Management and Governance
Each item below gives the checklist question, followed by the section and title of the Data Privacy Act (DPA) it maps to, the section and title of the Implementing Rules and Regulations (IRR), and the NPC Circular (circular number, section and title) that applies. Item numbers are those printed on the page; a blank entry means the page cites nothing in that column.
1. Have you appointed a Data Protection Officer who will be responsible for data protection compliance in your organization?
   DPA: Sec. 21 (b) Accountability for Transfer of Personal Information
   IRR: Sec. 26 (a) Organizational Security Measures - Compliance Officers
   NPC Circular: 16-01. Sec. 3 (F) Definition of Terms - Data Protection Officer; 16-01. Sec. 4 (A). General Obligations

(unnumbered) Have you registered your personal data processing activities with the NPC?
   DPA: Sec. 20 (c) Security of Personal Information
   IRR: Sec. 46. Registration and Compliance Requirements - Enforcement of the Data Privacy Act
   NPC Circular: 16-01. Sec. 4 (E) General Obligations

5. Have you formulated your organization's Control Framework for Data Protection?
   DPA: Sec. 20 (c) Security of Personal Information
   IRR: (none cited)
   NPC Circular: 16-01. Sec. 6. General Provisions - Control Framework for Data Protection

9. Does your organization have policies/procedures for providing data subjects with access to their personal information, including its sources, recipients, method of collection, purpose of disclosure to third parties, automated processes, date of last access, and identity of the controller?
   DPA: Sec. 16 (c) Rights of the Data Subject
   IRR: Sec. 34 (c) Rights of Data Subjects - Right to Access
   NPC Circular: 16-01. Sec. 4 (C) General Obligations

10. Does your organization allow data subjects to dispute inaccuracy or error of their personal information, including policies/procedures to keep the same up to date?
   DPA: Sec. 16 (d) Rights of the Data Subject
   IRR: Sec. 34 (d) Rights of Data Subjects - Right to Rectification
   NPC Circular: 16-01. Sec. 4 (C) General Obligations

11. Does your organization have policies/procedures that allow a data subject to suspend, withdraw or order the blocking, removal or destruction of their personal information if outdated, false, unlawfully obtained, unnecessary or used for unauthorized purposes?
   DPA: Sec. 16 (e) Rights of the Data Subject
   IRR: Sec. 34 (e) Rights of Data Subjects - Right to Erasure or Blocking
   NPC Circular: 16-01. Sec. 4 (C) General Obligations

12. Does your organization have procedures for accepting and addressing complaints from data subjects?
   DPA: Sec. 16 (b) (8) Rights of the Data Subject
   IRR: Sec. 26 (e) (4) Organizational Security Measures - Processing of Personal Data
   NPC Circular: 16-01. Sec. 4 (C) General Obligations

13. Does your organization allow data subjects to obtain copies of their personal data in a commonly portable format?
   DPA: Sec. 18 Right to Data Portability
   IRR: Sec. 36 Right to Data Portability
   NPC Circular: 16-01. Sec. 4 (C) General Obligations
Retention Stage
14. Does your organization maintain policies/procedures for retaining personal data for only a limited period or until the purpose of the processing has been achieved?
   DPA: Sec. 16 (b) (7) Rights of the Data Subject; Sec. 16 (e) Rights of the Data Subject
   IRR: Sec. 26 (e) 5. Organizational Security Measures - Processing of Personal Data
   NPC Circular: 16-01. Sec. 4 (C) General Obligations
Destruction/Disposal Stage
15. Does your organization have policies/procedures for ensuring that data is securely destroyed or disposed of?
   DPA: Sec. 27. Improper Disposal of Personal Information and Sensitive Personal Information
   IRR: Sec. 26 (e) 5. Organizational Security Measures - Processing of Personal Data; Sec. 54 Improper Disposal of Personal Information and Sensitive Personal Information
   NPC Circular: 16-01. Sec. 30. Disposal of Personal Data - Archival Obligations; 16-01. Sec. 31. Disposal of Personal Data - Procedures

