
Data Privacy Protection Competency Framework Day 2 Privacy Policy Making Participants


DATA PRIVACY PROTECTION

COMPETENCY FRAMEWORK
DICT Regional Office

San Gabriel, Tuguegarao City, Cagayan

September 26, 2023


DISCUSSION POINTS
DAY 1
• R.A. 10173 – Data Privacy Act 2012 Goals, Objectives, Accountability and
Responsibility
• Data Privacy and Information Security Risks Management – Privacy
Impact Assessment Process
Day 2
• DATA PRIVACY AND SECURITY CONTROLS – PRIVACY AND
SECURITY POLICY MAKING
Day 3
• Breach and Security Incident Management
DATA PRIVACY ACT (DPA) OF 2012 IN A NUTSHELL

Data Privacy Act of 2012 protects the privacy rights and
information security of a person or individual identified as:
Data Subject - whose personal, sensitive personal, or
privileged information is processed by a
communication system in the government and in the
private sector.

What does the DPA do?
It regulates the collection and processing of personal information
and sensitive personal information.

How does the DPA regulate the collection and processing of personal
information and data?
It imposes requirements and obligations on personal data controllers
and processors and grants rights to data subjects.

Personal Data Controllers and Processors
✔ Can only collect and process data if a criterion for lawful processing is
present
✔ Must observe the general data principles of transparency, legitimate
purpose, and proportionality when collecting and processing
personal data
✔ Are subject to certain obligations (including the need to observe
rights of the data subjects)

Non-compliance can trigger penalties & sanctions
Copyright notice: The cited and annotated content of cited standards are duly owned by their research organization or publishers.
ACCOUNTABLE AND RESPONSIBLE
The legal liability of data privacy compliance belongs to:

• DATA PROTECTION OFFICER: Privacy Oversight Organization
• PERSONAL INFORMATION CONTROLLER: Business Owner or Head of the Agency
• PERSONAL INFORMATION PROCESSOR: Data Processing System Service Provider

R.A. 10173 – DATA PRIVACY ACT 2012
ACCOUNTABILITY AND RESPONSIBILITY

The data protection obligation of the head of agency is listed in the
National Privacy Commission Circular 06-01, Security of Personal Data
in Government Agencies:

1. Privacy governance
2. Information system registration
3. Privacy impact assessment
4. Privacy and security policy
5. Personnel training on privacy policy
6. Storage of personal data
7. Access to personal data
8. Transfer of personal data
9. Disposal of personal data
10. Data breach management

DATA PROTECTION OFFICER
1) The responsibility for complying with the Act, its IRR,
issuances by the NPC, and all other applicable laws lies
with the Personal Information Controller (PIC) or Personal
Information Processor (PIP). When necessary, it must be
capable of demonstrating its capacity to comply.

2) A PIC or PIP shall designate an individual or individuals
who shall function as DPO. The DPO shall be accountable
for ensuring the compliance by the PIC or PIP with the
DPA, its IRR, issuances by the NPC, and other applicable
laws and regulations relating to privacy and data
protection.

3) DPO should have expertise in relevant privacy or data
protection policies and practices.

4) He or she should have sufficient understanding of the
processing operations being carried out by the PIC or PIP,
including the latter’s information systems, data security
and/or data protection needs.

NPC Advisory 2017-01

DATA PROTECTION OFFICER
5) The DPO or COP shall act independently in the
performance of his or her functions and shall enjoy
sufficient degree of autonomy.

6) For this purpose, he or she must not receive instructions
from the PIC or PIP regarding the exercise of his or her
tasks.

7) Where the employment of the DPO or COP is based on a
contract, the term or duration thereof should at least be
two (2) years to ensure stability.

8) In the government or public sector, the DPO or COP may
be a career or appointive position.

9) A PIC or PIP may outsource or subcontract the functions
of its DPO or COP.

NPC Advisory 2017-01

DATA PROTECTION OFFICER
Monitoring Responsibilities
1) Collect information to identify the processing operations,
activities, measures, projects, programs, or systems of
the PIC or PIP, and maintain a record thereof.

2) Analyze and check the compliance of processing
activities, including the issuance of security clearances to
and compliance by third-party service providers;

3) Inform, advise, and issue recommendations to the PIC or
PIP;

4) Ascertain renewal of accreditations or certifications
necessary to maintain the required standards in personal
data processing; and

5) Advise the PIC or PIP as regards the necessity of
executing a Data Sharing Agreement with third parties
and ensure its compliance with the law.

