Toolkit 2nd edition 2017

This document is a message from the Philippine National Privacy Commission introducing their 2017 Privacy Toolkit. The toolkit provides guidance for organizations on complying with the Philippines' Data Privacy Act. It outlines the Five Pillars of Data Privacy Accountability and Compliance: 1) appoint a data protection officer, 2) conduct a privacy risk assessment, 3) develop a privacy management program and privacy manual, 4) implement privacy and data protection measures, and 5) establish breach reporting procedures. The toolkit includes guidelines, templates, and forms to help organizations perform privacy-compliant tasks. It also contains information on registering with the privacy commission and practical guidance for data protection officers. The goal is to make compliance easy and help organizations protect


MESSAGE FROM THE PRESIDENT

PREFACE

The National Privacy Commission (NPC) started strong in
2016 as we introduced the Data Privacy Act (DPA) to the
public. The DPA’s Implementing Rules and Regulations
(IRR), as well as four NPC Circulars were formulated and
approved, upon consultation with stakeholders. Over 250
representatives from the public and private sector were
convened during the December summit titled “Privacy.Gov.
PH: Government at the Forefront of Protecting the Filipino
in the Digital World”. We likewise held data privacy briefings
with various organizations, produced knowledge materials,
and built our online presence. Brick by brick, we started
creating awareness about data privacy in our first year.

To sustain this momentum as we move forward, the NPC is set to ensure compliance with the DPA
among personal information controllers (PICs) and personal information processors (PIPs). We realize
that to succeed in this endeavor, the NPC needs to make compliance easy and simple. We have lined
up ways to do this, one of which is this toolkit.

The 2017 NPC Privacy Toolkit equips and guides PICs, PIPs, and Data Protection Officers (DPOs)
through the process of complying with the law and building an organizational culture protective of
individuals’ data privacy rights. It outlines the Five (5) Pillars of Data Privacy Accountability and
Compliance, namely: 1) Commit to comply – appoint a DPO; 2) Know your risks – conduct a Privacy
Risk Assessment; 3) Be accountable – Develop your Privacy Management Program and Craft your
Privacy Manual; 4) Demonstrate your compliance – implement Privacy and Data Protection measures;
and 5) Be prepared for breach – regularly exercise your Breach Reporting Procedures. Guidelines,
templates, samples and forms were included in this toolkit to help you perform these tasks.

Materials on the NPC registration process as well as on the practical things that government and even
private sector DPOs should watch out for were also incorporated to further gear up PICs, PIPs and
DPOs. The kit also contains all NPC Circulars and the DPA’s IRR, for users’ comprehensive reference.

Rest assured that the NPC will intensify its efforts, like the development of this toolkit, to help you and
have you as our partners in making privacy work for everyone. “Kung di tayo kikilos, sino ang kikilos?
Kung di ngayon, kailan pa?” (“If we do not act, who will? If not now, when?”) The time to act is now.
Together, I am certain that we can make data privacy practices in the Philippines citizen-centered,
globally in-tune, pragmatic yet future-oriented.

RAYMUND ENRIQUEZ LIBORO
Privacy Commissioner

TABLE OF CONTENTS

Message from the President.......................................................................................................................... 1


Preface by the Privacy Commissioner.......................................................................................................... 2

Chapter I: Data Privacy Threats: Things to Watch Out for as a DPO .................................. 3
A. Internal weaknesses............................................................................................................... 4
A1. Employee negligence................................................................................................... 4
A2. Weak or lack of Information Security Policy........................................................... 5
B. Malicious Attacks.................................................................................................................. 6
B1. Phishing....................................................................................................................... 6
B2. Malware........................................................................................................................ 6
B3. Denial-of-Service......................................................................................................... 7
B4. Man-in-the-Middle...................................................................................................... 8
C. Emerging attack platforms......................................................................................................... 8
C1. Mobile.......................................................................................................................... 8
C2. Cloud........................................................................................................................... 9
C3. Internet of things....................................................................................................... 9
D. Combatting Data Privacy Threats............................................................................................ 9

Chapter II: The Five Pillars of Data Privacy Accountability and Compliance................... 10
1. Commit to Comply: Appoint a Data Protection Officer........................................................ 11

NPC Advisory No. 2017-01: Designation of Data Protection Officers....................... 11
Preamble............................................................................................................................. 11
Scope.................................................................................................................................. 11
Definition of Terms.......................................................................................................... 12
General Principle............................................................................................................... 13
Mandatory Designation.................................................................................................... 14
General Qualifications...................................................................................................... 14
Position of the DPO or the COP...................................................................................... 14
Independence, Autonomy and Conflict of Interest....................................................... 15
Duties and Responsibilities of the DPO and the COP.................................................. 15
General Obligations of the PIC or PIP relative to the DPO or COP........................... 16
Outsourcing or Subcontracting of Functions................................................................. 17
Protections.......................................................................................................................... 17
Publication and Communication of Contact Details.................................................... 17
Weight of Opinion............................................................................................................ 17
Accountability.................................................................................................................... 17

2. Know Your Risks: Conduct A Privacy Risk or Impact Assessment........................................ 19

NPC Advisory No. 2017-03: Guidelines on Privacy Impact Assessments.................... 19


Preamble............................................................................................................................. 19
Scope................................................................................................................................... 19
Definition of Terms........................................................................................................... 20
General Principles............................................................................................................. 21
Key Considerations........................................................................................................... 22
Objectives........................................................................................................................... 22
Responsibility..................................................................................................................... 23
Stakeholder Involvement.................................................................................................. 23
Structure and Form........................................................................................................... 23
Planning a PIA................................................................................................................... 24
Preparatory Activities........................................................................................................ 25
Conduct of the PIA........................................................................................................... 26
Documentation and Review............................................................................................. 27
Compliance and Accountability....................................................................................... 27

Privacy Impact Assessment - Template.......................................................................................... 29


I. Project/System Description.......................................................................................... 29
a. Description....................................................................................................... 29
b. Scope of the PIA............................................................................................. 29
II. Threshold Analysis............................................................................................................ 29
III. Stakeholder(s) Engagement............................................................................................. 30
IV. Personal Data Flows........................................................................................................ 31
V. Privacy Impact Analysis.................................................................................................. 32
VI. Privacy Risk Management.............................................................................................. 37
VII. Recommended Privacy Solutions.................................................................................. 39
VIII. Sign off and Action Plan................................................................................................. 40

3. Be Accountable: Write your Privacy Management Program and Privacy Manual.............. 41

Privacy Management Program Guide............................................................................. 41


Checklist............................................................................................................................ 49
Privacy Manual Guide...................................................................................................... 53

4. Demonstrate your Compliance: Implement Privacy and Data Protection Measures......... 62

The 10 Point Privacy Accountability and Compliance Framework
• Data Privacy Accountability and Compliance Framework....................................... 62
I. Establishing Data Privacy Governance........................................................................ 63
II. Privacy Risk Assessment................................................................................................. 63
III. Preparing Your Organization’s Data Privacy Rules..................................................... 64
IV. Privacy in Day to Day Data Life Cycle Operations..................................................... 64
V. Managing Personal Data Security Risks....................................................................... 76
VI. Data Breach Management.............................................................................................. 81
VII. Managing Third Party Risks.......................................................................................... 82
VIII. Managing Human Resources........................................................................................ 83
IX. Continuing Assessment and Development................................................................. 86
X. Managing Privacy Ecosystem......................................................................................... 88

5. Be Prepared For Breach: Regularly Exercise Your Breach Reporting Procedure.................. 90

• Data Privacy Accountability and Compliance Checklist........................................ 94

Chapter III: Registration............................................................................................................. 101

Annexes...................................................................................................................................... 115

Data Privacy Act of 2012 Implementing Rules and Regulation......................................... 116

Rule I. Preliminary Provisions........................................................................................................ 116


Section 1. Title................................................................................................................... 116
Section 2. Policy................................................................................................................. 116
Section 3. Definitions....................................................................................................... 116

Rule II. Scope of Application......................................................................................................... 118


Section 4. Scope................................................................................................................ 118
Section 5. Special Cases.................................................................................................... 119
Section 6. Protection Afforded to Data Subjects........................................................... 120
Section 7. Protection Afforded to Journalists and their Sources.................................. 120

Rule III. National Privacy Commission........................................................................................ 120


Section 8. Mandate........................................................................................................... 120
Section 9. Functions.......................................................................................................... 120
Section 10. Administrative Issuances.............................................................................. 123
Section 11. Reports and Information.............................................................................. 123
Section 12. Confidentiality of Personal Data................................................................. 123
Section 13. Organizational Structure.............................................................................. 123
Section 14. Secretariat....................................................................................................... 124
Section 15. Effect of Lawful Performance of Duty......................................................... 124
Section 16. Magna Carta for Science and Technology Personnel................................ 124

Rule IV. Data Privacy Principles.................................................................................................... 125


Section 17. General Data Privacy Principles................................................................... 125
Section 18. Principles of Transparency, Legitimate Purpose and Proportionality...... 125
Section 19. General Principles in Collection, Processing and Retention.................... 125
a. Collection must be for a specified and legitimate purpose......................... 125
b. Personal Data shall be processed fairly and lawfully................................... 125
c. Processing should ensure data quality.......................................................... 126
d. Personal data shall not be retained longer than necessary......................... 126
e. Any authorized further processing shall have adequate safeguards........... 126
Section 20. General Principles for Data Sharing............................................................ 127

Rule V. Lawful Processing of Personal Data................................................................................. 128


Section 21. Criteria for Lawful Processing of Personal Information........................... 128
Section 22. Sensitive Personal Information and Privileged Information.................... 128
Section 23. Extension of Privileged Communication................................................... 129
Section 24. Surveillance of Suspects and Interception of Recording of Communications.................. 129

Rule VI. Security Measures for Protection of Personal Data...................................................... 129


Section 25. Data Privacy and Security............................................................................. 129
Section 26. Organizational Security Measures............................................................... 129
Section 27. Physical Security Measures........................................................................... 131
Section 28. Guidelines for Technical Security Measures.............................................. 132
Section 29. Appropriate Level of Security....................................................................... 132

Rule VII. Security of Sensitive Personal Information in Government...................................... 132


Section 30. Responsibility of Heads of Agencies............................................................ 132
Section 31. Requirements Relating to Access by Agency Personnel to Sensitive Personal Information..... 132
Section 32. Implementation of Security Requirements................................................. 133
Section 33. Applicability to Government Contractors.................................................. 134

Rule VIII. Rights of Data Subjects................................................................................................ 134


Section 34. Rights of the Data Subject........................................................................... 134
a. Right to be Informed...................................................................................... 134
b. Right to Object................................................................................................ 134
c. Right to Access................................................................................................ 135
d. Right to Rectification..................................................................................... 135
e. Right to Erasure or Blocking.......................................................................... 135
f. Right to Damages............................................................................................. 136
Section 35. Transmissibility of Rights of the Data Subject........................................... 136
Section 36. Right to Data Portability............................................................................... 136
Section 37. Limitation on Rights..................................................................................... 136

Rule IX. Data Breach Notification................................................................................................ 136


Section 38. Data Breach Notification............................................................................. 136
Section 39. Contents of Notification............................................................................... 136
Section 40. Delay of Notification.................................................................................... 137
Section 41. Breach Report................................................................................................ 137
Section 42. Procedure for Notification............................................................................ 137

Rule X. Outsourcing and Subcontracting Agreements............................................................... 137


Section 43. Subcontract of Personal Data....................................................................... 137
Section 44. Agreements for Outsourcing....................................................................... 137
Section 45. Duty of Personal Information Processor.................................................... 138

Rule XI. Registration and Compliance Requirements................................................................ 139


Section 46. Enforcement of the Data Privacy Act.......................................................... 139
Section 47. Registration of Personal Data Processing Systems..................................... 139
Section 48. Notification for Automated Processing Operations.................................. 140
Section 49. Review by the Commission.......................................................................... 140

Rule XII. Rules on Accountability................................................................................................. 140


Section 50. Accountability for Transfer of Personal Data............................................. 140
Section 51. Accountability for Violation of the Act, these Rules and other issuances of the Commission..... 141

Rule XIII. Penalties.......................................................................................................................... 141


Section 52. Unauthorized Processing of Personal Information and Sensitive Personal Information...... 141
Section 53. Accessing Personal Information and Sensitive Personal Information Due to Negligence..... 141
Section 54. Improper Disposal of Personal Information and Sensitive Personal Information.............. 142
Section 55. Processing of Personal Information and Sensitive Personal Information for Unauthorized Purposes..... 142
Section 56. Unauthorized Access or Intentional Breach.............................................. 142
Section 57. Concealment of Security Breaches Involving Sensitive Personal Information.................. 142
Section 58. Malicious Disclosure..................................................................................... 143
Section 59. Unauthorized Disclosure.............................................................................. 143
Section 60. Combination or Series of Acts..................................................................... 143
Section 61. Extent of Liability.......................................................................................... 143
Section 62. Large-Scale...................................................................................................... 143
Section 63. Offense Committed by Public Officer......................................................... 143
Section 64. Restitution...................................................................................................... 143
Section 65. Fines and Penalties........................................................................................ 144

Rule XIV. Miscellaneous Provisions.............................................................................................. 144


Section 66. Appeal............................................................................................................ 144
Section 67. Period for Compliance.................................................................................. 144
Section 68. Appropriations Clause.................................................................................. 144
Section 69. Interpretation................................................................................................. 144
Section 70. Separability Clause........................................................................................ 144
Section 71. Repealing Clause........................................................................................... 144
Section 72. Effectivity Clause.......................................................................................... 144

NPC Memorandum Circulars......................................................................................................... 146

NPC Circular 16-01: Security of Personal Data in Government Agencies......................... 146

Rule I. General Provisions.............................................................................................................. 147


Section 1. Scope................................................................................................................ 147
Section 2. Purpose............................................................................................................ 147
Section 3. Definition of Terms......................................................................................... 147
Section 4. General Obligations........................................................................................ 148
Section 5. Privacy Impact Assessment............................................................................. 148
Section 6. Control Framework for Data Protection....................................................... 149

Rule II. Storage of Personal Data................................................................................................... 149


Section 7. General Rule.................................................................................................... 149
Section 8. Encryption of Personal Data.......................................................................... 149
Section 9. Restricted Access............................................................................................. 149
Section 10. Service Provider as Personal Information Processor................................. 149
Section 11. Audit............................................................................................................... 150
Section 12. Recommended Independent Verification or Certification....................... 150
Section 13. Archives.......................................................................................................... 150

Rule III. Agency Access to Personal Data..................................................................................... 150


Section 14. Access to or Modification of Databases...................................................... 150
Section 15. Security Clearance......................................................................... 150
Section 16. Contractors, Consultants and Service Providers....................................... 150
Section 17. Acceptable Use Policy.................................................................................... 150
Section 18. Online Access to Personal Data.................................................................. 150
Section 19. Local Copies of Personal Data Accessed Online....................................... 150
Section 20. Authorized Devices....................................................................................... 151
Section 21. Remote Disconnection or Deletion............................................................. 151
Section 22. Paper-based Filing System............................................................................. 151
Section 23. Personal Data Sharing Agreements............................................................. 151

Rule IV. Transfer of Personal Data................................................................................................ 151


Section 24. Emails............................................................................................................. 151
Section 25. Personal Productivity Software.................................................................... 151
Section 26. Portable Media............................................................................................... 151
Section 27. Removable Physical Media............................................................................ 151
Section 28. Fax Machines................................................................................................. 151
Section 29. Transmittal..................................................................................................... 152

Rule V. Disposal of Personal Data................................................................................................. 152


Section 30. Archival Obligations..................................................................................... 152
Section 31. Procedures...................................................................................................... 152
Section 32. Third Party Service Providers...................................................................... 152

Rule VI. Miscellaneous Provisions................................................................................................ 152


Section 33. Data Breach Management............................................................................ 152
Section 34. Penalties.......................................................................................................... 152
Section 35. Amendments.................................................................................................. 153
Section 36. Transitory Period........................................................................................... 152
Section 37. Separability Clause........................................................................................ 153
Section 38. Repealing Clause.......................................................................................... 153
Section 39. Effectivity........................................................................................................ 153

NPC Circular 16-02: Data Sharing Agreements Involving Government Agencies............. 154

Section 1. General Principle............................................................................................. 154


Section 2. Scope................................................................................................................ 154
Section 3. Definition of Terms......................................................................................... 155
Section 4. Consent............................................................................................................ 156
Section 5. Data Privacy Principles................................................................................... 157
Section 6. Content of a Data Sharing Agreement......................................................... 157
Section 7. Online Access.................................................................................................. 158
Section 8. Transfer of Personal Data............................................................................... 158
Section 9. Responsibility of the Parties........................................................................... 158
Section 10. Accountability for Cross-border Transfer of Personal Data...................... 158
Section 11. Prior Consultation......................................................................................... 158
Section 12. Security of Personal Data............................................................................. 159
Section 13. Review by the Commission.......................................................................... 159
Section 14. Mandatory Periodic Review.......................................................................... 159
Section 15. Revisions and Amendments......................................................................... 159
Section 16. Termination................................................................................................... 159
Section 17. Return, Destruction, or Disposal of Transferred Personal Data.............. 159
Section 18. Penalties.......................................................................................................... 159
Section 19. Transitory Period........................................................................................... 160
Section 20. Repealing Clause........................................................................................... 160
Section 21. Separability Clause........................................................................................ 160
Section 22. Effectivity....................................................................................................... 160

NPC Circular 16-03: Personal Data Breach Management................................................. 162

Rule I. General Provisions.............................................................................................................. 162


Section 1. Scope................................................................................................................. 162
Section 2. Purpose............................................................................................................. 162
Section 3. Definition of Terms......................................................................................... 162

Rule II. Guidelines for Personal Data Breach Management....................................................... 164


Section 4. Security Incident Management Policy........................................................... 164
Section 5. Data Breach Response Team.......................................................................... 164

Rule III. Guidelines for the Prevention of Personal Data Breach............................................... 165
Section 6. Preventive or Minimization Measures........................................................... 165
Section 7. Availability, Integrity and Confidentiality of Personal Data....................... 165

Rule IV. Guidelines for Incident Response Policy and Procedures............................................ 166
Section 8. Policies and Procedures.................................................................................. 166
Section 9. Documentation................................................................................................ 166
Section 10. Regular Review............................................................................................... 167

Rule V. Procedure for Personal Data Breach Notification and Other Requirements.............. 167
Section 11. When Notification is Required................................................................... 167
Section 12. Public Information........................................................................................ 167
Section 13. Determination of the Need to Notify......................................................... 167
Section 14. Discovery of Vulnerability............................................................................ 168
Section 15. Who Should Notify....................................................................................... 168
Section 16. Reporting by Personal Information Processors.......................................... 168
Section 17. Notification of the Commission.................................................................. 168
Section 18. Notification of Data Subjects....................................................................... 170
Section 19. Exemption from Notification Requirements.............................................. 171
Section 20. Failure to Notify............................................................................................ 171
Section 21. Investigation of a Breach or a Security Incidents....................................... 171
Section 22. Reportorial Requirements................................................... 171
Section 23. Notification and Reporting to the National Privacy Commission.......... 172
Section 24. Separability Clause........................................................................................ 172
Section 25. Effectivity........................................................................................................ 172

Summary........................................................................................................................................... 173

NPC Circular 16-04: Rules of Procedure of the National Privacy Commission................ 174

Rule I. Preliminary Provisions........................................................................................................ 174


Section 1. General Principles............................................................................................ 174
Section 2. Scope and Coverage........................................................................................ 174

Rule II. Complaints for Violations of the Data Privacy Act........................................................ 174
Section 3. Who May File Complaints............................................................................. 174
Section 4. Exhaustion of Remedies.................................................................................. 174
Section 5. Filing Fees......................................................................................................... 175
Section 6. Printed Copies................................................................................................. 175
Section 7. Where to File................................................................................................... 175
Section 8. Electronic Filing.............................................................................................. 175
Section 9. Parties to the Complaint................................................................................. 175
Section 10. Form and Contents of the Complaint........................................................ 176

Rule III. Procedure in Complaints................................................................................................ 176


Section 11. Evaluation...................................................................................................... 176
Section 12. Outright Dismissal........................................................................................ 177
Section 13. Order to Confer for Discovery.................................................................... 177
Section 14. Discovery........................................................................................................ 177
Section 15. Order to Submit Comment.......................................................................... 179
Section 16. Investigation; Examination of Systems and Procedures............................ 179
Section 17. Failure to Submit Comment......................................................................... 179
Section 18. Recommendation of the Investigating Officer........................................... 179
Section 19. Temporary Ban on Processing Personal Data............................................. 179
Section 20. Permanent Ban on Processing Personal Data............................................. 180
Section 21. Action on the Recommendations of the Investigating Officer................. 180
Section 22. Rendition of Decision................................................................................... 181

Rule IV. Complaints of the National Privacy Commission........................................................ 181


Section 23. Own Initiative............................................................................................... 181
Section 24. Uniform Procedure....................................................................................... 181

Rule V. Alternative Modes of Dispute Resolution....................................................................... 181


Section 25. Alternative Modes of Dispute Resolution.................................................. 181
Section 26. Mediation Officer.......................................................................................... 182
Section 27. Failure to Reach Settlement.......................................................................... 182
Rule VI. Requests for Advisory Opinion...................................................................................... 182
Section 28. Advisory Opinions........................................................................................ 182
Section 29. Uniform Procedure....................................................................................... 182

Rule VII. Appeals............................................................................................................................ 182


Section 30. Appeal............................................................................................................. 182

Rule VIII. General Provisions........................................................................................................ 183


Section 31. Confidentiality............................................................................................... 183
Section 32. Application of Rules of Court...................................................................... 183
Section 33. Interpretation................................................................................................. 183
Section 34. Separability Clause........................................................................................ 183
Section 35. Effectivity........................................................................................................ 183

Key Questions................................................................................................................................... 184


CHAPTER I DATA PRIVACY THREATS:
THINGS TO WATCH OUT FOR AS A DPO
Our generation has seen a tectonic shift in what creates value in societies and economies, following
the emergence of the digital economy as a driver of global growth. Data has come to replace oil as
the greatest currency, prompting economists to hail it as “the new oil”. Braving this new frontier
are innovative governments and businesses, which have used personal data to improve existing services,
products and policies, and in so doing have generated better alternatives and new leads for future
growth. For the first time in history, we are able to use personal data to build a society responsive to
the needs of all. Unfortunately, along with the good came the bad, and so we see today how criminals
can hijack personal data for malicious ends.

Threats to data privacy come from various actors. They include state-sponsored, hacktivist and
commercial actors. State-sponsored actors usually target organizations holding proprietary data, such as
those involved in technology, pharmaceuticals or finance. They aim to gain sustained access to an
organization’s IT infrastructure. Hacktivists, on the other hand, are generally viewed as those who
use hacking to promote a political agenda and effect social change. Commercial or fraud-oriented
actors are threat actors primarily interested in money. Highly equipped and knowledgeable,
they include identity thieves and personal data marketers.

Thus, the practice of information security becomes essential in ensuring personal data protection. By
definition, information security is the process of protecting physical and electronic information from
unauthorized access, use, disclosure, disruption, modification, inspection, recording or destruction.

However, information security has become a tough job for organizations. The technological advancements
that interconnect the world to an unprecedented degree also bring with them countless types of threats.
New threats that undermine privacy arise every day while organizations are still addressing threats that
have long existed. As the online realm endlessly evolves, organizations’ shields should always be up
and constantly upgraded.

Thus, the NPC lists the following items that you, as a DPO, should currently be on the lookout for to
secure your organization’s information and avoid data breaches. This section covers not only the
common attacks but also the internal factors that make organizations vulnerable to these attacks, as
well as the emerging platforms used by perpetrators.

A. Internal weaknesses

Organizations can sometimes get too concerned with investing in the most updated and best
information security software there is. What they fail to realize, however, is that any software becomes
useless when vulnerabilities within the organization are not addressed.

A.1. Employee negligence

Employees serve as one of, if not the primary asset of any organization. But they may also be an
organization’s major security weakness. The 2016 Ponemon Institute Study found that employee
negligence accounts for 25% of data breaches, globally.

Without even resorting to sophisticated methods, perpetrators can use your unwitting employees
as a “portal” for their attacks. Even where organizations use advanced security software, social
engineering still proves to be a very cost-effective tactic for perpetrators. All they need do is
identify and target the weakest link in the organization’s security chain, who are none other than
your careless employees.

4
NPC PRIVACY TOOLKIT

Some of the common mistakes employees make involve weak password, email, social
media and web browsing practices. Cybercriminals exploit employees who do not use passwords,
who use simple and short passwords, who reuse the same password across different services and
accounts, and those who carelessly share passwords with others. Employees clicking on suspicious
email links, social media content and website advertisements are also the easiest entry points for
the malicious attacks discussed in the succeeding sections. Organizations also get exposed
by employees’ poor security habits outside work, such as the use of unsecured personal devices to
access work-related data and connecting to unsecured Wi-Fi networks.

Careless handling of data also results in self-inflicted data breaches. An example would be the
Woolworths data breach, which forced management to cancel over $1 million in gift cards
after someone within the Australian grocery chain accidentally emailed a spreadsheet containing
customer information and redeemable codes for around 8,000 gift cards to over 1,000 customers.

Employees also put their organizations at risk when they disregard well-crafted ICT standards and even
the organization’s IT team. Critical errors under this category include making unauthorized system
changes, plugging in unknown devices, downloading software and disabling security features, all
without the IT team’s knowledge.

A.2. Weak or lack of Information Security Policy

To avoid data breaches, it is desirable that an organization’s information security policies be
always at par with emerging technology trends. Due to fast-paced changes, it is highly possible
that no standards exist yet for handling these nascent practices. One such trend is the so-called
“Bring Your Own Device” or BYOD.

Organizations allow BYOD in a desire to reduce costs and increase productivity, given the new-
found IT self-sufficiency among employees. The setup allows employees to work and access
corporate data using their own device, be it a laptop, ultrabook, tablet or smartphone. This
frees up organizations from so much hardware, software, and device maintenance expenses.
Presumably, it also empowers and motivates employees, given the ease, mobility, and flexibility
of access that it makes possible. Organizations expect the resulting convenience and employee
satisfaction to drive productivity levels up.

However, without adequate standards and employee preparation in place, BYOD puts corporate
data at risk, especially in the absence of clear policies on who can access which data, and on
what to do in case a personal device gets lost, stolen or compromised.

The lack of standards on the use of thumb drives or USB flash drives also poses a risk. It is a favorite
storage device of perpetrators as it is small and concealable. Perpetrators can easily steal corporate
data through these devices or use them to install malicious programs in computers.

Unrestricted access to certain corporate data also jeopardizes an organization’s security. For
instance, access to sensitive employee information should be exclusive to the human resources
department. This would make it harder for perpetrators to turn an employee into a portal of
attack.


B. Malicious attacks

B.1. Phishing

This is a type of social engineering attack where cybercriminals pose as legitimate representatives
of reputable organizations. The intent is to trick employees into divulging sensitive information
that may result in data breach, identity theft and financial loss. Perpetrators carry this out through
email, instant messages, phone calls, chat rooms, SMS, fake banner ads, message boards, fake job
search sites and browser toolbars.

Phishing.org enumerates the common features of phishing emails as follows:


“Too Good To Be True” - Lucrative offers and eye-catching or attention-grabbing statements are
designed to attract people’s attention immediately. For instance, many claim that you have
won an iPhone, a lottery, or some other lavish prize. Just don’t click on any suspicious emails.
Remember that if it seems too good to be true, it probably is!

Sense of Urgency - A favorite tactic amongst cybercriminals is to ask you to act fast because the
super deals are only for a limited time. Some of them will even tell you that you have only a
few minutes to respond. When you come across these kinds of emails, it’s best to just ignore
them. Sometimes, they will tell you that your account will be suspended unless you update your
personal details immediately. Most reliable organizations give ample time before they terminate
an account and they never ask patrons to update personal details over the Internet. When in
doubt, visit the source directly rather than clicking a link in an email.

Hyperlinks - A link may not be all it appears to be. Hovering over a link shows you the actual URL
where you will be directed upon clicking on it. It could be completely different or it could be a
popular website with a misspelling, for instance www.bankofarnerica.com - the ‘m’ is actually an
‘r’ and an ‘n’, so look carefully.

Attachments - If you see an attachment in an email you weren’t expecting or that doesn’t make
sense, don’t open it! They often contain payloads like ransomware or other viruses. The only file
type that is always safe to click on is a .txt file.

Unusual Sender - Whether it looks like it’s from someone you don’t know or someone you do
know, if anything seems out of the ordinary, unexpected, out of character or just suspicious in
general don’t click on it!”
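The hyperlink and urgency indicators in the list above can be checked mechanically, for example in a mail filter or as part of a DPO’s awareness exercise. The following Python script is an added example, not code from the toolkit or from Phishing.org; the trusted-domain list, the table of confusable character pairs and the sample message are constructed for illustration. It flags links whose visible text names a different host than the real destination, destinations that turn into a trusted domain once confusable sequences such as ‘rn’ are collapsed to ‘m’ (the bankofarnerica.com case quoted above), and pressure phrases in the visible text.

```python
"""Checks for two phishing indicators: link text that hides the real destination, and
lookalike domains built from visually confusable characters. Added example; not part
of the NPC toolkit. All domains and the sample message are constructed."""
import re
from urllib.parse import urlparse

# Constructed allowlist of domains the organization treats as legitimate (assumption).
TRUSTED_DOMAINS = {"bankofamerica.com", "npc.gov.ph"}

# Character sequences commonly used to imitate another letter in a domain name (small sample).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URGENCY_RE = re.compile(r"\b(suspend(ed)?|immediately|within \d+ (minutes|hours)|act now)\b", re.I)


def host_of(url: str) -> str:
    """Hostname of a URL or bare domain, lowercased, with a leading 'www.' dropped."""
    u = url.strip()
    if "://" not in u:
        u = "http://" + u
    host = (urlparse(u).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def normalize_lookalike(host: str) -> str:
    """Collapse confusable sequences so 'bankofarnerica.com' reads as 'bankofamerica.com'."""
    for fake, real in CONFUSABLES:
        host = host.replace(fake, real)
    return host


def matches(host: str, trusted: str) -> bool:
    """True if host is the trusted domain or a subdomain of it."""
    return host == trusted or host.endswith("." + trusted)


def analyze_link(href: str, text: str) -> list:
    """Human-readable findings for one <a href=...>text</a> pair; empty list means nothing odd."""
    findings = []
    real_host = host_of(href)
    shown = text.strip()
    # Only treat the visible text as a URL if it looks like one (no spaces, contains a dot).
    shown_host = host_of(shown) if " " not in shown and re.search(r"\w\.\w", shown) else ""
    if shown_host and shown_host != real_host:
        findings.append(f"link text shows {shown_host} but leads to {real_host}")
    if not any(matches(real_host, t) for t in TRUSTED_DOMAINS):
        norm = normalize_lookalike(real_host)
        for t in TRUSTED_DOMAINS:
            if matches(norm, normalize_lookalike(t)):
                findings.append(f"{real_host} is a lookalike of trusted domain {t}")
    return findings


def analyze_email(html: str) -> dict:
    """Scan an HTML email body: pressure phrases in the visible text and findings per link."""
    links = {href: analyze_link(href, text) for href, text in ANCHOR_RE.findall(html)}
    visible = re.sub(r"<[^>]+>", " ", html)   # drop tags before looking at the wording
    urgency = [m.group(0) for m in URGENCY_RE.finditer(visible)]
    return {"urgency": urgency, "links": links}


# Constructed sample message (not a real email).
SAMPLE_EMAIL = """<p>Your account will be suspended within 10 minutes unless you verify it immediately.</p>
<a href="http://www.bankofarnerica.com/verify">www.bankofamerica.com</a>
<a href="https://www.npc.gov.ph/">National Privacy Commission</a>"""

if __name__ == "__main__":
    report = analyze_email(SAMPLE_EMAIL)
    print("pressure phrases:", report["urgency"])
    for href, notes in report["links"].items():
        print(href, "->", notes or ["no link findings"])
```

The confusable table is deliberately short; a production filter would use a full Unicode confusables list and a public-suffix list rather than the naive ‘www.’ stripping used here, and would treat the urgency phrases as a score contribution rather than a verdict.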

B.2. Malware

Malware is short for ‘malicious software’, which includes computer viruses, worms, Trojan horses,
rootkits, ransomware, spyware, adware and scareware, among others. It is meant to infiltrate and
infect computers to compromise devices, disrupt services, steal data or monitor user activities. The
common types of malware are described below:


Malware Type    Description

Virus           A type of malware that attaches itself to a program, executes itself and
                replicates itself by infecting other programs; may crash systems, consume
                hard disk space or CPU time, spam email contacts, access private information,
                corrupt files or wipe data.

Worm            Similar to a virus, but does not require a host program to spread and
                damage computers.

Trojan Horse    Malware that masquerades as a legitimate and harmless program; does not
                replicate itself.

Rootkit         An application or set of applications that enables administrator-level
                access to the victim’s system while actively hiding its presence, making
                it difficult to detect; allows the perpetrator to execute files, access logs,
                monitor user activity and change the computer’s configuration.

Ransomware      Blocks victims’ access to their files by locking the system’s screen or
                encrypting the files; requires victims to pay a ransom to get their files
                back through a decryption key.

Spyware         Malware that collects information about victims’ surfing habits, browsing
                history and other personal information, and passes this information to
                third parties through the internet.

Adware          Attached to and downloaded with other software; designed to display
                unwanted advertisements in the form of pop-up windows; may collect
                marketing-type data about you to customize the advertisements displayed.

Scareware       Malware that deceives victims into downloading and purchasing fake and
                potentially dangerous software using intimidating, unsettling and
                fear-inducing messages.

B.3. Denial-of-Service

A denial-of-service or DoS attack seeks to disrupt a network’s service and make it unavailable to
its intended and legitimate users. This is done by flooding the network with useless traffic until
it overwhelms the resources and crashes the system. Zeltser.com lists the following as common
motives behind DoS attacks:

“Extortion via a threat of a DoS attack: The attacker might aim to directly profit from his
perceived ability to disrupt the victim’s services by demanding payment to avoid the
disruption.

Turf wars and fights between online gangs: Groups and individuals engaged in Internet-based
malicious activities might use DoS as weapons against each other’s infrastructure
and operations, catching legitimate businesses in the crossfire.

Anticompetitive business practices: Cybercriminals sometimes offer DoS services to take out
competitor’s websites or otherwise disrupt their operations.

Punishment for undesired actions: A DoS attack might aim to punish the victim for refusing
an extortion demand or for causing disruption to the attacker’s business model (e.g., spam-
sending operations).

Expression of anger and criticism: Attackers might use the DoS attack as a way of criticizing the
company or government organization for exhibiting undesirable political or geopolitical,
economic or monetary behaviors.

Training ground for other attacks: Attackers sometimes might target the organization when
fine-tuning DoS tools and capabilities for future attacks, which will be directed at other
victims.

Distraction from other malicious actions: Adversaries might perform a DoS attack just to draw
your attention away from other intrusion activities that they perform elsewhere in your
environment.

Self-induced: Some downtime and service disruptions are the result of the non-malicious
actions that the organization’s employees took by mistake (e.g., a server configuration
problem).

No apparent reason at all: Unfortunately, many DoS victims never learn what motivated the
attack.”

In 2016, the largest DoS attacks ever recorded took place. One hit the servers of Dyn and brought down
Twitter, the Guardian, Netflix, Reddit and CNN, among other sites in Europe and the US. This was
carried out through a distributed DoS (DDoS) attack that used multiple devices infected with a
special malware (Mirai) and organized into a ‘botnet’. A botnet is a group of interconnected devices
infected with malware that enables perpetrators to control the devices without the owners’ knowledge.
Around 100,000 malicious endpoints were estimated to have powered this 1.2Tbps-strong attack.
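A flood of the kind described above is visible in a server’s own access logs well before the system falls over: one source, or a handful, generating far more requests per unit time than any legitimate client. The following Python script is an added example and not code from the toolkit; the log lines are constructed in Common Log Format, and the request threshold and window length are assumed values that an operator would tune to their own traffic. It keeps a sliding window of request timestamps per source address and reports the sources that exceed the threshold inside the window, which is the signal a rate limiter or a firewall rule acts on.

```python
"""Sliding-window request-rate detector over web server access logs.
Added example; not part of the NPC toolkit. The log lines are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common Log Format (Apache/nginx default); only the fields needed here are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line: str):
    """Return (source_ip, timestamp) for a CLF line, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)


def find_flooders(lines, max_requests: int, window_seconds: int) -> dict:
    """Sources that send more than max_requests within any window_seconds span.

    Lines are expected in chronological order, as a log file is written.
    Returns {source_ip: highest request count seen inside one window}.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # per-source timestamps still inside the window
    peaks = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue               # skip unparseable lines rather than abort the scan
        ip, ts = parsed
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()            # drop timestamps that have fallen out of the window
        if len(q) > max_requests:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks


def make_sample_log() -> list:
    """Constructed log: one source hammering /login plus two ordinary visitors (not real traffic)."""
    tz = timezone(timedelta(hours=8))   # Philippine Standard Time
    base = datetime(2017, 3, 14, 9, 0, 0, tzinfo=tz)
    events = []
    for i in range(50):   # 50 requests within five seconds from a single source
        events.append((base + timedelta(milliseconds=100 * i), "203.0.113.7", "GET /login HTTP/1.1"))
    for i in range(6):    # ordinary visitor, one page every ten seconds
        events.append((base + timedelta(seconds=10 * i), "198.51.100.2", "GET /index.html HTTP/1.1"))
    for i in range(3):    # another ordinary visitor
        events.append((base + timedelta(seconds=7 * i), "192.0.2.9", "GET /about HTTP/1.1"))
    events.sort(key=lambda e: e[0])
    return [f'{ip} - - [{ts.strftime(TS_FMT)}] "{req}" 200 512' for ts, ip, req in events]


if __name__ == "__main__":
    for ip, peak in find_flooders(make_sample_log(), max_requests=20, window_seconds=10).items():
        print(f"{ip}: {peak} requests inside a 10-second window")
```

A per-source threshold catches the single-origin flood in the sample but not a distributed attack of the Dyn scale, where each of tens of thousands of bots may stay under any sensible per-address limit; that case is handled upstream, by provider-side capacity and traffic scrubbing, which is why the log check belongs alongside such arrangements rather than in place of them.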

B.4. Man-in-the-Middle

This is an attack designed to intercept communication between two parties, say a consumer and
a website, in an attempt to impersonate each party to the other and steal valuable personal information.

It takes advantage of weaknesses in the authentication protocols used by the parties. MITM attacks,
usually used to commit financial fraud, may be carried out via a Wi-Fi connection, a browser, a mobile
app, the cloud or any networked device.
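The authentication weakness a man-in-the-middle exploits is often self-inflicted: client code that switches off TLS certificate verification to silence an error, so that any device on the path can present its own certificate and read the traffic. The following Python example is added here and is not part of the toolkit; it uses the standard library ssl module to show the weak configuration beside the hardened one, together with an audit function that reports the settings an interceptor relies on. The function names and the TLS 1.2 floor are this example’s own choices, not NPC requirements.

```python
"""Audit of client-side TLS settings that decide whether an interceptor can impersonate
the server. Added example using the Python standard library; not code from the toolkit."""
import ssl


def audit_tls_context(ctx: ssl.SSLContext) -> list:
    """List the settings in a client context that would let a man-in-the-middle succeed."""
    issues = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        issues.append("server certificate is not verified (verify_mode is not CERT_REQUIRED)")
    if not ctx.check_hostname:
        issues.append("certificate is not matched against the server name (check_hostname is False)")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        issues.append("protocol versions below TLS 1.2 are accepted")
    return issues


def weak_context() -> ssl.SSLContext:
    """The pattern often used to 'fix' a certificate error: turn verification off.
    With these settings the client accepts any certificate, including an interceptor's."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Verify the chain against the system CA store, match the server name, refuse old TLS."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED and check_hostname=True by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    for name, ctx in (("weak", weak_context()), ("hardened", hardened_context())):
        print(name, audit_tls_context(ctx) or ["no issues"])
```

The audit looks only at the context’s own settings; it cannot tell whether the CA store has been seeded with an attacker-controlled root, which is what a rogue Wi-Fi hotspot or a compromised device would need against the hardened configuration. Certificate pinning for an organization’s own mobile apps closes that remaining gap.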

C. Emerging attack platforms

C.1. Mobile

As a widely-used platform even in the workplace, mobile serves as a huge attack surface for
perpetrators. The breadth of data found in mobile devices (contact information, photos, emails
and other sensitive data) also makes them a primary attack target. The relative security weakness
of mobile compared to personal computers increases its vulnerability.

Symantec estimated that the overall volume of malicious Android apps grew by 105 percent in
2016, to 18.4 million. Meanwhile, the iOS operating system remains rarely attacked, but
experienced one such attack in 2016 through the Pegasus spyware. Clicking the malicious link sent via text
message jailbreaks the phone and injects the malware into it. Pegasus accesses messages, calls
and emails, and also gathers app information from services like Gmail, Facebook, Skype and
WhatsApp.

C.2. Cloud

Similar to BYOD, cloud adoption in organizations has been on the rise. It is seen as a cost-efficient
and effective measure to meet heightened computing needs. As the cloud shifts organizations’ data
and applications onto high-capacity networks hosted on the internet, it helps reduce infrastructure
and maintenance costs and improve manageability. However, it also serves as a new and easily
accessible threat surface for perpetrators.

The borderless nature of cloud computing allows threat actors to easily bypass organization-wide
security policies. The cloud’s dependence on third-party applications also increases users’ exposure
to malware. In its 2016 report, the Cloud Security Alliance identified 12 critical cloud issues,
including: data breaches; weak identity, credential and access management; insecure application
programming interfaces; system and application vulnerabilities; account hijacking; malicious insiders;
advanced persistent threats; data loss; insufficient due diligence; abuse and nefarious use of
cloud services; DoS; and shared technology issues.

C.3. Internet of things

The internet of things or IoT is the concept of interconnecting physical devices, ranging
from cellphones, cars, ovens, washing machines, headphones and lamps to wearable devices, via the
internet. It espouses people-to-people, people-to-things and things-to-things relationships, intended to
improve efficiency and promote a smart approach to doing things.

While the IoT opens the world to countless opportunities, it also presents serious challenges.
One is the perceived weak security of most IoT devices, which are protected only by factory-default or
hardcoded usernames and passwords. The largest DDoS attacks of 2016, which used Mirai as discussed
in the previous section, exploited IoT devices and converted them into bots. Seemingly
harmless webcams produced by the Chinese electronics firm Xiong Mai Technologies primarily
powered the 1.2Tbps-strong attack on Dyn. Citizens become unaware

D. Combatting Data Privacy Threats

The National Privacy Commission has devised various means to address the above threats. These means
are integrated into the “Five Pillars of Data Privacy Accountability and Compliance”, as discussed in
the succeeding sections. This framework is not only meant to combat data privacy threats, but to
also help personal information controllers and processors comply with the Data Privacy Act of 2012.
Encompassing organizational, physical and technical measures, the framework is aimed at helping
develop an organizational culture protective of privacy.

CHAPTER II THE FIVE PILLARS OF DATA PRIVACY
ACCOUNTABILITY AND COMPLIANCE

1. COMMIT TO COMPLY:
APPOINT A DATA PROTECTION OFFICER

NPC Advisory No. 2017-01

DATE : 14 MARCH 2017
SUBJECT : DESIGNATION OF DATA PROTECTION OFFICERS

Preamble

WHEREAS, Article II, Section 24 of the 1987 Constitution provides that the State recognizes the
vital role of communication and information in nation-building. At the same time, Article II, Section
11 thereof stresses that the State values the dignity of every human person and guarantees full respect
for human rights. Finally, Article XIII, Section 21 states that Congress shall give highest priority to the
enactment of measures that protect and enhance the right of the people to human dignity;

WHEREAS, Section 2 of Republic Act No. 10173, also known as the Data Privacy Act of 2012
(DPA), provides that it is the policy of the State to protect the fundamental human right of privacy
of communication while ensuring free flow of information to promote innovation and growth. The
State also recognizes its inherent obligation to ensure that personal information in information and
communications systems in the government and in the private sector are secured and protected;

WHEREAS, Section 21(b) of the DPA and Section 50(b) of its Implementing Rules and Regulations
(IRR) provide that personal information controllers (PICs) shall designate an individual or individuals
who are accountable for the organization’s compliance with this Act. Section 14 of the DPA and Section
45 of the IRR also require personal information processors (PIPs) to comply with all the requirements
of the Act and other applicable laws, including issuances by the NPC;

WHEREAS, pursuant to Section 26(a) of the IRR, any natural or juridical person or other body
involved in the processing of personal data shall designate an individual or individuals who shall
function as data protection officer (DPO), compliance officer, or shall otherwise be accountable for
ensuring compliance with applicable laws and regulations for the protection of data privacy and
security;

WHEREAS, pursuant to Section 7 of the DPA, the National Privacy Commission (NPC) is charged
with the administration and implementation of the provisions of the law, which includes ensuring
compliance with the provisions of the DPA and with international standards for data protection, and
carrying out efforts to formulate and implement plans and policies that strengthen the protection of
personal information in the country, in coordination with other government agencies and the private
sector;

WHEREAS, Section 4 of NPC Circular 2016-01 declares that a government agency engaged in the
processing of personal data shall, through its head of agency, designate a DPO;

WHEREAS, in consideration of the foregoing premises, the NPC hereby issues this Advisory that
prescribes the guidelines for the designation of a DPO:

Scope

These Guidelines shall apply to all natural or juridical persons, or any other body in the government or
private sector engaged in the processing of personal data within and outside of the Philippines, subject
to the applicable provisions of the DPA, its IRR, and issuances by the NPC.

NPC PRIVACY TOOLKIT

Definition of Terms

Whenever used in this Advisory, the following terms shall have their respective meanings as hereinafter
set forth:

a. “Act” or “DPA” refers to Republic Act No. 10173, otherwise known as the Data Privacy Act
of 2012;

b. “Commission” or “NPC” refers to the National Privacy Commission;

c. “Compliance Officer for Privacy” or “COP” refers to an individual or individuals who shall
perform some of the functions of a DPO, as provided in this Advisory;

d. “Conflict of Interest” refers to a scenario wherein a DPO is charged with performing tasks,
duties, and responsibilities that may be opposed to or could affect his performance as DPO.
This includes, inter alia, holding a position within the PIC or PIP that leads him to determine
the purposes and the means of the processing of personal data. The term shall be liberally
construed relative to the provisions of this Advisory;

e. “Data Sharing Agreement” refers to a contract, joint issuance, or any similar document that
contains the terms and conditions of a data sharing arrangement between two or more
parties: Provided, that only personal information controllers shall be made parties to a data
sharing agreement;

f. “Data Subject” refers to an individual whose personal, sensitive personal, or privileged
information is processed;

g. “Government Agency” refers to a government branch, body, or entity, including national
government agencies, bureaus, or offices, constitutional commissions, local government
units, government-owned and controlled corporations, government financial institutions,
state colleges and universities;

h. “Personal data” refers to all types of personal information, including privileged information;

i. “Personal information” refers to any information whether recorded in a material form
or not, from which the identity of an individual is apparent or can be reasonably and
directly ascertained by the entity holding the information, or when put together with other
information would directly and certainly identify an individual;

j. “Personal information controller” or “PIC” refers to a person or organization who controls
the collection, holding, processing or use of personal information, including a person or
organization who instructs another person or organization to collect, hold, process, use,
transfer or disclose personal information on his or her behalf. The term excludes:

1. a person or organization who performs such functions as instructed by another person
or organization; or
2. an individual who collects, holds, processes or uses personal information in connection
with the individual’s personal, family or household affairs.


There is control if the natural or juridical person or any other body decides on what
information is collected, or the purpose or extent of its processing;

k. “Personal information processor” or “PIP” refers to any natural or juridical person or
any other body to whom a PIC may outsource or instruct the processing of personal data
pertaining to a data subject;

l. “Privacy by Design” is an approach to the development and implementation of projects,
programs, and processes that integrates into the latter’s design or structure safeguards that
are necessary to protect and promote privacy, such as appropriate organizational, technical,
and policy measures;

m. “Privacy Impact Assessment” is a process undertaken and used to evaluate and manage the
impact on privacy of a particular project, program, process or measure;

n. “Privileged Information” refers to any and all forms of data which, under the Rules of Court
and other pertinent laws, constitute privileged communication;

o. “Processing” refers to any operation or any set of operations performed upon personal data
including, but not limited to, the collection, recording, organization, storage, updating or
modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of
data;

p. “Sensitive Personal Information” refers to personal information:

1. About an individual’s race, ethnic origin, marital status, age, color, and religious,
philosophical or political affiliations;
2. About an individual’s health, education, genetic or sexual life of a person, or to any
proceeding for any offense committed or alleged to have been committed by such person,
the disposal of such proceedings, or the sentence of any court in such proceedings;
3. Issued by government agencies peculiar to an individual which includes, but not limited
to, social security numbers, previous or current health records, licenses or its denials,
suspension or revocation, and tax returns; and
4. Specifically established by an executive order or an act of Congress to be kept classified.

General Principles

These Guidelines shall be governed by the following general principles:

a. The responsibility for complying with the Act, its IRR, issuances by the NPC, and all other
applicable laws lies with the PIC or PIP. When necessary, it must be capable of demonstrating
its capacity to comply.[1]

b. The DPO or COP shall act independently in the performance of his or her functions,
and shall enjoy sufficient degree of autonomy. For this purpose, he or she must not receive
instructions from the PIC or PIP regarding the exercise of his or her tasks.[2]

c. The DPO or COP is bound by secrecy or confidentiality concerning the performance of his
or her tasks.
[1] RA 10173, §21(a), and §14.
[2] e.g., what results should be achieved, how to investigate a complaint, whether to consult the NPC, what view or interpretation of the law to take relative to a specific
data protection issue, etc.


Mandatory Designation

A PIC or PIP shall designate an individual or individuals who shall function as DPO. The DPO shall
be accountable for ensuring the compliance by the PIC or PIP with the DPA, its IRR, issuances by the
NPC, and other applicable laws and regulations relating to privacy and data protection.
In certain cases, a PIC or PIP is allowed to designate a compliance officer for privacy (COP):

a. Local Government Units (LGUs). Each LGU shall designate a DPO. However, a component
city, municipality, or barangay is allowed to designate a COP, provided that the latter shall be
under the supervision of the DPO of the corresponding province, city, or municipality that
that component city, municipality or barangay forms part of.

b. Government Agencies. Each government agency shall designate a DPO. Where a government
agency has regional, provincial, district, city, municipal offices, or any other similar sub-
units, it may designate or appoint a COP for each sub-unit. The COPs shall be under the
supervision of the DPO.

c. Private Sector. Where a private entity has branches, sub-offices, or any other component
units, it may also appoint or designate a COP for each component unit.

Subject to the approval of the NPC, a group of related companies may appoint or designate
the DPO of one of its members to be primarily accountable for ensuring the compliance of
the entire group with all data protection policies. Where such common DPO is allowed by
the NPC, the other members of the group must still have a COP, as defined in this Advisory.

d. Other Analogous Cases. PICs or PIPs that are under similar or analogous circumstances may
also seek the approval of the NPC for the appointment or designation of a COP, in lieu of a
DPO.

An individual PIC or PIP shall be a de facto DPO.

General Qualifications

The DPO should possess specialized knowledge and demonstrate reliability necessary for the performance
of his or her duties and responsibilities. As such, the DPO should have expertise in relevant privacy or
data protection policies and practices. He or she should have sufficient understanding of the processing
operations being carried out by the PIC or PIP, including the latter’s information systems, data security
and/or data protection needs.

Knowledge by the DPO of the sector or field of the PIC or PIP, and the latter’s internal structure,
policies, and processes is also useful.

The minimum qualifications for a COP shall be proportionate to his or her functions, as provided in
this Advisory.

Position of the DPO or COP

The DPO or COP should be a full-time or organic employee of the PIC or PIP.

In the government or public sector, the DPO or COP may be a career or appointive position.


In the private sector, the DPO or COP should ideally be a regular or permanent position.[3] Where the
employment of the DPO or COP is based on a contract, the term or duration thereof should at least
be two (2) years to ensure stability.

In the event the position of DPO or COP is left vacant,[4] the PIC or PIP should provide for the
appointment, reappointment, or hiring of his or her replacement within a reasonable period of time.
The PIC or PIP may also require the incumbent DPO or COP to occupy such position in a holdover
capacity until the appointment or hiring of a new DPO or COP, in accordance with the PIC or PIP’s
internal policies or the provisions of the appropriate contract.

Independence, Autonomy and Conflict of Interest

A DPO or COP must be independent in the performance of his or her functions, and should be
accorded a significant degree of autonomy by the PIC or PIP.

In his or her capacity as DPO or COP, an individual may perform (or be assigned to perform) other
tasks or assume other functions that do not give rise to any conflict of interest.[5]

Duties and Responsibilities of the DPO and COP

A DPO shall, inter alia:

a. monitor the PIC’s or PIP’s compliance with the DPA, its IRR, issuances by the NPC and
other applicable laws and policies. For this purpose, he or she may:

1. collect information to identify the processing operations, activities, measures, projects,
programs, or systems of the PIC or PIP, and maintain a record thereof;
2. analyze and check the compliance of processing activities, including the issuance of
security clearances to and compliance by third-party service providers;
3. inform, advise, and issue recommendations to the PIC or PIP;
4. ascertain renewal of accreditations or certifications necessary to maintain the required
standards in personal data processing; and
5. advise the PIC or PIP as regards the necessity of executing a Data Sharing Agreement with
third parties, and ensure its compliance with the law;

b. ensure the conduct of Privacy Impact Assessments relative to activities, measures, projects,
programs, or systems of the PIC or PIP;

c. advise the PIC or PIP regarding complaints and/or the exercise by data subjects of their
rights (e.g., requests for information, clarifications, rectification or deletion of personal data);

d. ensure proper data breach and security incident management by the PIC or PIP, including
the latter’s preparation and submission to the NPC of reports and other documentation
concerning security incidents or data breaches within the prescribed period;

e. inform and cultivate awareness on privacy and data protection within the organization of
the PIC or PIP, including all relevant laws, rules and regulations and issuances of the NPC;

[3] Consultants and project, seasonal, probationary, or casual employees should not be designated as DPOs.
[4] In the event of resignation, incapacity, or death of the DPO, or, where the term of the DPO is fixed or is coterminous with the appointing authority,
in the case of government agencies, or based on a contract, in the case of private sector entities.
[5] The designated DPO may also occupy some other position in the organization (e.g., legal counsel, risk management officer, etc.).


f. advocate for the development, review and/or revision of policies, guidelines, projects and/or
programs of the PIC or PIP relating to privacy and data protection, by adopting a privacy by
design approach;

g. serve as the contact person of the PIC or PIP vis-à-vis data subjects, the NPC and other
authorities in all matters concerning data privacy or security issues or concerns and the PIC
or PIP;

h. cooperate, coordinate and seek advice of the NPC regarding matters concerning data privacy
and security; and

i. perform other duties and tasks that may be assigned by the PIC or PIP that will further the
interest of data privacy and security and uphold the rights of the data subjects.

Except for items (a) to (c), a COP shall perform all other functions of a DPO. Where appropriate, he or
she shall also assist the supervising DPO in the performance of the latter’s functions.

The DPO or COP must have due regard for the risks associated with the processing operations of the
PIC or PIP, taking into account the nature, scope, context and purposes of processing. Accordingly,
he or she must prioritize his or her activities and focus his or her efforts on issues that present higher
data protection risks.

General Obligations of the PIC or PIP Relative to the DPO or COP

The PIC or PIP should:

a. effectively communicate to its personnel the designation of the DPO or COP and his or her
functions;

b. allow the DPO or COP to be involved from the earliest stage possible in all issues relating to
privacy and data protection;

c. provide sufficient time and resources (financial, infrastructure, equipment, training, and
staff) necessary for the DPO or COP to keep himself or herself updated with the developments
in data privacy and security and to carry out his or her tasks effectively and efficiently;

d. grant the DPO or COP appropriate access to the personal data it is processing, including the
processing systems;

e. where applicable, invite the DPO or COP to participate in meetings of senior and middle
management to represent the interest of privacy and data protection;

f. promptly consult the DPO or COP in the event of a personal data breach or security incident;
and

g. ensure that the DPO or COP is made a part of all relevant working groups that deal
with personal data processing activities conducted inside the organization, or with other
organizations.


Outsourcing or Subcontracting of Functions

A PIC or PIP may outsource or subcontract the functions of its DPO or COP. However, to the extent
possible, the DPO or COP must oversee the performance of his or her functions by the third-party
service provider or providers. The DPO or COP shall also remain the contact person of the PIC or PIP
vis-à-vis the NPC.

Protections

To strengthen the autonomy of the DPO or COP and ensure the independent nature of his or her
role in the organization, a PIC or PIP should not directly or indirectly penalize or dismiss the DPO
or COP for performing his or her tasks. It is not necessary that the penalty is actually imposed or
meted out. A mere threat is sufficient if it has the effect of impeding or preventing the DPO or COP
from performing his or her tasks. However, nothing shall preclude the legitimate application of labor,
administrative, civil or criminal laws against the DPO or COP, based on just or authorized grounds.

Publication and Communication of Contact Details

To ensure that its own personnel, the data subjects, the NPC, or any other concerned party, is able to
easily, directly, and confidentially contact the DPO or COP, a PIC or PIP must publish the DPO’s or
COP’s contact details in, at least, the following materials:

a. website;
b. privacy notice;
c. privacy policy; and
d. privacy manual or privacy guide.

A PIC or PIP may introduce or offer additional means of communicating (e.g., telefax, social media
platforms, etc.) with its DPO or COP.
For this purpose, the contact details of the DPO or COP should include the following information:

a. title or designation
b. postal address
c. a dedicated telephone number
d. a dedicated email address

The name or names of the DPO or COP need not be published. However, it should be made available
upon request by a data subject or the NPC.

Weight of Opinion

The opinion of the DPO or COP must be given due weight. In case of disagreement, and should the
PIC or PIP choose not to follow the advice of the DPO or COP, it is recommended, as good practice,
to document the reasons therefor.

Accountability

While the responsibility of complying with the DPA, its IRR, issuances by the NPC, and other
applicable laws remains with the PIC or PIP, malfeasance, misfeasance, or nonfeasance on the part of
the DPO or COP relative to his designated functions may still be a ground for administrative, civil, or
criminal liability, in accordance with all applicable laws.

Approved:

(Sgd.) RAYMUND E. LIBORO
Privacy Commissioner

(Sgd.) IVY D. PATDU
Deputy Privacy Commissioner

(Sgd.) DAMIAN DOMINGO O. MAPA
Deputy Privacy Commissioner

Date: 14 March 2017

2. KNOW YOUR RISKS:
CONDUCT A PRIVACY IMPACT ASSESSMENT
NPC Advisory No. 2017-03

DATE : 31 July 2017


SUBJECT : GUIDELINES ON PRIVACY IMPACT ASSESSMENTS

Preamble

WHEREAS, Article II, Section 11 of the 1987 Constitution declares that the State values the dignity
of every human person and guarantees full respect for human rights, and Article XIII, Section 21 states
that Congress shall give highest priority to the enactment of measures that protect and enhance the
right of the people to human dignity. At the same time, enshrined in jurisprudence is the recognition
of the right to privacy as a right fully deserving of constitutional protection;

WHEREAS, Section 2 of Republic Act No. 10173, also known as the Data Privacy Act of 2012
(DPA), provides that it is the policy of the State to protect the fundamental human right of privacy
of communication while ensuring free flow of information to promote innovation and growth. The
State also recognizes its inherent obligation to ensure that personal information in information and
communications systems in the government and in the private sector are secured and protected;

WHEREAS, Section 20(c) of the DPA and Section 29 of its Implementing Rules and Regulations
(IRR) provide that the determination of the appropriate level of security for an agency or organization
processing personal data shall take into account the nature of the personal information to be protected,
the risks represented by the processing to the rights and freedoms of data subjects, the size of the
organization and complexity of its operations, current data privacy best practices, and the cost of
security implementation;

WHEREAS, pursuant to Section 7 of the DPA, the National Privacy Commission (NPC) is mandated
to administer and implement the provisions of the DPA, monitor and ensure compliance of the country
with international standards set for data protection, and coordinate with government agencies and the
private sector on efforts to formulate and implement plans and policies that strengthen the protection
of personal information in the country;

WHEREAS, Sections 4, 5, and 6 of NPC Circular 2016-01 require government agencies to conduct a
Privacy Impact Assessment (PIA) for each program, process, or measure within the agency that involves
personal data. At the same time, Section 6 of NPC Circular 2016-03 recommends the conduct of a PIA
as part of any organization’s security incident management policy;

WHEREFORE, in consideration of the foregoing premises, the NPC hereby issues this Advisory that
prescribes guidelines for the conduct of a Privacy Impact Assessment:

Scope

This Advisory shall apply to all natural or juridical persons, or any other body in the government or
private sector engaged in the processing of personal data within and outside of the Philippines, subject
to the applicable provisions of the DPA, its IRR, and other relevant issuances of the NPC.


Definition of Terms

For the purpose of this Advisory, the following terms are defined, as follows:

A. “Act” or “DPA” refers to Republic Act No. 10173, otherwise known as the Data Privacy Act
of 2012;
B. “Commission” or “NPC” refers to the National Privacy Commission;

C. “Compliance Officer for Privacy” or “COP” refers to an individual that performs some of the
functions of a DPO, as provided in NPC Advisory No. 17-01;

D. “Control Framework” refers to a comprehensive enumeration of measures a PIC or PIP has
established for the protection of personal data against natural dangers such as accidental loss
or destruction, and human dangers such as unlawful access, fraudulent misuse, unlawful
destruction, alteration and contamination;

E. “Data Protection Officer” or “DPO” refers to an individual designated by the head of
agency or organization to be accountable for its compliance with the Act, its IRR, and other
issuances of the Commission: Provided, that, except where allowed otherwise by law or
the Commission, the individual must be an organic employee of the government agency or
private entity: Provided further, that a government agency or private entity may have more
than one DPO;

F. “IRR” refers to the Implementing Rules and Regulations of the DPA;

G. “Personal data” refers to all types of personal information, including privileged information;

H. “Personal information” refers to any information whether recorded in a material form
or not, from which the identity of an individual is apparent or can be reasonably and
directly ascertained by the entity holding the information, or when put together with other
information would directly and certainly identify an individual;

I. “Personal information controller” or “PIC” refers to a person or organization who controls
the collection, holding, processing or use of personal information, including a person or
organization who instructs another person or organization to collect, hold, process, use,
transfer or disclose personal information on his or her behalf. The term excludes:

1. a person or organization who performs such functions as instructed by another person
or organization; or
2. an individual who collects, holds, processes or uses personal information in connection
with the individual’s personal, family or household affairs;
3. There is control if the natural or juridical person or any other body decides on what
information is collected, or the purpose or extent of its processing;

J. “Personal Information Processor” or “PIP” refers to any natural or juridical person or
any other body to whom a PIC may outsource or instruct the processing of personal data
pertaining to a data subject;

K. “Privacy Impact Assessment” is a process undertaken and used to evaluate and manage
impacts on privacy of a particular program, project, process, measure, system or technology
product of a PIC or PIP. It takes into account the nature of the personal data to be protected, the
personal data flow, the risks to privacy and security posed by the processing, current data
privacy best practices, the cost of security implementation, and, where applicable, the size of
the organization, its resources, and the complexity of its operations;

L. “Privacy Management Program” refers to a process intended to embed privacy and data
protection in the strategic framework and daily operations of a personal information controller
or personal information processor, maintained through organizational commitment and
oversight of coordinated projects and activities;

M. “Privileged Information” refers to any and all forms of data which, under the Rules of
Court and other pertinent laws, constitute privileged communication;

N. “Processing” refers to any operation or any set of operations performed upon personal data
including, but not limited to, the collection, recording, organization, storage, updating or
modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of
data;

O. “Risk” refers to the potential of an incident to result in harm or danger to a data subject or
organization;

P. “Risk Rating” refers to a function of the probability and impact of an event;

Q. “Sensitive Personal Information” refers to personal information:

1. About an individual’s race, ethnic origin, marital status, age, color, and religious,
philosophical or political affiliations;

2. About an individual’s health, education, genetic or sexual life of a person, or to any
proceeding for any offense committed or alleged to have been committed by such person,
the disposal of such proceedings, or the sentence of any court in such proceedings;

3. Issued by government agencies peculiar to an individual which includes, but not limited
to, social security numbers, previous or current health records, licenses or its denials,
suspension or revocation, and tax returns; and

4. Specifically established by an executive order or an act of Congress to be kept classified;

R. “Threat” refers to a potential cause of an unwanted incident, which may result in harm or
danger to a data subject, system, or organization;

S. “Vulnerability” refers to a weakness of a data processing system that makes it susceptible to
threats and other attacks.

General Principles

A Privacy Impact Assessment (PIA) helps a PIC and PIP navigate the process of understanding the
personal data flows in the organization. It identifies and provides an assessment of various privacy
risks, and proposes measures intended to address them.


The identification of risks and the use of a control framework for risk management should consider
existing laws, regulations, and issuances relevant to privacy and data protection, as well as the rights
of data subjects. The most appropriate standard recognized by the sector or industry of the PIC or PIP,
as well as that of the information and communications technology industry shall also be considered.

Key Considerations

In general, a PIA should be undertaken for every processing system of a PIC or PIP that involves
personal data. It may also be carried out vis-à-vis the entire organization of the PIC or PIP with the
involvement or participation of the different process owners and stakeholders.

A PIA should be conducted for both new and existing systems, programs, projects, procedures,
measures, or technology products that involve or impact processing personal data. For new processing
systems, it should be undertaken prior to their adoption, use, or implementation. Changes in the
governing law or regulations, or those adopted within the organization or its industry may likewise
require the conduct of a PIA, particularly if such changes affect personal data processing.

A PIC may require a PIP or a service or product provider to conduct a PIA. For this purpose, the report
prepared by the PIP or the service or product provider may be considered by the PIC in determining
whether the former is able to provide a comparable level of protection to the processing of personal
data.

A PIC or PIP may choose to conduct a single PIA for multiple data processing systems that involve the
same personal data and pose similar risks. A single PIA may also be conducted on a data processing
system where two or more PICs or PIPs are involved.

The PIC or PIP may forego the conduct of a PIA only if it determines that the processing involves
minimal risks to the rights and freedoms of individuals, taking into account recommendations from
the DPO. In making this determination, the PIC or PIP should consider the size and sensitivity of
the personal data being processed, the duration and extent of processing, the likely impact of the
processing to the life of data subject and possible harm in case of a personal data breach.

Objectives

The conduct of a PIA is intended to:

A. identify, assess, evaluate, and manage the risks represented by the processing of personal
data;

B. assist the PIC or PIP in preparing the records of its processing activities, and in maintaining
its privacy management program;

C. facilitate compliance by the PIC or PIP with the DPA, its IRR, and other applicable issuances
of the NPC, by determining:

a. its adherence to the principles of transparency, legitimate purpose and proportionality;
b. its existing organizational, physical and technical security measures relative to its data
processing systems;
c. the extent by which it upholds the rights of data subjects; and


D. aid the PIC or PIP in addressing privacy risks by allowing it to establish a control framework.

In conducting a PIA, it is important that its results are properly documented in a report that includes
information on stakeholder involvement, proposed measures for privacy risk management, and
the process through which the results of the PIA will be communicated to internal and external
stakeholders.

Responsibility

The PIC or PIP is primarily accountable for the conduct of a PIA. This responsibility remains even
when it elects to outsource or subcontract the actual conduct of the activity. For this purpose, the PIC
or PIP may lay down a policy, which establishes the circumstances under which a PIA shall be carried
out, including the personnel involved, the resources available, and the review process that will be
undertaken.

A recommendation for the conduct of a PIA may also come from the DPO of the PIC or PIP. Part
of the functions of a DPO is to ensure the conduct of PIA relative to activities, measures, projects,
programs, or systems of the PIC or PIP. In case of disagreement between the DPO and its principal on
the conduct of a PIA, this should be properly documented, particularly the reason for the conflicting
views.

The extent of the involvement of the DPO in the PIA is left to the discretion of the PIC or PIP. The
PIC or PIP may allow the DPO to actively take part in the PIA, or it may simply consult and seek his
or her recommendations based on the results of the PIA.

Where the PIC or PIP has a COP, the involvement of the latter in the PIA shall also be determined by
the PIC or PIP.

Stakeholder Involvement

Stakeholder involvement is important in the conduct of a PIA. This may be accomplished through their
direct participation in the process, through consultations in a public forum or focus group discussions,
or through the use of surveys and feedback forms.

Stakeholders may be involved in the whole process, or may be consulted at specific stages, such as the
preparatory stage, the risk analysis and evaluation, or the review after the process that leads up
to the preparation of the report.

The results of a PIA should be communicated to the stakeholders via a written report.

Structure and Form

There is no prescribed standard or format for a PIA. As such, the PIC or PIP may determine the structure
and form of the PIA that it will use. It is not precluded from utilizing any existing methodology,[6]
provided the latter is acceptable based on the following criteria:[7]

[6] Acceptable methodologies include ISO/IEC 29134, which provides standards for the conduct of the PIA.
[7] This takes into consideration the Art. 29 Data Protection Working Party “Guidelines on Data Protection Impact Assessment (DPIA) and determining
whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679” (4 April 2017) and the provisions of the DPA.

23
NPC PRIVACY TOOLKIT

1. It provides a systematic description of the personal data flow and processing activities of the
PIC or PIP. This includes:

1. purpose of the processing, including, where applicable, the legitimate interest pursued
by the PIC or PIP;
2. data inventory identifying the types of personal data held by the PIC or PIP;
3. sources of personal data and procedures for collection;
4. functional description of personal data processing, including a list of all information
repositories holding personal data and their location, and types of media used for storage;
5. transfers of personal data to another agency, company, or organization, including
transfers outside the country, if any;
6. storage and disposal method of personal data;
7. accountable and responsible persons involved in the processing of personal data; and
8. existing organizational, physical and technical security measures.

2. It includes an assessment of the adherence by the PIC or PIP to the data privacy principles,
the implementation of security measures, and the provision of mechanisms for the exercise
by data subjects of their rights under the DPA.

3. It identifies and evaluates the risks posed by a data processing system to the rights and
freedoms of affected data subjects, and proposes measures that address them.

1. Risk identification. Risks include natural dangers such as accidental loss or destruction,
and human dangers such as unlawful access, fraudulent misuse, unlawful destruction,
alteration and contamination.
2. Risk evaluation based on impact and likelihood. The severity or extent of the impact
of a breach or privacy violation on the rights and freedoms of data subjects must be
determined. The probability of the risk happening and the sources of such risk should
also be taken into consideration.
3. Remedial measures. Based on the assessment of risks, measures should be proposed on how
to address and manage the said risks.

4. It is an inclusive process, in that it ensures the involvement of interested parties and secures
inputs from the DPO and data subjects.

Planning a PIA

The following should be considered when planning the conduct of a PIA:

1. The PIC or PIP should signify its commitment to the conduct of a PIA. This means:

a. deciding on the need for a PIA;
b. assigning a person responsible for the whole process;
c. providing resources to accomplish the objectives of the PIA; and
d. issuing a clear directive for its conduct.

2. The program, project, process, measure, system or technology product on which a PIA will
be conducted should be identified. The scope of the PIA must be clearly delineated.

3. The process owners, participants, and the persons in charge of conducting the PIA, including
the preparation of its report, should be identified. When the scope of the PIA is determined
to be broad and/or comprehensive, a taskforce or secretariat may be necessary. The PIC or PIP
may also outsource the conduct of the PIA, but great care should be taken in evaluating the
adequacy and propriety of the methodology that will be utilized, and the expected outputs.

4. The PIC or PIP should determine how internal and external stakeholders will be involved.

5. Other matters that should be established:

1. objectives, schedules, and available resources;
2. means of communicating the results of the PIA to stakeholders; and
3. procedure for integrating the recommendations of the PIA into the control framework
of the organization.

Preparatory Activities

The following should be considered in the preparatory activities leading up to the conduct of a PIA:

1. There should be records of the processing activities of the PIC or PIP, and an inventory of
the personal data involved in such activities. For this purpose, a personal data flow should
be created, starting from the collection of personal data, all the way up to its deletion or
disposal, including storage. The process owners may be assigned to provide these documents
prior to conduct of the PIA.

2. A preliminary assessment should be undertaken to determine baseline information, including
existing policies and security measures of the organization. It is critical that this be carried out
in coordination with the different units or offices of the organization, such as those in charge
of compliance, quality management, records and information management, information
technology, administration and planning, customer relations, and legal concerns.

3. Stakeholders may be consulted during the preparatory stage to identify their concerns,
expectations, and perception of the risks posed by the processing activities of the organization.
Existing reports may be considered, such as customer satisfaction surveys, internal audits,
and other assessment activities.

4. The objectives, scope, and methodology of the PIA should be established. A control framework
should be selected. For agencies that process the personal data records of more than one
thousand (1,000) individuals, including agency personnel, the Commission recommends the
use of the ISO/IEC 27002 and ISO/IEC 29151 control set as the minimum standard to
assess any gaps in the agency’s control framework.

5. The detailed plan for the conduct of the PIA should be prepared, including:

1. schedules and timelines for the completion of preparatory activities, conduct of the PIA,
and reporting or publication of results;
2. approval of resource and budget allocations;
3. participants and methods for stakeholder involvement;
4. documentation and review process;
5. other supporting documents.


Conduct of the PIA

The following should be considered in the conduct of a PIA:

1. The records of processing activities, the personal data inventory, and the personal data flows
should all be evaluated to determine whether additional information is necessary for the
proper conduct of a PIA. Taken together, these constitute the baseline information, along
with the following:

1. purpose and legal basis of the processing activities, including data sharing and other
forms of data transfers;
2. persons responsible for processing personal data, including a list of those individuals
with access thereto;
3. list of all information repositories and technology products used;
4. sources and recipients of personal data; and
5. existing policies, procedures and security measures relevant to personal data protection.

2. Once baseline information is complete, the processing activities should be evaluated against
the legal obligations of the PIC or PIP, and the latter’s chosen control framework.

3. The control framework should adhere to the data privacy principles. It should implement
security measures and establish procedures for the proper exercise by data subjects of their
rights. Privacy and data protection measures, whether planned or existing, should be
considered.

4. The data processing systems of the PIC or PIP should be assessed to determine if there are
gaps at any stage of the processing. There is a gap when:

1. there is a violation of any data privacy principle;
2. the organizational, physical, and technical security measures are inadequate to safeguard
the confidentiality, availability, and/or integrity of personal data; or
3. the exercise by data subjects of their rights is not possible, or is restricted without legal basis.

5. Gaps should be evaluated to determine the risks involved to personal data, possible threats,
and existing vulnerabilities of the systems. Risks include the following:

1. unauthorized or unlawful processing;
2. confidentiality breach;
3. integrity breach;
4. availability breach; and
5. violations of rights of data subjects.

6. Risks, in turn, should be assessed to determine whether the breach or privacy violation it
poses is likely to happen. The assessment should consider the processing operations of the
PIC or PIP, vulnerabilities and threats, as well as existing safeguards, if any. A determination
of how the risk will affect the rights and freedoms of data subjects should be done based on
the amount and nature of personal data involved, and the impact of possible harm.

7. Measures to address the risks identified should be proposed. They may mitigate, accept,
avoid, or transfer the risks posed by the processing, by taking into account the likelihood and
impact of a breach or privacy violation, the available resources of the organization to address
the risks, current data privacy best practices, and industry or sector standards. The proposed
measures should include:

1. risks and strategies for risk management;
2. implementing activities, including definite plans and specific projects;
3. controlling mechanisms to monitor, review, and support implementation;
4. proposed time frame, expected completion, or schedules;
5. responsible and accountable persons; and
6. necessary and available resources.

8. Involvement of stakeholders should be documented.

9. The report featuring the results of the PIA should be reviewed before being finalized and
approved. It should include the proposed measures that should serve as basis for implementing
changes in the organization (e.g., new policies and procedures, security measures to strengthen
data processing systems, etc.). The report should also include recommendations as to when
the PIA will be updated and reviewed.

10. Results of the PIA should be reported to management and communicated to internal and
external stakeholders. The PIC or PIP can limit the information provided to the public
based on its legitimate interests, such as the legal, business operation, or security risks that
disclosure may give rise to.

Documentation and Review

A PIA requires documentation and procedures for review. Its results should be contained in a
corresponding report.

The PIC or PIP must maintain a record of all its PIA reports. When a report contains information that
is privileged or confidential, the PIC or PIP may prepare a PIA Summary that can be made available
to data subjects upon request. Other means of communicating the results of the PIA to internal and
external stakeholders should be considered, such as publishing key findings or result summaries on the
PIC or PIP website, or through newsletters, annual reports, and other similar materials.

A PIA should be evaluated every year. This, however, does not preclude the conduct of a new PIA on
the same data processing system when so required by significant changes required by law or policy,
and other similar circumstances.

Compliance and Accountability

The conduct of a PIA is one of the ways a PIC or PIP is able to demonstrate its compliance with
the DPA, its IRR, and related issuances of the NPC. It also represents a proactive approach to the
management of risks represented by personal data processing by ensuring that the rights of data
subjects are protected.

In the event a personal data breach occurs, or a complaint is filed by a data subject against the PIC or
PIP, the conduct of a PIA shall be considered in evaluating if the PIC or PIP exercised due diligence in
the processing of personal data.

When the NPC determines that a processing system of a PIC or PIP poses a significant risk to the rights
and freedoms of data subjects, it may request a copy of the PIA report regarding such system. When
so requested, such copy shall also be made available to the Commission for compliance monitoring
purposes.

Approved:

[SGD] RAYMUND E. LIBORO
Privacy Commissioner

(Sgd.) IVY D. PATDU
Deputy Privacy Commissioner

(Sgd.) DAMIAN DOMINGO O. MAPA
Deputy Privacy Commissioner

Date: 31 July 2017


Privacy Impact Assessment
TEMPLATE

I. Project/System Description

a. Description
Describe the program, project, process, measure, system or technology product and its context.
Define and specify what it intends to achieve. Consider the pointers below to help you describe
the project.

• Brief description of the project/system
— Describe the process of the project
— Describe the scope and extent
— Any links with existing programs or other projects
• The system/project’s overall aims (purpose of the project/system)
— What does the project/system aim to achieve?
— What are the benefits for the organization and the data subjects?
• Any related documents to support the project/system
— Project/System Requirements Specification
— Project/System Design Specification
— Or any related documents

b. Scope of the PIA

This section should explain what part or phase of the program the PIA covers and, where
necessary for clarity, what it does not cover.

• What will the PIA cover?
• What areas are outside scope?
• Is this just a “desk-top” information gathering exercise, or do I have to get information from a
wide variety of sources?
• Who needs to be involved and when will they be available?
• Where does the PIA need to fit in the overall project plan and timelines?
• Who will make decisions about the issues identified by the PIA? What information do they
need and how long will it take to get sign-off from them?
• Do I need to consult with anyone (for instance the individuals whose personal information
the project will involve)? When and how should this happen?
• Are there any third parties involved and how long do I need to allow for them to play their
part?

II. Threshold Analysis

The following questions are intended to help you decide whether a PIA is necessary. Answering ‘yes’ to
any of these questions is an indication that a PIA would be a useful exercise. You can expand on your
answers as the project develops if you need to.

a. Will the project or system involve the collection of new information about individuals?

O No O Yes


b. Is the information about individuals sensitive in nature and likely to raise privacy concerns
or expectations e.g. health records, criminal records or other information people would
consider particularly private?

O No O Yes
c. Are you using information about individuals for a purpose it is not currently used for, or in
a way it is not currently used?

O No O Yes

d. Will the initiative require you to contact individuals in ways which they may find intrusive?

O No O Yes

e. Will information about individuals be disclosed to organizations or people who have not
previously had routine access to the information?

O No O Yes

f. Does the initiative involve you using new technology which might be perceived as being
privacy intrusive (e.g. biometrics or facial recognition)?

O No O Yes

g. Will the initiative result in you making decisions or taking action against individuals in ways
which can have a significant impact on them?

O No O Yes

h. Were the personal data collected prior to August 2016?

O No O Yes

III. Stakeholder(s) Engagement

State all project stakeholders consulted in conducting the PIA, and identify which part they were involved in.
(Describe how stakeholders were engaged in the PIA process.)

Name | Role | Involvement | Inputs/Recommendations

* add additional rows if needed.


IV. Personal Data Flows

Identify the personal data involved and describe the data flow from collection to disposal by answering
the questions below:

What personal data are being or will be processed by this project/system?

List all personal data (e.g. full name, address, gender, phone number, etc.) and state
which is/are sensitive personal information (e.g. race, ethnicity, marital status, health,
genetic data, government-issued numbers).

All the information stated above should be described in accordance with the next section.

Collection
1. State who collected or will be collecting the personal information and/or sensitive personal information.

2. How is the personal information/sensitive personal information collected, and from whom?
»» Is the personal information collected from some source other than the individual?

3. What is/are the purpose(s) of collecting the personal data?
»» Be clear about the purpose of collecting the information.
»» Are you collecting only what you need?

4. How was or will consent be obtained?
»» Do individuals have the opportunity and/or right to decline to provide data?
»» What happens if they decline?

Storage
1. Where is it currently being stored?
»» Is it being stored on a physical server or in the cloud?

2. Is it being stored in another country?
»» If it is subject to a cross-border transfer, specify what country or countries.

3. Is the storage of data being outsourced?
»» Specify whether the storing process is done in-house or handled by a service provider.

Usage
1. How will the data be used, or what is the purpose of its processing?
»» Describe how the collected information is being used or will be used.
»» Specify the processing activities in which the personal information is being used.

Retention
1. How long are the data being retained, and why?
»» State the length of time the data are retained.
»» What is the basis for retaining the data that long? Specify the reason(s).

2. Are the data being retained by the organization, or is retention outsourced?
»» Specify whether the data retention process is done in-house or handled by a service provider.

Disclosure/Sharing
1. To whom are the data being disclosed?

2. Are they being disclosed outside the organization? Why are they being disclosed?
»» Specify whether the personal information is being shared outside the organization.
»» What are the reasons for disclosing the personal information?

Disposal/Destruction
1. How will the data be disposed of?
»» Describe the process of disposing of the personal information.

2. Who will facilitate the destruction of the data?
»» State whether the process is managed in-house or by a third party.

V. Privacy Impact Analysis

Each program, project or means for collecting personal information should be tested for consistency with the
following Data Privacy Principles (as identified in Rule IV, Implementing Rules and Regulations of Republic Act
No. 10173, known as the “Data Privacy Act of 2012”). Respond to the questions by checking either
the “Yes” or “No” column and/or listing what the questions may indicate.

Transparency Yes No

1. Are data subjects aware of the nature, purpose, and extent of the processing
of their personal data?

2. Are data subjects aware of the risks and safeguards involved in the processing
of their personal data?

3. Are data subjects aware of their rights as data subjects and how these
can be exercised?
Below are the rights of the data subjects:
• Right to be informed
• Right to object
• Right to access
• Right to correct
• Right to erasure or blocking
• Right to file a complaint
• Right to damages
• Right to data portability

4. Is there a document available for public review that sets out the policies for
the management of personal data?
Please identify document(s) and provide link where available:


5. Are there steps in place to allow an individual to know what personal data
it holds about them and its purpose of collection, usage and disclosure?

6. Are the data subjects aware of the identity of the personal information
controller or the organization/entity processing their personal data?

7. Are the data subjects provided information about how to contact the
organization’s Data Protection Officer (DPO)?

Legitimate Purpose Yes No

1. Is the processing of personal data compatible with a declared and specified
purpose which is not contrary to law, morals, or public policy?

2. Is the processing of personal data authorized by a specific law or regulation,
or by the individual through express consent?

Proportionality Yes No

1. Is the processing of personal data adequate, relevant, suitable, necessary
and not excessive in relation to a declared and specified purpose?

2. Is the processing of personal data necessary to fulfill the purpose of the
processing, with no other means available?

Collection Yes No

1. Is the collection of personal data for a declared, specified and legitimate
purpose?

2. Is individual consent secured prior to the collection and processing of
personal data?
If no, specify the reason.

3. Is consent time-bound in relation to the declared, specified and legitimate
purpose?

4. Can consent be withdrawn?

5. Are all the personal data collected necessary for the program?

6. Are the personal data anonymized or de-identified?

7. Is the collection of personal data directly from the individual?

8. Is there authority for collecting personal data about the individual from
other sources?

9. Is it necessary to assign or collect a unique identifier for individuals to enable
your organization to carry out the program?

10. Is it necessary to collect a unique identifier of another agency
(e.g. SSS number, PhilHealth, TIN, Pag-IBIG, etc.)?

Use and Disclosure Yes No

1. Will Personal data only be used or disclosed for the primary purpose?

2. Are the uses and disclosures of personal data for a secondary purpose
authorized by law or the individual?

Data Quality Yes No

1. Please identify all steps taken to ensure that all data that is collected, used
or disclosed will be accurate, complete and up to date:
1.1 Information was obtained from a reputable source such as another government agency
1.2 The system is regularly tested for accuracy
1.3 Periodic reviews of the information
1.4 A disposal schedule is in place that deletes information that is over the retention period
1.5 Staff are trained in the use of the tools and receive periodic updates
1.6 Reviews of audit trails are undertaken regularly
1.7 Independent oversight
1.8 Incidents are reviewed for lessons learnt and systems/processes updated appropriately
1.9 Others, please specify


Data Security Yes No

1. Do you have appropriate and reasonable organizational, physical and
technical security measures in place?

Organizational measures refer to the system’s environment, particularly to the
individuals carrying out the processing. Implementing the organizational data protection
policies aims to maintain the availability, integrity, and confidentiality of personal
data against any accidental or unlawful processing (e.g. access control policy,
employee training, surveillance, etc.).

Physical measures refer to the policies and procedures that shall be implemented to
monitor and limit access to and activities in the room, workstation or facility,
including guidelines that specify the proper use of and access to electronic media
(e.g. locks, backup protection, workstation protection, etc.).

Technical measures involve the technological aspect of security in protecting
personal information (e.g. encryption, data center policies, data transfer policies,
etc.).

Organizational Security Yes No

1. Have you appointed a data protection officer or compliance officer?

2. Are there any data protection and security measure policies in place?

3. Do you have an inventory of processing systems? Will you include this
project/system?

4. Are the users/staff that will process personal data through this project/
system under strict confidentiality if the personal data are not intended for
public disclosure?

5. If the processing is delegated to a Personal Information Processor, have you
reviewed the contract with the personal information processor?

Physical Security Yes No

1. Are there policies and procedures to monitor and limit the access to this
project/system?

2. Are the duties, responsibilities and schedule of the individuals that will
handle the personal data processing clearly defined?

3. Are there policies and procedures to prevent destruction of files generated
by this project/system?


Technical Security Yes No

1. Is there a security policy with respect to the processing of personal data?
Do you have policies and procedures to restore the availability of and
access to personal data when an incident happens?
Do/Will you regularly test, assess and evaluate the effectiveness of the
security measures of this project/system?
Are the personal data processed by this project/system encrypted
while in transit or at rest?

2. Has the program taken reasonable steps to protect the personal data it
holds from misuse and loss and from unauthorized access, modification or
disclosure?

3. If yes, which of the following has the program undertaken to protect
personal data across the information lifecycle:
3.1 Identifying and understanding information types
3.2 Assessing and determining the value of the information
3.3 Identifying the security risks to the information
3.4 Applying security measures to protect the information
3.5 Managing the information risks

Disposal Yes No

1. The program will take reasonable steps to destroy or de-identify personal
data if it is no longer needed for any purpose.
If YES, please list the steps.

Cross-border Data Flows (Optional) Yes No

1. The program will transfer personal data to an organization or person
outside of the Philippines.
If YES, please describe:

2. Personal data will only be transferred to someone outside of the Philippines
if any of the following apply:
a. The individual consents to the transfer
b. The organization reasonably believes that the recipient is subject to laws or a
contract enforcing information handling principles substantially similar to the
DPA of 2012
c. The transfer is necessary for the performance of a contract between the
individual and the organization
d. The transfer is necessary as part of a contract in the interest of the individual
between the organization and a third party
e. The transfer is for the benefit of the individual.

3. The organization has taken reasonable steps so that the information
transferred will be stored, used, disclosed and otherwise processed
consistently with the DPA of 2012.
If YES, please describe steps:

VI. Privacy Risk Management

For the purpose of this section, a risk refers to the potential of an incident to result in harm or danger
to a data subject or organization. Risks are those that could lead to the unauthorized collection, use,
disclosure or access to personal data. It includes risks that the confidentiality, integrity and availability
of personal data will not be maintained, or the risk that processing will violate rights of data subjects
or privacy principles (transparency, legitimacy and proportionality).

The first step in managing risks is to identify them, including threats and vulnerabilities, and to
evaluate their impact and probability.

The following definitions are used in this section:

a. Risk - “the potential for loss, damage or destruction as a result of a threat exploiting a
vulnerability”;
b. Threat - “a potential cause of an unwanted incident, which may result in harm to a system
or organization”;
c. Vulnerability - “a weakness of an asset or group of assets that can be exploited by one or more
threats”;
d. Impact - severity of the injuries that might arise if the event does occur (can be ranked from
trivial injuries to major injuries); and
e. Probability - the chance or likelihood of something happening.


Impact

Rating | Type | Description
1 | Negligible | The data subjects will either not be affected or may encounter a few inconveniences, which they will overcome without any problem.
2 | Limited | The data subjects may encounter significant inconveniences, which they will be able to overcome despite a few difficulties.
3 | Significant | The data subjects may encounter significant inconveniences, which they should be able to overcome but with serious difficulties.
4 | Maximum | The data subjects may encounter significant inconveniences, or even irreversible consequences, which they may not overcome.

Probability

Rating | Type | Description
1 | Unlikely | Not expected, but there is a slight possibility it may occur at some time.
2 | Possible | Casual occurrence. It might happen at some time.
3 | Likely | Frequent occurrence. There is a strong possibility that it might occur.
4 | Almost Certain | Very likely. It is expected to occur in most circumstances.

Select the appropriate level or criteria of impact and probability to better assess the risk. Kindly refer
to the table below for the criteria.

Note: Try to itemize your risks by designating a reference number. This will be used as a basis in the
next sections (VII. Recommended Privacy Solutions and VIII. Sign off and Action Plan). Also, base the risks
on the violation of privacy principles, rights of data subjects and confidentiality, integrity and availability
of personal data.

Ref # | Threats/Vulnerabilities | Impact (1 2 3 4) | Probability (1 2 3 4) | Risk Rating

* add additional rows if needed


Kindly follow the formula below for getting the Risk Rating:

Risk Rating = Impact x Probability

PRIVACY RISK MAP (rows: Impact, columns: Probability)

            Probability
Impact      1    2    3    4
  4         4    8   12   16
  3         3    6    9   12
  2         2    4    6    8
  1         1    2    3    4

Kindly refer to the table below for the criteria

Rating | Type
1 | Negligible
2-4 | Low Risk
6-9 | Medium Risk
12-16 | High Risk
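
The scoring rules of this section (Risk Rating = Impact x Probability, then the rating bands above) are small enough to implement as a scorer for the section VI risk register, which also lets an assessor check that every reachable product falls inside a band. The following Python is an added example written for this edition of the page; it is not part of the NPC template, and the register entries, threat descriptions and scores in it are constructed for illustration only.

```python
"""Risk register scoring for a Privacy Impact Assessment (PIA).

Added example: implements the Impact x Probability rating and the bands
from the criteria table (1 = Negligible, 2-4 = Low, 6-9 = Medium,
12-16 = High). The register entries below are constructed, not taken
from any real assessment.
"""
from __future__ import annotations

from dataclasses import dataclass

# Scales from the Impact and Probability tables of the template.
IMPACT_LEVELS = {1: "Negligible", 2: "Limited", 3: "Significant", 4: "Maximum"}
PROBABILITY_LEVELS = {1: "Unlikely", 2: "Possible", 3: "Likely", 4: "Almost Certain"}

# (low, high, band) from the criteria table. With 1..4 scales the only
# reachable products are 1, 2, 3, 4, 6, 8, 9, 12 and 16, so the gaps in the
# bands (5, 7, 10, 11, 13, 14, 15) never occur; all_products_banded() checks this.
RISK_BANDS = [(1, 1, "Negligible"), (2, 4, "Low Risk"),
              (6, 9, "Medium Risk"), (12, 16, "High Risk")]


def risk_rating(impact: int, probability: int) -> int:
    """Risk Rating = Impact x Probability, with both inputs validated."""
    if impact not in IMPACT_LEVELS:
        raise ValueError(f"impact must be 1-4, got {impact!r}")
    if probability not in PROBABILITY_LEVELS:
        raise ValueError(f"probability must be 1-4, got {probability!r}")
    return impact * probability


def rating_is_banded(rating: int) -> bool:
    """True when the criteria table assigns a band to this rating."""
    return any(low <= rating <= high for low, high, _ in RISK_BANDS)


def risk_band(rating: int) -> str:
    """Map a rating to its band; values outside the table raise rather than guess."""
    for low, high, band in RISK_BANDS:
        if low <= rating <= high:
            return band
    raise ValueError(f"rating {rating} is outside the template's bands")


def all_products_banded() -> bool:
    """Sanity check: every Impact x Probability product has a band."""
    return all(rating_is_banded(i * p)
               for i in IMPACT_LEVELS for p in PROBABILITY_LEVELS)


@dataclass(frozen=True)
class RiskEntry:
    """One row of the section VI table: Ref #, threat/vulnerability, scores."""
    ref: int
    threat: str
    impact: int
    probability: int

    @property
    def rating(self) -> int:
        return risk_rating(self.impact, self.probability)

    @property
    def band(self) -> str:
        return risk_band(self.rating)


def score_register(entries: list[RiskEntry]) -> list[RiskEntry]:
    """Order the register highest rating first (ties keep Ref # order), which is
    the order in which sections VII and VIII should treat the risks."""
    return sorted(entries, key=lambda e: (-e.rating, e.ref))


def privacy_risk_map() -> str:
    """Render the 4x4 Privacy Risk Map: rows are Impact 4..1, columns Probability 1..4."""
    header = "Impact \\ Probability" + "".join(f"{p:5d}" for p in PROBABILITY_LEVELS)
    rows = [f"{i:20d}" + "".join(f"{i * p:5d}" for p in PROBABILITY_LEVELS)
            for i in sorted(IMPACT_LEVELS, reverse=True)]
    return "\n".join([header, *rows])


# Constructed sample register (hypothetical findings, not from a real PIA).
SAMPLE_REGISTER = [
    RiskEntry(1, "Backup media stored off-site without encryption", 4, 2),
    RiskEntry(2, "Shared login on the HR records workstation", 3, 3),
    RiskEntry(3, "Privacy notice omits the DPO contact details", 1, 4),
    RiskEntry(4, "No retention schedule; records kept indefinitely", 4, 3),
]

if __name__ == "__main__":
    print(privacy_risk_map())
    for entry in score_register(SAMPLE_REGISTER):
        print(f"Ref {entry.ref}: {entry.rating:2d} {entry.band:12s} {entry.threat}")
```

Run stand-alone it prints the risk map and the sample register ordered by rating, so the highest-rated reference numbers are the ones to carry first into the Recommended Privacy Solutions and Sign off tables; the frozen dataclass keeps a scored row from being edited after approval.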

VII. Recommended Privacy Solutions

From the risks stated in the previous section, identify the recommended solution or mitigation
measures. You can cite your existing controls to treat the risks in the same column.


Ref# | Recommended Solutions (Please provide justification) | Approved (Y/N)

* add additional rows if needed

VIII. Sign off and Action Plan

State the approved solutions based on the solutions stated in the previous section. Indicate the person who
approved each and its completion date.

Ref# | Approved Solution | Approved by | Completion Date

* add additional rows if needed

Signatures:

Program/Process Owner Signature Date


Data Protection Officer Signature Date

Head of the Organization Signature Date

3. BE ACCOUNTABLE:
WRITE YOUR PRIVACY MANAGEMENT PROGRAM
AND PRIVACY MANUAL

Privacy Management Program Guide

The digital age has undeniably made the world interconnected. At the same time, it has entailed extensive
use of our personal data in corporate, professional and personal transactions. It may have resulted in
efficient and optimized processes, but it has exposed us to various security risks.

Over a billion records of personally identifiable information have been stolen in recent years worldwide.
Organizations incurred an average cost of $4 million due to data breaches in 2016, according to an
IBM and Ponemon Institute study. In the Philippines alone, a security breach at the Commission on
Elections exposed the personal information of about 55 million voters.

The losses and dangers from data breach prompted global waves of data protection policies. In 2012, the
Philippines legislated Republic Act No. 10173, also known as the Data Privacy Act (DPA). It created the
National Privacy Commission (NPC) to safeguard our fundamental right to privacy while supporting
the free flow of information as the backbone of the new digital economy. The NPC was established in
2016 and is now set to implement the DPA.

With this, government and private organizations covered by the DPA, namely the personal information
controllers (PICs) and personal information processors (PIPs), probably have several questions in mind.
How do we comply with the provisions of the law? How do we avoid committing any data privacy violation?
Where do we start? The simplest answer is to have a Privacy Management Program (PMP) in place.

A Privacy Management Program is a holistic approach to privacy and data protection, important for all
agencies, companies or other organizations involved in the processing of personal data. It is a process
intended to embed privacy and data protection in the strategic framework and daily operations of a
personal information controller or personal information processor. The Privacy Management Program
is maintained through organizational commitment and oversight of coordinated projects and activities
implemented throughout the agency, company or organization. It allows efficient use of available
resources, implements control measures to assure privacy and data protection, and puts in place a
system for review to allow for improvements responsive to data privacy best practices and technological
developments.

A Privacy Management Program is an acknowledgement by the PIC or PIP of their accountability [1]
for complying with the requirements of the Act and their responsibility for personal data under their
control or custody. [2] The Act mandates that PICs and PIPs ensure implementation of data privacy
principles, [3] security measures, [4] and procedures for data subjects to exercise their rights. [5] The objective
of a Privacy Management Program is to pave the way for changes within the organization that will:
strengthen data processing systems to minimize the costs of personal data breaches; allow meaningful
use of information for the benefit of both the organization and the data subjects; and manage the
challenges of the digital age to safeguard the right to information privacy.

[1] Data Privacy Act Sec. 14 (The personal information processor shall comply with all the requirements of this Act and other applicable laws.).
[2] Data Privacy Act Sec. 21 (Each personal information controller is responsible for personal information under its control or custody), 21(a) (The
personal information controller is accountable for complying with the requirements of this Act and shall use contractual or other reasonable means
to provide a comparable level of protection while the information are being processed by a third party).
[3] Data Privacy Act Sec. 11 (The personal information controller must ensure implementation of personal information processing principles set out
herein.)
[4] Data Privacy Act Sec. 20 (The personal information controller must implement reasonable and appropriate organizational, physical and technical
measures.)
[5] Data Privacy Act Secs. 16-19 (Rights of Data Subjects).

But creating, implementing and enhancing a Privacy Management Program is no easy task. It takes
thorough planning to ensure all pertinent aspects of your operations are considered and that protection
of customers’ and employees’ information comes first.

Why create a Privacy Management Program?

It puts everyone on the same page. A PMP provides an easier way to explain to the management and
staff: why are we doing this, what are the results we expect, what are the benefits of those results, and
what do we need to do to get there. With this, you will smoothly get everyone on board.

Compliance with the Act becomes more manageable. As a PMP outlines everything that stakeholders
need to know about the what(s) and how(s) of data privacy, there is a reduced likelihood you will violate
the DPA and incur penalties.

It gives PICs and PIPs competitive advantage. Implementing a PMP shows your organization’s
commitment to protect the personal information of your customers. This, in turn, leads to increased
trust and higher patronage.

It saves PICs and PIPs from avoidable expenses. ‘Clean up’ costs during personal data breaches may
be prevented through a strong PMP. Further, it helps safeguard the reputation of organizations and
individuals as well.

Key Components of a Privacy Management Program

A strong PMP has Organizational Commitment and Program Controls at its foundation.

1. Organizational Commitment

PICs and PIPs (both public and private) should develop and maintain a PMP intended to
allow the agency, company or organization to give effect to the data privacy principles of the
Data Privacy Act of 2012 (RA 10173), to put in place security measures for data protection, and
to provide a means for data subjects to exercise their rights. This means creating a governance
structure, built on the acknowledgment by the PICs and PIPs of their accountability for privacy
and data protection. From top management, the responsibility for compliance should be
shared by all those involved in the processing of personal data, driven by an organizational
commitment to cultivate a culture of privacy. The PMP, through its program controls, shall
allow privacy and data protection to be incorporated in the daily operations of the PIC or PIP.

1.1. Buy-in from the Top

Top management support is key to a successful PMP and essential for the emergence of a
culture of privacy in the PIC or PIP.

The PIC or PIP, through head of agency or Board, shall drive the urgency within the
organization to comply with the Data Privacy Act, its IRR and related issuances of the NPC.
The commitment to comply may be demonstrated by maintaining a Privacy Management
Program, and allocating resources to ensure its successful implementation.

CHAPTER II FIVE PILLARS: 3. WRITE YOUR PMP & PM

The PMP is a means to implement control measures for privacy and data protection and to
put in place a review system for assessment and continuous improvement of the program.
Through the PMP, privacy and data protection will be embedded in the organization’s
policies, procedures, projects and other activities.

This means that top management should:

• appoint the Data Protection Officer(s);
• endorse a set of program controls; and
• report to the Board, as appropriate, on the program.

1.2. Data Protection Officer

A PIC or PIP shall designate an individual or individuals who shall function as DPO.
The DPO shall be accountable for ensuring the compliance by the PIC or PIP with the
DPA, its IRR, issuances by the NPC, and other applicable laws and regulations relating
to privacy and data protection. The DPO shall be responsible for structuring, designing
and managing the privacy management program, including compliance monitoring,
risk assessment, policy and procedure development, capacity building and data subject
assistance.

Please refer to NPC Advisory 17-01: Designation of Data Protection Officers for the list of
functions of a DPO.

PICs and PIPs face competing interests and personal data protection is one program of
many. Personal data protection should be seen not just as legal compliance but also in
terms of improving processes, customer/citizen relationship management, and reputation.
The importance of the PMP should be recognized at all levels. It is important to build
it into every major function involving the use of personal data, including product/
service development, customer services or public relations initiatives. The responsibility
for complying with the Data Privacy Act shall be cascaded to process owners, and the
organization’s personnel.

The Data Protection Officer should be a full time or regular employee. Where employment
is based on contract, the term should be for at least two years. In larger organizations
with complex operations, or those where data processing is high risk, the Data Protection
Officer may need to be supported by dedicated staff. Resources should be channeled to
provide the DPO with training, equipment, and time to allow fulfillment of functions.

1.3. Reporting

The PIC or PIP should establish internal reporting mechanisms to ensure that the privacy
management program is properly structured and to determine whether it is functioning as
expected. In larger organizations, the audience for this information is likely to be top
management, and in turn, top management reports to the board of directors. All reporting
mechanisms should be reflected in the PIC or PIP’s program controls.

PICs and PIPs should establish an internal audit and assurance program to monitor compliance
with the Data Privacy Act. This could take the form of customer/citizen and employee
feedback (for smaller organizations) and third-party verifications (for larger organizations).
Should the PIC or PIP be subject to an inquiry, an inspection or an investigation, these
reports may be helpful in demonstrating the organization’s compliance with the law.

However, there is more to reporting. There will be times when escalation of personal data
issues should be considered (e.g., when there is a security breach or in case of complaints).
Escalation means both involving people of relevant responsibility and ensuring that the
needed persons in the PIC or PIP are included in the resolution of the issue. In large
PICs and PIPs, this could include, for example, representatives from technical, legal and
corporate communications streams. How and when to escalate should be clearly defined
and explained to employees. To ensure that related processes are being followed, PICs and
PIPs may need to monitor whether the necessary steps are being taken when triggered.
They may find it useful to conduct test runs, for example, for their personal data breach
identification, escalation and containment protocols.

An effective reporting program has the following characteristics:

• clearly defines its reporting structure (in terms of reporting on its overall compliance
activities) as well as employee reporting structures in the event of a complaint or a
potential breach;
• tests and reports on the results of its internal reporting structures; and
• documents all of its reporting structures.

2. Program Controls

These ensure that what is mandated in the governance structure is implemented by the PIC or
PIP. Program controls will assist the Data Protection Officer in monitoring compliance with the
Data Privacy Act, and in evaluating the privacy management program within the organization.

2.1. Records of Processing Activities

PICs and PIPs should know what kinds of personal data they hold, how the personal data is
being used, and whether they really need those data at all.

Understanding and documenting the types of personal data that a PIC or PIP collects and
where it is held (e.g. whether the data has been passed to any PIP) are important. This
will affect the type of consent they obtain from individuals and how the data is protected;
and it will make it easier to assist individuals in exercising their data access and correction
rights. This will also assist the PIC or PIP in complying with registration requirements.
Every component of an accountable, effective PMP begins with personal data inventory.

Every PIC and PIP should document:

• the kinds of personal data it holds and where it is held (i.e. within the PIC or by the PIP);
and
• the reason(s) why it is collecting, using or disclosing personal data.

2.2. Risk Assessment Tools

Proper use of risk assessment tools can help prevent problems. The NPC recommends the
conduct of Privacy Impact Assessments for programs, projects, processes and technology
use that involve processing of personal data. The conduct of a PIA assists the PIC or PIP
in managing privacy risks and in determining the appropriate level of security required by
its personal data processing.

Risk assessments should be conducted throughout the PIC or PIP. Fixing a personal data
problem after the fact can be costly. Therefore, it is vital that careful consideration of the
purposes for a particular initiative, product or service, and an assessment that minimizes
any personal data impacts is done.

2.3. Policies and Procedures

The key components of the PMP should be included in a Privacy Manual or other internal
policies that address obligations and requirements under the law. These policies should be
made available to all employees and updated periodically.

PICs and PIPs should develop internal policies that address the obligations under
the law to adhere to data privacy principles, put in place security measures, and provide
procedures for data subjects to exercise their rights. These policies should be developed
to put in place controls at every stage of the personal data life cycle, from collection to
storage or disposal. These policies should be documented and should show how they
connect to the legal requirements.

The key policies that PICs and PIPs should have in place include:

• Collection of personal data;
• Use of personal data including the requirements for consent;
• Retention and disposal of personal data;
• Data quality assurance;
• Security of personal data;
• Data sharing and cross-border transfers;
• Transparency of their personal data policies and practices; and
• Access to and correction of personal data and other data subject rights.

PICs and PIPs should also consider incorporating the personal data compliance
requirements in their other policies such as contract management policies, procurement
policies, human resources policies and policies dealing with the disclosure of personal data
to regulatory bodies, law enforcement agencies and other government agencies.

2.4. Security Measures

The PIC or PIP should have in place organizational, physical and technical security measures
for the purpose of maintaining the confidentiality, integrity and availability of personal data.
These measures should include:

(1) Safeguards to protect its computer network against accidental, unlawful or unauthorized
usage or interference with or hindering of their functioning or availability;

(2) A security policy with respect to the processing of personal information;

(3) A process for identifying and accessing reasonably foreseeable vulnerabilities in its
computer networks, and for taking preventive, corrective and mitigating action against
security incidents that can lead to a security breach; and

(4) Regular monitoring for security breaches and a process for taking preventive, corrective
and mitigating action against security incidents that can lead to a security breach.

For organizations that handle personal data for more than 1,000 individuals, NPC
recommends the use of the ISO/IEC 27002 control set as the minimum standard to assess
any gaps in your control framework.

2.5. Capacity Building

In order for the PMP to be effective, relevant employees should be made aware of personal
data protection generally and be conversant with the PIC or PIP’s policies and practices
for compliance with the law. Those who handle personal data directly may need additional
training specifically tailored to their roles. Training and education need to be current and
relevant.

Employees will be better able to protect personal data when they can recognize
a matter as one that involves personal data protection. Even if PICs and PIPs have very
sound policies and program controls, if employees do not follow them the PMP has
broken down. Employees should be reminded that complying with the PIC or PIP’s policies
and program controls is an integral part of their duties.

There are many ways for PICs and PIPs to deliver training and general personal data
protection education. Examples include small group sessions, one-on-one training,
monthly e-newsletters, or inserting modules within training on organization policies. The
PIC or PIP should document its training processes and measure participation and success.

For personal data protection training and education to be effective, it should:

• be given to new employees and periodically thereafter;
• cover the policies and procedures established by the PIC or PIP;
• be delivered in an appropriate and effective manner, based on organizational needs; and
• circulate essential information to relevant employees as soon as practical if an urgent
need arises.

2.6. Registration and Notification Requirements

The PMP should ensure compliance with the notification and reporting requirements
under the Data Privacy Act. These include:

a. Registration of personal data processing systems operating in the country when the
PIC or PIP employs at least 250 employees, when processing involves sensitive personal
information of at least one thousand (1,000) individuals, when processing is not
occasional, or when processing poses a risk to the rights and freedoms of data subjects;

b. Notification of automated processing operations where the processing becomes the sole
basis of making decisions that would significantly affect the data subject; and

c. Breach notification and annual report of the summary of documented security incidents
and personal data breaches.

2.7. Breach Management

Personal data breaches are expensive and could lead to loss of trust.

PICs and PIPs should have policies and procedures in place to prevent or minimize the
occurrence of a personal data breach, including a security incident policy. The PIC or
PIP should constitute a data breach response team with clear reporting lines and at least
one member with the capacity to make decisions in case of a breach. There must be an
incident response procedure that includes guidance on when to notify the NPC or data
subjects, and when to involve external agencies such as law enforcement.

In handling a personal data breach, PICs and PIPs should consider the circumstances of
the breach, and decide whether any of the persons identified in NPC Circular No. 16-03
should be notified.

2.8. PIP Management

Personal data handling by the PIP is another key area to consider.

The types of obligations to be imposed on a PIP should include the following:

• security measures to be taken by the PIP;
• timely return, destruction or deletion of personal data no longer required;
• prohibition against other use and disclosure;
• prohibition (absolute or qualified) against sub-contracting to other service providers;
• reporting of irregularities;
• measures to ensure contract staff’s compliance with the agreed obligations;
• the PIC’s right to audit and inspect; and
• consequences for violation of the contract.

For additional guidelines, please refer to Rule X. Outsourcing and Subcontracting
Agreements, of the IRR.

2.9. Communication

PICs and PIPs should take all practical steps to ensure employees and customers/citizens
can ascertain their personal data policies and practices.
Communication should be clear and easily understandable and not simply a reiteration of
the Data Privacy Act. In general, it should:

• provide enough information so that the public knows the purpose of the collection, use
and disclosure of personal data and how long it is retained;
• include information on who to contact with questions or concerns; and
• be made easily available to individuals.

Individuals should be made aware of their ability to access their personal data held by
the PIC or PIP, and how to request correction or to enquire about the PIC’s or PIP’s
compliance with the law.

Continuing Assessment and Revision

In order to properly protect personal data and meet legal obligations, PICs and PIPs should monitor,
assess and revise their privacy management framework to ensure it remains relevant and effective.

1. Develop an Oversight and Review Plan

An oversight and review plan will help PICs and PIPs keep their PMP on track and up to date.

The Data Protection Officer should monitor data processing systems and ensure conduct
of PIAs when necessary. The policies of the PIC or PIP should include procedures for
documentation, regular review, evaluation, and updating of the privacy and security policies
and practices in the organization. The oversight and review plan should establish performance
measures and include a schedule of when the policies and other program controls will be
reviewed.

The DPO should also develop an oversight and review plan on a periodic basis that sets out
how and when the PMP’s effectiveness will be monitored and assessed. Depending on the
PIC or PIP’s compliance and control infrastructure, such plan may be covered in its overall
oversight and review system.

2. Assess and Revise Program Controls

The effectiveness of program controls should be monitored, periodically audited, and where
necessary, revised.

Monitoring, an ongoing process, should address the following questions:

• What are the latest threats and risks?
• Are the program controls addressing new threats and reflecting the latest complaint or audit
findings, or guidance of the National Privacy Commission?
• Are new services being offered that involve increased collection, use or disclosure of personal
data?
• Is training necessary? If yes, is it taking place? Is it effective? Are policies and procedures
being followed? And is the training program up to date?

If problems are found during the monitoring process, concerns will need to be documented
and addressed by the appropriate officials. Critical issues should be brought to the attention
of top management.

For critical or high-risk processes, periodic internal or external audits are important ways to
assess the effectiveness of a PIC or PIP’s PMP. Otherwise, it is recommended that the Data
Protection Officer should conduct periodic assessments to ensure key processes are being
respected. Through whatever means appropriate, PICs and PIPs need to put in place practical
measures to ensure that employees or contractors are following the mandated policies and
program controls.

Each PIC and PIP will need to decide how to structure its own privacy management program,
taking into consideration a number of factors, including the size of the PIC or PIP, its business/
mandate, and the amount and sensitivity of the personal data it handles.

PICs and PIPs should conduct assessments of their program controls in a focused, continuous
and thorough manner.

Based on the results of the assessment process, the Data Protection Officer should consider
whether to take action to update and revise the program controls. This is a critical responsibility.
The changes should be communicated to employees either as they are made or in “refresher”
education and training modules, as appropriate.

CHECKLIST

KEY COMPONENTS OF A PRIVACY MANAGEMENT PROGRAM

Organizational Commitment

MANAGEMENT BUY IN

The PIC or PIP, through head of agency or Board, resolves to acknowledge the
need to comply with the Data Privacy Act and related issuances of the NPC, and
to acknowledge its accountability for the protection of personal data under its
control or custody.

The PIC or PIP maintains a Privacy Management Program to implement control
measures for privacy and data protection and to put in place a review system for
assessment and continuous improvement of the program.

There are policies, procedures, projects and activities intended to embed privacy
and data protection in the organization’s daily operations.

ACCOUNTABLE AND RESPONSIBLE PERSONS

The PIC or PIP, through head of agency or Board, designates or appoints a Data
Protection Officer or a DPO team.

The PIC or PIP, through head of agency or Board, provides resources for the
DPO to effectively perform its functions.
For the full list of functions, see NPC Advisory 17-01.

The responsibility for complying with the Data Privacy Act has been assigned to
the DPO, process owners, and the organization’s personnel.

REPORTING MECHANISMS

The DPO is assured of means to report to senior management, head of agency or
Board. The DPO shall report on monitoring activities, Privacy Impact Assessment
reports, and the advice and recommendations made to the PIC or PIP.

There is a reporting system for DPA compliance activities, PIAs, audits and
security assessments, breach management, complaints, the exercise of data
subject rights, review processes and means to measure effectiveness of the Privacy
Management Program. This should include reporting to senior management,
and the internal and external stakeholders.

Program Controls

Records of Processing Activities

• There is an inventory of personal data and data processing systems, including
data flows and transfers outside the country.

Risk Assessment

• Privacy impact assessments are conducted in accordance with a PIA plan.
• A process is in place for regularly testing, assessing, and evaluating the effectiveness
of security measures.

Policies and Procedures

• There is a privacy manual containing the key components of the Privacy
Management Program.
• There are policies and procedures to govern the processing of personal data
from collection to storage or disposal. These include policies and procedures:
»» On adhering to data privacy principles
»» On implementing security measures
»» For the data subjects to exercise their rights
»» For the documentation, review and updating of the Privacy Management
Program

Security Measures

• The organization implements organizational, physical and technical security
measures to maintain the confidentiality, integrity and availability of personal
data.

Capacity Building

• There are capacity building, orientation or training programs for employees,
agents or representatives, regarding privacy or security policies.
• The Data Protection Officer is provided time, resources, equipment and training to
keep up to date with developments in data privacy and security.
• Knowledge building on privacy and data protection is supported through privacy
awareness projects or by making resource materials available.

Registration and Notification

• The organization complies with reporting and notification requirements.
• Data processing systems have been registered.

Breach Management

• A Breach Management Program is in place, including personal data breach
notification and an annual report on breaches and security incidents.
For the full list, see NPC Circular 16-03.

Personal Information Processor and Third Party Management (for PICs)

• Transfers of personal data are covered by data sharing agreements when
applicable.
• Contractual and other means are used to assure protection for personal data
being processed by a third party.
• Outsourcing contracts and agreements with PIPs are reviewed (for contract
considerations, refer to Rule X of the IRR).

Communication

• Any information and communication relating to the processing of personal
data is easy to access and understand, using clear and plain language.
• Privacy notices are maintained.
• Procedures are in place to address complaints and to allow for the exercise of data
subject rights.

CONTINUING ASSESSMENT AND DEVELOPMENT

Oversight and Review Plan

The Data Protection Officer monitors data processing systems and ensures the
conduct of PIAs when necessary.

Policies provide for documentation, regular review, evaluation, and updating of
the privacy and security policies and practices in the organization.

The organization conducts and updates PIAs regularly, and when there are new
programs, projects and products, a change in law or regulation, or other changes
within the organization.

The Privacy Management Program is regularly assessed and revised, taking into
account PIAs, effectiveness of implementation, and data privacy best practices.

The organization monitors emerging technologies, new threats and risks to data
processing systems, international data protection standards, and the legal and
ICT environment.

References:

Office of the Privacy Commissioner for Personal Data, Hong Kong, Privacy Management Program, A Best
Practice Guide available at https://www.pcpd.org.hk/pmp/files/PMP_guide_e.pdf (last accessed June 12, 2017).
Data Privacy Act of 2012 and its Implementing Rules and Regulations (Philippines)

PRIVACY MANUAL GUIDE

Background

Republic Act No. 10173, also known as the Data Privacy Act of 2012 (DPA), aims to protect personal
data in information and communications systems both in the government and the private sector.

It ensures that entities or organizations processing personal data establish policies, and implement
measures and procedures that guarantee the safety and security of personal data under their control
or custody, thereby upholding an individual’s data privacy rights. A personal information controller
or personal information processor is instructed to implement reasonable and appropriate measures to
protect personal data against natural dangers such as accidental loss or destruction, and human dangers
such as unlawful access, fraudulent misuse, unlawful destruction, alteration and contamination.

To inform its personnel of such measures, each personal information controller or personal information
processor is expected to produce a Privacy Manual. The Manual serves as a guide or handbook for
ensuring the compliance of an organization or entity with the DPA, its Implementing Rules and
Regulations (IRR), and other relevant issuances of the National Privacy Commission (NPC). It also
encapsulates the privacy and data protection protocols that need to be observed and carried out within
the organization for specific circumstances (e.g., from collection to destruction), directed toward the
fulfillment and realization of the rights of data subjects.

I. INTRODUCTION

This section lays down the basis of the Manual. Hence, it should provide an overview of the DPA, its
IRR and other policies that relate to data protection and which are relevant issuances to the industry
or sector of the organization, as well as the transactions it regularly carries out.

In brief, it should discuss how the organization complies with the data privacy principles, and upholds
the rights of the data subjects, both of which are laid out in the DPA.

It is important that this portion impresses upon the user or reader why it is necessary for the organization
to have a Privacy Manual.

Example:

This Privacy Manual is hereby adopted in compliance with Republic Act No. 10173 or the Data
Privacy Act of 2012 (DPA), its Implementing Rules and Regulations, and other relevant policies,
including issuances of the National Privacy Commission. This organization respects and values
your data privacy rights, and makes sure that all personal data collected from you, our clients
and customers, are processed in adherence to the general principles of transparency, legitimate
purpose, and proportionality.

This Manual shall inform you of our data protection and security measures, and may serve as
your guide in exercising your rights under the DPA.

II. DEFINITION OF TERMS

Terms used in the Manual must be defined for consistency and uniformity in usage. This portion will
make sure of that, and allow users of the Manual to understand the words, statements, and concepts
used in the document.

Examples:

“Data Subject” – refers to an individual whose personal, sensitive personal or privileged
information is processed by the organization. It may refer to officers, employees, consultants,
and clients of this organization.

“Personal Information” – refers to any information whether recorded in a material form or not,
from which the identity of an individual is apparent or can be reasonably and directly ascertained
by the entity holding the information, or when put together with other information would
directly and certainly identify an individual.

“Processing” – refers to any operation or any set of operations performed upon personal
information including, but not limited to, the collection, recording, organization, storage,
updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or
destruction of data.

III. SCOPE AND LIMITATIONS

This section defines the coverage of the Manual. Given that the document is essentially an internal
issuance and is meant for the use and application of the organization’s staff or personnel, that fact
should be emphasized here.

Note that it would be useful to develop a separate Privacy Manual meant for external use or for persons
who deal with the organization. Certain information may be omitted from that version, particularly
those that relate to internal policies or processes that are relevant only to personnel of the organization.

Example:

All personnel of this organization, regardless of the type of employment or contractual
arrangement, must comply with the terms set out in this Privacy Manual.

IV. PROCESSING OF PERSONAL DATA

This section lays out the various data life cycles (or processing systems) in existence within the
organization—from the collection of personal data, to their actual use, storage or retention, and
destruction.

A. Collection (e.g. type of data collected, mode of collection, person collecting information, etc.)

Example:

This company collects the basic contact information of clients and customers, including their full
name, address, email address, contact number, together with the products that they would like to
purchase. The sales representative attending to customers will collect such information through
accomplished order forms.

CHAPTER II FIVE PILLARS: 3. WRITE YOUR PMP & PM

B. Use

Example:

Personal data collected shall be used by the company for documentation purposes, for warranty
tracking vis-à-vis purchased items, and for the inventory of products.

C. Storage, Retention and Destruction (e.g. means of storage, security measures, form of information
stored, retention period, disposal procedure, etc.)

Example:

This company will ensure that personal data under its custody are protected against any
accidental or unlawful destruction, alteration and disclosure, as well as against any other unlawful
processing. The company will implement appropriate security measures in storing collected
personal information, depending on the nature of the information. Personal data gathered
shall not be retained for longer than one (1) year. After one (1) year, all hard and soft
copies of personal information shall be disposed of and destroyed through secure means.

D. Access (e.g. personnel authorized to access personal data, purpose of access, mode of access,
request for amendment of personal data, etc.)

Example:

Due to the sensitive and confidential nature of the personal data under the custody of the
company, only the client and the authorized representative of the company shall be allowed to
access such personal data, for any purpose, except for those contrary to law, public policy, public
order or morals.

E. Disclosure and Sharing (e.g. individuals to whom personal data is shared, disclosure of policy
and processes, outsourcing and subcontracting, etc.).

Example:

All employees and personnel of the company shall maintain the confidentiality and secrecy of all
personal data that come to their knowledge and possession, even after resignation, termination
of contract, or other contractual relations. Personal data under the custody of the company shall
be disclosed only pursuant to a lawful purpose, and to authorized recipients of such data.

V. SECURITY MEASURES

As a personal information controller or personal information processor, an organization must implement
reasonable and appropriate physical, technical and organizational measures for the protection of
personal data. Security measures aim to maintain the availability, integrity and confidentiality of
personal data and protect them against natural dangers such as accidental loss or destruction, and
human dangers such as unlawful access, fraudulent misuse, unlawful destruction, alteration, and
contamination. In this section, you give a general description of those measures.

NPC PRIVACY TOOLKIT

A. Organizational Measures

Every personal information controller and personal information processor must also consider the
human aspect of data protection. The provisions under this section shall include the following:
1. Conduct of Privacy Impact Assessment (PIA)

Example:

The organization shall conduct a Privacy Impact Assessment (PIA) relative to all activities,
projects and systems involving the processing of personal data. It may choose to outsource
the conduct of a PIA to a third party.

2. Data Protection Officer (DPO), or Compliance Officer for Privacy (COP)

Example:

The designated Data Protection Officer is Mr. Juan Dela Cruz, who is concurrently serving
as the Executive Director of the organization.

3. Functions of the DPO, COP and/or any other responsible personnel with similar functions

Example:

The Data Protection Officer shall oversee the compliance of the organization with the DPA,
its IRR, and other related policies, including the conduct of a Privacy Impact Assessment,
implementation of security measures, security incident and data breach protocol, and the
inquiry and complaints procedure.

4. Duty of Confidentiality

Example:

All employees will be asked to sign a Non-Disclosure Agreement. All employees with access
to personal data shall operate and hold personal data under strict confidentiality if the
same is not intended for public disclosure.

5. Conduct of trainings or seminars to keep personnel, especially the Data Protection Officer,
updated on developments in data privacy and security

Example:

The organization shall sponsor a mandatory training on data privacy and security at least
once a year. For personnel directly involved in the processing of personal data, management
shall ensure their attendance and participation in relevant trainings and orientations, as
often as necessary.

6. Review of Privacy Manual


Example:

This Manual shall be reviewed and evaluated annually. Privacy and security policies and
practices within the organization shall be updated to remain consistent with current data
privacy best practices.

7. Recording and documentation of activities carried out by the DPO, or the organization itself,
to ensure compliance with the DPA, its IRR and other relevant policies.

Example:

There shall be a detailed and accurate documentation of all activities, projects and
processing systems of the company, to be carried out by the Risk Management Officer, in
coordination with the Data Protection Officer.

B. Physical Measures

This portion shall feature the procedures intended to monitor and limit access to the facility
containing the personal data, including the activities carried out there. It shall provide for the
actual design of the facility, the physical arrangement of equipment and furniture, the permissible
modes of transfer, and the schedule and means of retention and disposal of data, among others. To
protect personal data under the custody of the organization from mechanical destruction, tampering
and alteration arising from man-made disasters, power disturbances, external access, and other
similar threats, provisions like the following must be included in the Manual:

1. Format of data to be collected

Example:

Personal data in the custody of the organization may be in digital/electronic format and
paper-based/physical format.

2. Storage type and location (e.g. filing cabinets, electronic storage system, personal data room/
separate room or part of an existing room);

Example:

All personal data being processed by the organization shall be stored in a data room, where
paper-based documents are kept in locked filing cabinets while the digital/electronic files
are stored in computers provided and installed by the company.

3. Access procedure of agency personnel

Example:

Only authorized personnel shall be allowed inside the data room. For this purpose, they
shall each be given a duplicate of the key to the room. Other personnel may be granted
access to the room upon filing of an access request form with the Data Protection Officer
and the latter’s approval thereof.


4. Monitoring and limitation of access to room or facility

Example:

All personnel authorized to enter and access the data room or facility must fill out and
register with the online registration platform of the organization, and a logbook placed
at the entrance of the room. They shall indicate the date, time, duration, and purpose of
each access.

5. Design of office space/work station

Example:

The computers are positioned with considerable spaces between them to maintain privacy
and protect the processing of personal data.

6. Persons involved in processing, and their duties and responsibilities

Example:

Persons involved in processing shall always maintain confidentiality and integrity of
personal data. They are not allowed to bring their own gadgets or storage device of any
form when entering the data storage room.

7. Modes of transfer of personal data within the organization, or to third parties

Example:

Transfers of personal data via electronic mail shall use a secure email facility with encryption
of the data, including any or all attachments. Facsimile technology shall not be used for
transmitting documents containing personal data.

8. Retention and disposal procedure

Example:

The organization shall retain the personal data of a client for one (1) year from the date
of purchase. Upon expiration of such period, all physical and electronic copies of the
personal data shall be destroyed and disposed of using secure technology.

C. Technical Measures

Each personal information controller and personal information processor must implement
technical security measures to make sure that there are appropriate and sufficient safeguards to
secure the processing of personal data, particularly the computer network in place, including
encryption and authentication processes that control and limit access. They include the following,
among others:

1. Monitoring for security breaches


Example:

The organization shall use an intrusion detection system to monitor for security breaches and
alert the organization to any attempt to interrupt or disturb the system.

2. Security features of the software/s and application/s used

Example:

The organization shall first review and evaluate software applications before the installation
thereof in computers and devices of the organization to ensure the compatibility of security
features with overall operations.

3. Process for regularly testing, assessment and evaluation of effectiveness of security measures

Example:

The organization shall review security policies, conduct vulnerability assessments and
perform penetration testing within the company on a regular schedule to be prescribed by
the appropriate department or unit.

4. Encryption, authentication process, and other technical security measures that control and
limit access to personal data

Example:

Each personnel with access to personal data shall verify his or her identity using a secure
encrypted link and multi-level authentication.

VI. BREACH AND SECURITY INCIDENTS

Every personal information controller or personal information processor must develop and implement
policies and procedures for the management of a personal data breach, including security incidents.
This section must adequately describe or outline such policies and procedures, including the following:

1. Creation of a Data Breach Response Team

Example:

A Data Breach Response Team composed of five (5) officers shall be responsible for ensuring
immediate action in the event of a security incident or personal data breach. The team shall
conduct an initial assessment of the incident or breach in order to ascertain its nature and
extent. It shall also execute measures to mitigate the adverse effects of the incident or
breach.

2. Measures to prevent and minimize occurrence of breach and security incidents

Example:

The organization shall regularly conduct a Privacy Impact Assessment to identify risks in its
processing systems, monitor for security breaches, and perform vulnerability scanning of its
computer networks. Personnel directly involved in the processing of personal data must attend
trainings and seminars for capacity building. There must also be a periodic review of the policies
and procedures being implemented in the organization.

3. Procedure for recovery and restoration of personal data

Example:

The organization shall always maintain a backup file for all personal data under its custody.
In the event of a security incident or data breach, it shall always compare the backup with the
affected file to determine the presence of any inconsistencies or alterations resulting from the
incident or breach.
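One way to carry out the comparison the example above describes, shown here as an added illustration and not as the toolkit's own procedure: when the backup is taken, compute a SHA-256 fingerprint of every record and keep that manifest somewhere the production system cannot overwrite; after an incident, recompute the fingerprints on the live store and report which records were altered, deleted or added. The `Record` type, the record IDs and the sample entries are constructed for this example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
)

// Record is one customer entry of the kind the manual's example collects
// (full name, address, email address, contact number). Hypothetical type.
type Record struct {
	Name    string
	Address string
	Email   string
	Contact string
}

// Fingerprint returns the hex SHA-256 of a record's fields. Each field is
// length-prefixed so that shifting a boundary between fields ("ab","c" versus
// "a","bc") cannot produce the same hash.
func Fingerprint(r Record) string {
	h := sha256.New()
	for _, f := range []string{r.Name, r.Address, r.Email, r.Contact} {
		fmt.Fprintf(h, "%d:", len(f))
		h.Write([]byte(f))
	}
	return hex.EncodeToString(h.Sum(nil))
}

// Manifest maps record ID to fingerprint. Build it when the backup is taken
// and store it where the production system cannot overwrite it, so the
// reference values themselves survive the incident.
func Manifest(store map[string]Record) map[string]string {
	m := make(map[string]string, len(store))
	for id, r := range store {
		m[id] = Fingerprint(r)
	}
	return m
}

// Diff lists the record IDs whose live copy does not match the backup manifest.
type Diff struct {
	Altered []string // present in both, content differs
	Missing []string // in backup, gone from live store
	Added   []string // in live store, not in backup
}

// Compare checks every backed-up record against the live store and vice versa.
func Compare(backup map[string]string, live map[string]Record) Diff {
	var d Diff
	for id, want := range backup {
		r, ok := live[id]
		switch {
		case !ok:
			d.Missing = append(d.Missing, id)
		case Fingerprint(r) != want:
			d.Altered = append(d.Altered, id)
		}
	}
	for id := range live {
		if _, ok := backup[id]; !ok {
			d.Added = append(d.Added, id)
		}
	}
	sort.Strings(d.Altered)
	sort.Strings(d.Missing)
	sort.Strings(d.Added)
	return d
}

// SampleBackup and SampleLive are constructed data for this demonstration:
// the live store has one altered email, one deleted record and one new record.
func SampleBackup() map[string]Record {
	return map[string]Record{
		"C001": {"Juan Dela Cruz", "1 Rizal St, Manila", "juan@example.com", "+63 900 000 0001"},
		"C002": {"Maria Santos", "2 Bonifacio Ave, Cebu", "maria@example.com", "+63 900 000 0002"},
		"C003": {"Jose Reyes", "3 Mabini Rd, Davao", "jose@example.com", "+63 900 000 0003"},
	}
}

func SampleLive() map[string]Record {
	return map[string]Record{
		"C001": {"Juan Dela Cruz", "1 Rizal St, Manila", "juan@example.com", "+63 900 000 0001"},
		"C002": {"Maria Santos", "2 Bonifacio Ave, Cebu", "attacker@example.net", "+63 900 000 0002"},
		"C004": {"Ana Lim", "4 Luna St, Iloilo", "ana@example.com", "+63 900 000 0004"},
	}
}

func main() {
	d := Compare(Manifest(SampleBackup()), SampleLive())
	fmt.Printf("altered=%v missing=%v added=%v\n", d.Altered, d.Missing, d.Added)
}
```

The manifest is only as trustworthy as its storage: if an attacker who altered the live records could also rewrite the manifest, the comparison proves nothing, so keep it on write-once or offline media, or sign it, and compare against the backup copy itself rather than a manifest the production host can reach.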

4. Notification protocol

Example:

The Head of the Data Breach Response Team shall inform the management of the need to
notify the NPC and the data subjects affected by the incident or breach within the period
prescribed by law. Management may decide to delegate the actual notification to the head of
the Data Breach Response Team.

5. Documentation and reporting procedure of security incidents or a personal data breach

Example:

The Data Breach Response Team shall prepare a detailed documentation of every incident
or breach encountered, as well as an annual report, to be submitted to management and the
NPC, within the prescribed period.

VII. INQUIRIES AND COMPLAINTS

Every data subject has the right to reasonable access to his or her personal data being processed by
the personal information controller or personal information processor. Other available rights include:
(1) right to dispute the inaccuracy or error in the personal data; (2) right to request the suspension,
withdrawal, blocking, removal or destruction of personal data; and (3) right to complain and be
indemnified for any damages sustained due to inaccurate, incomplete, outdated, false, unlawfully
obtained or unauthorized use of personal data. Accordingly, there must be a procedure for inquiries
and complaints that will specify the means through which concerns, documents, or forms submitted
to the organization shall be received and acted upon. This section shall feature such procedure.

Example:

Data subjects may inquire or request for information regarding any matter relating to the
processing of their personal data under the custody of the organization, including the data
privacy and security policies implemented to ensure the protection of their personal data. They
may write to the organization at [email protected] and briefly discuss the inquiry, together
with their contact details for reference.

Complaints shall be filed in three (3) printed copies, or sent to [email protected]. The
concerned department or unit shall confirm with the complainant its receipt of the complaint.

VIII. EFFECTIVITY

This section indicates the period of effectivity of the Manual, as well as any other document that the
organization may issue, and which has the effect of amending the provisions of the Manual.

Example:

The provisions of this Manual are effective this __ day of _______, 2017, until revoked or amended
by this company, through a Board Resolution.

IX. ANNEXES

It is considered best practice that an organization provides copies of its policies, sample forms or
templates that are useful or related to the implementation or enforcement of the provisions of the DPA.

Examples:

1. Consent Form
2. Inquiry Summary Form
3. Access Request Form
4. Privacy Notice
5. Request for Correction or Erasure

4. DEMONSTRATE YOUR COMPLIANCE:
IMPLEMENT PRIVACY & DATA PROTECTION
MEASURES

Data Privacy Accountability and Compliance Framework

a. Choose a DPO
b. Register
c. Records of processing activities
d. Conduct Risk Assessment
e. Privacy Management Program
f. Privacy Manual
g. Privacy Notice
h-o. Data Subject Rights
p. Data Life Cycle
q. Organization
r. Physical
s. Technical
   » Data Center
   » Encryption
   » Access Control Policy
   » Vulnerability Assessment and Penetration Testing
t. Data Breach Management
   » Security Policy
   » Data Breach Response Team
   » Incident Response Procedure
   » Document
   » Breach Notification
u. Third Parties:
   » Legal Basis for Disclosure
   » Data Sharing Agreements
   » Cross Border Transfer Agreement
v. Training and Certifications
w. Security Clearance
x. Continuing Assessment and Development
   » Regular Risk Assessment
   » Review Contracts
   » Internal Assessments
   » Review PMP
   » Accreditations
y. New Technologies and Standards
z. New Legal Requirements

I. Governance

a. Choose a DPO

Compliance with the DPA starts by choosing or designating a data protection officer for your
organization. This person or body shall be accountable for ensuring compliance with
applicable laws and regulations for the protection of data privacy and security. The NPC issued
an advisory on designating a DPO.

(please refer to page 11)

II. Risk Assessment

b. Register

The registration system is one of the means by which the NPC can ensure the compliance of
personal information controllers and personal information processors with the Act. It also
assists both the NPC and those involved in the processing of personal data in upholding the
rights of data subjects.

(please refer to page 101)

c. Records of Processing Activities

In Section 1 of the Implementing Rules and Regulations (IRR) of the Data Privacy Act
(DPA), the term “processing” refers to any operation or any set of operations performed upon
personal data including, but not limited to, the collection, recording, organization, storage,
updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or
destruction of data. In general terms, it is changing information in any manner detectable by
any witness or observer. It may be performed through automated means, or through manual
processing if the personal data are contained or intended to be contained in a filing system.

Each processing activity has a data life cycle that starts with the collection of the personal
data and must end with its disposal. Every personal information controller and personal
information processor must keep track of their processing activities. They must clearly
identify the duties and responsibilities of the individuals who currently have, or will have,
access to personal and sensitive personal information. This applies to any internal or external
processing activity that collects, uses, stores or disposes of personal information (or any
equivalent processing activity). Doing so helps the organization keep track of the purpose of
each activity and its alignment with the organization’s objectives.

The record should contain the purpose of the processing of personal data, description of
categories of data subjects, personal data and recipients of information that will be involved
with the processing, information of the data flow, security measures that are in place, and name
and contact details of any individual or individuals accountable for ensuring data protection
of the systems. To know more about this, you may refer to Section 26.c of the IRR of DPA of
2012.

CHAPTER II FIVE PILLARS: 4. IMPLEMENT PDPM

d. Conduct Risk or Impact Assessment

This section describes the privacy risks you’ve identified through the PIA process and how you
propose to mitigate and manage those risks. It can be useful to link this back to the privacy
principles to show why these risks and the proposed actions are relevant.

(please refer to page 19)

III. Organization

e. Privacy Management Program

A Privacy Management Program is a holistic approach to privacy and data protection, important
for all agencies, companies and other organizations involved in the processing of personal data.
It is a process intended to embed privacy and data protection in the strategic framework and
daily operations of a personal information controller or personal information processor.

(please refer to page 41)

f. Privacy Manual

The Privacy Manual serves as a guide or handbook for ensuring the compliance of an
organization or entity with the DPA, its Implementing Rules and Regulations (IRR), and
other relevant issuances of the National Privacy Commission (NPC). It also encapsulates the
privacy and data protection protocols that need to be observed and carried out within the
organization for specific circumstances (e.g., from collection to destruction), directed toward
the fulfillment and realization of the rights of data subjects.

(please refer to page 53)

IV. Day to Day

g. Privacy Notice

It is a statement made to a data subject that describes how the organization collects, uses,
retains and discloses personal information. A privacy notice is sometimes referred to as a
privacy statement, a fair processing statement, or privacy policy.

As a privacy notice aims to empower the public and tell individuals what, how and why personal
data is being collected from them, it should be highly readable to be effective. However, recent
research reveals that only a few people actually read privacy notices.

With the average privacy notice taking ten minutes to read (at most 42 minutes), it is no
surprise that only 16% of internet users take the time to read them, based on the Internet
Society’s Global Internet User Survey. The figure may be even lower in the Philippines, where
the concept of data privacy is just emerging.

This prompted the NPC to compile the following tips on how to craft an effective privacy notice.

Easy-to-read

Privacy notices should be concise and written in plain language as you write for a diverse
audience. A segment of your audience may not be familiar with data privacy. Thus, it is
important to communicate the content clearly. If legal and/or technical terms are to be used,
hyperlink these to a definition.

The notice should be concise, direct, and affirmative. Use short sentences in active voice for
easier understanding. If you are enumerating several items, use bullet points. Each section of
the notice should have an informative heading to accurately describe what follows.

Transparent

To reduce legal risk, the privacy commitments in your notices should be aligned with your
actual privacy practices. Various resources advise that while notices should avoid bold
statements, they should also not be too generic. Notices should cover both current and
prospective privacy practices, which requires strategic planning involving everyone in the
organization.

The key is to conduct factual and legal due diligence. According to the International Association
of Privacy Professionals, factual due diligence allows you to determine what information your
organization uses, while legal due diligence allows you to determine what laws govern the use of
that information. The conduct of a privacy impact assessment may already encompass both.

Frequently Asked Questions regarding Privacy Notice

1. What is the difference between a Privacy Notice and a Privacy Policy?

Privacy Policy: An internal statement that governs an organization or entity’s handling practices
of personal information. It is directed at the users of the personal information. A privacy
policy instructs employees on the collection and the use of the data, as well as any specific
rights the data subjects may have.

Privacy Notice: A statement made to a data subject that describes how the organization collects,
uses, retains and discloses personal information. A privacy notice is sometimes referred to as a
privacy statement, a fair processing statement or sometimes a privacy policy.

2. Why do websites need a Privacy Notice?

Websites need a Privacy Notice because the DPA entitles the data subject to be informed whether
personal information pertaining to him or her shall be, is being, or has been processed.

3. What if my website doesn’t have a Privacy Notice?

If the National Privacy Commission (NPC) issues an enforcement notice requesting that you
either place a Privacy Notice on your site, or cease processing data, failure to comply could
result in prosecution with a possible penalty of P4,000,000.

Generally, Section 65 of the IRR of the DPA provides that violations of the Act, the Rules, and
other issuances and orders of the NPC shall, upon notice and hearing, be subject to compliance and
enforcement orders, cease and desist orders, a temporary or permanent ban on the processing of
personal data, or payment of fines, in accordance with a schedule to be published by the NPC.

4. How do I know if my website requires a Privacy Notice?

If your site does any of the following, a Privacy Notice is required:

• Collects personal data (visitors filling in web forms, feedback forms, etc).
• Uses cookies or web beacons.
• Covertly collects personal data (IP addresses, e- mail addresses.)

5. What information should be contained within a Privacy Notice?

1. SERVICE DESCRIPTION

The organization shall provide an overview of the service or services within the scope of the
notice.

It is important for data subjects to understand the nature of a service and the processing of
the personal information collected, so that they can give meaningful consent. For brevity, the
notice may use a meaningful name or short phrase for each service, but it should be possible
(e.g. via a hyperlink) to associate that name or phrase with an overview of the service
sufficient for data subjects to give meaningful consent.

2. IDENTIFICATION OF THE PERSONAL INFORMATION CONTROLLER

The organization shall provide information specific enough for the data subject to determine
who the Personal Information Controller is.

While who you are may be obvious to some visitors to your site, you should make sure that
you are clearly identifiable. An organization’s name on its own is of little value in this context.
Identification should ideally include complete and useful contact details. Useful details would
include an e- mail address and postal address that a visitor may use if he/she wishes to discuss
any matters relating to the processing of personal data on your website.

3. PERSONAL INFORMATION THAT ARE COLLECTED

a. The organization shall provide information that allows data subjects to understand what
personal information attributes are to be collected, even where the collection of the particular
personal information attributes is obvious.

Rather than using generic language such as “We collect your personal information”, the
organization should list the specific personal information attributes that make up the
personal information collected (e.g., “We collect your name, address and telephone
number.”), even if it is obvious what the collected information is.

b. The organization shall specify which personal information attributes are mandatory for
provision of the service or services.

c. The organization should present the actual personal information attribute value to be
collected before collection, where feasible.

Where it is not feasible to present the actual value to be collected, the organization should
provide a clear example of the attribute values being collected alongside the associated
attribute name (e.g., instead of referring to “telephone number”, the organization should
state “telephone number (01-234-5678)”), so that the data subject can understand what the
attribute name refers to and what kind of values are going to be sent.

Where personal information controller collects the personal information from the data
subject through their Smartphone or Identity provider, the actual value can be shown to the
data subject with the notice before being transferred to the personal information controller.

Showing actual personal information attribute values helps the data subjects to determine if
they want to provide them to the personal information controller especially in the case that
they have multiple values of them. For example, for phone number, the data subject may be
fine to provide his work telephone number but not his personal mobile number.

4. COLLECTION METHOD

a. The organization shall inform the data subject of the collection method for each personal
information attribute. If collection methods differ by attribute, the organization shall inform
the data subject which method applies to which attribute. When the same collection method
applies to multiple attributes, those attributes may be grouped together under that method.
However, if the privacy impact of one or more attributes in the group is markedly higher than
that of the others, according to a general assessment of impact on the corresponding population
of data subjects, it should be communicated separately so that the data subject becomes aware
of the fact.

This is to prevent the “hide a tree in a forest” attack where the attacker buries the high impact
personal information attributes in benign ones to trick the data subject to give consent.

b. The organization shall provide clear explanations of all (obvious or non-obvious) personal
information collection methods.

There are direct and indirect personal information collection methods. The direct collection
method collects personal information from the data subject.

The indirect collection method collects personal information by observing or inferring new
personal information based on existing available personal information or other available
information.

5. TIMING OF COLLECTION

The organization shall give notice about when personal information will be collected, including
where personal information is intended to be collected long after the notification to data
subject.

6. PURPOSE/S FOR WHICH PERSONAL INFORMATION WILL BE COLLECTED AND USED

a. The organization shall specify the purpose of collection of personal information with
specificity and explain how it will be used in a manner that allows the data subject to
clearly and readily understand the purpose. If the purpose of the use varies among the
personal information attributes being collected, the organization shall clearly mark which
purpose applies to which personal information attribute.

b. The organization shall provide the purpose for each personal information attributes in the
notice.

c. The organization shall order the presentation of personal information uses in its notices
according to its general assessment of impact to the corresponding population of data
subjects, highest impact first.

7. STORAGE AND TRANSMISSION OF PERSONAL INFORMATION

The organization should specify the data protection measures on storage, transmission and
reception of the personal information. All personal data that are digitally processed must
be encrypted, whether at rest or in transit. For this purpose, the Commission recommends
Advanced Encryption Standard with a key size of 256 bits (AES-256) as the most appropriate
encryption standard.

8. METHOD OF USE

The organization should notify the data subject whether the personal information will be
used as is, or whether it will be subject to additional processing before being used for the
stated purposes. If the organization intends to process the personal information in some way
prior to using it for the stated purposes, it shall provide relevant information to the data
subject as to what that processing will entail.

9. LOCATION OF PERSONAL INFORMATION

The organization shall specify the location where personal information will be stored and
processed. The granularity of location (e.g. country, state, province) shall be appropriate to the
relevant jurisdiction. If multiple locations are involved, each location shall be specified.

68
NPC PRIVACY TOOLKIT

10. THIRD PARTY TRANSFER

a. The organization shall give notice of whether or not personal information will be transferred
to a third party.

b. If an organization transfers personal information to a third party, it shall provide notification
to the data subject of whom the recipient is. Although the organization needs to identify
and give notice of individual third party recipients, it may specify a group of recipients
using clearly defined criteria where appropriate.

c. If an organization transfers personal information to a third party, it shall provide
notification to the data subject of the purpose(s) for which the personal information is
being transferred.

Kindly refer to Third Parties for more information.

11. RETENTION PERIOD

The organization shall provide information about the retention period and/or the disposal or
de-identification schedule of all personal information that it is collecting.

This may be in the form of a specified period (e.g., 5 years) from the date of collection, or a
specified date (e.g., to be disposed of on 1 January 2019).

12. PARTICIPATION OF DATA SUBJECT

The organization shall provide notification to data subjects of their right to access their personal
information in its possession, as well as their right to have that personal information corrected.
The organization shall give notice of the following aspects of that access:

a. what personal information attributes the data subject can request access to and the means
by which the data subject can make such a request;

b. what information will be required from the data subject in order to authenticate themselves
to an acceptable level of assurance, prior to authorizing access to any personal information
(to avoid the risk of inappropriate disclosure);

c. the timelines within which a request will be acted upon;

d. any fees which may be charged for such access, where the charging of such fees is permitted;

e. the means by which data subjects can challenge the accuracy and completeness of the
personal information and have it amended as appropriate; and

f. where correction of personal information is not possible (e.g., investigation files), the
organization shall explain the reason for refusing to correct the information to the data
subject.

13. INQUIRY


The organization shall provide the contact information for inquiries regarding the processing
of personal information stated in the notice.

6. Where should I place the Privacy Notice?

A Privacy Notice should be placed in a reasonably obvious position on the homepage.
Typically, privacy statements can be found in the sub navigation menu which is normally
situated in a bottom center position on the homepage alongside other menu items such as
Security Statement, Disclaimer, Terms & Conditions etc.

Placing a statement only on a Home Page may not be sufficient, as links from other web sites
or through search engines may bring a visitor into the site via a page other than the Home
Page. The ideal solution to this problem is to place a link to the Privacy Statement on each
page. Alternatively, a link could be placed on any page on which data are collected, though if
the website uses cookies, effectively this could mean all pages.

7. Can I place the Privacy Notice within a “terms & conditions” document?

A Privacy Notice is a legal requirement and is distinct from terms and conditions, copyright or
disclaimer notices. It should stand alone and be clearly identifiable. In order for a Privacy Notice
to be of value, it must be readily accessible to the user, quickly read and easily understood.

8. How often should I review the Privacy Statement?

It should only be necessary to conduct a review if there is some change to on-line processes.
However, some mechanism should be in place to notify the appropriate staff member to
initiate a review if:

• There is a change to data processing on the website
• There is a planned/actual redevelopment of the website
• There is a new web hosting arrangement
• There are suggestions / comments received from site users.

In any case, the Privacy Notice should be reviewed in the context of an internal audit procedure,
which should also review the organizational Privacy Policy, at least on a regular basis. For
more information, kindly refer to Continuity.

9. I am not an IT person, what are cookies?

A cookie is a block of data that a web server places on a user’s PC. Typically, it is used to
ease navigation through the site. However, it is also a useful means of the website identifying
the user, tracking the user’s path through the site, and identifying repeat visits to the site by
the same user (or same user’s machine). This can then lead to a website owner being able to
profile an individual user’s browsing habits - and all potentially done without the knowledge,
or consent, of the user.

10. How do I know if my web site uses cookies?


This should be a question you address to the person who has developed your website, or to
whomever maintains it for you. Most browsers can be set to prevent cookies being downloaded
onto a PC. If you set your browser to block cookies, then visit your own site, you may get an
error message displayed if your site is attempting to download a cookie. Alternatively, you can
look into the “cookie” or “Temporary Internet” folder of your PC and see if you can identify a
cookie placed by your site. Cookies often, but not always, contain site names.
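A more direct way to make that check, as an added example that is not part of the toolkit: a small Go program that parses a web server's response and lists the cookies it asks the visitor's browser to store, separating session cookies (discarded when the browser closes) from persistent ones, which are what allow repeat visits to be recognized. The response below is a constructed sample; pass a URL as the first argument to inspect a live page instead.

```go
package main

import (
	"bufio"
	"fmt"
	"net/http"
	"os"
	"strings"
)

// sampleResponse is a constructed HTTP response standing in for what a web
// server sends back for a page. Each Set-Cookie header is the server asking
// the visitor's browser to store a cookie.
const sampleResponse = "HTTP/1.1 200 OK\r\n" +
	"Content-Type: text/html\r\n" +
	"Set-Cookie: SESSIONID=abc123; Path=/; HttpOnly; Secure\r\n" +
	"Set-Cookie: visitor_id=xyz789; Max-Age=31536000; Path=/\r\n" +
	"Content-Length: 0\r\n" +
	"\r\n"

// CookieReport describes one cookie a response tries to place on the visitor's machine.
type CookieReport struct {
	Name       string
	Persistent bool // carries Expires or Max-Age, so it outlives the browser session
}

// CookiesSetBy lists the cookies a parsed response sets, in header order.
func CookiesSetBy(resp *http.Response) []CookieReport {
	var out []CookieReport
	for _, c := range resp.Cookies() {
		out = append(out, CookieReport{
			Name:       c.Name,
			Persistent: c.MaxAge > 0 || !c.Expires.IsZero(),
		})
	}
	return out
}

// CookiesFromRawResponse parses a raw HTTP response (for example one saved
// from a proxy or a captured session) and reports the cookies it sets.
func CookiesFromRawResponse(raw string) ([]CookieReport, error) {
	resp, err := http.ReadResponse(bufio.NewReader(strings.NewReader(raw)), nil)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	return CookiesSetBy(resp), nil
}

// CookiesFromURL fetches a live page (network required) and reports its cookies.
func CookiesFromURL(url string) ([]CookieReport, error) {
	resp, err := http.Get(url)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	return CookiesSetBy(resp), nil
}

func main() {
	var (
		cookies []CookieReport
		err     error
	)
	if len(os.Args) > 1 {
		cookies, err = CookiesFromURL(os.Args[1]) // e.g. the organization's own homepage
	} else {
		cookies, err = CookiesFromRawResponse(sampleResponse)
	}
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	if len(cookies) == 0 {
		fmt.Println("no cookies set by this page")
	}
	for _, c := range cookies {
		kind := "session cookie (discarded when the browser closes)"
		if c.Persistent {
			kind = "persistent cookie (can identify repeat visits)"
		}
		fmt.Printf("%s: %s\n", c.Name, kind)
	}
}
```

Only the fetched page's own response headers are inspected: cookies set by other pages of the site, or by scripts running in the browser, need a separate check, which is why the toolkit suggests checking every page on which data are collected.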

11. Do I need to submit my Privacy Notice to the National Privacy Commission for approval?

Not required.

References:
• https://iapp.org/resources/glossary/
• https://iapp.org/news/a/2012-09-13-best-practices-in-drafting-plain-language-and-layered-privacy/
• https://iapp.org/news/a/need-to-write-a-solid-privacy-notice-a-few-tips/
• https://www.ftc.gov/tips-advice/business-center/guidance/getting-noticed-writing-effective-financial-privacy-notices
• https://www.dataprotection.ie/docs/PrivStatements/290.htm
• ISO/IEC WD 29184 Information technology — Security techniques — User friendly online privacy notices and consent, December 4, 2016

h. The right to be informed

As a data subject, you have the right to be informed that your personal data shall be, are being
or have been processed.

The right to be informed is a basic right as it empowers you as a data subject to consider other
actions to protect your data privacy and assert your other privacy rights.

This right also requires personal information controllers (PICs) to notify you within a specific
period of time if your data has been compromised, i.e. in the case of a personal data breach.

i. The right to access

Concomitant to your right to be informed, you also have a right to gain reasonable access to
your personal data.

You may request access to the following:

• Contents of your personal data that were processed;
• Sources from which they were obtained;
• Names and addresses of the recipients of your data;
• Manner by which such data were processed;
• Reasons for disclosure to recipients, if there were any;
• Information on automated processes where the data will be, or are likely to be, made the sole
basis for any decision which would significantly affect you;
• Date when your data was last accessed and modified; and
• Name and address of the personal information controller.


j. The right to object

You have a right to object to the processing of your personal data, including processing for
direct marketing, automated processing or profiling.

You likewise have the right to be notified and given an opportunity to withhold consent to the
processing in case of changes to the information given to you regarding the processing of your
information.

k. The right to erasure or blocking

Under the law, you have the right to suspend, withdraw or order the blocking, removal or
destruction of your personal data. You can exercise this right upon discovery and substantial
proof of any of the following:

1. Your personal data is incomplete, outdated, false, or unlawfully obtained;
2. It is being used for purposes you did not authorize;
3. The data is no longer necessary for the purposes for which they were collected;
4. You decided to withdraw consent, or you object to its processing, and there is no overriding
legal ground for its processing;
5. The data concerns personal information prejudicial to the data subject — unless justified by
freedom of speech, of expression, or of the press; or otherwise authorized;
6. The processing is unlawful; or
7. The personal information controller, or the personal information processor, violated your
rights as a data subject.

l. The right to damages

You may claim compensation if you suffered damages due to inaccurate, incomplete, outdated,
false, unlawfully obtained or unauthorized use of personal data, considering any violation of
your rights and freedoms as data subject.

m. The right to file a complaint

If you are the subject of a privacy violation or personal data breach, or are otherwise
personally affected by a violation of the DPA, you may file a complaint with the NPC.

n. The right to rectification

You have the right to dispute any inaccuracy or error in your personal data and have the
personal information controller correct it immediately, unless the request is vexatious or
unreasonable. Once corrected, the PIC should ensure that you have access to both the new and
the retracted information, and that the intended recipients thereof simultaneously receive the
new and the retracted information.

o. The right to data portability

Where your personal information is processed by electronic means, you have a right to obtain
from the personal information controller a copy of your personal data in an electronic or
structured format that is commonly used and allows for further use.

The purpose of this right is to empower you and give you more control over your personal
data. This right, which applies subject to certain conditions, supports user choice, user control
and consumer empowerment.

It enables the free flow of your personal information across organizations according to your
preference. This is important especially now that several organizations and services can reuse
the same data.

Data portability allows you to manage your personal data, and to transmit your data from
one personal information controller to another. As such, it promotes competition that fosters
better services for the public.

p. Data Life Cycle

Under Section 11 of the DPA, the processing of personal information shall be allowed, subject
to compliance with the requirements of the Act and other laws allowing disclosure of
information to the public and adherence to the principles of transparency, legitimate purpose
and proportionality. The Data Life Cycle is composed of creation and collection, storage and
transmission, use and distribution, retention, and disposal and destruction.

Creation and Collection

In Section 11.a of the DPA, personal information must be collected for specified and legitimate
purposes determined and declared before, or as soon as reasonably practicable after collection,
and later processed in a way compatible with such declared, specified and legitimate purposes
only.

In Section 19.a of the Implementing Rules and Regulations of the DPA, Personal Information
Controllers (PICs) or Personal Information Processors (PIPs) must keep in mind the following
general principles for collecting personal data:

1. Consent is required prior to the collection and processing of personal data, subject to
exemptions provided by the Act and other applicable laws and regulations. When consent
is required, it must be time-bound in relation to the declared, specified and legitimate
purpose. Consent given may be withdrawn.

2. The data subject must be provided specific information regarding the purpose and extent
of processing, including, where applicable, the automated processing of his or her personal
data for profiling, or processing for direct marketing, and data sharing.

3. Purpose should be determined and declared before, or as soon as reasonably practicable,
after collection.

4. Only personal data that is necessary and compatible with declared, specified, and legitimate
purpose shall be collected.

The most common way to ensure transparency is through a privacy notice.

(please refer to page 125)

Use

Section 11 of the DPA further requires that personal information be:

b. processed fairly and lawfully;
c. accurate, relevant and, where necessary for purposes for which it is to be used the
processing of personal information, kept up to date; inaccurate or incomplete data must be
rectified, supplemented, destroyed or their further processing restricted; and
d. adequate and not excessive in relation to the purposes for which they are collected and
processed.

(please refer to page 125)

PICs or PIPs should uphold the rights of the data subject, including the right to refuse,
withdraw consent, or object. They shall likewise be transparent, and give the data subject
sufficient information to know the nature and extent of processing. The use of personal data
must be in a manner compatible with the declared, specified, and legitimate purpose.

(please refer to page 125)

Storage

Data storage is a general term for how information is kept in a digital format. To ensure
protection of personal data against unauthorized or unlawful processing, PICs or PIPs should
implement reasonable and appropriate security measures for the protection of personal data.
Such security measures include encrypting data and having a secured data center.

(please refer to page 125)

Retention

What does DPA say about retention of personal data?

In Section 11.e of the DPA, personal information must be retained only for as long as necessary
for the fulfillment of the purposes for which data was obtained, or for the establishment,
exercise or defense of legal claims, or for legitimate business purposes, or as provided by law.

In addition, Section 11.f likewise provides that personal information must be kept in a form
which permits identification of data subjects for no longer than is necessary for the purposes
for which the data were collected and processed: Provided, That personal information collected
for other purposes may be processed for historical, statistical or scientific purposes, and in
cases laid down in law may be stored for longer periods: Provided, further, That adequate
safeguards are guaranteed by said laws authorizing their processing.

Finally, Section 19.e.3 of the IRR provides that personal data shall not be retained in perpetuity
in contemplation of a possible future use yet to be determined.


(please refer to page 126)

Disposal

What does Data Privacy Act say about disposal of personal data?

Section 19.d.3 of the IRR states that personal data shall be disposed or discarded in a secure
manner that would prevent further processing, unauthorized access, or disclosure to any other
party or public, or prejudice the interests of the data subjects.

Further, NPC Circular 16-01 on Security of Personal Data in Government Agencies provides
that procedures must be established regarding the following:

• disposal of files that contain personal data, whether such files are stored on paper, film,
optical or magnetic media;
• secure disposal of computer equipment, such as disk servers, desktop computers and mobile
phones at end-of-life, especially storage media: Provided, that the procedure shall include the
use of degaussers, erasers, and physical destruction devices; and
• disposal of personal data stored offsite.

The circular further provides that government agencies may engage a service provider to carry
out the disposal of personal data under their control or custody.

(please refer to page 126)

What are my responsibilities when disposing personal data?

It is the organization’s duty to make sure that data are disposed of properly, in a way that
renders them unreadable (for paper) or irretrievable (for digital records). The organization
should categorize whether the data it holds are high-risk or low-risk, and it is recommended
that the appropriate data disposal method be used for each.


V. Data Security

q. Organizational

It is commonly known that the weakest link in the security of most organizations is the
human factor and not technology. Even though it is an obvious weak point, it is frequently
overlooked. Designing security measures starts by developing and establishing policies, rules,
procedures or guidelines to ensure data protection within the organization. Organizational
measures also refer to the system’s environment, particularly to the individuals carrying
them out. Implementing the organizational data protection policies aims to maintain the
availability, integrity, and confidentiality of personal data against any accidental or unlawful
processing. The security policies and procedures apply from the collection of personal
information up to its disposal. Section 26 of the IRR of the DPA directs personal
information controllers and personal information processors to comply with the guidelines
for organizational security.

(please refer to page 129)

r. Physical

Physical security must be implemented properly to prevent unauthorized access. Similar to
the “human” factor in data protection, this element is also often overlooked. Hacking into
the network system is not the only way that personal or sensitive personal information can be
taken or used against an organization or any individual. Designing and implementing physical
security must be taken seriously and instituted. Its main focus is to protect physical assets
through office designs and layout, environmental components, emergency response readiness,
accessibility to the public, security against natural disasters and any other relevant points.

Over the past years, threats to physical security have been increasing significantly. In the
21st century, technological advancements have brought increasing vulnerabilities. Safeguarding
personal information (both in digital and paper format) transmitted in networks and systems
has become difficult, as mobile or remote users are able to take their devices out
of the secured facilities. This is one of the main reasons for the increasing cost of physical
security. Managing it over time becomes tougher because of emerging technologies. The
NPC released guidelines in managing physical security for personal information controllers
and personal information processors because of their importance.

(please see page 131)

s. Technical

Technical security involves the technological aspect of security in protecting personal
information. It includes protecting the network, encrypting personal information in storage
and in transit, mitigating data transfer risks, implementing software system designs and having
efficient access control policies. The NPC has issued technical security guidelines for the
personal information controllers and personal information processors, specifically for Data
Center, Encryption and Access Control Policy.

(please refer to page 132)


»» Data Center

What is a Data Center?

A data center is a facility housing electronic equipment used for data processing, data storage,
and communications networking. It is a centralized repository, which may be physical or
virtual, analog or digital, used for the storage, management, and dissemination of data,
including personal data.

The NPC requires personal information controllers and personal information processors
to implement reasonable and appropriate organizational, physical, and technical security
measures for the protection of personal data.

For government agencies, personal data shall be stored in a data center, which may or may not
be owned and controlled by such agency, provided, that the agency must be able to demonstrate
to the Commission how its control framework for data protection, and/or, where applicable,
that of its service provider, shall ensure compliance with the Act. Where a service provider
is engaged, the Commission may require the agency to submit its contract with its service
provider for review.

In addition, the Commission reserves the right to audit a government agency’s data center, or,
where applicable, that of its service provider.

What are the recommended best practices for data center security?

1. Include security and compliance objectives as part of the data center design and ensure
the security team is involved from day one. Security controls should be developed for each
modular component of the data center—servers, storage, data and network—united by a
common policy environment.

2. Ensure that the approach taken will not limit the availability and scalability of resources.

3. Develop and enforce policies that are context, identity and application-aware for least
complexity, and the most flexibility and scalability. Ensure that they can be applied
consistently across physical, virtual and cloud environments. This, along with replacing
physical with secure trust zones, will provide seamless and secure user access to applications
at all times, regardless of the device used to connect to resources in the data center.

4. Choose security technologies that are virtualization-aware or enabled, with security working
at the network level rather than the server. Network security should be integrated at the
hypervisor level to discover existing and new virtual machines and to follow those devices
as they are moved or scaled up so that policy can be dynamically applied and enforced.

5. Monitor everything continuously at the network level to be able to look at all assets
(physical and virtual) that reside on the local area network (even those that are offline)
and all inter-connections between them. This monitoring should be done on a continuous
basis and should be capable of tracking dynamic network fabrics. Monitor for missing
patches, application, or configuration changes that can introduce vulnerabilities which can
be exploited.


6. Look for integrated families of products with centralized management that are integrated
with or aware of the network infrastructure, or common monitoring capabilities for unified
management of risk, policy controls, and network security. This will also give detailed
reports across all controls that provide the audit trail necessary for risk management,
governance, and compliance objectives. Integrated families of products need not necessarily
be procured from just one vendor. Look for those that leverage the needed capabilities of
a strong ecosystem of partnerships to provide a consolidated solution across all data center
assets.

7. Consider future as well as current needs and objectives at the design stage such as whether
access to public cloud environments is required.

8. Define policies and profiles that can be segmented and monitored in multi-tenant
environments. Consider security technologies that provide secure gateway connections to
public cloud resources.

What are the security requirements for a computer system?

1. Secure user authentication protocols including:

a. Control of user IDs and other identifiers;
b. Reasonably secure method of assigning and selecting passwords, or use of unique
identifier technologies, such as biometrics or token devices;
c. Control of data security passwords to ensure that such passwords are kept in a location
and/or format that does not compromise the security of the data they protect;
d. Restricting access to active users and active user accounts only; and
e. Blocking access to user identification after multiple unsuccessful attempts to gain access
or the limitation placed on access for the particular system;

2. Secure access control measures that:

a. Restrict access to records and files containing personal information to those who need
such information to perform their job duties; and
b. Assign unique identifications plus passwords, which are not vendor supplied default
passwords, to each person with computer access, that are reasonably designed to
maintain the integrity of the security of the access controls;

3. Encryption of all transmitted records and files containing personal information that will
travel across public networks, and encryption of all data containing personal information to
be transmitted wirelessly;

4. Reasonable monitoring of systems, for unauthorized use of or access to personal information;

5. Encryption of all personal information stored on laptops or other portable devices;

6. For files containing personal information on a system that is connected to the Internet, there
must be reasonably up-to-date firewall protection and operating system security patches,
reasonably designed to maintain the integrity of the personal information;


7. Reasonably up-to-date versions of system security agent software which must include malware
protection and reasonably up-to-date patches and virus definitions, or a version of such
software that can still be supported with up-to-date patches and virus definitions, and is set
to receive the most current security updates on a regular basis;

8. Education and training of employees on the proper use of the computer security system and
the importance of personal information security.

»» Encryption

What does the Commission say about encryption?

In relation to off-site access by government personnel to sensitive personal information,
Section 23 of the DPA provides that any technology used to store, transport, or access
sensitive personal information for purposes of approved off-site access shall be secured
using the most secure encryption standard recognized by the Commission.

What should be encrypted?

All personal data that are digitally processed must be encrypted, whether at rest or in
transit. According to Section 8 of Memorandum Circular 16-01, the Commission recommends
Advanced Encryption Standard with a key size of 256 bits (AES-256) as the most appropriate
encryption standard.
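The recommendation above, and the same one under item 7 (Storage and Transmission of Personal Information), is AES-256 for data at rest and in transit. The following added example, which is not the toolkit's or the Commission's code, shows one record being sealed and opened with AES-256-GCM from Go's standard library; GCM also authenticates the ciphertext, so a modified, truncated or wrongly-keyed copy is rejected instead of being decrypted into garbage. The sample record, the record-ID context and the strict 32-byte key check are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// KeySize is 32 bytes: the 256-bit key length of AES-256, the standard the
// Commission recommends. Shorter keys are refused below.
const KeySize = 32

// ErrNotAuthentic is returned when a blob was modified, truncated, or sealed
// under a different key or context. GCM detects this before releasing plaintext.
var ErrNotAuthentic = errors.New("ciphertext failed authentication")

// NewKey draws a fresh random 256-bit key. In a deployed system the key comes
// from a key-management service and is never stored beside the data it protects.
func NewKey() ([]byte, error) {
	key := make([]byte, KeySize)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != KeySize {
		return nil, fmt.Errorf("key must be %d bytes for AES-256, got %d", KeySize, len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one personal-data record with AES-256-GCM. The output is
// nonce || ciphertext || tag. context is authenticated but not encrypted: binding
// a record ID here means a blob copied into another record's slot fails to open.
func Seal(key, plaintext, context []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh per record; never reused under one key
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, context), nil
}

// Open reverses Seal and refuses to return plaintext unless the tag verifies.
func Open(key, blob, context []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, ErrNotAuthentic // too short to even hold a nonce and a tag
	}
	nonce, ciphertext := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	plaintext, err := gcm.Open(nil, nonce, ciphertext, context)
	if err != nil {
		return nil, ErrNotAuthentic
	}
	return plaintext, nil
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record; the context ties the blob to a record identifier.
	record := []byte(`{"name":"Juan dela Cruz","id":"constructed-sample"}`)
	context := []byte("employee-record:42")

	blob, err := Seal(key, record, context)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored %d plaintext bytes as %d ciphertext bytes\n", len(record), len(blob))
	if back, err := Open(key, blob, context); err == nil {
		fmt.Println("decrypted:", string(back))
	}
	blob[len(blob)-1] ^= 0x01 // simulate a flipped bit on disk or in transit
	if _, err := Open(key, blob, context); err != nil {
		fmt.Println("tampered copy rejected:", err)
	}
}
```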

Emails

Email has become an essential tool for communication. Most of us use emails for either
business or personal use, often to transmit files and information, which would inevitably
include personal data.

Section 24 of NPC Circular No. 16-01 provides that a government agency that transfers
personal data by email must either ensure that the data is encrypted, or use a secure email
facility that facilitates the encryption of the data, including any attachments. Passwords should
be sent in a separate email. It is also recommended that agencies utilize systems that scan
outgoing emails and attachments for keywords that would indicate the presence of personal
data and, if appropriate, prevent its transmission.

Portable Media

Using portable devices can increase the risk of data loss (when a physical device is lost), data
exposure (when data is exposed to the public or a third party), and increased exposure to
network-based attacks to and from any system the device is connected to. Reports say that 25%
of malware is spread today through USB devices. Thus, there is a need to reduce these risks
associated with the use of portable media.

Section 26 of NPC Circular No. 16-01 provides that a government agency that uses portable
media, such as disks or USB drives, to store or transfer personal data must ensure that the data
is encrypted. Agencies that use laptops to store personal data must utilize full disk encryption.

Links (URL)


Agencies and organizations that utilize online access to process personal data should employ
an identity authentication method that uses a secured encrypted link.

References:
• https://www.sans.org/reading-room/whitepapers/physical/physical-security-important-37120
• https://resilience.enisa.europa.eu/article-13/guideline-for-minimum-security-measures/Article_13a_ENISA_Technical_Guideline_On_Security_Measures_v2_0.pdf

»» Access Control Policy

What is access control policy?

Having all the latest software security tools does not mean that your system is safe from any
attacks. Continuous improvement in security of information and data processing systems is a
fundamental management responsibility.

All applications and processing systems that deal with personal and sensitive personal
information should include some form of authorization which is also known as access control
policy. As systems grow in size and complexity, access control is a special concern for systems
and applications that are distributed across multiple computers.

An access control policy sets the requirements for credentials and identification that specify
how access to computers, systems, or applications is managed, and who may access the
information in most circumstances. Authentication, authorization, audit, and access approval
are the common aspects of an access control policy.

What are the best practices in implementing access control policy?

Personal information controllers and processors are responsible and accountable for protecting
the personal data that is being processed.

This may be done by managing the areas, distribution, and life-cycle of authentication and
authorization of your organization’s processes. Access to any personal data must always be
protected, controlled, and managed with sufficient security policies.

Management should also establish a physical and systematic approach to creating and managing
access control. The design and implementation of the policy should also take into consideration
the small to large scale applications of the personal information controllers and personal
information processors.

What does the Commission say about implementing access control policy?

Personal information controllers and personal information processors are obliged to implement
appropriate organizational, physical, and technical security measures for the protection of the
personal data that they process.

Specifically for government agencies, Section 9 of NPC Circular 16-01 provides that access to
all data centers owned and controlled by a government agency shall be restricted to agency
personnel that have the appropriate security clearance and enforced by an access control
system that records when, where, and by whom the data centers are accessed.

Furthermore, Section 25 of the said circular mandates all government agencies to implement
access controls to prevent agency personnel from printing or copying personal data to personal
productivity software like word processors and spreadsheets that do not have any security or
access controls in place.

VI. Breaches

t. Data Breach Management

»» Security Incident Policy

The Security Incident Management Policy

All personal information controllers (PICs) and personal information processors (PIPs)
must implement a security incident management policy. This policy is for managing
security incidents, including data breaches.

»» Data Breach Response Team

NPC Circular 16-03 Sec. 5

A personal information controller or personal information processor shall constitute a
data breach response team, which shall have at least one (1) member with the authority to
make immediate decisions regarding critical action, if necessary. The team may include the
Data Protection Officer.

»» Incident Response Procedure

NPC Circular 16-03 Sec. 8

The personal information controller or personal information processor shall implement
policies and procedures for the guidance of its data breach response team and other personnel
in the event of a security incident.

»» Breach Documentation

NPC Circular 16-03 Sec. 8

All action taken by a personal information controller or personal information processor
shall be properly documented. Reports should include:

a. Description of the personal data breach, its root cause and circumstances regarding its
discovery;

b. Actions and decisions of the incident response team;

c. Outcome of the breach management, and difficulties encountered; and

d. Compliance with notification requirements and assistance provided to affected data
subjects.

»» Breach Notification

IRR Sec. 38. Data Breach Notification

a. The Commission and affected data subjects shall be notified by the personal
information controller within 72 hours upon knowledge of or reasonable belief by
the personal information controller or personal information processor that a security
breach requiring notification has occurred.

b. Notification of security breach shall be required when sensitive personal information or
other information that may, under the circumstances, be used to enable identity fraud
are reasonably believed to have been acquired by an unauthorized person, and the
personal information controller or the Commission believes that such unauthorized
acquisition is likely to give rise to a real risk of serious harm to any affected data subject.

c. Depending on the nature of the incident, or if there is delay or failure to notify, the
Commission may investigate the circumstances surrounding the information security
breach. Investigations may include on-site examination of systems and procedures.

VII. Third Parties

u. Third Parties

a. Legal Basis of Disclosure

Sharing personal information between two entities without any proof or documentary
evidence, such as a data sharing agreement, is a big red flag for data protection. An
agreement between the two parties is required when sharing personal information, especially
sensitive personal information. It is evidence of accountability that ensures the protection
of personal data. Organizations should always check the legal basis for sharing information
with other controllers.

There are government agencies or entities that are mandated by law to collect personal
information. This applies in particular to agencies that are required to collect and share personal
information with other agencies or entities to achieve their mandated functions. But this does
not mean that they do not need a data sharing agreement. It is essential to acknowledge and
manage the concerns regarding confidentiality, costs incurred in data sharing, and the legitimacy
of the request. Personal information controllers and personal information processors should
prioritize the protection of the rights of data subjects and follow the principles of specific,
freely given, and informed consent.

b. Data Sharing Agreements

What is a Data Sharing Agreement?

A data sharing agreement refers to a contract, joint issuance, or any similar document that
contains the terms and conditions of a data sharing arrangement between two or more parties.
Only personal information controllers shall be made parties to a data sharing agreement.
Where a data sharing agreement involves the actual transfer of personal data or a copy from
one party to another, such transfer shall comply with the security requirements imposed by
the Philippine Data Privacy Act, its IRR, and all applicable issuances of the National Privacy
Commission.

What are the things I should see on a Data Sharing Agreement?

• Purpose
• Identity of all PICs party to the agreement
• Term or duration of the agreement
• Operational details of the sharing or transfer of personal data
• General description of the security measures for the protection of personal data, including
the policy for retention or disposal of records
• How a data subject can obtain a copy of the data sharing agreement
• Details on online access
• The PIC responsible for addressing any information request, any complaint filed by
a data subject, and/or any investigation by the Commission
• The method that shall be adopted for the secure return, destruction, or disposal of
the shared data
• Other terms and conditions

c. Cross Border Transfer Agreement

Globally, there is a general recognition that there should be some law regarding cross-border
data transfers, but a wide variety of approaches to this issue exist, and there is no single global
model for managing it. At the national level, some countries have no restrictions at all on the
transfer of personal information to a foreign jurisdiction.

IRR Sec. 50 provides that a personal information controller shall be responsible for any personal
data under its control or custody, including information that has been outsourced or transferred
to a personal information processor or a third party for processing, whether domestically or
internationally, subject to cross-border arrangement and cooperation. This includes contracting
with the data privacy authorities of other countries for the cross-border application and
implementation of their respective privacy laws.

VIII. Manage HR

v. Trainings and Certifications

IRR Sec. 26 enjoins personal information controllers and personal information processors
to provide capacity building, orientation or training programs regarding privacy or security
policies for employees, agents or representatives, particularly those who will have access to
personal data.

In addition, NPC Circular No. 16-01 provides that one of the general obligations of a
government agency engaged in the processing of personal data is to conduct a mandatory,
agency-wide training on privacy and data protection policies once a year. A similar training
shall be provided during all agency personnel orientations.

Note that capacity building of personnel to ensure knowledge of data breach management
principles, and internal procedures for responding to security incidents is also required under
NPC Circular No. 16-03 – Personal Data Breach Management.

Likewise, NPC Advisory No. 17-01 on the Designation of DPOs, provides that all personal
information controllers or processors should provide sufficient time and resources, including
training, necessary for the DPO or COP to keep himself or herself updated with the
developments in data privacy and security and to carry out his or her tasks effectively and
efficiently.

Recommended Certifications

Currently, there is no certification process for an organization’s compliance with the DPA.

Nonetheless, it is advisable for organizations to obtain certifications or accreditations such
as those prescribed by the International Standards Organization (ISO), specifically the ISO
27000 family - Information Security Management Systems (ISMS):

• ISO/IEC 27001:2013. Information technology -- Security techniques -- Information
security management systems -- Requirements. This specifies the requirements for
establishing, implementing, maintaining and continually improving an information
security management system within the context of the organization. It also includes
requirements for the assessment and treatment of information security risks tailored
to the needs of the organization. The requirements set out in ISO/IEC 27001:2013 are
generic and are intended to be applicable to all organizations, regardless of type, size or
nature.

• ISO/IEC 27002:2013. Information technology -- Security techniques -- Code of practice
for information security controls. This gives guidelines for organizational information
security standards and information security management practices, including the
selection, implementation and management of controls, taking into consideration the
organization’s information security risk environment(s).

• ISO/IEC 27018:2014. Information technology -- Security techniques -- Code of practice
for protection of personally identifiable information (PII) in public clouds acting as
PII processors. This establishes commonly accepted control objectives, controls, and
guidelines for implementing measures to protect personal information in accordance
with the privacy principles in ISO/IEC 29100 for the public cloud computing environment.
It also specifies guidelines based on ISO/IEC 27002, taking into account the regulatory
requirements for the protection of personal information that might be applicable within
the context of the information security risk environment(s) of a (public) cloud service
provider. It may be used by organizations of any type and size, including public and
private companies, government entities, and non-profit organizations, which provide
information processing services as personal information processors via cloud computing
under contract to other organizations.

The Commission does not require certifications for key personnel of personal
information controllers or personal information processors, such as the latter’s Data
Protection Officer or Compliance Officer for Privacy.

However, it is considered best practice across jurisdictions for organizations to properly
equip their personnel with appropriate trainings that enable them to fulfill their specific
roles and functions. Some international certifications or trainings commonly considered
for this purpose include the following:

• Certified Information Systems Auditor (CISA). CISA is a globally recognized certification
for IS audit control, assurance, and security professionals. A person’s CISA certification
attests to his or her audit experience, skills, and knowledge. It demonstrates one’s ability
to assess vulnerabilities, report on compliance, and institute controls within a particular
enterprise.

• Certified Information Security Manager (CISM). A management-focused certification
that promotes international security practices and recognizes the individual who manages,
designs, oversees, and assesses an enterprise’s information security.

• Certified in the Governance of Enterprise IT (CGEIT). This certification recognizes a wide
range of professionals for their knowledge and application of enterprise IT governance
principles and practices. A CGEIT-certified professional has demonstrated his or her
ability to bring IT governance into an organization, as well as his or her complete grasp
of the complex subject. Thus, he or she is able to enhance the value of an enterprise.

• Certified Information Systems Security Professional (CISSP). The ideal credential for those
with proven deep technical and managerial competence, skills, experience, and credibility
to design, engineer, implement, and manage the overall information security program
of their organization, thereby protecting it from the growing number of sophisticated
attacks.

• GIAC Security Essentials (GSEC). Designed for professionals seeking to demonstrate their
understanding of information security terminology and concepts, and their possession
of the skills and technical expertise necessary for “hands-on” security roles. GSEC credential
holders are presumed to demonstrate knowledge and technical skills in various
areas (e.g., identifying and preventing common and wireless attacks, access controls,
authentication, password management, DNS, cryptography fundamentals, ICMP, IPv6,
public key infrastructure, Linux, network mapping, and network protocols).

• Project Management Professional (PMP). This certification is touted as the most important
industry-recognized certification for project managers. It signifies that the holder speaks
and understands the global language of project management. It connects him or her to a
community of professionals, organizations and experts worldwide. Indeed, unlike other
certifications that focus on a particular geography or domain, the PMP is truly global
and enables its holder to work in virtually any industry, with any methodology, and in
any location.

While not explicitly required, certifications and/or accreditations allow for a more
efficient verification and monitoring process on the part of the Commission.

w. Security Clearance

A security clearance allows authorized access to personal information that would otherwise
be forbidden. Section 23 of the DPA sets out the requirements relating to access by agency
personnel to sensitive personal information: (a) On-site and Online Access – Except as may
be allowed through guidelines to be issued by the Commission, no employee of the government
shall have access to sensitive personal information on government property or through online
facilities unless the employee has received a security clearance from the head of the source agency.

To ensure the confidentiality of personal data, a PIC or PIP shall only grant security clearance to
an employee when the performance of his or her official functions directly depends on, and
cannot otherwise be performed without, access to the personal data.

Non-Disclosure Agreement (NDA)

One common way to protect confidential information given to another party is the use of a
Non-Disclosure Agreement (NDA). A non-disclosure agreement is a legal contract between
at least two parties that outlines the confidential material, knowledge, or information that the
parties wish to share with one another for certain purposes. It should contain a few specific
parts: definitions and exclusions of confidential information; obligations of all involved
people or parties; and time periods.

IX. Continuity

x. Continuing Assessment and Development

»» Regular Risk Assessment

Necessity, convenience and continuous improvement are the forefathers of invention.
These usher in the introduction and adaptation of new systems by organizations to execute
necessary business functions. It is imperative to conduct a Privacy Impact Assessment on
all data processing systems that are classified as “High” and have an “Unreasonable” impact
assessment.

A Privacy Impact Assessment of the data processing systems in an organization should not be
a one-time affair. It shall be conducted regularly, covering later updates or upgrades
with additional functionality likely to impact the personal information that is handled.
Kindly refer to the Privacy Impact Assessment section for more information.

NPC Circular 16-01 Sec. 4(b) requires agencies to conduct a Privacy Impact Assessment for
each program, process or measure within the agency that involves personal data, provided
that such assessment shall be updated as necessary.

                     | LOW                    | MEDIUM                    | HIGH
Type of Data         | No personal data       | Personal Information      | Sensitive Personal Information
Volume               | Less than 250 records  | Less than 1,000 records   | 1,000 or more records
Origin               | Filipino citizens only |                           | Includes other nationalities
Access               | Limited to onsite      | Onsite as well as offsite | External parties
Time of access       | Less than 8 hours      | 8 to 12 hours             | 24 hours
Number of users      | Less than 50           | Less than 250             | 250 or more
Response requirement | None                   | Sub-minute                | Sub-second
Storage media        | Non-digital            | All digital               | Mixed
Storage location     | One site               |                           | Multiple sites
Big data projects    | No plans               | When 3 years              | Currently operating

»» Internal Assessments

To make compliance with the Act manageable, organizations are advised to schedule
regular compliance monitoring, internal assessments and security audits. The purpose of
an internal assessment is to identify and strategically plan the needed maintenance of an
organization to align it with the DPA. NPC recommends creation of policies on conduct
of internal assessments and security audits.

»» Review Privacy Management Program (PMP)

Regularly evaluating the Privacy Management Program demonstrates the accountability of
organizations. The Privacy Management Program is maintained through organizational
commitment and oversight of coordinated projects and activities implemented throughout
the agency, company or organization. It allows efficient use of available resources,
implements control measures to assure privacy and data protection, and puts in place a
system for review to allow for improvements responsive to data privacy best practices and
technological developments.

To properly protect personal data and meet legal obligations, PICs and PIPs should
monitor, assess and revise their privacy management framework to ensure it remains
relevant and effective.

(please refer to page 50)

»» Accreditations

(please refer to page 79)

X. Privacy Ecosystem

y. New Technologies and Standards

z. New Legal Requirements

Monitor Privacy Competency

Technology is fast changing, and the new trends that are constantly emerging carry their own
privacy and legal implications. Keeping up to date can become a chore that is easy to delay.
Below are some tips on how to stay updated with the latest trends in technology.

1. Industry Players

Participate in workshops, summits and various talks held by accredited associations and
government regulators.

2. Print Media (Books and Magazines)

Books and magazines are great information resources. Subscribe to monthly digests on tech
magazines for timely reading. While books can be a great resource, make sure the book is based
on the correct version of the technology you are researching.

3. Social Media (Twitter, Facebook, Email Subscription, etc.)

Follow seasoned tech gurus and subscribe to notifications from tech news pages and relevant
government pages (National Privacy Commission, Department of Information and
Communications Technology, Cybercrime Investigation and Coordination Center) to stay in
the loop on recent trends and advisories in information security, cybercrime and privacy news.

4. Training

Another great resource is the various forms of training and web-based tutorials. If you
can afford professional training (either online or in-house), this is probably the best
approach. However, it can be costly. Nowadays, many sites offer great tutorials that get you
knee-deep in the latest technologies for free. There are also many webcasts available from
various conferences or events where the presenter is conducting a demo of a new technology.
Locate these resources through searches and through your blogs and podcasts.

5. Face-to-Face (user group meetings and technical conferences)

User group meetings and forums are usually technology-specific and give you a chance to meet
people locally who are doing what you are doing, learn about what they are doing, and get great
presentations on the latest and greatest happenings in your technology and various processes.
This is also a great way to learn about conferences you can attend, or to hear about them from
those who did attend. These conferences are showcases for the “new stuff”.

6. Recent Developments

There are many recent developments in technology and in the privacy and legal area. Strategies
for staying updated include keeping track of local and international government issuances, recent
local and international government enforcement actions, international standards released by ISO,
and international organizations’ current practices and relevant frameworks.

5. BE PREPARED FOR BREACH: REGULARLY EXERCISE YOUR BREACH REPORTING PROCEDURE

Data Breaches and Security Incidents

Assessment

A security incident is any event or occurrence that affects or tends to affect data protection, or may
compromise the availability, integrity, and confidentiality of personal data. It includes incidents that may
result in a personal data breach, if not for safeguards that have been put in place.

A data breach is a kind of security incident. It happens when there is a breach of security leading to the
accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal
data transmitted, stored, or otherwise processed.

There are three kinds of data breaches:

• Availability Breach – results from the accidental loss or unlawful destruction of personal data;
• Integrity Breach – results from the unauthorized alteration of personal data; and
• Confidentiality Breach – results from the unauthorized disclosure of or access to personal data.

The Security Incident Management Policy

All personal information controllers (PICs) and personal information processors (PIPs) must implement
a security incident management policy. This policy is for managing security incidents, including data
breaches.

In drafting your security incident management policy and personal data breach management procedure,
the following must be included:

• Creation of a security incident response team, with members that have clearly defined
responsibilities, to ensure timely action in the event of a security incident or personal data
breach;
• Implementation of organizational, physical and technical security measures, and personal
data privacy policies intended to prevent or minimize the occurrence of a personal data
breach and assure the timely discovery of a security incident;
• Implementation of an incident response procedure intended to contain a security incident
or personal data breach, and restore the integrity of the information and communications
system;
• Mitigation of possible harm and negative consequences to a data subject in the event of a
personal data breach; and
• Compliance with the DPA, its IRR, and all related issuances by the NPC pertaining to
personal data breach notification.

The Security Incident Management Policy must also include measures intended to prevent or minimize
the occurrence of a personal data breach. These measures include:

• Conduct of a privacy impact assessment to identify attendant risks in the processing of personal
data. It shall take into account the size and sensitivity of the personal data being processed,
the impact and likely harm of a personal data breach;
• Data governance policy that ensures adherence to the principles of transparency, legitimate
purpose, and proportionality;
• Implementation of appropriate security measures that protect the availability, integrity and
confidentiality of personal data being processed;
• Regular monitoring for security breaches and vulnerability scanning of computer networks;
• Capacity building of personnel to ensure knowledge of data breach management principles, and
internal procedures for responding to security incidents;
• Procedure for the regular review of policies and procedures, including the testing, assessment, and
evaluation of the effectiveness of the security measures.

The Security Incident Response Team

The Security Incident Response Team is responsible for:

• Implementing the security incident management policy of the PIC or PIP;
• Managing security incidents and personal data breaches; and
• Compliance by the PIC or PIP with the relevant provisions of the Act, its IRR, and all related
issuances by the Commission on personal data breach management.

Although the functions of the Security Incident Response Team may be outsourced, and there is
no precise formula for its composition, its members must, as a collective unit, be ready to assess and
evaluate a security incident, restore integrity to the information and communications system, mitigate and
remedy any resulting damage, and comply with reporting requirements.

Annual Reports

PICs and PIPs are required to submit their Annual Report, where all security incidents and personal
data breaches must be documented through written reports, including those not covered by the
notification requirements.

In the event of a personal data breach, a report shall include:

a. the facts surrounding the incident;

b. the effects of such incident; and

c. the remedial action taken by the PIC.

For other security incidents not involving personal data, a report containing aggregated data
shall constitute sufficient documentation.

Any or all reports shall be made available when requested by the Commission: Provided, that a summary of
all reports shall be submitted to the Commission annually, comprised of general information including
the:

1. number of incidents and breach encountered; and

2. information classified according to their impact on the availability, integrity, or confidentiality
of personal data.

Not all data breaches have to be reported to the NPC. Only when these are all present are the PICs (or
PIPs, as the case may be) required to notify:

• there is a breach of sensitive personal information or other information that may, under the
circumstances, be used to enable identity fraud;
• the data is reasonably believed to have been acquired by an unauthorized person; and
• either the PIC or the NPC believes that the data breach is likely to give rise to a real risk of
serious harm to the affected data subject.

If there is doubt as to whether notification is indeed necessary, consider:

1. the likelihood of harm or negative consequences on the affected data subjects;
2. how notification, particularly of the data subjects, could reduce the risks arising from the
personal data breach reasonably believed to have occurred; and
3. if the data involves:
• information that would likely affect national security, public safety, public order, or public
health;
• at least one hundred (100) individuals;
• information required by all applicable laws or rules to be confidential; or
• personal data of vulnerable groups.

The failure to notify the NPC or the public may make you criminally liable for Concealment of
Security Breaches Involving Sensitive Personal Information, which carries a penalty of imprisonment
from one year and six months, to five years, and a fine of Five Hundred Thousand Pesos (₱500,000.00)
to One Million Pesos (₱1,000,000.00).

This crime is committed by those who, having knowledge of the security breach and an obligation to
inform the NPC of the fact of such a breach, either intentionally or by omission fail to inform the
NPC that the breach has happened.

Aside from notifying the NPC, the PIC shall also notify the affected data subjects upon knowledge of,
or when there is reasonable belief that a personal data breach has occurred. The obligation to notify remains
with the PIC even if the processing of information is outsourced or subcontracted to a PIP.

The Commission shall be notified within seventy-two (72) hours upon knowledge of or the reasonable
belief by the PIC or PIP that a personal data breach has occurred.

Generally, there shall be no delay in notification; however, notification may be delayed only to the
extent necessary to:

• determine the scope of the breach;
• prevent further disclosures; or
• restore reasonable integrity to the information and communications system.

There can be no delay in the notification if the breach involves at least one hundred (100) data subjects,
or the disclosure of sensitive personal information will harm or adversely affect the data subject. In
either case, the Commission must be notified within the 72-hour period based on available information.

The full report of the personal data breach must be submitted within five (5) days from notification,
unless the PIC is granted additional time by the Commission to comply.

The following information must be included in any Data Breach notification:

• Nature of the Breach. – There must be, at the very least, a description of:

a. the nature of the breach;
b. a chronology of events; and
c. an estimate of the number of data subjects affected;

• Personal data involved. – stating the description of sensitive personal information or other
information involved.

• Remedial Measures. – there must be:

a. a description of the measures taken or proposed to be taken to address the breach;

b. actions being taken to secure or recover the personal data that were compromised;

c. actions performed or proposed to mitigate possible harm or negative consequences, and
limit the damage or distress to those affected by the incident;

d. action being taken to inform the data subjects affected by the incident, or reasons for any
delay in the notification; and

e. measures being taken to prevent a recurrence of the incident.

• Name and contact details - of the Data Protection Officer or contact person designated by the
PIC to provide additional information.

Under the Data Privacy Act, the data subject has the right to be notified. Upon knowledge
of, or reasonable belief that a personal data breach has occurred, the PIC must notify the data
subject within 72 hours, which:

• may be made on the basis of available information within the 72-hour period if the personal
data breach is likely to give rise to a real risk to the rights and freedoms of data subjects;
• shall have the same content as those made to the National Privacy Commission, but shall
include instructions on how data subjects will get further information; and
• shall include recommendations on how to minimize risks resulting from breach and to
secure any form of assistance.

The notification may be supplemented with additional information at a later stage on the basis
of further investigation.

The notification of affected data subjects shall be done individually, using secure means of
communication, whether written or electronic. Whenever individual notification is not possible
or would require a disproportionate effort, the PIC may seek the approval of the Commission to
use alternative means of notification.

The notification requirement is not absolute; the NPC can allow the postponement of notification
when it may hinder the progress of a criminal investigation.

The Subsequent Investigation

The NPC will consider these factors in its investigation following the occurrence of a data breach:

• Security measures that have been implemented and applied to the personal data at the time
the personal data breach was reasonably believed to have occurred, including measures that
would prevent use of the personal data by any person not authorized to access it;
• Subsequent measures that have been taken by the PIC or PIP to ensure that the risk of harm or
negative consequence to the data subjects will not materialize;
• Age or legal capacity of affected data subjects; provided, that in the case of minors or other
individuals without legal capacity, notification may be done through their legal representatives;
and
• Compliance with the law and existence of good faith in the collection of personal information.

The Commission may investigate a breach or security incident depending on its nature, or in
case of failure or delay in the notification. The investigation will:

• include an on-site examination of systems and procedures;
• require the cooperation of concerned parties, or compel appropriate action therefrom to
protect the interests of data subjects, if necessary; and
• be governed by the Rules of Procedure of the Commission.

The Data Privacy Accountability and Compliance Checklist

Each numbered area below lists the Compliance Checklist items, followed by the corresponding
Evidence of Compliance.

1. Establish Data Privacy Governance

Compliance Checklist:
• Designate a Data Protection Officer

Evidence of Compliance:
• Designation/Appointment Papers/Contract of the DPO and/or DPO team
• Other means to demonstrate compliance
94
NPC PRIVACY TOOLKIT

2. Privacy Risk Assessment

Compliance Checklist:
• Maintain records of processing activities, including inventory of personal data, data flow and
transfers outside country
• Register Data Processing Systems
• Conduct a Risk Assessment

Evidence of Compliance:
• Records of Processing Activities
• Website or other visible announcement showing contact details of DPO
• NPC Notification of completing Phase I Registration
• PIA Report
• Other means to demonstrate compliance

3. Maintain Organization Commitment

Compliance Checklist:
• Implement and maintain a privacy management program
• Develop a privacy manual and complaints mechanism

Evidence of Compliance:
• Privacy Manual
• List of activities on privacy and data protection
• List of key personnel assigned responsibilities for privacy and data protection within the
organization
• Other means to demonstrate compliance

4. Privacy and Data Protection in Day-to-Day Operations

Compliance Checklist:
• Have visible and accessible Privacy Notices with contact details of DPO
• Develop, Review or Maintain Policies and Procedures for processing of personal data from
collection to retention or disposal (procedure for obtaining consent)
• Establish procedures or platform for data subjects to exercise their rights (access, be informed,
object, correction, erasure, file a complaint, be indemnified, data portability)
• Register Data Processing Systems (Phase II)
• Comply with notification and reporting requirements

Evidence of Compliance:
• Privacy Notice in Website and/or within organization (where collection of personal data occurs)
• Consent forms for collection and use of personal data
• List of Policies and Procedures in place that relate to privacy and data protection (may be in
privacy manual)
• Policies and Procedure in dealing with requests for information from parties other than the
data subjects (media, law enforcement, representatives)
• Data subjects informed of rights through privacy notices, and other means
• Form or platform for data subjects to request copy of their personal information and request
correction
• Procedure for addressing complaints of data subjects
• Certificate of registration and notification
• Other means to demonstrate compliance

5. Manage Security Risks

Compliance Checklist:
• Maintain Organizational Security Measures (Policies and procedures in place)
• Maintain Physical Security Measures (Physical Access and Security, Design and Infrastructure)
• Maintain Technical Security Measures (Firewalls, Encryption, Access Policy, Security of Data
Storage, other Information security tools)
• Know your vulnerabilities (Vulnerability Assessments and Penetration Testing)

Evidence of Compliance:
• Data Center and Storage area with limited physical access
• Report on technical security measures and information security tools in place
• Firewalls used
• Encryption used for transmission
• Encryption used for storage
• Access Policy for onsite, remote and online access
• Audit logs
• Back-up solutions
• Report of Internal Security Audit or other internal assessments
• Certifications or accreditations maintained
• Vulnerability Assessment
• Penetration Testing for applications and network
• Other means to demonstrate compliance

6. Data Breach Management

Compliance Checklist:
• Implement safeguards to prevent or minimize personal data breach (Breach drills, security policy)
• Constitute Data Breach Response Team
• Maintain and Review Incident Response Policy and Procedure
• Document Security incidents and personal data breaches
• Comply with Breach Notification requirements

Evidence of Compliance:
• Schedule of breach drills
• Number of Trainings conducted for internal personnel on breach management
• Personnel Order constituting the Data Breach Response Team
• Incident Response Policy and Procedure (may be in Privacy Manual)
• Record of Security incidents and personal data breaches, including notification for personal
data breaches
• Other means to demonstrate compliance

7. Manage Third Party Risks

Compliance Checklist:
• Execute Data Sharing Agreements
• Review or enter into contracts and other agreements for transfers of personal data, including
cross border transfers to ensure comparable level of data protection, DPA compliance, and
security of transfers
• Review or enter into outsourcing contracts with PIPs, to ensure comparable level of data
protection and DPA compliance
• Establish and document legal basis for disclosures of personal data made to third parties

Evidence of Compliance:
• Data Sharing Agreements
• List of recipients of personal data (PIPs, other PICs, service providers, government agencies)
• Review of Contracts with PIPs
• Review of Contracts for cross-border transfers
• Other means to demonstrate compliance

8. Human Resources Management

Compliance Checklist:
• Regularly train personnel regarding privacy or security policies
• Ongoing training and capacity building for Data Protection Officer
• DPOs work towards certifications and/or apply for membership in DPO organizations
• Non-Disclosure Agreements for personnel handling Data
• Security Clearance issued for those handling personal data

Evidence of Compliance:
• No. of employees who attended trainings on privacy and data protection
• Commitment to comply with Data Privacy Act as part of Code of Conduct or through written
document to be part of employee files
• Certificate of Training of DPO
• Certifications of DPOs
• NDAs or confidentiality agreements
• Security Clearance Policy
• Other means to demonstrate compliance

9. Continuing Assessment and Development

Compliance Checklist:
• Schedule Regular Risk Assessment
• Review Forms, Contracts, Policies and Procedures on a regular basis
• Schedule Regular Compliance monitoring, internal assessments and security audits
• Review, Validate and Revise Privacy Manual
• Regularly evaluate Privacy Management program

Evidence of Compliance:
• Policy for Conduct of PIA (may be in manual)
• Policy on conduct of Internal Assessments and Security Audits
• Privacy Manual contains policy for regular review
• List of activities to evaluate Privacy Management program (survey of customer, personnel
assessment)
• Other means to demonstrate compliance

10. Manage Privacy Ecosystem

Compliance Checklist:
• Monitor emerging technologies, new risks of data processing, and the privacy ecosystem
• Keep track of data privacy best practices, sector specific standards, and international data
protection standards
• Attend trainings and conferences
• Seek guidance and legal opinion on new NPC issuances or requirements

Evidence of Compliance:
• No. of trainings and conferences attended on privacy and data protection
• Policy papers, legal or position papers, or other research initiatives on emerging technologies,
data privacy best practices, sector specific standards, and international data protection
standards
• No. of management meetings which included privacy and data protection in the agenda
• Other means to demonstrate compliance

CHAPTER III REGISTRATION

NPC Circular 17-01

DATE : 31 July 2017


TO : ALL PERSONAL INFORMATION CONTROLLERS AND PERSONAL
INFORMATION PROCESSORS
SUBJECT : REGISTRATION OF DATA PROCESSING SYSTEMS AND
NOTIFICATIONS REGARDING AUTOMATED DECISION-MAKING

WHEREAS, Article II, Section 24, of the 1987 Constitution provides that the State recognizes the
vital role of communication and information in nation-building. At the same time, Article II, Section
11 thereof emphasizes that the State values the dignity of every human person and guarantees full
respect for human rights;

WHEREAS, Section 2 of Republic Act No. 10173, also known as the Data Privacy Act of 2012
(DPA), provides that it is the policy of the State to protect the fundamental human right of privacy
of communication while ensuring free flow of information to promote innovation and growth. The
State also recognizes its inherent obligation to ensure that personal information in information and
communications systems in the government and in the private sector are secure and protected;

WHEREAS, Section 16 of the DPA and Section 34 of its Implementing Rules and Regulations (IRR)
provide that data subjects shall be furnished with and given access to their personal data that are
being processed in data processing systems, as well as the purpose, scope, method, and manner of such
processing, including the existence of automated decision-making;

WHEREAS, pursuant to Section 7 of the DPA, the National Privacy Commission (NPC) is charged
with the administration and implementation of the provisions of the law, which includes ensuring
the compliance by personal information controllers (PICs) with the provisions thereof, publishing a
compilation of an agency’s system of records and notices, and carrying out efforts to formulate and
implement plans and policies that strengthen the protection of personal data, in coordination with
other government agencies and private entities;

WHEREAS, Section 9 of the IRR provides that, among the NPC’s functions, is to develop, promulgate,
review, or amend rules and regulations for the effective implementation of the DPA;

WHEREAS, Section 24 of the DPA states that, when entering into any contract that may involve
accessing or requiring sensitive personal information from at least one thousand (1,000) individuals, a
government agency shall require the contractor and its employees to register their personal information
processing system with the NPC in accordance with the DPA and to comply with the law’s provisions.
Furthermore, Section 14 of the law mandates that personal information processors (PIPs) shall also
comply with all requirements of the DPA and other applicable laws;

WHEREAS, in line with Sections 46 and 47 of the IRR, a PIC or PIP that employs fewer than two
hundred fifty (250) persons shall not be required to register unless the processing it carries out is likely
to pose a risk to the rights and freedoms of data subjects, is not occasional, or includes sensitive personal
information of at least one thousand (1,000) individuals. Moreover, Section 48 thereof declares that
a PIC carrying out any automated processing operation that is intended to serve a single or several
related purposes must notify the NPC when said operation becomes the sole basis for making decisions
about a data subject, and when such decision would significantly affect the data subject;

WHEREFORE, in consideration of these premises, the NPC hereby issues this Circular governing the
registration of data processing systems and notifications regarding automated decision-making:

RULE I.
PRELIMINARY PROVISIONS

SECTION 1. Scope. The provisions of this Circular shall apply to any natural or juridical person in the
government or private sector processing personal data and operating in the Philippines, subject to the
relevant provisions of the DPA, its IRR, and other applicable issuances of the NPC.

SECTION 2. Purpose. This Circular establishes the framework for registration of data processing
systems in the Philippines and imposes other requirements for the purpose of achieving the following
objectives:

A. ensure that PICs and PIPs keep a record of their data processing activities;

B. make information about data processing systems operating in the country accessible to both
the Commission, for compliance monitoring, and data subjects, to facilitate the exercise of
their rights under the DPA; and

C. promote transparency and public accountability in the processing of personal data.

SECTION 3. Definition of Terms. For the purpose of this Circular, the following terms are defined, as
follows:

A. “Act” or “DPA” refers to Republic Act No. 10173, otherwise known as the Data Privacy Act
of 2012;

B. “Automated Decision-making” refers to a wholly or partially automated processing operation
that serves as the sole basis for making decisions that would significantly affect a data subject.
It includes the process of profiling based on an individual’s economic situation, political or
religious beliefs, behavioral or marketing activities, electronic communication data, location
data, and financial data, among others;

C. “Commission” or “NPC” refers to the National Privacy Commission;

D. “Compliance Officer for Privacy” or “COP” refers to an individual that performs some of the
functions of a DPO, as provided in NPC Advisory No. 17-01;

E. “Core Activity” refers to a key operation or process carried out by a PIC or PIP to achieve
its mandate or function: Provided, that processing of personal data forms an integral and
necessary part of such operations or processes;

F. “Data Processing System” refers to a structure and procedure by which personal data is
collected and further processed in an information and communications system or relevant
filing system, including the purpose and intended output of the processing;

G. “Data Protection Officer” or “DPO” refers to an individual designated by the head of
agency or organization to be accountable for its compliance with the Act, its IRR, and other
issuances of the Commission: Provided, that, except where allowed otherwise by law or
the Commission, the individual must be an organic employee of the government agency or
private entity: Provided further, that a government agency or private entity may have more
than one DPO;

H. “Data sharing” is the disclosure or transfer to a third party of personal data under the control
or custody of a PIC: Provided, that a PIP may be allowed to make such disclosure or transfer
if it is upon the instructions of the PIC concerned.
The term excludes outsourcing, or the disclosure or transfer of personal data by a PIC to a
PIP;

I. “Data Subject” refers to an individual whose personal, sensitive personal, or privileged
information is processed;

J. “Encryption Method” refers to the technique that renders data or information unreadable,
ensures that it is not altered in transit, and verifies the identity of its sender;

K. “Filing system” refers to any set of information relating to a natural or juridical person to the
extent that, although the information is not processed by equipment operating automatically
in response to instructions given for that purpose, the set is structured, either by reference
to individuals or by reference to criteria relating to individuals, in such a way that specific
information relating to a particular person is readily accessible;

L. “Government Agency” refers to a government branch, body, or entity, including national
government agencies, bureaus, or offices, constitutional commissions, local government
units, government-owned and controlled corporations, government financial institutions,
state colleges and universities;

M. “Head of agency” refers to: (1) the head of the government entity or body, for national
government agencies, constitutional commissions or offices, or branches of the government;
(2) the governing board or its duly authorized official for government-owned and -controlled
corporations, government financial institutions, and state colleges and universities; (3) the
local chief executive, for local government units;

N. “Head of organization” refers to the head or decision-making body of a private entity or
organization;

O. “Information and Communications System” refers to a system for generating, sending,
receiving, storing or otherwise processing electronic data messages, or electronic documents,
and includes the computer system or other similar device by which data is recorded,
transmitted, or stored, and any procedure related to the recording, transmission or storage
of electronic data, electronic message, or electronic document;

P. “IRR” refers to the Implementing Rules and Regulations of the DPA;

Q. “Personal data” refers to all types of personal information;

R. “Personal information” refers to any information, whether recorded in a material form
or not, from which the identity of an individual is apparent or can be reasonably and
directly ascertained by the entity holding the information, or when put together with other
information would directly and certainly identify an individual;

S. “Personal information controller” or “PIC” refers to a natural or juridical person, or any
other body who controls the processing of personal data, or instructs another to process
personal data on its behalf. The term excludes:

1. a natural or juridical person, or any other body, who performs such functions as
instructed by another person or organization; or
2. a natural person who processes personal data in connection with his or her personal,
family, or household affairs;

There is control if the natural or juridical person or any other body decides on what information
is collected, or the purpose or extent of its processing;

T. “Personal information processor” or “PIP” refers to any natural or juridical person or
any other body to whom a PIC may outsource or instruct the processing of personal data
pertaining to a data subject;

U. “Private entity” or “organization” refers to any natural or juridical person that is not a unit
of the government, including, but not limited to, a corporation, partnership, company, non-
profit organization or any other legal entity;

V. “Privileged information” refers to all forms of data, which, under the Rules of Court and
other pertinent laws, constitute privileged communication;

W. “Profiling” refers to any form of automated processing of personal data consisting of the
use of personal data, such as an individual’s economic situation, political or religious beliefs,
behavioral or marketing activities, personal preferences, electronic communication data,
location data, and financial data, among others, in order to evaluate, analyze, or predict his
or her performance, qualities, and behavior, among others;

X. “Sensitive personal information” refers to personal information:

1. about an individual’s race, ethnic origin, marital status, age, color, and religious,
philosophical or political affiliations;
2. about an individual’s health, education, genetic or sexual life of a person, or to any
proceeding for any offense committed or alleged to have been committed by such person,
the disposal of such proceedings, or the sentence of any court in such proceedings;
3. issued by government agencies peculiar to an individual which includes, but not limited
to, social security numbers, previous or current health records, licenses or its denials,
suspension or revocation, and tax returns; and
4. specifically established by an executive order or an act of Congress to be kept classified.

SECTION 4. General Principles. This Circular shall be governed by the following general principles:

A. Registration of its data processing systems with the Commission shall be one of the means
through which a PIC or PIP demonstrates its compliance with the DPA, its IRR, and other
relevant issuances of the NPC.

B. Registration information submitted by a PIC or PIP to the Commission is presumed to
contain all required information on its data processing systems that are active or existing
during the validity of such registration. Any information excluded therefrom is deemed
nonexistent.

C. Unless otherwise provided in this Circular, any information, file, or document submitted by
a PIC or PIP to the Commission shall be kept confidential.

D. Any doubt in the interpretation of the provisions of this Circular shall be liberally interpreted
in a manner that would uphold the rights and interests of data subjects.

RULE II.
REGISTRATION OF DATA PROCESSING SYSTEMS

SECTION 5. Mandatory Registration. A PIC or PIP shall register its data processing systems if it is
processing personal data and operating in the country under any of the following conditions:

A. the PIC or PIP employs at least two hundred fifty (250) employees;

B. the processing includes sensitive personal information of at least one thousand (1,000)
individuals;

C. the processing is likely to pose a risk to the rights and freedoms of data subjects. Processing
operations that pose a risk to data subjects include those that involve:

i. information that would likely affect national security, public safety, public order, or
public health;
ii. information required by applicable laws or rules to be confidential;
iii. vulnerable data subjects like minors, the mentally ill, asylum seekers, the elderly, patients,
those involving criminal offenses, or in any other case where an imbalance exists in the
relationship between a data subject and a PIC or PIP;
iv. automated decision-making; or
v. profiling;

D. the processing is not occasional: Provided, that processing shall be considered occasional if
it is only incidental to the mandate or function of the PIC or PIP, or, it only occurs under
specific circumstances and is not regularly performed. Processing that constitutes a core
activity of a PIC or PIP, or is integral thereto, will not be considered occasional:

In determining the existence of the foregoing conditions, relevant factors, such as the number
of employees, or the records of individuals whose sensitive personal information are being
processed, shall only be considered if they are physically located in the Philippines.

Data processing systems that involve automated decision-making shall, in all instances, be
registered with the Commission. For all other data processing systems operating under the
conditions set out in subsections C and D, the Commission shall determine the specific
sectors, industries, or entities that shall be covered by mandatory registration. Appendix 1
of this Circular shall feature the initial list. It shall be regularly reviewed and updated by the
Commission through subsequent issuances.

SECTION 6. Voluntary Registration. An application for registration by a PIC or PIP whose data
processing system does not operate under any of the conditions set out in the next preceding Section
shall be accepted as a voluntary registration.

SECTION 7. When to Register. A PIC or PIP covered by this Circular shall register its personal data
processing system within two (2) months of the commencement of such system.

SECTION 8. Authority to Register. A PIC or PIP shall file its application for registration through its
designated or appointed DPO: Provided, that where a PIC or PIP has several DPOs, only one shall be
authorized to file the application of the PIC or PIP: Provided further, that where the same individual
assumes the role of DPO for two or more PICs or PIPs, he or she shall be allowed to file the applications
of all his or her principals.

SECTION 9. Registration Process. A PIC or PIP shall register through the Commission’s official website
in two (2) phases:

A. Phase I. A PIC or PIP, through its DPO, shall accomplish the prescribed application form,
and submit the same to the Commission together with all supporting documents. Upon
review and validation of the submission, the Commission shall provide the PIC or PIP via
email an access code, which shall allow it to proceed to Phase II of the registration process.

B. Phase II. Using the access code provided by the Commission, a PIC or PIP shall proceed
to the online registration platform and provide all relevant information regarding its data
processing systems. The Commission shall notify the PIC or PIP via email to confirm the
latter’s successful completion of the registration process:

Provided, that registration may be done in person at the office of the Commission in the event
that online access is not available.

SECTION 10. Application Form. An application for registration filed by a PIC or PIP must be duly-
notarized and accompanied by the following documents:

A. For government agencies:

1. certified true copy of the Special/Office Order, or any similar document, designating or
appointing the DPO of the PIC or PIP; and
2. where applicable, a copy of the charter of the government entity, or any similar document
identifying its mandate, powers, and/or functions.

B. For private entities:

1. duly-notarized Secretary’s Certificate authorizing the appointment or designation of
DPO, or any other document that demonstrates the validity of the appointment or
designation; and
2. certified true copy of the following documents, where applicable:
a.) General Information Sheet or any similar document;
b.) Certificate of Registration (SEC Certificate, DTI Certification of Business Name or
Sole Proprietorship) or any similar document; and/or
c.) Franchise, license to operate, or any similar document.

SECTION 11. Online Registration Platform. In the Commission’s online registration platform, a PIC or
PIP shall provide the following registration information:

A. Name and contact details of the PIC or PIP, head of agency or organization, and DPO;

B. Purpose or mandate of the government agency or private entity;

C. Identification of all existing policies relating to data governance, data privacy, and information
security, and other documents that provide a general description of privacy and security
measures for data protection;

D. Attestation regarding certifications attained by the PIC or PIP, including its relevant
personnel, that are related to personal data processing;

E. Brief description of data processing system or systems:

1. Name of the system;
2. Purpose or purposes of the processing;
3. Whether processing is being done as a PIC, PIP, or both;
4. Whether the system is outsourced or subcontracted, and if so, the name and contact
details of the PIP;
5. Description of the category or categories of data subjects, and their personal data or
categories thereof;
6. Recipients or categories of recipients to whom the personal data might be disclosed; and
7. Whether personal data is transferred outside of the Philippines;

F. Notification regarding any automated decision-making operation.

This same set of information shall be given when registration is done in person at the office
of the Commission.

SECTION 12. Certificate of Registration. The Commission shall issue a certificate of registration in favor
of a PIC or PIP that has successfully completed the registration process: Provided, that such certificate
shall only be considered as proof of registration and not a verification of the contents thereof.

SECTION 13. Validity. A certificate of registration, once issued, shall be valid only until the 8th day of
March of the next following year: Provided, that the certificate may be revoked by the Commission at
any time upon service of a Notice of Revocation to the PIC or PIP.

SECTION 14. Verification. The Commission may, at any time, verify any or all registration information
provided by a PIC or PIP through on-site examination of its data processing systems. Policies and
documents identified in the registration, including proof of certifications attained, shall be made
available to the Commission upon request.

SECTION 15. Amendments or Updates. Amendments or updates to registration information, including
significant changes in the description of registered data processing systems, shall be made within two
(2) months from the date such changes take into effect. For this purpose, a significant change shall
include:

A. Name and contact details of the PIC or PIP, head of agency or organization, and DPO;

B. A new or additional data processing system;

C. An amendment or update to the description of a registered data processing system, particularly:

1. Purpose or purposes of processing;
2. Description of the category or categories of data subjects, and of their personal data
or categories thereof;
3. Recipients or categories of recipients to whom the personal data might be disclosed;

D. A new or additional automated decision-making process;

Amendments or updates to the registration information may be undertaken through the
online registration platform, subject to the approval of the Commission: Provided, that where
the change consists of the appointment or designation of a new DPO, the submission of the
appropriate supporting document must be undertaken.

SECTION 16. Non-Registration. A PIC or PIP shall be considered as unregistered under the following
circumstances:

A. Failure to register with the Commission;

B. Expiration and non-renewal of certificate of registration;

C. Rejection or disapproval of an application for registration, or an application for renewal of
registration; or

D. Revocation of the certificate of registration.

SECTION 17. Renewal. A PIC or PIP may file an application for the renewal of its certificate of
registration within two (2) months prior to, but not later than the 8th day of March every year. Any
registration relative to which no application for renewal has been filed within the prescribed period is
deemed revoked: Provided, that a PIC or PIP may be allowed to file an application for renewal beyond
the prescribed period upon approval of the Commission, and only for good cause shown. For this
purpose, the PIC or PIP shall notify the Commission of its intention to renew its registration and the
reason for its delay.

SECTION 18. Reasonable Fees. To recover administrative costs, the Commission may require the
payment of reasonable fees for registration, renewal, and other purposes in accordance with a schedule
that shall be provided in a separate issuance.

RULE III.
REGISTRY OF DATA PROCESSING SYSTEMS

SECTION 19. Maintenance of Registry. The Commission shall maintain a registry of data processing
systems in electronic format.

SECTION 20. Public Access to Registry. Any person may inspect the registry during regular office hours:
Provided, that the Commission shall regulate such access to protect the legitimate interests of PICs
and PIPs.

Subject to reasonable fees and regulations that may be prescribed by the Commission, any person may
also secure a duly certified copy of any entry from the registry relating to a particular PIC or PIP.

SECTION 21. Amendments to Registry. Amendments or updates to the registry shall be made by the
Commission every two (2) months, or as often as necessary, in order to incorporate changes to the
registration information filed by PICs or PIPs.

SECTION 22. Removal from Registry. The registration information of a PIC or PIP may be removed by
the Commission from the registry on any of the following grounds:

A. Incomplete registration;

B. Expiration and non-renewal of registration;

C. Revocation of certificate of registration; or

D. Expired and void registration.

SECTION 23. Non-inclusion of Confidential Information. Information classified by the Constitution or
any statute as confidential shall not be included in the registry.

RULE IV.
NOTIFICATIONS REGARDING
AUTOMATED DECISION-MAKING

SECTION 24. Notification of Automated Decision-Making. A PIC or PIP that carries out any automated
decision-making operation shall notify the Commission via the mandatory registration process.

SECTION 25. When to Notify. Notifications regarding automated decision-making shall be included
in the registration information that will be provided by a PIC or PIP, as indicated in Section 11 of this
Circular, or through amendments or updates to such registration information, as per Section 15 of this
Circular, within the prescribed periods.

SECTION 26. Availability of Additional Information. Upon request by the Commission, a PIC or PIP
shall make available additional information and supporting documents pertaining to its automated
decision-making operation, including:

1. Consent forms or manner of obtaining consent;
2. Retention period for the data collected and processed;
3. Methods and logic utilized for automated processing; and
4. Possible decisions relating to the data subject based on the processed data, particularly if they
would significantly affect his or her rights and freedoms.

RULE V.
SANCTIONS AND PENALTIES

SECTION 27. Revocation of Certificate of Registration. The Commission may revoke the registration of
a PIC or PIP on any of the following grounds:

A. Failure to comply with any of the provisions of the DPA, its IRR, or any relevant issuances
of the Commission;

B. Failure to comply with any order, conditions, or restrictions imposed by the Commission;

C. Loss of authority to operate or conduct business, due to the revocation of its license, permit,
franchise, or any other similar requirement provided by law;


D. Cessation of operations or of personal data processing;

E. Lack of capacity to process personal data in accordance with the DPA; or

F. Issuance by the Commission of a temporary or permanent ban on data processing against
the PIC or PIP: Provided, that in the case of a temporary ban, such prohibition is still in
effect at the time of filing of the application for renewal of registration:

Provided, that, prior to revocation, the Commission shall give the PIC or PIP an opportunity
to explain why its certificate of registration should not be revoked.

SECTION 28. Notice of Revocation. Where the registration of a PIC or PIP is revoked, the Commission
shall issue a Notice of Revocation of Registration, which shall be served upon the PIC or PIP.

SECTION 29. Penalties and Fines. A PIC or PIP whose certificate of registration has been revoked
or that is determined to have violated the registration requirements provided in this Circular may,
upon notice and hearing, be subject to compliance and enforcement orders, cease and desist orders,
temporary or permanent bans on the processing of personal data, or payment of fines in accordance
with a schedule to be issued by the Commission. For this purpose, the registration requirements
shall pertain to the provisions on mandatory registration, amendments and updates, and renewal of
registration.

Under the voluntary registration system, failure by a PIC or PIP to comply with the requirements on
amendments and renewal shall render its certificate of registration void.

SECTION 30. Cease and Desist Order. When the Commission, upon notice and hearing, has determined
that a PIC or PIP failed to disclose its automated decision-making operation through the appropriate
notification processes set out in this Circular, it shall cause the service upon the PIC or PIP a Cease
and Desist Order on the processing of personal data: Provided, that this is without prejudice to any
other administrative, civil, or criminal penalties that the PIC or PIP may incur under the DPA and
other applicable laws.

RULE VI.
MISCELLANEOUS PROVISIONS

SECTION 31. Transitory Period. Notwithstanding the deadline for registration provided in the IRR,
all PICs and PIPs covered by this Circular shall complete Phase I of the registration process by 9
September 2017. Phase II of the registration may be completed until 8 March 2018.

SECTION 32. Repealing Clause. All other issuances contrary to or inconsistent with the provisions of
this Circular are deemed repealed or modified accordingly.

SECTION 33. Separability Clause. If any portion or provision of this Circular is declared null and void
or unconstitutional, the other provisions not affected thereby shall continue to be in force and effect.

SECTION 34. Effectivity. This Circular shall take effect fifteen (15) days after its publication in the
Official Gazette or two (2) newspapers of general circulation.


Approved:

RAYMUND E. LIBORO
Privacy Commissioner

IVY D. PATDU
Deputy Privacy Commissioner

DAMIAN DOMINGO O. MAPA
Deputy Privacy Commissioner


Appendix 1.

Re: Initial determination of the National Privacy Commission on sectors or institutions requiring
Registration of Data Processing Systems under Sections 5(C) and 5(D) of NPC Circular 17-01 on the
“Registration of Data Processing Systems and Notifications regarding automated decision-making.”

The sectors or institutions provided herein that are processing personal data and operating in
the country are subject to mandatory registration as provided in Sections 5(C) and 5(D) of NPC
Circular 17-01. ALL OTHER PICs OR PIPs SHOULD REGISTER IF THEY EMPLOY AT LEAST
250 PERSONS OR PROCESS AT LEAST 1,000 RECORDS INVOLVING SENSITIVE
PERSONAL INFORMATION.

The National Privacy Commission determines, for the limited purpose of mandatory registration under
NPC Circular 17-01, that the following sectors or institutions are considered PICs or PIPs involved in
the processing of personal data that is likely to pose a risk to the rights and freedoms of data subjects
and/or where the processing is not occasional:

1. Government branches, bodies or entities, including national government agencies, bureaus
or offices, constitutional commissions, local government units, and government-owned and
controlled corporations.
2. Banks and non-bank financial institutions, including pawnshops and Non-stock Savings and
Loan Associations (NSSLAs)
3. Telecommunications networks, internet service providers and other entities or organizations
providing similar services
4. Business Processing Outsourcing companies
5. Universities, colleges and other institutions of higher learning, all other schools and training
institutions
6. Hospitals including primary care facilities, multi-specialty clinics, custodial care facilities,
diagnostic or therapeutic facilities, specialized outpatient facilities, and other organizations
processing genetic data
7. Providers of insurance undertakings, including life and non-life companies, pre-need
companies and insurance brokers
8. Business involved mainly in direct marketing, networking, and companies providing reward
cards and loyalty programs
9. Pharmaceutical companies engaged in research
10. Personal information processors processing personal data for a personal information
controller included in the preceding items, and data processing systems involving automated
decision-making.


SAMPLE FORM

Republic of the Philippines
National Privacy Commission
REGISTRATION OF DATA PROCESSING SYSTEM
DATA PROTECTION OFFICER – DPO

Note: The personal information submitted herein shall be used for the initial phase of the Data
Processing System Online Registration, and supporting documents should be attached along with this
form. Once this form has been validated by the NPC, you will be given an access code via email and
SMS to continue with your registration with the online system. You may find the list of supporting
documents in our guidelines forwarded to you via email and posted on our website.
All the information submitted herein shall be used for the purpose stated above and other legitimate
interests of the NPC as mandated by law. Information that is a matter of public interest may be
disclosed to the public. Rest assured that security controls are implemented to protect all the
information in this document.

PERSONAL INFORMATION CONTROLLER / PERSONAL INFORMATION PROCESSOR
NAME OF ORGANIZATION: ____________________
WEBSITE (URL): ____________________
EMAIL ADDRESS: ____________________
COMPANY ADDRESS: ____________________
CONTACT NO.: ____________________

HEAD OF THE ORGANIZATION
LAST NAME: ____________________
FIRST NAME: ____________________
MIDDLE INITIAL: ____________________
OFFICIAL DESIGNATION: ____________________
EMAIL ADDRESS: ____________________
CONTACT NO.: ____________________

DATA PROTECTION OFFICER
LAST NAME: ____________________
FIRST NAME: ____________________
MIDDLE INITIAL: ____________________
OFFICIAL DESIGNATION: ____________________
EMAIL ADDRESS: ____________________
TEL. NO.: ____________________
MOBILE NO.: ____________________
DATE OF DESIGNATION AS DPO: ____________________

SWORN STATEMENT

I declare under oath that this Registration Form is accomplished by the Data Protection Officer, and
is a true, correct and complete statement pursuant to the provisions of the pertinent laws, rules and
regulations of the Republic of the Philippines. I also authorize the National Privacy Commission to
verify/validate the contents stated herein.

_______________________________________
Head of Agency
(Signature over Printed Name)

_______________________________________
Data Protection Officer
(Signature over Printed Name)

SUBSCRIBED and SWORN to before me, this ___________________, who exhibited to me (his/her)
Government Issued ID No. _________________________ issued at ________________________________
on _____________________________.

Notary Public
Doc. No. ______;
Page No. ______;
Book No. ______;
Series of ______;

*** TO BE FILLED UP BY NPC-COMPLIANCE AND MONITORING DIVISION ***

NPC ACCESS CODE: ____________________
APPROVED BY (SIGNATURE OVER PRINTED NAME): ____________________
DATE GIVEN (MM/DD/YYYY): ____________________

ANNEXES
DPA’s Implementing Rules and Regulations

Implementing Rules and Regulations of Republic Act No. 10173

Pursuant to the mandate of the National Privacy Commission to administer and implement the
provisions of the Data Privacy Act of 2012, and to monitor and ensure compliance of the country
with international standards set for data protection, the following rules and regulations are hereby
promulgated to effectively implement the provisions of the Act:

Rule I. Preliminary Provisions

Section 1. Title. These rules and regulations shall be known as the “Implementing Rules and Regulations
of the Data Privacy Act of 2012”, or the “Rules”.

Section 2. Policy. These Rules further enforce the Data Privacy Act and adopt generally accepted
international principles and standards for personal data protection. They safeguard the fundamental
human right of every individual to privacy while ensuring free flow of information for innovation,
growth, and national development. These Rules also recognize the vital role of information and
communications technology in nation-building and enforce the State’s inherent obligation to ensure
that personal data in information and communications systems in the government and in the private
sector are secured and protected.

Section 3. Definitions. Whenever used in these Rules, the following terms shall have the respective
meanings hereafter set forth:

a. “Act” refers to Republic Act No. 10173, also known as the Data Privacy Act of 2012;

b. “Commission” refers to the National Privacy Commission;

c. “Consent of the data subject” refers to any freely given, specific, informed indication of
will, whereby the data subject agrees to the collection and processing of his or her personal,
sensitive personal, or privileged information. Consent shall be evidenced by written,
electronic or recorded means. It may also be given on behalf of a data subject by a lawful
representative or an agent specifically authorized by the data subject to do so;

d. “Data subject” refers to an individual whose personal, sensitive personal, or privileged
information is processed;

e. “Data processing systems” refers to the structure and procedure by which personal data is
collected and further processed in an information and communications system or relevant
filing system, including the purpose and intended output of the processing;

f. “Data sharing” is the disclosure or transfer to a third party of personal data under the
custody of a personal information controller or personal information processor. In the
case of the latter, such disclosure or transfer must have been upon the instructions of the
personal information controller concerned. The term excludes outsourcing, or the disclosure
or transfer of personal data by a personal information controller to a personal information
processor;

g. “Direct marketing” refers to communication by whatever means of any advertising or
marketing material which is directed to particular individuals;


h. “Filing system” refers to any set of information relating to natural or juridical persons to the
extent that, although the information is not processed by equipment operating automatically
in response to instructions given for that purpose, the set is structured, either by reference
to individuals or by reference to criteria relating to individuals, in such a way that specific
information relating to a particular individual is readily accessible;

i. “Information and communications system” refers to a system for generating, sending,
receiving, storing, or otherwise processing electronic data messages or electronic documents,
and includes the computer system or other similar device by which data is recorded,
transmitted, or stored, and any procedure related to the recording, transmission, or storage
of electronic data, electronic message, or electronic document;

j. “Personal data” refers to all types of personal information;

k. “Personal data breach” refers to a breach of security leading to the accidental or unlawful
destruction, loss, alteration, unauthorized disclosure of, or access to, personal data
transmitted, stored, or otherwise processed;

l. “Personal information” refers to any information, whether recorded in a material form
or not, from which the identity of an individual is apparent or can be reasonably and
directly ascertained by the entity holding the information, or when put together with other
information would directly and certainly identify an individual;

m. “Personal information controller” refers to a natural or juridical person, or any other body
who controls the processing of personal data, or instructs another to process personal data
on its behalf. The term excludes:

1. A natural or juridical person, or any other body, who performs such functions as
instructed by another person or organization; or
2. A natural person who processes personal data in connection with his or her personal,
family, or household affairs;

There is control if the natural or juridical person or any other body decides on what information
is collected, or the purpose or extent of its processing;

n. “Personal information processor” refers to any natural or juridical person or any other body
to whom a personal information controller may outsource or instruct the processing of
personal data pertaining to a data subject;

o. “Processing” refers to any operation or any set of operations performed upon personal data
including, but not limited to, the collection, recording, organization, storage, updating or
modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of
data. Processing may be performed through automated means, or manual processing, if the
personal data are contained or are intended to be contained in a filing system;

p. “Profiling” refers to any form of automated processing of personal data consisting of the use
of personal data to evaluate certain personal aspects relating to a natural person, in particular
to analyze or predict aspects concerning that natural person’s performance at work, economic
situation, health, personal preferences, interests, reliability, behavior, location or movements;

q. “Privileged information” refers to any and all forms of data, which, under the Rules of Court
and other pertinent laws constitute privileged communication;

r. “Public authority” refers to any government entity created by the Constitution or law, and
vested with law enforcement or regulatory authority and functions;

s. “Security incident” is an event or occurrence that affects or tends to affect data protection,
or may compromise the availability, integrity and confidentiality of personal data. It includes
incidents that would result in a personal data breach, if not for safeguards that have been
put in place;

t. “Sensitive personal information” refers to personal information:

1. About an individual’s race, ethnic origin, marital status, age, color, and religious,
philosophical or political affiliations;
2. About an individual’s health, education, genetic or sexual life of a person, or to any
proceeding for any offense committed or alleged to have been committed by such
individual, the disposal of such proceedings, or the sentence of any court in such
proceedings;
3. Issued by government agencies peculiar to an individual which includes, but is not
limited to, social security numbers, previous or current health records, licenses or its
denials, suspension or revocation, and tax returns; and
4. Specifically established by an executive order or an act of Congress to be kept classified.

Rule II. Scope of Application

Section 4. Scope. The Act and these Rules apply to the processing of personal data by any natural and
juridical person in the government or private sector. They apply to an act done or practice engaged in
and outside of the Philippines if:

a. The natural or juridical person involved in the processing of personal data is found or
established in the Philippines;

b. The act, practice or processing relates to personal data about a Philippine citizen or Philippine
resident;

c. The processing of personal data is being done in the Philippines; or

d. The act, practice or processing of personal data is done or engaged in by an entity with links
to the Philippines, with due consideration to international law and comity, such as, but not
limited to, the following:

1. Use of equipment located in the country, or maintains an office, branch or agency in the
Philippines for processing of personal data;
2. A contract is entered in the Philippines;
3. A juridical entity unincorporated in the Philippines but has central management and
control in the country;
4. An entity that has a branch, agency, office or subsidiary in the Philippines and the
parent or affiliate of the Philippine entity has access to personal data;
5. An entity that carries on business in the Philippines;
6. An entity that collects or holds personal data in the Philippines.


Section 5. Special Cases. The Act and these Rules shall not apply to the following specified information,
only to the minimum extent of collection, access, use, disclosure or other processing necessary to the
purpose, function, or activity concerned:

a. Information processed for purpose of allowing public access to information that fall within
matters of public concern, pertaining to:

1. Information about any individual who is or was an officer or employee of government
that relates to his or her position or functions, including:

a. The fact that the individual is or was an officer or employee of the government;
b. The title, office address, and office telephone number of the individual;
c. The classification, salary range, and responsibilities of the position held by the
individual; and
d. The name of the individual on a document he or she prepared in the course of his
or her employment with the government;

2. Information about an individual who is or was performing a service under contract for a
government institution, but only in so far as it relates to such service, including the name
of the individual and the terms of his or her contract;

3. Information relating to a benefit of a financial nature conferred on an individual upon
the discretion of the government, such as the granting of a license or permit, including
the name of the individual and the exact nature of the benefit: Provided, that they do
not include benefits given in the course of an ordinary transaction or as a matter of right;

b. Personal information processed for journalistic, artistic or literary purpose, in order to
uphold freedom of speech, of expression, or of the press, subject to requirements of other
applicable law or regulations;

c. Personal information that will be processed for research purpose, intended for a public
benefit, subject to the requirements of applicable laws, regulations, or ethical standards;

d. Information necessary in order to carry out the functions of public authority, in accordance
with a constitutionally or statutorily mandated function pertaining to law enforcement or
regulatory function, including the performance of the functions of the independent, central
monetary authority, subject to restrictions provided by law. Nothing in this Act shall be
construed as having amended or repealed Republic Act No. 1405, otherwise known as the
Secrecy of Bank Deposits Act; Republic Act No. 6426, otherwise known as the Foreign
Currency Deposit Act; and Republic Act No. 9510, otherwise known as the Credit
Information System Act (CISA);

e. Information necessary for banks, other financial institutions under the jurisdiction of the
independent, central monetary authority or Bangko Sentral ng Pilipinas, and other bodies
authorized by law, to the extent necessary to comply with Republic Act No. 9510 (CISA),
Republic Act No. 9160, as amended, otherwise known as the Anti-Money Laundering Act,
and other applicable laws;

f. Personal information originally collected from residents of foreign jurisdictions in accordance
with the laws of those foreign jurisdictions, including any applicable data privacy laws,
which is being processed in the Philippines. The burden of proving the law of the foreign
jurisdiction falls on the person or body seeking exemption. In the absence of proof, the
applicable law shall be presumed to be the Act and these Rules:

Provided, that the non-applicability of the Act or these Rules do not extend to personal
information controllers or personal information processors, who remain subject to the
requirements of implementing security measures for personal data protection: Provided
further, that the processing of the information provided in the preceding paragraphs shall be
exempted from the requirements of the Act only to the minimum extent necessary to achieve
the specific purpose, function, or activity.

Section 6. Protection afforded to Data Subjects.

a. Unless directly incompatible or inconsistent with the preceding sections in relation to the
purpose, function, or activities the non-applicability concerns, the personal information
controller or personal information processor shall uphold the rights of data subjects, and
adhere to general data privacy principles and the requirements of lawful processing.

b. The burden of proving that the Act and these Rules are not applicable to a particular
information falls on those involved in the processing of personal data or the party claiming
the non-applicability.

c. In all cases, the determination of any exemption shall be liberally interpreted in favor of the
rights and interests of the data subject.

Section 7. Protection Afforded to Journalists and their Sources.

a. Publishers, editors, or duly accredited reporters of any newspaper, magazine or periodical
of general circulation shall not be compelled to reveal the source of any news report or
information appearing in said publication if it was related in any confidence to such publisher,
editor, or reporter.

b. Publishers, editors, or duly accredited reporters who are likewise personal information
controllers or personal information processors within the meaning of the law are still
bound to follow the Data Privacy Act and related issuances with regard to the processing of
personal data, upholding rights of their data subjects and maintaining compliance with other
provisions that are not incompatible with the protection provided by Republic Act No. 53.

Rule III. National Privacy Commission

Section 8. Mandate. The National Privacy Commission is an independent body mandated to administer
and implement the Act, and to monitor and ensure compliance of the country with international
standards set for personal data protection.

Section 9. Functions. The National Privacy Commission shall have the following functions:

a. Rule Making. The Commission shall develop, promulgate, review or amend rules and
regulations for the effective implementation of the Act. This includes:

1. Recommending organizational, physical and technical security measures for personal
data protection, encryption, and access to sensitive personal information maintained
by government agencies, considering the most appropriate standard recognized by the
information and communications technology industry, as may be necessary;

2. Specifying electronic format and technical standards, modalities and procedures for
data portability, as may be necessary;
3. Issuing guidelines for organizational, physical, and technical security measures for
personal data protection, taking into account the nature of the personal data to be
protected, the risks presented by the processing, the size of the organization and complexity
of its operations, current data privacy best practices, cost of security implementation,
and the most appropriate standard recognized by the information and communications
technology industry, as may be necessary;

4. Consulting with relevant regulatory agencies in the formulation, review, amendment, and
administration of privacy codes, applying the standards set out in the Act, with respect to
the persons, entities, business activities, and business sectors that said regulatory bodies
are authorized to principally regulate pursuant to law;

5. Proposing legislation, amendments or modifications to Philippine laws on privacy or
data protection, as may be necessary;

6. Ensuring proper and effective coordination with data privacy regulators in other
countries and private accountability agents;
7. Participating in international and regional initiatives for data privacy protection.

b. Advisory. The Commission shall be the advisory body on matters affecting protection of
personal data. This includes:

1. Commenting on the implication on data privacy of proposed national or local statutes,
regulations or procedures, issuing advisory opinions, and interpreting the provisions of
the Act and other data privacy laws;

2. Reviewing, approving, rejecting, or requiring modification of privacy codes voluntarily
adhered to by personal information controllers, which may include private dispute
resolution mechanisms for complaints against any participating personal information
controller, and which adhere to the underlying data privacy principles embodied in the
Act and these Rules;

3. Providing assistance on matters relating to privacy or data protection at the request of
a national or local agency, a private entity or any person, including the enforcement of
rights of data subjects;

4. Assisting Philippine companies doing business abroad to respond to data protection
laws and regulations.

c. Public Education. The Commission shall undertake necessary or appropriate efforts to
inform and educate the public of data privacy, data protection, and fair information rights
and responsibilities. This includes:

1. Publishing, on a regular basis, a guide to all laws relating to data protection;


2. Publishing a compilation of agency system of records and notices, including index and
other finding aids;

3. Coordinating with other government agencies and the private sector on efforts to
formulate and implement plans and policies to strengthen the protection of personal
data in the country;

d. Compliance and Monitoring. The Commission shall perform compliance and monitoring
functions to ensure effective implementation of the Act, these Rules, and other issuances.
This includes:

1. Ensuring compliance by personal information controllers with the provisions of the Act;

2. Monitoring the compliance of all government agencies or instrumentalities as regards
their security and technical measures, and recommending the necessary action in order
to meet minimum standards for protection of personal data pursuant to the Act;

3. Negotiating and contracting with other data privacy authorities of other countries for
cross-border application and implementation of respective privacy laws;

4. Generally performing such acts as may be necessary to facilitate cross-border enforcement
of data privacy protection;

5. Managing the registration of personal data processing systems in the country, including
the personal data processing system of contractors and their employees entering into
contracts with government agencies that involves accessing or requiring sensitive personal
information of at least one thousand (1,000) individuals.

e. Complaints and Investigations. The Commission shall adjudicate on complaints and
investigations on matters affecting personal data: Provided, that in resolving any complaint
or investigation, except where amicable settlement is reached by the parties, the Commission
shall act as a collegial body. This includes:

1. Receiving complaints and instituting investigations regarding violations of the Act, these
Rules, and other issuances of the Commission, including violations of the rights of data
subjects and other matters affecting personal data;

2. Summoning witnesses, and requiring the production of evidence by a subpoena duces tecum
for the purpose of collecting the information necessary to perform its functions under the
Act: Provided, that the Commission may be given access to personal data that is subject of
any complaint;

3. Facilitating or enabling settlement of complaints through the use of alternative dispute
resolution processes, and adjudicating on matters affecting any personal data;

4. Preparing reports on the disposition of complaints and the resolution of any investigation
it initiates, and, in cases it deems appropriate, publicizing such reports;

f. Enforcement. The Commission shall perform all acts as may be necessary to effectively
implement the Act, these Rules, and its other issuances, and to enforce its Orders, Resolutions
or Decisions, including the imposition of administrative sanctions, fines, or penalties. This
includes:

1. Issuing compliance or enforcement orders;

2. Awarding indemnity on matters affecting any personal data, or rights of data subjects;

3. Issuing cease and desist orders, or imposing a temporary or permanent ban on the
processing of personal data, upon finding that the processing will be detrimental to
national security or public interest, or if it is necessary to preserve and protect the rights
of data subjects;

4. Recommending to the Department of Justice (DOJ) the prosecution of crimes and
imposition of penalties specified in the Act;

5. Compelling or petitioning any entity, government agency, or instrumentality, to abide by
its orders or take action on a matter affecting data privacy;

6. Imposing administrative fines for violations of the Act, these Rules, and other issuances
of the Commission.

g. Other functions. The Commission shall exercise such other functions as may be necessary to
fulfill its mandate under the Act.

Section 10. Administrative Issuances. The Commission shall publish or issue official directives and
administrative issuances, orders, and circulars, which include:

a. Rules of procedure in the exercise of its quasi-judicial functions, subject to the suppletory
application of the Rules of Court;

b. Schedule of administrative fines and penalties for violations of the Act, these Rules, and
issuances or Orders of the Commission, including the applicable fees for its administrative
services and filing fees;

c. Procedure for registration of data processing systems, and notification;

d. Other administrative issuances consistent with its mandate and other functions.

Section 11. Reports and Information. The Commission shall report annually to the President and
Congress regarding its activities in carrying out the provisions of the Act, these Rules, and its other
issuances. It shall undertake all efforts it deems necessary or appropriate to inform and educate the
public of data privacy, data protection, and fair information rights and responsibilities.

Section 12. Confidentiality of Personal Data. Members, employees, and consultants of the Commission
shall ensure at all times the confidentiality of any personal data that come to their knowledge and
possession: Provided, that such duty of confidentiality shall remain even after their term, employment,
or contract has ended.

Section 13. Organizational Structure. The Commission is attached to the Department of Information
and Communications Technology for policy and program coordination in accordance with Section
38(3) of Executive Order No. 292, series of 1987, also known as the Administrative Code of 1987. The
Commission shall remain completely independent in the performance of its functions.

123
ANNEXES

The Commission shall be headed by a Privacy Commissioner, who shall act as Chairman of the
Commission. The Privacy Commissioner must be at least thirty-five (35) years of age and of good
moral character, unquestionable integrity and known probity, and a recognized expert in the field of
information technology and data privacy. The Privacy Commissioner shall enjoy the benefits, privileges,
and emoluments equivalent to the rank of Secretary.

The Privacy Commissioner shall be assisted by two (2) Deputy Privacy Commissioners. One shall be
responsible for Data Processing Systems, while the other shall be responsible for Policies and Planning.
The Deputy Privacy Commissioners must be recognized experts in the field of information and
communications technology and data privacy. They shall enjoy the benefits, privileges, and emoluments
equivalent to the rank of Undersecretary.

Section 14. Secretariat. The Commission is authorized to establish a Secretariat, which shall assist in
the performance of its functions. The Secretariat shall be headed by an Executive Director and shall
be organized according to the following offices:

a. Data Security and Compliance Office;

b. Legal and Enforcement Office;

c. Finance and Administrative Office;

d. Privacy Policy Office;

e. Public Information and Assistance Office.

Majority of the members of the Secretariat, in so far as practicable, must have served for at least five
(5) years in any agency of the government that is involved in the processing of personal data including,
but not limited to, the following offices: Social Security System (SSS), Government Service Insurance
System (GSIS), Land Transportation Office (LTO), Bureau of Internal Revenue (BIR), Philippine
Health Insurance Corporation (PhilHealth), Commission on Elections (COMELEC), Department of
Foreign Affairs (DFA), Department of Justice (DOJ), and Philippine Postal Corporation (Philpost).

The organizational structure shall be subject to review and modification by the Commission, including
the creation of new divisions and units it may deem necessary, and shall appoint officers and employees
of the Commission in accordance with civil service law, rules, and regulations.

Section 15. Effect of Lawful Performance of Duty. The Privacy Commissioner, the Deputy Commissioners,
or any person acting on their behalf or under their direction, shall not be civilly liable for acts done in
good faith in the performance of their duties: Provided, that they shall be liable for willful or negligent
acts, which are contrary to law, morals, public policy, and good customs, even if they acted under orders
or instructions of superiors: Provided further, that in case a lawsuit is filed against them in relation to
the performance of their duties, where such performance is lawful, he or she shall be reimbursed by
the Commission for reasonable costs of litigation.

Section 16. Magna Carta for Science and Technology Personnel. Qualified employees of the Commission
shall be covered by Republic Act No. 8349, which provides a magna carta for scientists, engineers,
researchers, and other science and technology personnel in the government.

124
NPC PRIVACY TOOLKIT

Rule IV. Data Privacy Principles

Section 17. General Data Privacy Principles. The processing of personal data shall be allowed, subject to
compliance with the requirements of the Act and other laws allowing disclosure of information to the
public, and adherence to the principles of transparency, legitimate purpose, and proportionality.

Section 18. Principles of Transparency, Legitimate Purpose and Proportionality. The processing of personal
data shall be allowed subject to adherence to the principles of transparency, legitimate purpose, and
proportionality.

a. Transparency. The data subject must be aware of the nature, purpose, and extent of the
processing of his or her personal data, including the risks and safeguards involved, the
identity of personal information controller, his or her rights as a data subject, and how these
can be exercised. Any information and communication relating to the processing of personal
data should be easy to access and understand, using clear and plain language.

b. Legitimate purpose. The processing of information shall be compatible with a declared and
specified purpose which must not be contrary to law, morals, or public policy.

c. Proportionality. The processing of information shall be adequate, relevant, suitable, necessary,
and not excessive in relation to a declared and specified purpose. Personal data shall be
processed only if the purpose of the processing could not reasonably be fulfilled by other
means.

Section 19. General principles in collection, processing and retention. The processing of personal data shall
adhere to the following general principles in the collection, processing, and retention of personal data:

a. Collection must be for a declared, specified, and legitimate purpose.

1. Consent is required prior to the collection and processing of personal data, subject
to exemptions provided by the Act and other applicable laws and regulations. When
consent is required, it must be time-bound in relation to the declared, specified and
legitimate purpose. Consent given may be withdrawn.

2. The data subject must be provided specific information regarding the purpose and
extent of processing, including, where applicable, the automated processing of his or her
personal data for profiling, or processing for direct marketing, and data sharing.

3. Purpose should be determined and declared before, or as soon as reasonably practicable,
after collection.

4. Only personal data that is necessary and compatible with declared, specified, and
legitimate purpose shall be collected.

b. Personal data shall be processed fairly and lawfully.

1. Processing shall uphold the rights of the data subject, including the right to refuse,
withdraw consent, or object. It shall likewise be transparent, and allow the data subject
sufficient information to know the nature and extent of processing.

2. Information provided to a data subject must always be in clear and plain language to
ensure that they are easy to understand and access.

3. Processing must be in a manner compatible with declared, specified, and legitimate
purpose.

4. Processed personal data should be adequate, relevant, and limited to what is necessary
in relation to the purposes for which they are processed.

5. Processing shall be undertaken in a manner that ensures appropriate privacy and security
safeguards.

c. Processing should ensure data quality.

1. Personal data should be accurate and where necessary for declared, specified and
legitimate purpose, kept up to date.

2. Inaccurate or incomplete data must be rectified, supplemented, destroyed or their further
processing restricted.

d. Personal Data shall not be retained longer than necessary.

1. Retention of personal data shall only be for as long as necessary:

a. for the fulfillment of the declared, specified, and legitimate purpose, or when the
processing relevant to the purpose has been terminated;
b. for the establishment, exercise or defense of legal claims; or
c. for legitimate business purposes, which must be consistent with standards followed
by the applicable industry or approved by appropriate government agency.

2. Retention of personal data shall be allowed in cases provided by law.

3. Personal data shall be disposed or discarded in a secure manner that would prevent
further processing, unauthorized access, or disclosure to any other party or the public,
or prejudice the interests of the data subjects.

e. Any authorized further processing shall have adequate safeguards.

1. Personal data originally collected for a declared, specified, or legitimate purpose may be
processed further for historical, statistical, or scientific purposes, and, in cases laid down
in law, may be stored for longer periods, subject to implementation of the appropriate
organizational, physical, and technical security measures required by the Act in order to
safeguard the rights and freedoms of the data subject.

2. Personal data which is aggregated or kept in a form which does not permit identification
of data subjects may be kept longer than necessary for the declared, specified, and
legitimate purpose.

3. Personal data shall not be retained in perpetuity in contemplation of a possible future
use yet to be determined.

Section 20. General Principles for Data Sharing. Further Processing of Personal Data collected from a
party other than the Data Subject shall be allowed under any of the following conditions:

a. Data sharing shall be allowed when it is expressly authorized by law: Provided, that there
are adequate safeguards for data privacy and security, and processing adheres to principle of
transparency, legitimate purpose and proportionality.

b. Data Sharing shall be allowed in the private sector if the data subject consents to data sharing,
and the following conditions are complied with:

1. Consent for data sharing shall be required even when the data is to be shared with an
affiliate or mother company, or similar relationships;

2. Data sharing for commercial purposes, including direct marketing, shall be covered by
a data sharing agreement.

a. The data sharing agreement shall establish adequate safeguards for data privacy and
security, and uphold rights of data subjects.
b. The data sharing agreement shall be subject to review by the Commission, on its own
initiative or upon complaint of data subject;

3. The data subject shall be provided with the following information prior to collection or
before data is shared:

a. Identity of the personal information controllers or personal information processors
that will be given access to the personal data;
b. Purpose of data sharing;
c. Categories of personal data concerned;
d. Intended recipients or categories of recipients of the personal data;
e. Existence of the rights of data subjects, including the right to access and correction,
and the right to object;
f. Other information that would sufficiently notify the data subject of the nature and
extent of data sharing and the manner of processing.

4. Further processing of shared data shall adhere to the data privacy principles laid down
in the Act, these Rules, and other issuances of the Commission.

c. Data collected from parties other than the data subject for purpose of research shall be
allowed when the personal data is publicly available, or has the consent of the data subject for
purpose of research: Provided, that adequate safeguards are in place, and no decision directly
affecting the data subject shall be made on the basis of the data collected or processed. The
rights of the data subject shall be upheld without compromising research integrity.

d. Data sharing between government agencies for the purpose of a public function or provision
of a public service shall be covered by a data sharing agreement.

1. Any or all government agencies party to the agreement shall comply with the Act, these
Rules, and all other issuances of the Commission, including putting in place adequate
safeguards for data privacy and security.

2. The data sharing agreement shall be subject to review of the Commission, on its own
initiative or upon complaint of data subject.


Rule V. Lawful Processing of Personal Data

Section 21. Criteria for Lawful Processing of Personal Information. Processing of personal information is
allowed, unless prohibited by law. For processing to be lawful, any of the following conditions must be
complied with:

a. The data subject must have given his or her consent prior to the collection, or as soon as
practicable and reasonable;

b. The processing involves the personal information of a data subject who is a party to a
contractual agreement, in order to fulfill obligations under the contract or to take steps at
the request of the data subject prior to entering the said agreement;

c. The processing is necessary for compliance with a legal obligation to which the personal
information controller is subject;

d. The processing is necessary to protect vitally important interests of the data subject, including
his or her life and health;

e. The processing of personal information is necessary to respond to national emergency or to
comply with the requirements of public order and safety, as prescribed by law;

f. The processing of personal information is necessary for the fulfillment of the constitutional
or statutory mandate of a public authority; or

g. The processing is necessary to pursue the legitimate interests of the personal information
controller, or by a third party or parties to whom the data is disclosed, except where such
interests are overridden by fundamental rights and freedoms of the data subject, which
require protection under the Philippine Constitution.

Section 22. Sensitive Personal Information and Privileged Information. The processing of sensitive personal
and privileged information is prohibited, except in any of the following cases:

a. Consent is given by data subject, or by the parties to the exchange of privileged information,
prior to the processing of the sensitive personal information or privileged information, which
shall be undertaken pursuant to a declared, specified, and legitimate purpose;

b. The processing of the sensitive personal information or privileged information is provided
for by existing laws and regulations: Provided, that said laws and regulations do not require
the consent of the data subject for the processing, and guarantee the protection of personal
data;

c. The processing is necessary to protect the life and health of the data subject or another
person, and the data subject is not legally or physically able to express his or her consent prior
to the processing;

d. The processing is necessary to achieve the lawful and noncommercial objectives of public
organizations and their associations provided that:

1. Processing is confined and related to the bona fide members of these organizations or
their associations;
2. The sensitive personal information are not transferred to third parties; and
3. Consent of the data subject was obtained prior to processing;

e. The processing is necessary for the purpose of medical treatment: Provided, that it is carried
out by a medical practitioner or a medical treatment institution, and an adequate level of
protection of personal data is ensured; or

f. The processing concerns sensitive personal information or privileged information necessary
for the protection of lawful rights and interests of natural or legal persons in court proceedings,
or the establishment, exercise, or defense of legal claims, or when provided to government or
public authority pursuant to a constitutional or statutory mandate.

Section 23. Extension of Privileged Communication. Personal information controllers may invoke the
principle of privileged communication over privileged information that they lawfully control or
process. Subject to existing laws and regulations, any evidence gathered from privileged information
is inadmissible.

When the Commission inquires upon communication claimed to be privileged, the personal
information controller concerned shall prove the nature of the communication in an executive session.
Should the communication be determined as privileged, it shall be excluded from evidence, and the
contents thereof shall not form part of the records of the case: Provided, that where the privileged
communication itself is the subject of a breach, or a privacy concern or investigation, it may be disclosed
to the Commission but only to the extent necessary for the purpose of investigation, without including
the contents thereof in the records.

Section 24. Surveillance of Suspects and Interception of Recording of Communications. Section 7 of Republic
Act No. 9372, otherwise known as the “Human Security Act of 2007”, is hereby amended to include
the condition that the processing of personal data for the purpose of surveillance, interception, or
recording of communications shall comply with the Data Privacy Act, including adherence to the
principles of transparency, proportionality, and legitimate purpose.

Rule VI. Security Measures for the Protection of Personal Data

Section 25. Data Privacy and Security. Personal information controllers and personal information
processors shall implement reasonable and appropriate organizational, physical, and technical security
measures for the protection of personal data.

The personal information controller and personal information processor shall take steps to ensure that
any natural person acting under their authority and who has access to personal data, does not process
them except upon their instructions, or as required by law.

The security measures shall aim to maintain the availability, integrity, and confidentiality of personal
data and are intended for the protection of personal data against any accidental or unlawful destruction,
alteration, and disclosure, as well as against any other unlawful processing. These measures shall be
implemented to protect personal data against natural dangers such as accidental loss or destruction,
and human dangers such as unlawful access, fraudulent misuse, unlawful destruction, alteration and
contamination.

Section 26. Organizational Security Measures. Where appropriate, personal information controllers and
personal information processors shall comply with the following guidelines for organizational security:

a. Compliance Officers. Any natural or juridical person or other body involved in the processing
of personal data shall designate an individual or individuals who shall function as data
protection officer, compliance officer or otherwise be accountable for ensuring compliance
with applicable laws and regulations for the protection of data privacy and security.

b. Data Protection Policies. Any natural or juridical person or other body involved in the
processing of personal data shall implement appropriate data protection policies that provide
for organization, physical, and technical security measures, and, for such purpose, take into
account the nature, scope, context and purposes of the processing, as well as the risks posed
to the rights and freedoms of data subjects.

1. The policies shall implement data protection principles both at the time of the
determination of the means for processing and at the time of the processing itself.

2. The policies shall implement appropriate security measures that, by default, ensure
only personal data which is necessary for the specified purpose of the processing are
processed. They shall determine the amount of personal data collected, including the
extent of processing involved, the period of their storage, and their accessibility.

3. The policies shall provide for documentation, regular review, evaluation, and updating of
the privacy and security policies and practices.

c. Records of Processing Activities. Any natural or juridical person or other body involved
in the processing of personal data shall maintain records that sufficiently describe its data
processing system, and identify the duties and responsibilities of those individuals who will
have access to personal data. Records should include:

1. Information about the purpose of the processing of personal data, including any intended
future processing or data sharing;

2. A description of all categories of data subjects, personal data, and recipients of such
personal data that will be involved in the processing;

3. General information about the data flow within the organization, from the time of
collection, processing, and retention, including the time limits for disposal or erasure of
personal data;

4. A general description of the organizational, physical, and technical security measures in
place;

5. The name and contact details of the personal information controller and, where
applicable, the joint controller, its representative, and the compliance officer or
Data Protection Officer, or any other individual or individuals accountable for ensuring
compliance with the applicable laws and regulations for the protection of data privacy
and security.

d. Management of Human Resources. Any natural or juridical person or other entity involved
in the processing of personal data shall be responsible for selecting and supervising its
employees, agents, or representatives, particularly those who will have access to personal
data.

The said employees, agents, or representatives shall operate and hold personal data under
strict confidentiality if the personal data are not intended for public disclosure. This
obligation shall continue even after leaving the public service, transferring to another
position, or upon terminating their employment or contractual relations. There shall
be capacity building, orientation or training programs for such employees, agents or
representatives, regarding privacy or security policies.

e. Processing of Personal Data. Any natural or juridical person or other body involved in the
processing of personal data shall develop, implement and review:

1. A procedure for the collection of personal data, including procedures for obtaining
consent, when applicable;
2. Procedures that limit the processing of data, to ensure that it is only to the extent
necessary for the declared, specified, and legitimate purpose;

3. Policies for access management, system monitoring, and protocols to follow during
security incidents or technical problems;

4. Policies and procedures for data subjects to exercise their rights under the Act;

5. Data retention schedule, including timeline or conditions for erasure or disposal of
records.

f. Contracts with Personal Information Processors. The personal information controller,
through appropriate contractual agreements, shall ensure that its personal information
processors, where applicable, shall also implement the security measures required by the Act
and these Rules. It shall only engage those personal information processors that provide
sufficient guarantees to implement appropriate security measures specified in the Act and
these Rules, and ensure the protection of the rights of the data subject.

Section 27. Physical Security Measures. Where appropriate, personal information controllers and personal
information processors shall comply with the following guidelines for physical security:

a. Policies and procedures shall be implemented to monitor and limit access to and activities
in the room, workstation or facility, including guidelines that specify the proper use of and
access to electronic media;

b. Design of office space and work stations, including the physical arrangement of furniture
and equipment, shall provide privacy to anyone processing personal data, taking into
consideration the environment and accessibility to the public;

c. The duties, responsibilities and schedule of individuals involved in the processing of personal
data shall be clearly defined to ensure that only the individuals actually performing official
duties shall be in the room or work station, at any given time;

d. Any natural or juridical person or other body involved in the processing of personal data
shall implement policies and procedures regarding the transfer, removal, disposal, and re-use
of electronic media, to ensure appropriate protection of personal data;

e. Policies and procedures that prevent the mechanical destruction of files and equipment shall
be established. The room and workstation used in the processing of personal data shall, as
far as practicable, be secured against natural disasters, power disturbances, external access,
and other similar threats.

Section 28. Guidelines for Technical Security Measures. Where appropriate, personal information
controllers and personal information processors shall adopt and establish the following technical
security measures:

a. A security policy with respect to the processing of personal data;

b. Safeguards to protect their computer network against accidental, unlawful or unauthorized
usage, any interference which will affect data integrity or hinder the functioning or availability
of the system, and unauthorized access through an electronic network;

c. The ability to ensure and maintain the confidentiality, integrity, availability, and resilience of
their processing systems and services;

d. Regular monitoring for security breaches, and a process both for identifying and accessing
reasonably foreseeable vulnerabilities in their computer networks, and for taking preventive,
corrective, and mitigating action against security incidents that can lead to a personal data
breach;

e. The ability to restore the availability and access to personal data in a timely manner in the
event of a physical or technical incident;

f. A process for regularly testing, assessing, and evaluating the effectiveness of security measures;

g. Encryption of personal data during storage and while in transit, authentication process, and
other technical security measures that control and limit access.

Section 29. Appropriate Level of Security. The Commission shall monitor the compliance of natural or
juridical person or other body involved in the processing of personal data, specifically their security
measures, with the guidelines provided in these Rules and subsequent issuances of the Commission. In
determining the level of security appropriate for a particular personal information controller or personal
information processor, the Commission shall take into account the nature of the personal data that
requires protection, the risks posed by the processing, the size of the organization and complexity of its
operations, current data privacy best practices, and the cost of security implementation. The security
measures provided herein shall be subject to regular review and evaluation, and may be updated as
necessary by the Commission in separate issuances, taking into account the most appropriate standard
recognized by the information and communications technology industry and data privacy best practices.

Rule VII. Security of Sensitive Personal Information in Government

Section 30. Responsibility of Heads of Agencies. All sensitive personal information maintained by the
government, its agencies, and instrumentalities shall be secured, as far as practicable, with the use of the
most appropriate standard recognized by the information and communications technology industry,
subject to these Rules and other issuances of the Commission. The head of each government agency or
instrumentality shall be responsible for complying with the security requirements mentioned herein.
The Commission shall monitor government agency compliance and may recommend the necessary
action in order to satisfy the minimum standards.

Section 31. Requirements Relating to Access by Agency Personnel to Sensitive Personal Information.

a. On-site and Online Access.

1. No employee of the government shall have access to sensitive personal information on
government property or through online facilities unless the employee has received
a security clearance from the head of the source agency. The source agency is the government
agency who originally collected the personal data.

2. A source agency shall strictly regulate access to sensitive personal information under its
custody or control, particularly when it allows online access. An employee of the government
shall only be granted a security clearance when the performance of his or her official functions
or the provision of a public service directly depends on and cannot otherwise be performed
unless access to the personal data is allowed.

3. Where allowed under the next preceding sections, online access to sensitive personal
information shall be subject to the following conditions:

a. An information technology governance framework has been designed and implemented;
b. Sufficient organizational, physical and technical security measures have been established;
c. The agency is capable of protecting sensitive personal information in accordance with
data privacy practices and standards recognized by the information and communication
technology industry;
d. The employee of the government is only given online access to sensitive personal
information necessary for the performance of official functions or the provision of a
public service.

b. Off-site access.

1. Sensitive personal information maintained by an agency may not be transported or accessed
from a location off or outside of government property, whether by its agent or employee,
unless the head of agency has ensured the implementation of privacy policies and appropriate
security measures. A request for such transportation or access shall be submitted to and
approved by the head of agency. The request must include proper accountability mechanisms
in the processing of data.

2. The head of agency shall approve requests for off-site access in accordance with the following
guidelines:

a. Deadline for Approval or Disapproval. The head of agency shall approve or disapprove
the request within two (2) business days after the date of submission of the request.
Where no action is taken by the head of agency, the request is considered disapproved;
b. Limitation to One thousand (1,000) Records. Where a request is approved, the head of
agency shall limit the access to not more than one thousand (1,000) records at a time,
subject to the next succeeding paragraph.
c. Encryption. Any technology used to store, transport or access sensitive personal
information for purposes of off-site access approved under this subsection shall be secured
by the use of the most secure encryption standard recognized by the Commission.

Section 32. Implementation of Security Requirements. Notwithstanding the effective date of these Rules,
the requirements in the preceding sections shall be implemented before any off-site or online access
request is approved. Any data sharing agreement between a source agency and another government
agency shall be subject to review of the Commission on its own initiative or upon complaint of data
subject.

Section 33. Applicability to Government Contractors. In entering into any contract with a private service
provider that may involve accessing or requiring sensitive personal information from one thousand
(1,000) or more individuals, a government agency shall require such service provider and its employees
to register their personal data processing system with the Commission in accordance with the Act
and these Rules. The service provider, as personal information processor, shall comply with the other
provisions of the Act and these Rules, particularly the immediately preceding sections, similar to a
government agency and its employees.

Rule VIII. Rights of Data Subjects

Section 34. Rights of the Data Subject. The data subject is entitled to the following rights:

a. Right to be informed.

1. The data subject has a right to be informed whether personal data pertaining to him
or her shall be, are being, or have been processed, including the existence of automated
decision-making and profiling.

2. The data subject shall be notified and furnished with information indicated hereunder
before the entry of his or her personal data into the processing system of the personal
information controller, or at the next practical opportunity:

a. Description of the personal data to be entered into the system;
b. Purposes for which they are being or will be processed, including processing for direct
marketing, profiling or historical, statistical or scientific purpose;
c. Basis of processing, when processing is not based on the consent of the data subject;
d. Scope and method of the personal data processing;
e. The recipients or classes of recipients to whom the personal data are or may be disclosed;
f. Methods utilized for automated access, if the same is allowed by the data subject, and
the extent to which such access is authorized, including meaningful information about
the logic involved, as well as the significance and the envisaged consequences of such
processing for the data subject;
g. The identity and contact details of the personal data controller or its representative;
h. The period for which the information will be stored; and
i. The existence of their rights as data subjects, including the right to access, correction, and
object to the processing, as well as the right to lodge a complaint before the Commission.

b. Right to object. The data subject shall have the right to object to the processing of his or her
personal data, including processing for direct marketing, automated processing or profiling.
The data subject shall also be notified and given an opportunity to withhold consent to the
processing in case of changes or any amendment to the information supplied or declared to
the data subject in the preceding paragraph.

When a data subject objects or withholds consent, the personal information controller shall
no longer process the personal data, unless:

1. The personal data is needed pursuant to a subpoena;

2. The collection and processing are for obvious purposes, including, when it is necessary
for the performance of or in relation to a contract or service to which the data subject is a
party, or when necessary or desirable in the context of an employer-employee relationship
between the collector and the data subject; or

3. The information is being collected and processed as a result of a legal obligation.

c. Right to Access. The data subject has the right to reasonable access to, upon demand, the
following:

1. Contents of his or her personal data that were processed;
2. Sources from which personal data were obtained;
3. Names and addresses of recipients of the personal data;
4. Manner by which such data were processed;
5. Reasons for the disclosure of the personal data to recipients, if any;
6. Information on automated processes where the data will, or is likely to, be made as the
sole basis for any decision that significantly affects or will affect the data subject;
7. Date when his or her personal data concerning the data subject were last accessed and
modified; and
8. The designation, name or identity, and address of the personal information controller.

d. Right to rectification. The data subject has the right to dispute the inaccuracy or error in
the personal data and have the personal information controller correct it immediately and
accordingly, unless the request is vexatious or otherwise unreasonable. If the personal data
has been corrected, the personal information controller shall ensure the accessibility of both
the new and the retracted information and the simultaneous receipt of the new and the
retracted information by the intended recipients thereof: Provided, That recipients or third
parties who have previously received such processed personal data shall be informed of its
inaccuracy and its rectification, upon reasonable request of the data subject.

e. Right to Erasure or Blocking. The data subject shall have the right to suspend, withdraw
or order the blocking, removal or destruction of his or her personal data from the personal
information controller’s filing system.

1. This right may be exercised upon discovery and substantial proof of any of the following:

a. The personal data is incomplete, outdated, false, or unlawfully obtained;
b. The personal data is being used for purpose not authorized by the data subject;
c. The personal data is no longer necessary for the purposes for which they were collected;
d. The data subject withdraws consent or objects to the processing, and there is no other
legal ground or overriding legitimate interest for the processing;
e. The personal data concerns private information that is prejudicial to data subject, unless
justified by freedom of speech, of expression, or of the press or otherwise authorized;
f. The processing is unlawful;
g. The personal information controller or personal information processor violated the
rights of the data subject.

2. The personal information controller may notify third parties who have previously received
such processed personal information.

f. Right to damages. The data subject shall be indemnified for any damages sustained due to
such inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of
personal data, taking into account any violation of his or her rights and freedoms as data
subject.

Section 35. Transmissibility of Rights of the Data Subject. The lawful heirs and assigns of the data subject
may invoke the rights of the data subject to which he or she is an heir or an assignee, at any time after
the death of the data subject, or when the data subject is incapacitated or incapable of exercising the
rights as enumerated in the immediately preceding section.

Section 36. Right to Data Portability. Where his or her personal data is processed by electronic means
and in a structured and commonly used format, the data subject shall have the right to obtain from
the personal information controller a copy of such data in an electronic or structured format that
is commonly used and allows for further use by the data subject. The exercise of this right shall
primarily take into account the right of data subject to have control over his or her personal data being
processed based on consent or contract, for commercial purpose, or through automated means. The
Commission may specify the electronic format referred to above, as well as the technical standards,
modalities, procedures and other rules for their transfer.

Section 37. Limitation on Rights. The immediately preceding sections shall not be applicable if the
processed personal data are used only for the needs of scientific and statistical research and, on the
basis of such, no activities are carried out and no decisions are taken regarding the data subject:
Provided, that the personal data shall be held under strict confidentiality and shall be used only for the
declared purpose. The said sections are also not applicable to the processing of personal data gathered
for the purpose of investigations in relation to any criminal, administrative or tax liabilities of a data
subject. Any limitations on the rights of the data subject shall only be to the minimum extent necessary
to achieve the purpose of said research or investigation.

Rule IX. Data Breach Notification

Section 38. Data Breach Notification.

a. The Commission and affected data subjects shall be notified by the personal information
controller within seventy-two (72) hours upon knowledge of, or when there is reasonable
belief by the personal information controller or personal information processor that, a
personal data breach requiring notification has occurred.

b. Notification of personal data breach shall be required when sensitive personal information
or any other information that may, under the circumstances, be used to enable identity fraud
are reasonably believed to have been acquired by an unauthorized person, and the personal
information controller or the Commission believes that such unauthorized acquisition is
likely to give rise to a real risk of serious harm to any affected data subject.

c. Depending on the nature of the incident, or if there is delay or failure to notify, the Commission
may investigate the circumstances surrounding the personal data breach. Investigations may
include on-site examination of systems and procedures.

Section 39. Contents of Notification. The notification shall at least describe the nature of the breach,
the personal data possibly involved, and the measures taken by the entity to address the breach. The
notification shall also include measures taken to reduce the harm or negative consequences of the
breach, the representatives of the personal information controller, including their contact details, from
whom the data subject can obtain additional information about the breach, and any assistance to be
provided to the affected data subjects.

Section 40. Delay of Notification. Notification may be delayed only to the extent necessary to determine
the scope of the breach, to prevent further disclosures, or to restore reasonable integrity to the
information and communications system.

a. In evaluating if notification is unwarranted, the Commission may take into account
compliance by the personal information controller with this section and existence of good
faith in the acquisition of personal data.

b. The Commission may exempt a personal information controller from notification where,
in its reasonable judgment, such notification would not be in the public interest, or in the
interest of the affected data subjects.

c. The Commission may authorize postponement of notification where it may hinder the
progress of a criminal investigation related to a serious breach.

Section 41. Breach Report.

a. The personal information controller shall notify the Commission by submitting a report,
whether written or electronic, containing the required contents of notification. The report
shall also include the name of a designated representative of the personal information
controller, and his or her contact details.

b. All security incidents and personal data breaches shall be documented through written
reports, including those not covered by the notification requirements. In the case of personal
data breaches, a report shall include the facts surrounding an incident, the effects of such
incident, and the remedial actions taken by the personal information controller. In other
security incidents not involving personal data, a report containing aggregated data shall
constitute sufficient documentation. These reports shall be made available when requested
by the Commission. A general summary of the reports shall be submitted to the Commission
annually.

Section 42. Procedure for Notification. The Procedure for breach notification shall be in accordance with
the Act, these Rules, and any other issuance of the Commission.

Rule X. Outsourcing and Subcontracting Agreements

Section 43. Subcontract of Personal Data. A personal information controller may subcontract or outsource
the processing of personal data: Provided, that the personal information controller shall use contractual
or other reasonable means to ensure that proper safeguards are in place, to ensure the confidentiality,
integrity and availability of the personal data processed, prevent its use for unauthorized purposes, and
generally, comply with the requirements of the Act, these Rules, other applicable laws for processing of
personal data, and other issuances of the Commission.

Section 44. Agreements for Outsourcing. Processing by a personal information processor shall be
governed by a contract or other legal act that binds the personal information processor to the personal
information controller.

a. The contract or legal act shall set out the subject-matter and duration of the processing,
the nature and purpose of the processing, the type of personal data and categories of data
subjects, the obligations and rights of the personal information controller, and the geographic
location of the processing under the subcontracting agreement.

b. The contract or other legal act shall stipulate, in particular, that the personal information
processor shall:

1. Process the personal data only upon the documented instructions of the personal
information controller, including transfers of personal data to another country or an
international organization, unless such transfer is authorized by law;

2. Ensure that an obligation of confidentiality is imposed on persons authorized to process
the personal data;

3. Implement appropriate security measures and comply with the Act, these Rules, and
other issuances of the Commission;

4. Not engage another processor without prior instruction from the personal information
controller: Provided, that any such arrangement shall ensure that the same obligations
for data protection under the contract or legal act are implemented, taking into account
the nature of the processing;

5. Assist the personal information controller, by appropriate technical and organizational
measures and to the extent possible, fulfill the obligation to respond to requests by data
subjects relative to the exercise of their rights;

6. Assist the personal information controller in ensuring compliance with the Act, these
Rules, other relevant laws, and other issuances of the Commission, taking into account
the nature of processing and the information available to the personal information
processor;
7. At the choice of the personal information controller, delete or return all personal data
to the personal information controller after the end of the provision of services relating
to the processing: Provided, that this includes deleting existing copies unless storage is
authorized by the Act or another law;

8. Make available to the personal information controller all information necessary to
demonstrate compliance with the obligations laid down in the Act, and allow for and
contribute to audits, including inspections, conducted by the personal information
controller or another auditor mandated by the latter;

9. Immediately inform the personal information controller if, in its opinion, an instruction
infringes the Act, these Rules, or any other issuance of the Commission.

Section 45. Duty of personal information processor. The personal information processor shall comply
with the requirements of the Act, these Rules, other applicable laws, and other issuances of the
Commission, in addition to obligations provided in a contract, or other legal act with a personal
information controller.

Rule XI. Registration and Compliance Requirements

Section 46. Enforcement of the Data Privacy Act. Pursuant to the mandate of the Commission to
administer and implement the Act, and to ensure the compliance of personal information controllers
with its obligations under the law, the Commission requires the following:

a. Registration of personal data processing systems operating in the country that involves
accessing or requiring sensitive personal information of at least one thousand (1,000)
individuals, including the personal data processing system of contractors, and their personnel,
entering into contracts with government agencies;

b. Notification of automated processing operations where the processing becomes the sole basis
of making decisions that would significantly affect the data subject;

c. Annual report of the summary of documented security incidents and personal data breaches;

d. Compliance with other requirements that may be provided in other issuances of the
Commission.

Section 47. Registration of Personal Data Processing Systems. The personal information controller or
personal information processor that employs fewer than two hundred fifty (250) persons shall not
be required to register unless the processing it carries out is likely to pose a risk to the rights and
freedoms of data subjects, the processing is not occasional, or the processing includes sensitive personal
information of at least one thousand (1,000) individuals.

a. The contents of registration shall include:

1. The name and address of the personal information controller or personal information
processor, and of its representative, if any, including their contact details;

2. The purpose or purposes of the processing, and whether processing is being done under
an outsourcing or subcontracting agreement;

3. A description of the category or categories of data subjects, and of the data or categories
of data relating to them;

4. The recipients or categories of recipients to whom the data might be disclosed;

5. Proposed transfers of personal data outside the Philippines;

6. A general description of privacy and security measures for data protection;

7. Brief description of the data processing system;

8. Copy of all policies relating to data governance, data privacy, and information security;

9. Attestation to all certifications attained that are related to information and
communications processing; and

10. Name and contact details of the compliance or data protection officer, which shall
immediately be updated in case of changes.

b. The procedure for registration shall be in accordance with these Rules and other issuances
of the Commission.

Section 48. Notification of Automated Processing Operations. The personal information controller
carrying out any wholly or partly automated processing operations or set of such operations intended
to serve a single purpose or several related purposes shall notify the Commission when the automated
processing becomes the sole basis for making decisions about a data subject, and when the decision
would significantly affect the data subject.

a. The notification shall include the following information:

1. Purpose of processing;
2. Categories of personal data to undergo processing;
3. Category or categories of data subject;
4. Consent forms or manner of obtaining consent;
5. The recipients or categories of recipients to whom the data are to be disclosed;
6. The length of time the data are to be stored;
7. Methods and logic utilized for automated processing;
8. Decisions relating to the data subject that would be made on the basis of processed data
or that would significantly affect the rights and freedoms of data subject; and
9. Names and contact details of the compliance or data protection officer.

b. No decision with legal effects concerning a data subject shall be made solely on the basis of
automated processing without the consent of the data subject.

Section 49. Review by the Commission. The following are subject to the review of the Commission, upon
its own initiative or upon the filing of a complaint by a data subject:

a. Compliance by a personal information controller or personal information processor with the
Act, these Rules, and other issuances of the Commission;

b. Compliance by a personal information controller or personal information processor with the
requirement of establishing adequate safeguards for data privacy and security;

c. Any data sharing agreement, outsourcing contract, and similar contracts involving the
processing of personal data, and its implementation;

d. Any off-site or online access to sensitive personal data in government allowed by a head of
agency;

e. Processing of personal data for research purposes, public functions, or commercial activities;

f. Any reported violation of the rights and freedoms of data subjects;

g. Other matters necessary to ensure the effective implementation and administration of the
Act, these Rules, and other issuances of the Commission.

Rule XII. Rules on Accountability

Section 50. Accountability for Transfer of Personal Data. A personal information controller shall be
responsible for any personal data under its control or custody, including information that have been
outsourced or transferred to a personal information processor or a third party for processing, whether
domestically or internationally, subject to cross-border arrangement and cooperation.

a. A personal information controller shall be accountable for complying with the requirements
of the Act, these Rules, and other issuances of the Commission. It shall use contractual or
other reasonable means to provide a comparable level of protection to the personal data
while it is being processed by a personal information processor or third party.

b. A personal information controller shall designate an individual or individuals who are
accountable for its compliance with the Act. The identity of the individual or individuals so
designated shall be made known to a data subject upon request.

Section 51. Accountability for Violation of the Act, these Rules and Other Issuances of the Commission.

a. Any natural or juridical person, or other body involved in the processing of personal data,
who fails to comply with the Act, these Rules, and other issuances of the Commission, shall
be liable for such violation, and shall be subject to its corresponding sanction, penalty, or
fine, without prejudice to any civil or criminal liability, as may be applicable.

b. In cases where a data subject files a complaint for violation of his or her rights as data
subject, and for any injury suffered as a result of the processing of his or her personal data,
the Commission may award indemnity on the basis of the applicable provisions of the New
Civil Code.

c. In case of criminal acts and their corresponding personal penalties, the person who committed
the unlawful act or omission shall be recommended for prosecution by the Commission
based on substantial evidence. If the offender is a corporation, partnership, or any juridical
person, the responsible officers, as the case may be, who participated in, or by their gross
negligence, allowed the commission of the crime, shall be recommended for prosecution by
the Commission based on substantial evidence.

Rule XIII. Penalties

Section 52. Unauthorized Processing of Personal Information and Sensitive Personal Information.

a. A penalty of imprisonment ranging from one (1) year to three (3) years and a fine of not less
than Five hundred thousand pesos (Php500,000.00) but not more than Two million pesos
(Php2,000,000.00) shall be imposed on persons who process personal information without
the consent of the data subject, or without being authorized under the Act or any existing
law.

b. A penalty of imprisonment ranging from three (3) years to six (6) years and a fine of not less
than Five hundred thousand pesos (Php500,000.00) but not more than Four million pesos
(Php4,000,000.00) shall be imposed on persons who process sensitive personal information
without the consent of the data subject, or without being authorized under the Act or any
existing law.

Section 53. Accessing Personal Information and Sensitive Personal Information Due to Negligence.

a. A penalty of imprisonment ranging from one (1) year to three (3) years and a fine of not less
than Five hundred thousand pesos (Php500,000.00) but not more than Two million pesos
(Php2,000,000.00) shall be imposed on persons who, due to negligence, provided access to
personal information without being authorized under the Act or any existing law.

b. A penalty of imprisonment ranging from three (3) years to six (6) years and a fine of not less
than Five hundred thousand pesos (Php500,000.00) but not more than Four million pesos
(Php4,000,000.00) shall be imposed on persons who, due to negligence, provided access to
sensitive personal information without being authorized under the Act or any existing law.

Section 54. Improper Disposal of Personal Information and Sensitive Personal Information.

a. A penalty of imprisonment ranging from six (6) months to two (2) years and a fine of not
less than One hundred thousand pesos (Php100,000.00) but not more than Five hundred
thousand pesos (Php500,000.00) shall be imposed on persons who knowingly or negligently
dispose, discard, or abandon the personal information of an individual in an area accessible
to the public or has otherwise placed the personal information of an individual in its
container for trash collection.

b. A penalty of imprisonment ranging from one (1) year to three (3) years and a fine of not
less than One hundred thousand pesos (Php100,000.00) but not more than One million
pesos (Php1,000,000.00) shall be imposed on persons who knowingly or negligently dispose,
discard or abandon the sensitive personal information of an individual in an area accessible
to the public or has otherwise placed the sensitive personal information of an individual in
its container for trash collection.

Section 55. Processing of Personal Information and Sensitive Personal Information for Unauthorized Purposes.

a. A penalty of imprisonment ranging from one (1) year and six (6) months to five (5) years
and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more
than One million pesos (Php1,000,000.00) shall be imposed on persons processing personal
information for purposes not authorized by the data subject, or otherwise authorized under
the Act or under existing laws.

b. A penalty of imprisonment ranging from two (2) years to seven (7) years and a fine of not less
than Five hundred thousand pesos (Php500,000.00) but not more than Two million pesos
(Php2,000,000.00) shall be imposed on persons processing sensitive personal information
for purposes not authorized by the data subject, or otherwise authorized under the Act or
under existing laws.

Section 56. Unauthorized Access or Intentional Breach. A penalty of imprisonment ranging from one (1)
year to three (3) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but
not more than Two million pesos (Php2,000,000.00) shall be imposed on persons who knowingly
and unlawfully, or violating data confidentiality and security data systems, breaks in any way into any
system where personal and sensitive personal information are stored.

Section 57. Concealment of Security Breaches Involving Sensitive Personal Information. A penalty of
imprisonment ranging from one (1) year and six (6) months to five (5) years and a fine of not less than
Five hundred thousand pesos (Php500,000.00) but not more than One million pesos (Php1,000,000.00)
shall be imposed on persons who, after having knowledge of a security breach and of the obligation to
notify the Commission pursuant to Section 20(f) of the Act, intentionally or by omission conceals the
fact of such security breach.

Section 58. Malicious Disclosure. Any personal information controller or personal information processor,
or any of its officials, employees or agents, who, with malice or in bad faith, discloses unwarranted or
false information relative to any personal information or sensitive personal information obtained by
him or her, shall be subject to imprisonment ranging from one (1) year and six (6) months to five (5)
years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than One
million pesos (Php1,000,000.00).

Section 59. Unauthorized Disclosure.

a. Any personal information controller or personal information processor, or any of its officials,
employees, or agents, who discloses to a third party personal information not covered by
the immediately preceding section without the consent of the data subject, shall be subject
to imprisonment ranging from one (1) year to three (3) years and a fine of not less than
Five hundred thousand pesos (Php500,000.00) but not more than One million pesos
(Php1,000,000.00).

b. Any personal information controller or personal information processor, or any of its officials,
employees or agents, who discloses to a third party sensitive personal information not
covered by the immediately preceding section without the consent of the data subject, shall
be subject to imprisonment ranging from three (3) years to five (5) years and a fine of not less
than Five hundred thousand pesos (Php500,000.00) but not more than Two million pesos
(Php2,000,000.00).

Section 60. Combination or Series of Acts. Any combination or series of acts as defined in Sections 52
to 59 shall make the person subject to imprisonment ranging from three (3) years to six (6) years and
a fine of not less than One million pesos (Php1,000,000.00) but not more than Five million pesos
(Php5,000,000.00).

Section 61. Extent of Liability. If the offender is a corporation, partnership or any juridical person, the
penalty shall be imposed upon the responsible officers, as the case may be, who participated in, or
by their gross negligence, allowed the commission of the crime. Where applicable, the court may also
suspend or revoke any of its rights under this Act.

If the offender is an alien, he or she shall, in addition to the penalties herein prescribed, be deported
without further proceedings after serving the penalties prescribed.

If the offender is a public official or employee and he or she is found guilty of acts penalized under
Sections 54 and 55 of these Rules, he or she shall, in addition to the penalties prescribed herein, suffer
perpetual or temporary absolute disqualification from office, as the case may be.

Section 62. Large-Scale. The maximum penalty in the corresponding scale of penalties provided for the
preceding offenses shall be imposed when the personal data of at least one hundred (100) persons are
harmed, affected, or involved, as the result of any of the above-mentioned offenses.

Section 63. Offense Committed by Public Officer. When the offender or the person responsible for the
offense is a public officer, as defined in the Administrative Code of 1987, in the exercise of his or
her duties, he or she shall likewise suffer an accessory penalty consisting of disqualification to occupy
public office for a term double the term of the criminal penalty imposed.

Section 64. Restitution. Pursuant to the exercise of its quasi-judicial functions, the Commission shall
award indemnity to an aggrieved party on the basis of the provisions of the New Civil Code. Any
complaint filed by a data subject shall be subject to the payment of filing fees, unless the data subject
is an indigent.

Section 65. Fines and Penalties. Violations of the Act, these Rules, other issuances and orders of the
Commission, shall, upon notice and hearing, be subject to compliance and enforcement orders, cease
and desist orders, temporary or permanent ban on the processing of personal data, or payment of fines,
in accordance with a schedule to be published by the Commission.

Rule XIV. Miscellaneous Provisions

Section 66. Appeal. Appeal from final decisions of the Commission shall be made to the proper courts
in accordance with the Rules of Court, or as may be prescribed by law.

Section 67. Period for Compliance. Any natural or juridical person or other body involved in the
processing of personal data shall comply with the personal data processing principles and standards of
personal data privacy and security already laid out in the Act.

Personal information controllers and Personal Information processors shall register with the
Commission their data processing systems or automated processing operations, subject to notification,
within one (1) year after the effectivity of these Rules. Any subsequent issuance of the Commission,
including those that implement specific standards for data portability, encryption, or other security
measures shall provide the period for its compliance.

For a period of one (1) year from the effectivity of these Rules, a personal information controller or
personal information processor may apply for an extension of the period within which to comply with
the issuances of the Commission. The Commission may grant such request for good cause shown.

Section 68. Appropriations Clause. The Commission shall be provided with appropriations for the
performance of its functions which shall be included in the General Appropriations Act.

Section 69. Interpretation. Any doubt in the interpretation of any provision of this Act shall be liberally
interpreted in a manner that would uphold the rights and interests of the individual about whom
personal data is processed.

Section 70. Separability Clause. If any provision or part hereof is held invalid or unconstitutional, the
remainder of these Rules or the provision not otherwise affected shall remain valid and subsisting.

Section 71. Repealing Clause. Except as otherwise expressly provided in the Act or these Rules, all
other laws, decrees, executive orders, proclamations and administrative regulations or parts thereof
inconsistent herewith are hereby repealed or modified accordingly.

Section 72. Effectivity Clause. These Rules shall take effect fifteen (15) days after its publication in the
Official Gazette.

144
NPC PRIVACY TOOLKIT

Approved:

RAYMUND E. LIBORO
Privacy Commissioner

IVY D. PATDU
Deputy Privacy Commissioner

DAMIAN DOMINGO O. MAPA
Deputy Privacy Commissioner

Promulgated: August 24, 2016

NPC Memorandum Circulars
NPC Circular 16-01

DATE : 10 October 2016
TO : ALL HEADS OF GOVERNMENT BRANCHES, BODIES OR
ENTITIES, INCLUDING NATIONAL GOVERNMENT AGENCIES,
BUREAUS OR OFFICES, CONSTITUTIONAL COMMISSIONS,
LOCAL GOVERNMENT UNITS, GOVERNMENT-OWNED AND
-CONTROLLED CORPORATIONS, STATE COLLEGES AND
UNIVERSITIES
SUBJECT : SECURITY OF PERSONAL DATA IN GOVERNMENT AGENCIES

WHEREAS, Article II, Section 24, of the 1987 Constitution provides that the State recognizes the
vital role of communication and information in nation-building. At the same time, Article II, Section
11 thereof emphasizes that the State values the dignity of every human person and guarantees full
respect for human rights;

WHEREAS, Section 2 of Republic Act No. 10173, also known as the Data Privacy Act of 2012, provides
that it is the policy of the State to protect the fundamental human right of privacy of communication
while ensuring free flow of information to promote innovation and growth. The State also recognizes
its inherent obligation to ensure that personal information in information and communications
systems in the government and in the private sector are secured and protected;

WHEREAS, pursuant to Section 7 of the Data Privacy Act of 2012, the National Privacy Commission
is charged with the administration and implementation of the provisions of the law, which includes
ensuring the compliance by personal information controllers with the provisions of the Act and with
international standards for data protection, and carrying out efforts to formulate and implement plans
and policies that strengthen the protection of personal information in the country, in coordination
with other government agencies and the private sector;

WHEREAS, under Section 22 of the Data Privacy Act of 2012, the head of each government agency
or instrumentality is responsible for complying with the security requirements mentioned in the law.
This includes ensuring all sensitive personal information maintained by his or her agency are secured,
as far as practicable, with the use of the most appropriate standard recognized by the information and
communications technology industry, and as recommended by the Commission;

WHEREAS, under Section 23 of the Data Privacy Act of 2012, the Commission may issue guidelines
relating to access by agency personnel to sensitive personal information;

WHEREAS, Section 9 of the Implementing Rules and Regulations of the Data Privacy Act of 2012
provides that, among the Commission’s functions, is to develop, promulgate, review or amend rules
and regulations for the effective implementation of the Act;

WHEREFORE, in consideration of these premises, the National Privacy Commission hereby issues
this Circular governing the security of personal data in government agencies.


RULE I.
GENERAL PROVISIONS

SECTION 1. Scope. These Rules shall apply to all government agencies engaged in the processing of
personal data.

SECTION 2. Purpose. These Rules are hereby issued to assist government agencies engaged in the
processing of personal data to meet their legal obligations under Republic Act No. 10173, also known
as the Data Privacy Act of 2012, and its corresponding Implementing Rules and Regulations.

A government agency may use these Rules to issue and implement more detailed policies and procedures,
which reflect its specific operating requirements.

SECTION 3. Definition of Terms. For the purpose of this Circular, the following terms are defined, as
follows:

A. “Acceptable Use Policy” shall refer to a document or set of rules stipulating controls or
restrictions that agency personnel must agree to for access to their agency’s network, facilities,
equipment, or services;

B. “Act” refers to Republic Act No. 10173, otherwise known as the Data Privacy Act of 2012
(DPA);

C. “Agency Personnel” refers to all officials, officers, employees or consultants of a government
agency, including those covered by job orders or contracts of services;

D. “Commission” refers to the National Privacy Commission (NPC);

E. “Data Center” refers to a centralized repository, which may be physical or virtual, may be
analog or digital, used for the storage, management, and dissemination of data including
personal data;

F. “Data Protection Officer” refers to an individual designated by the head of agency to be
accountable for the agency’s compliance with the Act: Provided, that the individual must be
an organic employee of the government agency: Provided further, that a government agency
may have more than one data protection officer;

G. “Government Agency” refers to a government branch or body or entity, including national
government agencies, bureaus, or offices, constitutional commissions, local government
units, government-owned and controlled corporations, government financial institutions,
state colleges and universities;

H. “Head of Agency” refers to: (1) the head of the government entity or body, for national
government agencies, constitutional commissions or offices, or branches of the government;
(2) the governing board or its duly authorized official for government owned and controlled
corporations, government financial institutions, and state colleges and universities; (3) the
local chief executive, for local government units;

I. “Implementing Rules and Regulations” or “IRR” shall pertain to Implementing Rules and
Regulations of Republic Act No. 10173, otherwise known as the Data Privacy Act of 2012;


J. “Personal Data” shall refer to all types of personal information, including those pertaining
to agency personnel;

K. “Privacy Impact Assessment” is a process undertaken and used by a government agency to
evaluate and manage privacy impacts;

L. “System Management Tool” is a software system that facilitates the administration of user
passwords and access rights.

SECTION 4. General Obligations. A government agency engaged in the processing of personal data
shall observe the following duties and responsibilities:

A. through its head of agency, designate a Data Protection Officer;

B. conduct a Privacy Impact Assessment for each program, process or measure within the agency
that involves personal data, Provided, that such assessment shall be updated as necessary;

C. create privacy and data protection policies, taking into account the privacy impact assessments,
as well as Sections 25 to 29 of the IRR;

D. conduct a mandatory, agency-wide training on privacy and data protection policies once a year:
Provided, that a similar training shall be provided during all agency personnel orientations.

E. register its data processing systems with the Commission in cases where processing involves
personal data of at least one thousand (1,000) individuals, taking into account Sections 46
to 49 of the IRR;

F. cooperate with the Commission when the agency’s privacy and data protection policies are
subjected to review and assessment, in terms of their compliance with the requirements of
the Act, its IRR, and all issuances by the Commission.

SECTION 5. Privacy Impact Assessment. A government agency engaged in the processing of personal
data shall ensure that its conduct of a privacy impact assessment is proportionate or consistent with the
size and sensitivity of the personal data being processed, and the risk of harm from the unauthorized
processing of that data.

The Privacy Impact Assessment shall include the following:

A. a data inventory identifying:

1. the types of personal data held by the agency, including records of its own employees;
2. list of all information repositories holding personal data, including their location;
3. types of media used for storing the personal data; and
4. risks associated with the processing of the personal data;

B. a systematic description of the processing operations anticipated and the purposes of the
processing, including, where applicable, the legitimate interest pursued by the agency;

C. an assessment of the necessity and proportionality of the processing in relation to the
purposes of the processing; and

D. an assessment of the risks to the rights and freedoms of data subjects.

SECTION 6. Control Framework for Data Protection. The risks identified in the privacy impact assessment
must be addressed by a control framework, which is a comprehensive enumeration of the measures
intended to address the risks, including organizational, physical and technical measures to maintain
the availability, integrity and confidentiality of personal data and to protect the personal data against
natural dangers such as accidental loss or destruction, and human dangers such as unlawful access,
fraudulent misuse, unlawful destruction, alteration and contamination.

The contents of a control framework shall take into account, among others, the following:

A. nature of the personal data to be protected;
B. risks represented by the processing, the size of the organization and complexity of its
operations;
C. current data privacy best practices; and
D. cost of security implementation.

For agencies that process the personal data records of more than one thousand (1,000) individuals,
including agency personnel, the Commission recommends the use of the ISO/IEC 27002 control set
as the minimum standard to assess any gaps in the agency’s control framework.

RULE II.
STORAGE OF PERSONAL DATA

SECTION 7. General Rule. Personal data being processed by a government agency shall be stored
in a data center, which may or may not be owned and controlled by such agency: Provided, that the
agency must be able to demonstrate to the Commission how its control framework for data protection,
and/or, where applicable, that of its service provider, shall ensure compliance with the Act: Provided
further, that where a service provider is engaged, the Commission may require the agency to submit its
contract with its service provider for review.

SECTION 8. Encryption of Personal Data. All personal data that are digitally processed must be
encrypted, whether at rest or in transit. For this purpose, the Commission recommends Advanced
Encryption Standard with a key size of 256 bits (AES-256) as the most appropriate encryption standard.

Passwords or passphrases used to access personal data should be of sufficient strength to deter password
attacks. A password policy should be issued and enforced through a system management tool.
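The at-rest half of this section, as an added example that is not part of the Circular or of any NPC tool: Go's standard library AES in GCM mode sealing a constructed personal-data record, with the key length pinned to 32 bytes so that anything shorter than the recommended 256 bits is refused. The record contents and field names are made up for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Constructed example of a personal-data record an agency might hold at rest.
// The identifiers and values are made up for this example.
const sampleRecord = `{"employee_id":"EMP-0001","name":"Juan Dela Cruz","birthdate":"1985-03-14"}`

// keySize is the 32-byte (256-bit) key length that selects AES-256.
const keySize = 32

var errWrongKeySize = errors.New("key must be exactly 32 bytes (AES-256)")

// SealRecord encrypts plaintext with AES-256-GCM. GCM gives confidentiality plus
// an integrity tag, so alteration of the stored ciphertext is detected on
// decryption. The random 12-byte nonce is prepended to the returned blob.
func SealRecord(key, plaintext []byte) ([]byte, error) {
	if len(key) != keySize {
		return nil, errWrongKeySize
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag after the nonce, so the blob is self-describing.
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// OpenRecord reverses SealRecord; it fails if the key is wrong or the blob was altered.
func OpenRecord(key, blob []byte) ([]byte, error) {
	if len(key) != keySize {
		return nil, errWrongKeySize
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(blob) < ns+aead.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, blob[:ns], blob[ns:], nil)
}

func main() {
	// A fresh random 256-bit key; in practice this would come from a key store.
	key := make([]byte, keySize)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	blob, err := SealRecord(key, []byte(sampleRecord))
	if err != nil {
		panic(err)
	}
	back, err := OpenRecord(key, blob)
	if err != nil {
		panic(err)
	}
	fmt.Printf("round trip ok: %s\n", back)
	// A 128-bit key is refused because the Circular recommends AES-256.
	_, err = SealRecord(make([]byte, 16), []byte(sampleRecord))
	fmt.Println("16-byte key rejected:", err)
}
```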

SECTION 9. Restricted Access.

Access to all data centers owned and controlled by a government agency shall be restricted to agency
personnel that have the appropriate security clearance. This should be enforced by an access control
system that records when, where, and by whom the data centers are accessed. Access records and
procedures shall be reviewed by agency management regularly.

SECTION 10. Service Provider as Personal Information Processor. When a government agency engages
a service provider for the purpose of storing personal data under the agency’s control or custody,
the service provider shall function as a personal information processor and comply with all the
requirements of the Act, its IRR and all applicable issuances by the Commission.

SECTION 11. Audit. The Commission reserves the right to audit a government agency’s data center,
or, where applicable, that of its service provider.

Independent verification or certification by a reputable third party may also be accepted by the
Commission.

SECTION 12. Recommended Independent Verification or Certification. The Commission recommends
ISO/IEC 27018 as the most appropriate certification for the service or function provided by a service
provider under this Rule.

SECTION 13. Archives. The requirements of this Rule shall also apply to personal data that a
government agency has stored for archival purposes.

RULE III.
AGENCY ACCESS TO PERSONAL DATA

SECTION 14. Access to or Modification of Databases. Only programs developed or licensed by a
government agency shall be allowed to access and modify databases containing the personal data
under the control or custody of that agency.

SECTION 15. Security Clearance. A government agency shall strictly regulate access to personal data
under its control or custody. It shall grant access to agency personnel, through the issuance of a security
clearance by the head of agency, only when the performance of official functions or the provision of a
public service directly depends on such access or cannot otherwise be performed without such access.

A copy of each security clearance must be filed with the agency’s Data Protection Officer.

SECTION 16. Contractors, Consultants and Service Providers. Access to personal data by independent
contractors, consultants, and service providers engaged by a government agency shall be governed by
strict procedures contained in formal contracts, which provisions must comply with the Act, its IRR,
and all applicable issuances by the Commission. The terms of the contract and undertakings given
should be subject to review and audit to ensure compliance.

SECTION 17. Acceptable Use Policy. Each government agency shall have an up-to-date Acceptable Use
Policy regarding the use by agency personnel of information and communications technology. The
policy shall be explained to all agency personnel who shall use such technology in relation to their
functions. Each user shall agree to such policy and, for this purpose, sign the appropriate agreement or
document, before being allowed access to and use of the technology.

SECTION 18. Online Access to Personal Data. Agency personnel who access personal data online shall
authenticate their identity via a secure encrypted link and must use multi-factor authentication. Their
access rights must be defined and controlled by a system management tool.

SECTION 19. Local Copies of Personal Data Accessed Online. A government agency shall adopt and
utilize technologies that prevent personal data accessible online to authorized agency personnel from
being copied to a local machine. The agency shall also provide for the automatic deletion of temporary
files that may be stored on a local machine by its operating system.


Where possible, agency personnel shall not be allowed to save files to a local machine. They shall be
directed to only save files to their allocated network drive.

Drives and USB ports on local machines may also be disabled as a security measure. A government
agency may also consider prohibiting the use of cameras in areas where personal data is displayed or
processed.

SECTION 20. Authorized Devices. A government agency shall ensure that only known devices,
properly configured to the agency’s security standards, are authorized to access personal data. The
agency shall also put in place solutions, which only allow authorized media to be used on its computer
equipment.

SECTION 21. Remote Disconnection or Deletion. A government agency shall adopt and use technologies
that allow the remote disconnection of a mobile device owned by the agency, or the deletion of personal
data contained therein, in event such mobile device is lost. A notification system for such loss must
also be established.

SECTION 22. Paper-based Filing System. If personal data is stored in paper files or any physical media,
the government agency shall maintain a log, from which it can be ascertained which file was accessed,
including when, where, and by whom. Such log shall also indicate whether copies of the file were made.
Agency management shall regularly review the log records, including all applicable procedures.

SECTION 23. Personal Data Sharing Agreements. Access by other parties to personal data under the
control or custody of a government agency shall be governed by data sharing agreements that will be
covered by a separate issuance of the Commission.

RULE IV.
TRANSFER OF PERSONAL DATA

SECTION 24. Emails. A government agency that transfers personal data by email must either ensure
that the data is encrypted, or use a secure email facility that facilitates the encryption of the data,
including any attachments. Passwords should be sent on a separate email. It is also recommended that
agencies utilize systems that scan outgoing emails and attachments for keywords that would indicate
the presence of personal data and, if appropriate, prevent its transmission.

SECTION 25. Personal Productivity Software. A government agency shall implement access controls to
prevent agency personnel from printing or copying personal data to personal productivity software like
word processors and spreadsheets that do not have any security or access controls in place.

SECTION 26. Portable Media. A government agency that uses portable media, such as disks or USB
drives, to store or transfer personal data must ensure that the data is encrypted. Agencies that use
laptops to store personal data must utilize full disk encryption.

SECTION 27. Removable Physical Media. Where possible, the manual transfer of personal data, such as
through the use of removable physical media like compact discs, shall not be allowed: Provided, that if
such mode of transfer is unavoidable or necessary, authentication technology, such as one-time PINs,
shall be implemented.

SECTION 28. Fax Machines. Facsimile technology shall not be used for transmitting documents
containing personal data.


SECTION 29. Transmittal. A government agency that transmits documents or media containing
personal data by mail or post shall make use of registered mail or, where appropriate, guaranteed parcel
post service. It shall establish procedures that ensure that such documents or media are delivered only
to the person to whom they are addressed, or his or her authorized representative: Provided, that
similar safeguards shall be adopted relative to documents or media transmitted between offices or
personnel within the agency.

RULE V.
DISPOSAL OF PERSONAL DATA

SECTION 30. Archival Obligations. A government agency must be aware of its legal obligations as set
out in Republic Act No. 9470, also known as the National Archives of the Philippines Act of 2007.
Personal data records, as well as incoming and outgoing emails, of enduring value may be archived
pursuant to such Act.

SECTION 31. Procedures. Procedures must be established regarding:

A. disposal of files that contain personal data, whether such files are stored on paper, film,
optical or magnetic media;
B. secure disposal of computer equipment, such as disk servers, desktop computers and mobile
phones at end-of-life, especially storage media: Provided, that the procedure shall include the
use of degaussers, erasers, and physical destruction devices; and
C. disposal of personal data stored offsite.

SECTION 32. Third-Party Service Providers. A government agency may engage a service provider to carry
out the disposal of personal data under its control or custody: Provided, that the service provider shall
contractually agree to the agency’s data protection procedures and ensure that the confidentiality of all
personal data is protected.

RULE VI.
MISCELLANEOUS PROVISIONS

SECTION 33. Data Breach Management. The appropriate guidelines for managing data breaches will
be the subject of a separate issuance by the Commission.

SECTION 34. Penalties. Violations of these Rules, shall, upon notice and hearing, be subject to
compliance and enforcement orders, cease and desist orders, temporary or permanent ban on the
processing of personal data, or payment of fines, in accordance with a schedule to be published by the
Commission.

Failure to comply with the provisions of this Circular may be a ground for administrative and
disciplinary sanctions against any erring public officer or employee in accordance with existing laws or
regulations.

The commencement of any action under this Circular is independent and without prejudice to the
filing of any action with the regular courts or other quasi-judicial bodies.

SECTION 35. Amendments. These Rules shall be subject to regular review by the Commission. Any
amendment thereto shall be subject to the necessary consultations with the concerned stakeholders.

SECTION 36. Transitory Period. Government agencies shall be given a period of one (1) year transitory
period from the effectivity of these Rules to comply with the requirements provided herein.

SECTION 37. Separability Clause. If any portion or provision of these Rules is declared null and void
or unconstitutional, the other provisions not affected thereby shall continue to be in force and effect.

SECTION 38. Repealing Clause. All other rules, regulations, and issuances contrary to or inconsistent
with the provisions of these Rules are deemed repealed or modified accordingly.

SECTION 39. Effectivity. These Rules shall take effect fifteen (15) days after its publication in the
Official Gazette.

Approved:

(Sgd.) RAYMUND E. LIBORO
Privacy Commissioner

(Sgd.) IVY D. PATDU
Deputy Privacy Commissioner

(Sgd.) DAMIAN DOMINGO O. MAPA
Deputy Privacy Commissioner


NPC Circular 16-02

DATE : 10 October 2016
TO : ALL HEADS OF GOVERNMENT BRANCHES, BODIES OR
ENTITIES, INCLUDING NATIONAL GOVERNMENT AGENCIES,
BUREAUS OR OFFICES, CONSTITUTIONAL COMMISSIONS,
LOCAL GOVERNMENT UNITS, GOVERNMENT-OWNED AND
-CONTROLLED CORPORATIONS, STATE COLLEGES AND
UNIVERSITIES; HEADS OF PRIVATE ENTITIES
SUBJECT : DATA SHARING AGREEMENTS INVOLVING GOVERNMENT
AGENCIES

WHEREAS, Article II, Section 24, of the 1987 Constitution provides that the State recognizes the
vital role of communication and information in nation-building. At the same time, Article II, Section
11 thereof emphasizes that the State values the dignity of every human person and guarantees full
respect for human rights;

WHEREAS, Section 2 of Republic Act No. 10173, also known as the Data Privacy Act of 2012, provides
that it is the policy of the State to protect the fundamental human right of privacy of communication
while ensuring free flow of information to promote innovation and growth. The State also recognizes
its inherent obligation to ensure that personal information in information and communications
systems in the government and in the private sector are secured and protected;

WHEREAS, Section 20 of the Implementing Rules and Regulations of the Data Privacy Act of 2012
provides that further processing of personal data collected from a party other than the data subject
shall be allowed under certain conditions;

WHEREAS, pursuant to Section 7 of the Data Privacy Act of 2012, the National Privacy Commission
is charged with the administration and implementation of the provisions of the law, which includes
ensuring the compliance by personal information controllers with the provisions of the Act, and
carrying out efforts to formulate and implement plans and policies that strengthen the protection of
personal information in the country, in coordination with other government agencies and the private
sector;

WHEREAS, Section 9 of the Implementing Rules and Regulations of the Data Privacy Act of 2012
provides that, among the Commission’s functions, is to develop, promulgate, review or amend rules
and regulations for the effective implementation of the Act;

WHEREFORE, in consideration of these premises, the National Privacy Commission hereby issues
this Circular governing data sharing agreements involving government agencies:

SECTION 1. General Principle. To facilitate the performance of a public function or the provision
of a public service, a government agency may share or transfer personal data under its control or
custody to a third party through a data sharing agreement: Provided, that nothing in this Circular
shall be construed as prohibiting or limiting the sharing or transfer of any personal data that is already
authorized or required by law.

SECTION 2. Scope. The provisions of this Circular shall only apply to personal data under the control
or custody of a government agency that is being shared with or transferred to a third party, for the
purpose of performing a public function, or the provision of a public service: Provided, that it shall also
cover personal data under the control or custody of a private entity that is being shared with or
transferred to a government agency: Provided further, that where the personal data is in the custody of
a personal information processor, the sharing or transfer of personal data shall only be allowed if it is
pursuant to the instructions of the personal information controller concerned.

Data sharing agreements exclusively between private entities, or those for the purpose of research, shall be
in accordance with the Implementing Rules and Regulations of the Data Privacy Act of 2012, or other
issuances of the National Privacy Commission.

SECTION 3. Definition of Terms. For the purpose of this Circular, the following terms are defined, as
follows:

A. “Act” refers to Republic Act No. 10173, otherwise known as the Data Privacy Act of 2012;

B. “Commission” refers to the National Privacy Commission (NPC);

C. “Data Protection Officer” refers to an individual designated by the head of agency, or the
head of a private entity, to be accountable for the agency’s or entity’s compliance with the
Act, its IRR, and other issuances of the Commission: Provided, that the individual must
be an organic employee of the government agency or private entity: Provided further, that a
government agency or private entity may have more than one data protection officer;

D. “Data sharing” is the disclosure or transfer to a third party of personal data under the control
or custody of a personal information controller: Provided, that a personal information
processor may be allowed to make such disclosure or transfer if it is upon the instructions of
the personal information controller concerned.

The term excludes outsourcing, or the disclosure or transfer of personal data by a personal
information controller to a personal information processor;

E. “Data Sharing Agreement” refers to a contract, joint issuance, or any similar document that
contains the terms and conditions of a data sharing arrangement between two or more
parties: Provided, that only personal information controllers shall be made parties to a data
sharing agreement;

F. “Data Subject” refers to an individual whose personal, sensitive personal, or privileged
information is processed;

G. “Encryption Method” refers to the technique that renders data or information unreadable,
ensures that it is not altered in transit, and verifies the identity of its sender;

H. “Government Agency” refers to a government branch, body, or entity, including national
government agencies, bureaus, or offices, constitutional commissions, local government
units, government-owned and controlled corporations, government financial institutions,
state colleges and universities;

I. “Head of agency” refers to: (1) the head of the government entity or body, for national
government agencies, constitutional commissions or offices, or branches of the government;
(2) the governing board or its duly authorized official for government owned and controlled
corporations, government financial institutions, and state colleges and universities; (3) the
local chief executive, for local government units;

J. “Head of a private entity” refers to the head or decision-making body of a private entity;

K. “IRR” refers to the Implementing Rules and Regulations of Republic Act No. 10173, otherwise
known as the Data Privacy Act of 2012;

L. “Middleware” refers to any software or program that facilitates the exchange of data between
two applications or programs that are either within the same environment, or are located in
different hardware or network environments;

M. “Personal data” refers to all types of personal information;

N. “Personal information controller” refers to a natural or juridical person, or any other body
who controls the processing of personal data, or instructs another to process personal data
on its behalf. The term excludes:

1. A natural or juridical person, or any other body, who performs such functions as
instructed by another person or organization; or
2. A natural person who processes personal data in connection with his or her personal,
family, or household affairs;

There is control if the natural or juridical person or any other body decides on what
information is collected, or the purpose or extent of its processing;

For the purpose of this Circular, each party to a data sharing agreement shall be
considered a personal information controller.

O. “Personal information processor” refers to any natural or juridical person or any other body
to whom a personal information controller may outsource or instruct the processing of
personal data pertaining to a data subject;

P. “Private entity” refers to any natural or juridical person that is not a unit of the government
including, but not limited to, a corporation, partnership, company, non-profit organization
or any other legal entity.

SECTION 4. Consent. The personal information controller charged with the collection of personal
data directly from the data subject, on its own or through a personal information processor, shall
obtain the consent of the data subject prior to collection and processing, except where such consent is
not required for the lawful processing of personal data, as provided by law.

The personal information controller may request an advisory opinion from the Commission in
determining whether the data sharing requires consent from the data subject.

The data subject shall be provided with the following information prior to collection or before his or
her personal data is shared:

A. Identity of the personal information controllers or personal information processors that will
be given access to the personal data;

B. Purpose of data sharing;
C. Categories of personal data concerned;
D. Intended recipients or categories of recipients of the personal data;
E. Existence of the rights of data subjects, including the right to access and correction, and the
right to object; and
F. Other information that would sufficiently notify the data subject of the nature and extent of
data sharing and the manner of processing.

SECTION 5. Data Privacy Principles. Data sharing shall adhere to the data privacy principles laid down
in the Act, the IRR, this Circular, and all applicable issuances of the Commission.

SECTION 6. Content of a Data Sharing Agreement. A data sharing agreement shall be in writing and
must comply with the following conditions:

A. It shall specify, with due particularity, the purpose or purposes of the data sharing agreement,
including the public function or public service the performance or provision of which the
agreement is meant to facilitate: Provided, that if the purpose includes the grant of online
access to personal data, or if access is open to the public or private entities, these shall also
be clearly specified in the agreement.

B. It shall identify all personal information controllers that are party to the agreement, and for
every party, specify:

1. the type of personal data to be shared under the agreement;
2. any personal information processor that will have access to or process the personal data,
including the types of processing it shall be allowed to perform;
3. how the party may use or process the personal data, including, but not limited to, online
access;
4. the remedies available to a data subject, in case the processing of personal data violates
his or her rights, and how these may be exercised;
5. the designated data protection officer or compliance officer.

C. It shall specify the term or duration of the agreement, which may be renewed on the ground
that the purpose or purposes of such agreement continue to exist: Provided, that in no case
shall such term or any subsequent extensions thereof exceed five (5) years, without prejudice
to entering into a new data sharing agreement.

D. It shall contain an overview of the operational details of the sharing or transfer of personal
data under the agreement. Such overview must adequately explain to a data subject and
the Commission the need for the agreement, and the procedure that the parties intend to
observe in implementing the same.

E. It shall include a general description of the security measures that will ensure the protection
of the personal data of data subjects, including the policy for retention or disposal of records.

F. It shall state how a copy of the agreement may be accessed by a data subject: Provided, that
the government agency may redact or prevent the disclosure of any detail or information that
could endanger its computer network or system, or expose to harm the integrity, availability
or confidentiality of personal data under its control or custody. Such information may include
the program, middleware and encryption method in use, as provided in the next succeeding
paragraph.

G. If a personal information controller shall grant online access to personal data under its
control or custody, it shall specify the following information:

1. Justification for allowing online access;
2. Parties that shall be granted online access;
3. Types of personal data that shall be made accessible online;
4. Estimated frequency and volume of the proposed access; and
5. Program, middleware and encryption method that will be used.

H. It shall specify the personal information controller responsible for addressing any information
request, or any complaint filed by a data subject and/or any investigation by the Commission:
Provided, that the Commission shall make the final determination as to which personal
information controller is liable for any breach or violation of the Act, its IRR, or any applicable
issuance of the Commission.

I. It shall identify the method that shall be adopted for the secure return, destruction or disposal
of the shared data and the timeline therefor.

J. It shall specify any other terms or conditions that the parties may agree on.

SECTION 7. Online Access. Where a government agency grants online access to personal data under
its control or custody, such access must be done via a secure encrypted link. The government agency
concerned must deploy middleware that shall have full control over such online access.

SECTION 8. Transfer of Personal Data. Where a data sharing agreement involves the actual transfer of
personal data or a copy thereof from one party to another, such transfer shall comply with the security
requirements imposed by the Act, its IRR, and all applicable issuances of the Commission.

SECTION 9. Responsibility of the Parties. All parties to a data sharing agreement shall comply with the
Act, its IRR, and all applicable issuances of the Commission, including putting in place adequate
safeguards for data privacy and security. The designated data protection officer shall be accountable
for ensuring such compliance.

In the case of a government agency, the head of agency shall be responsible for complying with the
security requirements provided in the Act, its IRR and all applicable issuances of the Commission.

SECTION 10. Accountability for Cross-border Transfer of Personal Data. Each party to a data sharing
agreement shall be responsible for any personal data under its control or custody, including those it
has outsourced or subcontracted to a personal information processor. This extends to personal data
it shares with or transfers to a third party located outside the Philippines, subject to cross-border
arrangement and cooperation.

SECTION 11. Prior Consultation. Prior to the execution of a data sharing agreement, the parties thereto
may consult with and invite comments thereon from:

A. the Commission;

B. any person or organization that the parties to the proposed data sharing agreement recognize
as representing the interests of the classes of data subjects whose personal data will be shared
under the proposed agreement; and

C. any other person or organization whose view or opinion the parties to the proposed data
sharing agreement deem necessary.

Failure to conduct prior consultation by the parties shall not invalidate a data sharing agreement:
Provided, however, that in the event of a breach or a reported violation of the Act, its IRR, or any
issuance by the Commission, the latter shall take into account the conduct of such consultation in
evaluating the circumstances surrounding the violation.

SECTION 12. Security of Personal Data. Data sharing shall only be allowed where there are adequate
safeguards for data privacy and security. The parties to a data sharing agreement shall use contractual
or other reasonable means to ensure that personal data is covered by a consistent level of protection
when it is shared or transferred.

SECTION 13. Review by the Commission. A data sharing agreement shall be subject to a review by the
Commission, on its own initiative or upon a complaint by a data subject.

SECTION 14. Mandatory Periodic Review. The terms and conditions of a data sharing agreement shall
be subject to a mandatory review by the parties thereto upon the expiration of its term, and any
subsequent extensions thereof. The parties shall document and include in their records:

A. reason for terminating the agreement or, in the alternative, for renewing its term; and
B. in case of renewal, any changes made to the terms and conditions of the agreement.

SECTION 15. Revisions and Amendments. Revisions or amendments to a data sharing agreement while
it is still in effect shall follow the same procedure observed in the creation of a new agreement.

SECTION 16. Termination. A data sharing agreement may be terminated:

A. upon the expiration of its term, or any valid extension thereof;
B. upon the agreement by all parties;
C. upon a breach of its provisions by any of the parties; or
D. where there is disagreement, upon a finding by the Commission that its continued operation
is no longer necessary, or is contrary to public interest or public policy.

Nothing in this Section shall prevent the Commission from ordering motu proprio the termination
of any data sharing agreement when a party is determined to have breached any of its provisions, or
when the agreement is in violation of the Act, its IRR, or any applicable issuance by the Commission.

SECTION 17. Return, Destruction, or Disposal of Transferred Personal Data. Unless otherwise provided by
the data sharing agreement, all personal data transferred to other parties by virtue of such agreement
shall be returned, destroyed, or disposed of, upon the termination of the agreement.

SECTION 18. Penalties. Violations of these Rules shall, upon notice and hearing, be subject to
compliance and enforcement orders, cease and desist orders, temporary or permanent ban on the
processing of personal data, or payment of fines in accordance with the schedule to be published by
the Commission.

Failure to comply with the provisions of this Circular may be a ground for administrative and
disciplinary sanctions against any erring public officer or employee in accordance with existing laws or
regulations.

The commencement of any action under this Circular is independent and without prejudice to the
filing of any action with the regular courts or other quasi-judicial bodies.

SECTION 19. Transitory Period. Upon the effectivity of this Circular, all existing data sharing
arrangements shall be reviewed by the concerned parties to determine compliance with its provisions.

Where an existing data sharing arrangement is not covered by any written contract, joint issuance,
or any similar document, the parties thereto shall execute or enter into the appropriate agreement
pursuant to the provisions of this Circular.

Where an existing data sharing agreement is evidenced by a contract, joint issuance, or any similar
document, but fails to comply with the provisions of this Circular, the parties thereto shall make the
necessary revisions or amendments.

An existing data sharing agreement found to be compliant with this Circular, except for the
requirements set out in Section 4 (Consent) hereof, shall be allowed to continue until the expiration of
such agreement or within two (2) years from the effectivity of this Circular, whichever is earlier, subject
to the immediately succeeding paragraph: Provided, that any renewal or extension of such agreement
shall comply with all the provisions of this Circular.

In all cases, the personal information controller that collected the personal data directly from the data
subjects shall, at the soonest practicable time, notify and provide the data subjects whose personal
data were shared or transferred without their consent with all the information set out in Section
4 (Consent) of this Circular: Provided, that where individual notification is not possible or would
require a disproportionate effort, the personal information controller may seek the approval of the
Commission to use alternative means of notification: Provided, further, that the personal information
controller shall establish means through which the data subjects can exercise their rights and obtain
more detailed information relating to the data sharing agreement.

If an existing data sharing arrangement is not for the purpose of performing a public function or
providing a public service, the parties thereto shall immediately terminate the sharing or transfer
of personal data. Any or all related contracts predicated on the existence of such arrangement shall
likewise be terminated for being contrary to law.

SECTION 20. Repealing Clause. All other issuances contrary to or inconsistent with the provisions of
this Circular are deemed repealed or modified accordingly.

SECTION 21. Separability Clause. If any portion or provision of this Circular is declared null and void
or unconstitutional, the other provisions not affected thereby shall continue to be in force and effect.

SECTION 22. Effectivity. This Circular shall take effect fifteen (15) days after its publication in the
Official Gazette.

Approved:

(Sgd.) RAYMUND E. LIBORO
Privacy Commissioner

(Sgd.) IVY D. PATDU
Deputy Privacy Commissioner

(Sgd.) DAMIAN DOMINGO O. MAPA
Deputy Privacy Commissioner

NPC Circular 16-03

DATE : 15 December 2016

SUBJECT : PERSONAL DATA BREACH MANAGEMENT

WHEREAS, the Philippine Constitution guarantees respect for the right to privacy, including
information privacy, accorded recognition as inherent in the freedoms enjoyed by every Filipino, and
at the same time, Article II, Section 11 of the Constitution emphasizes that the State values the dignity
of every human person and guarantees full respect for human rights;

WHEREAS, Article II, Section 24, of the Constitution provides that the State recognizes the vital
role of communication and information in nation-building, and Section 2 of Republic Act No. 10173,
also known as the Data Privacy Act of 2012, provides that it is the policy of the State to protect the
fundamental human right of privacy of communication while ensuring free flow of information to
promote innovation and growth;

WHEREAS, there are increasing incidents of personal data breaches that impact both public and
private entities, entailing significant economic and legal costs for those involved in processing of
personal data and putting at risk data subjects for identity theft, crimes and other harm, and that in
order to afford protection of personal data, reasonable and appropriate organizational, physical and
technical measures should be implemented;

WHEREAS, Section 20(f) of the Act requires prompt notification of the National Privacy Commission
and affected data subjects when sensitive personal information or other information that may, under
the circumstances, be used to enable identity fraud are reasonably believed to have been acquired by
an unauthorized person, which may likely give rise to a real risk of serious harm to any affected data
subject;

WHEREAS, in order to ensure compliance of the country and all personal information controllers
and personal information processors with the law and international standards set for data protections,
and to safeguard against accidental or unlawful destruction, alteration and disclosure, as well as against
any other unlawful processing, the management of personal data breach should include prevention,
incident response, mitigation and compliance with notification requirements;

WHEREFORE, in consideration of these premises, the National Privacy Commission hereby issues
this Circular governing personal data breach management.

RULE I.
GENERAL PROVISIONS

SECTION 1. Scope. These Rules apply to any natural and juridical person in the government or private
sector processing personal data in or outside of the Philippines, subject to the relevant provisions of the
Act and its Implementing Rules and Regulations.

SECTION 2. Purpose. These Rules provide the framework for personal data breach management and
the procedure for personal data breach notification and other requirements.

SECTION 3. Definition of Terms. For the purpose of this Circular, the following terms are defined, as
follows:

A. “Act” refers to Republic Act No. 10173, otherwise known as the Data Privacy Act of 2012;

B. “Commission” refers to the National Privacy Commission;

C. “Data Protection Officer” refers to an individual designated by the head of agency to be
accountable for the agency’s compliance with the Act: Provided, that the individual must be
an organic employee of the government agency: Provided further, that a government agency
may have more than one data protection officer;

D. “IRR” refers to the Implementing Rules and Regulations of Republic Act No. 10173, otherwise
known as the Data Privacy Act of 2012;

E. “Personal data” refers to all types of personal information;

F. “Personal data breach” refers to a breach of security leading to the accidental or unlawful
destruction, loss, alteration, unauthorized disclosure of, or access to, personal data
transmitted, stored, or otherwise processed. A personal data breach may be in the nature of:

1. An availability breach resulting from loss, accidental or unlawful destruction of personal
data;
2. An integrity breach resulting from alteration of personal data; and/or
3. A confidentiality breach resulting from the unauthorized disclosure of or access to
personal data.

G. “Personal information controller” refers to a natural or juridical person, or any other body
that controls the processing of personal data, or instructs another to process personal data
on its behalf. The term excludes:

1. A natural or juridical person, or any other body that performs such functions as
instructed by another person or organization; or
2. A natural person who processes personal data in connection with his or her personal,
family, or household affairs;

There is control if the natural or juridical person, or any other body, decides on what
information is collected, or the purpose or extent of its processing;

H. “Personal information processor” refers to any natural or juridical person or any other body
to whom a personal information controller may outsource or instruct the processing of
personal data pertaining to a data subject;

I. “Privacy Impact Assessment” is a process undertaken and used by a government agency to
evaluate and manage privacy impacts.

J. “Security incident” is an event or occurrence that affects or tends to affect data protection,
or may compromise the availability, integrity, and confidentiality of personal data. It shall
include incidents that would result in a personal data breach, if not for safeguards that have
been put in place;

K. “Security Incident Management Policy” refers to policies and procedures implemented by a
personal information controller or personal information processor to govern the actions to
be taken in case of a security incident or personal data breach;

L. “Sensitive personal information” refers to personal information:

1. About an individual’s race, ethnic origin, marital status, age, color, and religious,
philosophical or political affiliations;
2. About an individual’s health, education, genetic or sexual life of a person, or to any
proceeding for any offense committed or alleged to have been committed by such person,
the disposal of such proceedings, or the sentence of any court in such proceedings;
3. Issued by government agencies and peculiar to an individual, which includes, but is not
limited to, social security numbers, previous or current health records, licenses or their
denials, suspension or revocation, and tax returns; and
4. Specifically established by an executive order or an act of Congress to be kept classified.

RULE II.
GUIDELINES FOR PERSONAL DATA
BREACH MANAGEMENT

SECTION 4. Security Incident Management Policy. A personal information controller or personal
information processor shall implement policies and procedures for the purpose of managing security
incidents, including personal data breach. These policies and procedures must ensure:

A. Creation of a data breach response team, with members that have clearly defined
responsibilities, to ensure timely action in the event of a security incident or personal data
breach;

B. Implementation of organizational, physical and technical security measures and personal
data privacy policies intended to prevent or minimize the occurrence of a personal data
breach and assure the timely discovery of a security incident;

C. Implementation of an incident response procedure intended to contain a security incident or
personal data breach and restore integrity to the information and communications system;

D. Mitigation of possible harm and negative consequences to a data subject in the event of a
personal data breach; and

E. Compliance with the Act, its IRR, and all related issuances by the Commission pertaining
to personal data breach notification.

SECTION 5. Data Breach Response Team. A personal information controller or personal information
processor shall constitute a data breach response team, which shall have at least one (1) member
with the authority to make immediate decisions regarding critical action, if necessary. The team may
include the Data Protection Officer.

The team shall be responsible for the following:

A. Implementation of the security incident management policy of the personal information
controller or personal information processor;

B. Management of security incidents and personal data breaches; and

C. Compliance by the personal information controller or personal information processor with
the relevant provisions of the Act, its IRR, and all related issuances by the Commission on
personal data breach management.

The team must be ready to assess and evaluate a security incident, restore integrity to the information
and communications system, mitigate and remedy any resulting damage, and comply with reporting
requirements.

The functions of the Data Breach Response Team may be outsourced. Such outsourcing shall not
reduce the requirements found in the Act, the IRR or related issuance. The Data Protection Officer
shall remain accountable for compliance with applicable laws and regulations.

In cases where the Data Protection Officer is not part of the Data Breach Response Team, the Data
Breach Response Team shall submit a written report addressed to the Data Protection Officer detailing
the actions taken in compliance with these Rules.

RULE III.
GUIDELINES FOR THE PREVENTION
OF PERSONAL DATA BREACH

SECTION 6. Preventive or Minimization Measures. A security incident management policy shall include
measures intended to prevent or minimize the occurrence of a personal data breach. Such safeguards
may include:

A. Conduct of a privacy impact assessment to identify attendant risks in the processing of
personal data. It shall take into account the size and sensitivity of the personal data being
processed, and the impact and likely harm of a personal data breach;

B. Data governance policy that ensures adherence to the principles of transparency, legitimate
purpose, and proportionality;

C. Implementation of appropriate security measures that protect the availability, integrity and
confidentiality of personal data being processed;

D. Regular monitoring for security breaches and vulnerability scanning of computer networks;

E. Capacity building of personnel to ensure knowledge of data breach management principles,
and internal procedures for responding to security incidents;

F. Procedure for the regular review of policies and procedures, including the testing, assessment,
and evaluation of the effectiveness of the security measures.

SECTION 7. Availability, Integrity and Confidentiality of Personal Data. The implementation of security
measures shall be in accordance with the Act, its IRR, and other issuances of the Commission. The
security measures should be directed to ensuring the availability, integrity, and confidentiality of the
personal data being processed, and may include:

A. Implementation of back-up solutions;

B. Access control and secure log files;

C. Encryption;

D. Data disposal and return of assets policy.

RULE IV.
GUIDELINES FOR INCIDENT RESPONSE
POLICY AND PROCEDURE

SECTION 8. Policies and Procedures. The personal information controller or personal information
processor shall implement policies and procedures for guidance of its data breach response team and
other personnel in the event of a security incident. These may include:

A. A procedure for the timely discovery of security incidents, including the identification of
person or persons responsible for regular monitoring and evaluation of security incidents;

B. Clear reporting lines in the event of a possible personal data breach, including the identification
of a person responsible for setting in motion the incident response procedure, and who shall
be immediately contacted in the event of a possible or confirmed personal data breach;
C. Conduct of a preliminary assessment for the purpose of:

1. Assessing, as far as practicable, the nature and scope of the personal data breach and the
immediate damage;
2. Determining the need for notification of law enforcement or external expertise; and
3. Implementing immediate measures necessary to secure any evidence, contain the security
incident and restore integrity to the information and communications system;

D. Evaluation of the security incident or personal data breach as to its nature, extent and cause,
the adequacy of safeguards in place, immediate and long-term damage, impact of the breach,
and its potential harm and negative consequences to affected data subjects;

E. Procedures for contacting law enforcement in case the security incident or personal data
breach involves possible commission of criminal acts;

F. Conduct of investigations that will evaluate fully the security incident or personal data breach;

G. Procedures for notifying the Commission and data subjects when the breach is subject to
notification requirements, in the case of personal information controllers, and procedures
for notifying personal information controllers in accordance with a contract or agreement,
in the case of personal information processors; and

H. Policies and procedures for mitigating the possible harm and negative consequences to a data
subject in the event of a personal data breach. The personal information controller must be
ready to provide assistance to data subjects whose personal data may have been compromised.

SECTION 9. Documentation. All actions taken by a personal information controller or personal
information processor shall be properly documented. Reports should include:

A. Description of the personal data breach, its root cause and circumstances regarding its
discovery;

B. Actions and decisions of the incident response team;

C. Outcome of the breach management, and difficulties encountered; and

D. Compliance with notification requirements and assistance provided to affected data subjects.

A procedure for post-breach review must be established for the purpose of improving the personal
data breach management policies and procedures of the personal information controller or personal
information processor.

SECTION 10. Regular Review. The incident response policy and procedure shall be subject to regular
revision and review, at least annually, by the Data Protection Officer, or any other person designated
by the Chief Executive Officer or the Head of Agency, as the case may be. The date of the last review
and the schedule for the next succeeding review must always be indicated in the documentation of the
incident response policy and procedure.

RULE V.
PROCEDURE FOR PERSONAL DATA BREACH
NOTIFICATION AND OTHER REQUIREMENTS

SECTION 11. When notification is required. Notification shall be required upon knowledge of or when
there is reasonable belief by the personal information controller or personal information processor
that a personal data breach requiring notification has occurred, under the following conditions:

A. The personal data involves sensitive personal information or any other information that may
be used to enable identity fraud.

For this purpose, “other information” shall include, but not be limited to: data about the financial or
economic situation of the data subject; usernames, passwords and other login data; biometric data;
copies of identification documents, licenses or unique identifiers like Philhealth, SSS, GSIS, TIN
number; or other similar information, which may be made the basis of decisions concerning the data
subject, including the grant of rights or benefits.

B. There is reason to believe that the information may have been acquired by an unauthorized
person; and

C. The personal information controller or the Commission believes that the unauthorized
acquisition is likely to give rise to a real risk of serious harm to any affected data subject.

SECTION 12. Public Information. A claim that the data involved in a breach is public information
will not automatically exempt a personal information controller from the notification requirements
provided herein. When the level of availability or publicity of the personal data is altered by a personal
data breach, it shall be considered as a personal data breach requiring notification, subject to the
preceding paragraphs.

SECTION 13. Determination of the Need to Notify. Where there is uncertainty as to the need for
notification, the personal information controller shall take into account, as a primary consideration,
the likelihood of harm or negative consequences on the affected data subjects, and how notification,
particularly of the data subjects, could reduce the risks arising from the personal data breach reasonably
believed to have occurred.

The personal information controller shall also consider if the personal data reasonably believed to
have been compromised involves:

A. Information that would likely affect national security, public safety, public order, or public
health;

B. At least one hundred (100) individuals;

C. Information required by applicable laws or rules to be confidential; or

D. Personal data of vulnerable groups.

SECTION 14. Discovery of Vulnerability. A discovery of a vulnerability in the data processing system that
would allow access to personal data shall prompt the personal information controller or the personal
information processor, as the case may be, to conduct an assessment and determine if a personal data
breach has occurred.

SECTION 15. Who should Notify. The personal information controller shall notify the Commission
and the affected data subjects upon knowledge of, or when there is reasonable belief that a personal data
breach has occurred. The obligation to notify remains with the personal information controller even
if the processing of information is outsourced or subcontracted to a personal information processor.
The personal information controller shall identify the designated data protection officer or other
individual responsible for ensuring its compliance with the notification requirements provided in this
Circular.

SECTION 16. Reporting by Personal Information Processors. To facilitate the timely reporting of a personal
data breach, the personal information controller shall use contractual or other reasonable means to
ensure that it is provided a report by the personal information processor upon the knowledge of, or
reasonable belief that a personal data breach has occurred.

SECTION 17. Notification of the Commission. The personal information controller shall notify the
Commission of a personal data breach subject to the following procedures:

A. When Notification Should be Done. The Commission shall be notified within seventy-two
(72) hours upon knowledge of or the reasonable belief by the personal information controller
or personal information processor that a personal data breach has occurred.

B. Delay in Notification. Notification may only be delayed to the extent necessary to determine
the scope of the breach, to prevent further disclosures, or to restore reasonable integrity to
the information and communications system.

The personal information controller need not be absolutely certain of the scope of the breach
prior to notification. Its inability to immediately secure or restore integrity to the information and
communications system shall not be a ground for any delay in notification, if such delay would be
prejudicial to the rights of the data subjects.

Delay in notification shall not be excused if it is used to perpetuate fraud or to conceal the personal
data breach.

C. When delay is prohibited. There shall be no delay in the notification if the breach involves
at least one hundred (100) data subjects, or the disclosure of sensitive personal information
will harm or adversely affect the data subject. In both instances, the Commission shall be
notified within the 72-hour period based on available information. The full report of the
personal data breach must be submitted within five (5) days, unless the personal information
controller is granted additional time by the Commission to comply.

D. Content of Notification. The notification shall include, but not be limited to:

1. Nature of the Breach

a. description of how the breach occurred and the vulnerability of the data processing
system that allowed the breach;
b. a chronology of the events leading up to the loss of control over the personal data;
c. approximate number of data subjects or records involved;
d. description or nature of the personal data breach;
e. description of the likely consequences of the personal data breach; and
f. name and contact details of the data protection officer or any other accountable
persons.

2. Personal Data Possibly Involved

a. description of sensitive personal information involved; and
b. description of other information involved that may be used to enable identity fraud.

3. Measures Taken to Address the Breach

a. description of the measures taken or proposed to be taken to address the breach;
b. actions being taken to secure or recover the personal data that were compromised;
c. actions performed or proposed to mitigate possible harm or negative consequences,
and limit the damage or distress to those affected by the incident;
d. action being taken to inform the data subjects affected by the incident, or reasons
for any delay in the notification;
e. the measures being taken to prevent a recurrence of the incident.

The Commission reserves the right to require additional information, if necessary.

E. Form. Notification shall be in the form of a report, whether written or electronic, containing
the required contents of notification: Provided, that the report shall also include the name
and contact details of the data protection officer and a designated representative of the
personal information controller: Provided further, that, where applicable, the manner of
notification of the data subjects shall also be included in the report.

Where notification is transmitted by electronic mail, the personal information controller shall ensure
the secure transmission thereof.

Upon receipt of the notification, the Commission shall send a confirmation to the personal information
controller. A report is not deemed filed without such confirmation. Where the notification is through
a written report, the received copy retained by the personal information controller shall constitute
proof of such confirmation.

SECTION 18. Notification of Data Subjects. The personal information controller shall notify the data
subjects affected by a personal data breach, subject to the following procedures:

A. When should notification be done. The data subjects shall be notified within seventy-two
(72) hours upon knowledge of or reasonable belief by the personal information controller or
personal information processor that a personal data breach has occurred.

The notification may be made on the basis of available information within the 72-hour
period if the personal data breach is likely to give rise to a real risk to the rights and freedoms
of data subjects. It shall be undertaken in a manner that would allow data subjects to take the
necessary precautions or other measures to protect themselves against the possible effects of
the breach. It may be supplemented with additional information at a later stage on the basis
of further investigation.

B. Exemption or Postponement of Notification. If it is not reasonably possible to notify the data
subjects within the prescribed period, the personal information controller shall request the
Commission for an exemption from the notification requirement, or the postponement of
the notification.

A personal information controller may be exempted from the notification requirement where
the Commission determines that such notification would not be in the public interest or in
the interest of the affected data subjects.

The Commission may authorize the postponement of notification where it may hinder
the progress of a criminal investigation related to a serious breach, taking into account
circumstances provided in Section 13 of this Circular, and other risks posed by the personal
data breach.

C. Content of Notification. The notification shall include, but not be limited to:

1. nature of the breach;
2. personal data possibly involved;
3. measures taken to address the breach;
4. measures taken to reduce the harm or negative consequences of the breach;
5. representative of the personal information controller, including his or her contact
details, from whom the data subject can obtain additional information regarding the
breach; and
6. any assistance to be provided to the affected data subjects.

Where it is not possible to provide the foregoing information all at the same time, they may be provided
in phases without undue delay.

D. Form. Notification of affected data subjects shall be done individually, using secure means
of communication, whether written or electronic. The personal information controller shall
take the necessary steps to ensure the proper identity of the data subject being notified, and
to safeguard against further unnecessary disclosure of personal data.

The personal information controller shall establish all reasonable mechanisms to ensure that all affected
data subjects are made aware of the breach: Provided, that where individual notification is not possible
or would require a disproportionate effort, the personal information controller may seek the approval
of the Commission to use alternative means of notification, such as through public communication
or any similar measure through which the data subjects are informed in an equally effective manner:
Provided further, that the personal information controller shall establish means through which the
data subjects can exercise their rights and obtain more detailed information relating to the breach.

SECTION 19. Exemption from Notification Requirements. The following additional factors shall be
considered in determining whether the Commission may exempt a personal information controller
from notification:

A. Security measures that have been implemented and applied to the personal data at the time
the personal data breach was reasonably believed to have occurred, including measures that
would prevent use of the personal data by any person not authorized to access it;

B. Subsequent measures that have been taken by the personal information controller or personal
information processor to ensure that the risk of harm or negative consequence to the data
subjects will not materialize;

C. Age or legal capacity of affected data subjects: Provided, that in the case of minors or other
individuals without legal capacity, notification may be done through their legal representatives.

In evaluating if notification is unwarranted, the Commission may take into account the compliance
by the personal information controller with the law and existence of good faith in the acquisition of
personal data.

SECTION 20. Failure to Notify. In case the personal information controller fails to notify the
Commission or data subjects, or there is unreasonable delay to the notification, the Commission shall
determine if such failure or delay is justified. Failure to notify shall be presumed if the Commission does
not receive notification from the personal information controller within five (5) days from knowledge
of or upon a reasonable belief that a personal data breach occurred.

SECTION 21. Investigation of a Breach or a Security Incident. Depending on the nature of the incident,
or if there is failure or delay in the notification, the Commission may investigate the circumstances
surrounding a personal data breach. Investigations may include on-site examination of systems and
procedures.

If necessary, the Commission shall require the cooperation of concerned parties, or compel appropriate
action therefrom to protect the interests of data subjects.

The investigation under this Section shall be governed by the Rules of Procedure of the Commission.

SECTION 22. Reportorial Requirements. All security incidents and personal data breaches shall be
documented through written reports, including those not covered by the notification requirements. In
the event of a personal data breach, a report shall include the facts surrounding the incident, the effects
of such incident, and the remedial action taken by the personal information controller. For other
security incidents not involving personal data, a report containing aggregated data shall constitute
sufficient documentation.

Any or all reports shall be made available when requested by the Commission: Provided, that a summary
of all reports shall be submitted to the Commission annually, comprised of general information
including the number of incidents and breaches encountered, classified according to their impact on the
availability, integrity, or confidentiality of personal data.

SECTION 23. Notification and Reporting to the National Privacy Commission. The requirements pertaining to
notification and the submission of reports shall be complied with through the appropriate submissions
to the office of the National Privacy Commission or by electronic mail ([email protected].ph).
The foregoing details may be amended, subject to a public announcement made through the
Commission’s website or other comparable means.

SECTION 24. Separability Clause. If any portion or provision of this Circular is declared null and void
or unconstitutional, the other provisions not affected thereby shall continue to be in force and effect.

SECTION 25. Effectivity. This Order shall take effect fifteen (15) days after publication in the Official
Gazette or two newspapers of general circulation.

Approved:

(Sgd.) RAYMUND E. LIBORO
Privacy Commissioner

IVY D. PATDU
Deputy Privacy Commissioner

DAMIAN DOMINGO O. MAPA
Deputy Privacy Commissioner

Date: December 15, 2016

SUMMARY

What is subject to the notification requirements?
A security breach that:
1. Involves sensitive personal information, or information that may be used to enable identity fraud
2. There is reason to believe that the information has been acquired by an unauthorized person
3. The unauthorized acquisition is likely to give rise to a real risk of serious harm

Who should notify?
The personal information controller, which controls the processing of information, even if processing is
outsourced or subcontracted to a third party.

When should notification of the Commission be done?
Within 72 hours from knowledge of the personal data breach, based on available information.
A follow-up report should be submitted within five (5) days from knowledge of the breach, unless allowed a
longer period by the Commission.

When should data subjects or individuals be notified?
Within seventy-two (72) hours from knowledge of the breach, unless there is a reason to postpone or omit
notification, subject to approval of the Commission.

What are the contents of the notification to the Commission?
In general:
1. nature of the breach
2. sensitive personal information possibly involved
3. measures taken by the entity to address the breach
4. details of the contact person for more information

What are the contents of the notification to the data subject?
In general, the same contents as the notification of the Commission, but it must include instructions on how
the data subject will get further information and recommendations to minimize risks resulting from the breach.

How will notification be done?
The Commission may be notified by written or electronic means, but the personal information controller must
have confirmation that the notification has been received.
Data subjects or affected individuals shall be notified individually, by written or electronic means, unless
allowed by the Commission to use alternative means.

NPC Circular 16-04

DATE : 15 December 2016
SUBJECT : RULES OF PROCEDURE OF THE NATIONAL PRIVACY COMMISSION

Pursuant to the authority vested in the National Privacy Commission through Section 7 of Republic
Act No. 10173, otherwise known as “The Data Privacy Act of 2012”, the following Rules of Procedure
of the National Privacy Commission are hereby prescribed and promulgated:

RULE I.
PRELIMINARY PROVISIONS

SECTION 1. General Principles. – The National Privacy Commission is an independent body mandated
to administer and implement provisions of the Data Privacy Act, and to monitor and ensure compliance
of the country with international standards set for data protection. The Commission shall uphold the
right to information privacy while supporting free flow of information.

In the exercise of its quasi-judicial function, the Commission is authorized to receive complaints and
institute investigations. In order to fulfill its mandate, it may compel any entity, government agency
or instrumentality to abide by its orders or take action on a matter affecting data privacy, and impose
sanctions as may be appropriate.

SECTION 2. Scope and Coverage. – These rules shall apply to all complaints filed before the National
Privacy Commission or such other grievances, requests for assistance or advisory opinions, and other
matters cognizable by the National Privacy Commission.

RULE II.
COMPLAINTS FOR VIOLATIONS OF THE
DATA PRIVACY ACT

SECTION 3. Who may file complaints. – The National Privacy Commission, sua sponte, or persons who
are the subject of a privacy violation or personal data breach, or who are otherwise personally affected
by a violation of the Data Privacy Act, may file complaints for violations of the Act.

The person who is the subject of the privacy violation or personal data breach, or his or her duly
authorized representative may file the complaint: Provided, that the circumstances of the authority
must be established.

Any person who is not personally affected by the privacy violation or personal data breach may: (a)
request for an advisory opinion on matters affecting protection of personal data; or (b) inform the
National Privacy Commission of the data protection concern, which may in its discretion, conduct
monitoring activities on the organization or take such further action as may be necessary.

SECTION 4. Exhaustion of remedies. – No complaint shall be entertained unless:

a. the complainant has informed, in writing, the personal information controller or concerned
entity of the privacy violation or personal data breach to allow for appropriate action on the
same;

b. the personal information controller or concerned entity did not take timely or appropriate
action on the claimed privacy violation or personal data breach, or there is no response from
the personal information controller within fifteen (15) days from receipt of information from
the complaint; and

c. the complaint is filed within six (6) months from the occurrence of the claimed privacy
violation or personal data breach, or thirty (30) days from the last communiqué with the
personal information controller or concerned entity, whichever is earlier.

The failure to comply with the requirements of this Section shall cause the matter to be evaluated as
a request to the National Privacy Commission for an advisory opinion, and for the National Privacy
Commission to take such further action, as necessary.

The National Privacy Commission may waive any or all of the requirements of this Section, at its
discretion, upon good cause shown, or if the complaint involves a serious violation or breach of the
Data Privacy Act, taking into account the risk of harm to the affected data subject.

SECTION 5. Filing Fees. – No complaint or request for advisory opinion shall be entertained unless
the appropriate filing fees have been shown to have been paid, unless: (a) the complainant is the
government, or any agency or instrumentality thereof, including government-owned and controlled
corporations organized and existing under their own charter, and excluding government-owned and
controlled corporations organized and incorporated under the Corporation Code; (b) the complainant
qualifies as an indigent or pauper litigant as defined under the Rules of Court; or (c) the National
Privacy Commission, in its proper discretion and for good cause shown, waives this requirement.

SECTION 6. Printed Copies. – The complaint, together with the documentary evidence and affidavits of
witnesses, if any, shall be filed in such number as there are respondents, plus two (2) copies for the file.

SECTION 7. Where to file. – A complaint may be filed at any office of the Commission.

SECTION 8. Electronic filing. – The complaint and its supporting evidence, as well as any subsequent
filings may be filed as electronic documents, pursuant to the provisions of Republic Act No. 8792,
and subject to the right of the Commission to request for hard copies, or charge fees for the printing
thereof, either by e-mail or by submitting the same contained in a portable electronic data storage
device at any office of the Commission.

Whenever practicable, electronic submissions shall be made and digitally signed in .PDF format, on
page sizes compliant with the Efficient Use of Paper Rule.

When submissions are made through portable electronic data storage devices, the provisions of Section
6 of these Rules shall apply, with one portable data storage device equivalent to one printed copy:
Provided, that if either the device or any file found therein is detected to be infected with any form
of malware, all the electronic documents on that portable electronic data storage device shall not be
considered as having been filed.

When submissions are made through e-mail, all electronic documents must be submitted to
[email protected], copy furnished any and all other parties to the complaint.

SECTION 9. Parties to the Complaint. – The Complaint must specify the identity of the individual
claiming to be subject of a privacy violation or the person so damaged or injured by a data breach, who
shall be referred to as the complainant.

The complainant shall include in his complaint his contact information, and where the complainant
or duly authorized representative may be served with orders, issuances or communications, including
a secure electronic mail address when available.

The complaint must identify the person or organization complained against, who shall be referred
to as the respondent; the mere provision of the means to trace the identity of the party complained
against shall be considered as insufficient identification. The complainant shall also provide in the
complaint: (a) the respondent’s contact information, where practicable; and (b) where the respondent
may be served with orders, issuances or communications from the National Privacy Commission.

SECTION 10. Form and Contents of the Complaint. – The complaint shall comply with the requirements
of the Efficient Use of Paper Rule (A.M. No. 11-9-4-SC) and other such rules of formatting as may be
provided for by the Supreme Court for use in quasi-judicial agencies.

The form of the complaint must be in writing, verified and under oath, or contained in a sworn
affidavit. A complaint that does not comply with this requirement shall be acted upon only, at the
discretion of the National Privacy Commission, if it merits appropriate consideration on its face, or
is of such notoriety that it necessarily contains sufficient leads or particulars to enable the taking of
further action.

The complaint shall include a brief narration of the material facts and supporting documentary and
testimonial evidence, all of which show: (a) the violation of the Data Privacy Act or related issuances;
or (b) the acts or omissions allegedly committed by the respondent amounting to a privacy violation
or personal data breach. The complaint must include any and all reliefs sought by the complainant.

The supporting documents shall consist of original or certified true copies of any documentary
evidence, and the affidavits of witnesses, if any, including those affidavits necessary to identify the
documents and to substantiate the complaint.

The complainant shall attach any and all correspondence with the respondent on the matter complained,
and include a statement of the action taken by the respondent to address the complaint, if any.

The failure to comply with the requirements of this Section shall cause the matter to be evaluated as
a request to the National Privacy Commission for an advisory opinion, and for the National Privacy
Commission to take such further action, as necessary.

RULE III.
PROCEDURE IN COMPLAINTS

SECTION 11. Evaluation. – Upon receipt of the complaint, the National Privacy Commission shall
assign an investigating officer who shall conduct the proceedings.

The investigating officer shall evaluate the complaint to determine whether its allegations involve a
violation of the Data Privacy Act or related issuances and if based on its allegations, there is reason to
believe that there is a privacy violation or personal data breach.

The investigating officer shall then recommend to the Commission whether the complaint shall be:

a. dismissed outright for want of palpable merit;

b. referred to the respondent for comment;

c. subject to further monitoring or investigation;

d. treated as a request for an advisory opinion; or

e. indorsed to the proper government agency with jurisdiction over the complaint.

SECTION 12. Outright Dismissal. – The Commission may dismiss outright any complaint on the
following grounds:

a. The complainant did not give the respondent an opportunity to address the complaint,
unless failure to do so is justified;

b. The complaint is not a violation of the Data Privacy Act or does not involve a privacy violation
or personal data breach;

c. The complaint is filed beyond the period for filing; or

d. There is insufficient information to substantiate the allegations in the complaint or the
parties cannot be identified or traced.

SECTION 13. Order to Confer for Discovery. – If, on the face of the complaint, the allegations are deemed
to be sufficient in form and substance, the investigating officer shall issue an Order for all parties to
confer, not later than ten (10) days from receipt of the said Order, whether discovery of information
and of electronically stored information is reasonably likely to be sought in the proceeding.

A copy of the complaint, together with its supporting evidence, shall be included with the Order to
Confer for Discovery. If discovery of electronically stored information is reasonably likely to be sought,
the parties shall discuss:

a. any issues relating to the preservation of the information;

b. the form in which each type of the information will be produced;

c. the period within which the information will be produced;

d. the method for asserting or preserving claims of privilege or of protection of the information;

e. the method for asserting or preserving confidentiality and proprietary status of information
relating to a party or person not a party to the proceeding;

f. whether allocation among the parties of the expense of production is appropriate; and

g. any other issue relating thereto.

The agreement will be reduced into a Discovery Conference Report to be signed and submitted by all
parties to the Commission within five (5) days of the conclusion of the conference.

SECTION 14. Discovery.

a. The National Privacy Commission may issue an Order governing the discovery of electronically
stored information pursuant to:

1. a motion by a party seeking discovery of the information or from which discovery of the
information is sought; or
2. a stipulation of the parties and of any person not a party from which discovery of the
information is sought.

The Order governing the discovery will cover the same matter a discovery conference report is to address.
Absent exceptional circumstances, the National Privacy Commission may not impose sanctions on a
party for failure to provide electronically stored information lost as a result of the routine, good-faith
operation of an electronic information system.

b. A party may serve on any other party a request for production of electronically stored
information and for permission to inspect, copy, test, or sample the information, copy
furnished the National Privacy Commission. The party on which the said request is served
must serve a response within three (3) working days, or in such timely manner as to preserve
the integrity of the electronically stored information. The response must state, with respect
to every item or category in the request that inspection, copying, testing, or sampling of the
information will be permitted as requested; or any objection to the request and the reasons
for the objection.

The party requesting the production may specify the form in which the electronically stored information
is to be produced. The responding party must state in its response that form in which it intends to
produce each type of the information.

Unless the parties otherwise agree or the investigating officer otherwise orders: (1) If a request for
production does not specify a form for producing a type of electronically stored information, the
responding party shall produce the information in a form in which it is ordinarily maintained or
in a form that is reasonably usable; and (2) a party need not produce the same electronically stored
information in more than one form.

c. A party may object to discovery of electronically stored information from sources that the
party identifies as not reasonably accessible because of undue burden or expense. In its
objection, the party shall identify the reason for the undue burden or expense.

On motion to compel discovery or for a protective order relating to the discovery of electronically
stored information, a party objecting to discovery under the next preceding paragraph bears the
burden of showing that the information is from a source that is not reasonably accessible because of
undue burden or expense.

d. The National Privacy Commission may order discovery of electronically stored information
that is from a source that is not reasonably accessible because of undue burden or expense
if the party requesting discovery shows that the likely benefit of the proposed discovery
outweighs the likely burden or expense, taking into account the amount in controversy, the
resources of the parties, the importance of the issues, and the importance of the requested
discovery in resolving the issues.

If the National Privacy Commission orders discovery of electronically stored information under the
next preceding paragraph, it may set conditions for discovery of the information, including allocation
of the expense of discovery.

e. The National Privacy Commission shall limit the frequency or extent of discovery of
electronically stored information, even from a source that is reasonably accessible, if the
Commission determines that:

1. It is possible to obtain the information from some other source that is more convenient,
less burdensome, or less expensive;
2. The discovery sought is unreasonably cumulative or duplicative;
3. The party seeking discovery has had ample opportunity by discovery in the proceeding
to obtain the information sought; or
4. The likely burden or expense of the proposed discovery outweighs the likely benefit,
taking into account the amount in controversy, the resources of the parties, the
importance of the issues, and the importance of the requested discovery in resolving
the issues.

SECTION 15. Order to Submit Comment. – Following the receipt of the Discovery Conference Report,
the investigating officer shall issue an Order directing the respondent or respondents, as the case may be,
to submit within ten (10) days from receipt thereof, a responsive Comment to the Complaint, together
with any supporting documents the respondent or respondents may have, including the affidavits of
any of the respondents’ witnesses, if any. The investigating officer, upon his or her discretion, may
require the complainant to file a Reply within ten (10) days after receipt of the Order requiring the
filing of a Reply. Such an Order may also require the respondent to file a Rejoinder within ten (10)
days after receipt of the Reply.

SECTION 16. Investigation; Examination of Systems and Procedures. – The investigating officer shall
investigate the circumstances surrounding the privacy violation or personal data breach. Investigations
may include on-site examination of systems and procedures. In the course of the investigation, the
complainant and/or respondent may be required to furnish additional information, document or
evidence, or to produce additional witnesses. The parties shall have the right to examine the evidence
submitted, which he or she may not have been furnished, and to copy them at his expense.

SECTION 17. Failure to Submit Comment. – If the respondent does not file a Comment, the
investigating officer may consider the complaint as submitted for resolution. The respondent shall, in
any event, have access to the evidence on record.

SECTION 18. Recommendation of the Investigating Officer. – Upon the termination of the investigation,
the investigating officer shall produce a fact-finding report, which shall include the results of the
investigation, the evidence gathered, and any recommendations. The report shall be submitted to the
Office of the Commissioner.

SECTION 19. Temporary Ban on Processing Personal Data. – At the commencement of the complaint or
at any time before the decision of the National Privacy Commission becomes final, a complainant or
any proper party may have the National Privacy Commission, acting through the investigating officer,
impose a temporary ban on the processing of personal data, if on the basis of the evidence on record,
such a ban is necessary in order to preserve the rights of the complainant or to protect national security
or public interest.

a. A temporary ban on processing personal data may be granted only when: (1) the application
in the complaint is verified and shows facts entitling the complainant to the relief demanded,
or the respondent or respondents fail to appear or submit a responsive pleading within the
time specified for within these Rules; and (2) unless exempted from the payment of filing fees
as provided for in these Rules, the complainant files with the National Privacy Commission a
bond executed to the party or person so banned from processing personal data in an amount
to be fixed by the investigating officer. Upon approval of the requisite bond, the temporary
ban on processing personal data shall be issued.

b. When an application for a temporary ban on processing personal data is included in a
complaint, the investigating officer shall issue a Notice of Hearing, together with a copy of
the complainant’s affidavit, the annexes thereto, and receipt of the bond, when applicable.

When an application for a temporary ban on processing personal data is made by motion,
the investigating officer shall issue a Notice of Hearing, together with a copy of the receipt of
the bond, when applicable.

The Notice of Hearing shall indicate the scheduled date and venue for the hearing, and that
the respondent or respondents, as the case may be, may appoint a representative to appear at
the hearing in order to protect their interests.

The complainant shall shoulder the cost to ensure that this Notice of Hearing is delivered to
the respondent or respondents, as the case may be, within the next business day, by personal
or substituted service, and if personal or substituted service is impossible, by private courier.
Upon service, the complainant shall file an affidavit of service attesting that service was
properly made upon the respondent or respondents, as the case may be.

c. The temporary ban on processing personal data shall be acted upon only after all the parties
are heard in a summary hearing.

If all the parties can be found in the Philippines, or if service upon a non-resident is made
by substituted service, the summary hearing shall be conducted within the next business day
following the actual receipt of the Notice, as indicated in the affidavit of service.

If the respondent is a non-resident of the Philippines and only direct service or service by
courier is possible, then the hearing shall be conducted one (1) week after actual receipt of
the Notice.

d. If so issued, the temporary ban on processing personal data shall remain in effect until the
final resolution of the case or upon orders of the Commission or lawful authority.

SECTION 20. Permanent Ban on Processing Personal Data. – If after the termination of the proceedings
it appears that the complainant is entitled to have a permanent ban on processing personal data, the
investigating officer shall recommend that the Commission issue an Order granting a permanent ban
on processing personal data.

SECTION 21. Action on the Recommendations of the Investigating Officer. – The Commission shall review
the evidence presented, including the fact-finding report and supporting documents. On the basis
of the said review, the National Privacy Commission may: (1) promulgate a Decision; or (2) order the
conduct of a clarificatory hearing, if in its discretion, additional information is needed to make a
Decision. No motion for clarificatory hearing shall be entertained. In case the Commission finds that
a clarificatory hearing is necessary, the following shall be observed:

a. The parties shall be notified of the schedule for clarificatory hearing at least five (5) days from
schedule;

b. The Commission may require additional information and/or compel attendance of any
person involved in the complaint;

c. The parties shall not directly question the individuals called to testify but may submit their
questions to the Commission for their consideration;

d. The parties may be required to submit their respective memoranda containing their
arguments on the facts and issues for resolution.

SECTION 22. Rendition of decision. – The Decision of the Commission shall adjudicate the issues
raised in the complaint on the basis of all the evidence presented and its own consideration of the
law. The decision may include enforcement orders, including: (a) an award of indemnity on matters
affecting personal data protection, or rights of the data subject, where the indemnity amount to be
awarded shall be determined based on the provisions of the Civil Code; (b) cease and desist orders; (c)
the imposition of a temporary or permanent ban on the processing of personal data, as provided for in
these Rules; (d) a recommendation to the Department of Justice (DOJ) for the prosecution and imposition
of penalties specified in the Act; (e) those to compel or petition any entity, government agency or
instrumentality to abide by its orders or take action on a matter affecting data privacy; (f) those to
impose fines for violations of the Act or issuances of the Commission; or (g) any other order to enforce
compliance with the Data Privacy Act.

A copy of the decision shall be served upon the parties, for information and compliance with any
directive contained therein.

RULE IV.
COMPLAINTS OF THE NATIONAL PRIVACY COMMISSION

SECTION 23. Own initiative. – Depending on the nature of the incident, in cases of a possible serious
privacy violation or personal data breach, taking into account the risks of harm to a data subject,
the Commission may investigate on its own initiative the circumstances surrounding the possible
violation. Investigations may include on-site examination of systems and procedures. If necessary,
the Commission may use its enforcement powers to order cooperation of the personal information
controller or other persons, with the investigation or to compel appropriate action to protect the
interests of data subjects.

SECTION 24. Uniform procedure. – The investigation shall be in accordance with Rule III of these
Rules, provided that the respondent shall be provided a copy of the fact-finding report and given
an opportunity to submit an answer. In cases where the respondent or respondents fail without
justification to submit an answer or appear before the National Privacy Commission when so ordered,
the Commission shall render its decision on the basis of available information.

RULE V.
ALTERNATIVE MODES OF DISPUTE RESOLUTION

SECTION 25. Alternative modes of dispute resolution. – The Commission shall facilitate or enable
settlement through the use of alternative dispute resolution processes, provided that if the allegations
are of a serious nature, taking into account the risks of harm to a data subject, the Commission may
immediately conduct an investigation on its own initiative.

SECTION 26. Mediation officer. – The Commission shall assign a mediation officer to assist the
complainant and respondent to reach a settlement agreement provided that no settlement is allowed
for criminal acts. The mediation officer shall identify the issues for resolution and mediate in order
for the parties to reach an amicable settlement. In case the parties reach an amicable settlement, the
mediation officer shall issue a resolution on the agreement between parties.

SECTION 27. Failure to reach settlement. – In case the parties are unable to reach an amicable settlement,
the procedure for the resolution of complaints shall be followed.

RULE VI.
REQUESTS FOR ADVISORY OPINIONS

SECTION 28. Advisory Opinions. – An advisory opinion may be issued by the Commission on matters
relating to data privacy or personal data protection, at the instance of any party, or on any complaint
filed, which failed to comply with the requirements of Rule II herein.

No request for an advisory opinion shall be entertained unless:

a. the request provides sufficient facts to allow for evaluation of the matter relating to data
privacy or personal data protection;

b. the request relates to novel issues or legitimate concerns that merit further evaluation;

c. the request is not related to any pending case before the National Privacy Commission, or on
any matter that is subject of an ongoing investigation; and

d. the request is not on a matter that has previously been subject of an advisory opinion.

An advisory opinion shall be limited to discussion of the issues and applicable law or jurisprudence but
shall not impose any sanctions or award damages.

SECTION 29. Uniform procedure. – Requests for the issuance of an advisory opinion must be in
writing and addressed to the National Privacy Commission. Whenever applicable, the procedure for
the filing of the advisory opinion shall be in accordance with Rule II of these Rules, provided that the
Commission may request for additional information as may be necessary to evaluate the personal data
protection concern.

The requesting party must provide contact details, including a valid electronic mail address, where the
Commission may send its orders or opinions. Advisory opinions issued by the Commission may be
made available to the public.

RULE VII.
APPEALS

SECTION 30. Appeal. – The decision of the National Privacy Commission shall become final and
executory fifteen (15) days after the receipt of a copy thereof by the party adversely affected. One
motion for reconsideration may be filed, which shall suspend the running of the said period. Any
appeal from the Decision shall be to the proper courts, in accordance with law and rules.

RULE VIII.
GENERAL PROVISIONS

SECTION 31. Confidentiality. – The Commission may ask for access to personal data that is subject
of any complaint and to collect the information necessary to perform its functions. The Commission
shall ensure confidentiality of any personal data that comes to its knowledge and possession, provided
that any personal data submitted may be transferred to parties who will be contacted during the
handling of the case and may be disclosed to agencies who are authorized to receive information
relating to law enforcement, prosecution or review of the Commission’s decisions, subject to the Act
and related issuances. Information about the case may also be used for policy development, public
education, case reports and publications.

SECTION 32. Application of Rules of Court. – The Rules of Court shall apply in a suppletory character,
and whenever practicable and convenient.

SECTION 33. Interpretation. – These rules shall be liberally interpreted in a manner mindful of the
rights and interests of the person about whom personal data is processed.

SECTION 34. Separability Clause. – In the event that any provision or part of this Order is declared
unauthorized or rendered invalid, those provisions not affected by such declaration shall remain valid
and in force.

SECTION 35. Effectivity. – This Order shall take effect fifteen (15) days after publication in the Official
Gazette or two newspapers of general circulation. They shall govern all cases brought after they take
effect and to further proceedings in cases then pending, except to the extent that their application
would not be feasible or cause injustice to any party.

Approved:

(Sgd.) RAYMUND E. LIBORO
Privacy Commissioner

IVY D. PATDU
Deputy Privacy Commissioner

DAMIAN DOMINGO O. MAPA
Deputy Privacy Commissioner

Date: December 15, 2016

A Guide for the Data Subject

1. Do you have a concern about a privacy violation, personal data breach or matters related to
personal data protection, or any other violation of the Data Privacy Act and other issuances of
the National Privacy Commission?
a. Yes. Proceed to the next section (No.2).
b. No. The National Privacy Commission may have no power to act on your complaint.
The Commission can only act on matters that relate to the Data Privacy Act.
c. I am not sure. Request for an Advisory Opinion or request for information (No.5).

2. Does your concern affect you personally or involve your personal data?
a. Yes. If it is a matter affecting your own personal data, you may file a Complaint with the
National Privacy Commission.
b. No. If it is about another person, or is a matter of general concern, request instead for
an Advisory Opinion.

3. How do you file a complaint?
a. First, give an opportunity to the individual or company to address your concerns. Send a
written letter to the individual or company you believe has committed a privacy violation
or personal data breach, and request the said company for appropriate action.
b. If the company does not act on your letter within 15 days, or has failed to take appropriate
action on your concern, you may file your complaint with the Commission. File the
complaint within 30 days from last communication. If you have an important reason
why you think it would be hard to write to the individual or company, you may explain this
to the Commission.
c. The complaint should be in an affidavit form and should include:
1. all information relevant to your concern, including any other evidence or affidavits
of witnesses, if any;
2. your communications with the individual or company;
3. the relief you are demanding, whether you want specific action from the individual
or company, or whether you want to claim for damages; and
4. your contact details and contact details of the individual or company.
d. You may file it with the office of the National Privacy Commission, where you may be asked
to pay filing fees, depending on the relief you are asking. You may file it online through
e-mail at [email protected]. In case of electronic mail, wait for instructions on
how filing fees can be paid. If you qualify as an indigent, no filing fee is necessary.
e. An investigating officer will evaluate your complaint and when sufficient in form and
substance, the Commission may call on you to confer with the respondent on matters like
discovery of evidence or schedules of the proceedings.
f. Upon completion of the investigation, the investigating officer shall refer the case to the
Office of the Commissioner for final decision.

4. How do you request an Advisory Opinion?
a. File your request for advisory opinion in the same manner as a complaint.
b. Your request should include all facts necessary for the Commission to evaluate your
concern and render an opinion.
c. Provide the National Privacy Commission a way to contact you.
d. Remember that if your request is for an advisory opinion, the National Privacy Commission
will not award damages.

5. Can I get additional information on this circular? You may request for additional information
on the procedure through [email protected]
