Data Privacy Manual
TABLE OF CONTENTS
I. INTRODUCTION 1
II. DEFINITION OF TERMS 1
III. SCOPE AND LIMITATIONS 4
IV. BIR DATA PRIVACY COMMITTEE 4
A. DATA PROTECTION OFFICER (DPO) 5
B. DATA PRIVACY TEAMS 8
V. PROCESSING OF PERSONAL DATA 11
A. RECORDS OF PROCESSING ACTIVITIES 11
B. SOURCES OF PERSONAL DATA 12
C. MODES OF DATA COLLECTION 12
D. COLLECTION OF PERSONAL INFORMATION 13
E. USE OF PERSONAL INFORMATION 14
F. PROCESSING OF PERSONAL DATA 14
G. VERIFICATION OF INFORMATION 15
H. STORAGE, RETENTION AND DESTRUCTION OF PERSONAL DATA 15
I. CONFIDENTIALITY/DISCLOSURE OF INFORMATION 16
J. DATA SHARING 17
K. NON-APPLICABILITY OF THE ACT TO CERTAIN PERSONAL INFORMATION 17
VI. SECURITY MEASURES 19
A. PHYSICAL SECURITY MEASURES 19
B. TECHNICAL SECURITY MEASURES 20
C. ORGANIZATIONAL SECURITY MEASURES 22
D. SECURITY OF SENSITIVE PERSONAL INFORMATION IN GOVERNMENT 24
VII. DATA BREACH AND SECURITY INCIDENTS 25
A. CREATION OF A DATA BREACH RESPONSE TEAM 25
B. MEASURES TO PREVENT AND MINIMIZE OCCURRENCE OF BREACH INCIDENTS 25
C. PROCEDURE FOR RECOVERY AND RESTORATION OF PERSONAL DATA 25
D. NOTIFICATION PROTOCOL 26
E. DOCUMENTATION AND REPORTING PROCEDURES OF SECURITY INCIDENTS OR A PERSONAL DATA BREACH 26
VIII. RIGHTS OF THE DATA SUBJECT 27
A. RIGHT TO BE INFORMED 27
B. RIGHT TO OBJECT 28
C. RIGHT TO ACCESS 28
D. RIGHT TO RECTIFICATION 28
E. RIGHT TO ERASURE OR BLOCKING 29
F. RIGHT TO DAMAGES 29
G. TRANSMISSIBILITY OF RIGHTS OF THE DATA SUBJECT 29
H. RIGHT OF DATA PORTABILITY 29
I. LIMITATION OF RIGHTS 30
IX. INQUIRIES AND COMPLAINTS 30
A. HANDLING OF COMPLAINTS 30
B. INQUIRIES 31
X. EFFECTIVITY 31
I. INTRODUCTION
The Bureau of Internal Revenue (BIR) is the premier revenue-collecting agency of the
government. Its mandate is to raise revenue through the collection of taxes and fees imposed
by law to fund the socio-economic programs of the government for the benefit of the more
than 100 million Filipinos here and abroad.
The mandate of the Bureau follows the State’s policy contained in the Tax Reform for
Acceleration and Inclusion (TRAIN) Law, to rationalize the internal revenue tax system and tax
administration. Attainment of this mandate requires a well-organized, failsafe and
reliable profile of taxpayers, both natural and juridical.
The main source of the Bureau’s collection comes from about 60 million taxpayers from all
walks of life, more than 80% of which are individual taxpayers. All these taxpayers are
readily identified individually upon their registration with the BIR and through periodic filing
of tax returns wherein information obtained about their person and their earnings, business
income and other sources of gain are reported.
Information from taxpayers, be it personal or corporate, is held in strict confidence by the
Bureau and is strictly prohibited from being divulged to third persons, or to the public in general.
Section 270 of the National Internal Revenue Code of 1997 (NIRC), as amended, imposes
penalties upon each act or omission in violation thereof.
The effectivity of Republic Act No. 10173 (RA 10173), or the Data Privacy Act of 2012, has
extended and expanded the Bureau’s mandate to secure such personal information, sensitive personal
information and privileged information, as well as business information of individual taxpayers,
that has already been collected, or will still be collected, in the course of the performance
of its official functions. The Act also requires that such information is collected, processed
and secured in adherence to the general principles of transparency, legitimate purpose and
proportionality.
This Data Privacy Manual, prepared and circularized, specifically lays out the processes
and procedures mandated by law in compliance with the requirements of the data privacy
management and security.
For consistency and uniformity in usage, the following terms are herein defined:
a. “Act” or “DPA” – refers to Republic Act No. 10173, also known as the Data
Privacy Act of 2012;
Page 1 of 31
d. “Conflict of Interest” refers to a scenario wherein a DPO is charged with
performing tasks, duties and responsibilities that may be opposed to or could affect
his performance as DPO. This includes, inter alia, holding a position within the
Personal Information Controller or Personal Information Processor that leads him
to determine the purposes and the means of the processing of personal data;
e. “Consent of the data subject” refers to any freely given, specific, informed
indication of will, whereby the data subject agrees to the collection and processing
of his or her personal, sensitive personal, or privilege information. Consent shall
be evidenced by written, electronic or recorded means. It may also be given on
behalf of a data subject by a lawful representative or an agent specifically
authorized by the data subject to do so;
h. “Data sharing” is the disclosure or transfer to a third party of personal data under
the custody of a personal information controller or personal information processor.
In the case of data sharing made by the latter, such disclosure or transfer must have
been upon the instructions of the personal information controller concerned. The
term excludes outsourcing, or the disclosure or transfer of personal data by a
personal information controller to a personal information processor;
m. “Personal Data Sheet” or “PDS” refers to the form prepared by the BIR officials
and employees containing their personal information which is prepared and filed
annually and on specified occasions such as upon hiring, promotion, transfer and
other changes in employment status;
There is control if the natural or juridical person or any other body decides on what
information is collected, or the purpose or extent of its processing.
s. “Privileged information” refers to any and all forms of data, which, under the rules
of Court and other pertinent laws constitute privileged communication;
w. “Security incident” is an event or occurrence that affects or tends to affect data
protection, or may compromise the availability, integrity and confidentiality of
personal data. It includes incidents that would have resulted in a personal data
breach, if not for safeguards that have been put in place; and
1. About an individual’s race, ethnic origin, marital status, age, color, and
religious, philosophical or political affiliations;
This Data Privacy Manual specifies the processing, security measures and assurance of
security and confidentiality of personal data or information obtained in the performance of
the Bureau’s official functions mandated by law, and informs users hereof of the rights of the
data subjects.
All personnel of the BIR, therefore, regardless of the type of employment or contractual
arrangements, must comply with the terms set out in this Data Privacy Manual.
The Bureau shall constitute the Data Privacy Committee composed of the following
groups/teams:
1. Executive Sponsors:
Commissioner of the Internal Revenue
Deputy Commissioner – Operations Group (OG)
Deputy Commissioner – Resource Management Group (RMG)
Deputy Commissioner – Legal Group (LG)
Deputy Commissioner – Information Systems Group (ISG)
3. Compliance Officers on Privacy (COP):
a) National Office designate
b) Regional Directors (Regional Offices)
The Data Protection Officer (DPO) shall be designated by the PIC or PIP who shall
be accountable for ensuring the compliance by the PIC or PIP with the DPA, its IRR,
issuances by the National Privacy Commission (NPC), and other applicable laws
and regulations relating to privacy and data protection.
1. General Qualifications
The DPO shall possess specialized knowledge and demonstrate reliability
necessary for the performance of his or her duties and responsibilities. As such,
the DPO should have expertise in relevant privacy or data protection policies and
practices. He/she should have sufficient understanding of the processing
operations being carried out by the PIC or PIP, including the latter’s information
systems, data security and/or protection needs.
2. Position of the DPO or Compliance Officer on Privacy (COP)
The DPO or COP to be assigned by the PIC or PIP may be a career or appointive
position. In the event that the position of DPO or COP is left vacant, the PIC or the
PIP will provide for the appointment, reappointment or hiring of his or her
replacement within a reasonable period of time. The PIC or PIP may also require
the incumbent DPO or COP to occupy such position in a holdover capacity until the
appointment or hiring of a new DPO or COP, in accordance with the PIC or PIP’s
internal policies and the provisions of the appropriate contract.
The DPO or COP must be independent in the performance of his or her functions,
and should be accorded a significant degree of autonomy by the PIC or PIP. In his
or her capacity as DPO or COP, an individual may perform or be assigned to
perform other tasks or assume other functions that do not give rise to any conflict
of interest.
3.1.1 Monitor the Bureau’s compliance with the DPA, its IRR,
issuances by the NPC and other applicable laws and policies.
For this purpose, he or she may:
3.1.3 Advise the PIC or PIP regarding complaints and/or the exercise by
data subjects of their rights (e.g., requests for information,
clarifications, rectification or deletion of personal data);
3.1.7 Serve as the contact person of the PIC or PIP vis-à-vis data
subjects, the NPC and other authorities in all matters concerning
data privacy or security issues or concerns;
3.1.8 Cooperate, coordinate and seek advice of the NPC regarding
matters concerning data privacy and security; and
3.1.9 Perform other duties and tasks that may be assigned by the PIC or
PIP that will further the interest of data privacy and security and
uphold the rights of the data subjects.
3.2. The Compliance Officers On Privacy (COP) and Assistant COPs shall:
3.2.1 Assume all of the above functions of the DPO, except for items a)
to c) of the Duties and Responsibilities of the DPO, in their
respective jurisdictions;
3.2.2 Cooperate, coordinate and seek advice from the DPO regarding
matters concerning data privacy and security; and
3.2.3 Where appropriate, COPs shall assist the DPO in the performance
of the latter’s functions.
The DPO or COP must have due regard for the risks associated with the
processing operations of the Bureau and/or its PIP, taking into account the
nature, scope, context and purposes of processing. Accordingly, he or she
must prioritize his or her activities and focus his or her efforts on issues that
present higher data protection risks.
4. Protection of the DPO and COP
To strengthen the autonomy of the DPO or COP and to ensure the independent
nature of his or her role in the organization, a PIC or PIP should not directly or
indirectly penalize or dismiss the DPO or COP for performing his or her tasks.
It is not necessary that the penalty is actually imposed or meted out. A mere
threat is sufficient if it has the effect of impeding or preventing the DPO or COP
from performing his or her tasks. However, nothing shall preclude the legitimate
application of labor, administrative, civil or criminal laws against the DPO or
COP, based on just or authorized grounds.
5. Weight of Opinion
The opinion of the DPO or COP must be given due weight. In case of
disagreement, and should the PIC or PIP choose not to follow the advice of the
DPO or COP, it is recommended, as good practice, to document the reasons
therefor.
The Data Privacy Teams shall have the following duties and responsibilities:
1.1.5 Organize and make all necessary arrangements for the Data
Privacy meetings/presentations; and
1.2 New Programs, Systems and Processes
2.2 Translate the DPA into a policy based on the Bureau’s operations,
types of personal data handled and the lifecycle of the personal data;
2.4 Establish and develop Privacy Notice that details the Bureau’s personal
data handling policies;
3.1 Develop processes and procedures for incident and breach management;
3.2.2 Conduct an initial assessment of the incident or breach in order
to ascertain the nature and extent thereof; and
3.4 Ensure notification protocol wherein the head of the Incident and Data
Breach Response Team shall inform the DPO of the need to notify the
NPC and the data subjects affected by the incident or breach within the
period prescribed by law; and
4.1 Ensure that security measures are in place to maintain the availability,
integrity and confidentiality of personal data;
4.2 Ensure that technical security measures are in place to make sure that
there are appropriate and sufficient safeguards to secure the processing
of personal data, particularly the computer network in place, including
encryption and authentication processes that control and limit access;
4.4 Ensure that personnel with access to personal data verify their
identity using a secure encrypted link and multi-level authentication;
4.5 Ensure that software applications are reviewed and evaluated before the
installation in computers and devices;
4.7 Ensure that personal data are protected against natural dangers such as
accidental loss or destruction, and human dangers such as unlawful
access, fraudulent misuse, unlawful destruction, alteration and
contamination.
5.2 Maintain data privacy requirements for third parties (e.g. vendors,
processors, and affiliates);
5.3 Maintain procedures to execute contracts or agreements with all
processors;
5.5 Conduct due diligence around the data privacy and security posture of
potential vendors/processors;
5.7 Conduct ongoing due diligence around the data privacy and security
posture of vendors/processors based on a risk assessment; and
5.8 Review long-term contracts for new or evolving data protection risks.
6. Manage HR Team
6.5 Integrate data privacy into other training programs such as HR, security
training etc.; and
6.6 Ensure that employees shall operate and hold personal data under strict
confidentiality even after leaving public service, transferring to another
position, or upon terminating their employment or contractual relations.
The Bureau shall maintain records that sufficiently describe its data processing system,
and identify the duties and responsibilities of those individuals who will have access to
personal data.
1. Information about the purpose of the processing of personal data, including any
intended future processing or data sharing;
2. A description of all categories of data subjects, personal data, and recipients of such
personal data that will be involved in the processing;
3. General information about the data flow within the organization, from the time of
collection, processing, and retention, including the time limits for disposal or
erasure of personal data;
5. The name and contact details of the personal information controller and where
applicable, the joint controller, its representative, and the compliance officer or
Data Protection Officer, or any other individual or individuals accountable for
ensuring compliance with the applicable laws and regulations for the protection of
data privacy and security.
The Bureau shall register its processing systems with NPC in accordance and in
compliance with NPC issuances.
The BIR requires certain persons to declare personal information as part of, and in
compliance with, its official duties and functions and for certain undertakings with the
public to form part of its files. The following constitute the main sources of such
information, including personal and sensitive personal information:
1. Taxpayers in general;
1. From Taxpayers:
1.2 Filing of tax returns, business financial statements and other information
certifications and information returns, either online or in hard copy;
1.8 Arrests and seizures pursuant to Sec. 15, NIRC of 1997, as amended.
2. From Employees:
2.2 Submission of Personal Data Sheet (PDS) and other related documents;
To ensure that the rights of the data subjects are fully protected, the BIR shall
enforce the following policies and principles on personal data collection and
management:
2. Data subject’s consent must be obtained before collecting and processing the
information subject to exemptions provided by the Act and other applicable laws
and regulations. When consent is required, it must be time-bound in relation to
the declared, specified and legitimate purpose;
3. The data subject must be provided specific information regarding the purpose
and extent of processing including where applicable, the automated processing
of his or her personal data for profiling or processing for direct marketing and
data sharing;
“All information shall be used by the BIR for legitimate purposes specifically
for__________ and shall be processed by authorized personnel in
accordance with the data privacy policies of the BIR.”
“I hereby allow/authorize the BIR to use, collect and process the information
for legitimate purposes specifically for ________________, and allow
authorized personnel to process the information.”
E. USE OF PERSONAL INFORMATION
Personal data collected shall be used by the Bureau only for legitimate purposes and
solely for evaluation, reportage and documentation purposes. The Bureau shall
ensure that there is no manipulation of personal data and that the same shall not be
used against any individual, unless required in the performance of its official functions
and responsibilities.
Authorized revenue officials are allowed to access, use and process said personal
data for legitimate purposes or that which is stated in the privacy statement contained
in the documents signed by the personnel, job applicants and taxpayers, provided
the following circumstances are present:
2. The employee, applicant or taxpayer would reasonably expect the Bureau through
its authorized personnel to use or process personal information only for legitimate
purposes.
For example, tax information of data subjects, such as business addresses, TIN,
gross and taxable incomes, etc., shall be used only for legitimate purposes such
as the profiling of a taxpayer.
The following general principles shall govern the processing of personal data:
1. Personal data shall be processed fairly and lawfully. For processing to be lawful,
any of the following conditions must be complied with:
1.1 The data subject must have given his or her consent prior to the collection,
or as soon as practicable and reasonable;
1.2 The processing involves the personal information of a data subject who is a
party to a contractual agreement, in order to fulfill obligations under the
contract or to take steps at the request of the data subject prior to entering
the said agreement;
1.3 The processing is necessary for compliance with a legal obligation to which
the personal information controller is subject;
1.4 The processing is necessary to protect vitally important interests of the data
subject, including his or her life and health;
1.6 The processing of personal information is necessary for the fulfillment of the
constitutional or statutory mandate of a public authority; or
1.7 The processing is necessary to pursue the legitimate interests of the personal
information controller, or by a third party or parties to whom the data is
disclosed, except where such interests are overridden by fundamental rights
and freedoms of the data subject, which require protection under the
Philippine Constitution.
2. Processing shall uphold the rights of the data subject. It shall likewise be
transparent, and allow the data subject sufficient information to know the nature
and extent of processing;
3. Information provided to a data subject must always be in clear and plain language
to ensure that it is easy to understand;
G. VERIFICATION OF INFORMATION
Authorized Bureau personnel shall take reasonable steps to ensure that the collected
personal data of personnel are up-to-date, complete, relevant and not misleading.
The Bureau shall ensure that personal data under its custody are protected against any
accidental or unlawful destruction, alteration and disclosure. It shall implement
appropriate security measures in storing collected personal information, depending on
the nature of the information. The following policies/guidelines shall be observed:
1.1. for the fulfillment of the declared, specified, and legitimate purpose or when
the processing relevant to the purpose has been terminated;
1.3. for legitimate business purposes, which must be consistent with standards
followed by the applicable industry or approved by the appropriate government agency.
2. Personal data originally collected for a declared, specified, or legitimate purpose may
be processed further for historical, or statistical purposes, and, in cases laid down in
law, may be stored for longer periods, subject to implementation of the appropriate
organizational, physical and technical security measures required by the Act in order
to safeguard the rights and freedoms of the data subject;
3. Personal data which is aggregated or kept in a form which does not permit
identification of data subjects may be kept longer than necessary for the declared,
specified, and legitimate purpose;
5. Personal data shall be disposed of or discarded in a secure manner that would prevent
further processing, unauthorized access, or disclosure to any other party or the public,
or prejudice to the interests of the data subjects.
The Bureau shall ensure that personal data shall be disposed of properly in a way
that the same be unreadable (for paper) or irretrievable (for digital records). It shall
include in its procedure the use of degaussers, erasers and physical destruction of
devices to secure the disposal of computer equipment, disk servers, desktop
computers and mobile phones at end-of-life.
I. CONFIDENTIALITY/DISCLOSURE OF INFORMATION
There shall be capacity building, orientation or training programs for all Bureau
employees, agents or representatives, regarding privacy or security policies.
All employees and personnel of the Bureau and its agents or representatives shall
maintain the confidentiality and secrecy of all personal data that come to their
knowledge and possession, even after their resignation, termination of contract, or
other contractual relations.
Personal data under the custody of the BIR shall be disclosed only pursuant to a lawful
purpose, and only to authorized recipients of such data.
1.1 Consent is given by data subject, prior to the processing of the sensitive
personal information or privileged information, which shall be undertaken
pursuant to a declared, specified, and legitimate purpose of the Bureau;
1.2 The processing is necessary to protect the life and health of the data subject or
another person, and the data subject is not legally or physically able to express
his or her consent prior to the processing;
to the bona fide employees of the Bureau; the sensitive personal information is
not transferred to third parties; and consent of the data subject was obtained
prior to processing;
1.4 The processing is necessary for the purpose of medical treatment: Provided,
that it is carried out by a medical practitioner or a medical treatment institution,
and an adequate level of protection of personal data is ensured; and
J. DATA SHARING
The Bureau shall enter into Data Sharing Agreements prior to any actual transfer of
personal data, or a copy thereof, from one party to another; such transfer shall comply with
the security requirements imposed by law.
1. Data sharing shall be allowed when it is expressly authorized by law: Provided, that
there are adequate safeguards for data privacy and security, and processing
adheres to principles of transparency, legitimate purpose and proportionality;
2. Data sharing between government agencies for the purpose of a public function or
provision of a public service shall be covered by a data sharing agreement; and
3. The data sharing agreement shall be subject to review by the NPC, on its own initiative
or upon complaint of a data subject.
The Act and its Rules shall not apply to the following specified information, only to the
minimum extent of collection, access, use, disclosure or other processing necessary
to the purpose, function, or activity concerned:
1.1 Information about any individual who is or was an officer or employee of the
government that relates to his or her position or functions, including:
1.1.1 The fact that the individual is or was an officer or employee of the
government;
1.1.2 The title, office address, and office telephone number of the
individual;
1.1.3 The classification, salary range, and responsibilities of the position
held by the individual; and
3. Personal information that will be processed for research purposes, intended for
a public benefit, subject to the requirements of applicable laws, regulations, or
ethical standards;
4. Information necessary in order to carry out the functions of public authority, in
accordance with a constitutionally or statutorily mandated function pertaining to
law enforcement or regulatory function, including the performance of the
functions of the independent, central monetary authority, subject to restrictions
provided by law. Nothing in this privacy manual, however, shall be construed as
having superior application over Republic Act No. 1405, otherwise known as the
Secrecy of Bank Deposit Act; Republic Act No. 6426, otherwise known as the
Foreign Currency Deposit Act; and Republic Act No. 9510, otherwise known as
the Credit Information System Act (CISA); and
Provided that the non-applicability of the Act and of its Rules does not extend to the PIC
or its PIP, who remain subject to the requirements of implementing security measures
for personal data protection; Provided further, that the processing of the information
described in the preceding paragraphs shall be exempted from the requirements of
the Act only to the minimum extent necessary to achieve the specific purpose,
function, or activity.
VI. SECURITY MEASURES
The Bureau shall establish and implement reasonable and appropriate physical, technical,
and organizational measures to ensure privacy and data protection. These security
measures aim to regulate the collection, recording, organization, storage, updating or
modification, retrieval, use, blocking, erasure or destruction of personal data; maintain the
confidentiality, integrity and availability of personal data; and protect personal information
and sensitive personal information (personal data) against natural dangers, such as
accidental loss or destruction, and human dangers, such as unlawful access, unlawful
divulgence, fraudulent misuse, unlawful destruction, alteration, and contamination.
1. Format of Data
Personal data in the custody of the Bureau may be in digital/electronic format and/or
paper-based/physical format.
Officials/ employees are responsible for providing reasonable security for all
information, documents and property entrusted to them.
All personal data being collected and processed by the Bureau shall be stored in a
secured facility, whether virtual or physical. Papers or physical documents bearing
personal data shall be stored in locked filing cabinets/rooms, the access keys to which
shall be entrusted only to authorized personnel. Digital or electronic documents
containing personal data shall be stored in computers, portable disks, and other
devices, provided either the document or the device where it is stored is protected by
passwords or passcodes. Computers, portable disks and other devices used by the
Bureau and its PIP/s in processing personal data shall be encrypted with the most
appropriate encryption standard, which shall not be lower than AES-256
encryption.
4. Monitoring of Access
Access to personal data by all authorized personnel and employees whose request
to access personal data was approved shall be monitored by the COP/ACOP
concerned, or the Chief of Office concerned. All those who enter and access the
storage/archive room of the Bureau must fill out and register in the logbook, which
shall indicate the date, time, duration, and purpose of each access.
Access to the Bureau’s data centers shall be restricted to personnel who have the
appropriate security clearance.
Access to records and procedures shall be reviewed by DPO and COP regularly.
5. Design of Office Space and/ or Work Station
All offices, especially those rendering front line services, shall arrange their computers
and tables with considerable space between them and a countertop positioned to
prevent entry of visitors and/or taxpayers, to maintain privacy and protect the
processing of personal data. Posting of the appropriate signage (“Restricted Area”,
“No Entry”, “Unauthorized Person Not Allowed”, “Deposit your Firearm/s, Camera
and/or Mobile Phone with Camera at the Assigned Lobby Guard/s”, etc.) and
installation of CCTVs at strategic locations are essential to minimize the risk of personal
data breach and other security incident/s.
Transfer of personal data via electronic mail shall use a secure email facility with
encryption of the data, including any or all attachments. The Bureau shall ensure that
personal data stored on or transferred via portable media, such as disks or USB drives,
is encrypted. Personal data stored in paper files or any physical media shall be
transmitted only through registered mail or, where appropriate, an authorized parcel post
service. As much as possible, facsimile technology shall not be used for transmitting
documents containing personal data.
b. Use data leakage prevention software to establish rules for accessing sensitive
information, keeping unauthorized users from sharing data maliciously;
e. Perform, at least once every two years, a security risk assessment of
information systems and production applications. A security risk
assessment shall also be performed before production, and prior to major
enhancements and changes associated with these systems or applications;
f. Perform periodic audits of information systems to ensure compliance with IT
security policies and effective implementation of security measures. The
selection of auditors and conduct of audits shall ensure the objectivity and
impartiality of the audit process;
j. Monitor and review with external service providers to ensure that operations by
external service providers are documented and managed properly.
Confidentiality and non-disclosure agreements shall be properly managed, and
reviewed when changes occur that affect the security requirement; and
a. The Bureau shall procure and install effective and reliable antivirus software for
all devices where personal data are stored, including laptops/tablets that
regularly access the Internet. The Head of offices shall ensure that the antivirus
software is updated and a system check is done periodically;
c. The Bureau shall use a web application firewall to protect servers and databases
from malicious online attacks; and
3. Regular Testing, Assessment and Evaluation of Security Measures
a. Conduct periodic penetration testing of the firewall appliance from outside BIR
premises and from within, in order to assess its vulnerabilities;
4.2 Authentication – Each person with access to personal data shall verify
his/her identity using a secure encrypted link and multi-level authentication.
Passwords or passcodes used to access data shall be of sufficient strength to
deter password attacks. A password policy shall be strictly enforced.
The Bureau shall use other technical security measures to keep its software security
tools up-to-date.
The PIC, through appropriate contractual agreements, shall ensure that its PIP, where
applicable, also implements the security measures required by the Act and its
Rules. It shall only engage those PIPs that provide sufficient guarantees to implement
the appropriate security measures specified in the Act and its Rules, and ensure the
protection of the rights of the data subject.
A PIA should be undertaken for every processing system of the Bureau or its PIP that
involves personal data. It may also be carried out vis-à-vis the entire organization with
the involvement or participation of the different process owners and stakeholders.
A PIA should be conducted for both new and existing systems, programs, projects,
procedures, measures, or technology products that involve or impact the processing of
personal data. For new processing systems, it should be undertaken prior to their
adoption, use or implementation. Changes in the governing law or regulations, or those
adopted within the organization or its industry, may likewise require the conduct of a
PIA, particularly if such changes affect personal data processing.
A PIC may require a PIP or a service provider to conduct a PIA. For this purpose, the
report prepared by the PIP or the service or product provider may be considered by the
PIC in determining whether the former is able to provide a comparable level of
protection to the processing of personal data.
3. Control framework
4. Privacy by Design
The Bureau shall consider data privacy in the design of its processing systems
considering the following:
4.2 Collection limitation – the collection of personal information must be fair, lawful
and limited to that which is necessary for the specified purpose.
b. the design of programs, ICT, and systems should begin with non-identifiable
interactions and transactions as the default; and
4.4 Use, Retention and disclosure limitation – The use, retention and disclosure
of personal information shall be limited to the purposes for which the individual
has consented (unless required by law). Personal information shall be
retained only as long as necessary to fulfill the stated purposes, and then
securely destroyed.
D. SECURITY OF SENSITIVE PERSONAL INFORMATION IN GOVERNMENT
All sensitive personal information maintained by the Bureau shall be secured with the use
of the most appropriate standard recognized by the information and communications
technology industry, subject to the Rules and other issuances of NPC. The PIC and PIP
shall be responsible for complying with the security requirements herein mentioned.
1.1.2 A source agency shall strictly regulate access to sensitive personal information
under its custody or control, particularly when it allows online access. An
employee of the government shall be granted a security clearance when the
performance of the employee’s official functions or the provision of a public
service directly depends on and cannot otherwise be performed unless
access to the personal data is allowed.
1.1.3 The online access allowed shall be subject to the following conditions:
2. Off-site access
2.1 Sensitive personal information maintained by the Bureau may not be transported or
accessed from a location off or outside of government property, whether by its agent
or employee, unless the head of agency has ensured the implementation of privacy
policies and appropriate security measures. A request for such transportation or
access shall be submitted to and approved by the head of agency. The request
must include proper accountability mechanisms for the processing of the data.
2.2 The Commissioner or his representative shall approve requests for off-site access in
accordance with the following guidelines:
2.2.1 Deadline for Approval or Disapproval. The head of agency shall approve or
disapprove the request within two (2) business days after the date of
submission of the request. Where no action is taken by the head of agency
within that period, the request is considered disapproved;
In entering into any contract with a private service provider that may involve accessing or
requiring sensitive personal information from one thousand (1,000) or more
individuals, the Bureau shall require such service provider and its employees to register
their personal data processing system with the NPC. The service provider, as PIP, shall
comply with the other provisions of the Act and its Rules in the same manner as a government
agency and its employees.
An Incident and Data Breach Response Team (IDBRT) shall be established by the
Bureau, which shall be responsible for ensuring immediate action in the event of a
security incident or personal data breach, to minimize impact and restore operations as
quickly as possible. The team shall conduct an assessment of the incident or breach in
order to ascertain its nature and extent, recommend appropriate courses of
action, and prepare/submit the necessary communications and documentation.
The Bureau shall regularly conduct a Privacy Impact Assessment to identify risks in
the processing system, monitor for security breaches, and conduct vulnerability scanning of
computer networks. Personnel directly involved in the processing of personal data
must attend trainings and seminars for capacity building. There must be a periodic
review of the policies and procedures being implemented in the Bureau.
The Bureau shall always maintain a backup file for all personal data under its custody.
In the event of a security incident or data breach, it shall always compare the backup
with the affected file to determine the presence of any inconsistencies or alterations
resulting from the incident or breach.
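The comparison of the backup with the affected file described above is, in practice, a record-level integrity check. The following Python script is an added example, not part of the BIR Data Privacy Manual: it hashes each record of a trusted backup and of the affected copy, then reports which records were altered, which went missing, and which were added, so the incident report can state the extent of the alteration. The record layout (a `subject_id` key plus a few fields) and the sample rows are constructed for illustration only.

```python
"""Integrity comparison of a backup against the affected copy of a personal-data
file after a security incident.

Added example, not code from the BIR Data Privacy Manual. The record layout
(a subject_id key plus a few fields) and the sample rows are constructed for
illustration only.
"""
import hashlib
import json
from typing import Dict, Iterable, List

Record = Dict[str, str]

# Field assumed to uniquely identify a record in both copies.
KEY_FIELD = "subject_id"


def record_digest(record: Record) -> str:
    """SHA-256 over a canonical JSON encoding, so field order cannot mask a change."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"), ensure_ascii=False)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def index_by_key(records: Iterable[Record]) -> Dict[str, str]:
    """Map each record's key to its digest; a duplicate key is a defect in the file."""
    index: Dict[str, str] = {}
    for rec in records:
        key = rec[KEY_FIELD]
        if key in index:
            raise ValueError(f"duplicate {KEY_FIELD} in file: {key}")
        index[key] = record_digest(rec)
    return index


def compare_backup(backup: List[Record], affected: List[Record]) -> Dict[str, List[str]]:
    """Return the keys that differ between the trusted backup and the affected file.

    'altered' - present in both copies but with different content
    'missing' - present in the backup, absent from the affected file
    'added'   - absent from the backup, present in the affected file
    All three lists empty means the affected file matches the backup exactly.
    """
    base = index_by_key(backup)
    now = index_by_key(affected)
    return {
        "altered": sorted(k for k in base.keys() & now.keys() if base[k] != now[k]),
        "missing": sorted(base.keys() - now.keys()),
        "added": sorted(now.keys() - base.keys()),
    }


def changed_fields(backup_rec: Record, affected_rec: Record) -> List[str]:
    """List the field names whose values differ, for the incident documentation."""
    names = set(backup_rec) | set(affected_rec)
    return sorted(n for n in names if backup_rec.get(n) != affected_rec.get(n))


# Constructed sample data (not real taxpayer records).
BACKUP_FILE: List[Record] = [
    {"subject_id": "S-0001", "name": "A. Santos", "address": "Quezon City"},
    {"subject_id": "S-0002", "name": "B. Reyes", "address": "Cebu City"},
    {"subject_id": "S-0003", "name": "C. Cruz", "address": "Davao City"},
]

AFFECTED_FILE: List[Record] = [
    {"subject_id": "S-0001", "name": "A. Santos", "address": "Quezon City"},
    {"subject_id": "S-0002", "name": "B. Reyes", "address": "Makati City"},  # altered
    {"subject_id": "S-0004", "name": "D. Lim", "address": "Baguio City"},  # added
    # S-0003 is missing from the affected copy
]


if __name__ == "__main__":
    diff = compare_backup(BACKUP_FILE, AFFECTED_FILE)
    print(json.dumps(diff, indent=2))
    for key in diff["altered"]:
        before = next(r for r in BACKUP_FILE if r[KEY_FIELD] == key)
        after = next(r for r in AFFECTED_FILE if r[KEY_FIELD] == key)
        print(key, "changed fields:", changed_fields(before, after))
```

Comparing digests rather than raw rows keeps the comparison cheap on large files and lets the digest list itself be stored alongside the backup as a tamper-evident baseline; the per-field listing is only computed for records already flagged as altered, which is what the incident report needs.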
4. Notification protocol
The leader of the Incident and Data Breach Response Team shall inform the DPO of the
need to notify the NPC and the data subjects affected by the incident or breach within
the period prescribed by law. The Bureau may decide to delegate the actual notification
to the leader of the Incident and Data Breach Response Team.
The Incident and Data Breach Response Team shall prepare a detailed documentation
of every incident or breach encountered, as well as an annual report, to be submitted
to the Bureau and the NPC, within the prescribed period.
a. The NPC and the affected data subjects shall be notified by the personal information
controller within seventy-two (72) hours upon knowledge of, or when there is
reasonable belief by the PIC or PIP that, a personal data breach requiring
notification has occurred;
The notification shall at least describe the nature of the breach, the personal data
possibly involved, and the measures taken to reduce the harm or negative
consequences of the breach, the representatives of the personal information
controller, including their contact details, from whom the data subject can obtain
additional information about the breach, and any assistance to be provided to the
affected data subjects.
Notification may be delayed only to the extent necessary to determine the scope of
the breach, to prevent further disclosures, or to restore reasonable integrity to the
information and communications system. The notification by the PIC may be
dispensed with by the NPC when such notification would not be in the public interest,
or in the interest of the affected data subject. The notification may be postponed
where it may hinder the progress of a criminal investigation related to a serious
breach.
5.3.1 The PIC shall notify the NPC by submitting a report, whether written or
electronic, containing the required contents of the notification. The report shall
also include the name and contact details of a designated representative of the
PIC; and
5.3.2 All security incidents and personal data breaches shall be documented by
the Incident and Data Breach Response Team through written reports,
including those not covered by the notification requirements. In the case of
personal data breaches, a report shall include the facts surrounding the
incident and the effects of such incident. For security incidents not involving
personal data, a report containing aggregated data shall constitute sufficient
documentation. These reports shall be made available when requested by the
NPC. A general summary of the reports shall be submitted to the NPC annually.
The procedure for breach notification shall be in accordance with the Act, its Rules,
and any other issuance of the NPC.
1.1 The data subject has a right to be informed whether personal data pertaining to him
or her shall be, are being, or have been processed, including the existence of
automated decision-making and profiling.
1.2 The data subject shall be notified and furnished with information indicated hereunder
before the entry of his or her personal data into the processing system of the
personal information controller, or at the next practical opportunity:
1.2.2 Purpose for which they are being or will be processed, including processing
for profiling or historical or statistical purposes;
1.2.3 Basis for processing, when processing is not based on the consent of the data
subject;
1.2.5 The recipient or classes of recipients to whom the personal data are or may
be disclosed;
1.2.6 Methods utilized for automated access, if the same is allowed by the data
subject, and the extent to which such access is authorized, including
meaningful information about the logic involved, as well as the significance
and the envisaged consequences of such processing for the data subject;
1.2.7 The identity and contact details of the personal information controller or its
representative;
1.2.8 The period for which the information will be stored; and
1.2.9 The existence of their rights as data subjects, including the rights to access,
to correct, and to object to the processing, as well as the right to lodge a
complaint before the Commission.
2. Right to Object
The data subject shall have the right to object to the processing of his or her personal
data, including automated processing or profiling. The data subject shall
also be notified and given an opportunity to withhold consent to the processing in case
of changes or any amendment to the information supplied or declared to the data
subject in the preceding paragraph.
When a data subject objects or withholds consent, the Bureau shall no longer process
the personal data, unless:
2.2 The collection and processing are for obvious purposes, including when it is
necessary for the performance of, or in relation to, a contract or service to which the
data subject is a party, or when necessary or desirable in the context of an
employer-employee relationship between the Bureau and the data subject; or
2.3 The information is being collected and processed as a result of a legal obligation,
and in the performance of the Bureau’s official functions.
3. Right to Access
The data subject has the right to reasonable access to, upon demand, the following:
3.5 Reasons for the disclosure of the personal data to recipients, if any;
3.6 Information on automated processes where the data will, or is likely to, be made the
sole basis for any decision that significantly affects or will affect the data
subject;
3.7 The date when his or her personal data were last accessed and modified; and
3.8 The designation, name or identity, and address of the personal information
controller.
4. Right to Rectification
The data subject has the right to dispute any inaccuracy or error in the personal data
and have the personal information controller correct it immediately and accordingly,
unless the request is vexatious or otherwise unreasonable. If the personal data has
been corrected, the personal information controller shall ensure the accessibility of
both the new and the retracted information and the simultaneous receipt of the new
and the retracted information by the intended recipients thereof: Provided, that
recipients or third parties who have previously received such processed personal data
shall be informed of its inaccuracy and its rectification, upon reasonable request of the
data subject.
The data subject shall have the right to suspend, withdraw or order the blocking,
removal or destruction of his or her personal data from the personal information
controller’s filing system.
5.1 This right may be exercised upon discovery and substantial proof of any of the
following:
5.1.2 The personal data is being used for a purpose not authorized by the data
subject;
5.1.3 The personal data is no longer necessary for the purposes for which it
was collected;
5.1.4 The data subject withdraws consent or objects to the processing and there is
no other legal ground or overriding legitimate interest for the processing;
5.1.5 The personal data concerns private information that is prejudicial to the data
subject, unless justified by freedom of speech, or expression, or of the press
or otherwise authorized;
5.2 The personal information controller may notify third parties who have previously
received such processed personal information.
6. Right to Damages
The data subject shall be indemnified for any damages sustained due to such
inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of
personal data, taking into account any violation of his or her rights and freedoms as data
subject.
The lawful heirs and assigns of the data subject may invoke the rights of the data
subject to which he or she is an heir or an assignee, at any time after the death of the
data subject, or when the data subject is incapacitated or incapable of exercising the
rights as enumerated in the immediately preceding section.
Where his or her data is processed by electronic means and in a structured and
commonly used format, the data subject shall have the right to obtain from the
personal information controller a copy of such data in an electronic or structured
format that is commonly used and allows for further use by the data subject. The
exercise of this right shall primarily take into account the right of the data subject to have
control over his or her personal data being processed based on consent or contract,
for commercial purposes, or through automated means. The NPC may specify the
electronic format referred to above, as well as the technical standards, modalities,
procedures and other rules for their transfer.
9. Limitation of Rights
The immediate preceding sections shall not be applicable if the processed personal
data are used for the purpose of investigations in relation to any criminal,
administrative or tax liabilities of a data subject. Any limitations on the rights of the
data subject shall only be to the minimum extent necessary to achieve the purpose
of said research or investigation. Provided, that the personal data shall be held under
strict confidentiality and shall be used only for the declared purpose.
Any request or inquiry relative to the foregoing shall be made in writing, briefly and clearly
discussing the concern or inquiry, and indicating the full name and contact details of the
data subject for reference. Written inquiries and/or requests shall be sent to the Data
Protection Officer (DPO) or emailed at [email protected]. The DPO shall acknowledge
receipt of such letter and take the necessary action on the same.
Any violation of the Bureau’s data privacy policies, data privacy rights, or any breach, loss
or unauthorized access or disclosure of personal information in the possession or under
the custody of the Bureau may also be reported to the DPO. The report/complaint shall be
made in writing and sent to the same contact details above.
The DPO shall verify the allegations in the complaint and shall conduct an investigation in
cases of serious security breach as provided under the Act and its Implementing Rules and
Regulations.
The DPO may recommend actions for the violation/s committed, particularly when such is
serious or causes, or has the potential to cause, material damage to the Bureau or any of its
clients or employees. Such recommendation shall be submitted to the Commissioner for
approval. The Decision of the Commissioner may be appealed by the affected parties within
15 days from receipt of the Decision.
A. Handling of Complaints:
2. Complaints shall be received by/filed with the COP, who shall conduct a local
verification/investigation of the complaint. The COP shall be assisted by the Chief, DPD;
the Chief, Legal Division; the Chief, Regional Investigation Division; and a representative
from the concerned RDO. Resolution shall be made within 10 days from filing of the
complaint.
B. Inquiries
Data subjects may make their inquiries with the Regional Director who shall assign
the same to the concerned ACOP.
X. EFFECTIVITY
This Data Privacy Manual shall be effective immediately.