17. Are your employees bound by strict confidentiality?
   DPA: Sec. 20 (e) Security of Personal Information; Sec. 32. Unauthorized Disclosure
   IRR: Sec. 12. Confidentiality of Personal Data; Sec. 26 (d) Management of Human Resources
   NPC Circular: 16-01. Sec. 6. General Provisions - Control Framework for Data Protection

19. Does your organization encrypt all digitally processed personal data?
   DPA: Sec. 20 Security of Personal Information
   IRR: Sec. 28 Guidelines for Technical Security Measures
   NPC Circular: 16-01. Sec. 8. Storage of Personal Data - Encryption of Personal Data

20. Does your organization restrict access to personal data only to those with appropriate security clearance?
   DPA: Sec. 20 Security of Personal Information
   IRR: Sec. 27 Physical Security Measures
   NPC Circular: 16-01. Sec. 9. Storage of Personal Data - Restricted Access

22. Does your organization restrict access to personal information only to programs licensed or developed by it?
   DPA: Sec. 20 Security of Personal Information
   IRR: Sec. 27 Physical Security Measures
   NPC Circular: 16-01. Sec. 14. Agency Access to Personal Data - Access to or Modification of Databases

23. Does your organization have an acceptable use policy?
   DPA: Sec. 20 Security of Personal Information
   IRR: Sec. 28 Guidelines for Technical Security Measures
   NPC Circular: 16-01. Sec. 17. Agency Access to Personal Data - Acceptable Use Policy; Definition of Terms - Acceptable Use Policy

24. Does your organization have a system management tool which defines agency personnel access rights through a secure encrypted link and multi-factor authentication?
   DPA: Sec. 20 Security of Personal Information
   IRR: Sec. 28 Guidelines for Technical Security Measures
   NPC Circular: 16-01. Sec. 18. Agency Access to Personal Data - Online Access to Personal Data

25. Does your organization use technology that prevents the creation of localized copies of personal data accessed online or remotely?
   DPA: Sec. 20 Security of Personal Information
   IRR: Sec. 28 Guidelines for Technical Security Measures
   NPC Circular: 16-01. Sec. 19. Agency Access to Personal Data - Local Copies of Personal Data Accessed Online

26. Does your organization require external devices accessing personal data on agency computer equipment to conform to agency or organization standards?
   DPA: Sec. 20 Security of Personal Information
   IRR: Sec. 28 Guidelines for Technical Security Measures
   NPC Circular: 16-01. Sec. 20. Agency Access to Personal Data - Authorized Devices

27. Does your organization use technology that provides for remote disconnection of mobile devices used by the agency or the organization and deletion of personal data contained therein?
   DPA: Sec. 20 Security of Personal Information
   IRR: Sec. 28 Guidelines for Technical Security Measures
   NPC Circular: 16-01. Sec. 21. Agency Access to Personal Data - Remote Disconnection or Deletion

28. Does your organization keep access logs for paper-based or physical media-based personal data?
   DPA: Sec. 20 Security of Personal Information
   IRR: Sec. 28 Guidelines for Technical Security Measures
   NPC Circular: 16-01. Sec. 22. Agency Access to Personal Data - Paper-based Filing System
Transfer of Personal Data
29. Does your organization have an encryption system for transfers of personal data via electronic mail?
   DPA: Sec. 20 Security of Personal Information
   IRR: Sec. 28 Guidelines for Technical Security Measures
   NPC Circular: 16-01. Sec. 24. Transfer of Personal Data - Emails

30. Does your organization use security controls covering personal productivity software accessing personal data?
   DPA: Sec. 20 Security of Personal Information
   IRR: Sec. 28 Guidelines for Technical Security Measures
   NPC Circular: 16-01. Sec. 25. Transfer of Personal Data - Personal Productivity Software

31. Does your organization encrypt personal data transferred to or stored on external portable media used by the agency or organization?
   DPA: Sec. 20 Security of Personal Information
   IRR: Sec. 28 Guidelines for Technical Security Measures
   NPC Circular: 16-01. Sec. 26. Transfer of Personal Data - Portable Media

32. Does your organization use authentication technology to access physical media into which personal data is physically transferred?
   DPA: Sec. 20 Security of Personal Information
   IRR: Sec. 28 Guidelines for Technical Security Measures
   NPC Circular: 16-01. Sec. 27. Transfer of Personal Data - Removable Physical Media

