INFORMATION CONTROL AND PRIVACY
PRIVILEGED INFORMATION - refers to
DATA PRIVACY - refers to the right of individuals to
control their personal data and ensure that it is
handled, processed, and stored in a way that respects
their privacy and confidentiality.
Data Privacy Act No. 10173 (also known as the
‘Data Privacy Act of 2012 (DPA)) - is an act
protecting individual personal information in
information and communications systems in the
government and the private sector, creating for this
purpose a national privacy commission, and for other
purposes.
WHY DOES DATA PRIVACY ACT IS IMPORTANT?
- Protection of Personal Data
- Privacy Rights
- Data Security
- Cross-Border Data Transfer
- Accountability
- Consent
- Penalties
- International Recognition
HOW DOES R.A. 10173 PROTECTS DATA
PRIVACY?
Republic Act No. 10173 protects
data privacy by establishing rules
and principles for the responsible
handling of personal information.
- Consent
- Transparency
- Data Security
- Data Minimization
- Data Portability
- Penalties
- Data Subject Rights
- Data Breach Notification
DATA SUBJECT - is an individual whose personal
data is being collected, processed, stored, or
otherwise handled by an organization or entity.
TYPES OF INFORMATION
1. PERSONAL DATA - This is the broadest
category and includes any information that
relates to an identified or identifiable
individual.
2. SENSITIVE PERSONAL DATA - some laws
designate a subset of personal data as
“sensitive”.
3.
information protected bi attorney-client
privilege, doctor-patient confidentiality, or
similar legal privileges.
4. CONFIDENTIAL INFORMATION - this
category includes business or trade secrets,
propriety, and any data that an organization
deems confidential.
5. PUBLICLY AVAILABLE INFORMATION -
some data privacy laws exclude information
that is publicly available or easily accessible
from their scope.
6. ANONYMIZED DATA - information that has
been processed or modified in such a way
that it can no longer be used to identify an
individual is often considered anonymized
data.
7. EMPLOYEES DATA - employee-related
information, such as HR records, payroll
data, and performance evaluations, is often
treated separately and subject to specific
privacy and confidentiality requirements.
8. CHILDREN’S DATA - many data privacy
laws provide special protections for the
personal data of children, often requiring
parental consent for data processing.
9. FINANCIAL DATA - this category includes
sensitive financial information, such as bank
account numbers, credit card details, and
financial transaction records.
10. HEALTH DATA - information related to an
individual’s health or medical history is
considered highly sensitive and is often
subject to additional privacy protections.
INFORMATION AND PRIVACY
- Information privacy refers to control over
individuals' personal data, such as
personally identifying information (PII) or
personal health information (PHI). In the
United States and many other countries,
these types of personal information receive
legal protections.
DATA LIFE CYCLE
1. CREATE AND COLLECT - collection of
information through all available channels.
2. STORE AND TRANSMIT - storage and
transmittal of collected information for
processing through: IT systems, physical
filing & transport.
 3. USE AND DISTRIBUTE - processing of -Personal data can be misused in a number of ways if
collected information & internal distribution. it is not kept private or if people don’t have the ability
4. RETAIN - retention of processed information to control how their information is used: criminals can
due to: possible use and statutory use personal data to defraud or harass users, entities
requirements. may sell personal data to advertisers or other outside
5. DISPOSE AND DESTROY - disposal of parties without user consent. Which can result in
processed information once retention period users receiving unwanted marketing or advertising,
lapses. and when a person’s activities are tracked and
monitored, this may restrict their ability to express
SECURITY MEASURES - aim to maintain the themselves freely, especially under repressive
availability, integrity, and confidentiality of personal governments.
data and protect them against natural dangers such
as accidental loss or destruction, and human dangers THE NATIONAL PRIVACY COMMISSION
such as unlawful access, fraudulent, misuse, unlawful - To administer and implement the provisions of the
destruction, alteration, and contamination. act, and to monitor and ensure compliance of the
country with international standards set for data
3 SECURITY MEASURES protection.
1. ORGANIZATION SECURITY MEASURES - -under section 7 of RA 10173, the NPC has 16
every personal information controller and functions. In a nutshell, the main goal of the law is to
personal information processor must also safeguard an individual’s rights to privacy while
consider the human aspect of data allowing the free flow of information. It also
protection. emphasizes the role of technology in ensuring that
2. PHYSICAL SECURITY MEASURES - this
portion shall feature the procedures intended
to monitor and limit access to the facility
containing the personal data, including the
activities therein.
3. TECHNICAL SECURITY MEASURES -
each personal information controller and
personal processor must implement
technical security measures to make sure
that there are appropriate and sufficient
safeguards to secure the processing of
personal data, particularly the computer
network in palace, including encryption and
data remains secure.
authentication processes that control and
limit access.
PILLAR 1: APPOINT A DATA PROTECTION
OFFICER
DATA QUALITY - refers to the accuracy and reliability
-Appointing a data protection officer (DPO) is a legal
of the data itself, data governance is how the
requirement for personal information controllers
organization manages its data on a high level.
(PICS) and personal information processors (PIPS),
under data privacy act of 2012.
INFORMATION SECURITY - The principal legislation
in the Philippines on cybersecurity is the Cybercrime
COMPLIANCE OFFICER FOR PRIVACY (COP) - is
Prevention Act and the Implementing Rules and
an individual or individuals who perform some of the
Regulations of Republic Act No. 10175 ('the
functions of a DPO in these cases:
Cybercrime IRRs').
- LOCAL GOVERNMENT UNITS (LGUs)
- PRIVATE SECTOR
- OTHER ANALOGOUS CASES
INTRODUCTION TO THE 5 PILLARS OF
COMPLIANCE
DIFFERENCE OF COP AND DPO

