
Data privacy in our time

Ramon L. Rodriguez
Data Privacy Office
Privacy Notice
• The orientation will be recorded for documentation and record keeping purposes.
• Your name, photo, video, voice, and chat responses may be included in the recording when you interact with
the participants of the meeting.
• The recording will not be shared and will be kept for a period of 1 year from the date of the event.
• Public posting of any portion of the meeting should not be performed by the participants of the meeting.
• You may contact dpo@national-u.edu.ph for any concerns and support for your data privacy rights.

09/20/2023 2
Agenda
• Data Privacy Act of 2012
• Rights of Data Subject
• Data privacy principles
• Overview on data privacy
• Key roles
• Classification of personal data
Objectives
• Understand the Data Privacy Act of 2012
• National Privacy Commission issuances
• Practical tips on data privacy
• Data breaches

Data privacy overview

Do not COLLECT if you cannot PROTECT

Consciousness of Data Privacy

Who stores data about us?
What is the Data Privacy Act of 2012?
SECTION 1. Short Title. – This Act shall be known as the “Data Privacy Act of 2012”.

Republic Act 10173, the Data Privacy Act of 2012: AN ACT PROTECTING INDIVIDUAL PERSONAL INFORMATION IN INFORMATION
AND COMMUNICATIONS SYSTEMS IN THE GOVERNMENT AND THE PRIVATE SECTOR, CREATING FOR THIS PURPOSE A NATIONAL
PRIVACY COMMISSION, AND FOR OTHER PURPOSES

The National Privacy Commission (NPC) is a body that is mandated to administer and implement this law. The functions of the NPC
include:

• rule-making,
• advisory,
• public education,
• compliance and monitoring,
• investigations and complaints,
• and enforcement.

KEY ROLES IN THE DATA PRIVACY ACT

• Data Subjects: Refers to an individual whose personal, sensitive personal, or privileged information is processed.
• Personal Information Controller (PIC): Controls the processing of personal data, or instructs another to process personal data on its behalf.
• Personal Information Processor (PIP): Organization or individual whom a personal information controller may outsource or instruct the processing of personal data pertaining to a data subject.
• Data Protection Officer (DPO): Responsible for the overall management of compliance to the DPA.
• National Privacy Commission: Independent body mandated to administer and implement the DPA of 2012, and to monitor and ensure compliance of the country with international standards set for personal data protection.

Recently published circulars
• NPC Circular No. 2023-01: Schedule of Fees and Charges of the National Privacy Commission
• NPC Circular No. 2022-04 - REGISTRATION OF PERSONAL DATA PROCESSING PROFILING, DESIGNATION OF DATA PROTECTION OFFICER, AND THE NATIONAL PRIVACY COMMISSION SEAL OF REGISTRATION
• NPC Circular No. 2022-03 - Guidelines for Private Security Agencies on the Proper Handling of Customer and Visitor Information
• NPC Circular No. 2022-02 - Amending Certain Provisions of NPC Circular No. 20-01 on the Guidelines on the Processing of Personal Data for Loan-Related Transactions
• NPC Circular No. 2022-01 - GUIDELINES ON ADMINISTRATIVE FINES - FAQs on the Guidelines on Administrative Fines

Recent Public Consultation
• Data Privacy Competency Program of the National Privacy Commission (NPC)
• Guidelines on Consent
• Guidelines on ID Cards issued by Private Sector
• Guidelines on CCTV
• Call for public input on – Deceptive Design Patterns, Body-worn Cameras, Portable Storage Devices.

Data Privacy Council
• NPC created the Data Privacy Council
• Education Sector – HEIs (Public & Private), Basic Education & Training Centers

