Constitutional and Statutory Setting
The constitutional privacy of communications and correspondence protects private exchanges against intrusion, yields only to a lawful court order or to public safety or order as prescribed by law, and makes evidence obtained in violation of that privacy inadmissible for any purpose in any proceeding. Data privacy under Republic Act No. 10173 complements that protection by regulating the collection, use, storage, sharing, retention, and disposal of information about identifiable natural persons, even when no interception of a communication is involved.
The Data Privacy Act protects individuals as data subjects and binds persons or entities that control or process their data. Its central classification is between personal information, sensitive personal information, and privileged information. The classification determines the lawful bases for processing, the level of security expected, the validity of consent, the scope of disclosure, the risk of harm, and the gravity of statutory consequences.
The Act uses a functional approach. A datum is protected not because it is secret, but because it identifies or can identify a person. Information publicly visible in one setting may still be protected when collected, profiled, combined, sold, disclosed, or reused for a different purpose.
Personal Information
Personal information is information, whether recorded in material form or not, from which the identity of an individual is apparent, can be reasonably and directly ascertained by the entity holding the information, or would directly and certainly identify the individual when put together with other information.
Identifiability is the controlling idea. A name, photograph, signature, home address, mobile number, personal email address, account identifier, device identifier, location trail, employment record, transaction history, customer profile, or online activity log may be personal information when it points to a particular person or can reasonably be linked to that person.
Personal information need not be intimate, damaging, confidential, or accurate. An erroneous address, outdated number, or wrong label may still be personal information because it is processed as information about a particular data subject. The law protects the person from misuse of the identifying relation, not only from exposure of true private facts.
Information about a juridical entity is not personal information of that entity, although records of corporations, associations, or offices may contain personal information of directors, officers, employees, agents, clients, or beneficial owners. The protection follows the identifiable natural person embedded in the record.
Sensitive Personal Information
Sensitive personal information is a specially protected subset of personal information. It consists of personal information about matters that the law treats as carrying a heightened risk of discrimination, stigma, coercion, identity fraud, bodily or economic harm, or undue intrusion into personal autonomy.
The statutory categories include information about an individual's race, ethnic origin, marital status, age, color, religious, philosophical, or political affiliations; health, education, genetic information, or sexual life; proceedings for any offense, offenses committed or alleged, and the disposition or sentence in those proceedings; government-issued identifiers peculiar to the individual; and information specifically established by executive order or by law to be kept classified.
The statutory list matters. A fact is not sensitive personal information merely because it is embarrassing or because the data subject considers it private. Conversely, a fact within the statutory categories is sensitive even if commonly requested, routinely stored, or already known to several persons.
Government-issued identifiers deserve special attention because they are often used to authenticate identity and obtain access to services. Social security numbers, tax identification numbers, passport numbers, driver's license details, professional license numbers, and similar unique identifiers are treated with greater caution because exposure may enable impersonation, fraud, or unauthorized profiling.
Health and education information are sensitive even when they appear in ordinary institutional records. A clinic form, laboratory result, disability accommodation record, vaccination status, school transcript, disciplinary record forming part of an educational file, scholarship file, or learning assessment may be sensitive personal information when it relates to the individual's health or education.
Privileged Information
Privileged information consists of all forms of data which, under the Rules of Court and other pertinent laws, constitute privileged communication. It is grouped with sensitive personal information for processing restrictions, but its special character comes from a legal privilege rather than from the nature of the subject matter alone.
Privileged information may arise from relationships or proceedings where confidentiality is protected by law, such as communications covered by attorney-client privilege, physician-patient privilege, priest-penitent privilege, marital privilege, or other legally recognized confidentiality. When a record is both sensitive and privileged, the stricter protection applies.
