
Columns: Mandatory Action Items | Data Privacy Act (Section, Title) | Implementing Rules and Regulations (Section, Title) | Circular (Circular No., Section, Title) | Evidence | Person Accountable / Last Updated

The Evidence and Person Accountable / Last Updated columns are blank in the checklist (to be filled in by the organization) and are not repeated under each item.

Management and Governance

1. Have you appointed a Data Protection Officer who will be responsible for data protection compliance in your organization?
   Data Privacy Act: Sec. 21 (b) Accountability for Transfer of Personal Information
   IRR: Sec. 26 (a) Organizational Security Measures - Compliance Officers
   Circular: 16-01, Sec. 3 (F) Definition of Terms - Data Protection Officer; 16-01, Sec. 4 (A) General Obligations

Create a Personal Data Inventory

2. Have you conducted a Privacy Impact Assessment covering your entire organization, including the inventory of all the personal data your organization is processing and their categories?
   Data Privacy Act: Sec. 20 (c) Security of Personal Information
   IRR: Sec. 26 (c) Organizational Security Measures - Records of Processing Activities
   Circular: 16-01, Sec. 5 Privacy Impact Assessment

3. Have you registered your personal data processing activities with the NPC?
   Data Privacy Act: Sec. 20 (c) Security of Personal Information
   IRR: Sec. 46 Registration and Compliance Requirements - Enforcement of the Data Privacy Act; Sec. 47 Registration and Compliance Requirements - Registration of Personal Data Processing Systems; Sec. 48 Registration and Compliance Requirements - Notification of Automated Processing Operations
   Circular: 16-01, Sec. 4 (E) General Obligations

Organization-Wide Privacy Policy

4. Have you formulated/drafted your organization's Privacy Manual?
   Data Privacy Act: Sec. 20 (a) Security of Personal Information
   IRR: Sec. 26 (b) Organizational Security Measures - Data Protection Policies
   Circular: 16-01, Sec. 4 (C) General Obligations

5. Have you formulated your organization's Control Framework for Data Protection?
   Data Privacy Act: Sec. 20 (c) Security of Personal Information
   IRR: (none cited)
   Circular: 16-01, Sec. 6 General Provisions - Control Framework for Data Protection

Privacy in Day-to-Day Information Life Cycle Operations

Creation/Collection Stage

6. Does your organization inform data subjects of your personal information processing activities and obtain their consent before doing so? (Privacy Notice)
   Data Privacy Act: Sec. 12 Criteria for Lawful Processing of Personal Information; Sec. 3 (b) Definition of Terms - Consent of the Data Subject; Sec. 16 (b) Rights of the Data Subject
   IRR: Sec. 19 General Principles in Collection, Processing and Retention; Sec. 3 (c) Definitions - Consent of the Data Subject; Sec. 26 (e) (1) Organizational Security Measures - Processing of Personal Data; Sec. 34 (a) Rights of Data Subjects - Right to be Informed
   Circular: 16-01, Sec. 4 (C) General Obligations

7. Does your organization have policies/procedures that allow data subjects to object to subsequent processing or changes to the information supplied to them?
   Data Privacy Act: Sec. 12 Criteria for Lawful Processing of Personal Information
   IRR: Sec. 34 (b) Rights of Data Subjects - Right to Object
   Circular: 16-01, Sec. 4 (C) General Obligations

Storage/Transmission and Use/Distribution Stages

8. Does your organization maintain policies for limiting data processing according to its declared, specified and legitimate purpose?
   Data Privacy Act: Sec. 12 Criteria for Lawful Processing of Personal Information
   IRR: Sec. 26 (e) (2) Organizational Security Measures - Processing of Personal Data
   Circular: 16-01, Sec. 4 (C) General Obligations

9. Does your organization have policies/procedures for providing data subjects with access to their personal information, including its sources, recipients, method of collection, purpose of disclosure to third parties, automated processes, date of last access, and identity of the controller?
   Data Privacy Act: Sec. 16 (c) Rights of the Data Subject
   IRR: Sec. 34 (c) Rights of Data Subjects - Right to Access
   Circular: 16-01, Sec. 4 (C) General Obligations