Examples of Breaches
• Student transferred by her parent without her knowledge
• Clinical record of a student disclosed to her parents
• List of top students/passers
• No Data Sharing Agreement (DSA) between and among schools and universities
• Security issues in buildings – logbook
• Unjustifiable collection of personal data by a school
• No Privacy Notice
• Personal laptop stolen
• Lost files with PI in transit
• Error in viewing student records in the online system
• Use of recycled paper
• University and college websites with weak authentication
• Personal records stolen from the home of an employee
• Release of CCTV footage
• Hard drives sold online
• Password hacked/revealed
• Student records compromise
• Financial aid data leak
• Unauthorized access to health records
• Phishing attack on staff emails
• Faculty personal information leak
• Online learning platform breach
• Library system data exposure
Examples of data breaches in the Philippines
• Commission on Elections (COMELEC) Data Breach (2016) - in 2016, a hacking group breached the Commission on Elections (COMELEC) website and leaked sensitive voter information, including personal data of over 55 million registered voters. This breach exposed names, addresses, passport details, and even biometric data, raising concerns about identity theft and privacy.
• National Privacy Commission (NPC) Data Breach (2017) - in a somewhat ironic incident, the National Privacy Commission (NPC) of the Philippines suffered a data breach in 2017. The breach exposed the personal email addresses and passwords of government employees who were subscribed to the NPC mailing list. This highlighted the importance of strong cybersecurity practices even within government organizations.
• Cebuana Lhuillier Data Breach (2019) - Cebuana Lhuillier, a well-known pawnshop and financial services provider, experienced a data breach in 2019. The breach exposed personal information of around 900,000 customers, including names, addresses, birthdates, and transaction histories. This breach raised concerns about the security of financial institutions' customer data.
• Philippine Long Distance Telephone Company (PLDT) Data Leak (2020) - in 2020, hackers claimed to have accessed customer data from the Philippine Long Distance Telephone Company (PLDT). The breach exposed customer names, addresses, and even account numbers. While PLDT denied the claims initially, it later acknowledged that there had been unauthorized access to some of its customer data.
• Land Transportation Office (LTO) Data Breach (2020) - a cybersecurity researcher discovered a vulnerability in the Land Transportation Office (LTO) website in 2020 that exposed personal information of vehicle owners, including their names, addresses, and license plate numbers. This incident highlighted the need for government agencies to prioritize cybersecurity.
• TaskUs Data Exposure (2021) - sensitive data related to TaskUs clients, which include major tech companies, was exposed due to a misconfigured cloud storage bucket. The breach exposed confidential client information, project details, and proprietary data.
• According to Verizon’s 2021 Data Breach Investigations Report, social engineering is the primary driver of data breaches; it is involved in nearly 40% of these incidents. Phishing, business email compromise, and ransomware are the primary methods used in socially engineered data breaches.

Rights of the Data Subject
• Right to be informed - IRR, Section 34.a
• Right to object - IRR, Section 34.b
• Right to access - IRR, Section 34.c
• Right to data portability - IRR, Section 36
• Right to correct (rectification) - IRR, Section 34.d
• Right to erasure or blocking - IRR, Section 34.e
• Right to file a complaint - IRR, Section 34.a.2
• Right to damages - IRR, Section 34.f
• Transmissibility of Rights - IRR, Section 35

CLASSIFICATION OF PERSONAL DATA

Personal Information:
Personal information refers to any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.

Sensitive Personal Information:
Refers to personal information about an individual’s race, ethnic origin, marital status, age, color, religious, philosophical or political affiliations, health, education, genetics, sexual life, any proceeding for any offense committed or alleged to have been committed, the disposal of such proceedings, the sentence of any court in such proceedings;

Also includes information issued by government agencies peculiar to an individual which includes, but not limited to: social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns; and specifically established by an executive order or an act of Congress to be kept classified.
Personal Data Lifecycle
Acquisition | Storage | Use | Transfer | Destruction

• Key considerations when listing your personal data:
– What personal data do you collect?
– In what form and through which channels?
– For what purpose do you collect personal data?
– How is it used?
– Who is this data shared with internally and externally?
– Who is authorized to access this data?
– Where do you keep your data?
– How long do you keep your data?
– How do you dispose of this data?

Retention/Disposal should be based on:
1. Law
2. Industry Best Practice
3. Business Needs
TRANSPARENCY – “the CONSENT Regime”
Principle of Transparency

A data subject must be aware of the nature, purpose, and extent of the processing of his or her personal data, including the risks and safeguards involved, the identity of personal information controller, his or her rights as a data subject, and how these can be exercised. Any information and communication relating to the processing of personal data should be easy to access and understand, using clear and plain language.
Legitimate purpose
Principle of Legitimate Purpose

The processing of information shall be compatible with a declared and specified purpose, which must not be contrary to law, morals, or public policy.
Proportionality
Principle of Proportionality

The processing of information shall be adequate, relevant, suitable, necessary, and not excessive in relation to a declared and specified purpose. Personal data shall be processed only if the purpose of the processing could not reasonably be fulfilled by other means.

