Raw PDF

Data Privacy Act of 2012 Trainers Guide
DATA PRIVACY ACT OF 2012
TRAINER’S NOTE: The topic overview below is meant for the trainer. Do not
read this to the participants.
1 day
Present DPA Slide 1
INTRODUCE THE BRIEFING
The Briefing on Data Privacy Act was designed to provide awareness and training to all
BIR officials and employees about protection on the privacy of individual while ensuring
of information to promote innovation and growth, regulates the collection, recording,
organization, storage, updating or modification, retrieval, consultation, use, consolidation,
blocking, erasure or destruction of personal data and ensures that the Philippines
complies with the international standards set for data protection through National Privacy
Commission (NPC).
REFERENCES:
Republic Act No. 10173

Implementing Rules and Regulations of the Data Privacy Act of 2012
National Privacy Commission Circular 16-01 Security of Personal Data in Government
Agencies
National Privacy Commission Circular 16-02 Data Sharing Agreements Involving
Government Agencies
Bureau of Internal Revenue September 2017

Training Management Division Version 1.0 -Page | 1
Present DPA Slide 2
DISCUSS the objectives of the briefing. At the end of this briefing, participants are
expected to:
• Understand the Data Privacy Act of 2012;

• Identify its effects to the individual and the organization;
• Know how can we protect the employee and taxpayer information entrusted to us;
and
• Determine the security measures to be compliant with RA 10173.
Present ISAB Slide 3
DISCUSS
SECTION 2: Policy
It is the policy of the state to protect the fundamental human right of privacy, of
communication while ensuring free flow of information to promote innovation and growth.
It recognizes the vital role of information and communications technology in nation-
building and its inherent obligation to ensure that personal information in information and
communications systems in the government and in the private sector are secured and
protected.
Present ISAB Slides 4 to 6
SECTION 4: Scope
The Act and these Rules apply to the processing of personal data by any natural and
juridical person in the government or private sector. They apply to an act done or practice
engaged in and outside of the Philippine if:
1. The natural or juridical person involved in the processing of personal data is found
or established in the Philippines;
2. The act, practice or processing related to personal data about a Philippine citizen
or Philippine resident;
3. The processing of personal data is being done in the Philippines; or

4. The act, practice or processing of personal data is done or engaged in by an entity

with links to the Philippines, with due consideration to international law and comity,
such as, but not limited to, the following:
a) Use of equipment located in the country, or maintains an office, branch or

agency in the Philippines for processing of personal data;
b) A contract is entered in the Philippines;
c) A juridical entity unincorporated in the Philippines but has central

management and control in the country;
d) An entity that has a branch, agency, office or subsidiary in the Philippines

and the parent or affiliate of the Philippine entity has access to personal
data;
e) An entity that carries on business in the Philippines; and
f) An entity that collects or holds personal data in the Philippines.
Present DPA Slides 7 to 16
SECTION 5: Special Cases
The Act and these Rules shall not apply to the following specified information, only to the
minimum extent of collection, access, use, disclosure or other processing necessary to
the purpose, function, or activity concerned:
1. Information processed for purpose of allowing public access to information that fall
within matters of public concern, pertaining to:
a) Information about any individual who is or was an officer or employee of

government that relates to his or her position or functions, including:
The fact that the individual is or was an officer or employee of the

government;
The title, office address, and office telephone number of the individual;
The classification, salary range, and responsibilities of the position held by

the individual; and

The name of the individual on a document he or she prepared in the course

of his or her employment with the government.
b) Information about an individual who is or was performing a service under

contract for a government institution, but only in so far as it relates to such
service, including the name of the individual and the terms of his or her contract;
and
c) Information relating to a benefit of a financial nature conferred on an individual

upon the discretion of the government, such as the granting of a license or
permit, including the name of the individual and the exact nature of the benefit:
Provided, that they do not include benefits given in the course of an ordinary
transaction or as a matter of right.
2. Personal information processed for journalistic, artistic or literary purpose, in order

to uphold freedom of speech, of expression, or of the press, subject to
requirements of other applicable law or regulations;
3. Personal information that will be processed for research purpose, intended for a
public benefit, subject to the requirements of applicable laws, regulations, or ethical
standards;
4. Information necessary in order to carry out the functions of public authority, in

accordance with a constitutionally or statutorily mandated function pertaining to
law enforcement or regulatory function, including the performance of the functions
of the independent, central monetary authority, subject to restrictions provided by
law. Nothing in this Act shall be construed as having amended or repealed
Republic Act No. 1405, otherwise known as the Secrecy of Bank Deposits Act;
Republic Act No. 6426, otherwise known as the Foreign Currency Deposit Act; and
Republic Act No. 9510, otherwise known as the Credit Information System Act
(CISA);
5. Information necessary for banks, other financial institutions under the jurisdiction
of the independent, central monetary authority or Bangko Sentral ng Pilipinas, and
other bodies authorized by law, to the extent necessary to comply with Republic
Act No. 9510 (CISA), Republic Act No. 9160, as amended, otherwise known as
the Anti-Money Laundering Act, and other applicable laws; and
6. Personal information originally collected from residents of foreign jurisdictions in

accordance with the laws of those foreign jurisdictions, including any applicable
data privacy laws, which is being processed in the Philippines. The burden of
proving the law of the foreign jurisdiction falls on the person or body seeking
exemption. In the absence of proof, the applicable law shall be presumed to be
the Act and these Rules:

Provided, that the non-applicability of the Act or these Rules do not extend to
personal information controllers or personal information processors, who remain
subject to the requirements of implementing security measures for personal data
protection: Provided further, that the processing of the information provided in the
preceding paragraphs shall be exempted from the requirements of the Act only to
the minimum extent necessary to achieve the specific purpose, function, or activity.
Section 6. Protection afforded to Data Subjects.
a. Unless directly incompatible or inconsistent with the preceding sections in

relation to the purpose, function, or activities the non-applicability concerns, the
personal information controller or personal information processor shall uphold
the rights of data subjects, and adhere to general data privacy principles and
the requirements of lawful processing.
b. The burden of proving that the Act and these Rules are not applicable to a
particular information falls on those involved in the processing of personal data
or the party claiming the non-applicability.
c. In all cases, the determination of any exemption shall be liberally interpreted in

favor of the rights and interests of the data subject.
Present DPA Slide 17
SHOW the video on Know Your Data Privacy Rights!
Present DPA Slides 18-19
Creation of Bureau’s Data Privacy Committee
Revenue Special Order No. 395-2017 dated May 15, 2017 was signed by CIR Caesar
R. Dulay – creation of a DATA PRIVACY COMMITTEE in the bureau reconstituting RSO
281-2017:
Deputy Commissioner of Information Security Group (ISG) assigned as Data Protection

Officer (DPO) who generally oversees the operations of the COP to ensure the
performance of his/her functions, efficiently and economically, but without interference
with day-to-day activities.
Regional Directors and Revenue District Officers assigned as COMPLIANCE OFFICERS

for PRIVACY (COP). They should actively coordinate and consult with the supervising
DPO, and should take instructions from the same.