10. Does your organization allow data subjects to dispute inaccuracy or error in their personal information, including policies/procedures to keep the same up to date?
   Data Privacy Act: Sec. 16 (d) Rights of the Data Subject
   IRR: Sec. 34 (d) Rights of Data Subjects - Right to Rectification
   Circular: 16-01, Sec. 4 (C) General Obligations

11. Does your organization have policies/procedures that allow a data subject to suspend, withdraw or order the blocking, removal or destruction of their personal information if outdated, false, unlawfully obtained, unnecessary or used for unauthorized purposes?
   Data Privacy Act: Sec. 16 (e) Rights of the Data Subject
   IRR: Sec. 34 (e) Rights of Data Subjects - Right to Erasure or Blocking
   Circular: 16-01, Sec. 4 (C) General Obligations

12. Does your organization have procedures for accepting and addressing complaints from data subjects?
   Data Privacy Act: Sec. 16 (b) (8) Rights of the Data Subject
   IRR: Sec. 26 (e) (4) Organizational Security Measures - Processing of Personal Data
   Circular: 16-01, Sec. 4 (C) General Obligations

13. Does your organization allow data subjects to obtain copies of their personal data in a commonly portable format?
   Data Privacy Act: Sec. 18 Right to Data Portability
   IRR: Sec. 36 Right to Data Portability
   Circular: 16-01, Sec. 4 (C) General Obligations

Retention Stage

14. Does your organization maintain policies/procedures for retaining personal data for only a limited period or until the purpose of the processing has been achieved?
   Data Privacy Act: Sec. 16 (b) (7) Rights of the Data Subject; Sec. 16 (e) Rights of the Data Subject
   IRR: Sec. 26 (e) (5) Organizational Security Measures - Processing of Personal Data
   Circular: 16-01, Sec. 4 (C) General Obligations

Destruction/Disposal Stage

15. Does your organization have policies/procedures for ensuring that data is securely destroyed or disposed of?
   Data Privacy Act: Sec. 27 Improper Disposal of Personal Information and Sensitive Personal Information
   IRR: Sec. 26 (e) (5) Organizational Security Measures - Processing of Personal Data; Sec. 54 Improper Disposal of Personal Information and Sensitive Personal Information
   Circular: 16-01, Sec. 30 Disposal of Personal Data - Archival Obligations; 16-01, Sec. 31 Disposal of Personal Data - Procedures

Managing Employees Who Handle Data

16. Does your organization provide periodic and mandatory personnel training on privacy and data protection, in general and in areas reflecting job-specific content?
   Data Privacy Act: Sec. 20 (c) Security of Personal Information
   IRR: Sec. 26 (d) Management of Human Resources
   Circular: 16-01, Sec. 4 (D) General Obligations - Mandatory, Agency-wide Training

17. Are your employees bound by strict confidentiality?
   Data Privacy Act: Sec. 20 (e) Security of Personal Information; Sec. 32 Unauthorized Disclosure; Sec. 32 (b) Unauthorized Disclosure
   IRR: Sec. 12 Confidentiality of Personal Data; Sec. 26 (d) Management of Human Resources
   Circular: 16-01, Sec. 6 General Provisions - Control Framework for Data Protection

Managing Information Security Risk

Storage of Personal Data

18. Does your organization store personal data in a data center under a control framework for data protection?
   Data Privacy Act: Sec. 20 Security of Personal Information
   IRR: Sec. 25 Data Privacy and Security
   Circular: 16-01, Sec. 7 Storage of Personal Data - General Rule

19. Does your organization encrypt all digitally processed personal data?
   Data Privacy Act: Sec. 20 Security of Personal Information
   IRR: Sec. 28 Guidelines for Technical Security Measures
   Circular: 16-01, Sec. 8 Storage of Personal Data - Encryption of Personal Data

20. Does your organization restrict access to personal data only to those with appropriate security clearance?
   Data Privacy Act: Sec. 20 Security of Personal Information
   IRR: Sec. 27 Physical Security Measures
   Circular: 16-01, Sec. 9 Storage of Personal Data - Restricted Access

