The right to access

This is your right to find out whether an organization holds any personal data about you and if so, gain “reasonable access” to them. Through this right, you may also ask them to provide you with a written description of the kind of information they have about you as well as their purpose/s for holding them.

Under the Data Privacy Act of 2012, you have a right to obtain from an organization a copy of any information relating to you that they have on their computer database and/or manual filing system. It should be provided in an easy-to-access format, accompanied with a full explanation executed in plain language.

You may demand to access the following:

  • The contents of your personal data that were processed.

  • The sources from which they were obtained.

  • Names and addresses of the recipients of your data.

  • Manner by which they were processed.

  • Reasons for disclosure to recipients, if there were any.

  • Information on automated systems where your data is or may be available, and how it may affect you.

  • Date when your data was last accessed and modified

  • The identity and address of the personal information controller.

Example

An individual had been involved in an incident inside and outside a Manila restaurant where his wallet was stolen. He also suffered minor injuries in the incident. He requested access to the restaurant CCTV footage relating to himself, saying he wants to see all details surrounding the incident and possibly figure out a way to recover his wallet. He tried to personally speak to the manager but was referred to the security guard. After a few days of following up on his request, he was finally informed that the establishment would not provide him any data. This infuriated him and, upon going back to the restaurant, he demanded his right to view the footage or else he would create a scene. He was told that, as per their security policy, no “outsider” is allowed to enter areas in their establishment designated only as “for employees only”. As a compromise, the manager said they will give him a record of the footage using the customer’s handheld gadget.

How to exercise your right to access your personal data

You must execute a written request to the organization, addressed to its Data Protection Officer (DPO). In the letter, mention that your request is being made in exercise of your right to access under the Data Privacy Act of 2012. The DPO is required to respond to your written request. Be prepared to provide evidence of your identity, which the DPO should require of you to make sure that personal information is not given to the wrong person.

If your request was not granted, or if you feel your request was not sufficiently addressed, you may file a formal complaint with the NPC. Before doing so, however, we recommend that you inform the organization and its DPO of your intention to formally complain to the NPC. They might be able to the opportunity to apologize, better explain their position, or reconsider your request.

Additional notes:

Some exceptions may disallow the exercise of an individual’s right to access. This is to balance the right to privacy of an individual versus the needs of civil society. Here are some examples:

  • A criminal suspect is not allowed access to the personal data held about him by law enforcement agencies as it may impede investigation.

  • You are not allowed access to information about you as contained in communications between a lawyer and his or her client, if such communication is subject to legal privilege in court.

  • Your right to access your own medical and psychological data may be denied you in the rare instance where is is deemed that your health and well-being might be negatively affected.