Avoid this mentality:
“just in case we need it”
“this is what we always do”
Five pillars of compliance
1. Commit to Comply: Appoint a Data Protection Officer (DPO)
2. Know Your Risk: Conduct a Privacy Impact Assessment (PIA)
3. Be Accountable: Create your Privacy Management Program and Privacy Manual
4. Demonstrate Your Compliance: Implement your privacy and data protection (PDP) measures.
5. Be Prepared for Breach: Regularly exercise your Breach Reporting Procedures (BRP)
Other Requirements
• Annual Breach Drill
• Notification to NPC within 72 hours (in the event of a personal data breach)
• Annual Breach Report
• Security Clearance
• Privacy Notice
• Data Sharing Agreement (DSA), if applicable
• Sub-contracting Agreement / Outsourcing Agreement

Privacy notice
• What information is being collected?
• Who is collecting it?
• How is it collected?
• Why is it being collected?
• How will it be used?

The Data Privacy Principles
• Personal data shall be:
1. processed fairly and lawfully
2. processed only for specified, lawful and compatible purposes
3. adequate, relevant and not excessive
4. accurate and up to date
5. kept for no longer than necessary
6. processed in accordance with the rights of data subjects
7. kept secure
8. shared with other PICs only if there is a DSA.

Self-help checklist on data protection policy
Remember: you should be able to answer YES to all of the questions below. If you can, your business is in good shape from a data protection viewpoint. If you don't have a clean sheet, the checklist can help you identify the areas where you need to improve.

Rule 1: Fair obtaining
• At the time when we collect information about individuals, are they made aware of the uses for that information?
• Are people made aware of any disclosures of their data to third parties?
• Have we obtained people's consent for any secondary uses of their personal data, which might not be obvious to them?
• Can we describe our data-collection practices as open, transparent and up-front?

Rule 2: Purpose specification
• Are we clear about the purpose (or purposes) for which we keep personal information?
• Are the individuals on our database also clear about this purpose?
• If we are required to register with NPC, does our register entry include a proper, comprehensive statement of our purpose? [Remember, if you are using personal data for a purpose not listed on your register entry, you may be committing an offence.]
• Has responsibility been assigned for maintaining a list of all data sets and the purpose associated with each?
Rule 3: Use and disclosure of information
• Are there defined rules about the use and disclosure of information?
• Are all staff aware of these rules?
• Are the individuals aware of the uses and disclosures of their personal data? Would they be surprised if they learned about them? Consider whether the consent of the individuals should be obtained for these uses and disclosures.
• If we are required to register with NPC, does our register entry include a full list of persons to whom we may need to disclose personal data? [Remember, if you disclose personal data to someone not listed on your register entry, you may be committing an offence.]

Rule 4: Security
• Is there a list of security provisions in place for each data set?
• Is someone responsible for the development and review of these provisions?
• Are these provisions appropriate to the sensitivity of the personal data we keep?
• Are our computers and our databases password-protected, and encrypted if appropriate?
• Are our computers, servers, and files securely locked away from unauthorized people?
Rule 5: Adequate, relevant and not excessive
• Do we collect all the information we need to serve our purpose effectively, and to deal with individuals in a fair and comprehensive manner?
• Have we checked to make sure that all the information we collect is relevant, and not excessive, for our specified purpose?
• If an individual asked us to justify every piece of information we hold about him or her, could we do so?

Rule 6: Accurate and up-to-date
• Do we check our data for accuracy?
• Do we know how much of our personal data is time-sensitive, i.e. likely to become inaccurate over time unless it is updated?
• Do we take steps to ensure our databases are kept up-to-date?
• Does a policy exist in this regard?
Rule 7: Retention time
• Is there a clear statement on how long personal data are to be retained?
• Are we clear about any legal requirements on us to retain data for a certain period?
• Do we regularly purge our databases of data which we no longer need, such as data relating to former customers or staff members?
• Do we have a policy on deleting personal data as soon as the purpose for which we obtained the data has been completed?

Rule 8: The Right of Access
• Is a named individual responsible for handling access requests?
• Are there clear procedures in place for dealing with such requests?
• Do these procedures guarantee compliance with the RA 10173 requirements?
Registration
• Are we clear about whether or not we need to be registered with the NPC?
• If registration is required, is the registration kept up to date? Does the registration accurately reflect our practices for handling personal data? [Remember, if your data-handling practices are out of line with the details set out in your register entry, you may be committing an offence.]

