ISO 29100 Privacy Principles Conformity Test
The data subject, personal information controller, personal information processor, data protection officer and National Privacy Commission are the direct stakeholders of data privacy protection in the filing system, automation program, or technology services that process personal data. They have to own, agree on and share valid, verifiable, coherent and consistent standards for recognizing the conformity of a data processing system with the data privacy control objectives of R.A. 10173, known as the Data Privacy Act of 2012.
The ISO 29100 privacy principles state the globally recognized conditions for how personal data processing systems must be designed and developed as “privacy by design” and “privacy by default.” The standard was derived from existing principles developed by a number of states, countries and international organizations. These commonly shared privacy principles are used to guide the design, development and implementation of privacy policies and privacy controls. They also serve as the risk criteria of a privacy impact assessment and as a reference baseline for monitoring and measuring the performance, benchmarking and auditing of an organization's privacy management program.
The conformity test of data privacy controls against ISO 29100 – Privacy Framework guides the data subject, personal information controller, personal information processor and compliance officer of a business enterprise or government agency in examining how the privacy principles apply to the way their data processing system collects, processes, retains, shares and disposes of the personal information of a “data subject”, the person who holds the right of privacy in the data that identifies them. The person with the data privacy right may be an employee, personnel, citizen, customer, client, beneficiary or manager of the business enterprise or government agency.
The eleven (11) principles that must be applied to a filing system, automation program, or technology service for it to be considered compliant with the rules and standards for data privacy by default and data privacy by design are the following:
Privacy Principles
1. Consent and choice principles
2. Purpose legitimacy and specification principles
3. Collection limitation
4. Data minimization
5. Use, retention and disclosure limitation
6. Accuracy and quality principles
7. Openness, transparency and notice principles
8. Individual participation and access
9. Accountability
10. Information security
11. Privacy compliance
Conformity Rating
Each control item below is rated on the following scale:
4: The control is systematically implemented and no improvement is needed.
3: The control can be improved, mainly from a procedural (i.e. support documentation) point of view.
2: The control is not systematically implemented or is completely unsuitable, so its effectiveness is not ensured.
1: The control is not implemented.
5.2 Consent and choice principles
1. Present to the data subject the choice whether or not to allow the processing of their personal data.
2. Obtain the opt-in consent of the data subject for collecting or otherwise processing sensitive personal information.
3. Inform the data subject, before obtaining consent, about their rights under the individual participation and access principle.
4. Provide the data subject, before obtaining consent, with the information indicated by the openness, transparency and notice principle.
5. Explain to the data subject the implications of granting or withholding consent. The data subject is given the opportunity to choose how their personal information is handled and is allowed to withdraw consent easily and free of charge.
6. Exception rules must be established that allow personal data processing without the requirement for consent.
7. Provide data subjects with clear, prominent, easily understandable, accessible and affordable mechanisms to exercise choice and to give consent in relation to the processing of their personal data at the time of collection, first use, or as soon as practicable thereafter.
6 Purpose legitimacy and specification principles
1. Ensure that the purpose(s) complies with applicable law and relies on a permissible legal basis.
2. Communicate the purpose(s) to the data subject before the time the information is collected or used for the first time for a new purpose.
3. Use language for this specification which is both clear and appropriately adapted to the circumstances.
4. Give, if applicable, sufficient explanations for the need to process sensitive personal information.
6.2 Collection limitation
1. Limit the collection of personal data to that which is within the bounds of applicable law and strictly necessary for the specified purpose(s). Collect less, and only what is necessary. Never collect personal data that cannot be protected or that is not compliant with regulatory controls.
5.5 Data minimization
1. Design and implement data processing procedures and information and communications technology systems that strictly limit personal data, and then minimize the processing of personal data to the acceptable criteria of privacy protection.
2. Minimize the personal data which is processed and the number of privacy stakeholders involved in the handling of personal data.
3. Use or offer as default options, wherever possible, interactions and transactions which do not involve the identification of the data subject, reduce the observability of their behavior and limit the linkability of the personal data collected.
4. Delete and dispose of personal data whenever the purpose for personal data processing has expired.
5.6 Use, retention and disclosure limitation
1. Limit the use of personal data to the purposes specified by the personal information controller prior to
2. Retain personal data only as long as necessary to fulfill the stated purposes.
3. Lock (i.e. archive, secure and exempt from further processing) any personal data when and for as long as the stated purposes have expired.
5.7 Accuracy and quality
1. Ensure that the personal data processed is accurate, complete, up-to-date, adequate and relevant for the purpose of use.
2. Ensure the reliability of personal data collected from a source other than the data subject before it is processed.
3. Verify, through appropriate means, the validity and correctness of the claims made by the data subject prior to making any changes to the personal data.
4. Establish personal data collection procedures to help ensure accuracy and quality.
5. Establish control mechanisms to periodically check the accuracy and quality of collected and stored personal data.
5.8 Openness, transparency and notice
1. Provide the data subject with clear and easily accessible information about the personal information controller's policies, procedures and practices with respect to the processing of personal data.
2. Include in notices the fact that personal data is being processed, the purpose for which this is done, the types of privacy stakeholders to whom the personal data might be disclosed, and the identity of the personal information controller, including information on how to contact the personal information controller.
3. Disclose the choices and means offered by the personal information controller to the data subject for the purposes of limiting the processing of, and for accessing, correcting and removing, their information.
4. Give notice to the data subject when major changes in the personal data handling procedures occur.
5.9 Individual participation and access
1. Give the data subject the ability to access and review their personal data, provided their identity is first authenticated with an appropriate level of assurance.
2. Allow the data subject to challenge the accuracy and completeness of the personal data and have it amended, corrected or removed as appropriate and possible in the specific context.
3. Provide any amendment, correction or removal to personal information processors and third parties to whom the personal data has been disclosed, where they are known.
4. Establish procedures to enable the data subject to exercise these rights in a simple, fast and efficient way which does not entail undue delay or cost.
5.10 Accountability
1. Document and communicate as appropriate all privacy-related policies, procedures and practices.
2. Assign to a specified individual within the organization (who might in turn delegate to others in the organization as appropriate) the task of implementing the privacy-related policies, procedures and practices.
3. When transferring PII to third parties, ensure that the third-party recipient will be bound to provide an equivalent level of privacy protection through contractual or other means such as mandatory internal policies (applicable law can contain additional requirements regarding international data transfers).
4. Provide suitable training for the personnel of the personal information controller who will have access to personal data.
5. Set up efficient internal complaint handling and redress procedures for use by the data subject.
6. Inform the data subject about privacy breaches that can lead to substantial damage to them (unless prohibited, e.g., while working with law enforcement), as well as the measures taken for resolution.
7. Notify all relevant privacy stakeholders about privacy breaches as required in some jurisdictions (e.g., the data protection authorities) and depending on the level of risk.
8. Allow an aggrieved PII principal access to appropriate and effective sanctions and/or remedies, such as rectification, expungement or restitution, if a privacy breach has occurred.
9. Consider the procedures for compensation for situations in which it will be difficult or impossible to bring the natural person's privacy status back to a position as if nothing had occurred.
5.10 Information security
1. Protect the personal data under its authority with appropriate controls at the operational, functional and strategic level to ensure the integrity, confidentiality and availability of the personal data, and protect it against risks such as unauthorized access, destruction, use, modification, disclosure or loss throughout the whole of its life cycle.
2. Choose personal information processors that provide sufficient guarantees with regard to organizational, physical and technical controls for the processing of personal data, and ensure compliance with these controls.
3. Base the controls on applicable legal requirements, security standards, the results of systematic security risk assessments as described in ISO 31000, and the results of a cost/benefit analysis.
4. Implement controls in proportion to the likelihood and severity of the potential consequences, the sensitivity of the personal data, the number of data subjects that might be affected, and the context in which it is held.
5. Limit access to personal data to those individuals who require such access to perform their duties, and limit the access those individuals have to only that personal data which they require in order to perform their duties.
6. Resolve risks and vulnerabilities that are discovered through privacy risk assessments and audit processes.
7. Subject the controls to periodic review and reassessment in an ongoing security risk management process.
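Several of the controls above (opt-in consent for sensitive personal information under consent and choice, purpose binding under purpose legitimacy and use limitation, the retention lock under use, retention and disclosure limitation, field-level least privilege under information security item 5, and an audit trail for privacy compliance) can be enforced in one access path of a data processing system. The following Python is an added illustration written for this page; it is not part of the checklist, of R.A. 10173 or of ISO 29100. The roles, field names, purposes, dates and the sample employee record are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample policy: which role may read which fields of an employee
# record. Roles and field names are hypothetical; the point is that each role
# sees only the fields its duties require (information security, item 5).
ROLE_FIELDS = {
    "payroll": {"employee_id", "name", "bank_account"},
    "clinic": {"employee_id", "name", "medical_condition"},
    "helpdesk": {"employee_id", "name"},
}

# Fields treated as sensitive personal information: they need opt-in consent
# before they may be processed (consent and choice, item 2). Assumed set.
SENSITIVE_FIELDS = {"medical_condition"}

# Reference dates used by the demo below (constructed).
TODAY = date(2024, 6, 1)
AFTER_RETENTION = date(2025, 6, 1)

AUDIT_LOG = []  # one tuple per access decision, for internal audit (privacy compliance)


@dataclass
class Record:
    data: dict
    purposes: set            # purposes declared to the data subject at collection
    consent_sensitive: bool  # opt-in consent for sensitive fields was obtained
    collected: date
    retention_days: int
    locked: bool = False     # archived and exempt from further processing


class AccessDenied(Exception):
    pass


def sample_record():
    """Constructed employee record: one-year retention, no consent for sensitive data."""
    return Record(
        data={"employee_id": "E-1001", "name": "A. Reyes",
              "bank_account": "PH00-EXAMPLE", "medical_condition": "asthma"},
        purposes={"payroll", "occupational-health"},
        consent_sensitive=False,
        collected=date(2024, 1, 1),
        retention_days=365,
    )


def enforce_retention(rec, today):
    """Lock the record once its stated retention period has expired
    (use, retention and disclosure limitation, items 2 and 3)."""
    if today > rec.collected + timedelta(days=rec.retention_days):
        rec.locked = True
    return rec.locked


def access(rec, role, purpose, fields, today):
    """Return only the requested fields, and only if every privacy check passes."""
    if enforce_retention(rec, today):
        raise AccessDenied("record is locked: retention period expired")
    if purpose not in rec.purposes:
        raise AccessDenied(f"purpose {purpose!r} was never declared to the data subject")
    requested = set(fields)
    allowed = ROLE_FIELDS.get(role, set())
    if not requested <= allowed:
        raise AccessDenied(f"role {role!r} may not read {sorted(requested - allowed)}")
    if requested & SENSITIVE_FIELDS and not rec.consent_sensitive:
        raise AccessDenied("no opt-in consent for sensitive personal information")
    # Data minimization: hand back the permitted subset, never the whole record.
    return {name: rec.data[name] for name in requested if name in rec.data}


def audited_access(rec, role, purpose, fields, today):
    """Wrap access() so every decision, allowed or denied, is recorded with its reason."""
    try:
        data = access(rec, role, purpose, fields, today)
        AUDIT_LOG.append((today.isoformat(), role, purpose, sorted(data), "allowed"))
        return data
    except AccessDenied as exc:
        AUDIT_LOG.append((today.isoformat(), role, purpose, sorted(fields), f"denied: {exc}"))
        return None


if __name__ == "__main__":
    rec = sample_record()
    print(audited_access(rec, "payroll", "payroll", ["name", "bank_account"], TODAY))
    print(audited_access(rec, "helpdesk", "payroll", ["bank_account"], TODAY))
    print(audited_access(rec, "clinic", "occupational-health", ["medical_condition"], TODAY))
    print(audited_access(rec, "payroll", "marketing", ["name"], TODAY))
    print(audited_access(rec, "payroll", "payroll", ["name"], AFTER_RETENTION))
    for entry in AUDIT_LOG:
        print(entry)
```

The checks run in a fixed order (retention lock, declared purpose, role entitlement, consent) so that an expired or locked record is refused before any other question is asked, and the audit entry records the reason for each refusal rather than just the fact of it, which is what an auditor reviewing the control under privacy compliance item 1 needs to see.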
5.11 Privacy compliance
1. Verify and demonstrate that the processing meets data protection and privacy safeguarding requirements by periodically conducting audits using internal auditors or trusted third-party auditors.
2. Have appropriate internal controls and independent supervision mechanisms.
3. Develop and maintain privacy risk assessments in order to evaluate whether program and service delivery initiatives involving personal data processing comply with data protection and privacy requirements.