NPC Advisory 2017-01

EVIDENCE OF PRIVACY COMPLIANCE

1) Data privacy violation prevented or responded

Privacy violation is an illegal or unwanted act that endangers the privacy rights of a person and security
of personal data.

• Section 25 Unauthorized processing
• Section 26 Negligence in access
• Section 27 Improper disposal
• Section 28 Unauthorized purpose
• Section 29 Unauthorized access or intentional breach
• Section 30 Concealment of breach
• Section 31 Malicious disclosure
• Section 32 Unauthorized disclosure
• Section 33 Combination of acts

2) Rights of the data subject respected

• Right to be Informed
• Right to Access
• Right to Rectify
• Right to Object
• Right to Erasure or blocking
• Right to data Portability
• Right to file a Complaint
• Right to Damages

3) Data privacy and security measures implemented

• Organizational Security Measures
• Technical Security Measures
• Physical Security Measures

CONSENT

• The data subject agrees to the collection and
processing of personal information
✔ Freely given
✔ Specific
✔ Informed indication of will
• Evidenced by written, electronic or recorded means:
✔ Signature
✔ Opt-in box/clicking an icon
✔ Sending a confirmation email
✔ Oral confirmation
• Opt-in: silence, pre-ticked boxes or inactivity do
not constitute consent.

Criteria for Lawful Processing

Personal Information
• Data Subject has given consent
• Compliance with Legal or Contractual Obligation
• Protection of the data subject and another person
• Public purposes
• Legitimate interests

Sensitive Personal Information
• Consent of the data subject
• Provided by law
• Protection of life and health
• Lawful and non-commercial objectives of public organizations
• Medical treatment
• Protection of rights and interests in court, legal claims, or when
provided to the government

Do you always need consent?

1) No. Consent is just one criterion for lawful
processing of both personal and sensitive

RISK ASSESSMENT CONCEPT

RISK IDENTIFICATION: Identify risk sources, areas of impacts, events
and causes, and their potential consequences.

RISK ANALYSIS: It involves the development of understanding of the risk,
consideration of the causes and risk sources, their positive and
negative consequences, the likelihood that those consequences
can occur.

RISK EVALUATION: It assists in decision making about which risks need
treatment and priority for treatment implementation.

RISK TREATMENT: It is an administrative, legal, physical, operational,
and technical remedy, mitigation, countermeasure or safeguard against the
potential risks.

WHAT IS PRIVACY IMPACT? (ISO 29134)
1) It is any thing that has effect on the data privacy of personal
information security of a data subject

2) It is result that comes from a data processing system found to conform
or violate the rules and standards of safeguarding data

PRIVACY IMPACT ASSESSMENT
1) An instrument to assess the potential impacts on data
privacy and security of the filing system, automation,
technology platform, program, software module, device or
other project that is defined to act the collection,
processing, retention, sharing and disposal of a data
subject’s personal data.

2) It is a process at the initiation of data processing system
project to ensure privacy by design. It continues until, and
even after, the project has been deployed.

3) A consultation with stakeholders, for taking actions as
necessary in order to treat data privacy and protection risk.

4) A report that documents on the measures to be taken for

What reasons cause a Privacy Impact Assessment?

• The developed, acquired and operated data processing system collects personal data

• A change in applicable privacy related laws and regulations, internal policy and standards,
information system operation, purposes and means for processing data, new or changed data flows

• A new or prospective technology, service or other initiative where personal information is, or is to
be, processed

• A decision that sensitive personal information is going to be processed

• A data privacy violation complaint is made against a system operation

Who conducts Privacy Impact Assessment?

PERSONAL INFORMATION CONTROLLER
has the responsibility to conduct privacy impact
assessment and may request a personal
information processor to act on the PIC’s behalf.

PERSONAL INFORMATION PROCESSOR
a data processing supplier has the responsibility to conduct
privacy impact assessment in all its project and program
associated with the processing of personal data as required by law
and as agreed with a personal information controller.

Critical Steps in Doing Privacy Impact Assessment

• JUSTIFY the conduct of privacy impact assessment with a privacy
threshold analysis
• IDENTIFY the stakeholders to participate in creating privacy impact
assessment report
• SCOPE the privacy impact assessment by identifying and describing
system context and configuration with impact to privacy
• ADOPT a privacy and security risks criteria and the corresponding
measurement that determine the indicators and rating of threat,
vulnerabilities and control in the impact assessment.