33. Does your organization prohibit the use of fax machines in the transfer of personal data?
   DPA: Sec. 20 Security of Personal Information
   IRR: Sec. 28 Guidelines for Technical Security Measures
   NPC Circular: 16-01. Sec. 28. Transfer of Personal Data - Fax Machines

34. Does your organization have rules governing the postal transfer of documents or media containing personal data to a designated authorized person?
   DPA: Sec. 20 Security of Personal Information
   IRR: Sec. 28 Guidelines for Technical Security Measures
   NPC Circular: 16-01. Sec. 29. Transfer of Personal Data - Transmittal
36. Does your organization maintain procedures to execute contracts or agreements with all personal data processors and third-party service providers?
   DPA: Sec. 20 (d) Security of Personal Information
   IRR: Sec. 44. Outsourcing and Subcontracting Agreements - Agreements for Outsourcing
   NPC Circular: 16-01. Sec. 16. Contractors, Consultants and Service Providers

37. Does your organization regularly conduct due diligence on third-party data processors through appropriate certification and verification procedures?
   DPA: Sec. 20 (d) Security of Personal Information
   IRR: Sec. 45. Outsourcing and Subcontracting Agreements - Duty of Personal Information Controller; Sec. 50. Rules on Accountability - Accountability for Transfer of Personal Data
   NPC Circular: 16-01. Sec. 12. Recommended Independent Verification or Certification

38. Does your organization have policies and procedures ensuring that consent of the data subject is obtained before data sharing arrangements between private personal information controllers are made?
   DPA: Sec. 12. Criteria for Lawful Processing of Personal Information
   IRR: Sec. 20 (b) General Principles for Data Sharing; Sec. 3 (f) Definitions - Data Sharing
   NPC Circular: 16-02. Sec. 4. Consent

39. Does your organization have policies and procedures ensuring that consent of the data subject is obtained before data sharing arrangements with third parties are made by a public personal information controller?
   DPA: Sec. 12. Criteria for Lawful Processing of Personal Information
   IRR: Sec. 20 (d) General Principles for Data Sharing - Data Sharing Between Government Agencies
   NPC Circular: 16-02. Sec. 4. Consent

40. Do your organization's data sharing agreements comply with the requirements of the law?
   DPA: Sec. 21 Accountability for Transfer of Personal Information
   IRR: Sec. 50. Rules on Accountability - Accountability for Transfer of Personal Data
   NPC Circular: 16-02. Sec. 6 (A)-(J) Contents of Data Sharing Agreement; 16-02. Sec. 10. Accountability for Cross-border Transfer of Personal Data

41. Does your organization use a secure encrypted link via middleware whenever it grants online access to personal data under its control?
   DPA: Sec. 20 Security of Personal Information
   IRR: Sec. 28 Guidelines for Technical Security Measures
   NPC Circular: 16-02. Sec. 7. Online Access

42. Does your organization conduct mandatory reviews of data sharing agreements upon their expiration?
   DPA: Sec. 21 Accountability for Transfer of Personal Information
   IRR: Sec. 50. Rules on Accountability - Accountability for Transfer of Personal Data
   NPC Circular: 16-02. Sec. 14. Mandatory Periodic Review

43. Does your organization have procedures for ensuring that personal data transferred to other parties by virtue of a data sharing agreement is returned, destroyed, or disposed of upon its termination?
   DPA: Sec. 21 Accountability for Transfer of Personal Information
   IRR: Sec. 50. Rules on Accountability - Accountability for Transfer of Personal Data
   NPC Circular: 16-02. Sec. 17. Return, Destruction, or Disposal of Transferred Personal Data
45. Does your organization regularly monitor for security breaches and take preventive, corrective and mitigating action against security incidents?
   DPA: Sec. 20 (c) Security of Personal Information
   IRR: Sec. 28 (d) Guidelines for Technical Security Measures
   NPC Circular: 16-03. Sec. 6 (D). Preventive or Minimization Measures

46. Does your organization have a Security Incident Management Policy?
   DPA: Sec. 20 (c) Security of Personal Information
   IRR: Sec. 26 (e) Organizational Security Measures - Processing of Personal Data
   NPC Circular: 16-03. Sec. 4. Security Incident Management Policy