Agency/Organization Access to Personal Data

21. Does your organization control access to personal data (onsite, remotely or online) via security clearance issued by the head of the agency or organization?
   Data Privacy Act: Sec. 20 Security of Personal Information
   IRR: Sec. 27 Physical Security Measures
   Circular: 16-01, Sec. 15 Agency Access to Personal Data - Security Clearance

22. Does your organization restrict access to personal information only to programs licensed or developed by it?
   Data Privacy Act: Sec. 20 Security of Personal Information
   IRR: Sec. 27 Physical Security Measures
   Circular: 16-01, Sec. 14 Agency Access to Personal Data - Access to or Modification of Databases

23. Does your organization have an acceptable use policy?
   Data Privacy Act: Sec. 20 Security of Personal Information
   IRR: Sec. 28 Guidelines for Technical Security Measures
   Circular: 16-01, Sec. 17 Agency Access to Personal Data - Acceptable Use Policy; 16-01, Definition of Terms - Acceptable Use Policy

24. Does your organization have a system management tool which defines agency personnel access rights through a secure encrypted link and multi-factor authentication?
   Data Privacy Act: Sec. 20 Security of Personal Information
   IRR: Sec. 28 Guidelines for Technical Security Measures
   Circular: 16-01, Sec. 18 Agency Access to Personal Data - Online Access to Personal Data

25. Does your organization use technology that prevents the creation of localized copies of personal data accessed online or remotely?
   Data Privacy Act: Sec. 20 Security of Personal Information
   IRR: Sec. 28 Guidelines for Technical Security Measures
   Circular: 16-01, Sec. 19 Agency Access to Personal Data - Local Copies of Personal Data Accessed Online

26. Does your organization require external devices accessing personal data on agency computer equipment to conform to agency or organization standards?
   Data Privacy Act: Sec. 20 Security of Personal Information
   IRR: Sec. 28 Guidelines for Technical Security Measures
   Circular: 16-01, Sec. 20 Agency Access to Personal Data - Authorized Devices

27. Does your organization use technology that provides for remote disconnection of mobile devices used by the agency or the organization and deletion of personal data contained therein?
   Data Privacy Act: Sec. 20 Security of Personal Information
   IRR: Sec. 28 Guidelines for Technical Security Measures
   Circular: 16-01, Sec. 21 Agency Access to Personal Data - Remote Disconnection or Deletion

28. Does your organization keep access logs for paper-based or physical media-based personal data?
   Data Privacy Act: Sec. 20 Security of Personal Information
   IRR: Sec. 28 Guidelines for Technical Security Measures
   Circular: 16-01, Sec. 22 Agency Access to Personal Data - Paper-based Filing System

Transfer of Personal Data

29. Does your organization have an encryption system for transfers of personal data via electronic mail?
   Data Privacy Act: Sec. 20 Security of Personal Information
   IRR: Sec. 28 Guidelines for Technical Security Measures
   Circular: 16-01, Sec. 24 Transfer of Personal Data - Emails

30. Does your organization use security controls covering personal productivity software accessing personal data?
   Data Privacy Act: Sec. 20 Security of Personal Information
   IRR: Sec. 28 Guidelines for Technical Security Measures
   Circular: 16-01, Sec. 25 Transfer of Personal Data - Personal Productivity Software

31. Does your organization encrypt personal data transferred to or stored on external portable media used by the agency or organization?
   Data Privacy Act: Sec. 20 Security of Personal Information
   IRR: Sec. 28 Guidelines for Technical Security Measures
   Circular: 16-01, Sec. 26 Transfer of Personal Data - Portable Media

32. Does your organization use authentication technology to access physical media into which personal data is physically transferred?
   Data Privacy Act: Sec. 20 Security of Personal Information
   IRR: Sec. 28 Guidelines for Technical Security Measures
   Circular: 16-01, Sec. 27 Transfer of Personal Data - Removable Physical Media

33. Does your organization prohibit the use of fax machines in the transfer of personal data?
   Data Privacy Act: Sec. 20 Security of Personal Information
   IRR: Sec. 28 Guidelines for Technical Security Measures
   Circular: 16-01, Sec. 28 Transfer of Personal Data - Fax Machines