Critical Steps in Doing Privacy Impact Assessment

• PLAN the assessment activities
• EXECUTE the privacy and security risks identification, analysis,
and evaluation
• FILL-OUT the Privacy Impact Assessment Report template of the
National Privacy Commission

Measuring Impact

• Negligible (1): The data subjects will either not be affected or
may encounter a few inconveniences, which they will overcome
without any problem
• Limited (2): The data subject may encounter significant
inconveniences, which they will be able to overcome despite a few
difficulties
• Maximum (3): The data subjects may encounter significant
inconveniences, or even irreversible, consequences, which
they may not overcome
• Significant (4): The data subjects may encounter significant
inconveniences, which they should be able to overcome but with
serious difficulties

Measuring Probability

• Unlikely (1): Not expected, but there is a slight
possibility it may occur at some time.
• Possible (2): Casual occurrence. It might happen at
some time.
• Likely (3): Frequent occurrence. There is a strong
possibility that it might occur
• Almost Certain (4): Very likely. It is expected to occur in
most circumstances

PRIVACY RISKS MAP
PRIVACY AND SECURITY RISKS MAP

IMPACT
4 MAXIMUM: Unauthorized processing; Unauthorized purpose; Malicious disclosure
3 SIGNIFICANT: Unauthorized disclosure; Negligence in access; Combination of acts; Intentional breach
2 LIMITED: Unauthorized access; Improper disposal
1 NEGLIGIBLE: Concealment of breach

PROBABILITY
1 UNLIKELY, 2 POSSIBLE, 3 LIKELY, 4 ALMOST CERTAIN

DISCUSSION POINTS
DAY 1
• R.A. 10173 – Data Privacy Act 2012 Goals, Objectives, Accountability and
Responsibility
• Data Privacy and Information Security Risks Management – Privacy
Impact Assessment Process
Day 2
• DATA PRIVACY AND SECURITY CONTROLS – PRIVACY AND
SECURITY POLICY MAKING
Day 3
• Breach and Security Incident Management
POLICY MAKING

POLICY: Intentions and direction of an organization, as formally
expressed by its top management. (ISO 27000 -3.53)

PRIVACY POLICY: Overall intention and direction, rules and commitment,
as formally expressed by the personal information
controller related to the processing of personal
information in a particular setting (ISO 29100 -2.16)

INFORMATION SECURITY: Preservation of confidentiality, integrity and
availability of information (ISO 27000 -3.28)

SECURITY IMPLEMENTATION STANDARD: Document specifying authorized ways
for realizing security (ISO 27000 -3.73)

STATUTORY GOALS

• R.A. 10173 Chapter 1 Section 2
• R.A. 10173 Implementing Rules and Regulations
• National Privacy Commission Advisory- Circular Issuances,
and Case Resolution

1. Protect the fundamental human right
of privacy, of communication while
ensuring free flow of information to
promote innovation and growth.

2. Ensure that personal
information in information and
communications systems in the
government and in the private
sector are secured and
protected.

POLICY CONCERN OF R.A. 10173

PERSONAL INFORMATION CONTROLLER

1) Implements reasonable and appropriate
organizational, physical, and technical
security measures for the protection of
personal data.

2) Takes steps to ensure that any natural
person acting under their authority and who
has access to personal data, does not
process them except upon their
instructions, or as required by law.

Policy Making: R.A. 10173 IRR Rule VI

POLICY CONCERN OF R.A. 10173

HEAD OF THE AGENCY

The agency through the head of the
agency has to create privacy and data
protection policies, taking into account
the privacy impact assessments, as
well as Sections 25 to 29 of the IRR.

Policy Making: NPC Circular 16-01

POLICY CONCERN OF R.A. 10173
DATA PROTECTION OFFICER
1) Monitor the PIC’s or PIP’s compliance with the DPA,
its IRR, issuances by the NPC and other applicable
laws and policies.

2) Inform and cultivate awareness on privacy and
data protection within the organization of the PIC
or PIP, including all relevant laws, rules and
regulations and issuances of the NPC.

3) Advocate for the development, review and/or
revision of policies, guidelines, projects and/or
programs of the PIC or PIP relating to privacy and
data protection, by adopting a privacy by design
approach.