47. Does your organization have a Data Breach Response Team?
   DPA: Sec. 20 (c) Security of Personal Information
   IRR: Sec. 26 (e) Organizational Security Measures - Processing of Personal Data
   NPC Circular: 16-03. Sec. 5. Data Breach Response Team

48. Does your organization regularly conduct privacy impact assessments?
   DPA: Sec. 20 (c) Security of Personal Information
   IRR: Sec. 26 (b) Organizational Security - Data Protection Policies
   NPC Circular: 16-03. Sec. 6 (A). Preventive or Minimization Measures

49. Does your organization have a Data Governance Policy?
   DPA: Sec. 20 (c) Security of Personal Information
   IRR: Sec. 25 Data Privacy and Security
   NPC Circular: 16-03. Sec. 6 (B). Preventive or Minimization Measures

50. Does your organization have capable personnel who have knowledge of data breach management principles and internal procedures for responding to security threats?
   DPA: Sec. 20 (c) Security of Personal Information
   IRR: Sec. 26 (d) Organizational Security Measures - Management of Human Resources
   NPC Circular: 16-03. Sec. 6 (E). Preventive or Minimization Measures

51. Does your organization have back-up solutions in case of a data breach?
   DPA: Sec. 20 (c) Security of Personal Information
   IRR: Sec. 28 Guidelines for Technical Security Measures
   NPC Circular: 16-03. Sec. 7 (A). Availability, Integrity and Confidentiality of Personal Data

52. Does your organization have security incident response and monitoring procedures?
   DPA: Sec. 20 (c) Security of Personal Information
   IRR: Sec. 26 (e) Organizational Security Measures - Processing of Personal Data
   NPC Circular: 16-03. Sec. 8. Guidelines for Incident Response Policy and Procedure - Policies and Procedures

53. Does your organization have a system for documenting all actions addressing security incidents?
   DPA: Sec. 20 (c) Security of Personal Information
   IRR: Sec. 26 (e) Organizational Security Measures - Processing of Personal Data
   NPC Circular: 16-03. Sec. 9. Guidelines for Incident Response Policy and Procedure - Documentation

54. Does your organization regularly review its incident response policy and procedure?
   DPA: Sec. 20 (c) Security of Personal Information
   IRR: Sec. 26 (b) Organizational Security - Data Protection Policies
   NPC Circular: 16-03. Sec. 10. Guidelines for Incident Response Policy and Procedure - Regular Review

55. Does your organization comply with personal data breach notification requirements?
   DPA: Sec. 20 (f) Security of Personal Information
   IRR: Secs. 38-42 Data Breach Notification
   NPC Circular: 16-03. Sec. 11. When Notification Is Required

56. Does your organization have policies and procedures for notifying data subjects of a breach?
   DPA: Sec. 20 (f) Security of Personal Information
   IRR: Secs. 38-42 Data Breach Notification
   NPC Circular: 16-03. Sec. 18. Notification of Data Subjects

57. Does your company have policies and procedures for notifying the Commission of a data breach?
   DPA: Sec. 20 (f) Security of Personal Information
   IRR: Secs. 38-42 Data Breach Notification
   NPC Circular: 16-03. Sec. 22. Reportorial Requirements
60. There is a process to monitor and comply with the applicable legal requirements in all the jurisdictions in which the organisation handles data.
61. The legal implications of any data transfers, including cross-border data transfers, have been considered.
62. Review ongoing long-term contracts for new and previously unconsidered privacy risks.
64. Maintain a record/report of existing and new laws and regulations governing data privacy.
65. Seek advisory opinions from the NPC for ambiguities in the law or for new legal developments.
66. The legal implications of the use of any third parties to handle data on the organisation's behalf have been considered.
CHECKLIST FOR DPO

30-Day: Draw up your TOR. Be sure to get an assurance that you shall be reimbursed in case of litigation related to the Data Privacy Act.

60-Day: Select a software application to assist you in monitoring compliance of the agency. These tools should include features such as workflow management and document management.

90-Day: Review results of IT Security audit with top management.