DPO - the position of the DPO remains a legal

DATA PRIVACY RISKS
requirement that companies must comply with
COP - are a mark of an organization that takes
privacy seriously at the highest level.
DATA PROCESSING SYSTEM
- is a combination of machines, people, and
processes that for a set of inputs produces a defined
set of outputs.
-inputs and outputs are interpreted as data, facts,
information, etc.
MANDATORY REGISTRATION
- Please note that not all entities are required to
create an account with the NPCRS. Only the following
PICs or PIPs are mandated to register its data
processing systems:
a.A PIC or PIP that employs two hundred fifty (250)
or more persons; or
b.Those processing sensitive personal information of
one thousand (1,000) or more individuals; or
c.Those processing data that will likely pose a risk to
the rights and freedoms of data subjects shall register
all Data
Processing Systems; or
d. Government Agency or Instrumentality.
VOLUNTARY REGISTRATION
- PICs or PIPs whose Data Processing System does
not operate under any of the conditions set out above
may register voluntarily.
REGISTRATION PROCESS
- A PIC or PIP shall create an account by signing up
in the NPC’s official registration platform through the
NPCRS. The prescribed application form shall be
accomplished and shall be uploaded together with all
the supporting documents.
- The NPC shall issue a Certificate of Registration in
favor of a PIC or PIP that has successfully completed
the registration process.
REQUIREMENTS FOR DATA PROCESSING
REGISTRATION
- Fee(s)
- Provision of detailed information
PILLAR 2: CONDUCT A PRIVACY RISK
ASSESSMENT
- is a risk management framework for
determining the risk of holding and
maintaining PII (Personal Identifiable
Information).
PRIVACY IMPACT ASSESSMENT (PIA)
- is an instrument for assessing the potential impacts
on privacy of a process, information system, program,
software
module, device or other initiative which
processes personal information and in
consultation with stakeholders, for
taking actions as necessary to treat privacy risk.
REASONS TO CAUSE PRIVACY IMPACT
ASSESSMENT
- Collects personal data
- Change in applicable privacy related laws
and regulations
- New or prospective technology, service
- Sensitive personal information
- Privacy violation complaint
WHO CONDUCTS PIA
1. Personal Information Controller (PIC)
2. Personal Information Processor (PIP)
BENEFITS OF PIA
- Demonstrate commitment to privacy
protection
- Enhances trust with individuals and
stakeholders
- Minimizes privacy risk and potential legal
consequences
PILLAR 3: CREATE A PRIVACY MANAGEMENT
PROGRAM
PRIVACY MANAGEMENT PROGRAM (PMP) - is a
holistic approach to privacy and data protection,
important for all agencies, companies or other
organizations involved in processing of personal data.
IMPORTANCE OF PRIVACY MANAGEMENT
PROGRAM (PMP)
- Puts everyone on the same page
- Compliance with the Act becomes more
manageable
- Gives PICs and PIPs competitive advantage
- Saves PICs and PIPs from avoidable
expenses
PRIVACY MANUAL
- serves as a guide or handbook for ensuring
the compliance of an organization or entity
with the DPA, its Implementing Rules and
Regulations (IRR), and other relevant issues
of the National Privacy Commission (NPC). It
also encapsulates the privacy and data
protection protocols that need to be
observed and carried out within the
organization for specific circumstances (e.g.,
from collection to destruction), directed
toward the fulfillment and realization of the
rights of data subjects.
WHAT IS THE PLAN DO CHECK ACT MODEL
(PDCA)?
- Plan-Do-Check-Act is also called the Deming
Cycle because it was popularized by William
Edwards Deming.
- The cycle is called Plan-Do-Check-Act
because it consists of these four steps (plan,
do, check and act).
- The cycle was invented for improvement of
manufacturing processes, but is now used
for all kinds of processes, including
enterprise processes such as information
security.
PILLAR 4: IMPLEMENT YOUR PRIVACY
AND DATA PROTECTION MEASURES
ACCESS CONTROL POLICY - sets
requirements of credentials
and identification that specify how access to
computers,
systems, or applications is managed and
who may
access the information in most
circumstances.
DATA CENTER - is a facility housing
electronic equipment
used for data processing, data storage, and
communications networking.
ENCRYPTION - protects emails, bank
accounts, transactions, and
messages. In general, it protects data by
encoding the information in
such a way that it is only accessible to
authorized parties or
individuals.
What should be encrypted?
- Emails
- Portable Media
- Links (URL)
DATA SHARING - is the disclosure or transfer to a
third party of personal
data under the custody of a personal information
controller or
