On Government Requests and Privacy
Take note that the non-applicability of the DPA does not extend to personal information controllers or personal information processors (i.e., the exception only applies to the data, not the person holding the data), who remain subject to the requirements of implementing security measures for personal data protection. This means that the processing of the information covered under the exemptions shall be exempted from the requirements of the DPA only to the minimum extent necessary to achieve the specific purpose, function, or activity.
For example, although information necessary in order to carry out the functions of public authority is not covered by the DPA, such public authority may still not violate the principle of proportionality. They may not request or obtain personal information at random or in excess of their purpose for requesting such data.
Take note that public authorities must still comply with their internal rules and other laws before they can request for personal data. In NPC Advisory Opinion No. 2023-018, though the Philippine Drug Enforcement Agency may demand for personal data in connection to their mandate, they still have to do so through a subpoena as required by law. A mere request letter is not sufficient.