DPO COP should actively coordinate and consult with the supervising DPO, and should
take instructions from the same.
What are the Duties and Responsibilities of a DPO?
1. Monitor the Personal Information Controllers (PICs) and Personal Information

Processors (PIPs) compliance with the DPA, its IRR, issuances by the NPC and
other applicable laws and policies. You may:
a. Collect information to identify the processing operations, activities, measures,

projects, programs, or systems of the PIC or PIP, and maintain a record thereof;
b. Analyze and check the compliance of processing activities, including the

issuance of security clearances to and compliance by third-party service
providers;
c. Inform, advise, and issue recommendations to the PIC or PIP;
d. Ascertain renewal of accreditations or certifications necessary to maintain the

required standards in personal data processing; and
e. Advice the PIP or PIP as regards the necessity of executing a Data Sharing
Agreement with third parties, and ensure its compliance with the law.
2. Ensure the conduct of Privacy Impact Assessments relative to activities,

measures, projects, programs, or systems of the PIC or PIP;
3. Advise the PIC or PIP regarding complaints and/or the exercise by data subjects
of their rights (e.g., requests for information, clarifications, rectification or deletion
of personal data);
4. Ensure proper data breach and security incident management by the PIC or PIP,
including the latter’s preparation and submission to the NPC of reports and other
documentation concerning security incidents or data breaches within the
prescribed period;
5. Inform and cultivate awareness on privacy and data protection within your
organization, including all relevant laws, rules and regulations and issuances of
the NPC;

6. Advocate for the development, review and/or revision of policies, guidelines,

projects and/or programs of the PIC or PIP relating to privacy and data protection,
by adopting a privacy by design approach;
7. Serve as the contact person of the PIC or PIP vis-à-vis data subjects, the NPC and
other authorities in all matters concerning data privacy or security issues or
concerns and the PIC or PIP;
8. Cooperate, coordinate and seek advice of the NPC regarding matters concerning
data privacy and security; and
9. Perform other duties and tasks that may be assigned by the PIC or PIP that will
further the interest of data privacy and security and uphold the rights of the data
subjects.
Note: Except for items (1) to (3), a COP shall perform all other functions of a DPO. Where
appropriate, he or she shall also assist the supervising DPO in the performance of the
latter’s functions.
What is PERSONAL INFORMATION?
Any information whether recorded in a material form or not, from which the identity of an
individual is apparent or can be reasonably and directly ascertained by the entity holding
the information, or when put together with other information would directly and certainly
identify an individual.
What is SENSITIVE PERSONAL INFORMATION?
SENSITIVE PERSONAL INFORMATION – refers to personal information:
1. Individual’s race, ethnic origin, marital status, age, color and religious,
philosophical or political affiliations;
2. Individual’s health, education, genetic or sexual life of a person, or to any

proceeding for any offense committed or alleged to have been committed by such
person, the disposal of such proceedings, or the sentence of any court in such
proceedings;

3. Issued by government agencies peculiar to an individual which includes, but not

limited to, social security numbers, previous or current health records, licenses or
its denials, suspension or revocation, and tax returns; and
4. Specifically established by an executive order or an act of Congress to be kept

classified.
Who is a Personal Information Controller (PIC)?
“Personal Information Controller” refers to a person or organization who controls the

collection, holding, processing or use of personal information, including a person or
organization who instructs another person or organization to collect, hold, process, use,
transfer or disclose personal information on his or her behalf.
The term excludes:

1. A person or organization who performs such functions as instructed by another
person or organization; and
2. An individual who collects, holds, processes or uses personal information in
connection with the individual’s personal, family or household affairs.
Who is a Personal Information Processor (PIP)?
“Personal Information Processor” refers to any natural or juridical person qualified to

act as such [under the DPA] to whom a personal information controller may outsource the
processing of personal data pertaining to a data subject.
Present ISAB Slides 20
Right of the DATA SUBJECT
Data Subject are people whose personal information are collected, stored and processed.
Right to be informed
Right to object
Right to access
Right to correct/rectify
Right to block/remove

Right to data portability

Right to file a complaint
Right to be indemnified
Right to be INFORMED
The right to be informed whether his or her personal data shall be, are being, or have
been processed, including the existence of automated decision-making and profiling.
Description of the personal data

Purposes for processing
Basis of processing, when not based on consent of the data subject
Scope and method of processing
The recipients or classes of recipients of the personal data
Methods utilized for automated access, if allowed by the data subject
The identity and contact details of the personal data controller
or its representative
Retention period
The existence of their rights as data subjects
Right to OBJECT
The right to object to the processing of one’s personal data, including processing for direct
marketing, automated processing or profiling. Includes the right to be notified and given
an opportunity to withhold consent to the processing in case of changes or any
amendment to the information supplied or declared.
Exceptions:
Personal data is needed pursuant to a subpoena;
The processing are for obvious purposes;
Necessary for or related to a contract or service to which the data subject is a party;
or
Necessary or desirable in an employer-employee relationship; or
The information is being processed as a result of a legal obligation.

Right to ACCESS
The right to reasonable access to the following:

1. Personal data that were processed
2. Sources of personal data
3. Names and addresses of recipients
4. Manner/method of processing
5. Reasons for the disclosure to recipients, if any
6. Information re: automated processes
7. Date when personal data were last accessed and modified
8. The designation, name or identity, and address of the PIC
Right to RECTIFICATION
The right to dispute the inaccuracy or error in the personal data and have the Personnel
Information Controller (PIC) correct it immediately includes:
• Access to new and the retracted information; and

• Simultaneous receipt of the new and retracted information.
NOTE: The recipients previously given the personal data shall he informed of its
inaccuracy and its rectification upon reasonable request of the data subject.
Right to ERASURE or BLOCKING
The right to suspend, withdraw or order the blocking, removal or destruction of his or her
personal information from the personal information controller’s filing system. May be
exercised upon discovery and substantial proof of any of the following:
The personal data is

Incomplete, outdated, false or unlawfully obtained;
Being used for unauthorized purposes;

No longer necessary for the purpose for collection;

Private information prejudicial to data subject, unless justified by freedom
of speech, of expression, or of the press or otherwise authorized;
Data subject withdraws consent or objects to the processing, and there is

no other legal ground or overriding legitimate interest for the processing;
Processing is unlawful; or
The personal information controller or personal information processor

violated the rights of the data subject.
Right to DAMAGES
The right to be indemnified for any damages sustained due to such inaccurate,
incomplete, outdated, false, unlawfully obtained or unauthorized use of personal data.
Right to DATA PORTABILITY
The right to obtain from the PIC a copy of data undergoing processing in an electronic
or structured format, which is commonly used and allows further use by the data
subject.
Primarily takes into account the right of data subject to have control over his or her
personal data being processed based on consent or contract for commercial purpose,
or through automated means.
Right to FILE A COMPLAINT
If your rights as a data subject have been violated and or a breach was committed
against you rights, you have the right to file a complaint.
Complaints can be filed at: [email protected]