Policy Making: NPC Advisory 2017-01

POLICY CONCERN OF R.A. 10173

PRIVACY
is freedom from intrusion into the
private life or affairs of an individual
or person, when that intrusion
results from undue or illegal
gathering and use of data about that
individual.
(ISO 2382 – IT Vocabulary)

Policy Making

PERSONAL DATA PROCESSING PRIVACY PROTECTION
Privacy Protection Requirements | Management Results
1. Personal data and processing system visibility | Registry of personal data, filing system, automation program
2. Respect data privacy rights | Data privacy rights policy, process, notification, consent
3. Regulated personal data processing lifecycle of personal information and sensitive personal information | Inventory of process, system, technology and risks assessment and system data privacy by design
4. Data privacy principles in personal data processing system | Data processing privacy policy and system conformity test
5. Privacy lawful criteria in processing personal information | Statutory and regulatory registry

PERSONAL DATA PROCESSING PRIVACY PROTECTION
Privacy Protection Requirements | Management Results
6. Conditions to process sensitive personal information | Privacy policy and system conformity test
7. Accountability in personal data sharing | Data sharing agreement, and security measures
8. Security measures in personal information protection | Organization, physical and technical measures – policy, role, activities, product, services and technology
9. Breach and Privacy violation and corresponding penalties | Breach reporting and case management
10. Supplier Relationship – Privacy and Security | Privacy and Security Agreements

POLICY CONCERN OF R.A. 10173

PRIVACY PROTECTION
represents the definitive act of
respecting the person's rights of
privacy and the security of personal
data that are being collected,
processed, retained, shared, and
disposed by the personal
information controller and processor
of business or government.

Policy Making

PERSONAL DATA TO PROTECT

PERSONAL DATA
✔ Represent a set of information that identifies an
individual or person who is called a DATA SUBJECT
✔ Refers to all types of personal information

This can be:
• Personal Information
• Sensitive Personal Information

PERSONAL INFORMATION
information which can directly identify an individual

SENSITIVE PERSONAL INFORMATION
considered as closer to the core of one’s
identity and they can shape and define
an individual

PRIVILEGED INFORMATION
refers to certain kinds of communication
which can not be used as evidence in court

Personal Data Category
1. Name: Given name, middle name, surname, alias
2. Identification number: License number, tax number
3. Location data: Address, GPS location
4. Online identifier: e-mail, IP address
5. Digital identifier: Biometric, CCTV data
6. Genetic Data: DNA test result
7. Health Data: Diagnostic report
8. Research Data: Research question, enumerator interview logs
9. Physical factor: Height, weight, sex
10. Physiological factor: Body chemistry
11. Mental factor: Intellectual aptitude test results
12. Economic factor: Salary, debts, property
13. Cultural factor: Nationality, tribe
14. Social identity factors: Club membership, titles, legal record

SENSITIVE PERSONAL INFORMATION (RA 10173 sec 3L)

1. individual’s race, ethnic origin, marital status, age, color, and
religious, philosophical or political affiliations

2. Individual’s health, education, genetic or sexual life of a person,
or to any proceeding for any offense committed or alleged to have
been committed by such person, the disposal of such proceedings,
or the sentence of any court in such proceedings

3. Issued by government agencies peculiar to an individual which
includes, but not limited to, social security numbers, previous or
current health records, licenses or its denials, suspension or
revocation, and tax returns;

4. specifically established by an executive order or an act of
Congress to be kept classified

PRIVACY RIGHTS ON PERSONAL DATA (R.A. 10173 IRR RULE VIII)
Privacy Rights of Data Subject | Respect Indicators
1. The right to be informed | Notification and consent
2. The right to give consent | Written or recorded agreement to process personal data
3. The right to access | Permission to view and participate
4. The right to object | Ability to withhold or refuse
5. The right to erasure or blocking | Permission to withdraw and delete personal data
6. The right to rectify | Permission to check accuracy and to correct
7. The right to data portability | Ability to request and download personal data
8. The right to complain | Rules of procedure to file complaint
9. The right to claim damages | Rule of procedure to claim damages

PRIVACY PRINCIPLES OF PERSONAL DATA PROCESSING (Rule V)
Principles of Transparency, Legitimate Purpose and Proportionality

1. Transparency
The data subject must be aware of the nature, purpose, and extent
of the processing of his or her personal data, including the risks and
safeguards involved, the identity of personal information controller,
his or her rights as a data subject, and how these can be exercised.
Any information and communication relating to the processing of
personal data should be easy to access and understand, using clear
and plain language.

2. Legitimate purpose
The processing of information shall be compatible with a declared
and specified purpose which must not be contrary to law, morals, or
public policy.

3. Proportionality
The processing of information shall be adequate, relevant, suitable,
necessary, and not excessive in relation to a declared and specified
purpose. Personal data shall be processed only if the purpose of the
processing could not reasonably be fulfilled by other means.

