Professional Documents
Culture Documents
Section 30. Responsibility of Heads of Agencies. All sensitive personal information maintained
by the government, its agencies, and instrumentalities shall be secured, as far as practicable, with
the use of the most appropriate standard recognized by the information and communications
technology industry, subject to these Rules and other issuances of the Commission. The head of
each government agency or instrumentality shall be responsible for complying with the security
requirements mentioned herein. The Commission shall monitor government agency compliance
and may recommend the necessary action in order to satisfy the minimum standards.
2. A source agency shall strictly regulate access to sensitive personal information under its
custody or control, particularly when it allows online access. An employee of the government
shall only be granted a security clearance when the performance of his or her official functions or
the provision of a public service directly depends on and cannot otherwise be performed unless
access to the personal data is allowed.
3. Where allowed under the next preceding sections, online access to sensitive personal
information shall be subject to the following conditions:
(a) An information technology governance framework has been designed and implemented;
(b) Sufficient organizational, physical and technical security measures have been established;
(c) The agency is capable of protecting sensitive personal information in accordance with data
privacy practices and standards recognized by the information and communication technology
industry;
(d) The employee of the government is only given online access to sensitive personal
information necessary for the performance of official functions or the provision of a public
service.
b. Off-site access.
2. The head of agency shall approve requests for off-site access in accordance with the following
guidelines:
(a) Deadline for Approval or Disapproval. The head of agency shall approve or disapprove the
request within two (2) business days after the date of submission of the request. Where no action
is taken by the head of agency, the request is considered disapproved;
(b) Limitation to One thousand (1,000) Records. Where a request is approved, the head of
agency shall limit the access to not more than one thousand (1,000) records at a time, subject to
the next succeeding paragraph.
(c) Encryption. Any technology used to store, transport or access sensitive personal information
for purposes of off-site access approved under this subsection shall be secured by the use of the
most secure encryption standard recognized by the Commission.
Section 33. Applicability to Government Contractors. In entering into any contract with a private
service provider that may involve accessing or requiring sensitive personal information from one
thousand (1,000) or more individuals, a government agency shall require such service provider
and its employees to register their personal data processing system with the Commission in
accordance with the Act and these Rules. The service provider, as personal information
processor, shall comply with the other provisions of the Act and these Rules, particularly the
immediately preceding sections, similar to a government agency and its employees.