Scribd Logo
Upload

Welcome to Scribd!

  • DPA QuickGuidefolder 1019 PDF

    Uploaded by

    Ma Mayla Imelda Lapa
    38 views1 page

    Original Title

    DPA_QuickGuidefolder_1019.pdf

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    38 views1 page

    DPA QuickGuidefolder 1019 PDF

    Uploaded by

    Ma Mayla Imelda Lapa

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 1

    DATA PRIVACY ACT (DPA) QUICK GUIDE HOW COMPLIANT ARE YOU?

    Here’s a checklist to find out:

    Evidence of Compliance Evidence of Compliance


    WHAT IS THE DPA? WHAT ARE A PIC OR PIP’S PRIMARY OBLIGATIONS? 1. Establish Data Privacy Governance Vulnerability Assessment
    Designation/Appointment Papers/ Contract of the DPO and/or DPO team Penetration Testing for applications and network
    Fully titled, “An Act Protecting Individual Personal Adhere to data privacy principles
    Other means to demonstrate compliance Other means to demonstrate compliance
    Information in Information and Communications
    Transparency Legitimate purpose Proportionality 6. Data Breach Management
    Systems in the Government and the Private Sector, 2. Privacy Risk Assessment
    Creating for this Purpose a National Privacy Inventory of personal data processing systems Schedule of breach drills
    Uphold data subject rights
    Commission, and for Other Purposes” the DPA aims Visible announcement showing the contact details of DPO (e.g. website, Number of Trainings conducted for internal personnel on breach
    to protect the fundamental human right of privacy, Information Erasure or blocking privacy notice) management
    of communication while ensuring the free flow of Phase I - Registration Form (Notarized) Personnel Order constituting the Data Breach Response Team
    information to promote innovation and growth. Access To object
    Privacy Impact Assessment (PIA) report Incident Response Policy and Procedure (may be in Privacy Manual)
    Data Portability To file a complaint Record of Security incidents and personal data breaches, including
    Other means to demonstrate compliance
    Rectification To damages notification for personal data breaches
    3. Maintain Organization Commitment
    KEY DPA ACTORS Implement security measures Privacy Manual
    Other means to demonstrate compliance
    7. Manage Third Party Risks
    List of activities on privacy and data protection
    Organizational Physical Technical Data Sharing Agreements
    National Privacy Commission NPC List of key personnel assigned responsibilities for privacy and data
    independent body mandated to implement the DPA protection within the organization List of recipients of personal data (PIPs, other PICs, service providers,
    government agencies)
    Other means to demonstrate compliance
    Data subject 5 PILLARS OF DATA PRIVACY ACCOUNTABILITY & COMPLIANCE Review of Contracts with PIPs
    an individual whose personal data is processed 4. Privacy and Data Protection in day to day operations
    Review of Contracts for cross-border transfers
    Pillar Reference Valid Privacy Notice in Website and/or within organization (where
    collection of personal data occurs) Other means to demonstrate compliance
    Personal information controller PIC 1. Appoint a Data Protection Officer NPC Advisory 2017-01
    a natural or juridical person, or any other body who controls Consent forms for collection and use of personal data 8. Human Resources Management
    2. Conduct a Privacy Impact Assessment NPC Advisory 2017-03
    the processing of personal data List of Policies and Procedures in place that relate to privacy and data No. of employees who attended trainings on privacy and data protection
    3. Have a Privacy Management Program & PMP Guide in NPC Privacy
    protection (may be in privacy manual) Commitment to comply with Data Privacy Act as part of Code of Conduct
    codify it into a Privacy Manual Toolkit
    Personal information processor PIP Policies and Procedure in dealing with requests for information or through written document to be part of employee files
    4. Implement data privacy & protection NPC Circular 2016-01; DPAC in
    a natural or juridical person, or any other body to whom a PIC from parties other than the data subjects (media, law enforcement, Certificate of Training of DPO
    may outsource or instruct the processing of personal data measures NPC Privacy Toolkit representatives)
    Certifications of DPOs
    5. Exercise Breach Reporting Procedures NPC Circular 2016-03 Data subjects informed of rights through privacy notices, and other
    NDAs or confidentiality agreements
    means
    Security Clearance Policy
    WHAT IS PERSONAL INFORMATION (PI)? WHAT IS SENSITIVE PERSONAL INFORMATION (SPI)? Form or platform for data subjects to request copy of their personal
    information and request correction Other means to demonstrate compliance

