Ramon L. Rodriguez
Data Privacy Office
Privacy Notice
• The orientation will be recorded for documentation and record keeping purposes.
• Your name, photo, video, voice, and chat responses may be included in the recording when you interact with
the participants of the meeting.
• The recording will not be shared and will be kept for a period of 1 year from the date of the event.
• Public posting of any portion of the meeting should not be performed by the participants of the meeting.
• You may contact dpo@national-u.edu.ph for any concerns and support for your data privacy rights.
09/20/2023 2
Agenda
• Overview on data privacy
• Classification of personal data
• Key roles
Objectives
Data privacy overview
Do not COLLECT if you cannot PROTECT
Consciousness of Data Privacy
Who stores data about us?
What is the Data Privacy Act of 2012?
SECTION 1. Short Title. – This Act shall be known as the “Data Privacy Act of 2012”.
Republic Act 10173, the Data Privacy Act of 2012: AN ACT PROTECTING INDIVIDUAL PERSONAL INFORMATION IN INFORMATION
AND COMMUNICATIONS SYSTEMS IN THE GOVERNMENT AND THE PRIVATE SECTOR, CREATING FOR THIS PURPOSE A NATIONAL
PRIVACY COMMISSION, AND FOR OTHER PURPOSES
The National Privacy Commission (NPC) is a body that is mandated to administer and implement this law. The functions of the NPC
include:
• rule-making,
• advisory,
• public education,
• compliance and monitoring,
• investigations and complaints,
• and enforcement.
KEY ROLES IN THE DATA PRIVACY ACT
Recently published circulars
• NPC Circular No. 2023-01 - Schedule of Fees and Charges of the National Privacy Commission
• NPC Circular No. 2022-04 - Registration of Personal Data Processing Profiling, Designation of Data Protection Officer, and the National Privacy Commission Seal of Registration
• NPC Circular No. 2022-03 - Guidelines for Private Security Agencies on the Proper Handling of Customer and Visitor Information
• NPC Circular No. 2022-02 - Amending Certain Provisions of NPC Circular No. 20-01 on the Guidelines on the Processing of Personal Data for Loan-Related Transactions
• NPC Circular No. 2022-01 - Guidelines on Administrative Fines (with FAQs on the Guidelines on Administrative Fines)
Recent Public Consultation
• Data Privacy Competency Program of the National Privacy Commission (NPC)
• Guidelines on Consent
• Guidelines on ID Cards issued by Private Sector
• Guidelines on CCTV
• Call for public input on Deceptive Design Patterns, Body-worn Cameras and Portable Storage Devices.
Data Privacy Council
• The NPC created a Data Privacy Council.
• Education Sector: HEIs (public and private), basic education and training centers
Examples of Breaches
• Student transferred by her parent without her knowledge
• Clinical record of a student disclosed to her parents
• List of top students/passers
• No Data Sharing Agreement (DSA) between and among schools and universities
• Security issues in buildings (logbook)
Examples of Breaches (cont.)
• Unjustifiable collection of personal data by a school
• No Privacy Notice
• Personal laptop stolen
• Files with PI lost in transit
• An error in viewing student records in the online system
• Use of recycled paper
Examples of Breaches (cont.)
• University and college websites with weak authentication
• Personal records stolen from the home of an employee
• Release of CCTV footage
• Hard drives sold online
• Password hacked/revealed
• Student records compromised
Examples of Breaches (cont.)
• Financial Aid Data Leak
• Unauthorized Access to Health Records
• Phishing Attack on Staff Emails
• Faculty Personal Information Leak
• Online Learning Platform Breach
• Library System Data Exposure
Examples of data breaches in the Philippines
• Commission on Elections (COMELEC) Data Breach (2016) - in 2016, a hacking group breached the Commission on Elections (COMELEC) website and leaked sensitive voter information, including the personal data of over 55 million registered voters. The breach exposed names, addresses, passport details and even biometric data, raising concerns about identity theft and privacy.
• National Privacy Commission (NPC) Data Breach (2017) - in a somewhat ironic incident, the National Privacy Commission (NPC) of the Philippines suffered a data breach in 2017. The breach exposed the personal email addresses and passwords of government employees who were subscribed to the NPC mailing list. This highlighted the importance of strong cybersecurity practices even within government organizations.
Examples of data breaches in the Philippines (cont.)
