Republic of the Philippines DEPARTMENT OF TRANSPORTATION 07 June 2019 { DEPARTMENT ORDER NO. 2.0101 O11 To: All Officials/Employees All Others Concerned Subject: DOTr Data Privacy Guidelines A. Rationale: With the advances in information technology like rapid growth of the digital economy and increasing international trade data, private data/information can easily be disclosed. As a precautionary measure, the government Issued Republic Act No. 10173 or the Data Privacy Act of 2012 (DPA), including its Implementing Rules and Regulations (IRs) and other issuances from the National Privacy Commission (NPC}, to strengthen personal data security and protection, ‘These guidelines are issued in compliance with the DPA as the Department values and respects the data privacy rights of its stakeholders (internal/external) and to ensure that all personal data/ information, whether physical or digital, collected from its officials/employees, clients, customers and other stakeholders in the course of its business are collected and processed in accordance with the generat principles of transparency, legitimacy, accuracy, integrity and confidentiality. B. Objectives: 1. To ensure that the Department follows/complies with the laws, rules and regulations on data privacy. 2. To have a clear/transparent policy on the processes of collection, use, storage, retention, distribution and destruction of personal data/information gathered/collected. 3. To identify personal data/information gathered/collected and ascertain their proper usage and disposal, 1 FPNATUGO CORNER OSMERA ROAD ‘RUNKLINE:750.5300/790 300 Guam REPORT ZONE 2009 DOT ACTIONCENTER HOTUNE: 7850, PAMPANGA, PHLPONESc 4, To identify offices/persons responsible/authorized to collect and OD lose specific personal data/information to parties who may request them. 5. To ensure that the personal data/information gathered/collected are properly managed, secured and protected, 6. To establish a process for escalating, managing and resolving breaches and violations to Data Privacy. Definition of Terms: 1. Data Privacy Act (DPA) ~ Republic Act No. 10173, otherwise known as the Data Privacy Act of 2012, including its Implementing Rules and Regulations, and other issuances related thereto. It is an Act protecting individual personal information in information and communications systems in the government and the private sector, creating for this purpose a National Privacy Commission, and for other purposes. 2. Data Subject - refers to an individual whose personal, sensitive personal or privileged information is processed by the Department. it may refer to officials, employees, consultants, clients and other stakeholders of the Department. 3. Department or DOTr ~ refers to the Department of Transportation. 4, Data Protection Officer (DPO) — oversees the compliance of the Department with the DPA, its IRR and other related policies, including the conduct of a Privacy Impact Assessment, implementation of security measures, security incident and data breach protocol and inquiry and complaints procedures, among others. 5, National Archives of the Philippines (NAP) — is mandated to plan, develop, prescribe, disseminate, and enforce policies, rules and regulations and coordinate government-wide programs governing the creation, general protection, use, storage and disposition of public records. 6. National Privacy Commission (NPC) - in charge of administering and implementing the provisions of the Data Privacy Act of 2012 (R.A. 10173) and its Implementing Rules and Regulations and monitoring and ensuring compliance of the country with international data protection standards. 7. Personal Data ~ refers to any data specific to a person such as name, mailing address, phone number, employer and job title, It also refers to sensitive personal information about an 210. ul. 12. 23, 14, 15, O ® individual's race, ethnic origin, marital status, age, color, religion, philosophical or political affiliations, health, education, genetic or sexual life, offense committed or alleged to have been committed and the disposal of such proceedings or the sentence of any court in such proceedings. It may also refer to data not specific to any person but may actually lead to an individuel’s identity such as fevorite color, regular bus route, college degree and others. Personal Data Breach ~ refers to a breach of security and/or violation of protocols leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or processed. Types of personal data breach are (a) availability breach (loss, accidental or unlawful destruction), (b} integrity breach (alteration), and {c) confidentiality breach (unauthorized disclosure or access). Personal Data Inventory — Includes the (a) types of personal data/information collected by the Department; (b) list of all data/information repositories/locations; (c) types of media used in storing the data/information; (d) risks associated with the processing of the data/ information; and (e) purpose or use for the data, Personal Information — refers to any information whether recorded in material form or not, from which the identity of the individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual. Personal Information Controller (PIC) ~ a person or organization who controls the collection, holding, processing or use of personal data/information and who instructs another person to collect, hold, process, use or disclose the same on his/her behalf, Personal Information Processor (PIP) ~ any natural or juridical person or any other body to ‘whom a PIC may outsource or instruct the processing of personal data pertaining to a Data Subject. Privacy Impact Assessment (PIA) — process undertaken to evaluate