WikiFrameworksPhilippines DPA (2012)Sensitive Data Restriction

Sensitive Data Restriction

Plain English Translation

Sensitive personal information — including health records, financial data, religious beliefs, and political affiliations — is subject to heightened restrictions under RA 10173 and may generally not be processed without explicit consent or another narrowly defined legal ground. Privileged information, such as communications between attorneys and clients, is similarly protected and restricted. Organizations must implement stricter controls and access limitations for any system that handles these categories of data.

Executive Takeaway

The Philippines DPA strictly prohibits processing sensitive personal information like health or government IDs without explicit prior consent or a recognized legal exception.

ImpactHigh
ComplexityHigh

Why This Matters

  • Unauthorized processing of sensitive data carries severe penalties, including imprisonment of 3 to 6 years and fines up to Php4,000,000.
  • Protecting sensitive personal information prevents significant reputational damage and regulatory enforcement actions by the National Privacy Commission.
  • Ensuring a lawful basis prevents business interruption when handling necessary employee health records or customer government-issued identification.

What “Good” Looks Like

  • A documented lawful basis exists and is tracked for every sensitive data processing activity in the organization; tools like WatchDog Security's Compliance Center can help centralize this mapping and associated evidence.
  • Consent forms explicitly state the specific, declared, and legitimate purpose for sensitive data collection prior to processing.
  • Strict access controls and encryption are applied to all repositories and workflows containing sensitive personal data, with tools like WatchDog Security's Posture Management helping detect misconfigurations that could weaken those protections.

Put Philippines DPA (2012) compliance + 19 others on autopilot

Starting at $99/admin/mo — includes all frameworks, evidence automation, and AI-powered gap analysis.

Start Free Trial No credit card required

Under RA 10173, sensitive personal information includes an individual's race, ethnic origin, marital status, age, color, religious, philosophical or political affiliations, health, education, genetic or sexual life, offenses, and government-issued numbers like social security and tax returns.

An organization can process sensitive data if the data subject gives prior consent for a specific, legitimate purpose, or if a legal exception applies, such as protecting vital interests, medical treatment, or establishing legal claims.

Yes, the general rule is that processing sensitive personal information is prohibited unless the data subject provides explicit prior consent pursuant to a declared, specified, and legitimate purpose.

Exceptions include existing laws guaranteeing protection, protecting the life and health of a person unable to consent, lawful noncommercial objectives of public organizations, medical treatment by practitioners, and protection of lawful rights in court proceedings.

Yes, information about an individual's health, genetic life, and previous or current health records are explicitly defined as sensitive personal information under the Act.

Personal information is any data from which an identity is apparent or ascertainable, whereas sensitive personal information is a protected subset requiring stricter measures, covering intimate details like race, health, religious beliefs, and government IDs.

Employers can only process such sensitive data if they obtain prior explicit consent from the employee for a declared and legitimate purpose, or if another legal exception applies, such as a strict statutory obligation.

Organizations must implement appropriate organizational, physical, and technical security measures, such as encryption and strict access controls, to ensure the confidentiality, integrity, and availability of sensitive data.

Yes, the processing of sensitive information is allowed if necessary for medical treatment by a medical practitioner, or for the establishment, exercise, or defense of legal claims and court proceedings.

The unauthorized processing of sensitive personal information is penalized by imprisonment ranging from three to six years and a fine of Php500,000 to Php,000,000.

Sensitive personal information requires tighter governance because processing is generally prohibited unless explicit consent or a recognized exception applies. WatchDog Security's Compliance Center can help teams map sensitive data processing activities to required controls, track evidence such as consent records or legal basis documentation, and identify gaps before an audit or privacy review.

Sensitive data often exists across HR systems, cloud storage, SaaS tools, and internal databases, so organizations need visibility into where it lives and who can access it. WatchDog Security's Asset Inventory can help maintain an inventory of connected systems and identity mappings, while WatchDog Security's Posture Management can surface misconfigurations that may expose sensitive personal information.

PHILIPPINES-DPA IRR Section 22

"The processing of sensitive personal and privileged information is prohibited. It shall be allowed only in the following cases: Consent is given pursuant to a declared, specified and legitimate purpose by data subject prior to the processing..."

VersionDateAuthorDescription
1.0.02026-05-06Compliance Content TeamInitial publication