Transmissibility of Rights
The lawful heirs and assigns of the data subject may invoke the rights of the data
subject at any given time after his or her death, or when he or she is incapacitated or
incapable of exercising his or her rights.
Note: The heirs and assigns of the data subject may invoke his or her rights after his
or her death, or when he or she is incapacitated.
Provisions re: Transmissibility of Rights and Right to Data
Portability are not applicable if processing is for:
scientific and statistical research; or

investigations relative to any criminal, administrative or tax liabilities of a data
subject.
Limitation on Rights
The provisions on transmissibility of rights and the right to portability are not
applicable:
• If the personal data are used only for the needs of scientific and statistical research
and, on the basis of such, no activities are carried out and no decisions are taken
regarding the data subject.
• If the processing is for the purpose of investigations relative to any criminal,
administrative or tax liabilities of a data subject.
The limitations on rights shall only be to the minimum extent necessary to achieve
the purpose of the research or investigation.

Structure of RA 10173, the Data Privacy Act

Issuances to be complied by the PICs and PIPs
National Privacy Commission (NPC)
It is an independent body created under Republic Act No. 10173 or the Data Privacy
Act of 2012, mandated to administer and implement the provisions of the Act, and to
monitor and ensure compliance of the country with international standards set for
data protection. It is attached to the Philippines' Department of Information and
Communications Technology (DICT) for purposes of policy coordination, but remains
independent in the performance of its functions. The Commission safeguards the
fundamental human right of every individual to privacy, particularly information
privacy while ensuring free flow of information for innovation, growth, and national
development.

Five (5) Commandments of NPC
Rule 1: Commit to COMPLY - Appoint a

Data Protection Officer (DPO)
Rule 2: Know your RISKS – Conduct a

Privacy Impact Assessment (PIA)
Rule 3: Write your PLAN – Create a

Privacy Management Program
Rule 4: Be ACCOUNTABLE – Implement the

Privacy and Data Protection (PDP) Measures
Rule 5: Be prepared for BREACH – Regularly exercise

Breach Reporting Procedures (BRP)
Function of the National Privacy Commission
Formulate and Implement Policies

Safeguard Fundamental Human Rights
Advisory
Public Education
Monitor and Ensure Compliance of the Country with International Standards
Receive Complaints and Instituting Investigations
Enforcement
Represent the Philippine Government Internationally on Data Protection
Related Issues

Latest Updates from the National Privacy Commission
NPC released various updates / news on Data Privacy
June 16, 2017 - NPC conducts privacy compliance check on BPI

May 16, 2017 - Threats to Security and Privacy
February 20, 2017 - NPC starts probe into COMELEC’s 2nd large scale data
breach; issues compliance order
January 5, 2017 - Privacy Commission recommends criminal prosecution of
Bautista over “Comeleak”
October 19, 2016 - Government Open Data to Improve with Data Sharing
Directives
October 17, 2016 - Stricter government handling of personal data ordered in
Privacy Commission issuance
July 26, 2016 - Data Privacy Act Cannot Be Used As Shield Against FOI
Updates can be viewed at https://privacy.gov.ph/latest-updates/
NPC CIRCULAR 16-01 Security of Personal Data in Government Agencies
SECTION 4. General Obligations. A government agency engaged in the processing of

personal data shall observe the following duties and responsibilities:
1. Through its head of agency, designate a Data Protection Officer;
2. Conduct a Privacy Impact Assessment for each program, process or measure

within the agency that involves personal data, Provided, that such assessment
shall be updated as necessary;

3. Create privacy and data protection policies, taking into account the privacy impact
assessments, as well as Sections 25 to 29 of the IRR;
4. Conduct a mandatory, agency-wide training on privacy and data protection policies

once a year: Provided, that a similar training shall be provided during all agency
personnel orientations;
5. Register its data processing systems with the Commission in cases where
processing involves personal data of at least one thousand (1,000) individuals,
taking into account Sections 46 to 49 of the IRR; and
6. Cooperate with the Commission when the agency’s privacy and data protection
policies are subjected to review and assessment, in terms of their compliance with
the requirements of the Act, its IRR, and all issuances by the Commission.
SECTION 5. Privacy Impact Assessment
A government agency engaged in the processing of personal data shall ensure that
its conduct of a privacy impact assessment is proportionate or consistent with the size
and sensitivity of the personal data being processed, and the risk of harm from the
unauthorized processing of that data. The Privacy Impact Assessment shall include
the following:
1. A data inventory identifying:

a. the types of personal data held by the agency, including records of its own
employees;
b. list of all information repositories holding personal data, including their
location;
c. types of media used for storing the personal data; and
d. risks associated with the processing of the personal data.
2. A systematic description of the processing operations anticipated and the

purposes of the processing, including, where applicable, the legitimate interest
pursued by the agency;
3. An assessment of the necessity and proportionality of the processing in relation

to the purposes of the processing; and
4. An assessment of the risks to the rights and freedoms of data subjects.

SECTION 6. Control Framework for Data Protection
The risks identified in the privacy impact assessment must be addressed by a control
framework, which is a comprehensive enumeration of the measures intended to address
the risks, including organizational, physical and technical measures to maintain the
availability, integrity and confidentiality of personal data and to protect the personal data
against natural dangers such as accidental loss or destruction, and human dangers such
as unlawful access, fraudulent misuse, unlawful destruction, alteration and
contamination.
Control Framework for Data Protection
The contents of a control framework shall take into account, among others, the following:
1. Nature of the personal data to be protected;
2. Risks represented by the processing, the size of the organization and complexity
of its operations;
3. Current data privacy best practices; and
4. Cost of security implementation.
Storage of Personal Data
SECTION 7. General Rule
Personal data being processed by a government agency shall be stored in a data center,
which may or may not be owned and controlled by such agency: Provided, that the agency
must be able to demonstrate to the Commission how its control framework for data
protection, and/or, where applicable, that of its service provider, shall ensure compliance
with the Act: Provided further, that where a service provider is engaged, the Commission
may require the agency to submit its contract with its service provider for review.