    SPI refers to info about an individual’s: Procedure for addressing complaints of data subjects 9. Continuing Assessment and Development
    PI refers to any information from which the identity of an • Race sexual life Certificate of registration and notification Policy for Conduct of PIA (may be in manual)
    individual is apparent or can be reasonably and directly • Ethnic origin • Proceeding for any offense
    Other means to demonstrate compliance Policy on conduct of Internal Assessments and Security Audits
    ascertained, or when put together with other information • Marital status committed or alleged to have
    would directly and certainly identify an individual 5. Manage Security Risks Privacy Manual contains policy for regular review
    • Age been committed by an individual
    • Color • Government-issued IDs Data Center and Storage area with limited physical access List of activities to evaluate Privacy Management program (survey of
    • Religious, philosophical or • Those established by an customer, personnel assessment)
    CRITERIA FOR LAWFUL PROCESSING OF PI Report on technical security measures and information security tools in
    political affiliations executive order or an act of place Other means to demonstrate compliance
    • Consent • Health, education, genetic or Congress to be kept classified
    Firewalls used 10. Manage Privacy Ecosystem
    • Contract with the individual
    CRITERIA FOR LAWFUL PROCESSING OF SPI Encryption used for transmission No. of trainings and conferences attended on privacy and data protection
    • Vital interests/Life & health Encryption used for storage
    • Legal obligation • Consent • Medical treatment Policy papers, legal or position papers, or other research initiatives on
    Access Policy for onsite, remote and online access emerging technologies, data privacy best practices, sector specific
    • National emergency / public order & safety, as prescribed by • Existing laws & regulations • Lawful rights & interests
    in court proceedings/legal Audit logs standards, and international data protection standards
    law • Life & health
    • Processing by non-stock, claims Back-up solutions No. of management meetings which included privacy and data protection
    • Constitutional or statutory mandate of a public authority
    non-profit orgs Report of Internal Security Audit or other internal assessments in the agenda
    • Legitimate interests of the PIC or third parties
    Certifications or accreditations maintained Other means to demonstrate compliance

    PENALTIES EXEMPTIONS
    Violation Imprisonment Fine
    PI SPI PI SPI Applies not to the PIC/PIP but only to personal data relating to:
    Unauthorized 3–6 P500,000 – P500,000 –
    Processing 1 – 3 years years P2,000,000 P4,000,000 • Matters of public concern
    Accessing
    Due to 1 – 3 years 3–6 P500,000 – P500,000 – • Journalistic, artistic or literary purposes 5th Floor, Delegation Building
    years P2,000,000 P4,000,000
    Negligence Philippine International Convention Center
    • Research purposes, intended for a public benefit
    Improper 6 months 1–3 P100,000 – P100,000 – PICC Complex, Roxas Boulevard, Manila, 1307
    Disposal – 2 years years P500,000 P1,000,000 • Performance of law enforcement or rgulatory functions of
    public authority (e.g. Secrecy of Bank Deposits Act, Foreign
    Processing for 1 year and Currency Deposit Act, CISA)
    2–7 P500,000 – P500,000 –
    Unauthorized 6 months years P1,000,000 P2,000,000
    Purposes – 5 years
    • Compliance of BSP-regulated banks & financial institutions
    privacy.gov.ph privacy.gov.ph privacygovph
    Unauthorized 3–5 P500,000 – P1,000,000 – with the CISA, AMLA & other applicable laws
    1 – 3 years info@privacy.gov.ph PrivacyPH 234-22-28
    Disclosure years P1,000,000 P5,000,000
    • Residents of foreign jurisdictions w/ applicable data privacy
    1 year
    Concealment and 6 P500,000 – laws
    of Security months P1,000,000
    Breaches Exemptions are only allowed to the minimum extent needed
    – 5 years
    Unauthorized to achieve purpose, w/ consideration to requirements of other
    Access or 1 – 3 years P500,000 – P2,000,000 regulations.
    Intentional
    Breach
    Malicious 1 year and 6 months – P500,000 - P1,000,000
    Disclosure 5 years
    This material is downloadable at:
    Combination
    or Series of 3 – 6 years P1,000,000 – P5,000,000 privacy.gov.ph/quickguide An attached agency of the Department of
    Acts Information and Communications Technology

    You might also like