Professional Documents
Culture Documents
quite a lot of
traveling and so this is really super appreciated so first off
first question did you ever think you would be a data protection officer
perhaps you can share with my students your professional journey probably let's start with your
undergrad course and what did you do soon after graduation um
so the floor is yours okay so thank you uh professor mia for having me over
and uh frankly i never thought that i would end up in
dpo as a matter of fact when i was taking up accountancy in my undergraduate there
was no internet yet so you know data privacy was not
you know wasn't in the area and immediately after college i joined
an ngo as project accountant and
after that i went into sales i went into sales
and then i worked also in the bank so when you told me that uh i'd be
talking about the application of data privacy app in the banking industry this has somehow
picked my interest and i mean i work there as a casa bookkeeper you know a current
account savings account keeper but since the salary of government was
very young by then and an offer from the private sector for credit investigator came in
uh i transferred a ci investigator
and while in law school i had to quit my ci job because i had to travel a lot and
have to attend my my law classes i was taken in by the
university of double believers as legal researcher for the university leader council
yeah wow what what a journey so you were a working student actually
um one section in in in one of my sections the banking
a lot of my students are really working students so i i mean i think you telling them that
it's really really appreciated so they can go a long way really but and i didn't know your
sort of banking background so this is such a perfect fit okay so being dpo
you are to my mind you are a trailblazer that is very courageous taking on a job uh where
neither your undergrad course which is accountancy know your work experience
has anything to do with data privacy law i guess because you said there was no internet and of
course when
you were in school there was no data privacy law so how did you end up uh being
in the data privacy field it is definitely a new field of specialization
and it strikes me like it's an on-the-job kind of training slash specialization
yes actually it was the president the new president of the university that picked
me up for the job uh she was formerly the dean of uh
information technology that's why maybe the application and the compliance with the
data privacy act of 2012 was important to her and the first thing she realized
was that the university had no dpo and this is a basic requirement of the
law so he she wanted someone who had a background in law
in hr because i used to be hr director also of uc and someone who understands ip because
when you look at the application really of the data privacy app the dpo
is really someone who holds many hacks and she thought that maybe
my experience and my academic preparation fits me
wow so she thinks she she cannot choose a better person you are all of those
rolled into one and until now i did not quite realize that those are really in in a sense and
be in dpo you struggle you know you you cut across different platforms
so probably in my case i'm a lawyer but definitely i'm nothing in i.t i don't have any background
on hr so probably i
will flunk being a dpo but okay i i do not wish to spoil probably
the the the conversation any further so i would like you now to start your
presentation with my class so class let us please welcome attorney rayne
ramos a man of many skills a man of many passions
who has journeyed far and wide he is the data protection officer of the
university of contenders so rain the platform is yours thank you for that introduction
professor mia so let's start class
as you will find out later on when we talk of the beta privacy act
the main concern here are personal information these are informations these
are information that are about you and about me
as you will find out later on the dpa also has extra territorial applications
okay next slide please okay so what does the dpa do basically it
regulates the collecting and processing of personal information and sensitive
personal information actually when you add both your pi and your spi
you you can call them as personal data okay
so they collect and process
so who are
personal data controllers and processors okay you are students law students
banking students
when you're involved at the lasalle you are giving them what?
your personal information like your name your address your
phone number etc these are personal information
that and personal data that you are giving to the school and the school
is what you call someone who is a personal data controller or processor
and later on as we go into the application of the DPA to the banks
in this case the banks becomes the personal data controller or processor and you
as depositor or borrower as the case will be is the data
subject
thus personal data controllers and professor
and processors can only collect and process data if a criterion for lawful
processing is present we will discuss this later and must observe the general
privacy principle of transparency legitimate purpose and proportionality when collecting
and processing personal data and are subject to certain obligations
including the need to observe rights of the data subjects these things we will discuss as
we go along and any violation of this since the dpa law of 2012 is criminal in nature in a
sense that it provides sanctions and penalties to data processors
who may fail to protect your data then the non-compliance obviously can trigger
sanctions okay i hope i am being clear so far
so when does let's go now to the middle of the discussion when does the dpa apply
to banks and in general okay next level
okay the data privacy act applies if the bank is involved in the collection or
processing of personal data found in the philippines of course
obviously
it applies to the bank because when you go to the bank i know most of you will have a bank
account or an ATM account
before you can get your atm or before you can get your passport or open an account
they make you fill up either online
or through a bank form personal data okay
about yourself okay and in a sense when you give
this data this is already part of collection and processing which you will discuss further as we go
along and
uh that the act practice or processing relates to personal data about a philippine citizen or
president
first you're a filipino citizen you're a resident of the philippines it is a data that is about you
okay and it is being done in the philippines of course like in you open an account at the bank of
philippine islands maybe in makati or elsewhere
in manila you are in the philippines obviously and the act practice or processing of
personal data is done or engaged in by an entity with links to the philippines or
this could be extra territorial so it could be a bank in new york with a
branch in the philippines or vice versa
QUESTION i'm
curious especially there the processing is done in the philippines
that is physically here in the philippines is that what it says?