and manage the impact on privacy of a particular project, program, process or measure. Processing —refers to any operation or any set of operations performed upon the personal data/ Information including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data (whether manually, electronically or any other means). Security Measures — aim to maintain the availability, integrity and confidentiality of personal data/information and protect them against natural dangers such as accidental loss or destruction, and human dangers such as unlawful access, fraudulent use, unlawful destruction, alteration and contamination.FB Scope and Limitation: ‘These guidelines are essentially an internal issuance and are meant for the use and application of the Department's officials/ersonnel (regardless of the type of employment or contractual arrangement) and persons/clientele and other stakeholders who have legitimate business deals with the Department. Privacy Policy The Department is committed to protecting the privacy of the personal data and information collected from its Data Subjects (officials/employees, clientele and other stakeholders) in the fulfillment of its mandate by ensuring full implementation of and compliance with the data protection principles and all relevant provisions under R.A. No. 10273, its Implementing Rules & Regulations and other related issuances. Privacy Notice The Department shall post in its website @ Privacy Notice (Annex 1) to inform all its Data Subjects that a system is in place ensuring protection of the personal data/information they submit to the Department with a link to the approved Department Order establishing the DOTr Data Privacy Guidelines. ‘The Privacy Notice shall also contain a feedback mechanism scheme for use by the Data Subjects in case they want to submit feedbacks, comments, complaints and concerns (please refer to Sec. 6.9, p. 11) Standard Procedures in the Processing of Personal Data/Information: The data life cycle or processing system (in existence within the Department), from collection of personal data/information to their actual use, storage or retention, accessibility and destruction, is established as follows: The Heads of all Offices/Divisions/Units or Specially-Created Ad Hoc Committees of the Department, or their representatives duly designated in writing, shall be named the Personal Information Controllers (PICs) in charge of all personal data/information collected by their respective offices/units.The Head of the Department shall designate in writing the Divisions/Units/Heads of Concerned Offices or their representatives as PIC/s. Collection a. The PIC shall identify, based on the Office's mandate and pertinent laws, the type or kind of personal data/information to be collected and the means of collection (manually, electronically or any other means) by conducting a regular Privacy Impact Assessment (PIA), including the maintenance of 2 Personal Data Inventory. In collecting personal data/information, the following attributes shall be considered: - Type of data/information to be collected - Reason/purpose/basis of collection - _ Person/office collecting the data/information ‘The basic rule to remember is not to collect any personal data/information if there is no need for it. b. The PIC shall ensure that the personal data/information gathered is reasonably necessary to carry out the official functions or activities of the Office. it must be for a specific and legal purpose and must not be used for any other purpose except for which it was obtained. ¢. Collection of the needed personal data/information shall have a prior written consent from the Data Subject, except where such consent is not required for its lawful processing as provided by law. Proof of Consent may be submitted separately using a standard format (Form No. 1, Annex 2) or may be incorporated/added in the form to be filled out, contract to be signed or any other document that will be submitted to the Department, containing the Data Subject’s personal data/information, which can be worded as follows: “This is to authorize the Department of Transportation (OOTr), or any of its Offices/Units, to collect, use, process and share the personal data/information | provided/submitted to complete my transaction with them only for the specific legitimate purpose for which it was collected. Signature over Printed Name of the Data Subject Date”2. Use The Department collects basic contact information of officials/employees, clientele/customers and other stakeholders for documentation as required/needed for a particular transaction/ business purpose and in compliance with laws, rules, regulations, policies and requirements issued by the following government organizations/institutions: = Civil Service Commission = Commission on Audit - Department of Budget & Management = Bureau of Internal Revenue = Congress of the Philippines - National Archives of the Philippines - Office of the President - Office of the Ombudsman = Department of Foreign Affairs ~ Bureau of the Treasury = Government Procurement and Policy Board = Others as may be specified by law 3. Storage/Safekeeping ‘a, The PIC shall see to it that documents containing personal data/information under his/her custody/responsibility, once collected in accordance with law, are reasonably protected against unauthorized use/access and against any accidental or unlawful destruction and alteration, b. Thus, the PIC shall develop guidelines/procedures and forms/reports to accomplish (if needed) and ensure a reasonably secured/protected physical or digital storage of the personat data/information collected by his/her Office/Unit. Based on the inventory listings submitted