SECTION 8. Encryption of Personal Data
All personal data that are digitally processed must be encrypted, whether at rest or in
transit. For this purpose, the Commission recommends Advanced Encryption Standard
with a key size of 256 bits (AES-256) as the most appropriate encryption standard.
Passwords or passphrases used to access personal data should be of sufficient strength
to deter password attacks. A password policy should be issued and enforced through a
system management tool.
SECTION 9. Restricted Access
Access to all data centers owned and controlled by a government agency shall be
restricted to agency personnel that have the appropriate security clearance. This should
be enforced by an access control system that records when, where, and by whom the
data centers are accessed. Access records and procedures shall be reviewed by agency
management regularly.
SECTION 10. Service Provider as Personal Information Processor
When a government agency engages a service provider for the purpose of storing
personal data under the agency’s control or custody, the service provider shall function
as a personal information processor and comply with all the requirements of the Act, its
IRR and all applicable issuances by the Commission.
SECTION 12. Recommended Independent Verification or Certification
The Commission recommends ISO/IEC 27018 as the most appropriate certification for
the service or function provided by a service provider under this Rule.

SECTION 13. Archives
The requirements of this Rule shall also apply to personal data that a government agency
has stored for archival purposes.
Agency Access to Personal Data
SECTION 14. Access to or Modification of Databases
Only programs developed or licensed by a government agency shall be allowed to access

and modify databases containing the personal data under the control or custody of that
agency.
SECTION 15. Security Clearance
A government agency shall strictly regulate access to personal data under its control or
custody. It shall grant access to agency personnel, through the issuance of a security
clearance by the head of agency, only when the performance of official functions or the
provision of a public service directly depends on such access or cannot otherwise be
performed without such access.
A copy of each security clearance must be filed with the agency’s Data Protection Officer.
SECTION 16. Contractors, Consultants and Service Providers
Access to personal data by independent contractors, consultants, and service providers

engaged by a government agency shall be governed by strict procedures contained in
formal contracts, which provisions must comply with the Act, its IRR, and all applicable
issuances by the Commission. The terms of the contract and undertakings given should
be subject to review and audit to ensure compliance.

SECTION 17. Acceptable Use Policy
Each government agency shall have an up-to-date Acceptable Use Policy regarding the
use by agency personnel of information and communications technology. The policy shall
be explained to all agency personnel who shall use such technology in relation to their
functions. Each user shall agree to such policy and, for this purpose, sign the appropriate
agreement or document, before being allowed access to and used of the technology.
SECTION 18. Online Access to Personal Data
Agency personnel who access personal data online shall authenticate their identity via a
secure encrypted link and must use multi-factor authentication. Their access rights must
be defined and controlled by a system management tool.
SECTION 19. Local Copies of Personal Data Accessed Online
A government agency shall adopt and utilize technologies that prevent personal data
accessible online to authorized agency personnel from being copied to a local machine.
The agency shall also provide for the automatic deletion of temporary files that may be
stored on a local machine by its operating system. Where possible, agency personnel
shall not be allowed to save files to a local machine. They shall be directed to only save
files to their allocated network drive.
Local Copies of Personal Data Accessed Online
Drives and USB ports on local machines may also be disabled as a security measure. A
government agency may also consider prohibiting the use of cameras in areas where
personal data is displayed or processed.

SECTION 20. Authorized Devices
A government agency shall ensure that only known devices, properly configured to the
agency’s security standards, are authorized to access personal data. The agency shall
also put in place solutions, which only allow authorized media to be used on its computer
equipment.
SECTION 21. Remote Disconnection or Deletion
A government agency shall adopt and use technologies that allow the remote
disconnection of a mobile device owned by the agency, or the deletion of personal data
contained therein, in event such mobile device is lost. A notification system for such loss
must also be established.
SECTION 22. Paper-based Filing System
If personal data is stored in paper files or any physical media, the government agency
shall maintain a log, from which it can be ascertained which file was accessed, including
when, where, and by whom. Such log shall also indicate whether copies of the file were
made. Agency management shall regularly review the log records, including all
applicable procedures.
SECTION 23. Personal Data Sharing Agreements
Access by other parties to personal data under the control or custody of a government
agency shall be governed by data sharing agreements that will be covered by a separate
issuance of the Commission.

Transfer of Personal Data
SECTION 24. Emails
A government agency that transfers personal data by email must either ensure that the
data is encrypted, or use a secure email facility that facilitates the encryption of the data,
including any attachments. Passwords should be sent on a separate email. It is also
recommended that agencies utilize systems that scan outgoing emails and attachments
for keywords that would indicate the presence of personal data and, if appropriate,
prevent its transmission.
SECTION 25. Personal Productivity Software
A government agency shall implement access controls to prevent agency personnel from
printing or copying personal data to personal productivity software like word processors
and spreadsheets that do not have any security or access controls in place.
SECTION 26. Portable Media
A government agency that uses portable media, such as disks or USB drives, to store or
transfer personal data must ensure that the data is encrypted. Agencies that use laptops
to store personal data must utilize full disk encryption.
SECTION 27. Removable Physical Media
Where possible, the manual transfer of personal data, such as through the use of
removable physical media like compact discs, shall not be allowed: Provided, that if such
mode of transfer is unavoidable or necessary, authentication technology, such as one-
time PINs, shall be implemented.

SECTION 28. Fax Machines
Facsimile technology shall not be used for transmitting documents containing personal
data.
SECTION 29. Transmittal
A government agency that transmits documents or media containing personal data by

mail or post shall make use of registered mail or, where appropriate, guaranteed parcel
post service. It shall establish procedures that ensure that such documents or media are
delivered only to the person to whom they are addressed, or his or her authorized
representative: Provided, that similar safeguards shall be adopted relative to documents
or media transmitted between offices or personnel within the agency.
Disposal of Personal Data
SECTION 30. Archival Obligations
A government agency must be aware of its legal obligations as set out in Republic Act
No. 9470, also known as the National Archives of the Philippines Act of 2007. Personal
data records, as well as incoming and outgoing emails, of enduring value may be archived
pursuant to such Act.
SECTION 31. Procedures
Procedures must be established regarding:
A. Disposal of files that contain personal data, whether such files are stored on paper,
film, optical or magnetic media;
B. Secure disposal of computer equipment, such as disk servers, desktop computers

and mobile phones at end-of-life, especially storage media: Provided, that the
procedure shall include the use of degaussers, erasers, and physical destruction
devices; and

C. Disposal of personal data stored offsite.
SECTION 32. Third-Party Service Providers
A government agency may engage a service provider to carry out the disposal of personal
data under its control or custody: Provided, that the service provider shall contractually
agree to the agency’s data protection procedures and ensure that the confidentiality of all
personal data is protected.
Miscellaneous Provisions
SECTION 33. Data Breach Management
The appropriate guidelines for managing data breaches will be the subject of a separate
issuance by the Commission.
Data Sharing
The disclosure or transfer to a third party of personal data under the control or custody
of a Personal Information Controller (PIC) or Personal Information Processor (PIP).
Excludes outsourcing or subcontracting.
General Principle
DATA SHARING shall adhere to the data privacy principles laid down in the DPA, IRR
and all issuances of the NPC.

