Data Privacy Act: Compliance Framework
Ivy D. Patdu, MD JD
National Privacy Commission
Right to privacy

"The right to be let alone - the most comprehensive of rights and the right most valued by civilized men." [Brandeis J, dissenting in Olmstead v. United States, 277 U.S. 438 (1928)]
WHO IS WATCHING YOU?

Freedom of Information
Photo available at http://pcoo.gov.ph/photo14-112416/ (last accessed Feb. 22, 2017).
Available at http://bayanihannews.com.au/2015/04/20/dswd-training-of-field-staff-for-listahanan-ongoing/ (last accessed June 14, 2017).
Available at http://pwd.doh.gov.ph/login.php (last accessed June 14, 2017).

What can you buy with your personal data?
RIGHT TO INFORMATION PRIVACY

"The individual's ability to control the flow of information concerning or describing him, which however must be overbalanced by legitimate public concerns. To deprive an individual of his power to control or determine whom to share information of his personal details would deny him of his right to his own personhood."
Dissenting Opinion of Justice Consuelo Ynares-Santiago in G.R. No. 167798 Kilusang Mayo Uno, et al., v. The Director General, National Economic Development Authority, et al., and G.R. No. 167930 Bayan Muna Representatives Satur C. Ocampo, et al., v. Eduardo Ermita, et al. (19 April 2006)
"In this digital era, information is the currency of power, valuable, coveted, but at a very high risk."
- Senator Edgardo Angara, sponsorship speech for the Data Privacy Act
[Diagram: the Data Privacy Act balances Data Privacy against the Free Flow of information]

"It is the policy of the State to protect the fundamental human right of privacy of communication while ensuring free flow of information to promote innovation and growth."
Scope of the Data Privacy Act

The Data Privacy Act applies to the processing of personal data by any natural and juridical person in the government or private sector.

[Diagram: Data Subjects; Those who process Personal Data; National Privacy Commission; Processing of Personal Data]

Data Privacy Principles
Security Measures
Uphold Rights of Data Subject

DATA PRIVACY PRINCIPLES
TRANSPARENCY
LEGITIMATE PURPOSE
PROPORTIONALITY

SECURITY MEASURES
Rights of Data Subjects
1. Right to Information
2. Right to Object
3. Right to Access
4. Right to Correct
5. Right to Erase
6. Right to Damages
7. Right to Data Portability
8. Right to File a Complaint
Compliance Framework
1. Governance
2. Risk Assessment
3. Organization
4. Day to Day
5. Data Security
6. Breaches
7. Third Parties
8. Manage HR
9. Continuity
10. Privacy Ecosystem
1. Governance
- Designate a DPO
2. Risk Assessment
- Register Data Processing System
- Have Records of Processing Activities
- Conduct Privacy Impact Assessment

[Diagram: the Privacy Impact Assessment cycle asks: What do I process and how? Do I comply with law? What are the risks? What can I do about it? When will I re-assess?]
3. Organization
- Implement Privacy Management Program
- Develop Privacy Manual
4. Day to Day
- Have Privacy Notices
- Mechanism for exercise of Data Subject Rights
- Policies for every stage of Data Life Cycle
5. Data Security
- Implement Organizational, Physical and Technical Security Measures
6. Breaches
- Have in place Data Breach Management Program

Tyler Durden, "Worst-Ever Recorded" Ransomware Attack Strikes Over 57,000 Users Worldwide, Using NSA-Leaked Tools, ZeroHedge, 12 May 2017, available at http://www.zerohedge.com/news/2017-05-12/massive-ransomware-attack-goes-global-huge (last accessed May 14, 2017).