um yes ma'am actually uh it's the keeping actually of the data i
see and the processing itself like when you go to amman you do it here
the reason i'm asking because in the age of digital banking
i'm thinking if the if i if someone outside of the philippines a filipino
who is in the outside of the philippines would like to say open an account like
say example union bank or go bank then they are outside
but the processing is done here in the philippines and it works also vice versa
if i want to open a bank account within a singapore bank that's is that covered
by the dpa as well so i think i'm a little confused on the processing whether dito and what does it
really entail
but let's
say that it's a BDO account in uae in dubai
and and uh they have a branch in dubai
and they have the head office in the philippines in the philippines even the processing month in
dubai can be
considered and can be covered by the dpa you know extra territorially extensive ah okay
thank you because i i thought the question before i lose it in my mind thank you
that's why the law even provides for extraterritoriality because of the very nature of the
data now that you know
it is it goes beyond borders so it has it there should be a way of uh
covering it even if it goes outside the philippines
he
defense of the credit card company was you know this is not considered our records because
these
are uh rejected credit card applications but the uh
npc said no you're still liable because even though they were rejected and they were not able to
get credit card with you you process their
data and therefore you should still be protecting those data and since you did not protect that
those data then
you are reliable under the dpa the data protection act of 2012
so that
is how important it is to us to really protect the data especially if you are disposing them from the
time you collect them up to the
time you dispose them because you might still be liable
QUESTION: is there a
requirement for the bank to alert a potential customer on that
Like nakahighlight ba yan or that is something that is in the fine
print na hindi natin nakikita
- Usually di na nakikita
so what has been your experience in this i mean
that by you signing by signing whereby filling up this application you agree
on language
- Dapat nakahiwalay talaga ung consent form sabi ng NPC
- Pero the practice is kasama na
and of course with the right to give and data is the right to object when the moon
[Music]
okay gender if ayaw mo idisclose
if you do not want to disclose that should be acceptable already (gender-sensitivity)
Yung right to data portability - magdala ka ng usb or anything you can get your data
yung
outsourcing or subcontracting
Nangyari when may manpower pooling agencies uh uae dubai
um emirati but they engage a company
to uh check the records academic records of their applicants who come from our
university
to check the data and to classes the data okay so you know outsourcing and
subcontracting of personal data in behalf of a controller
so important
Covered ng data outsourcing or subcontracting agreement na kung kanino mapupunta ung
data, applicable ung DPA
okay next okay five commandments of the npc
next next please so uh actually this is the the main
requirement of the law uh that we implement data policy and
security measures but security measures because of the possibility of data breach along you
know in this
day of technology and age you know your data can be used anywhere in the in the
world and this data should be protected
in fact
sells our information facebook
you know this can be used and through data analytics and through the ai
alumni preferences
of course the first thing we did before was to conduct a privacy impact assessment we
have already finished our
data privacy manual
Q&A
pnp for
example gets uh tries or attempts
to get the list of your graduating
students for criminology and i would
imagine that is because they are on the
loop out for recruits but you just said
you refuse
Q: i see i see
so i would imagine the range of
inquiries or
the range of
how how do you
keep track my goodness i didn't realize
that
this is such like
stressful
because the
you you always have to be very vigilant
to ensure compliance with the dpa but i
would imagine there would be uh
many instances in a workday
where you would probably be bordering on
or where you have to make judgment calls
on
how do you cope i mean where do you draw
the line
do you always have to exercise like high
level judgment calls with respect to
data privacy
A:
well what we did in the uh inducing what
i did was to of course orient everyone
and then i went one office for office
and then
x number how many male 1 will be
specific
oops
foreign