by the different Offices of the Department, the following are the sample/typical personal data/information collected by them:oO Personal Data/information Documents prepared/ collected based on initial submitted by Data Subjects documents submitted Receiving Office DOTr Officials and Employees Personal Data Sheet Name Personal Division ‘Appointment/contract Address Medical/Dental Unit Service Record Birthday Certificate of Employment —_| Telephone Number Statement of Assets, Liabilities | E-mail Address & Net Worth (SALN) Civil Status Travel Authority Parent's Name Gate Pass Name of Dependents Medical Records SIS Number (for permanent Individual Performance and contractual employees) Commitment and Review Employee’s ID (pcr) Tax Identification Number Division Performance (rin) Commitment and Review Service Record (OPCR) Performance Rating Report Number of Tardy and availed Leaves of Absence Status of Employment Present Position Net Worth Trainings/Seminars Attended Whereabouts Health Condition Monthly Payroll Name Treasury Division Application Form re: Opening | Address of- Birthday ATM Account Telephone Number + Membership to Civil Status Philhealth/PAGIBIG —_ | Employee’s ID List of Due and Demandable | TIN ‘Accounts Payable with Advice | Payslip to Debit Account (LODAP-ADA) | ATM Account Number Certificate of Compensation _| Philhealth Membership. Payment/Tax Withheld (BIR | Account ID Number Form 2316) PAGIBIG Membership 1D Application for Bond of Number Accountable Officers Gross Compensation Income Amount of Bond Risk Number DOTr Clients/CustomersContractor/Supplier Bidding Documents Name Procurement Planning Price Quotation Business Address Division Contract/Purchase Order TIN BAC Secretariat Division LDDAP-ADA Telephone Number Treasury Division Birthday Civil Status SSS Number PCAB License Number DTI Registration Number Bank Account Number PETC Applicants Duly Accomplished Application | Name FRS/ISLES Form and required supporting | Address documents Telephone Number Birthday | Civil Status | SSS Membership Certificate TIN DTI Accreditation Certificate Income Tax Return Resource Speakers/Officials & | Employees of DOTr Sectoral Offices/Attached Agencies requesting for Foreign Travel Authority Curriculum Vitae/Personal | Name Human Resource Data Sheet Telephone Number Development Division Birthday Civil Status E-mail Address TIN Training/Experience Service Record Parent’s Name Educational Attainment Passport Number ¢. Personal data/information maintained must be kept accurate and updated. Every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are taken, are processed, erased or rectified withoutOQ OQ delay. A regular review shall also be undertaken by the PIC to ensure that only the latest requirements are collected. d. Data Subject should be responsible in notifying the concerned office of any changes for updating of records. Any request for updating must be done in writing, In case of personal data/information withdrawal, request must also be done in writing. 4, Retention/Destruction a, Personal data/information collected must have a definite period of retention or should be maintained only as long as necessary. if purpose of collection has been served, personal data/information collected (whether in hard or electronic forms) must be disposed or discarded in accordance with pertinent laws such as those issued by the National Archives of the Philippines (NAP) in such a way that would prevent further processing, unauthorized access or disclosure to any other party or the public. 5. Access a. To maintain the confidentiality and to protect the personal data/information held by the Department, access must be limited only to the PIC, PIP (staff within the division/unit in charge of processing) and to the Data Subject or his/her authorized representative. Any person/entity requesting to access the data/information collected, for purposes other than what was originally intended, shall seek a written authorization from the Data Subject (Form No. 2, Annex 3}. b. Appropriate degree of protection such as physical, procedural and organizational measures shall be implemented as follows: - Documents shall be properly receipted from the Data Subject/authorized representative and shall be recorded in the official logbook of the PIC of the Receiving Office. - Due to the confidentiality of the personal data/information contained in official documents being processed, access shall only be allowed upon prior approval of the designated PIC,QO 6, Disclosure/Data Sharing a. All personal data/information that come to any Department personnel’s knowledge in the processing of any transaction must be kept confidential. It must be disclosed only pursuant to 2 lawful purpose and with consent and approval of the PIC/Department. b. Data Outsourcing Agreements A Data Outsourcing Agreement (DOA) must be entered into by the Department with any other party that may need access to the personal data/information collected from its Data Subjects. This party shall act as the Personal Information Processor (PIP) in behalf of the Department. ‘The DOA must include the following basic/minimum conditions for the PIP to comply: = Must only use the personal data/information obtained for the specific purpose as agreed upon. = Must not disclose personal date/information nor further outsource the data processing to external parties without prior consent of the Department. = Must maintain reasonable and appropriate security measures to protect the personal data/ information being handled such as, but not limited to: Y Secured and private workplace/limited access thereto, Y Well defined duties and responsibilities of personnel involved in the personal data/ Information processing. Y Protection of personal data/information and systems against accidental, unlawful or unauthorized usage to maintain their confidentiality, integrity and availability. Y Well-placed monitoring system. - Right of the Department to conduct audit/monitoring/inspection of the party's systems/facilities pertinent to the DOA. 7. Security Measures a. All personal data/information collected must be kept in a locked cabinet, stored in a computer (password-protected) or thru any other appropriate means which is accessible only to the designated/authorized PIC. Records stored shall not be taken out of the Office without written authorization. 