Data Sharing – When Allowed
GENERAL RULE: When a personal information controller obtains the consent of the
data subject prior to collection and processing.
EXCEPTION: Consent is not required for the processing of personal data, as provided
by law.
Data Sharing Agreement (DSA)
A contract, joint issuance, or similar document that contains the terms and conditions of
a data sharing arrangement between 2 or more parties.
Only personal information controllers can be parties to a data sharing agreement.
Contents of a DSA
• Purpose/s of data sharing, including the public function or public service.

• Identity of personal information controller/s.
• Term of duration
• Overview of operational details
• General description of security measures
• (How) data subject may access the DSA
• Details re: online access (if any)
• PIC responsible for addressing info request or complaint
• Method for return, destruction, or disposal
• Other terms and conditions

Data Sharing Agreement Review by the NPC
A DSA may be reviewed by the National Privacy Commission (NPC), on its own initiative
or based on a complaint.
Prior approval by the NPC is not necessary for the execution of DSAs.
DATA SHARING is:
Data Sharing is the disclosure/transfer to a third party personal information.
Data Sharing is different from the subcontracting or outsourcing of the processing

of personal data.
Unless otherwise provided by law, the consent of the data subject is always
necessary to engage in data sharing.
There are specific items/information that must be included in a DSA.
Although prior approval of the NPC is not necessary for the execution of a DSA,
the latter may be reviewed by the NPC at any time.
SECTION 34. Penalties
Violations of these Rules, shall, upon notice and hearing, be subject to compliance and
enforcement orders, cease and desist orders, temporary or permanent ban on the
processing of personal data, or payment of fines, in accordance with a schedule to be
published by the Commission.

Failure to comply with the provisions of this Circular may be a ground for administrative
and disciplinary sanctions against any erring public officer or employee in accordance
with existing laws or regulations.
The commencement of any action under this Circular is independent and without
prejudice to the filing of any action with the regular courts or other quasi-judicial bodies.
What Happen If You Don’t Comply?
Punishable Act Jail Term Fine (Peso)

Unauthorized processing 1 year to 3 years – 3 years to 6 years 500k to 4M
Access due to negligence 1 year to 3 years – 3 years to 6 years 500k to 4M
Improper disposal 6 mos. to 2 years – 3 years to 6 years 100k to 1M
Unauthorized purposes 18 mos. To 5 years – 2 years to 7 years 500k to 2M
Intentional breach 1 year to 3 years 500k to 2M
Concealing breach 18 mos. to 5 years 500k to 1M
Malicious disclosure 18 mos. to 5 years 500k to 1M
Unauthorized disclosure 1 year to 3 years – 3 years to 5 years 500k to 2M
Combination of acts 3 years to 6 years 1M to 5M
Philippines’ First Conviction Under the Data Privacy Act of 2012
It was stated in the Information that the accused, “being a customer care professional” of
a multinational BPO company in the Philippines “unlawfully, willfully and feloniously
accessed and processed without authority” the account of one of said company’s
American client account “by enrolling it to express cash and issuing a temporary PIN for
the said account, for the unauthorized purpose of withdrawing $500 from the said
account,” which was in violation of Section 28 of Republic Act (R.A.) No. 10173 otherwise
known as the “Data Privacy Act of 2012”.
According to the dispositive portion of the Judgment, the accused was sentenced to suffer
imprisonment for one (1) year and six (6) months as minimum and five (5) years as

maximum, and a fine of Five Hundred Thousand Pesos (PhP 500,000.00) pursuant to
Sec. 28 of the R.A. 10173.
The “Comeleak” Data
The voter database in the Precinct Finder application contained each voter’s complete
name, date of birth, gender, civil status, address, precinct number, birthplace, disability,
voter identification number, voter registration record number, reason for
deletion/deactivation, registration date, and update time.
The voter database in the Post Finder application contained each voter’s verified name,
date of birth, gender, civil status, post of registration, passport information, with number
and expiry date, taxpayer identification number, e-mail address, mailing address,
spouse’s name, the complete names of the voter’s mother and father, the voter’s
addresses in the Philippines and abroad, post or country of registration, old registration
information, Philippine representative’s complete name, citizenship, registration assistor,
profession, sector, height and weight, identifying marks, biometrics description, voting
history, mode of voting, and other textual reference information for the voter registration
system.
The firearms-ban exemptions database, containing personal data records of licensees,

and owner, serial number and license number of the firearms.
COMELEC 2nd Large Scale Data Breach
February 20, 2017 - NPC starts probe into COMELEC’s 2nd large scale data breach;
issues compliance order
• At around midnight of January 11, 2017, unidentified persons reportedly stole the
desktop computer of the COMELEC’s OEO in Wao, Lanao Del Sur.
• Seventeen days later, on January 28, 2017, COMELEC Executive Director Jose
M. Tolentino notified the NPC of the data breach.

• The data breach exposed information in the NLRV and the Voter Search
application, as well as the detailed voter registration records of registered voters
of Wao, Lanao del Sur.
• The NLRV contains approximately 75,898,336 records as of October 17, 2016. Of

these, 55,195,674 are active voters and 20,703,662 are deactivated voters.
• While the COMELEC claims the data in the database is encrypted, the COMELEC
admitted that “If the robber will be able to gain access to the VRS, and to decrypt
the VRS and the NLRV data, the personal data might be used by unscrupulous
persons for purposes other than those legitimately intended.”
• The National Privacy Commission (NPC) has ordered the Commission on

Elections (COMELEC) on Monday to take serious measures to address its data
processing vulnerabilities after the computer of the Office of the Election Officer
(OEO) in Wao, Lanao Del Sur was stolen last January 11, 2017.
• The stolen computer contains data from the Voter Registration System (VRS) and
Voter Search applications, as well as the National List of Registered Voters
(NLRV). The stolen data also contains biometric records of registered voters in
Wao, Lanao del Sur.
• “This breach illustrates that there are many ways to lose personal data. That is
why data protection is not only an IT security issue involving firewalls. It’s a
governance matter that covers organizational and physical measures to protect
data,” Liboro added. “In this case, failure to secure the very computer containing
personal data can be just as disastrous. If the COMELEC won’t address the
problem systemically, this will happen again and again.”
NPC Conducts Privacy Compliance Check on BPI
The National Privacy Commission (NPC) is conducting a privacy compliance check on

the Bank of Philippine Islands (BPI) after the recent incident that caused the bank’s
electronic channels to be temporarily suspended, inconveniencing many of its clients.