PRIVACY PRINCIPLES OF PERSONAL DATA PROCESSING (Rule V)
General principles in collection, processing and retention

1. Collection must be for a declared, specified, and legitimate purpose.
• Consent is required prior to the collection and processing of
personal data, subject to exemptions provided by the Act and
other applicable laws and regulations. When consent is
required, it must be time-bound in relation to the declared,
specified and legitimate purpose. Consent given may be
withdrawn.
• The data subject must be provided specific information
regarding the purpose and extent of processing, including,
where applicable, the automated processing of his or her
personal data for profiling, or processing for direct marketing,
and data sharing.
• Purpose should be determined and declared before, or as
soon as reasonably practicable, after collection.
• Only personal data that is necessary and compatible with
declared, specified, and legitimate purpose shall be collected.

PRIVACY PRINCIPLES OF PERSONAL DATA PROCESSING (Rule V)

2. Personal data shall be processed fairly and lawfully.
• Processing shall uphold the rights of the data subject, including the
right to refuse, withdraw consent, or object. It shall likewise be
transparent and allow the data subject sufficient information to know
the nature and extent of processing.
• Information provided to a data subject must always be in clear and
plain language to ensure that they are easy to understand and access.
• Processing must be in a manner compatible with declared, specified,
and legitimate purpose.
• Processed personal data should be adequate, relevant, and limited to
what is necessary in relation to the purposes for which they are
processed.
• Processing shall be undertaken in a manner that ensures appropriate
privacy and security safeguards.

3. Processing should ensure data quality.
• Personal data should be accurate and where necessary for declared,
specified and legitimate purpose, kept up to date.
• Inaccurate or incomplete data must be rectified, supplemented,
destroyed or their further processing restricted.

PRIVACY PRINCIPLES OF PERSONAL DATA PROCESSING (Rule V)

4. Personal Data shall not be retained longer than necessary
• Retention of personal data shall only be for as long as necessary:
(a) for the fulfillment of the declared, specified, and legitimate
purpose, or when the processing relevant to the purpose has
been terminated;
(b) for the establishment, exercise or defense of legal claims; or
(c) for legitimate business purposes, which must be consistent
with standards followed by the applicable industry or approved
by appropriate government agency.
• Retention of personal data shall be allowed in cases provided
by law.
• Personal data shall be disposed or discarded in a secure
manner that would prevent further processing, unauthorized
access, or disclosure to any other party or the public, or
prejudice the interests of the data subjects.

PRIVACY PRINCIPLES OF PERSONAL DATA PROCESSING (Rule V)

5. Any authorized further processing shall have adequate safeguards.
• Personal data originally collected for a declared, specified, or
legitimate purpose may be processed further for historical,
statistical, or scientific purposes, and, in cases laid down in law, may
be stored for longer periods, subject to implementation of the
appropriate organizational, physical, and technical security
measures required by the Act in order to safeguard the rights and
freedoms of the data subject.
• Personal data which is aggregated or kept in a form which does not
permit identification of data subjects may be kept longer than
necessary for the declared, specified, and legitimate purpose.
• Personal data shall not be retained in perpetuity in contemplation of
a possible future use yet to be determined.

General Principles for Data Sharing

1. Data sharing shall be allowed when it is expressly authorized by law:
Provided, that there are adequate safeguards for
data privacy and security, and processing adheres
to principle of transparency, legitimate purpose and
proportionality

PRIVACY PRINCIPLES OF PERSONAL DATA PROCESSING (Rule V)
General Principles for Data Sharing

2. Data Sharing shall be allowed in the private sector if the data subject
consents to data sharing, and the following conditions are complied with:
1) Consent for data sharing shall be required even when the data is to be shared with an
affiliate or mother company, or similar relationships.
2) Data sharing for commercial purposes, including direct marketing, shall be covered by a data
sharing agreement.
3) The data subject shall be provided with the following information prior to collection or
before data is shared:
• Identity of the personal information controllers or personal information processors that
will be given access to the personal data
• Purpose of data sharing;
• Categories of personal data concerned;
• Intended recipients or categories of recipients of the personal data
• Existence of the rights of data subjects, including the right to access and correction, and
the right to object.
• Other information that would sufficiently notify the data subject of the nature and
extent of data sharing and the manner of processing.
4) Further processing of shared data shall adhere to the data privacy principles laid down
in the Act, these Rules, and other issuances of the Commission.

PRIVACY PRINCIPLES OF PERSONAL DATA PROCESSING (Rule V)

3. Data collected from parties other than the data subject for purpose
of research shall be allowed
When the personal data is publicly available, or has the consent of the
data subject for purpose of research: Provided, that adequate
safeguards are in place, and no decision directly affecting the
data subject shall be made on the basis of the data collected or
processed. The rights of the data subject shall be upheld without
compromising research integrity.