personal information processor.
Personal Information Controllers (PIC) are those
who decide what types of data are collected and how
they are processed (i.e. Ayala Land).
Personal Information Processors (PIP) are those
who process data as instructed by the controllers (i.e.
HR Mall).
DATA SHARING AGREEMENT- refers to a contract,
joint issuance, or any similar document that contains
the terms and conditions of a data sharing
arrangement
between two or more parties provided that only
personal information controllers shall be made parties
to a data sharing agreement.
TYPES OF SECURITY CONTROL
1. PHYSICAL CONTROLS - describe anything
tangible that’s used to prevent or detect
unauthorized access to physical areas,
systems, or assets.
2. TECHNICAL CONTROLS - Also known as
logical controls include hardware or software
mechanisms used to protect assets.
3. ADMINISTRATIVE CONTROLS - It refers to
policies, procedures, or guidelines that
define personnel or business practices in
accordance with the organization's security
goals.
PILLAR 5: REGULARLY EXERCISE YOUR
BREACH REPORTING
PROCEDURE.
SECURITY INCIDENT - is any event or occurrence
that affects or tends to affect data protection, or may
compromise the availability, integrity, and
confidentiality of personal data. It includes incidents
that would result in a personal data breach, if
not for safeguards that have been put in place.
DATA BREACH - is a kind of security incident. It
happens when there is a breach of security leading to
the accidental or unlawful destruction, loss, alteration,
unauthorized disclosure of, or access to,
personal data transmitted, stored, or otherwise
processed.
3 KINDS OF DATA BREACHES:
1. AVAILABILITY BREACH - from the loss
accidental or unlawful destruction of
personal data
2. INTEGRITY BREACH - from the
unauthorized alteration of personal data;
3. CONFIDENTIALITY BREACH - from the
unauthorized disclosure of or access to
personal data.
THE SECURITY INCIDENT MANAGEMENT - is the
process of identifying, managing, recording and
analyzing security threats or incidents in real-time. It
seeks to give a robust and
comprehensive view of any security issues within an
IT infrastructure.
1. Creation of a security
incident response team
2. Implementation of organizational,
physical and technical security
measures and personal data
privacy policies.
3. Implementation of an incident
response procedure
4. Mitigation of possible harm
and negative consequences to
a data subject in the event
of a personal data breach
5. Compliance with the Data Privacy
Act, its IRR, and all related
issuances by the NPC pertaining to
personal data breach notification
INCIDENT RESPONSE TEAM - analyzes
information, discusses observations
and activities, and shares important reports and
communications across the company.
The Security Incident Management Policy must
also include measures intended to prevent or
minimize the occurrence of a personal data
breach. These measures include:
1. Conduct of a privacy
impact assessment - to identify attendant risks in the
processing of personal data. It shall take into account
the size and sensitivity of the personal data being
processed, and impact and likely harm of a personal
data breach.
2. Data governance policy - that ensures
adherence to the principles of transparency,
legitimate purpose, and proportionality
3. Implementation of appropriate security
measures - that ensure the accessibility,
consistency, and privacy of personal data being
handled
4. Regular monitoring for security breaches -
vulnerability scanning of computer networks
5. Capacity building of personnel - to ensure
understanding of company policies for handling
security incidents and information breach
management principles
6. Procedure for the regular review of policies and
procedures - testing, evaluating, and assessing the
effectiveness of the security measures
ANNUAL REPORTS - where all security incidents
and personal data breaches must be documented
through written reports, including those not covered
by the notification requirements.
MANDATORY NOTIFICATION - refers to the legal
requirement for organizations to notify individuals
whose personal data has been compromised in a
data breach.
AUTOMATION AND EMPLOYMENT
1. AUTOMATION AND JOB DESTRUCTION
2. AUTOMATION AND JOB CREATION
3. EFFECTS OF INCREASE IN
PRODUCTIVITY
WORKPLACE CHANGES
ORGANIZATIONAL CHANGES - are the
structured and strategic approaches used by
corporations and company businesses to manage
and handle adjustments and improvements within
their organizations.
TELEWORK (also known as
telecommuting) - is a work arrangement in which
employees spend a significant portion of their
workday away from their employer or traditional place
of employment.
 COMPUTER SIMULATION-USES AND
VALIDATION:

COMPUTER SIMULATIONS
The use of a computer to represent the
dynamic responses of one system by the
behavior of another system modeled after it.

USES OF SIMULATION
- Computer simulations have been used to
design nuclear weapons, search for oil,
create pharmaceuticals, and design safer,
more fuel efficient cars.
- A second use of computer simulations is to
understand the world around us .
GIG ECONOMY - refers to service workers who make
- Computer simulations are also used to
a living by completing these types of short-term jobs
predict the future.
for clients.
VALIDATION OF SIMULATION
MONITORING - Its principal purpose is to identify
inappropriate use of company resources.
VERIFICATION - is the process of
- Monitoring can help detect illegal activities of
determining if the computer program
employees as well. By monitoring instant
correctly implements the model.
messaging conversations.
VALIDATION - is the process of determining
- Monitoring is also used to ensure that
if the model is an accurate representation of
customers are getting the products and
the real system.
services they need. Reviewing customer
phone calls to help desks can reveal if the
company ought to be providing its customers
with better documentation or training.
SOFTWARE ENGINEERING
- Monitoring can help an organization assess
- is the process of designing, creating, testing
the quality of the work done by its
and maintaining software.
employees.
- The term software engineering became
prominent when Margaret Hamilton used it to
MULTINATIONAL TEAMS - also known as
describe her work on the Apollo spaceflight
international teams or cross-border teams, are groups
program in the 1960s.
of people from various national
and cultural backgrounds who work together within an
SOFTWARE PROCESS - a set of related activities
organization on projects, tasks, or objectives.
that will lead to the creation of a software product.