• Cebuana Lhuillier Data Breach (2019) - Cebuana Lhuillier, a well-known pawnshop and financial services provider, experienced a data breach in 2019. The breach exposed the personal information of around 900,000 customers, including names, addresses, birthdates and transaction histories, and raised concerns about the security of financial institutions' customer data.
• Philippine Long Distance Telephone Company (PLDT) Data Leak (2020) - in 2020, hackers claimed to have accessed customer data from the Philippine Long Distance Telephone Company (PLDT). The leak exposed customer names, addresses and even account numbers. While PLDT initially denied the claims, it later acknowledged that there had been unauthorized access to some of its customer data.
Examples of data breaches in the Philippines (cont.)
• Land Transportation Office (LTO) Data Breach (2020) - a cybersecurity researcher discovered a vulnerability in the Land Transportation Office (LTO) website in 2020 that exposed the personal information of vehicle owners, including their names, addresses and license plate numbers. The incident highlighted the need for government agencies to prioritize cybersecurity.
• TaskUs Data Exposure (2021) - sensitive data relating to TaskUs clients, which include major tech companies, was exposed through a misconfigured cloud storage bucket. The exposure included confidential client information, project details and proprietary data.
• According to Verizon's 2021 Data Breach Investigations Report, social engineering is the primary driver of data breaches; it is involved in nearly 40% of these incidents. Phishing, business email compromise and ransomware are the primary methods used in socially engineered data breaches.
Rights of the Data Subject
• Right to be informed - IRR, Section 34.a
• Right to object - IRR, Section 34.b
• Right to access - IRR, Section 34.c
• Right to data portability - IRR, Section 36
• Transmissibility of Rights - IRR, Section 35
CLASSIFICATION OF PERSONAL DATA
Personal Information:
Personal information refers to any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or which, when put together with other information, would directly and certainly identify an individual.
Sensitive Personal Information.
Five pillars of compliance
• Be Accountable - Create your Privacy Management Program and Privacy Manual.
• Demonstrate Your Compliance - Implement your privacy and data protection (PDP) measures.
• Be Prepared for Breach - Regularly exercise your Breach Reporting Procedures (BRP).
Other Requirements
• Annual Breach Drill Agreement
• Notification to NPC within 72 hours (in the event of a personal data breach)
• Annual Breach Report
• Security Clearance
• Privacy Notice
• Data Sharing Agreement (DSA), if applicable
• Sub-contracting Agreement / Outsourcing Agreement
Privacy notice
What information is being collected?
How is it collected?
The Data Privacy Principles
• Personal data shall be:
1. processed fairly and lawfully
2. processed only for specified, lawful and compatible purposes
3. adequate, relevant and not excessive
4. accurate and up to date
5. kept for no longer than necessary
6. processed in accordance with the rights of data subjects
7. kept secure
8. shared with other PICs only if there is a DSA.
Self-help checklist on data protection policy
Remember: you should be able to answer YES to all of the questions below. If you can, your business is in good shape from a data protection viewpoint. If you don't have a clean sheet, the checklist can help you identify the areas where you need to improve.
Rule 5: Adequate, relevant and not excessive
• Do we collect all the information we need to serve our purpose effectively, and to deal with individuals in a fair and comprehensive manner?
• Have we checked to make sure that all the information we collect is relevant, and not excessive, for our specified purpose?
• If an individual asked us to justify every piece of information we hold about him or her, could we do so?
Rule 6: Accurate and up-to-date
• Do we check our data for accuracy?
• Do we know how much of our personal data is time-sensitive, i.e. likely to become inaccurate over time unless it is updated?
• Do we take steps to ensure our databases are kept up-to-date?
• Does a policy exist in this regard?
Self-help checklist on data protection policy (cont.)
Co-ordination and Compliance
• Has a Data Protection Officer (DPO) / Compliance Officer for Privacy (COP) been appointed?
• Are all staff aware of his or her role?
• Are there mechanisms in place for formal review of DPO activities within our organization?
• Is the Privacy Impact Assessment (PIA) carefully planned and executed according to its purpose?
• Is there a Breach Management Program (BMP) in place?