The compliance check will evaluate the existing governance, organizational, physical and
technical measures in place and seek to address any gaps especially in the bank’s breach
management protocol, with the view of preventing or mitigating similar incidents in the
future.
The BPI incident was reported to have been caused by human error resulting in previously
posted transactions to be reposted. The discovery of the error prompted to the Bank to
suspend access to thousands of accounts. The BPI incident involved a breach in security
affecting the availability and integrity of information that relates to individuals, considered
a personal data breach under NPC’s memorandum circular on personal data breach
management (NPC MC 16-03).
Commissioner Liboro explains further, “First, the BPI incident impacted information which
is considered personal under the Data Privacy Act. This includes the processing of data,
which is capable of uniquely identifying data subjects, such as the account information of
BPI and BPI Family Bank customers contained in BPI’s systems. Second, the nature of
the incident impacted both the availability and integrity of personal information
considering that the incident resulted in the posting of erroneous account information and
the prevention of its access to account holders. Under the law, impacts to availability and
integrity of personal information may constitute a breach where loss and/or alteration to
personal information occurs, whether accidentally or unlawfully.”
Commissioner Liboro underscored the importance of data protection in the Internet age.
“With many services being on-line, a simple data processing error can affect thousands
of data subjects as well as have national impact, we can’t help to reiterate the importance
of good housekeeping for data processing systems and having breach management
protocols in place compliance with data protection and privacy regulations reduces
breach incidents and puts data subjects out of harm’s way.”
Data Privacy Act Cannot Be Used As Shield Against FOI
The Data Privacy Act of 2012 cannot be used by government officials as protection
against the Freedom of Information Executive Order issued by President Duterte.

“A government official who abuses his position or takes undue advantage of his functions
for personal benefit will not be able to use the Data Privacy Act to restrict access of the
people to information.”
The right to information on matters of public concern is a fundamental right provided in

the Constitution and the right to privacy must always be balanced with the right of the
people to be provided information on matters that affect their lives.
SHOW the video on Data Protection…..What You Need To Know
Which is More Valuable?
“Data is more valuable, people are trying to get more of it.”
With your personal information or data – Identity thieves can:

• Get a loan (example: Filipino teacher who posted his PRC license in FB and
thieves got a loan amounting to P800k+ using his identity)
• Open credit cards
• Commit crime or fraud etc.
Impact on Victims:
• Lawsuits, stress/anxiety, denial of credit and loans and time/expenses spent on

recovery steps.

How is Data Collected?
Application Forms
Questionnaires
Survey Forms
Interviews
Mailing List
Registration Forms
Social Media
Raffle Tickets
Data Privacy and Security
As required in RA 10173 – as per Rule VI of the Implementing Rules and Regulations

(IRR) of the DPA Security Measures for the Protection of Personal Data must be in place.
Data Privacy and Security. Personal information controllers and personal information
processors shall implement reasonable and appropriate organizational, physical, and
technical security measures for the protection of personal data.
The personal information controller and personal information processor shall take steps
to ensure that any natural person acting under their authority and who has access to
personal data, does not process them except upon their instructions, or as required by
law.
The security measures shall aim to maintain the availability, integrity, and confidentiality
of personal data and are intended for the protection of personal data against any
accidental or unlawful destruction, alteration, and disclosure, as well as against any other
unlawful processing. These measures shall be implemented to protect personal data
against natural dangers such as accidental loss or destruction, and human dangers such
as unlawful access, fraudulent misuse, unlawful destruction, alteration and
contamination.

Security is all About Risk Management
It’s About DAD and Safety
Information security is about managing threats involving:
• D - Disclosure of Sensitive Information (breach of confidentiality)

• A - Alteration of that information, so that one cannot rely on its integrity
• D - Destruction of that information or disrupting its availability
“Authorization is given to the “right people” to access the information and Access
Control is preventing the “wrong people” from accessing that information.”
Risk management is the identification, assessment and prioritization of risks followed by

coordinated and economical application of resources to minimize, monitor, and control
the probability and/or impact of unforeseen events.
SHOW the slide “How can we protect the personal information and sensitive personal
information entrusted to us?
Security Measures
These are the three key principles which should be guaranteed in any kind of secure
system. It is a model designed to guide policies for information security within the
organization.
• Confidentiality – Information must be protected from disclosure to unauthorized

individuals, entities or processes.

• Integrity – Information must be protected from unauthorized modification or

destruction so that the accuracy, completeness and reliability of the information
are assured.
• Availability – Information must be available when and where needed to enable BIR
to function efficiently and to ensure that BIR can serve the taxpayer’s effectively.
Types of Computer Security
PHYSICAL SECURITY including:

Prevention from theft
Protection from fire
Protection from environmental hazards
TECHNICAL SECURITY including:

Protection from viruses
Backing up data
Protecting files
Encryption
Physical Security Measures
As required in RA 10173 – Section 27 of the Implementing Rules and Regulations (IRR)
Section 27. Physical Security Measures. Where appropriate, personal information

controllers and personal information processors shall comply with the following guidelines
for physical security:
a) Policies and procedures shall be implemented to monitor and limit access

to and activities in the room, workstation or facility, including guidelines that
specify the proper use of and access to electronic media;
b) Design of office space and work stations, including the physical

arrangement of furniture and equipment, shall provide privacy to anyone

processing personal data, taking into consideration the environment and

accessibility to the public;
c) The duties, responsibilities and schedule of individuals involved in the

processing of personal data shall be clearly defined to ensure that only the
individuals actually performing official duties shall be in the room or work
station, at any given time;
d) Any natural or juridical person or other body involved in the processing of

personal data shall implement Policies and procedures regarding the
transfer, removal, disposal, and reuse of electronic media, to ensure
appropriate protection of personal data; and
e) Policies and procedures that prevent the mechanical destruction of files and
equipment shall be established. The room and workstation used in the
processing of personal data shall, as far as practicable, be secured against
natural disasters, power disturbances, external access, and other similar
threats.
This Could Happen to Us
Loss of PCs
Office submerged in floodwaters
Fire in office
SHOW pictures that do not practice security measures.
Physical Security
• The most obvious choice of protecting data is to keep it in a safe locked

room/building.