Training & Education
• Do we know about the levels of awareness of data protection in our organization?
• Are our staff aware of their data protection responsibilities - including the need for confidentiality?
• Is data protection included as part of the training program for our staff?
Co-ordination and Compliance
• Has a Data Protection Officer (DPO) / Compliance Officer for Privacy (COP) been appointed?
• Are all staff aware of his or her role?
• Are there mechanisms in place for formal review of DPO activities within our organization?
• Is the Privacy Impact Assessment (PIA) carefully planned and executed according to its purpose?
• Is there a Breach Management Program (BMP) in place?

Other Requirements
• Annual Breach Drill
• Notification to NPC within 72 hours (in the event of a personal data breach)
• Annual Breach Report
• Security Clearance
• Privacy Notice
• Data Sharing Agreement (DSA), if applicable
• Sub-contracting Agreement / Outsourcing Agreement
Technical
• Encryption: To what standard? (cost vs benefit). All devices or just some?
• Backups: Secure: encrypted tapes | cloud-provider. Auditable process.
• Passwords: Enforced strength and updates?
• Access control: Who decides permissions and privileges (‘need to know’)?
Technical (cont.)
• Sharing data: Technical solutions – e.g. via email; portals. How delivered securely?
• Remote access: Permit Bring Your Own Device? Who has access, to what (System Administrators)? Firewalls / Anti-virus / Spam filters.
• System testing & maintenance: Live or dummy data?
Organisational – physical security
• Secure Office Storage: For removable devices and hardcopy information. Kept out of sight: in transit | at home. Identifying marks? Kensington locks? Offsite?
• Remote working: Secure both hardcopies and devices when in transit. Locked print? Lockable pedestals | Kensington locks?
Organisational – physical security (cont.)
• Building access control: Secure premises – CCTV | locked windows | perimeter. Locked CCTV room | server room. ID badges, supervised visitors | contractors.
• Secure disposal: Shredding of hardcopies. Beyond use | Reuse | Resale.
Organisational – other measures
• Human Resources: Explicit roles and responsibilities in Job Descriptions and Terms of Reference. Terms and Conditions: confidentiality clauses. Clear expectations | reporting lines. Disciplinary process.
• Policy, procedures, guidance & training: Eliminate ambiguities. Clearly communicated, readily accessible and understood. Training records.

Other security measures
• Shredding all confidential waste.
• Using strong passwords.
• Installing a firewall and virus checker on your computers.
• Encrypting any personal information held electronically.
• Holding telephone calls in private areas.
• Checking the security of storage systems.
• Keeping devices under lock and key when not in use.
• Disabling any ‘auto-complete’ settings.
• Not leaving papers and devices lying around.

12 offline measures to keep your physical data secure
01 Lock rooms containing confidential information when not in use.
02 Make sure employees don’t write their access passwords down.
03 Use swipe cards or keypads to access the office.
04 Use CCTV cameras to monitor your office space.
05 Shield keyboards when inputting passwords.
06 Shred confidential waste.

12 offline measures to keep your physical data secure (cont.)
07 Use forensic property marking equipment and spray systems to mark assets.
08 Use anti-climb paint on exterior walls and drains.
09 Install an alarm system.
10 Place bars on ground floor windows.
11 Hide valuable equipment from view when not in the office.
12 Assign a limited number of trustworthy employees as key safe holders.

Holding Data and Keeping it Up-to-Date
• Carry out an information audit at least annually.
• Write a letter at the start of each school year asking parents and students to check that
their details are correct. This also helps prevent emergency risks, e.g. if an old address or
phone number is on record.
• Check that ‘live’ files are accurate and up to date.
• Any time you become aware that information needs amending, do so immediately.
• Any personal data that is out of date or no longer needed should be ‘destroyed’. This may
involve shredding documents or deleting computer files securely so that they cannot be
retrieved.
• Schools must follow the disposal of records schedule. This schedule states how long certain
types of personal data can be held for until it must be destroyed. Some stipulations are
legal obligations while others are best practice.

