
Module 1: INTRODUCTION TO DATA PRIVACY ACT OF 2012

[Figure: PRIVACY, with three aspects: Locational/Situational, Informational, Decisional]

WHAT IS THE RIGHT TO PRIVACY?

“The right to be let alone” – the most comprehensive of rights and the right most valued by civilized men. (Brandeis, J., dissenting in Olmstead v. United States, 277 U.S. 438 (1928))

DECISIONAL PRIVACY involves the right to independence in making certain important decisions.

LOCATIONAL PRIVACY refers to the privacy that is felt in physical space, such as that which may be violated by trespass and unwarranted search and seizure.

INFORMATION PRIVACY is an individual’s ability to control the flow of information concerning or describing him, which however must be overbalanced by legitimate public concerns. To deprive an individual of his power to control or determine whom to share information of his personal details would deny him of his right to his own personhood. (Dissenting Opinion of Justice Ynares-Santiago in G.R. No. 167798 (Kilusang Mayo Uno vs. NEDA Dir. Gen.) and G.R. No. 167930 (Bayan Muna vs. Ermita))

TWO ASPECTS OF INFORMATION PRIVACY

- the right not to have private information disclosed; and
- the right to live freely without surveillance and intrusion. (Whalen v. Roe, 429 U.S. 589 (1977))

THE 4TH INDUSTRIAL REVOLUTION: DATA AS THE NEW OIL OF THE DIGITAL ECONOMY?
DATA PRIVACY ACT OF 2012 (DPA)

- An Act protecting individual personal information in information and communications systems in the government and the private sector, creating for this purpose a National Privacy Commission, and for other purposes

POLICY

- SEC. 2. Protect the fundamental human right of privacy of communication while ensuring free flow of information to promote innovation and growth; role of information and communications technology to ensure that personal information under the custody of the government and private sector are secured.

SCOPE OF THE DPA

- The DPA “applies to the processing of all types of personal information and to any natural and juridical person, in the country and even abroad, subject to certain qualifications.” (Sec. 4, DPA)

CREATION OF THE COMMISSION

- The National Privacy Commission is an independent body mandated to administer and implement the Data Privacy Act, and to monitor and ensure compliance of the country with international standards set for personal data protection.

FUNCTIONS OF THE NATIONAL PRIVACY COMMISSION

RULE MAKING

- The Commission shall develop, promulgate, review or amend rules and regulations for the effective implementation of the Act. This includes:
- Recommending organizational, physical and technical security measures for personal data protection, encryption, and access to sensitive personal information maintained by government agencies, considering the most appropriate standard recognized by the information and communications technology industry, as may be necessary;
- Specifying electronic format and technical standards, modalities and procedures for data portability, as may be necessary;
- Issuing guidelines for organizational, physical, and technical security measures for personal data protection, taking into account the nature of the personal data to be protected, the risks presented by the processing, the size of the organization and complexity of its operations, current data privacy best practices, cost of security implementation, and the most appropriate standard recognized by the information and communications technology industry, as may be necessary;
- Consulting with relevant regulatory agencies in the formulation, review, amendment, and administration of privacy codes, applying the standards set out in the Act, with respect to the persons, entities, business activities, and business sectors that said regulatory bodies are authorized to principally regulate pursuant to law;
- Proposing legislation, amendments or modifications to Philippine laws on privacy or data protection, as may be necessary;
- Ensuring proper and effective coordination with data privacy regulators in other countries and private accountability agents;
- Participating in international and regional initiatives for data privacy protection.

ADVISORY

- The Commission shall be the advisory body on matters affecting protection of personal data. This includes:

a. Commenting on the implication on data privacy of proposed national or local statutes, regulations or procedures, issuing advisory opinions, and interpreting the provisions of the Act and other data privacy laws;
b. Reviewing, approving, rejecting, or requiring modification of privacy codes voluntarily adhered to by personal information controllers, which may include private dispute resolution mechanisms for complaints against any participating personal information controller, and which adhere to the underlying data privacy principles embodied in the Act and these Rules;
c. Providing assistance on matters relating to privacy or data protection at the request of a national or local agency, a private entity or any person, including the enforcement of rights of data subjects;
d. Assisting Philippine companies doing business abroad to respond to data protection laws and regulations.

PUBLIC EDUCATION

- The Commission shall undertake necessary or appropriate efforts to inform and educate the public of data privacy, data protection, and fair information rights and responsibilities. This includes:

a. Publishing, on a regular basis, a guide to all laws relating to data protection;
b. Publishing a compilation of agency system of records and notices, including index and other finding aids;
c. Coordinating with other government agencies and the private sector on efforts to formulate and implement plans and policies to strengthen the protection of personal data in the country;

COMPLIANCE AND MONITORING

- The Commission shall perform compliance and monitoring functions to ensure effective implementation of the Act, these Rules, and other issuances. This includes:

a. Ensuring compliance by personal information controllers with the provisions of the Act;
b. Monitoring the compliance of all government agencies or instrumentalities as regards their security and technical measures, and recommending the necessary action in order to meet minimum standards for protection of personal data pursuant to the Act;
c. Negotiating and contracting with other data privacy authorities of other countries for cross-border application and implementation of respective privacy laws;
d. Generally performing such acts as may be necessary to facilitate cross-border enforcement of data privacy protection;
e. Managing the registration of personal data processing systems in the country, including the personal data processing system of contractors and their employees entering into contracts with government agencies that involves accessing or requiring sensitive personal information of at least one thousand (1,000) individuals.
COMPLAINTS AND INVESTIGATIONS

- The Commission shall adjudicate on complaints and investigations on matters affecting personal data: Provided, that in resolving any complaint or investigation, except where amicable settlement is reached by the parties, the Commission shall act as a collegial body. This includes:

a. Receiving complaints and instituting investigations regarding violations of the Act, these Rules, and other issuances of the Commission, including violations of the rights of data subjects and other matters affecting personal data;
b. Summoning witnesses, and requiring the production of evidence by a subpoena duces tecum for the purpose of collecting the information necessary to perform its functions under the Act: Provided, that the Commission may be given access to personal data that is subject of any complaint;
c. Facilitating or enabling settlement of complaints through the use of alternative dispute resolution processes, and adjudicating on matters affecting any personal data;
d. Preparing reports on the disposition of complaints and the resolution of any investigation it initiates, and, in cases it deems appropriate, publicizing such reports;

ENFORCEMENT

- The Commission shall perform all acts as may be necessary to effectively implement the Act, these Rules, and its other issuances, and to enforce its Orders, Resolutions or Decisions, including the imposition of administrative sanctions, fines, or penalties. This includes:

a. Issuing compliance or enforcement orders;
b. Awarding indemnity on matters affecting any personal data, or rights of data subjects;
c. Issuing cease and desist orders, or imposing a temporary or permanent ban on the processing of personal data, upon finding that the processing will be detrimental to national security or public interest, or if it is necessary to preserve and protect the rights of data subjects;
d. Recommending to the Department of Justice (DOJ) the prosecution of crimes and imposition of penalties specified in the Act;
e. Compelling or petitioning any entity, government agency, or instrumentality, to abide by its orders or take action on a matter affecting data privacy;
f. Imposing administrative fines for violations of the Act, these Rules, and other issuances of the Commission.

KEY TERMS

Processing
- ... limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data. (IRR of DPA Section 3, check paragraph no.)

DATA SUBJECTS
- Refers to an individual whose sensitive personal, or privileged information is processed

PERSONAL INFORMATION CONTROLLER (PIC)
- Controls the processing of personal data or instructs another to process personal data on its behalf.

PERSONAL INFORMATION PROCESSOR (PIP)
- Natural or juridical person to whom a personal information controller may outsource processing of personal data

DATA PROTECTION OFFICER (DPO)
- Responsible for the overall management of compliance to the DPA (Refer to NPC Advisory No. 2017-01 Designation of Data Protection Officers)

NATIONAL PRIVACY COMMISSION
- Independent body mandated to administer and implement the DPA of 2012, and to monitor and ensure compliance of the country with international standards set for personal data protection (IRR of DPA Section 8)

PERSONAL INFORMATION
- Refers to any information whether recorded in a material form or not from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.

SENSITIVE PERSONAL INFORMATION
- Race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;
- Health, education, genetic or sexual life, or to any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings;
- Info issued by government agencies peculiar to an individual which includes, but not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns; and
- Specifically established by an executive order or an act of Congress to be kept classified.

PRIVILEGED PERSONAL INFORMATION
- Refers to any and all forms of data which under the Rules of Court and other pertinent laws constitute privileged communication.
- Husband or wife cannot testify against one another without consent on any communication received by either in confidence (marital privilege)
DATA SHARING

- It is the DISCLOSURE or TRANSFER to a third party of personal data under the control or custody of a Personal Information Controller (PIC)
- the disclosure or transfer may be done by a Personal Information Processor (PIP) upon instructions of the PIC

DATA SHARING AGREEMENT (DSA)

- CONTRACT, JOINT ISSUANCE or any similar document that contains the terms and conditions of a data sharing arrangement between two or more parties.
- Only PERSONAL INFORMATION CONTROLLERS (PIC) shall be made parties to a data sharing agreement. (Covered by NPC Circular No. 16-02)

CONSENT

- refers to any freely given, specific, informed indication of will, whereby the data subject agrees to the collection and processing of his or her personal, sensitive personal, or privileged information. Consent shall be evidenced by written, electronic or recorded means. It may also be given on behalf of a data subject by a lawful representative or an agent specifically authorized by the data subject to do so.

OBLIGATIONS OF A PERSONAL INFORMATION CONTROLLER

- The PIC should collect personal information for specified and legitimate purposes determined and declared before, or as soon as reasonably practicable after collection;
- The PIC should process personal information fairly and lawfully, and in accordance with the rights of a data subject;
- The PIC should process accurate, relevant and up to date personal information;
- The PIC should collect and process personal information adequately and not excessively;
- The PIC should retain personal information only for as long as necessary for the fulfillment of the purposes for which the data was obtained. The information should be kept in a form which permits identification of data subjects for no longer than is necessary;
- The PIC must implement reasonable and appropriate organizational, physical and technical measures intended for the protection of personal information.

[Figure: Data Privacy Act, with three pillars: Data Privacy Principles; Security Measures; Uphold Rights of Data Subject]

DATA PRIVACY PRINCIPLES

- The processing of personal information shall be allowed, subject to compliance with the requirements of this Act and other laws allowing disclosure of information to the public and adherence to the principles of transparency, legitimate purpose and proportionality

TRANSPARENCY

- A data subject must be aware of the nature, purpose, and extent of the processing of his or her personal data, including the risks and safeguards involved, the identity of personal information controller, his or her rights as a data subject, and how these can be exercised. Any information and communication relating to the processing of personal data should be easy to access and understand, using clear and plain language.

LEGITIMATE PURPOSE

- The processing of information shall be compatible with a declared and specified purpose, which must not be contrary to law, morals, or public policy.

[Figure: Lawful Processing, bases: Consent; Contract; Legal Obligation; Public Order and Public Safety; Law and Regulation; Medical Treatment; Protect Life; Court proceedings, Legal claims; Legitimate Interest]

PROPORTIONALITY

The processing of information shall be adequate, relevant, suitable, necessary, and not excessive in relation to a declared and specified purpose. Personal data shall be processed only if the purpose of the processing could not reasonably be fulfilled by other means.

Avoid this mentality:

“just in case we need it”
“this is what we always do”
SECURITY MEASURES

IMPLEMENT SECURITY MEASURES

[Figure: Organizational, Physical and Technical security measures, mapped to Confidentiality, Availability and Integrity]

The determination of the appropriate level of security must consider the following:

1. Nature of the personal data to be protected;
2. Risks represented by the processing;
3. Size of the organization and complexity of its operations;
4. Current data privacy best practices; and
5. Cost of security implementation

ORGANIZATIONAL

- Where appropriate, personal information controllers and personal information processors shall comply with the following guidelines for organizational security:

ORGANIZATIONAL SECURITY MEASURES

- Data Protection Officer
- Records of Processing Activities
- Data Privacy and Data Security Policy
- Management of Human Resources
- Management of Third Parties
- Review and Monitoring

PHYSICAL

- Physical security must be implemented properly to prevent unauthorized access. Similar to the “human” factor in data protection, this element is also often overlooked. Hacking into the network system is not the only way that personal or sensitive personal information can be taken or used against an organization or any individual. Designing and implementing physical security must be taken seriously and instituted. Its main focus is to protect physical assets through office designs and layout, environmental components, emergency response readiness, accessibility to the public, security against natural disasters and any other relevant points. (NPC Toolkit Page 76)

TECHNICAL

- Technical security involves the technological aspect of security in protecting personal information. It includes protecting the network, encrypting personal information in storage and in transit, mitigating data transfer risks, implementing software system designs and having efficient access control policies. The NPC has issued technical security guidelines for the personal information controllers and personal information processors, specifically for Data Center, Encryption and Access Control Policy. (NPC Toolkit Page 76)
- Security policy system monitoring
- Safeguards: encryption, authentication process
- Incident response, correct and mitigate breach, restore system
- Password policy
- Maintain your information security program and integrate data privacy

RIGHTS OF THE DATA SUBJECT
(Rule VIII, Section 34 of IRR)

Right to be Informed

- The data subject has a right to be informed whether personal data pertaining to him or her will be, are being, or were processed. The data subject should be notified and furnished with the following information before the entry of his or her personal data into the processing system, or at the next practical opportunity.

a. Description of the personal data to be entered in the system;
b. Purposes for which they are being or will be processed, including processing for direct marketing, profiling or historical, statistical or scientific purpose;
c. Basis of processing, when processing is not based on the consent of the data subject;
d. Scope and method of the personal data processing;
e. The recipients or classes of recipients to whom the personal data are or may be disclosed;
f. Methods utilized for automated access, if the same is allowed by the data subject, and the extent to which such access is authorized, including meaningful information about the logic involved, as well as the significance and the expected consequences of such processing for the data subject;
g. The identity and contact details of the personal information controller or its representative;
h. The period for which the information will be stored; and
i. The existence of their rights as data subjects.

Right to Access

- The data subject has the right to reasonable access to, upon demand, the following:

a. Contents of his or her personal data that were processed;
b. Sources from which personal data were obtained;
c. Names and addresses of recipients of the personal data;
d. Manner by which such data were processed;
e. Reasons for the disclosure of the personal data to recipients, if any;
f. Information on automated processes where the data will, or is likely to, be made as the sole basis for any decision that significantly affects or will affect the data subject;
g. Date when his or her personal data concerning the data subject were last accessed and modified; and
h. The designation, name or identity, and address of the personal information controller

Right to Correct/Rectify

- This refers to the right of data subject to dispute the inaccuracy or error in the personal data and have the personal information controller correct it immediately and accordingly, unless the request is vexatious or otherwise unreasonable.

Right to Erasure/Blocking

- The data subject has the right to suspend, withdraw or order the blocking, removal or destruction of his or her personal data from the personal information controller’s filing system. This right may be exercised upon discovery and substantial proof of any of the following:

a. The personal data is incomplete, outdated, false, or unlawfully obtained;
b. The personal data is being used for a purpose not authorized by the data subject;
c. The personal data is no longer necessary for the purposes for which they were collected;
d. The data subject withdraws consent or objects to the processing of his or her information, and there is no other legal ground or overriding legitimate interest for the processing;
e. The personal data concerns private information that is prejudicial to data subject, unless justified by freedom of speech, of expression, or of the press or otherwise authorized;
f. The processing is unlawful; or
g. The personal information controller or personal information processor violated the rights of the data subject.

The personal information controller may notify third parties who have previously received such processed personal information.

Right to Object

- The data subject has the right to object to the processing of his or her personal data, including processing for direct marketing, automated processing or profiling. He or she should be given an opportunity to withhold consent in case of any amendment to the information supplied to the data subject under the right to be informed.

The personal information controller should not process the personal data without consent unless:

a. The personal data is needed pursuant to a subpoena;
b. The collection and processing are for obvious purposes, including, when it is necessary for the performance of or in relation to a contract or service to which the data subject is a party, or when necessary or desirable in the context of an employer-employee relationship between the collector and the data subject; or
c. The information is being collected and processed because of a legal obligation.

Right to Damages

- Data subject shall have the right to get indemnified for any damages sustained due to such inaccurate, incomplete, outdated, false, unlawfully obtained personal information.

Right to Data Portability

- Where personal data is processed by electronic means and in a structured and commonly used format, the data subject has the right to obtain from the personal information controller a copy of such data in an electronic or structured format that is commonly used and allows further use. The exercise of this right should consider the right of data subject to have control over his or her personal data being processed based on consent or contract, for commercial purpose, or through automated means. The Commission may specify the electronic format, as well as the technical standards, modalities, procedures and other rules for their transfer.

Right to File a Complaint

- If personal information has been misused, maliciously disclosed, or improperly disposed, or that any of your data privacy rights have been violated, the data subject has a right to file a complaint with the NPC.

Consequences of Non-observance of Data Subject Rights

[Figure: Discrimination; Damaged Reputation; Harassment; Loss of trust; Loss of self-determination; Loss of autonomy; Loss of money; Stigmatization]

CRIMES AGAINST DATA PRIVACY AND PRESCRIBED PENALTIES

PUNISHABLE ACT             IMPRISONMENT             FINE (PESOS)
Access due to negligence   1y to 3y - 3y to 6y      500k to 4m
Unauthorized processing    1y to 3y - 3y to 6y      500k to 4m
Unauthorized purposes      18m to 5y - 2y to 7y     500k to 2m
Improper disposal          6m to 2y - 3y to 6y      100k to 1m
Intentional breach         1y to 3y                 500k to 2m
...                        18m to 5y                ...
...                        18m to 5y                ...
...                        1y to 3y - 3y to 5y      ...
...                        3y to 6y                 ...
Module 2: DATA PRIVACY PRINCIPLES

[Figure: Data Privacy Principles: Transparency; Legitimate Purpose; Proportionality; Data Quality; Security Safeguards; Accountability; Data Subject Rights]

[Figure: Transparency: Notice; Fairness; Access; Openness]

TRANSPARENCY

- Means that the data subject must be aware of the nature, purpose, and extent of the processing of his or her personal data, including the risks and safeguards involved, the identity of personal information controller, rights as a data subject, and how these can be exercised.
- Any information and communication relating to the processing of personal data should be easy to access and understand, using clear and plain language.
- The data subject should be informed whether personal information pertaining to him or her shall be, are being or have been processed
- The data subject must be:
  • Furnished information relevant to the processing of his or her personal data;
  • Provided reasonable access upon demand; and
  • Given a copy of his or her personal data undergoing processing in an electronic or structured format to allow further use (data portability)

RIGHT TO INFORMATION

[Figure: RIGHT TO INFORMATION. WHAT: Description of personal data. WHY: Purposes of processing, including direct marketing, automated decision-making, profiling, basis of processing. HOW: Scope and method of processing; Methods utilized for automated access; Storage period. WHOM: Classes of recipients of personal data. WHO: Identity and contact details of PIC; Contact details of Data Protection Officer. RIGHTS: Data subjects’ rights, including right to file a complaint before the Privacy Commission]
PRIVACY NOTICE

- is a statement on the data processing activities of an agency or organization, providing information about the categories of personal data processed, purpose and extent of processing, and safeguards in place for data protection. It demonstrates transparency and fairness in processing and provides one of the means to uphold rights of data subjects. To be effective, the privacy notice should be accessible, engaging and easy to understand.

CONTENTS OF PRIVACY NOTICE

I. Service description
II. Personal Information that are collected
III. Collection method
IV. Timing of collection
V. Purpose of collected personal information
VI. Storage and transmission of personal information
VII. Method of use
VIII. Location of personal information
IX. Third party transfer
X. Retention period
XI. Participation of data subject
XII. Inquiry (Please refer to NPC Toolkit (3rd edition) for further information)

ROLE OF DPO IN TRANSPARENCY

- The DPO serves as the contact person of the PIC or PIP vis-à-vis data subjects, and the NPC
- Contact details of the DPO and COP should be published in the website, privacy notice, and manual. Their names need not be published but should be made available upon request of data subject. (NPC Advisory 17-01)
- Notification of data subjects may be required in cases of personal data breach (NPC Circular 16-03)

RIGHT TO ACCESS

Reasonable Access To, Upon Demand:

- Contents of personal information processed
- Sources from which personal information were obtained;
- Names and addresses of recipients of the personal information;
- Manner by which such data were processed;
- Reasons for the disclosure to recipients;
- Information on automated processes where the data will or likely to be made as the sole basis for any decision significantly affecting or will affect the data subject;
- Date when personal information was last accessed and modified; and
- The designation, or name or identity and address of the personal information controller;

REMEMBER

- The Data Subject can be provided information through a clear privacy notice that is accessible and easy to understand.
- While a privacy notice may not include specific details of contents of personal data being processed or recipients, the data subject may obtain such information through the right to access.
- A Privacy Notice is different from Consent. (AdOp No. 2018-013)

COMPLIANCE FRAMEWORK

• Designate a DPO
• Have privacy notices
• Establish mechanisms for exercise of data subject rights
• Where appropriate, data subjects should be notified in case of a personal data breach

[Figure: Legitimate Purpose: Purpose Specification; Lawfulness; Notice and Choice; Purpose Limitation; Use Limitation]

LEGITIMATE PURPOSE

- Means that processing of information shall be compatible with a declared and specified purpose which must not be contrary to law, morals, or public policy.

CONSENT: FREELY GIVEN, SPECIFIC, AND INFORMED

- Means giving data subjects genuine choice and control over how a PIC uses their data. This means data subjects must be able to refuse consent and must be able to withdraw consent easily at any time.
- It also means consent should be unbundled from other terms and conditions (including giving granular consent options for different types of processing) wherever possible.
Source: https://ico.org.uk/media/about-the-ico/consultations/2013551/draft-gdpr-consent-guidance-for-consultation-201703.pdf

“Implied, implicit or negative consent is not recognized under the law. Thus, a company policy that merely stipulates that the inputting of requested personal information amounts to consent or a waiver by a data subject of his or her data privacy rights shall not be considered as valid consent, as required under the DPA”. (AdOp No. 2017-007)
DATA PRIVACY PRINCIPLES

PROCESSING OF PERSONAL INFORMATION IS ALLOWED IF:
- Consent
- Contract
- Compliance with a legal obligation
- Protect vitally important interests of the data subject, including life and health
- Fulfill functions of public authority (national emergency, public order and safety)
- Legitimate interests (Sec. 12, DPA)

PROCESSING OF SENSITIVE PERSONAL INFORMATION IS PROHIBITED, EXCEPT:
a. Consent
b. Existing laws and regulations
c. Protect the life and health of a data subject or another person (emergency cases)
d. Medical treatment (medical practitioner)
e. Court proceedings, legal mandate of government authorities (Sec. 13, DPA)

ILLUSTRATION

“Under Republic Act No. 9406, it is our understanding that the mandate of PAO is to extend free legal assistance to indigent persons in criminal, civil, labor, administrative and other quasi-judicial cases. Should PAO then be authorized as legal representatives of the minor data subjects, they may then be provided information regarding the particular data subject they are representing, subject to the presentation of proof of such authorization”.

“Lastly, as to the request of the media and other private organizations, the disclosure of statistical or aggregated information without involving any personal or sensitive personal information should suffice. The release of a copy of the master list of students and individuals who were vaccinated with Dengvaxia®, which contains sensitive personal information, to any requesting public, could constitute an unwarranted invasion of personal privacy”. (NPC Privacy Policy Office Advisory Opinion No. 2018-07)

Illustration: NPC Privacy Policy Office Advisory Opinion No. 2018-007, 26 February 2018, RE: DISCLOSURE OF THE MASTER LIST OF STUDENTS AND INDIVIDUALS WHO WERE VACCINATED WITH DENGVAXIA
Information sought: Name; Birthday; Home Address; Name of parents; Consent form; Vaccination card; Name of Vaccinator; Position of the Vaccinator; Health Educator
Request was:
f. Not provided by existing laws and regulations;
g. Made without the consent of the data subjects or their authorized representatives; and
h. Not done pursuant to PAO’s constitutional or statutory mandate.
See Section 13 - instances when processing of sensitive personal information is considered lawful.

COMPLIANCE FRAMEWORK
• Have records of processing activities and document the basis of processing
• Policies and procedures for every stage of the data life cycle (procedures for obtaining consent)
• Manage third party risks (outsourcing contracts, data sharing, disclosures to any third party and reporting requirements)
• Regular assessment and review (review consent forms, contracts, notices)

Diagram: Proportionality - Collection Limitation, Necessity, Data Minimization, Storage Limitation, Deidentification*.

PROPORTIONALITY
- Means that processing of information shall be adequate, relevant, suitable, necessary, and not excessive in relation to a declared and specified purpose.
- Personal data shall be processed only if the purpose of the processing could not reasonably be fulfilled by other means.

PROCESSING OF PERSONAL INFORMATION MUST BE:
- Adequate
- Relevant
- Suitable
- Necessary
- Not excessive

OAKES PROPORTIONALITY TEST
- Examines whether the measure is necessary to meet the objective, that is, whether there are less intrusive ways of achieving the same objective.
- Examines whether the measure chosen for the collection of information is effective in achieving the objective, that is, whether it is rationally connected to it.
- Weighs the proportional benefits of collecting information against the harm to the employee’s/data subject’s privacy. (R v. Oakes, [1986] 1 S.C.R. 103, Supreme Court of Canada)

ILLUSTRATION

“It is proper for the CAAC and the Board to judiciously evaluate and determine whether the publication of the decisions on the website is indispensable in achieving its purpose. The Board can consider redaction of sensitive personal information, such as the identity of patients and their health information, which may not be necessary for purposes of posting in the website”. (NPC Privacy Policy Office Advisory Opinion No. 2018-18)

COMPLIANCE FRAMEWORK
• Have Records of Processing Activities, including data inventory and data flow
• Conduct Privacy Impact Assessment
• Policies and procedures for every stage of the data life cycle (use, records retention policy, disposal)
• Regular Assessment and Review (review consent forms, contracts, data collection forms)
Diagram: Data Quality - Adequate, Relevant, Accurate, Integrity; Access and Correction.

WHAT DOES DATA QUALITY MEAN?
- Ensuring that the Personal Information is accurate, complete, up-to-date;
- Ensuring the reliability of the Personal Information from a source other than the data subject before it is processed;
- Establishing personal information collection procedures to help ensure accuracy and quality; and
- Establishing control mechanisms to periodically check the accuracy and quality of collected and stored personal information. (ISO/IEC 29100:2011 – Information Technology – Security Techniques – Privacy Framework)

It also means that:
- Personal data should be accurate and, where necessary for a declared, specified and legitimate purpose, kept up to date.
- Inaccurate or incomplete data must be rectified, supplemented, destroyed or their further processing restricted. (Section 11, par. c, Chapter III, IRR of the Data Privacy Act of 2012)

COMPLIANCE FRAMEWORK
- Policies and procedures for every stage of the data life cycle (access control, updating of records)
- Implement Organizational, Physical and Technical Security Measures (maintain integrity of personal data)
- Regular Assessment and Review (internal audit)

Diagram: Security Safeguards - Preventing Harm: Confidentiality, Integrity, Availability, Resilience.

Organizational Commitment
• Management Buy-In
• DPO
• Reporting Mechanism

Program Controls
• Records of Processing Activities
• Risk Assessment
• Registration
• Policies and Procedures
• Data Security
• Capacity Building
• Breach Management
• Notification
• Third-Party Management
• Communication

Continuing Assessment and Development
• Continuity and Review

COMPLIANCE FRAMEWORK
• Implement Privacy Management Program
• Develop Privacy Manual
• Implement Organizational, Physical and Technical Security Measures

Data Subject Rights

Diagram: Individual Participation - Choice, Notice, Access and Correction, Remedies.

Uphold the Rights of the Data Subject: Right to be Informed; Right to Access; Right to Object; Right to Erasure or Blocking; Right to Damages; Right to File a Complaint; Right to Rectify; Right to Data Portability.

DATA SUBJECT RIGHTS

RIGHT TO OBJECT
When does the right to object apply?
• Processing is based on consent (including processing for direct marketing, automated processing, or profiling)
• Processing is based on legitimate interests of the PIC

If you process personal data for direct marketing purposes:
• You must stop processing as soon as you receive an objection. There are no exemptions or grounds to refuse.
RIGHT TO OBJECT
When a data subject objects or withholds consent, the PIC shall no longer process the personal data, unless:
- Personal data is needed pursuant to a subpoena;
- Processing is for obvious purposes, i.e. necessary for the performance of a contract, or when necessary or desirable in the context of an employer-employee relationship between collector and data subject; or
- Information is being collected and processed as a result of a legal obligation.

RIGHT TO ERASURE OR BLOCKING
When does the right apply?
- The personal data is incomplete, outdated, false, or unlawfully obtained;
- Being used for an unauthorized purpose;
- No longer necessary for the purposes for which they were collected;
- The data subject withdraws consent or objects to the processing, and there is no other legal ground or overriding legitimate interest for the processing;
- The personal data concerns private information that is prejudicial to the data subject, unless justified by freedom of speech, of expression, or of the press or otherwise authorized;
- The processing is unlawful;
- The PIC or PIP violated the rights of the data subject.

RIGHT TO RECTIFICATION
- Right to dispute the inaccuracy or error in the personal data and have the PIC correct it immediately, unless the request is vexatious or otherwise unreasonable.
- PIC shall ensure the accessibility of both the new and the retracted information and the simultaneous receipt of the new and the retracted information by the intended recipients.
- If you have disclosed the personal data in question to third parties, you must inform them of the rectification upon reasonable request of the data subject.

RIGHT TO DAMAGES
- The data subject shall be indemnified for any damages sustained due to such inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of personal data, taking into account any violation of his or her rights and freedoms as data subject. (See: NPC Circular No. 16-04 – Rules of Procedure)

RIGHT TO DATA PORTABILITY
When does the right to data portability apply?
- If personal data is processed electronically, the data subject shall have the right to obtain from the PIC a copy of such data in an electronic/structured format that is commonly used and allows for further use by the data subject.
What is the purpose of this right?
- In order for the data subject to have control over his or her personal data being processed based on consent or contract, for commercial purpose, or through automated means.

PROCESSING PERSONAL INFORMATION CAN CREATE PROBLEMS FOR THE INDIVIDUAL
• Loss of trust
• Loss of self-determination
• Loss of autonomy
• Loss of liberty
• Discrimination
• Stigmatization

ACCOUNTABILITY
• Demonstrate Compliance
• DPO
• Risk Assessment and Privacy Management Program
• Responsibility for third party transfers of personal data
• Certifications
• Privacy Codes

COMPLIANCE FRAMEWORK
• Designate a DPO
• Have Records of Processing Activities
• Conduct Privacy Impact Assessment
• Implement a Privacy Management Program
• Regular Assessment and Review (Review of Policies, Internal Audit, Certifications)

The NPC Data Privacy Accountability and Compliance Framework

GOVERNANCE
a. Choose a DPO
RISK ASSESSMENT
b. Register
c. Records of processing activities
d. Conduct PIA
ORGANIZATION
e. Privacy Management Program
f. Privacy Manual
DAY TO DAY
g. Privacy notice
h-o. Data Subject Rights
p. Data Life Cycle
DATA SECURITY
q. Organization
r. Physical (Data Center)
s. Technical (Encryption, Access Control Policy)
BREACHES
t. Data Breach Management: Security Policy; Data Breach Response Team; Incident Response Procedure; Document; Breach Notification
THIRD PARTIES
u. Third Parties: Legal basis for disclosure; Data sharing agreements; Cross border; Review Contracts
MANAGE HR
v. Trainings and Certifications
w. Security Clearance
CONTINUITY
x. Continuing Assessment and Development: Regular PIA; Internal Assessment; Review PMP; Accreditations
PRIVACY ECOSYSTEM
y. New Technologies and Standards
z. New Legal Requirements

Diagram: Ethical use of personal data - Benefits, Harms, Accountability.
Module 3: APPOINTING A DATA PROTECTION OFFICER

All PICs and PIPs should designate a Data Protection Officer
• The personal information controller shall designate an individual or individuals who are accountable for the organization’s compliance with this Act. The identity of the individual(s) so designated shall be made known to any data subject upon request. (Sec. 21[b], DPA)

General Qualifications of a DPO
• Knowledgeable
• Reliable
• Expertise in data privacy
• Sufficient understanding of the processing operations being carried out by the PIC or PIP
• Knowledge by the DPO of the sector or field of the PIC or PIP

COMPLIANCE OFFICER FOR PRIVACY (COP) (Advisory 17-01)
COP refers to an individual or individuals who shall perform some of the functions of a DPO.
• The DPO generally oversees the operations of the COP to ensure the performance of his/her functions, efficiently and economically, but without interference with day-to-day activities.
• The COP should actively coordinate and consult with the supervising DPO and should take instructions from the same.
• Instances where a PIC or PIP is allowed to designate a COP:

A. LOCAL GOVERNMENT UNITS (LGUs)
- A component city, municipality, or barangay may designate a COP in their respective LGUs, so long as the COP remains under the supervision of the DPO.

B. GOVERNMENT AGENCIES
- A government agency that has regional, provincial, district, city, municipal offices, or any other similar sub-units, may designate or appoint a COP for each sub-unit. The COPs shall be under the supervision of the DPO in the head office.

C. PRIVATE SECTOR
- Where a private entity has branches, sub-offices, or any other component units, it may also appoint or designate a COP for each component unit.

D. GROUP OF COMPANIES
- Subject to the approval of the NPC, a group of related companies may appoint or designate the DPO of one of its members to be primarily accountable for ensuring the compliance of the entire group with all data protection policies. Where such a common DPO is allowed by the NPC, the other members of the group must still have a COP, as defined in the Advisory.

E. OTHER ANALOGOUS CASES
- PICs or PIPs that are under similar or analogous circumstances may also seek the approval of the NPC for the appointment or designation of a COP, in lieu of a DPO.

Points to consider:
• The PIC/PIP must make a determination of the privacy risks represented by its data processing operations. This should be considered when deciding whether to have one DPO for multiple companies, or to have COPs in addition to the DPO.
• There should be at least one DPO per PIC/PIP.
• An individual PIC or PIP shall be considered a de facto DPO.

Position of a DPO or a COP in the organization
• Full-time or organic employee
• In the government, may be career or appointive.
• In the private sector, may be regular or permanent. May also be contractual, but the term or duration should not be less than 2 years.

Conflict of Interest
• Definition under Advisory 17-01: “refers to a scenario wherein a DPO is charged with performing tasks, duties, and responsibilities that may be opposed to or could affect his performance as DPO. This includes, inter alia, holding a position within the PIC or PIP that leads him to determine the purposes and the means of the processing of personal data.”
• A DPO/COP may perform (or be assigned to perform) other tasks or assume other functions not relating to data privacy so long as those will not result in any conflict of interest.
• The DPO/COP may also occupy a concurrent position in the organization (e.g., legal counsel, risk management officer, etc.).

Independence and Autonomy
• The DPO or COP shall act independently in the performance of his or her functions and shall enjoy a sufficient degree of autonomy.
- The PIC or PIP should not instruct the DPO or COP on how to interpret the law nor influence his or her position relative to a specific data protection issue.
- A PIC or PIP should not directly or indirectly penalize or dismiss the DPO or COP for performing his or her tasks; but nothing shall preclude the legitimate application of labor, administrative, civil or criminal laws against the DPO or COP, based on just or authorized grounds.

CONFIDENTIALITY
The DPO or COP is bound by secrecy or confidentiality concerning the performance of his or her tasks.
The DPO or COP should not use any information obtained in the course of performing his or her duties for any purpose outside his or her scope of work.

Weight of Opinion
• The opinion of the DPO or COP must be given due weight. In case of disagreement, and should the PIC or PIP choose not to follow the advice of the DPO or COP, it is recommended, as good practice, to document the reasons therefor.

SUBCONTRACTING FUNCTIONS
• Outsourcing or subcontracting some of the functions is allowed.
• The DPO/COP must oversee the performance of the third-party service provider.
• The DPO/COP shall remain the contact person for the NPC and the general public.

DUTIES & RESPONSIBILITIES
1. Monitor the PIC’s or PIP’s compliance with the DPA, its IRR, issuances by the NPC and other applicable laws and policies.

Monitor compliance: Compliance and Accountability Framework
Collect information and maintain records of processing activities: Records of processing activities
Analyze and check the compliance: Privacy Compliance and Progress Report; Privacy Impact Assessment
Inform, advise, and issue recommendations to the PIC or PIP: Be aware of the privacy ecosystem; Privacy Management Program
Ascertain renewal of accreditation or certifications: Continuing assessment and development
Advise the PIC or PIP as regards the necessity of executing a Data Sharing Agreement: Manage third parties

2. Ensure the conduct of Privacy Impact Assessments relative to activities, measures, projects, programs, or systems of the PIC or PIP;
3. Advise the PIC or PIP regarding complaints and/or the exercise by data subjects of their rights;
4. Ensure proper data breach and security incident management by the PIC or PIP, including the latter’s preparation and submission to the NPC of reports and other documentation concerning security incidents or data breaches within the prescribed period;
5. Inform and cultivate awareness on privacy and data protection within the organization of the PIC or PIP, including all relevant laws, rules and regulations and issuances of the NPC;
6. Advocate for the development, review and/or revision of policies, guidelines, projects and/or programs of the PIC or PIP relating to privacy and data protection, by adopting a privacy by design approach;
7. Serve as the contact person of the PIC or PIP vis-à-vis data subjects, the NPC and other authorities in all matters concerning data privacy or security issues or concerns and the PIC or PIP;
8. Cooperate, coordinate and seek advice of the NPC regarding matters concerning data privacy and security; and
9. Perform other duties and tasks that may be assigned by the PIC or PIP that will further the interest of data privacy and security and uphold the rights of the data subjects.

SUPPORTING THE DPO
Obligations of PIC or PIP
• Allow the DPO or COP to be involved from the earliest stage possible in all issues relating to privacy and data protection;
• Provide sufficient time and resources (financial, infrastructure, equipment, training, and staff) necessary to keep updated with the developments in data privacy and security and to carry out his or her tasks effectively and efficiently;
• Grant appropriate access to the personal data it is processing;
• Where applicable, invite the DPO or COP to participate in meetings of senior and
middle management to represent the interest of privacy and data protection;
• Promptly consult the DPO or COP in the event of a personal data breach or security incident; and
• Ensure that the DPO or COP is made a part of all relevant working groups that deal with personal data processing activities conducted inside the organization, or with other organizations.

Support for the DPO
Diagram: the Data Protection Officer at the centre, supported by the Privacy Champion, Compliance Officer for Privacy, Information Security Officer, Privacy Network, IT, Legal and Compliance Officer, with clear reporting lines and resources and support.

TOP MANAGEMENT
• Budget support for security controls (technical, organizational, physical)
• Incorporating compliance into the performance bonus parameters of those concerned, especially for those handling personal data
• Drive the message throughout the organization
• Drive the urgency (e.g. like the SARS epidemic, when everyone started installing hand sanitizers)

PROCESS OWNERS
• Own/maintain their respective privacy impact assessments
• Consult on strategic projects involving the use of personal data (“privacy by design”)
• Conduct breach drills regularly; test each privacy impact assessment at least once a year

HUMAN RESOURCE
• Roll out training on privacy and data protection
• Issue security clearances to staff processing personal data (such clearance to be made contingent on passing the privacy training). DPOs must have access to all security clearances issued.
• Implement the recommended organizational controls

LEGAL DIVISION
• Ensure that all PIP/service provider contracts, job orders, etc. are compliant with the DPA.
• Ensure that all external sharing of data meets the required guidelines of the NPC.

OTHERS
• IT to implement the recommended technical controls
• Security to implement the recommended physical controls
• Internal audit to test internally for compliance

Module 4: PRIVACY IMPACT ASSESSMENT (PIA)
PRIVACY IMPACT ASSESSMENT (PIA)
- Is a process to evaluate and manage privacy impacts in an organization’s programs, processes, activities, systems and operations.
- Overall process of identifying, analyzing, evaluating, consulting, communicating, and planning to treat potential privacy matters.
- Takes into account the following:
  • Nature of the personal data to be protected;
  • The personal data flow;
  • The risks to privacy and security posed by the processing;
  • Current data privacy best practices;
  • The cost of security implementation; and
  • Where applicable, the size of the organization, its resources, and the complexity of its operations.
- An instrument for a systematic assessment of privacy risks
- Part of data privacy best practices and adopts a risk-based approach to compliance and accountability

OBJECTIVES OF CONDUCTING PIA
- Identify the privacy risks and vulnerabilities
- Determine the following:
  • Adherence to transparency, legitimacy, proportionality
  • Lapses in organizational, physical and technical security measures
  • How the organization upholds the rights of the data subjects
- Establish a control framework that should address all the issues identified

WHEN IS PIA NECESSARY?
Consider these points based on NPC Advisory No. 2017-03 (Guidelines on Privacy Impact Assessments):
• When establishing a baseline for the organization;
• Prior to implementation of new programs, software, processes, systems, measures and technology products;
• If there is a change in the way personal data is being processed;
• When entering into a data sharing agreement (DSA) or outsourcing contract;
• When entering into a large-scale data collection;
• Prior to outsourcing any type of processing to a service provider;
• PIA results feed the Privacy Management Program (PMP)

IS PIA REQUIRED?
• The PIC or PIP may forego the conduct of a PIA only if it determines that the processing involves minimal risks to the rights and freedoms of individuals, considering recommendations from the DPO.
• The PIC or PIP should still conduct a preliminary or general risk assessment and provide a basis for the decision not to conduct a PIA.
• In making this determination, the PIC or PIP should consider the size and sensitivity of the personal data being processed, the duration and extent of processing, the likely impact of the processing on the life of the data subject and possible harm in case of a personal data breach.

BENEFITS OF PIA
• Promote PRIVACY AWARENESS, understanding and acceptance
• Supports GOOD GOVERNANCE and enhances informed decision-making
• COMPLIANCE with the Data Privacy Act of 2012
• COST EFFECTIVE
• Prevents PRIVACY RISKS and creates risk management processes
• Identify PRIVACY STRATEGIES to achieve the project’s goals without impacting on privacy

COMPONENTS OF PIA
1. Ownership
2. Stakeholders Involvement
3. Privacy Risk Map
4. Controls
5. Sign Off
6. Implementation & Monitoring Plan

PARTICIPATION IN A PIA
• Stakeholder involvement may be accomplished through:
  • Direct participation in the process;
  • Consultations in a public forum; or
  • Focus group discussions or using surveys and feedback forms.
• Stakeholders may be involved in the whole process or may be consulted for specific stages such as in the preparatory stage, during risk analysis and evaluation, or after the process during the review that leads up to the preparation of the report.
• The results of a PIA should be communicated to the stakeholders via a written report.
• Ideally stakeholders should be the following:
  • Process owners
  • End-users
  • Persons involved in the data lifecycle
  • Internal stakeholders (such as HR, Legal, Facilities, Compliance, DPO)
  • Data Protection Authorities (you may invite them as well)

DETERMINATION OF SECURITY MEASURES (Sec. 20 [c])
• The determination of the appropriate level of security under this section must take into account the nature of the personal information to be protected, the risks represented by the processing, the size of the organization and complexity of its operations, current data privacy best practice and the cost of security implementation.

QUESTIONS TO CONSIDER DURING PIA
Diagram: five questions in a cycle - What do I process and how? Do I comply with the law? What are the risks? What can I do about it? When will I reassess?
What do I process and how?
In order to start the conduct of a PIA, the PIC/PIP must first identify the processes, systems or applications that should undergo the process of assessment.

Do I comply with the law?
After identifying them, determine whether those processes/systems are factors for non-compliance.

What are the risks?
Identify the risks that are associated with the identified processes/systems.

What can I do about it?
Determine which controls or solutions are appropriate to mitigate the risks.

When will I re-assess?
This would help maintain the steady state of personal data processing. All controls wear out over time and should be re-evaluated to check whether they are still effective.

RECORDS OF PROCESSING ACTIVITIES
• Conduct of a PIA ensures that PICs and PIPs keep a record of their data processing activities.

PIA and PRIVACY BY DESIGN
• Conducting a PIA also helps organizations take a privacy by design approach when developing and implementing projects, programs, and processes, to ensure not only compliance with the law but also the importance of valuing the privacy of the data subjects and adhering to data privacy principles.

PIA PROVIDES INITIAL STEP TOWARDS ACCOUNTABILITY
Diagram: Privacy by Design, the Privacy Management Program and Records of Processing Activities lead to Accountability. The PIA covers:
- Personal Data Flow: source and collection; accountable and responsible persons; purpose of processing; personal data processing (use, disclosure, storage, disposal); security measures; transfer outside the country
- Data Life Cycle (Collection; Use and Access; Storage and Retention; Sharing and Transfers; Disposal): data inventory; data flow; purpose of processing; sources and recipients of personal data; accountable and responsible persons; existing safeguards
- Identify and Assess Privacy Risks: privacy risk identification; privacy risk analysis (impact and likelihood); privacy risk evaluation; address risks

DATA LIFE CYCLE
• Data Inventory
• Data Flow
• Purpose of processing
• Sources and Recipients of personal data
• Accountable and Responsible Persons
• Existing Safeguards

IDENTIFYING AND RATING PRIVACY RISKS
Risk - the potential for loss, damage or destruction as a result of a threat exploiting a vulnerability (loss of data, alteration, identity theft, unauthorized access, unauthorized disclosure).
Threat - a potential cause of an unwanted incident, which may result in harm to a system or organization (malware, hacking, poor disposal, shoulder surfing, power outage).
Vulnerability - a weakness of an asset or group of assets that can be exploited by one or more threats (software, hardware, employees/individuals, ICT assets).

PRIVACY RISKS
Diagram: Unauthorized or Illegal Processing; Violation of Rights of Data Subjects; Confidential Personal Data Breach; Failure to Comply with NPC Requirements.

In identifying privacy risks, consider the following:
- Identify privacy risks in relation to the data life cycle
- Privacy risks relating to collection of personal data may be non-adherence to the Data Privacy Principles (Transparency, Legitimate Purpose, and Proportionality)
- Privacy risks relating to use of personal data may give rise to violation of Data Subjects’ Rights under the DPA
- Privacy risks in storage or sharing of personal data may indicate failure to comply with NPC requirements relative to such aspect in the data life cycle
- Non-adherence to Data Protection Principles (Confidentiality, Integrity and Availability) in the course of sharing or disposal of personal data may lead to personal data breach/es

Note: Once you have identified the privacy risks, you need to rate the risk, which will determine whether or not it is safe enough to continue with the process, program or activity, or whether you need to adopt additional Security Measures to reduce or eliminate the risk.

Risk rating = IMPACT x PROBABILITY
PRIVACY IMPACT ASSESSMENT (PIA) PRIVACY IMPACT ASSESSMENT (PIA)

Impact - severity of the injuries/harm that might arise if the event does occur Privacy Risk Map is a diagram that indicates the level of impact and probability of privacy risk
• Irritations, damage to property, physical ailments, etc., identified. The map is typically used to determine the order in which the privacy risks should
Probability - chance or probability of something happening. be prioritized and treated.
• Possibility of theft, accidents, loss of control, natural disasters and any threats.

Note: There are four (4) levels in determining the Impact and Probability ratings
Residual Risk
IMPACT RATING

N
Residual risk is defined in ISO
27001 and ISO 31000 as the risk

O
Negligible Either not be affected or may Re-entering data, irritations, remaining after risk treatment.

I
1
encounter a few inconveniences aggravations

2
S
Limited Significant inconveniences Additional costs,
inaccessibility, minor physical Residual

IS
Risk

Controls
ailments, stress

M
3 Significant Significant inconveniences with Misuse of funds,
serious difficulties unemployment, subpoena,

M
damage to property

4 Maximum Significant inconveniences which Unserviceable debt, long

O
may not overcome term psychological or

C
physical ailments, deaths
APPROACHES TORISK MANAGEMENT
PROBABILITY RATING

C Y • Avoidance - The easiest way for a business to manage its identified risk is to avoid
it altogether.

A
Unlikely Not expected Data room protected by • Mitigation - Businesses can also choose to manage risk through mitigation or
1 reduction.
badge reader and lock

V
• Transfer - In some instances, businesses choose to transfer risk away from

I
2 Possible Casual occurrence Data room protected by the organization. Risk transfer typically takes place by paying a premium to an
badge reader or lock

R
insurance company in exchange for protection against substantial financial loss.
• Acceptance - Risk management can also be implemented through the acceptance
3 Likely Frequent occurrence Has a security lobby

P
of risk. Companies retain a certain level of risk brought on by specific projects
4 Almost Very likely No security measure or expansion if the anticipated profit generated from the business activity is far

L
Certain greater than its potential risk.

Once the impact and probability of a risk have been calculated, multiply both numbers to get its privacy risk rating.

PRIVACY RISK RATING
1 - Negligible
2 - Low Risk
3 - Medium Risk
4 - High Risk

PRIVACY RISK MAPPING
(Figure: a risk map with IMPACT on the vertical axis (Negligible, Limited, Significant, Maximum) and PROBABILITY on the horizontal axis, labelled Negligible, Possible, Likely, Almost Certain in the figure; the first level is the one the probability scale above calls Unlikely. Example risks plotted: Alteration, Loss of data, ID theft.)

DUTY OF DPO IN RELATION TO PIA
• In case of disagreement between the DPO and its principal on the conduct of a PIA, this should be properly documented, particularly the reason for the conflicting views.
• The extent of the involvement of the DPO in the PIA is left to the discretion of the PIC or PIP. The PIC or PIP may allow the DPO to actively take part in the PIA, or it may simply consult and seek his or her recommendations based on the results of the PIA. Where the PIC or PIP has a COP, the involvement of the latter in the PIA shall also be determined by the PIC or PIP.
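The rating method above (impact rating multiplied by probability rating, with each risk then placed on a risk map) worked through as a small risk register. This is an added example and not code from the NPC training material: the two scales are the ones in the tables, while the bands that turn the 1 to 16 product into the four privacy risk ratings (RATING_BANDS), the Risk record and helper names, and the sample register (SAMPLE_RISKS) are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Rating scales from the Impact and Probability tables (1 = lowest, 4 = highest).
IMPACT = {"Negligible": 1, "Limited": 2, "Significant": 3, "Maximum": 4}
PROBABILITY = {"Unlikely": 1, "Possible": 2, "Likely": 3, "Almost Certain": 4}

# ASSUMPTION: the material only says impact is multiplied by probability.
# These bands for the 1..16 product are an illustrative choice, not NPC guidance.
RATING_BANDS = ((2, "Negligible"), (4, "Low Risk"), (9, "Medium Risk"), (16, "High Risk"))


@dataclass(frozen=True)
class Risk:
    """One entry of the PIA risk register (hypothetical structure)."""
    name: str
    impact: str        # a key of IMPACT
    probability: str   # a key of PROBABILITY


def risk_score(impact: str, probability: str) -> int:
    """Privacy risk score = impact rating x probability rating (1..16)."""
    return IMPACT[impact] * PROBABILITY[probability]


def risk_rating(score: int) -> str:
    """Map a score onto the four privacy risk ratings using RATING_BANDS."""
    if not 1 <= score <= 16:
        raise ValueError(f"score out of range: {score}")
    for upper, label in RATING_BANDS:
        if score <= upper:
            return label
    raise AssertionError("unreachable: bands cover 1..16")


def rate_risks(risks: List[Risk]) -> List[Tuple[str, int, str]]:
    """Return (name, score, rating) per risk, highest score first, so the
    risk management plan treats the worst risks first."""
    rated = []
    for r in risks:
        score = risk_score(r.impact, r.probability)
        rated.append((r.name, score, risk_rating(score)))
    return sorted(rated, key=lambda t: t[1], reverse=True)


def risk_map(risks: List[Risk]) -> Dict[Tuple[str, str], List[str]]:
    """Group risk names by (impact, probability) cell: the privacy risk map."""
    cells: Dict[Tuple[str, str], List[str]] = {}
    for r in risks:
        cells.setdefault((r.impact, r.probability), []).append(r.name)
    return cells


def render_risk_map(risks: List[Risk]) -> str:
    """Text rendering of the 4x4 map: impact rows (Maximum on top),
    probability columns (Unlikely on the left), one cell per combination."""
    cells = risk_map(risks)
    width = 18
    header = "IMPACT \\ PROB.".ljust(width) + "".join(p.ljust(width) for p in PROBABILITY)
    lines = [header.rstrip()]
    for imp in reversed(list(IMPACT)):
        row = imp.ljust(width)
        for prob in PROBABILITY:
            row += (", ".join(cells.get((imp, prob), [])) or "-").ljust(width)
        lines.append(row.rstrip())
    return "\n".join(lines)


# Constructed sample register for illustration (not from the material).
SAMPLE_RISKS = [
    Risk("Alteration", "Limited", "Possible"),
    Risk("Loss of data", "Significant", "Likely"),
    Risk("ID theft", "Maximum", "Almost Certain"),
    Risk("Re-entering data", "Negligible", "Likely"),
]

if __name__ == "__main__":
    for name, score, rating in rate_risks(SAMPLE_RISKS):
        print(f"{score:>2}  {rating:<12} {name}")
    print(render_risk_map(SAMPLE_RISKS))
```

The sorted output is the input to the risk management plan: controls go to the top of the list first, and re-scoring a risk with the impact or probability expected after a control is applied gives its residual risk in the ISO sense used above.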
PRIVACY IMPACT ASSESSMENT (PIA)

THE PIA PROCESS
1. PRELIMINARY
2. MOBILIZE
3. CONDUCT
4. IMPLEMENT

1. PRELIMINARY
a. Make an inventory of personal data held by the company/agency
b. Identify the projects, processes, programs, or measures that act on this data
c. Determine whether a PIA is necessary (threshold analysis)
d. Identify the risks associated with the processing of the personal data

2. MOBILIZE
a. Set up the team, determine the scope, plan the PIA
b. Determine what resources are needed

3. CONDUCT
a. Consult stakeholders, analyze risks, create risk map
b. Determine necessary controls
c. Create risk management plan, get sign off

4. IMPLEMENT
a. Deploy risk management controls
b. Monitor and evaluate on a regular basis

Note: It is important to always weigh the BENEFITS against the HARMS that can be done to the data subjects as well as to the organizations.

Module 5:
PRIVACY MANAGEMENT PROGRAM
PRIVACY MANAGEMENT PROGRAM

Conducting a Privacy Impact Assessment is not the end of complying with the DPA and protecting data subjects' rights. The recommended solutions formulated in the PIA feed into the Privacy Management Program (PMP).

Compliance with the law (RA 10173)

With the passage of Republic Act (RA) No. 10173, otherwise known as the Data Privacy Act (DPA) of 2012, the government and private organizations covered by the DPA, that is, the Personal Information Controllers (PICs) and Personal Information Processors (PIPs), are asking how they should start complying with the law. The simple answer is to have a PRIVACY MANAGEMENT PROGRAM (PMP) in place.

(Figure: "How do we start complying with the law?" "Simple! Have a Privacy Management Program in place!" The Five Pillars of the NPC are shown as steps: Appoint a Data Protection Officer; Conduct a Privacy Impact Assessment; Create a Privacy Management Program; Implement Privacy and Data Protection Measures; Regularly Exercise the Data Breach Reporting Procedure.)

The first thing the NPC Compliance Team asks when they visit you for a compliance check is your Privacy Management Program or PMP. It is an initiative that your organization must have aside from your operating, strategic, business, marketing and sales plans. The PMP demonstrates your commitment to build trust with both internal and external customers (internal being your employees and external being your clients) through open and transparent information policies and practices.

A PMP will lead organizations, both in the public and private sectors, towards a culture protective of the data privacy rights of individuals as part of their corporate governance responsibilities.

In your journey towards being a privacy-resilient organization which will ensure the protection of the rights of data subjects, the third pillar or milestone is: Be Accountable – Create your Privacy Management Program.

The Data Privacy Accountability and Compliance Framework

This framework is aligned with the NPC's 5 Pillars of Data Privacy Accountability and Compliance.

(Figure: The NPC Data Privacy Accountability and Compliance Framework, items a to z grouped by area)
GOVERNANCE: a. Choose a DPO
RISK ASSESSMENT: b. Register; c. Records of processing activities; d. Conduct PIA
ORGANIZATION: e. Privacy Management Program; f. Privacy Manual
DAY TO DAY: g. Privacy notice; h-o. Data Subject Rights; p. Data Life Cycle
DATA SECURITY: q. Organizational; r. Physical; s. Technical (data center, encryption, access control policy)
BREACHES: t. Data Breach Management (security policy, data breach response team, incident response procedure, documentation, breach notification)
THIRD PARTIES: u. Third Parties (legal basis for disclosure, data sharing agreements, cross-border transfers)
MANAGE HR: v. Trainings and Certifications; w. Security Clearance
CONTINUITY: x. Continuing Assessment and Development (regular PIA, review of contracts, internal assessment, review of the PMP)
PRIVACY ECOSYSTEM: y. New Technologies and Standards; z. New Legal Requirements

What is a PMP? How will the PMP help your organization comply with the DPA?

Privacy Management Program

A Privacy Management Program is a holistic approach to privacy and data protection, important for all agencies, companies or other organizations involved in the processing of personal data. It is a process intended to embed privacy and data protection in the strategic framework and daily operations of a personal information controller or personal information processor.

The Privacy Management Program is maintained through organizational commitment and oversight of coordinated projects and activities implemented throughout the agency, company or organization, that allows efficient use of available resources, implements control measures to assure privacy and data protection, and puts in place a system for review to allow for improvements responsive to data privacy best practices and technological developments.
Minimizes the Risks of Privacy Breaches

It minimizes the risks of privacy breaches, maximizes the ability to address underlying problems, and reduces the damage arising from breaches.

The objective of a PMP is to pave the way for changes within the organization that will: address the threats, vulnerabilities, risks and gaps identified during the privacy impact assessment (PIA); strengthen data processing systems to minimize the costs of personal data breaches; allow meaningful use of information for the benefit of both the organization and the data subjects; and manage the challenges of the digital age to safeguard the right to information privacy. (NPC Advisory 17-03: a Privacy Impact Assessment is a process undertaken and used to evaluate and manage impacts on privacy of a particular program, project, process, measure, system or technology product.)

Demonstrates Commitment

Demonstrates commitment to building trust with employees and clients through open and transparent information policies and practices.
- A PMP is an acknowledgment by the PIC or PIP of their accountability for complying with the requirements of the Act and their responsibility for personal data under their control or custody. The Act mandates that PICs and PIPs ensure implementation of data privacy principles, security measures, and procedures for data subjects to exercise their rights. (Data Privacy Act, Sec. 14: "The personal information processor shall comply with all the requirements of this Act and other applicable laws.")

Importance of a PMP
- It puts everyone on the same page.
• A PMP provides an easier way to explain to management and staff: why the organization is doing this; what results are expected; what the benefits of those results are; and what the organization needs to do to get there.
• This will ensure that everyone is on board.
- Compliance with the Act becomes more manageable.
• A PMP reduces the likelihood that organizations will violate the law, its IRR, NPC Circulars and Advisories and all other Commission issuances, as it outlines the WHATs and HOWs of data privacy.
- It gives PICs and PIPs a competitive advantage.
• Implementing a PMP shows your organization's commitment to protect the personal information of your customers and clientele. This will, in turn, lead to increased trust and higher patronage.
- It saves PICs and PIPs from avoidable expenses.
• A strong and robust PMP can lead to prevention of "clean-up costs" brought about by personal data breaches. Further, it helps safeguard the reputation of organizations and individuals as well.

Privacy Management Program Guide

This guide is intended to help organizations develop their Privacy Management Program. Its development within the organization should always involve careful planning and consideration across law and regulation, disciplines and job functions. In this guide, the components of the privacy management program are divided into three (3) stages. Each stage has specific tasks for the organization to follow in fully completing their privacy management program. This also outlines the Commission's privacy advocacies as good approaches for developing an encompassing privacy management program. The Commission expects that through this guide, organizations will be able to further strengthen their good practices, demonstrate due diligence, and potentially elevate their privacy awareness as well as their personal data protection.

Key Components

To establish a strong and effective Privacy Management Program, it must have firm governance, steady program controls and continuous evaluation. Cultivating a strong and resilient privacy culture within the organization requires these components.

Governance

This first building block is the development of an internal governance structure that fosters a culture of privacy.

Organizations are expected to develop and implement program controls that give effect to the privacy principles contained in the DPA. Compliance with the law, however, requires organizations to have a governance structure in place, with processes to follow and the means to ensure that they are being followed. Fundamentally, in order to be compliant and effective, a privacy-resilient culture needs to be cultivated.
- Top management support is pivotal to successfully writing a PMP and essential for the emergence of a culture of privacy in the PIC or PIP.
- When top management is committed to ensuring that the organization is compliant with the DPA, the program will have a better chance of success, and a culture of privacy will more likely be established.
- Top management needs to actively champion the PMP. It must:
1. Designate a Data Protection Officer (DPO) or a Compliance Officer for Privacy (COP), as the case may be;
2. Endorse a set of Program Controls; and
3. Report to the Board, as appropriate, on the program.

Top management should also provide support for the resources the PMP needs to succeed.
Data Protection Officer (DPO)
• Organizations must appoint someone who is responsible for the PMP.
• The DPO shall be responsible for ensuring compliance with the law (RA 10173), its Implementing Rules and Regulations (IRR), Circulars and Advisories and all other Commission issuances relating to data privacy and protection.
• The DPO must be independent and have a significant degree of autonomy in performing his/her duties.
• The DPO may perform other duties or assume other functions as long as these will not create a conflict of interest.
• For larger organizations, staff assigned to work on privacy issues will be needed.

Reporting Mechanisms

(Figure: reporting line from the DPO to Top Management to the Board of Directors.)

The DPO is assured of means to report to senior management, the head of agency or the board. The DPO shall report on monitoring activities, Privacy Impact Assessment reports, and the advice and recommendations made to the PIC or PIP.

There is a reporting system for DPA compliance activities, PIAs, audits and security assessments, breach management, complaints, the exercise of data subject rights, review processes and means to measure the effectiveness of the Privacy Management Program. This should include reporting to senior management and to internal and external stakeholders.

An effective reporting program:
• Clearly defines its reporting structure (in terms of reporting on its overall compliance activities) as well as employee reporting structures in the event of a complaint or a potential breach
• Tests and reports on the results of its internal reporting structures
• Documents all of its reporting structures

Program Controls
- Program controls form the second building block. They help ensure that what is mandated in the governance structure is implemented in the organization. This section identifies the program controls in a privacy management program. Developing these controls will assist the Privacy Officer in structuring an appropriate privacy management program within the organization, and the controls will be used to demonstrate how the program is compliant with privacy legislation.
- Program controls provide the framework for achieving the goals of the program. They refer to the aspects of the program that can be evaluated to assess progress and effectiveness of implementation.

Records of Processing Activities

PICs and PIPs should maintain records of processing activities. A PIC or PIP should know:
• What kinds of data it holds
• The purpose, uses and bases of processing
• The scope and method of processing
- Knowing, understanding and documenting all these things is important as it will:
• affect the type of CONSENT the PIC or PIP needs to obtain from its Data Subjects
• determine the manner in which personal data are to be protected
• make it easier to assist individuals in exercising their data access and correction rights

Risk Assessment
- PICs and PIPs should develop a process for identifying and mitigating leakage and security risks, which could include the use of privacy impact assessments (PIAs).

Privacy risks evolve over time. Conducting risk assessments, at least on an annual basis, is an important part of any privacy management program to ensure that organizations are in compliance with applicable legislation. Such assessments should be required throughout the organization for all new projects involving personal information and on any new collection, use or disclosure of personal information.

Organizations should develop a process for identifying and mitigating privacy and security risks, including the use of privacy impact assessments and security threat risk assessments. Organizations should develop procedures for conducting such assessments and develop a review and approval process that involves the DPO when designing new initiatives, services or programs. For larger organizations, the DPO should be aware of the review process, and where there are high-risk initiatives, services or programs, the Privacy Office should be directly involved.

Registration
- The PMP should ensure compliance with the registration requirements under the DPA. These include:
- Registration of personal data processing systems operating in the country when the PIC or PIP employs at least 250 employees, when the processing involves the sensitive personal information of at least one thousand (1,000) individuals, when the processing is not occasional, or when the processing poses a risk to the rights and freedoms of data subjects.
Policies and Procedures

There should be policies and procedures for every stage of the data life cycle to ensure compliance with the law and accountability in personal data processing.
- PICs and PIPs should develop and document internal policies that address obligations under the law, which should be made available to all employees and periodically updated.

PICs and PIPs should develop internal policies that give effect to the data protection principles in the law. The internal policies should be documented and should show how they connect to the legal requirements.

The key policies that organizations must have in place are the following: i. Collection, use and disclosure of personal information, including requirements for consent and notification; ii. Access to and correction of personal information; iii. Retention and disposal of personal information; iv. Responsible use of information and information technology, including administrative, physical and technological security controls and appropriate access controls; v. Challenging compliance.

Organizations should also incorporate privacy compliance requirements in other policies of the organization as appropriate, for example in contract management policies, procurement policies, human resources policies and policies dealing with the disclosure of personal information to regulatory bodies, law enforcement agencies and internal security departments.

Data Security

(Figure: Organizational, Physical, Technical)
- The PIC or PIP should have in place organizational, physical and technical security measures for the purpose of maintaining the confidentiality, integrity and availability of personal data. These measures should include:
1. Safeguards to protect its computer network against accidental, unlawful or unauthorized usage or interference with or hindering of their functioning or availability;
2. A security policy with respect to the processing of personal information;
3. A process for identifying and assessing reasonably foreseeable vulnerabilities in its computer networks, and for taking preventive, corrective and mitigating action against security incidents that can lead to a security breach; and
4. Regular monitoring for security breaches and a process for taking preventive, corrective and mitigating action against security incidents that can lead to a security breach.

Capacity Building
- A sound PMP requires all members of an organization to be aware of, and be ready to act on, privacy obligations.

Additional training specifically tailored to their roles should be given to those who handle personal data. The training and education should be current and relevant.

For privacy training and education to be effective, it must: be mandatory for all new employees before they access personal information and periodically thereafter; cover the policies and procedures established by the organization; be delivered in the most appropriate and effective manner, based on organizational needs; and circulate essential information to relevant employees as soon as practical if an urgent need arises.

Breach Management

PICs and PIPs should have policies, procedures and safeguards in place to manage security incidents, including personal data breaches.
- Breaches are expensive on many fronts and taxing on consumer trust.
- Responsibilities for internal and external reporting of the breach should be clear.

In handling a personal data breach, PICs and PIPs should consider the circumstances of the breach and decide whether any of the persons identified in NPC Circular No. 16-03 should be notified.

Notification

PICs and PIPs should comply with notification requirements, which cover:
• Notification of automated processing operations where the processing becomes the sole basis of making decisions that would significantly affect the data subject; and
• Breach notification and the annual report of security incidents and personal data breaches.
Notification shall be required upon knowledge of, or when there is reasonable belief by the personal information controller or personal information processor that, a personal data breach requiring notification has occurred, under the following conditions:
A. The personal data involves sensitive personal information or any other information that may be used to enable identity fraud. For this purpose, "other information" shall include, but not be limited to: data about the financial or economic situation of the data subject; usernames, passwords and other login data; biometric data; copies of identification documents, licenses or unique identifiers like PhilHealth, SSS, GSIS or TIN numbers; or other similar information which may be made the basis of decisions concerning the data subject, including the grant of rights or benefits.
B. There is reason to believe that the information may have been acquired by an unauthorized person; and
C. The personal information controller or the Commission believes that the unauthorized acquisition is likely to give rise to a real risk of serious harm to any affected data subject.

Third-Party Management

The PIC should use contractual or other reasonable means to provide a comparable level of protection when personal data is being processed by a third party. The PIP, where appropriate, shall also ensure proper safeguards are in place when it transfers personal data to a third party.
- The types of obligations to be imposed on a PIP should include the following:
• SECURITY MEASURES to be taken
• Timely RETURN, DESTRUCTION or DELETION of the personal data no longer required
• Prohibition against other USE and DISCLOSURE
• Prohibition (absolute or qualified) against SUB-CONTRACTING to another service provider
• REPORTING of irregularities
• MEASURES to ensure contract staff's compliance with the agreed obligations
• The PIC's right to AUDIT and INSPECT
• CONSEQUENCES for violation of the contract

For additional guidelines you may refer to "Rule X. Outsourcing and Sub-Contracting Agreements" of the Implementing Rules and Regulations (IRR).

Communication

There should be effective means to communicate with internal and external stakeholders: include information on who to contact with questions or concerns, and provide enough information so that the public knows the purpose of the collection, use and disclosure of personal data and how long it is retained.
- Organizations also have to develop a procedure for informing individuals of their privacy rights and the organization's program controls. Communication should be clear and easily understandable and not simply a reiteration of the Data Privacy Act. It should: provide enough information so that the public knows the purpose of the collection, use and disclosure of personal information as well as how it is safeguarded and how long it is retained; notify individuals if their personal information is being transferred outside of the Philippines; include information on who to contact with questions or concerns; and be made easily available to individuals.

Individuals should be made aware of their ability to access their personal information held by the organization, and how to request correction or to complain about the organization's privacy compliance, including the right to challenge the organization's actions by submitting a complaint to the NPC.

Continuity and Understanding of the Privacy Ecosystem
- This component outlines the critical tasks involved in the maintenance of a privacy management program to ensure ongoing effectiveness, compliance and accountability. In order to properly protect privacy and meet legal obligations, organizations must monitor, assess and revise their framework to ensure it remains relevant and effective. In order to accomplish this work, sufficient resources and training must be allocated to the DPO.

Oversight and Review Plan
- This will help PICs and PIPs keep their PMP on track and up to date.

The DPO should develop an oversight and review plan on an annual basis that sets out how and when s/he will monitor and assess the effectiveness of the organization's privacy management program, as outlined in organizational commitments. The plan should establish performance measures and include a schedule of when all policies and other program controls will be reviewed.

Assess and Revise Program Controls
- Updates and Revision
- The effectiveness of program controls should be monitored regularly, audited periodically and, where necessary, revised accordingly.

(Figure: The effectiveness of program controls should be monitored, periodically audited, and where necessary, revised. Are the program controls addressing new threats and reflecting the latest complaint or audit findings? Do new services being offered involve increased collection, use or disclosure of personal data? Is training necessary? If yes, is it taking place? Is it effective? Are policies and procedures being followed? Is the training up to date?)
- Monitoring is an ongoing process and should address at a minimum the following questions: What are the latest threats and risks? Are the program controls addressing new threats and reflecting the latest complaint or audit findings, or the guidance of the privacy commissioners? Are new services being offered that involve increased collection, use or disclosure of personal information? Is training occurring, is it effective, are policies and procedures being followed, and is the program up to date?
PRIVACY MANAGEMENT PROGRAM (structure)

Privacy Strategy
• Background and organizational commitment
• Mission, vision and objectives of the program

Privacy Network
• Functions of the Data Protection Office and reporting lines
• Responsibilities of other offices to support the Privacy Management Program

Privacy Manual
• General privacy policies, may refer to procedures and guidelines implementing the policy
• General description of security measures, may refer to supporting documents

Records of Processing Activities
• Records of processing activities may be included, including data inventory and data flow

Review and Assessment Plan
• Reporting requirements and documentation
• Policy for regular review of the program
• Projects and activities intended for review and improvement of the program, such as conduct of PIA, internal audits, and renewal of certifications

Compliance Roadmap
• Projects and activities to be implemented
• May include responsible and accountable persons, resource requirements and work plan

(Figure: Program Controls: Governance; Risk Assessment (records of processing activities, registration, privacy impact assessment); Organization (PMP and Privacy Manual, policies and procedures); Day to day (rights of data subjects); Data Security (organizational, physical, technical); Identify and Assess Privacy Risks; Notification; Third Parties; Manage HR (capacity building); Continuity and Privacy Ecosystem.)

WHAT DOES A PMP LOOK LIKE?
• The PMP may be documented through a Program Report and a Compliance Road Map. The PMP may also be contained in a Privacy Manual.
• The PMP should include a statement of the privacy strategy of the agency or company, including its mission and vision statement.
• The Privacy Manual may contain the general privacy policy and the procedures and security measures.
• The Compliance Road Map can include the plan for implementation of projects and activities intended for data protection, and the system for program review and evaluation.

PRIVACY MANAGEMENT PROGRAM (outline)
I. Background
II. Mission, Vision, Objectives
III. Organizational Chart
IV. Data Protection Office
V. Privacy Policy and Security Measures
VI. Oversight and Review Plan
VII. Compliance Roadmap

SUPPORTING DOCUMENTS OF A PMP
• Designation of Data Protection Officer
• Document creating the Data Protection Office
• Records of Processing Activities
• Privacy Impact Assessment Reports
• Inventory of data privacy and data security measures
• Copies of Privacy Notices, Consent Forms, Data Subject request forms
• Records of data subject and stakeholder engagements
• Records of advisories and recommendations given
• Copy of designation of the breach response team
• Templates for Reporting Requirements
• Security Incident Management Policy
• HR Report on Capacity Building of Employees
• Records of Security Clearance
• Copies of Contracts and Service Agreements
• Copies of Data Sharing Agreements
• Certificates of Attendance to conferences and copies of certifications
• Activity and Progress reports
• Privacy Compliance Progress Report
• Other documentation
SECURITY MEASURES AND HANDLING THIRD PARTY RISKS

SECURITY MEASURES
Personal information controllers (PICs) and personal information processors (PIPs) shall
implement reasonable and appropriate organizational, physical, and technical security
measures for the protection of personal data. (IRR, R.A. 10173, Sec. 25)
Shall aim to maintain:
• Availability,
• Integrity, and
• Confidentiality of personal data

Intended to protect personal data against any of the following:

O N
I
• Accidental or Unlawful Destruction, Alteration and Disclosure;
• Unlawful Processing;

S
• Natural Dangers (e.g. flood, earthquake and other natural calamities); and
• Human Dangers (e.g. unlawful access, fraudulent misuse, unlawful destruction,

IS
alteration and contamination.)

EXAMPLES OF SECURITY MEASURES (as per NPC Circular 16-01)


M
Module 6:
SECURITY MEASURES and HANDLING
Organizational:


C O M
Appointment of DPO
Creation of privacy policies

Y
• Records of processing activities
• Issuance of security clearances

THIRD PARTY RISKS


A C
Compliance Officers

V
- Any natural or juridical person or other body involved in the processing of personal

I
data shall designate an individual or individuals who shall function as data protection

R
officer, compliance officer or otherwise be accountable for ensuring compliance with
applicable laws and regulations for the protection of data privacy and security.

P L
Data Protection Policies

A
- Any natural or juridical person or other body involved in the processing of personal
data shall implement appropriate data protection policies that provide for organization,

N
physical, and technical security measures, and, for such purpose, take into account
the nature, scope, context and purposes of the processing, as well as the risks posed
to the rights and freedoms of data subjects.

T IO a. The policies shall implement data protection principles both at the time of the
determination of the means for processing and at the time of the processing

A
itself.

N
b. The policies shall implement appropriate security measures that, by default,
ensure only personal data which is necessary for the specified purpose of
the processing are processed. They shall determine the amount of personal
data collected, including the extent of processing involved, the period of
their storage, and their accessibility.
c. The polices shall provide for documentation, regular review, evaluation, and
updating of the privacy and security policies and practices.

51
SECURITY MEASURES AND HANDLING THIRD PARTY RISKS

Records of Processing Activities
- Any natural or juridical person or other body involved in the processing of personal
data shall maintain records that sufficiently describe its data processing system and
identify the duties and responsibilities of those individuals who will have access to
personal data. Records should include:
a. Information about the purpose of the processing of personal data, including
any intended future processing or data sharing;
b. A description of all categories of data subjects, personal data, and recipients
of such personal data that will be involved in the processing;
c. General information about the data flow within the organization, from the
time of collection, processing, and retention, including the time limits for
disposal or erasure of personal data;
d. A general description of the organizational, physical, and technical security
measures in place;
e. The name and contact details of the personal information controller and,
where applicable, the joint controller, its representative, and the
compliance officer or Data Protection Officer, or any other individual or
individuals accountable for ensuring compliance with the applicable laws and
regulations for the protection of data privacy and security.

Management of Human Resources
- Any natural or juridical person or other entity involved in the processing of personal
data shall be responsible for selecting and supervising its employees, agents, or
representatives, particularly those who will have access to personal data.
- The said employees, agents, or representatives shall operate and hold personal data
under strict confidentiality if the personal data are not intended for public disclosure.
This obligation shall continue even after leaving the public service, transferring to
another position, or upon terminating their employment or contractual relations.
There shall be capacity building, orientation or training programs for such employees,
agents or representatives, regarding privacy or security policies.

Processing of Personal Data
- Any natural or juridical person or other body involved in the processing of personal
data shall develop, implement and review:
a. A procedure for the collection of personal data, including procedures for
obtaining consent, when applicable;
b. Procedures that limit the processing of data, to ensure that it is only to the
extent necessary for the declared, specified, and legitimate purpose;
c. Policies for access management, system monitoring, and protocols to follow
during security incidents or technical problems;
d. Policies and procedures for data subjects to exercise their rights under the
Act;
e. Data retention schedule, including timeline or conditions for erasure or
disposal of records.

CONTRACTS WITH PERSONAL INFORMATION PROCESSORS
- The personal information controller, through appropriate contractual agreements,
shall ensure that its personal information processors, where applicable, shall also
implement the security measures required by the Act and these Rules. It shall only
engage those personal information processors that provide sufficient guarantees to
implement appropriate security measures specified in the Act and these Rules and
ensure the protection of the rights of the data subject.

PHYSICAL:
• Installation of CCTV cameras
• Workspace Design
• Monitoring of entrances and exits of office premises
• Use of Authorized Devices
• Use of Logs for Paper-Based Filing Systems
• Transmittal of Paper Documents
• Archival of Personal Data

TECHNICAL:
• Encryption of Emails
• Use of Authorized Software Programs/Licenses
• Authentication of Online Access
• Privacy Enhancing Technologies (e.g. remote disconnection/deletion)

SECURITY MEASURES
Organizational: Governance, Risk Assessment, Privacy Management Program, Policies,
Procedures, Guidelines
Physical: ICT Infrastructure, Perimeter, Network, Workstations, Storage Areas, Office
Design, Infrastructure, Equipment, Media and Storage Devices
Technical: Computer Systems, Privacy Enhancing Technologies, Hardware, Software,
Vulnerability Assessments

MANAGING THIRD PARTY RISKS

DATA SHARING (Sec. 20, IRR, R.A. 10173)
• is the disclosure or transfer to a third party of personal data under the control or
custody of a personal information controller: Provided, that a personal information
processor may be allowed to make such disclosure or transfer if it is upon the
instructions of the personal information controller concerned.
• May be a CONTRACT, JOINT ISSUANCE or any similar document that contains the
terms and conditions of a data sharing arrangement between two or more parties

GENERAL PRINCIPLES FOR DATA SHARING:
• Data sharing shall be allowed when it is expressly authorized by law: Provided,
that there are adequate safeguards for data privacy and security, and processing
adheres to the principles of transparency, legitimate purpose and proportionality.
• Data sharing shall be allowed in the private sector if the data subject consents to
data sharing and under the following conditions:
- when data is to be shared with an affiliate or mother company, or similar
relationships;
- data sharing for commercial purposes, including direct marketing.
• Data sharing between government agencies for a public function or provision of a
public service shall be covered by a data sharing agreement
• NPC Circular 16-02 is the governing issuance on data sharing between government
agencies; organizations belonging to the private sector may use this issuance as
guidance in the execution and implementation of their respective data sharing
agreements

WHEN CONSENT OF DATA SUBJECT IS REQUIRED
• The data subject shall be provided with the following information prior to collection
or before data is shared:
a. Identity of PICs/PIPs that will be given access to the personal data;
b. Purpose of data sharing;
c. Categories of personal data concerned;
d. Intended recipients or categories of recipients of the personal data;
e. Data subjects’ rights;
f. Other information that would sufficiently notify the data subject of the nature
and extent of data sharing and the manner of processing.

CONTENTS OF A DATA SHARING AGREEMENT (DSA)
• Purpose/s of data sharing
• Identity of Personal Information Controllers (PICs) and Personal Information
Processors (PIPs), if any, including contact details of the Data Protection Officer (DPO)
• Personal data subject of the DSA
• How personal data may be used by PICs, including type of access
• Term or duration of the DSA, which may be renewed as long as the purpose/s of the
agreement continue/s to exist [the term and its extensions shall not exceed five (5)
years]
• Overview of the operational details of the sharing or transfer of personal data
• General description of security measures
• How a data subject may access the DSA and exercise other rights when applicable
• Specify the PIC responsible for addressing information requests
• Identify the method to secure RETURN, DESTRUCTION or DISPOSAL of the shared
data, and the timeline
• Other terms and conditions PICs may agree on

WHEN IS A DSA CONSIDERED TERMINATED?
• Upon expiration of its term, or any valid extension thereof;
• Upon agreement by all parties;
• Upon a breach of its provisions by any of the parties; or
• Where there is disagreement, upon a finding by the NPC that the DSA’s continued
operation:
- is no longer necessary; or
- is contrary to public interest or public policy.

OUTSOURCING/SUBCONTRACTING
A PIC may outsource/subcontract the processing of personal data, provided:
• the PIC shall use contractual or other reasonable means to ensure proper safeguards
are in place,
• to ensure the confidentiality, integrity and availability of the personal data
processed,
• prevent its use for unauthorized purposes, and generally, comply with the
requirements of the DPA and other related issuances

OUTSOURCING AGREEMENT (IRR, Sec. 43)
The agreement shall set out the following:
• Subject-matter
• Duration of the processing,
• Nature and purpose of the processing,
• Type of personal data
• Categories of data subjects,
• Obligations and rights of the personal information controller, and
• Geographic location of the processing under the subcontracting agreement

REQUIRED STIPULATIONS: (IRR, Sec. 44)
- Process the personal data only upon the documented instructions of the PIC, including
transfers of personal data to another country or an international organization, unless
such transfer is authorized by law;
- Ensure the obligation of confidentiality is imposed on persons authorized to process the
personal data;
- Implement appropriate security measures;
- Not engage another PIP without prior instruction from the PIC;
- Fulfill the obligation to respond to requests by data subjects relative to the exercise
of their rights;
- Assist the PIC in ensuring compliance with the DPA and other relevant laws;
- At the choice of the PIC, delete or return all personal data after the end of the provision
of services relating to the processing;
- Make available to the PIC all information necessary to demonstrate compliance with
the obligations laid down in the DPA and allow for and contribute to audits (e.g.
compliance checks);
- Immediately inform the PIC if an instruction infringes the DPA and other related issuances.

DISPOSAL OF PERSONAL DATA
An organization may engage a third-party service provider to carry out disposal of
personal data under its control/custody.
Archival may also be outsourced to a third-party service provider. The service provider
shall contractually agree to the organization’s data protection procedures and
ensure that the confidentiality of all personal data is protected.
Module 7: BREACH MANAGEMENT

DEFINITION OF KEY TERMS

- A SECURITY INCIDENT is:
a. An event or occurrence that affects or tends to affect data protection; or
b. An incident that compromises the availability, integrity, or confidentiality of
personal data.
- A DATA BREACH is a security incident that:
a. Leads to accidental or unlawful destruction, loss, alteration, unauthorized
disclosure or access of, or unauthorized processing of, personal data; or
b. Compromises the availability, integrity, or confidentiality of personal data.

[Diagram: nested sets. Security Incident (Information Security Incident) contains
Personal Data Breach, which contains Personal Data Breach subject of mandatory
notification requirements.]

PERSONAL DATA BREACH MANAGEMENT GUIDELINES
Sec. 20, R.A. 10173; Rule IV, Secs. 8-9, NPC Circular 16-03

CAUSES OF BREACH
Examples of Threats and Risks:
• Theft, Earthquake, Human Error
• Espionage, Eavesdropping, Image Capture
• Loss, Phishing, Man-in-the-middle
• Fire, Ransomware, Forgery
• Flood, DDOS, Redirection
• SW Malfunction, HW Malfunction, Malice
SECURITY INCIDENT MANAGEMENT POLICY

A security incident management policy is implemented by the Personal Information
Controller or Processor for the purpose of managing security incidents, including personal
data breaches.

REQUIREMENTS:
Every Personal Information Controller or Processor should have policies and procedures
for:
1. The creation of a data breach response team
2. Implementation of security measures and privacy policies
3. Implementation of an incident response procedure
4. Mitigation of possible harm and other negative consequences of a data breach
5. Compliance with the Data Privacy Act and other data protection laws and
regulations

PARTS OF SECURITY INCIDENT MANAGEMENT POLICY
This is the general policy providing for the:
a. Creation of a data breach response team
b. Incident response procedure
c. Documentation and reporting requirements
d. Regular review and improvement of policies

A. Creation of a data breach response team

DATA BREACH RESPONSE TEAM
- The data breach response team must have at least one member with the authority
to make immediate decisions on critical actions.
- The team shall be responsible for:
• Compliance with the security incident management policy
• Management of security incidents and personal data breaches
• Compliance with the data privacy law and other issuances
This may be outsourced by the PIC or PIP.

B. Responsibilities of the Incident Response Team

Implementation of a procedure for timely discovery of security incidents, and persons
responsible for monitoring and evaluation – checking unusual activity, review of
audit logs. There should be clear reporting lines which identify the persons who should
immediately be informed.
The procedure should provide for the responsibilities of the breach response team:
✓ Evaluation and investigation of the breach
✓ Damage mitigation
✓ Communications with law enforcement, third parties, data subjects
✓ Compliance with reporting requirements to the NPC
✓ Documentation

Incident Response Procedure
• Preliminary assessment: identify the persons responsible for assessing the incident
• Determine criteria for involving law enforcement
• Procedures to secure evidence, contain the incident, restore integrity
• Full investigation and evaluation of the incident
• Mitigation of harm
• Documentation and reporting requirements

IMPLEMENTATION OF SECURITY MEASURES AND PRIVACY POLICIES
- Policies in the Security Incident Management policy may include those in the general
data security policies of the PIC or PIP, particularly measures intended to prevent or
minimize the occurrence of personal data breaches
- Existing policies may be incorporated in the document by reference
• Regular conduct of PIA
• Data governance and information security policies
• Regular monitoring for security breaches and vulnerability scanning
• Testing and evaluation of the effectiveness of the security measures
• Capacity building of personnel

MANDATORY NOTIFICATION
(Sec. 20, R.A. 10173; Rule V, Sec. 11, NPC Circular 16-03)

Notification of a data breach is mandatory when all three of the following elements are
present:
1. The personal data involves:
a. Sensitive personal information, or
b. Any other information that may be used to enable identity fraud.
2. There is reason to believe that the information may have been acquired by an
unauthorized person; and
3. The unauthorized acquisition is likely to give rise to a real risk of serious harm to
any affected data subject.
NOTIFICATION REQUIREMENTS
Rule IX, Secs. 38-42, IRR, R.A. 10173; Rule V, Secs. 15-18, 23, NPC Circular 16-03

WHO should notify?
- The Personal Information Controller, through the data breach response team.
Note: The obligation to notify remains with the Personal Information Controller even if
the processing of information is outsourced or subcontracted to a Personal Information
Processor.

WHEN should we notify?
- The notification must be made within 72 hours upon knowledge of, or when there is
reasonable belief that, a personal data breach has occurred.

WHO SHOULD BE notified?
- Notification must be made to the Commission and to any affected data subjects.

HOW to notify?
COMMISSION - Notification to the Commission may be done through e-mail at
complaints@privacy.gov.ph or through delivering a hard copy to the NPC office.
- Upon receipt of the notification, the Commission shall send a confirmation message/
e-mail to the Personal Information Controller.
DATA SUBJECTS - Notification to affected data subjects may be done electronically or
in written form but must be done individually. The notification must not involve a further,
unnecessary disclosure of personal data. If individual notice takes disproportionate effort,
NPC authorization is required for alternative means.

NOTE: Notification may be made on the basis of available information within the 72-hour period
if the personal data breach is likely to give rise to a real risk to the rights and freedoms of data
subjects. It may be supplemented with additional information at a later stage on the basis of
further investigation.

CONTENTS of notice

I. Nature of the Breach
• Description or nature of the personal data breach
• Description of the likely consequences of the personal data breach
• Name and contact details of the data protection or compliance officer or any other
accountable persons

II. Personal Data Possibly Involved
• Description of sensitive personal information involved
• Description of other information involved that may be used to enable identity fraud

III. Remedial Measures to Address Breach
• Description of the measures taken or proposed to be taken to address the breach
• Actions being taken to secure or recover the personal data that were compromised
• Actions performed or proposed to mitigate possible harm or negative
consequences, and limit the damage or distress to those affected by the incident
• Action being taken to inform the data subjects affected by the incident, or reasons
for any delay in the notification
• The measures being taken to prevent a recurrence of the incident.

FULL REPORT
The full report of the personal data breach must be submitted within five (5) days, unless
the Personal Information Controller is granted additional time by the Commission to
comply.

CONCEALMENT OR FAILURE TO DISCLOSE
Sec. 30, R.A. 10173; Sec. 57, IRR, R.A. 10173; Sec. 20, NPC Circular 16-03
- An intention to conceal is presumed if the Commission does not receive notification
from the personal information controller within five (5) days from knowledge of, or
upon a reasonable belief that, a security breach occurred.

Concealment is a crime!
Imprisonment from 1 year and 6 months to 5 years plus a fine from ₱500,000 to ₱1,000,000
Imposed on persons who:
• After having knowledge of a security breach and of the obligation to notify the
National Privacy Commission, either intentionally or by omission conceal the fact of
such breach

ANNUAL SECURITY INCIDENT REPORT
Sec. 22, NPC Circular 16-03; NPC Advisory 18-02

The report must contain general information:
• The number of security incidents and data breaches encountered
• The classification of data breaches according to their impact on the availability,
integrity, or confidentiality of personal data
In the event of a security incident amounting to a personal data breach, the report must
include:
• The facts surrounding the incident
• The effects of the incident
• Remedial action taken by the PIC
All security incidents and personal data breaches shall be documented.
For security incidents not involving a personal data breach, aggregated data suffices.

HOW TO FILE ANNUAL REPORT
Advisory 18-02
SEC. 4. Online Filing – Those wishing to submit through the internet may fill out the
form at the NPC website; submission through this electronic form shall be considered
as sufficient compliance with the required Annual Security Incident Report. An annual
report is not necessary for those who do not experience any security incident within a
calendar year.
In Conclusion

• Notifications are mandatory only for a specific form of confidentiality breach.
• There are two kinds of notifications:
- Notification to the data subject
- Notification to the NPC
• These notifications must be made within 72 hours of knowledge or
reasonable belief that a personal data breach requiring mandatory notification
has occurred.
• Failure to comply with the notification requirement can lead to criminal penalties.
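As an added example (not part of the module or of any NPC issuance), the notification rules above expressed as a small triage helper: it checks the three elements for mandatory notification, computes the 72-hour notification and five-day full-report deadlines from the time of knowledge, flags the concealment presumption, and aggregates records for the annual report. The field names, the sample records and the representation of a breach as a set of compromised CIA properties are this example's own assumptions.

```python
"""Breach-notification triage helper for the rules above. Added example: field names,
sample data and the CIA-impact representation of a breach are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

NOTIFY_WINDOW = timedelta(hours=72)     # notify the NPC and affected data subjects
FULL_REPORT_WINDOW = timedelta(days=5)  # full report; also the concealment presumption

@dataclass
class BreachRecord:
    """Facts the breach response team records for one security incident."""
    known_at: datetime               # knowledge of, or reasonable belief in, the breach
    sensitive_info: bool             # element 1a: sensitive personal information
    identity_fraud_enabling: bool    # element 1b: other info enabling identity fraud
    unauthorized_acquisition: bool   # element 2: reason to believe it was acquired
    real_risk_of_serious_harm: bool  # element 3: real risk of serious harm
    impact: set = field(default_factory=set)  # subset of {"C", "I", "A"} compromised
    notified_npc_at: "datetime | None" = None

    def is_personal_data_breach(self) -> bool:
        # Simplification: a breach is an incident compromising C, I or A of personal data
        return bool(self.impact)

def notification_mandatory(r: BreachRecord) -> bool:
    """All three elements must be present (Rule V, Sec. 11, NPC Circular 16-03)."""
    element1 = r.sensitive_info or r.identity_fraud_enabling
    return element1 and r.unauthorized_acquisition and r.real_risk_of_serious_harm

def deadlines(r: BreachRecord) -> dict:
    # 72 hours to notify, five days for the full report, both counted from known_at
    return {"notify_by": r.known_at + NOTIFY_WINDOW,
            "full_report_by": r.known_at + FULL_REPORT_WINDOW}

def concealment_presumed(r: BreachRecord, now: datetime) -> bool:
    """Intent to conceal is presumed when the NPC gets no notification within five
    days of knowledge; only meaningful where notification is mandatory."""
    if not notification_mandatory(r):
        return False
    limit = r.known_at + FULL_REPORT_WINDOW
    return limit < (r.notified_npc_at if r.notified_npc_at is not None else now)

def annual_summary(records: list) -> dict:
    """Annual report counts: incidents, breaches, and breaches classified by impact."""
    out = {"incidents": len(records), "breaches": 0, "by_impact": {"C": 0, "I": 0, "A": 0}}
    for r in records:
        if r.is_personal_data_breach():
            out["breaches"] += 1
            for k in r.impact:
                out["by_impact"][k] += 1
    return out

def sample_records() -> dict:
    """Constructed sample records for illustration, not real incidents."""
    known = datetime(2024, 3, 1, 9, 0)
    return {
        "mandatory": BreachRecord(known, True, False, True, True, {"C"}),  # lost device, health data
        "outage": BreachRecord(known, False, False, False, False, {"A"}),  # availability only
        "incident": BreachRecord(known, False, False, False, False),       # no data compromised
        "late": BreachRecord(known, True, False, True, True, {"C"},
                             notified_npc_at=known + timedelta(days=6)),  # NPC told on day 6
    }
```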