• Protected room can be safeguarded by:

Lock-and-key
ID card scanning
Biometrics (retina scan, fingerprint scanning)
Using a safe
Alarm systems
Technical Security Measures
As required in RA 10173 – Section 28 of the Implementing Rules and Regulations (IRR)
Section 28. Guidelines for Technical Security Measures. Where appropriate, personal
information controllers and personal information processors shall adopt and establish the
following technical security measures:
a) A security policy with respect to the processing of personal data;
b) Safeguards to protect their computer network against accidental, unlawful or

unauthorized usage, any interference which will affect data integrity or hinder the
functioning or availability of the system, and unauthorized access through an
electronic network;
c) The ability to ensure and maintain the confidentiality, integrity, availability, and
resilience of their processing systems and services;
d) Regular monitoring for security breaches, and a process both for identifying and
accessing reasonably foreseeable vulnerabilities in their computer networks, and
for taking preventive, corrective, and mitigating action against security incidents
that can lead to a personal data breach;
e) The ability to restore the availability and access to personal data in a timely manner
in the event of a physical or technical incident;
f) A process for regularly testing, assessing, and evaluating the effectiveness of

security measures; and

g) Encryption of personal data during storage and while in transit, authentication

process, and other technical security measures that control and limit access.
Examples of Security Breaches and Practices to Avoid Them
Data Breach Recommended Practices

Theft or loss: Computers and Ensure proper physical security of electronic and
laptops, portable electronic devices, physical restricted data wherever it lives.
electronic media, paper files. Lock down workstations and laptops as a
deterrent.
Secure your area, files and portable
equipment before leaving them unattended.
Don't leave papers, computers or other
electronic devices visible in an empty car or
house.
Shred sensitive paper records before
disposing of them.
Don’t leave sensitive information lying
around unprotected, including on printers,
fax machines, copiers, or in storage.
Laptops should be secured at all times. Keep it
with you or lock it up securely before you step
away -- and make sure it is locked to or in
something permanent.
Use extra security measures for portable
devices (including laptop computers) and
portable electronic media containing sensitive or
critical info:
Encryption
Extra physical security
Insecure storage or transmission of Be sure you know who has access to
information and other sensitive folders before you put restricted data there!
information. Be certain you don’t put sensitive
information in locations that are publicly
accessible from the Internet. Double check.

If you can access it online without a

password, so can others.
Don't use open/unencrypted wireless when
working with or sending this data.
Don’t email or IM (instant message)
unencrypted restricted data.
Password hacked or revealed. Use good, cryptic passwords that are
difficult to guess, and keep them secure.
Never share or reveal your passwords,
even to people or organizations you trust.
Use different passwords for accounts that
provide access to restricted data than for
your less-sensitive accounts.
Use different passwords for work and non-
work accounts.
Change initial and temporary passwords,
and password resets, as soon as possible
whenever possible. These tend to be less
secure.
Missing "patches" and updates: Make sure all systems connected to the
Hackers can take advantage of network/Internet have all necessary operating
vulnerabilities in operating systems system (OS) and application security “patches”
(OS) and applications if they are not and updates.
properly patched or updated. This
puts all of the data on those system
and other connected systems at risk.
Computer infected with a virus or Install anti-malware software and make
other malware: Computers that are sure it is always up-to-date.
not protected with anti-malware Don't click on unknown or unexpected links
software are vulnerable. Out-of-date or attachments. These can infect your
anti-malware may not detect known computer.
malware, leaving your computer Don’t open files sent via chat/IM or P2P
vulnerable to infection. software on a machine that contains
restricted data – these files can bypass anti-
virus screening.
Improperly configured or risky Don't install unknown or suspicious
software: programs on your computer. These can
This can open your computer up to harbor behind-the-scenes computer viruses
attackers.

or open a “back door” giving others access

to your computer without your knowledge.
Don’t put sensitive information in places
where access permissions are too broad.
Insecure disposal & re-use. Destroy or securely delete restricted data prior to
re-use or disposal of equipment or media.
Shred sensitive paper records before disposing of
them. Do not re-use them where the information
could be exposed.
Implementation of Information Security in the BIR
To ensure compliance with RA 10173, revenuers are duty-bound and mandated to follow:
Section 270 of the NIRC
According to Section 270 of the National Internal Revenue Code of 1997, as amended by
RA 10021 – Unlawful Divulgence of Trade Secrets except as provided in Section 71 of
the Tax Code and Section 26 of Republic Act. No. 6388, any officer or employee of the
Bureau of Internal Revenue who divulges to any person or makes known in any other
manner than may be provided by law information regarding the business, income or
estate of any taxpayer, the secrets, operation, style or work, or apparatus of any
manufacturer or producer, or confidential information regarding the business of any
taxpayer, knowledge of which was acquired by him in the discharge of his official duties,
shall upon conviction for each act or omission, be punished by a fine of not less than Fifty
thousand pesos (P50,000.00) but not more than One hundred thousand pesos
(P100,000.00), or suffer imprisonment of not less than two (2) years but not more than
five (5) years, or both.
Any officer or employee of the Bureau of Internal Revenue who divulges or makes known
in any other manner to any person other than the requesting foreign tax authority
information obtained from banks and financial institutions pursuant to Section 6(F),
knowledge or information acquired by him in the discharge of his official duties, shall,
upon conviction, be punished by a fine of not less than Fifty thousand pesos (P50, 000.00)
but not more than One hundred thousand pesos (P100, 000.00), or suffer imprisonment
of not less than two (2) years but not more than five (5) years, or both.

RMO No. 50-2004 – Policies & Guidelines on the BIR’s Information & Technology
Security Infrastructure
Establish policies/guidelines on Information and Communication (ICT) security

infrastructure; establish procedures and requirements to ensure the appropriate
protection of Bureau’s ICT systems and resources; delineate responsibilities of offices
concerned create and maintain awareness of the need for information security to be an
integral part of the day-to-day operation of business systems.
RMO No. 67-2010 – Policies & Guidelines on Information & Communication

Technology Security Offense
Defining thereat certain offenses as additional grounds for administrative disciplinary

action with their corresponding penalties.
RMO No. 12-2014 – Information Asset Classification Guidelines
The Information Asset Classification Guidelines aims to establish a standard approach to

classify information assets across all delivery mechanisms of on-line and physical ‘over-
the counter’ services for both electronically and non-electronically stored information. The
guideline includes the security classification schema and the security classification
process (i.e., identification of information assets, owner identification, limiting duration of
classification). It also established the basic security controls (i.e., filing and marking,
reclassification of information, storage) which serves as protection when handling and
dealing with the BIR’s information assets.
RMO No. 15-2014 – Revised Information & Communication Technology Security

Policy
This is being issued to define the principles, roles and responsibilities to which all BIR
employees and third parties must adhere to when handling owned by, entrusted to and/or
shared with the BIR, communicate the accepted requirements to maintain the
confidentiality, integrity and availability of information assets, maintain awareness of the
need of information security and the need to be an integral part of the day-to-day
operations of BIR.
ISG Memorandum Order 2-2017 – Personal Computer (PC) Baseline Standards

(Confidential to ISG)

Implementation of Information Security in the BIR
Various guidelines in compliance with RA 10173 are being reviewed for release
to BIR Users:
Password and Login Control Guidelines
Email Security Guidelines
Internet Security Guidelines
Application System Security Guidelines
Secure Application Development Guidelines
Network Security Guidelines
Various Baseline Security Standards and Procedures were also prepared and for
review:
Information Security Incident Management Procedures
IT SOLUTIONS in-place to ensure compliance with RA 10173