Comparison of the Two Main Classes
| Point of Comparison | Personal Information | Sensitive Personal Information |
|---|---|---|
| Core test | The information identifies or can reasonably identify a natural person. | The information identifies a natural person and falls within a legally protected sensitive category. |
| Nature of protection | General data protection against unfair, unlawful, or disproportionate processing. | Heightened protection because misuse is more likely to cause serious harm, discrimination, fraud, or coercion. |
| Processing posture | Processing is allowed when not prohibited by law and supported by an applicable lawful basis. | Processing is generally prohibited unless it falls within a specific statutory exception. |
| Consent | Consent is one lawful basis, but it is not the only basis. | Consent must be specific to the purpose, and another exception must exist when consent is not relied upon. |
| Typical examples | Name, ordinary contact details, image, employment profile, customer account, or transaction record. | Health data, school records, age, marital status, religion, political affiliation, criminal proceeding data, or government identifiers. |
| Effect of breach | Unauthorized access or disclosure may trigger liability, remedies, and security obligations. | Unauthorized access or disclosure usually carries greater risk, stronger notification concerns, and heavier statutory consequences. |
Processing and the Importance of Classification
Processing covers any operation performed upon personal data, including collection, recording, organization, storage, updating, modification, retrieval, consultation, use, consolidation, blocking, erasure, or destruction. Classification must therefore be made before collection and must be reassessed when information is combined, reused, shared, or repurposed.
For ordinary personal information, processing is permitted when it is not otherwise prohibited and at least one lawful basis applies. These lawful bases include consent, necessity for a contract or pre-contractual steps requested by the data subject, compliance with a legal obligation, protection of vitally important interests including life and health, response to national emergency or public order and safety requirements, and pursuit of legitimate interests not overridden by the fundamental rights and freedoms of the data subject.
For sensitive personal information and privileged information, the law begins from prohibition and then recognizes narrow exceptions. Processing may be allowed when the data subject has given specific consent for the stated purpose; when existing laws and regulations require or allow processing while assuring protection; when processing is necessary to protect life and health and the data subject is legally or physically unable to express consent; when necessary for lawful and noncommercial objectives of public organizations and associations under limited conditions; when necessary for medical treatment by a health professional or medical institution subject to adequate safeguards; or when necessary for the protection of lawful rights and interests in court proceedings, legal claims, or legal advice.
The difference in posture is decisive. Ordinary personal information may be processed on several practical grounds, including legitimate interest. Sensitive personal information cannot be processed merely because it is useful, efficient, profitable, or convenient. The controller must point to a specific legal exception and must still comply with transparency, legitimate purpose, and proportionality.
Consent, Purpose, and Proportionality
Consent under the Data Privacy Act is a freely given, specific, informed indication of will by which the data subject agrees to the processing of personal data. It may be evidenced by written, electronic, or recorded means, but it must relate to a declared purpose and to the kind of data being processed.
Consent is weakened when it is bundled with unrelated terms, hidden in vague language, obtained through coercion, or framed so broadly that the data subject cannot know what processing will occur. A general agreement to receive a service is not automatically a specific consent to disclose health records, government identifiers, or educational files to third parties.
For ordinary personal information, consent may be unnecessary when another lawful basis clearly applies, such as performance of a contract or compliance with law. For sensitive personal information, consent must be specific when used as the exception, and the controller must avoid treating silence, inertia, or mere continued use as consent to heightened-risk processing.
Purpose limitation requires the controller to collect and use personal data only for declared, specified, and legitimate purposes. Proportionality requires that the data be adequate, relevant, suitable, necessary, and not excessive in relation to those purposes. A process that lawfully requires a person's name does not automatically justify collecting that person's religion, marital status, school records, or government identification numbers.
Classification in Context
Classification depends on the record as held and used, not on isolated words detached from context. A name in a visitor log is ordinary personal information, but the same name attached to a laboratory result is part of health information. A photograph used for an office directory is personal information, while an image processed as a biometric identifier or linked to a criminal proceeding may call for heightened treatment.
An employee number issued only by a private employer is usually ordinary personal information, while a government-issued identifier peculiar to the individual is sensitive personal information. A business email address may be personal information if it identifies an employee, but it does not become sensitive merely because it is used for official work. A school record is sensitive because education information is expressly protected.
Public availability does not automatically remove data protection. Information in a public record, social media page, website, directory, or posted notice may still be personal information when copied, aggregated, profiled, monetized, or used for a purpose different from the context in which it became available. The fact that data can be seen by others is not the same as unrestricted consent to all forms of processing.
Information relating to public officers and employees may be treated differently when it concerns their position, functions, or performance of public duties, because transparency in public office has constitutional value. However, their home addresses, family details, health records, private communications, and unrelated personal circumstances remain protected when they identify the individual outside the legitimate scope of public accountability.