You are violating the Data Privacy Act if you keep any data for longer than it is needed.
Ways to Love Yourself Online

Create STRONG passwords
• Strong passwords are at least 12 characters long and contain a combination of upper and lower case letters, numbers, and if possible, symbols.
• Choose a password that will really fight for you against hackers.

NEVER use the same password on multiple accounts
• Having different passwords on multiple accounts makes it harder for hackers to guess them.
• Don’t be too loyal to a single password; it is as if you have surrendered everything all at once.

Lock your device
• If you love it, you take care of it, right?
• Leaving a laptop or cellphone unlocked is like leaving an open purse, which hackers are more than happy to take advantage of.

Always LOG OUT of browsers
• Google Chrome has a unified log-in system, which logs you into the browser even if you only log in through the e-mail, so don’t forget to log out. Or better yet, use Incognito mode.
• Learn to say a clean goodbye, especially when it isn’t really yours… the laptop.

Make sure there is an HTTPS in the browser address bar
• The S after the HTTP stands for “Secure,” which means the data being sent between your browser and the site you are on is encrypted.
• Morning and night, every passing minute, this is what you should be looking for.

Do not log in on personal accounts on FREE or PUBLIC WIFI
• Open networks make it very easy for people to peek into your activity and accounts, and the people you share the network with may also be using compromised devices.
• Not everything that is free and willing to be used should be used.

Install an Anti-Virus … and UPDATE it
• New viruses are being created all the time, so simply installing an anti-virus program doesn’t cut it. It is important to update the programs to keep up with new and emerging threats.
• Just because you already have it doesn’t mean you can leave it hanging.

DON’T CLICK on pop-ups or virus warnings
• These warnings are now called “scareware,” which are fake security alerts telling you to click a link to download software to remove the virus in your computer. The links, however, contain viruses.
• Even if you are weak-hearted, don’t let yourself be fooled so easily.

Install an AD BLOCKER to lessen browser pop-ups
• Extensions like AdBlock Plus, available on Google Chrome and Mozilla Firefox, prevent pop-ups from appearing and notify you if these seem malicious while you browse.
• Sometimes it is better to avoid it before you get hurt.

Have you been PWNED?
• Check out https://haveibeenpwned.com/PwnedWebsites to see if you’ve availed of compromised services online. If, by any chance, you have, change your passwords immediately.
• You may already have been victimized and just don’t know it yet.

Clean up your Facebook Third-Party Apps
• While they are a fun way to find games or see which celebrity you look like, third-party apps on Facebook can and too often do send your personal data to at least 25 outside data companies, so it is definitely a good idea to remove permissions from unnecessary ones.
• Third parties are a big problem, especially for data privacy.

Set up your Facebook Privacy Settings
• Setting your Facebook privacy protects your content from predators, stalkers, and identity thieves. Not everyone has to know what you’re doing every minute of the day, especially if it’s information on your vacation details or bank accounts.
• Protect your heart once in a while.
Unfriend Facebook friends you don’t know personally
• With too many people’s names, birth dates, education, and work history available online, bogus accounts can easily duplicate a person you may know or want to be friends with. These bogus accounts can target you for identity theft, malicious links, or spam attacks.
• If you were quick to unfriend your ex, you should be even quicker to unfriend bogus accounts.

Avoid using work e-mail addresses for personal matters.
• Company e-mail addresses are typically controlled by your IT people and can be accessed by your bosses, so it’s best to keep personal matters outside of work. Moreover, your work e-mail address is usually an easy target for spam and viruses, especially if it’s listed on your company website.
• Just work, nothing personal.

Store personal and financial documents securely
• Never access your personal and financial documents in internet cafes or on public computers. Additionally, when storing your extra-sensitive files, save them in one folder, compress it with a password, and delete the original folder for extra safe-keeping.
• Take care of the things that are truly yours; it is hard to have them taken away from you.

“Compliance to Data Privacy Act is not a one-shot initiative. It is a
discipline and culture that must be embedded on a continuous basis
within the organization.”

CULTURE OF PRIVACY in the PHILIPPINES

Questions?

Summary
• Data privacy should be part of our culture
• Love yourself online by protecting your personal data.

Thank you!
Questions?

References
• National Privacy Commission.
https://www.privacy.gov.ph/wp-content/uploads/IRR-of-the-DPA.pdf
• National Privacy Commission. https://www.privacy.gov.ph/data-privacy-act/

fin