Other Requirements
• Annual Breach Drill
• Notification to NPC within 72 hours (in the event of a personal data breach)
• Annual Breach Report
• Security Clearance
• Privacy Notice
• Data Sharing Agreement (DSA), if applicable
• Sub-contracting Agreement / Outsourcing Agreement
Technical
• Encryption - To what standard? (cost vs benefit)
• Backups - Secure: encrypted tapes | cloud provider
12 offline measures to keep your physical data secure
1. Lock rooms containing confidential information when not in use.
2. Make sure employees don't write their passwords down.
3. Use swipe cards or keypads to access the office.
4. Use CCTV cameras to monitor your office space.
5. Shield keyboards when inputting passwords.
6. Shred confidential waste.
7. Use forensic property marking equipment and spray systems to mark assets.
8. Use anti-climb paint on exterior walls and drains.
9. Install an alarm system.
10. Place bars on ground floor windows.
11. Hide valuable equipment from view when not in the office.
12. Assign a limited number of trustworthy employees as key safe holders.
Holding Data and Keeping it Up-to-Date
• Carry out an information audit at least annually.
• Write a letter at the start of each school year asking parents and students to check that
their details are correct. This also helps prevent emergency risks, e.g. if an old address or
phone number is on record.
• Check that ‘live’ files are accurate and up to date.
• Any time you become aware that information needs amending, do so immediately.
• Any personal data that is out of date or no longer needed should be ‘destroyed’. This may
involve shredding documents or deleting computer files securely so that they cannot be
retrieved.
• Schools must follow the disposal of records schedule. This schedule states how long certain
types of personal data can be held for until it must be destroyed. Some stipulations are
legal obligations while others are best practice.
You are violating the Data Privacy Act if you keep any data for longer than it is needed.
Ways to Love Yourself Online
Create STRONG passwords
• Strong passwords are at least 12 characters long and contain a combination of upper and lower case letters, numbers and, if possible, symbols.
• Choose a password that will really fight for you against hackers.
NEVER use the same password on multiple accounts
• Having different passwords on multiple accounts makes it harder for hackers to guess them.
• Don't be too loyal to a single password; it is as if you have surrendered everything at once.
Lock your device
• If you love it, you take care of it, right?
• Leaving a laptop or cellphone unlocked is like leaving an open purse, which hackers are more than happy to take advantage of.
Always LOG OUT of browsers
• Google Chrome has a unified login system, which logs you into the browser even if you only log in through your e-mail, so don't forget to log out. Or better yet, use Incognito mode.
• Learn to say a clean goodbye, especially when it isn't really yours... the laptop, that is.
Make sure there is an HTTPS in the browser address bar
• The S after HTTP stands for "Secure," which means the data being sent between your browser and the site you are on is encrypted.
• Morning and night, every minute that passes, this is what you should be looking for.
Do not log in to personal accounts on FREE or PUBLIC WIFI
• Open networks make it very easy for people to peek into your activity and accounts, and the people you share the network with may also be using compromised devices.
• Not everything that is free and available for use should be used.
Install an Anti-Virus … and UPDATE it
• New viruses are being created all the time, so simply installing an anti-virus program doesn't cut it. It is important to update the program to keep up with new and emerging threats.
• Just because you already have it doesn't mean you can leave it hanging.
DON'T CLICK on pop-ups or virus warnings
• These warnings are now called "scareware": fake security alerts telling you to click a link to download software to remove the virus on your computer. The links, however, contain viruses.
• Even if you are easily swayed, don't let yourself be fooled.
Install an AD BLOCKER to lessen browser pop-ups
• Extensions like AdBlock Plus, available on Google Chrome and Mozilla Firefox, prevent pop-ups from appearing and notify you if these seem malicious while you browse.
• Sometimes it is better to stay away before you get hurt.
Have you been PWNED?
• Check out https://haveibeenpwned.com/PwnedWebsites to see if you've availed of compromised services online. If, by any chance, you have, change your passwords immediately.
• You may already have been victimized without even knowing it.
Clean up your Facebook Third-Party Apps.
Set up your Facebook Privacy Settings
Avoid using work e-mail addresses for personal matters.
Store personal and financial documents securely
• Never access your personal and financial documents in internet cafes or on public computers. Additionally, when storing your extra-sensitive files, save them in one folder, compress it with a password, and delete the original folder for extra safe-keeping.
• Take care of the things that are truly yours; it is hard to have them taken from you.
“Compliance with the Data Privacy Act is not a one-shot initiative. It is a discipline and culture that must be embedded on a continuous basis within the organization.”
Question?
Summary
• Data privacy should be part of our culture
• Love yourself online by protecting your personal data.
Thank you!
References
• National Privacy Commission.
https://www.privacy.gov.ph/wp-content/uploads/IRR-of-the-DPA.pdf
• National Privacy Commission. https://www.privacy.gov.ph/data-privacy-act/