
THE NPC DATA PRIVACY ACCOUNTABILITY AND COMPLIANCE CHECKLIST

Columns: Item | Date Started | Date Finished | Remarks

I. Establishing Data Privacy Governance (Remarks: Done)

1. Appointment of your Data Privacy Officer (DPO)
   Started: 5/19/22 | Finished: 5/19/22 | Remarks: Done during 2nd board meeting
II. Risk Assessment

2. Register
   Started: 7/7/22
3. Records of processing activities
   Started: 7/10/22
4. Conduct of a Privacy Impact Assessment (PIA)
   a. Medical Records
   b. Radiology
   c. NSO
   d. Laboratory
   e. Admitting
   f. Billing
   g. Nutrition and Dietetics
   h. Pharmacy
   i. Social Services
   j. Revenue
   k. Computerized Systems (PARS, VCP, etc.)
   l. CCTV
III. Preparing Your Organization's Data Privacy Rules (Remarks: Before conducting Risk Assessment)

5. Formulate your organization's privacy management program (PMP)
   Started: 8/12/2022 | Finished: 8/12/2022 | Remarks: To come up with this
6. Develop your agency's privacy manual and complaints mechanism
   Started: N/A | Finished: N/A | Remarks: Existing
IV. Privacy in Day-to-Day Information Life Cycle Operations (To be included in the Privacy Manual) (Remarks: Full implementation in 2023)

7. Informing data subjects of your personal information processing activities and obtaining their consent, when necessary (Privacy Notice)
   Remarks: Included in the Data Privacy Manual
8. Formulation of policies/procedures that allow data subjects to object to subsequent processing or changes to information supplied to them
   Remarks: Included in the Data Privacy Manual
9. Policies for limiting data processing according to its declared, specified and legitimate purpose
   Remarks: Included in the Data Privacy Manual
10. Policies/procedures for providing data subjects with access to their personal information, including its sources, recipients, method of collection, purpose of disclosure to third parties, automated processes, date of last access, and identity of the controller (data subject access request)
   Remarks: Included in the Data Privacy Manual
11. Policies/procedures that allow data subjects to dispute inaccuracy or error in their personal information, including policies/procedures to keep the same up to date
   Remarks: Included in the Data Privacy Manual
12. Policies/procedures that allow a data subject to suspend, withdraw or order the blocking, removal or destruction of their personal information
   Remarks: Included in the Data Privacy Manual
13. Policies/procedures for accepting and addressing complaints from data subjects
   Remarks: Included in the Data Privacy Manual
14. Policies/procedures that allow data subjects to be indemnified for any damages sustained due to inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of personal information
   Remarks: Included in the Data Privacy Manual
15. Policies/procedures that allow data subjects to obtain from the personal information controller a copy of his or her personal data processed by electronic means and in a structured and commonly used format
   Remarks: Included in the Data Privacy Manual
16. Policies/procedures for the creation and collection, storage, transmission, use and distribution of personal data, retaining it for only a limited period or until the purpose of the processing has been achieved, and ensuring that data is securely destroyed or disposed of
   Remarks: Included in the Data Privacy Manual
V. Managing Personal Data Security Risks (2022)

17. Implement appropriate and sufficient organizational security measures (policies and procedures in place)
   Remarks: To be implemented after conducting the Privacy Impact Assessment
18. Implement appropriate and sufficient physical security measures (physical access and security design and infrastructure)
   Remarks: To be implemented after conducting the Privacy Impact Assessment
19. Implement appropriate and sufficient technical security measures
   Remarks: To be implemented after conducting the Privacy Impact Assessment
VI. Data Breach Management (2022)

20. Compliance with the DPA's Data Breach Management Requirements (e.g. security policy, Data Breach Response Team, incident response procedure, documentation, breach notification)
   Remarks: To be created in coordination with the Management Committee.
VII. Managing Third Party Risks (2022)

21. Maintaining data privacy: legal basis for disclosure, Data Sharing Agreements, cross-border transfers, and security of transfers to third parties (e.g. clients, vendors, processors, affiliates)
   Remarks: Identify third parties that need a DSA or an Outsourcing Agreement/Non-Disclosure Agreement. Execute such documents with third parties.
VIII. Managing Human Resources (HR) (2022)

22. Periodic and mandatory personnel training on privacy and data protection in general and in areas reflecting job-specific content
   Remarks: To be conducted during September 2022
23. Issuance of Security Clearance for those handling personal data
   Remarks: To create a form in consultation with other DPOs in Mindanao.
IX. Continuing Assessment and Development (2023)

Remarks for items 24 to 29: This can be done in 2023 after setting up the Data Privacy Program and approval of the Data Privacy Manual.

24. Scheduling of regular PIA for new and existing programs, systems, processes and projects
25. Review of forms, contracts, policies and procedures on a regular basis
26. Scheduling of regular compliance monitoring, internal assessment and security audits
27. Review, validation and update of the Privacy Manual
28. Regular evaluation of the Privacy Management Program
29. Establishing a culture of privacy by obtaining certifications and accreditations vis-à-vis existing international standards
X. Managing Privacy Ecosystem (2023)

30. Managing emerging technologies, new risks of data processing and the privacy ecosystem
   Remarks: This can be done in 2023 after setting up the Data Privacy Program and approval of the Data Privacy Manual.
31. Keeping track of data privacy best practices, sector-specific standards, and international data protection standards
   Remarks: This can be done in 2023 after setting up the Data Privacy Program and approval of the Data Privacy Manual.
32. Seeking guidance and legal opinion on new National Privacy Commission (NPC) issuances or requirements
   Remarks: Ongoing consultation with NPC as to requirements.
XI. Others

33. Conduct Data Privacy Training for Orderlies, Security Guards, Doctors and their Secretaries
   Remarks: This will be done after setting up the Data Privacy Program of the Hospital.
34. Assist doctors in their registration with the National Privacy Commission, and provide other assistance and advice to comply with the Data Privacy Act
   Remarks: This will be done after setting up the Data Privacy Program of the Hospital.
35. Constant communication and consultation with the DPOs of other MPHHI Hospitals, the Chief Compliance Officer and the MPHHI DPO for benchmarking of best privacy practices to comply with the Data Privacy Act
   Remarks: Ongoing

Prepared by: ROMMEL Y. TENECIO, Compliance Officer for Privacy
Signature over Printed Name/Date

Checked by: DANIEL NEMESES C. ESPINA, Data Privacy Officer (MJSH and PCC-Nasipit)
Signature over Printed Name/Date

Approved by: DR. TERENCE ANTHONY S. VESAGAS, MD, CHIEF OPERATING OFFICER
Signature over Printed Name/Date