4 FUNDAMENTAL ACTIVITIES OF SOFTWARE

ENGINEERING:
THE INFLUENCE OF IT ON CULTURE AND
- Software Specification
SOCIAL BEHAVIOR
- Software Development
- Software Validation
INFLUENCE ON CULTURE:
- Software Evolution
- Online Reviews
- Weblogging/Social Media
COMPUTER-AIDED SOFTWARE ENGINEERING -
- YouTube learners
describes a broad set of labor-saving tools used in
INFLUENCE ON SOCIAL BEHAVIOR:
software development. They create a framework for
- Cyberbullying - is an unwanted, hostile
managing projects and are intended to help users
behavior done by individuals to other people
stay organized and improve productivity.
in the hope of gaining control over them.
OBJECT ORIENTED DESIGN - The process of SOCIAL ENVIRONMENT - can be also called as
creating a software system or application utilizing an “networked publics” according to boyd.

SNS FEATURES:
- Persistence
- Replicability
- Scalability
- Searchability

ONLINE STRANGERS - A person who has not yet

met the individual physically but has interacted
through the internet.

ONLINE AND TECHNOLOGY THREATS - SOCIAL

NETWORKING ISSUES
object-oriented paradigm.
CYBER ABUSE - is any form of mistreatment or lack
of care, both physical and mental, based on the use
NECESSITIES OF SOFTWARE EVOLUTION
of an electronic communications device that causes
- Change in requirement in time
harm and distress to others.
- Bug Fixing
- Technology Advancement
CYBERHARASSMENT - is a form of cyber abuse in
- Security Updates
which the abusive behavior, which involves the use of
an electronic communications device, is degrading,
humiliating, hurtful, insulting, intimidating, malicious,
or otherwise offensive to an individual or group of
THE INTERNET AND ITS EFFECTS TO THE
individuals causing substantial emotional distress.
YOUTH

CYBERSTALKING - is a subcategory of cyber abuse

ONLINE COMMUNITIES - are designated group
that consists of a long-term pattern of unwanted,
where people regularly interact
persistent pursuit and intrusive behavior (involving the
though some specific virtual environment, such as
use of an electronic communications device) that is
web sites, blogs, or social network
directed by one person against another and that
site.
causes fear and distress in the victim.
BENEFITS:
- Control over self- presentation
- Be anonymous
WEB FILTERS - is a piece of software that prevents
- Interact at a comfortable distance
certain Web pages from being displayed by your
- Store information and materials.
browser.
- Accessibility
- Can be visited and joined by anyone.
TWO DIFFERENT METHODS TO DETERMINE IF A
PAGE SHOULD BE BLOCKED:
DRAWBACKS:
- The first method is to check the URL of the
- Limitation in self- expression and mutual
page against a blacklist of objectionable
understanding.
sites.
- Anonymity causes disinhibited behavior
- The second method is to look for
(benign and toxic).
combinations of letters or words that may
indicate a site has objectionable content.
SOCIAL NETWORK SITE (SNS) - is a website
whose purpose is to make people socialize through
the internet and its vast networks.
SEXTING - refers to sending sexually suggestive text
messages or emails containing nude or nearly nude
photographs.
IDENTITY THEFT - the misuse of another person’s
identity, such as name, Social Security number,
driver’s license, credit card numbers, and bank
account numbers. (Dorothy Denning)
IDENTITY THIEVES:
1. DUMPSTER DIVING - looking for personal
information in garbage cans or recycling
bins.
2. SHOULDER SURFING - looking over the
shoulders of people filling out forms.
3. SKIMMERS - waiters or store clerks match
each legal swipe through a cash register with
an illegal swipe through a skimmer, a small,
battery powered credit card reader.
4. PHISHING - gathering financial information
via spam is called phishing (pronounced
“fishing”).
FAKE REVIEWS - Some businesses try to boost
sales by posting fake positive reviews of their
enterprises or posting fake negative reviews of their
competitors.
CENSORSHIP
- occurs when individuals or groups try to
prevent others from saying, printing, or
depicting words and images.
2 TYPES OF CENSORSHIP
- Direct Censorship
- Self Censorship
ONLINE AND TECHNOLOGY THREATS
THREATS - refer to factors that have the potential to
harm.
INTELLECTUAL PROPERTY (IP) - refers to
creations of the mind, such as inventions, literary and
artistic works, designs, symbols, names and images
used in commerce.
COMMON TYPES OF IP
- Counterfeit Goods
- Software Piracy
- Plagiarism
TRADE SECRETS - are confidential information that
provide businesses with a competitive advantage.
TRADEMARKS - distinguish products or services
from competitors and can include logos, names, and
symbols.
SERVICE MARKS - are specific to services rather
than physical products. They represent the quality
and standards associated with a particular service
provider.
COPYRIGHT - protects original works of authorship.
PATENT - provides investors with exclusive rights to
their inventions for a limited period.
TRENDS
INTERNET OF THINGS - network of physical objects
–”things”--that are embedded with sensors, software,
and other technologies for the purpose of connecting
and exchanging data with other devices and systems
over the internet.
IT AUTOMATION - instructions to create a repeated
process that replaces an IT professional’s manual
work in data centers and cloud deployments.
● Banking
● Education
● Business
● Health
TRENDS AND DIGITAL GAMES
CLOUD COMPUTING - is the on-demand availability
of computer system resources, especially data
storage and computing power, without direct active
management by the user.
PROS AND CONS OF THIS NOT-SO-NEW
TECHNOLOGY:
ADVANTAGES:
- DISASTER RECOVERY (DR)
- ACCESS YOUR DATA ANYWHERE.
- LOW COST.
 - SCALABILITY. DENIAL-OF-SERVICE (DoS) - is an intentional action
- SECURITY. designed to prevent legitimate users from making use
of a computer service.
DISADVANTAGE:
- LACK OF TOTAL CONTROL.
- DIFFICULT TO MIGRATE.
- REQUIRES INTERNET GAMBLING
- Is an activity in which a person risks
something valuable to themselves in order to
win something valuable in return.
COMPUTER AND NETWORK SECURITY
GAMBLING MECHANISMS - it can be described as
HACKING - (understandable) a coping strategy.