4. Data sharing between government agencies for the purpose of a public
function or provision of a public service shall be covered by a data
sharing agreement
1. Any or all government agencies party to the agreement shall comply
with the Act, these Rules, and all other issuances of the Commission,
including putting in place adequate safeguards for data privacy and
security.
2. The data sharing agreement shall be subject to review of the
Commission, on its own initiative or upon complaint of data subject

PRIVACY VIOLATION
Privacy violation represents activities in the
personal data

(1) Collection
(2) Retention
(3) Use
(4) Disclosure
(5) Disposal

that undermine

• Privacy Rights
• Privacy Principles
• Security Measures

DATA PRIVACY
VIOLATIONS
1. Unauthorized processing
2. Negligence in access
3. Improper disposal
4. Unauthorized purpose
5. Unauthorized access
6. Intentional breach
7. Concealed breach
8. Malicious disclosure
9. Unauthorized disclosure
10. Combined violations

Impact: imprisonment and fines – Data Privacy Act of 2012


DATA PRIVACY STAKEHOLDERS

DATA SUBJECT
Represents the exercise of data privacy rights and main party to associate personal data to be protected with privacy and security

NATIONAL PRIVACY COMMISSION
Creates regulation; monitor compliance; educate the public; enforces rules; and resolve cases on data privacy

DATA PROTECTION OFFICER
Perform the oversight function for the Personal Information Controller to achieve the mandated accountability and responsibility on data privacy

PERSONAL INFORMATION CONTROLLER
Directs and rules the processing of personal information with set limitations on data privacy

PERSONAL INFORMATION PROCESSOR
Performs the instruction to process personal information based on privacy processing agreement with a Personal Information Controller

DATA PRIVACY STAKEHOLDERS

COMPLIANCE OFFICER FOR PRIVACY
Assist in the oversight function to direct compliance, to monitor breach events, to resolve and report privacy security incidents

IT AND INFRASTRUCTURE SERVICE PROVIDERS
Provision of the technical measures to secure personal information protection in the location, hardware, software, and services of personal data processing

THIRD PARTY OF DATA SHARING
Responsible for the transferred or shared data to be used in compliance with data privacy regulation
INFORMATION SECURITY
The preservation of the confidentiality, integrity, and availability of information.

CONFIDENTIALITY
Authority is enforced to keep secrecy and privacy of personal data

INTEGRITY
Trust is assured in the accuracy, completeness, immediacy, usefulness, and reliability of personal data

AVAILABILITY
Accessibility is guaranteed in the connectivity, uptime, reachability, location, protection, and speed of personal information exchange

DATA PRIVACY REGULATED INFORMATION PROCESSING
1. Collection
2. Retention
3. Use
4. Sharing
5. Disposal

REFERENCES
• RA 10173 2016 Implementing Rules and Regulation
• National Privacy Commission advisory, circulars and case resolution issuances

PRIVACY & SECURITY POLICIES
1. Privacy Governance
2. Privacy Regulation & Policies
3. Privacy Rights Processes
4. Privacy Principles
5. Criteria Lawful Processing
6. Condition SPI Processing
7. Privacy Impact Assessment
8. Privacy Management System
9. Privacy Breach Management
10. ISO 29100 Privacy Controls
11. ISO 27701 ISMS Controls
12. ISO 27017-18 Cloud Security & Privacy

INVENTORY OF DATA AND APPLICATION SYSTEM

Business Function and Authority
Official name of the business function
Example: Administration

Business Process Unit
The name of the process and database owner in carrying out the activities required for a mandated results of the business function
Example: Human Resource Management

Data Collect, Store, Use, Share
Name the category of data being created, collected, stored, use, reuse, share, disclose, and disposed in achieving the legitimate purpose of business process
Example: Personal Information

Data Information Processing System
Name of the filing system if the data are being processed manually. Name of the information and communication system if data are being processed with digital technology.
Example: Recruitment and Hiring System

Data Share Collected And Stored Data
Identify the category of data collected and stored by the business unit that by regulation and agreement must be shared to legitimate 3rd party
Example: CSC – Personal Data Sheet; GSIS – Personal Information

Processing Control Compliance
Identify the law, regulation, advisories, and agreement that make valid the authority, scope, input, process, output, location, quality, quantity, time, security, privacy and cost of data and application system
Example: CSC Rules; GSIS membership policy