34. Does your organization have rules governing the postal transfer of documents or media containing personal data to a designated authorized person?
   Data Privacy Act: Sec. 20 Security of Personal Information
   IRR: Sec. 28 Guidelines for Technical Security Measures
   Circular: 16-01, Sec. 29 Transfer of Personal Data - Transmittal

Managing Third Party Risk

35. Does your organization maintain data privacy requirements for third parties (e.g. clients, vendors, processors, affiliates)?
   Data Privacy Act: Sec. 3 (i) Definition of Terms - Personal Information Processor; Sec. 14 Subcontract of Personal Information
   IRR: Sec. 33 Applicability to Government Contractors; Sec. 43 Outsourcing and Subcontracting Agreements - Subcontract of Personal Data
   Circular: 16-01, Sec. 10 Storage of Personal Data - Service Provider as Personal Information Processor; 16-01, Sec. 32 Disposal of Personal Data - Third-Party Service Providers

36. Does your organization maintain procedures to execute contracts or agreements with all personal data processors and third-party service providers?
   Data Privacy Act: Sec. 20 (d) Security of Personal Information
   IRR: Sec. 44 Outsourcing and Subcontracting Agreements - Agreements for Outsourcing
   Circular: 16-01, Sec. 16 Contractors, Consultants and Service Providers

37. Does your organization regularly conduct due diligence on third party data processors through appropriate certification and verification procedures?
   Data Privacy Act: Sec. 20 (d) Security of Personal Information
   IRR: Sec. 45 Outsourcing and Subcontracting Agreements - Duty of Personal Information Controller; Sec. 50 Rules on Accountability - Accountability for Transfer of Personal Data
   Circular: 16-01, Sec. 12 Recommended Independent Verification or Certification

38. Does your organization have policies and procedures ensuring that consent of the data subject is obtained before data sharing arrangements between private personal information controllers are made?
   Data Privacy Act: Sec. 12 Criteria for Lawful Processing of Personal Information
   IRR: Sec. 20 (b) General Principles for Data Sharing; Sec. 3 (f) Definitions - Data Sharing
   Circular: 16-02, Sec. 4 Consent

39. Does your organization have policies and procedures ensuring that consent of the data subject is obtained before data sharing arrangements with third parties are made by a public personal information controller?
   Data Privacy Act: Sec. 12 Criteria for Lawful Processing of Personal Information
   IRR: Sec. 20 (d) General Principles for Data Sharing - Data Sharing Between Government Agencies
   Circular: 16-02, Sec. 4 Consent

40. Do your organization's data sharing agreements comply with the requirements of the law?
   Data Privacy Act: Sec. 21 Accountability for Transfer of Personal Information
   IRR: Sec. 50 Rules on Accountability - Accountability for Transfer of Personal Data
   Circular: 16-02, Sec. 6 (A)-(J) Consent of Data Sharing Agreement; 16-02, Sec. 10 Accountability for Cross-border Transfer of Personal Data; 16-02, Sec. 12 Security of Personal Data

41. Does your organization use a secure encrypted link via middleware whenever it grants online access to personal data under its control?
   Data Privacy Act: Sec. 20 Security of Personal Information
   IRR: Sec. 28 Guidelines for Technical Security Measures
   Circular: 16-02, Sec. 7 Online Access

42. Does your organization conduct mandatory reviews of data sharing agreements upon their expiration?
   Data Privacy Act: Sec. 21 Accountability for Transfer of Personal Information
   IRR: Sec. 50 Rules on Accountability - Accountability for Transfer of Personal Data
   Circular: 16-02, Sec. 14 Mandatory Periodic Review

43. Does your organization have procedures for ensuring that personal data transferred to other parties by virtue of a data sharing agreement shall be returned, destroyed, or disposed of upon its termination?
   Data Privacy Act: Sec. 21 Accountability for Transfer of Personal Information
   IRR: Sec. 50 Rules on Accountability - Accountability for Transfer of Personal Data
   Circular: 16-02, Sec. 17 Return, Destruction, or Disposal of Transferred Personal Data