FIRESHEEP - is a Mozilla Firefox extension that uses TYPES OF GAMBLING:

packet sniffing to hijack unsecured Wi-Fi network 1. ELECTRONIC MACHINE DEVICES
sessions and capture unencrypted website cookies 2. BETTING
during network data transmission. 3. POKER AND OTHER TABLE AND
TOURNAMENT CARD GAMES
3 TYPES OF ANALYSIS IN FIRESHEEP 4. CASINO GAMES
- ACT UTILITARIAN ANALYSIS
- KANTIAN ANALYSIS LIVE ONLINE BETTING - is the kind of gambling that
- VIRTUE ETHICS ANALYSIS is very specific to the online environment.

MALWARE (Malicious Software) ONLINE CASINO - (understandable)

VIRUSES - is a piece of self-

replicating code embedded within another program
called the host.
MASSIVELY MULTIPLAYER ONLINE GAMES
INTERNET WORM - sasser, instant messaging (MMOG)
worms, conficker, cross-site scripting.
CHARACTERISTICS:
DRIVE BY DOWNLOADS - Flow and dissociation
TROJAN HORSES - is a program with a benign - Availability
capability that conceals a - Proximity
sinister purpose. - Social Availability
- Financial availability
BACKDOOR HORSES - is a Trojan horse that gives - Social status and a feeling of
the attacker access to experience
the victim’s computer.
CONFLICT IN ONLINE GAMING:
ROOTKITS - is a set of programs that provide - Interaction influenced by the
privileged access to a computer. Once installed, a character
rootkit is activated every time the computer is booted. - Internet connection issue

SPEAR PHISHING - phishing is a variant of phishing ENVIRONMENT:

in which the attacker selects email addresses that - Family - personal - gaming society
target a particular group of recipients.
SOCIALIZATION:
SQL INJECTION - injection is a method of attacking a - Family (outside)
database-driven Web application that has improper - Personal (inside)
security. - Gaming society (outside)