• Unless:
• Personal data needed pursuant to a subpoena
• Collection and processing are for obvious purposes
• Necessary for the performance of or in relation to a contract or service
• Employer-employee relationship between the collector and the data subject
Right to Damages
• Indemnified for any damages sustained due to inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of personal data
Right to Data Portability
• For data processed electronically
• Obtain from the PIC a copy of the data in an electronic or structured format that is commonly used and allows for further use
Right to File a Complaint
• If personal information has been misused, maliciously disclosed, improperly disposed of, or any of the data privacy rights have been violated
Data Privacy Principles
• Transparency
• Legitimate Purpose
• Proportionality
Transparency
• Data subject must be aware of the nature, purpose and extent of the processing of his/her personal data, including the risks and safeguards involved, the identity of the PIC, his/her rights as a data subject, and how these can be exercised
• Information on data processing must be easy to understand and accessible
• Data subject must have reasonable access on demand
• For electronic data, can access a copy in a structured format (data portability)
Privacy Notice
• Description of service
• Personal data to be collected, method of collection, timing of collection
• Purpose of collection of data, method of use
• Storage and transmission, location of data
• Third-party transfers (if applicable)
• Retention period
• Participation of data subject (how consent is obtained)
• Contact information for inquiries or complaints
Legitimate Purpose
• Processing of data shall be compatible with a declared and specified purpose which must not be contrary to law, morals, or public policy
Consent
• Data subject must exercise control over how data will be used
• Consent requires a freely given, specific, and informed indication of will, evidenced by a written or electronic record
• Consent must be unbundled from other terms and conditions
• Implied, implicit or negative consent is not recognized
Proportionality
• Processing of information shall be adequate, relevant, suitable, necessary, and not excessive in relation to a declared and specified purpose
Other Principles
• Data Quality
• Ensure that data is accurate, complete and up-to-date
• Inaccurate or incomplete data must be rectified, supplemented, destroyed, or their further processing restricted
• Security Safeguards
• Organizational Commitment
• Program Controls
• Continuing Assessment and Development
Privacy Impact Assessment
• Process to evaluate and manage privacy impacts in an organization’s programs, processes, activities, systems and operations
Objectives of Conducting a PIA
• Identify privacy risks and vulnerabilities
• Determine
• Adherence to transparency, legitimacy, proportionality
• Lapses in organizational, physical, and technical security measures
• How the organization upholds the rights of the data subjects
• Establish a control framework that addresses all the issues identified
When is PIA necessary?
• As baseline
• Prior to implementation of new programs
• Changes to processing of data
• When entering into a data-sharing agreement
• Large-scale data collection
Benefits of PIA
• Promote privacy awareness
• Good governance
• Compliance
• Cost-effective
• Prevents privacy risks
• Identifies privacy strategies
Questions to consider during PIA
• What do I process and how?
• Do I comply with the law?
• What are the risks?
• What can I do about it?
• When will I reassess?
Data Life Cycle
• Collection
• Use and access
• Sharing and transfers
• Storage and retention
• Disposal
Records of Processing Activities
• Data inventory
• Data flow
• Purpose of processing
• Sources and recipients of personal data
• Accountable and responsible persons
• Existing safeguards
Salient Points of the WVSUMC Data Privacy Policy
Policy Objectives
To uphold the data rights of all data subjects of the WVSUMC.
To comply with the provisions of RA 10173, its IRR, NPC issuances, and other regulations related to data privacy.
To foster and maintain awareness of data privacy, including how we safeguard data privacy rights, among employees and data subjects.
To minimize, if not eliminate, risks that threaten data privacy rights.
Activities
Privacy Notice
Awareness-building activities
Monitoring compliance
Privacy Impact Assessment
Develop and implement data privacy procedures relevant to their mandate
Activities
Data inventory, data flow, stated lawful purpose, sources and recipients, accountable and responsible persons, existing safeguards
Procedure on Data Breach Response
Data Privacy Committee
Evaluate data processing activities and make relevant recommendations
Role of Unit/Department Heads
Privacy Notice
Awareness-building activities
Compliance → monitoring as part of the regular workflow
Conduct PIA
Assess risks → Develop and implement data privacy procedures relevant to their mandate
Document data processing activities
Document data privacy and security activities
Role of the Medical Center Chief
• As PIC – can designate Unit/Department Heads
• PIC determines privacy risks
• Designates/recommends DPO, Committee
Role of the Data Protection Officer
• No conflict of interest
• Independent, has autonomy
• Bound by confidentiality, secrecy
• Opinions have due weight
• Monitors compliance, ensures the PIA is conducted, advises the PIC
• Cooperates and coordinates with, and seeks the advice of, the NPC
Data Privacy Committee
• Chairman
• Unit and Department Heads
• Data Breach Response Team
• Data Privacy Training and Awareness Team (defunct)
Role of Data Privacy Committee
• Compliance
• Conduct PIA
• Security Incident Management
• Awareness
• Policy development and review – privacy by design approach
Essential Principles
• Privacy Mission: The WVSUMC is committed to delivering health services effectively and efficiently while protecting the data privacy rights of its patients, employees, and other data subjects.