Aggregated or anonymized information falls outside the Act only when individuals can no longer be identified by reasonable means. Pseudonymized or coded data remains personal information if the controller, processor, or another reasonably likely person can restore the link to the data subject. Small datasets, rare attributes, or combined databases may defeat apparent anonymization by making re-identification reasonably possible.
Duties of Controllers and Processors
A personal information controller determines the purposes and means of processing. A personal information processor processes personal data on behalf of the controller. Both roles matter because classification affects contract terms, access controls, retention periods, security design, breach response, and accountability.
The controller must observe transparency, legitimate purpose, and proportionality from collection to disposal. The data subject should know what data is collected, why it is collected, how it will be used, who may receive it, how long it will be retained, and how rights may be exercised. These duties apply to both ordinary and sensitive personal information, but sensitive data requires stricter scrutiny at every step.
Security measures must be reasonable and appropriate to the nature of the data, the risks of processing, the size and complexity of operations, and available technology. Sensitive personal information ordinarily demands tighter access limits, stronger authentication, more careful logging, encryption or equivalent safeguards where appropriate, and stricter internal need-to-know controls.
Outsourcing does not transfer accountability away from the controller. A processor that stores, hosts, analyzes, prints, transmits, or disposes of personal data must act within the controller's instructions and must maintain security and confidentiality. Contracts for processing sensitive personal information should define the purpose, data categories, authorized personnel, retention period, return or destruction obligations, breach reporting, and limits on subcontracting.
Rights of the Data Subject
The rights of the data subject attach to personal data regardless of whether it is ordinary or sensitive. These include the rights to be informed; to object to processing; to access personal data; to dispute inaccuracy; to suspend, withdraw, or order blocking, removal, or destruction in proper cases; to be indemnified for damages; and to exercise data portability where applicable to electronically processed data in a structured and commonly used format.
The classification affects how those rights operate in practice. Requests for access to sensitive personal information may require identity verification and may be limited by privilege, law enforcement needs, court orders, or the rights of other persons. Correction and erasure are especially important where inaccurate sensitive data may affect employment, education, credit, benefits, medical treatment, liberty, or reputation.
Withdrawal of consent generally affects future processing based on consent, but it does not automatically erase processing already required by law, necessary for an existing legal claim, or justified by another lawful basis. A controller relying on a non-consent basis should be able to identify that basis and show why continued processing remains necessary and proportionate.
Breach, Disclosure, and Consequences
An unauthorized or accidental access, use, alteration, disclosure, loss, destruction, or disposal of personal data may constitute a security incident or personal data breach. Breaches involving sensitive personal information, government identifiers, financial access credentials, health or educational records, or data enabling identity fraud are more likely to create serious harm and require urgent assessment.
Data breach notification obligations are driven by the nature of the data, the likelihood of unauthorized acquisition, and the risk of serious harm. Sensitive personal information often raises the risk level because misuse may be difficult to reverse and may expose the data subject to fraud, discrimination, blackmail, denial of services, or physical and social harm.
Unlawful processing, unauthorized access, access due to negligence, improper disposal, processing for unauthorized purposes, unauthorized disclosure, malicious disclosure, and concealment of security breaches may result in administrative, civil, or criminal consequences. Penalties are generally more serious when sensitive personal information is involved because the law recognizes the higher level of injury and vulnerability.
Liability may arise even without public posting if the controller or processor collects data without a lawful basis, uses it beyond the declared purpose, keeps it longer than necessary, gives it to an unauthorized recipient, fails to secure it, or disposes of it in a way that permits recovery. Data privacy is therefore not only a confidentiality rule; it is a governance rule for the entire life cycle of identifiable information.
Operative Distinctions
Personal information answers the question whether a natural person is identifiable. Sensitive personal information asks the additional question whether the identifiable data falls within a category that the law protects more strictly. Privileged information asks whether a legal privilege independently protects the communication or record.
The practical consequence is that the controller must first identify the data subject, then classify the data, then choose a lawful basis or exception, then limit the processing to the declared purpose, and then apply security measures proportionate to the classification and risk. When one record contains both ordinary and sensitive details, the record should be handled according to the highest applicable level of protection.