INVENTORY OF DATA AND APPLICATION SYSTEM

Business Function Process
Official name of the business process to achieve the legitimate purpose of the information to be created
Examples: Administration Human Resource Management; Financial Accounting

System of Information Processing
The name of the information processing system that is used to create, collect, store, transmit, use, share, present, and dispose data
Examples: Recruitment and Hiring System; Financial Accounting System

Application Development Technology
Name the kind of application development technology to design, code, test, release, maintain the information and communication system
Examples: Java Technology; Excel Worksheet

Database Technology
Name the kind of database technology being used, and brand specification
Examples: Open Source MYSQL; Excel File

Related System For Data Sharing
Identify the business entity and the system that are necessary for the data sharing of information collection and use
Examples: CSC Information System, GSIS ILMAAMS; Finance – Ledger Cashiering

3rd Party Service Provider
Identify how the system is developed, operated and maintained. Who are the parties involved in the service provision.
Examples: In-house development and support; In-house development and support
PERSONAL INFORMATION PROCESSING RESPONSIBILITY FLOW
[Flow diagram across four lanes: DATA SUBJECT, PI CONTROLLER, PI PROCESSOR, THIRD-PARTY. Labels shown: Provide Personal Information; Informed Consent; Access, Block, Erase, Change, Complain, Transfer, Claim; Receive, Accept and Instruct Processing For Personal Information; Data Privacy Regulations, Policies, Controls, Agreements; Maintain Personal Information Inventory; Execute Processing of Personal Data; Collect, Retain, Use, Disclose, Dispose; Request for Personal Data Share; Privacy Agreement; Receive Personal Information Of Disclosure or Sharing Agreement.]

PERSONAL DATA COLLECTION AND RETENTION PROCESS
[Process diagram with three lanes.
DATA SUBJECT: Give Personal Information; Consent Or Requirement; Read Notification; Input Personal Data; Request to View, Block, Change, Correct, Delete, Copy.
PI CONTROLLER: Privacy Regulation, Policy and Controls; Instruct Collection and Retention of Personal Data; Yes/No decision on Data Privacy Rights, Principles, Rules; Capture & Store.
PI PROCESSOR: Data Processing Agreement; Execute Personal Data Collection and Retention; Personal Data Store; Ready for use and disclosure.]

PERSONAL DATA USE AND DISCLOSURE PROCESS
[Process diagram with three lanes.
DATA SUBJECT: Give Personal Information; Consent Or Requirement; Request Access; Read Notification; Input Personal Data; View, Block, Correct, Delete, Copy, Complain.
PI CONTROLLER: Privacy Regulation, Policy and Controls; Instruct Utilization and Sharing of Personal Data; Yes/No decision on Legitimate Use, Criteria Lawful Processing, Privacy Control.
3rd PARTY: Data Utilization and Sharing Agreement; Execute the Use and Sharing of Data; Display Personal Data Processing and Sharing Results; Store.]

PERSONAL DATA DISPOSAL PROCESS
[Process diagram with three lanes.
DATA SUBJECT: Give Personal Information; Consent Requirement; Request Access; Read Notification; Input; View, Copy, Complain.
PI CONTROLLER: Privacy Regulation, Policy and Controls; Instruct Disposal of Stored Personal Information; Yes/No decision on Disposal Condition, Retention Rule, Responsible.
3rd PARTY: Data Retention and Disposal Agreement; Execute the Disposal or Destruction of Personal Data and Media; File Shredded, Media Destroyed.]

RULE AND STANDARD BASED MANAGEMENT OF DATA PRIVACY

Data Privacy Policy: R.A. 10173 Implementing Rules
Rule 1 – Policy and Definitions
Rule 2 – Scope of Application
Rule 3 – National Privacy Commission
Rule 4 – Data Privacy Principles
Rule 5 – Lawful Processing of Personal Data
Rule 6 – Security Measures Protection of Personal Data
Rule 7 – Security of Sensitive Personal Information in Government
Rule 8 – Rights of Data Subject
Rule 9 – Data Breach Notification
Rule 10 – Outsourcing and Subcontracting
Rule 11 – Registration and Compliance Requirements
Rule 12 – Rules on Accountability
Rule 13 – Penalties
Rule 14 – Miscellaneous Provisions

Data Privacy Policy: ISO 29100
5.2 Consent and choice
5.3 Purpose legitimacy and specification
5.4 Collection limitation
5.5 Data minimization
5.6 Use, retention and disclosure limitation
5.7 Accuracy and quality
5.8 Openness, transparency and notice
5.9 Individual participation and access
5.10 Accountability
5.11 Information security
5.12 Privacy compliance

