commission shall annually report to the President and Congress on its activities in carrying on the provisions of the Act. It does not report to the DICT.

Appointment of Head of Authority

Under sec. 9 of the DP Act, the Privacy Commissioner, who is to head the NPC and act as its Chairman, is to be appointed by the President of the Philippines for a term of three years and may be reappointed for another term of three years.

Legal protection against civil suits for actions performed in good faith

The Commissioner, his Deputies and any person acting on their behalf or under their direction cannot be civilly liable for acts done in good faith in the performance of their duties (DP Act, Sec. 9). However, they can be liable for wilful or negligent acts done which are contrary to law, morals, public policy and good customs even if they acted under orders or instructions of superiors.

Suitable guarantees for the funding of the authority

Sec. 41 of the DP Act provides the Commission with an initial appropriation of 20 million pesos, drawn from the national government, with subsequent appropriations to be included in the General Appropriations Act. The DP Act specifies that following the initial appropriation, the Commission is to receive 10 million pesos for the following five years.

[13] Republic Act 10844, the Department of Communications Technology Act of 2015 (DICT Act), http://www.gov.ph/2016/05/23/republic-act-no-10844/, which creates the DICT, was signed into law on 23 May 2016. Sec. 15(b) of that Act states that the NPC is one of three agencies to be attached to the DICT for policy and program coordination, and is to operate and function in accordance with charters, laws or orders that created it, insofar as it is not inconsistent with the DICT Act.

Authority to remove the head or members of the authority (including relevant statutory provisions)

There are no provisions in the DP Act for the removal of members of the National Privacy Commission. However, the NPC Accreditation Application indicates that the laws of general application in the Philippines, such as the Ombudsman Act (Republic Act No. 6770), may apply. The Ombudsman Act (Sec 21) gives the Ombudsman disciplinary authority over all elective and appointive officials of the Government and its subdivisions, instrumentalities and agencies.

Section 1 of the Administrative Order No. 07, Rules of Procedure of the Office of the Ombudsman [14], provides that administrative complaints may be made for a range of acts and omissions, including those that are: a) contrary to law or regulation; b) unreasonable, unfair, oppressive or discriminatory, etc. Complaints are evaluated and may be subject to Administrative Adjudication, followed by a decision by the Office of the Ombudsman (sections 4, 5 and 6, Rules of Procedure). Under Section 25 (Penalties), penalties that may be imposed by the Ombudsman include, but are not limited to, a one year suspension and dismissal with forfeiture of benefits. These penalties are to take into account circumstances that mitigate or aggravate the liability of the officer or employee found guilty of a complaint or charges [15].

In addition, Republic Act No. 6713 (Code of Conduct and Ethical Standards for Public Officials and Employees) [16] and its Implementing Rules (IRs) [17] include penalties for public officials that engage in prohibited acts and transactions or acts and omissions that are to constitute grounds for administrative disciplinary action (Section 7 of the Code and Rule X section 1 of the IRs). These penalties include suspension not exceeding one (1) year, or removal (Section 11 of the Code and Rule XI Section 1 of the Rules) [18]. Under the Code, Public Officials are defined to capture elective and appointive officials, permanent or temporary. To the extent that the position of Commissioner can be interpreted to fall under the definition of Public Official under Republic Act No. 6713, he or she should be subject to the Act's measures related to suspension and removal.

[14] http://www.dpwh.gov.ph/about_us/reforms/graft_n_corruption/pdf/ombudsmanadministrativeorderno%2007.pdf
[15] These penalties are further elaborated upon under the Administrative Order No. 07, Rules of Procedure of the Office of the Ombudsman (Rule III, Section 10 Penalties).
[16] http://www.gov.ph/1989/02/20/republic-act-no-06713/
[17] http://www.ombudsman.gov.ph/docs/republicacts/implementing_rules_of_ra_6713.pdf
[18] Depending on the gravity of the offence and after due notice and hearing by the appropriate body or agency.