109. 10. oO b. All PIPs are mandated to safeguard personal data/information collected/stored from unauthorized processing, access or disclosure including accidental loss, destruction and modification. Personal Data Breach Management To handle the Personal Data Breach Management, for the purpose of managing security incidents such as personal data breach, there is @ need to establish a Data Breach Response Team (DBRT) (the composition of which shall be based on law) who is responsible in coming up with clearly defined responsibilities (i.e., management of the Department's security incident management policy; management of security incidents and personal data breaches; compliance with the relevant provisions of R.A. 10173, its IRR and other related issuances on Personal Data Breach Management) and set of organizational, physical and technical security measures/policies to prevent or minimize the occurrence of personal data breach and assure a timely discovery of security incidents. The BRT shall submit a report to the National Privacy Commission (NPC), copy furnished the DOT OPO, within five (5) days upon knowledge or occurrence of the breach, unless granted additional time by them. Feedbacks/Comments/Complaints/Concerns For simple complaints/concerns, feedbacks and comments (other than those falling under Data Breach], Data Subjects and other interested parties may file their inquiries/complaints and may provide feedbacks/comments using a prescribed form (Form No. 3, Annex 4) with the Department's Data Protection Officer (DPO) in accordance with established procedures. If the nature of complaint/concern cannot be resolved thru dialogue/discussion between the DPO, the Data Subject and the concerned Office/Unit of the Department, the issue shall be referred to the Data Breach Response Team (DBRT) for resolution. Data Protection Office/Data Protection Officer (DPO) Qualifications of the Data Protection Officer: a. Should possess specialized knowledge and demonstrate reliability necessary for the performance of his/her duties and responsibilities. b. Should have expertise relevant to privacy or data protection policies and practices. 1c. Should have sufficient understanding of the processing operations being carried out by the PIC or PIP, including the latter’s information systems, data security/data protection needs, internal structures, policies and processes. d. Should be a full-time or organic employee or may be a holder of a career or appointive posi e. Preferably with background in Legal, Accounting, Human Resource Management and Information Technology. ‘The designated Data Protection Office/Data Protection Officer (2PO) of the Department shall have the following duties and responsi ies: a. Oversee/ensure the compliance of the Department with che DPA and its IRR, related policies, including the conduct of periodic assessment and review to ensure adequate implementation. b. Monitor the Department's Personal Data Processing activities, including the conduct of periodic audits and reviews, in order to ensure that all the Department's data privacy policies are adequately implemented by its officials, employees and other concerned Offices/Units. ©. Ensure the conduct by the PIC of a regular Privacy Impact Assessment (PIA) relative to his/her Office’s/Unit’s activities, measures, projects, programs or systems. d. Develop, establish and review policies and procedures for the exercise of by the Data Subjects of their rights under the DPA and other applicable data privacy laws, rules and regulations. fe. Act on feedbacks/complaints/other concerns submitted by the Data Subjects and call all concerned offices for possible solutions thereto. £. Serves as contact person of PIC vis-a-vis Data Subjects, the NPC and other authorities in all matters concerning data privacy or security and other concerns. g. Cooperate, coordinate and seek advice of the NPC on data privacy matters. 1211. Capacity Building ‘All Department officials and personnel, particularly those involved in the handling of personal data/information, shall undergo regular training programs or seminars to keep them updated in the developments in data privacy and security. 12. Penal Clauses Failure to comply with the provisions of this Department Order, R.A. No. 10173 and its IRR and all relevant laws pertinent to data privacy shall be ground for the following administrative penalties: toffense - —_—Reprimand 2 offense ‘Suspension of one (4) to thirty (30) days 3 Offense - Dismissal from the service ‘The Revised Rules on Administrative Cases in the Civil Service shall be applicable in the disposition of data privacy-related cases. More specific guidelines and procedures shall be issued from time to time to ensure the full implementation and compliance of this Department to R.A. 10173. For the strict compliance of all concerned. This Order shall take effect immediately. etl CF ® Jou ZA ow... RA, 10174 (Data Privacy Act of 2022) and its IRR thar NPC issuances Other Raference Materials on Data Privacy Source 13