Information Security Policy: ISO 27001 Annex A
A5. Information security policies
A6. Organization of information security
A7. Human resource security
A8. Asset management
A9. Access control
A10. Cryptography
A11. Physical and environmental security
A12. Operations security
A13. Communications security
A14. System acquisition, development and maintenance
A15. Supplier relationship
A16. Information security incident management
A17. Information security aspects of business continuity management
A18. Compliance
RULE AND STANDARD BASED MANAGEMENT OF DATA PRIVACY

Policy
• R.A. 10173 - 2016 Implementing Rules and Regulation
• NPC Advisories and Circulars
• ISO 29100 – Data Privacy Framework
• ISO 27001 – Information Security Framework
• ISO 29190 – Privacy Management Capability
• ISO 29184 – Notification and Consent
• National Cyber Security Plan 2022

Inventory
• ISO 10007 – Configuration Management
• NPC Circular 17-01 Registration of Data Processing System and Automated System

Risks
• ISO 31000 – Risks Management
• ISO 27005 – Security Risks Management
• ISO 29134 – Privacy Impact Assessment
• ISO 22307 – Finance Sector Privacy Impact Assessment
• NPC Advisory No. 2017-03 PIA Guidelines
• ETSI Security Indicators

Controls
• R.A. 10173 Security Measures
• ISO 29151 – Privacy Controls
• ISO 27036 – Security Supplier Relationship
• ISO 27002 – Security Controls
• CSI Security CONTROL
• ISO 27017 – Cloud Security
• ISO 27018 – Cloud Privacy
• ISO 27045 – Big Data Security and Privacy
• OWASP Vulnerabilities

Operation
• NPC Circular 16-03 Personal Data Breach Management
• NYMITY Accountability Framework
• ISO 27701 – Privacy Information Management System
• ISO 27035 – Security Incident Management
• ISO 27032 – Cyber Security Guidelines
• ISO 27550 – Privacy Engineering For System Life Cycle Processes
DATA PRIVACY RIGHTS AND PROCESSING POLICY

Data Privacy Rights
1. To be informed
2. To give consent
3. To have accessed
4. To correct
5. To block or erase
6. To complain
7. To claim damage
8. To transfer rights
9. To claim data portability

Personal Data Privacy Processing Policy

Collection (Get), Processing (Use), Retention (Store) and Disposal (Delete), the same list for each:
1. Lawful criteria
2. Transparency
3. Legitimate purpose
4. Proportionality
5. Declared, specified, and legitimate purpose.
6. Fair and lawful;
7. Data Quality
8. Not retained longer
9. Adequate Safeguard

Sharing (Disclose)
1. Authorized by law
2. Data subject consent
3. Adequate Safeguard
4. For research using publicly available data
5. Data sharing agreement

SECURITY MEASURES POLICY

Organizational Security
1. Compliance Officers
2. Data Protection Policies
3. Records of Processing Activities
4. Processing of Personal Data
5. Personal Information Processor Contracts

Physical Security
1. Policies and Procedures on Limited Physical Access
2. Security Design of Office Space and Room
3. Person Duties, Responsibility and Schedule Information
4. Policies on transfer, removal, disposal, and re-use of electronic media
5. Prevention policies against mechanical destruction of files and equipment

Technical Security
1. Security policy in processing personal data
2. Safeguards to protect computer network against unlawful, illegitimate, and destructive activities
3. Confidentiality, integrity, availability, and resilience of the processing systems and services
4. Vulnerability assessment and regular monitoring for security breaches
5. Ability to restore the availability and access to personal data
6. Regularly testing, assessing, and evaluating the effectiveness of security measures
7. Encryption of personal data during storage and while in transit, authentication process
DATA PRIVACY AGREEMENT POLICY
PRIVACY AGREEMENT WITH PERSONAL INFORMATION CONTROLLER

DATA SUBJECT: Notification and Consent Form
1. The purpose
2. The personal data
3. The data processing activities
4. The data processor and 3rd party
5. The exercise of privacy rights
6. The privacy compliance procedures

DATA PROCESSOR: Data Processing Agreement
1. Data privacy rights
2. Data processing privacy principles
3. Personal data security measures
4. Accountability
5. Outsourcing or Subcontract Agreement

3RD PARTY: Data Sharing Agreement
1. Data sharing principles
2. Outsourcing and Subcontracting

DPO: Appointment Contract
1. Authority
2. Accountability
3. Tasks
4. Deliverables