Data Breach Management Program

44. Does your organization have a process for identifying and assessing reasonably foreseeable vulnerabilities in its computer networks, and for taking preventive, corrective and mitigating action against security incidents?
   Data Privacy Act: Sec. 20 (c) (2) Security of Personal Information
   IRR: Sec. 28 (d) Guidelines for Technical Security Measures
   Circular: 16-03, Sec. 6 (C) Preventive or Minimization Measures

45. Does your organization regularly monitor for security breaches and take preventive, corrective and mitigating action against security incidents?
   Data Privacy Act: Sec. 20 (c) Security of Personal Information
   IRR: Sec. 28 (d) Guidelines for Technical Security Measures
   Circular: 16-03, Sec. 6 (D) Preventive or Minimization Measures

46. Does your organization have a Security Incident Management Policy?
   Data Privacy Act: Sec. 20 (c) Security of Personal Information
   IRR: Sec. 26 (e) Organizational Security Measures - Processing of Personal Data
   Circular: 16-03, Sec. 4 Security Incident Management Policy

47. Does your organization have a Data Breach Response Team?
   Data Privacy Act: Sec. 20 (c) Security of Personal Information
   IRR: Sec. 26 (e) Organizational Security Measures - Processing of Personal Data
   Circular: 16-03, Sec. 5 Data Breach Response Team

48. Does your organization regularly conduct privacy impact assessments?
   Data Privacy Act: Sec. 20 (c) Security of Personal Information
   IRR: Sec. 26 (b) Organizational Security Measures - Data Protection Policies
   Circular: 16-03, Sec. 6 (A) Preventive or Minimization Measures

49. Does your organization have a Data Governance Policy?
   Data Privacy Act: Sec. 20 (c) Security of Personal Information
   IRR: Sec. 25 Data Privacy and Security
   Circular: 16-03, Sec. 6 (B) Preventive or Minimization Measures

50. Does your organization have capable personnel who have knowledge of data breach management principles and internal procedures for responding to security threats?
   Data Privacy Act: Sec. 20 (c) Security of Personal Information
   IRR: Sec. 26 (d) Organizational Security Measures - Management of Human Resources
   Circular: 16-03, Sec. 6 (E) Preventive or Minimization Measures

51. Does your organization have back-up solutions in case of data breach?
   Data Privacy Act: Sec. 20 (c) Security of Personal Information
   IRR: Sec. 28 Guidelines for Technical Security Measures
   Circular: 16-03, Sec. 7 (A) Availability, Integrity and Confidentiality of Personal Data

52. Does your organization have security incident response and monitoring procedures?
   Data Privacy Act: Sec. 20 (c) Security of Personal Information
   IRR: Sec. 26 (e) Organizational Security Measures - Processing of Personal Data
   Circular: 16-03, Sec. 8 Guidelines for Incident Response Policy and Procedure - Policies and Procedures

53. Does your organization have a system for documenting all actions addressing security incidents?
   Data Privacy Act: Sec. 20 (c) Security of Personal Information
   IRR: Sec. 26 (e) Organizational Security Measures - Processing of Personal Data
   Circular: 16-03, Sec. 9 Guidelines for Incident Response Policy and Procedure - Documentation

54. Does your organization regularly review its incident response policy and procedure?
   Data Privacy Act: Sec. 20 (c) Security of Personal Information
   IRR: Sec. 26 (b) Organizational Security Measures - Data Protection Policies
   Circular: 16-03, Sec. 10 Guidelines for Incident Response Policy and Procedure - Regular Review

55. Does your organization comply with personal data breach notification requirements?
   Data Privacy Act: Sec. 20 (f) Security of Personal Information
   IRR: Secs. 38-42 Data Breach Notification
   Circular: 16-03, Sec. 11 When Notification is Required

56. Does your organization have policies and procedures for notifying data subjects of a breach?
   Data Privacy Act: Sec. 20 (f) Security of Personal Information
   IRR: Secs. 38-42 Data Breach Notification
   Circular: 16-03, Sec. 18 Notification of Data Subjects

57. Does your company have policies and procedures for notifying the Commission of a data breach?
   Data Privacy Act: Sec. 20 (f) Security of Personal Information
   IRR: Secs. 38-42 Data Breach Notification
   Circular: 16-03, Sec. 22 Reportorial Requirements

Monitoring Mechanisms for New and Current Operational Practices

58. Maintenance and conduct of Privacy Impact Assessment guidelines for new and existing programs, systems, processes and projects.
   Data Privacy Act: Sec. 20 (c) Security of Personal Information
   IRR: Sec. 26 (b) Organizational Security Measures - Data Protection Policies
   Circular: 16-01, Sec. 4 General Obligations

Managing the Legal Environment

59. There is a process to monitor and comply with the applicable legal requirements in all the jurisdictions in which the organisation handles data.