[Diagram: elements of breach management: Security Incident Response Team; Breach Response Procedure; Notification Policy; Document and Reporting]
7. Third Parties
- Manage Third Party Risks

Picture from Surabhi Agarwal, BPOs edge towards high-end work in changing market, Live Mint, Sep. 6, 2012, available at http://www.livemint.com/Industry/hdDwofLyBZc0XQI0bb70hO/BPOs-edge-towards-highend-work-in-changing-market.html (last accessed May 15, 2017).
8. Manage HR
- Undergo Trainings and Get Certifications
- Give Security Clearance

Villupuram nurses jump on to technological bandwagon, at http://www.thehindu.com/news/national/tamil-nadu/villupuram-nurses-jump-on-to-technological-bandwagon/article5699852.ece
9. Continuity
- Regular Assessment and Review, Get Accreditations
10. Privacy Ecosystem
- Be updated on new technologies and standards, new legal requirements

NPC issuances:
Circular 16-01 SECURITY OF PERSONAL DATA IN GOVERNMENT AGENCIES
Circular 16-02 DATA SHARING AGREEMENTS INVOLVING GOVERNMENT AGENCIES
Circular 16-03 PERSONAL DATA BREACH MANAGEMENT
Circular 16-04 RULES OF PROCEDURE OF THE NATIONAL PRIVACY COMMISSION
Advisory 17-01 DESIGNATION OF DATA PROTECTION OFFICERS
17-01 REGISTRATION OF DATA PROCESSING SYSTEMS
WHY SHOULD PERSONAL DATA BE PROTECTED?

Crime / Description / Imprisonment / Fine

Processing of Personal/Sensitive Information for Unauthorized Purpose
  Processing information for other purposes which are no longer authorized by law or consent
  Imprisonment: 1 yr 6 mos to 7 years; Fine: Php500,000 to Php2,000,000

Access to Personal/Sensitive Information due to Negligence
  Persons who provide access due to negligence shall be liable
  Imprisonment: 1 to 6 years; Fine: Php500,000 to Php4,000,000

Concealment of Security Breach
  Duty to notify Privacy Commission in case of breach (within 72 hours)
  Imprisonment: 1 yr 6 mos to 5 years; Fine: Php500,000 to Php1,000,000

Improper Disposal
  Negligently dispose, discard or abandon personal data of an individual in an area accessible to the public or placed in its container for trash collection.
  Imprisonment: 6 months to 3 years; Fine: Php100,000 to Php1,000,000
The Ashley Madison hackers have posted personal data like e-mail addresses and account details from 32M of the site's members.

The group claimed two motivations: First, they've criticized Ashley Madison's core mission of arranging affairs between married individuals. Second, they've attacked its business practices, in particular its requirement that users pay $19 for the privilege of deleting all their data from the site (but, as it turns out, not all data was scrubbed).
Photograph by Philippe Lopez AFP/Getty Images

Robert Hackett, What to know about the Ashley Madison hack (Aug. 26, 2015), available at http://fortune.com/2015/08/26/ashley-madison-hack/ (last accessed 2/22/17).

Available at http://www.scmp.com/news/hong-kong/politics/article/2082566/laptops-containing-37-million-hong-kong-voters-data-stolen
Available at http://www.socialtrendsph.com/2016/02/public-school-teacher-in-p800k-debt_37.html
The recipients' email addresses, of which 730 contained people's full names, were entered into the "to" field instead of "bcc", which masks the email addresses of people receiving the message.

Cara McGoogan, NHS sexual health clinic fined 180K for patients' HIV status leak (May 9, 2016), available at www.telegraph.co.uk/technology/2016/05/09/nhs-sexual-health-clinic-fined-180k-for-patients-hiv-status-leak/ (last accessed Jan. 11, 2017).

Kelly Jackson, Healthcare Suffers Estimated $6.2 Billion in Data Breaches, available at http://www.darkreading.com/threat-intelligence/healthcare-suffers-estimated-$62-billion-in-data-breaches/d/d-id/1325482
A Violation of Privacy is an affront to Human Dignity

Unauthorized use or disclosure may put data subjects at risk for unwanted publicity, discrimination, identity theft and other acts prejudicial to the data subjects.
Embracing a Privacy Culture
Source of picture: available at http://www.pmcgregor.com/building-habits-keeping-them/

Thank you!
Ivy D. Patdu
National Privacy Commission
privacy.gov.ph
ivypatdu@privacy.gov.ph
info@privacy.gov.ph