Anti-virus
Firewall
Intrusion Detection and Prevention System
Active Directory
eMail Security
Distributed Denial of Service (DDOS)
Web Content Filtering
Vulnerability Assessment
Transport Layer Security (TLS) and Secure Sockets Layer (SSL) Solution
Bureau’s Compliance with RA 10173
The following teams were created at the National Office in order for the bureau to comply
with the Data Privacy Accountability and Compliance Framework to attain the Five
Pillars/Commandments of the National Privacy Commission, in line with the created Data
Privacy Committee under RSO 395-2017.
• Privacy Impact Assessment (PIA)

• Privacy Management Program and Privacy Manual
• Day-to-Day (Privacy Notice)
• Data Security
• Breach and Security Incidents

• Third Parties
• Manage HR
• Projects
• Manage Legal
Privacy Impact Assessment (PIA) Team
The team has already completed the conduct of PIA on the initially identified five
(5) critical systems:
Integrated Tax System (ITS)
Electronic Tax Information System (eTIS)
Electronic Filing and Payment System (eFPS)
eBIRForms
eRegistration
Note: Document is already being routed for signature of concerned Officials.
Continuous PIA effort of the remaining BIR Systems.
Privacy Management Program and Privacy Manual Team
• Prepare an outline for the manual.

• Dependent on the outputs of all the DPA Committee teams.
Privacy Notice Team
Privacy Notice for the Attendance Sheet.

CIR's Memorandum re: Privacy Notice in Attendance Sheets released through
email to ALL BIR users July 21, 2017
Privacy Notice for the Website for implementation

To formulate Notices for other documents (e.g. PDS/SALN/etc.).

To discuss Notices or Cover Notices (can be one liner) that would be
incorporated / attached to other documents.
Data / Physical Security Team
• Implementation of Data Security Policies, Procedures and Guidelines.

• Reinforce BIR Physical Security especially in the workplace (BIR employees
should be protected and security of documents).
• To conduct bureau-wide Physical and IT Security.
Breach and Security Incidents Team
• Create a Data Breach Response Team.

• Implementation of an Information Security Incident Management Procedure and
processes and procedures for data breach management.
Third Parties Team
• Maintain contracts and agreements with third-parties and affiliates consistent with
the data privacy policy, legal requirements, and operational risk tolerance.
• Review of Memoranda of Agreement with other agencies with reference to the
Data Privacy Act and other Circulars.
• Formulate procedure to address instances of non-compliance with contracts and
agreements.

Third Parties Team
• Maintain contracts and agreements with third-parties and affiliates consistent with
the data privacy policy, legal requirements, and operational risk tolerance.
• Review of Memoranda of Agreement with other agencies with reference to the

Data Privacy Act and other Circulars.
• Formulate procedure to address instances of non-compliance with contracts and

agreements.
Manage HR Team
• Provide ongoing training and awareness to promote compliance with the data
privacy policy.
• Conduct of Briefing on Data Privacy Act nationwide (October 2017 onwards).

• Conduct of Focus Group Discussion/meeting on DPA to RR Offices with
DPO/DCIR Lanee Cui-David to get the commitment of the Regional
Directors/Revenue District Officers.
Projects Team
• The Project Team will guide the Project/Process Owner in the
conceptualization/development of a project (i.e. during the
planning/design/FSR/TSR/Security requirements/etc.) in reference to DPA.
•
• During the data gathering stage, the team will identify/map out/analyze if there are
data privacy issues (or otherwise) and recommend procedures and processes to
address said issues.

Manage Legal Team
The Team will provide guidance and assistance on the legal aspect in compliance with
DPA.
SHOW the video on Handle Personal Info with Care
Given the volume of taxpayer transactions, data and information BIR handles on a regular
basis, we are mandated to comply with the Data Privacy Act of 2012 – RA 10173
Don’t just comply – Be accountable.


Raw PDF

Uploaded by

Copyright:

Available Formats

Raw PDF

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Raw PDF

Uploaded by

Copyright:

Available Formats

Data Privacy Act of 2012 Trainers Guide

DATA PRIVACY ACT OF 2012

Present DPA Slide 1

INTRODUCE THE BRIEFING

Republic Act No. 10173

Bureau of Internal Revenue September 2017

Present DPA Slide 2

• Understand the Data Privacy Act of 2012;

Present ISAB Slide 3

Present ISAB Slides 4 to 6

Bureau of Internal Revenue September 2017

4. The act, practice or processing of personal data is done or engaged in by an entity

a) Use of equipment located in the country, or maintains an office, branch or

b) A contract is entered in the Philippines;

c) A juridical entity unincorporated in the Philippines but has central

d) An entity that has a branch, agency, office or subsidiary in the Philippines

e) An entity that carries on business in the Philippines; and

f) An entity that collects or holds personal data in the Philippines.

Present DPA Slides 7 to 16

SECTION 5: Special Cases

a) Information about any individual who is or was an officer or employee of

The fact that the individual is or was an officer or employee of the

The classification, salary range, and responsibilities of the position held by

Bureau of Internal Revenue September 2017

The name of the individual on a document he or she prepared in the course

b) Information about an individual who is or was performing a service under

c) Information relating to a benefit of a financial nature conferred on an individual

2. Personal information processed for journalistic, artistic or literary purpose, in order

4. Information necessary in order to carry out the functions of public authority, in

6. Personal information originally collected from residents of foreign jurisdictions in

Bureau of Internal Revenue September 2017

a. Unless directly incompatible or inconsistent with the preceding sections in

c. In all cases, the determination of any exemption shall be liberally interpreted in

Present DPA Slide 17

SHOW the video on Know Your Data Privacy Rights!

Present DPA Slides 18-19

Creation of Bureau’s Data Privacy Committee

Deputy Commissioner of Information Security Group (ISG) assigned as Data Protection

Regional Directors and Revenue District Officers assigned as COMPLIANCE OFFICERS

Bureau of Internal Revenue September 2017

Present DPA Slides 20-24

What are the Duties and Responsibilities of a DPO?

1. Monitor the Personal Information Controllers (PICs) and Personal Information

a. Collect information to identify the processing operations, activities, measures,

b. Analyze and check the compliance of processing activities, including the

c. Inform, advise, and issue recommendations to the PIC or PIP;

d. Ascertain renewal of accreditations or certifications necessary to maintain the

2. Ensure the conduct of Privacy Impact Assessments relative to activities,

Bureau of Internal Revenue September 2017

6. Advocate for the development, review and/or revision of policies, guidelines,

Present DPA Slide 25

What is PERSONAL INFORMATION?

Present DPA Slides 26-27

What is SENSITIVE PERSONAL INFORMATION?

SENSITIVE PERSONAL INFORMATION – refers to personal information:

2. Individual’s health, education, genetic or sexual life of a person, or to any

Bureau of Internal Revenue September 2017

3. Issued by government agencies peculiar to an individual which includes, but not

4. Specifically established by an executive order or an act of Congress to be kept