60. There is a process to monitor and comply with the applicable legal requirements in all the jurisdictions in which the organisation handles data.

61. The legal implications of any data transfers, including cross-border data transfers, have been considered.

62. Review ongoing long-term contracts for new and previously unconsidered privacy risks.

63. Identify ongoing data protection compliance laws and codes.

64. Maintain a record/report of existing and new laws and regulations governing data privacy.

65. Seek advisory opinions from the NPC for ambiguities in the law or for new legal developments.

66. The legal implications of the use of any third parties to handle data on the organisation's behalf have been considered.
CHECKLIST FOR DPO

30-Day
- Draw up your TOR. Be sure to get an assurance that you shall be reimbursed in case of litigation related to the Data Privacy Act.
- If your agency is considered medium- or high-risk, you may want to consider forming a data protection task force or committee, or at the least, having an assistant DPO.
- Register your appointment/designation with the NPC; likewise, update the agency's website to reflect such.
- Join an existing network of privacy professionals, such as the IAPP (International Association of Privacy Professionals). Or organize one yourself; perhaps the CIO Forum could have a special interest group for DPOs.
- Reach out to your counterpart in a similar agency in Europe, Canada, Australia or the US. He or she can coach you about the role, and can share their best practices.
- Send out an RFQ for an external consultant to do an IT Security audit to discover what your agency's "pre-existing conditions" are.
- Send out an RFQ for a software application to assist you in monitoring compliance of the agency. These tools should include features such as workflow management and document management.
- Obtain an agency inventory of processes that handle personal data, including the list of process owners.

60-Day
- Select a software application to assist you in monitoring compliance of the agency. These tools should include features such as workflow management and document management.
- Develop your own plan for continuing education and consider working towards a certification such as IAPP's CIPT and CIPM certifications.
- Schedule workshops with all process owners to do a Privacy Impact Assessment (PIA) of the process/es which they own.
- Use the results of the PIAs to begin drawing up your agency's control framework for privacy and data protection.
- Select an external consultant to conduct an IT Security audit, and initiate such audit.
- Establish a breach management framework.

90-Day
- Review results of the IT Security audit with top management.
- Ensure that all those who are handling personal data have been issued a security clearance by the head of agency.
- With the help of HR, Legal, IT, and Security, begin drafting your agency's privacy and data protection policies. If your agency handles personal data for more than 1,000 individuals, NPC recommends the use of the ISO/IEC 27002 control set as the minimum standard to assess any gaps in your control framework.
- Select a governance framework that will help you strategize and orchestrate the implementation of the agency's privacy programs. There are several available, and you may want to start with a simple one. Within 12 to 18 months, you can then assess whether you need to evolve to a more advanced framework. This is consistent with an approach of continuous assessment and development, taking into account inputs from top management and the process owners.
- Conduct a breach management drill, prioritizing those processes with the highest privacy risk.
CHECKLIST FOR HEAD OF AGENCY

30-Day
- Designate a DPO and ensure he/she has access to top management. This can be done either through direct reporting on the organizational structure, or through membership in the executive committee. It is important that your DPO is constantly up-to-date on the strategic issues and change drivers that are impacting your agency.
- Send out an announcement to the agency that the DPO is the "privacy champion" and the point of contact within the agency for anything related to compliance with the Data Privacy Act.

60-Day
- Support your DPO in scheduling PIA workshops, and in ensuring that the process owner(s) take full ownership of the PIA outputs.
- Ask the DPO for a calendar of training and education events related to privacy management.

90-Day
- Ensure that breach drills are being conducted on a regular basis.
- Ask the DPO for results of the IT Security audit and the Privacy Impact Assessments.
