August 1, 2017

THE NCMB DATA PRIVACY MANUAL

BACKGROUND
Republic Act No. 10173 entitled, "An Act Protecting Individual
Personal Information in Information and Communications Systems
in the Government and the Private Sector, Creating for this Purpose
a National Privacy Commission, and for Other Purposes," or simply,
Data Privacy Act of 2012 (DPA), is the law that gives form to the declared
policy of the State to protect the fundamental human right of privacy and
communication. While the State recognizes the vital role of information and
communications technology in nation-building, it also acknowledges its
inherent obligation to ensure that personal information in information and
communications systems in the government and in the private sector is
secured and protected.
The Act serves the following purposes:
1. Protects the privacy of individuals while ensuring free flow of
information to promote innovation and growth;
2. Regulates the collection, recording, organization, storage,
updating or modification, retrieval, consultation, use,
consolidation, blocking, erasure or destruction of personal data;
and
3. Ensures that the Philippines complies with international
standards set for data protection through the National Privacy
Commission.
Approved into law on August 15, 2012, the DPA created the National
Privacy Commission (NPC), which is tasked to monitor its implementation. It
covers the processing of personal information and sensitive personal
information and sets, as its basic premise, the grant of direct consent by a
data subject before processing of personal information is allowed.
INTRODUCTION
The National Conciliation and Mediation Board (NCMB), in its
commitment to uphold, respect, and value data privacy rights, hereby
adopts this Data Privacy Manual in compliance with the DPA, its
Implementing Rules and Regulations, and other relevant policies, including
issuances of the NPC. All personal data collected from all its officials,
personnel, and clients shall be processed in adherence to the general
principles of transparency, legitimate purpose, and proportionality.
The Manual outlines our data protection and security measures and
may guide you in exercising your rights under the DPA.
DEFINITION OF TERMS
For purposes of this Manual the following terms are defined as follows:
1. Data Subject refers to an individual whose personal, sensitive
personal or privileged information is processed by NCMB. It may
refer to its officials, employees, and clients.
2. Personal Data refers to all types of personal information.
3. Personal Data Breach refers to a breach of security leading to
the accidental or unlawful destruction, loss, alteration,
unauthorized disclosure of, or access to personal data
transmitted, stored, or otherwise processed.
4. Personal Information refers to any information, whether
recorded in a material form or not, from which the identity of an
individual is apparent or can be reasonably and directly
ascertained by the entity holding the information, or when put
together with other information would directly and certainly
identify an individual.
5. Personal Information Controller refers to a natural or juridical
person, or any other body who controls the processing of
personal data, or instructs another to process personal data on
his behalf.
6. Personal Information Processor refers to any natural or juridical
person or any other body to whom a personal information
controller may outsource or instruct the processing of personal
data pertaining to a data subject.
7. "Processing" refers to any operation or any set of operations
performed upon personal information including, but not limited to
the collection, recording, organization, storage, updating or
modification, retrieval, consultation, use, consolidation, blocking,
erasure or destruction of data.
8. Sensitive personal information refers to personal information:
1. About an individual's race, ethnic origin, marital status,
age, color, and religious, philosophical or political
affiliations;
2. About an individual's health, education, genetic or sexual
life of a person, or to any proceeding for any offense
committed or alleged to have been committed by such
individual, the disposal of such proceedings, or the
sentence of any court in such proceedings;
3. Issued by government agencies peculiar to an individual
which includes, but is not limited to, social security
numbers, previous or current health records, licenses or its
denials, suspension or revocation, and tax returns; and
4. Specifically established by an executive order or an act of
Congress to be kept classified.
SCOPE AND LIMITATIONS
This Privacy Manual applies to all NCMB Central and Regional Branches
officials and employees including all project and agency-based employees. It
likewise covers software developers and electronic service providers of the
Board.
PROCESSING OF PERSONAL DATA
A. Collection
The collection of both personal information and sensitive personal
information is done by lawful means and for a lawful purpose and is directly
related and necessary in the achievement of the Board's vision and mission.
Personal information of clients is limited to full name, address and
cellular/telephone numbers. These are obtained openly and straightforwardly
without any hidden motive through the clients' filling up of official forms.
These forms are essential in the provision of service to clients.
Similarly, personal data of the Board's officials and employees
(including project and/or agency-based employees), applicants to vacant
positions, and Accredited Voluntary Arbitrators (AVAs) are obtained through
the requisite Personal Data Sheet (PDS) and by accomplishing forms
essential in training and other developmental interventions.
B. Use
Personal data collected shall be used by the Board solely for reportage
and documentation purposes. In all such use, the individual is not deemed
identified, as the data shall be presented in statistical form. The Board shall
ensure no manipulation of personal data and that the same shall not be used
against any individual.
C. Storage, Retention and Destruction
NCMB shall ensure that personal data under its custody are protected
against any accidental or unlawful destruction, alteration and disclosure as
well as against any other unlawful processing. It shall implement appropriate
security measures in storing collected personal information, depending on
the nature of the information. The retention period of personal information
gathered shall be as follows:
NCMB officials and employees — 1 year after superseded
Former NCMB officials and employees — Subject to CSC Memorandum
Circular No. 8, s. 2007
Accredited Voluntary Arbitrators — 15 years after separation
Applicants to vacancies — 1 year
Clients — 10 years
After said period, all hard and soft copies of personal information shall
be disposed of and destroyed through secure means.
D. Access
Access to personal data of officials and employees of NCMB and
applicants to vacancies shall be limited to the DPO or COP, Chief of the
Administrative Division, its regional counterpart, the Administrative Officer V,
and the Administrative Assistant II. At no time should anyone be given
access to the personal files of other employees.
For personal data of clients, only the DPO, Director of the Technical
Services Department and the heads and staff of the three Technical
Divisions shall have access to the same.
E. Disclosure and Sharing
All employees and personnel of the Board shall maintain the
confidentiality and secrecy of all personal data that come to their knowledge
and possession, even after resignation, termination of contract, or other
contractual relations. Personal data under the custody of the NCMB shall be
disclosed only pursuant to a lawful purpose, and to authorized recipients of
such data.
SECURITY MEASURES
The NCMB shall implement reasonable and appropriate physical,
technical, and organizational measures for the protection of personal data.
These security measures aim to maintain the availability, integrity, and
confidentiality of personal data and protect them against natural dangers
such as accidental loss or destruction, and human dangers such as unlawful
access, fraudulent misuse, unlawful destruction, alteration and
contamination.
A. Organization Security Measures
1. Data Protection Officer
The Director of the Internal Services Department of the Board
shall be the designated Data Protection Officer (DPO).
The Directors of the Regional Branches shall appoint among
the staff a Compliance Officer for Privacy (COP).
2. Functions of the DPO/COP
Listed hereunder are the functions and responsibilities of the
DPO and COP:
1. Monitor the Personal Information Controller's (PIC) or
Personal Information Processor's (PIP) compliance with the
DPA, its IRR, issuances by the NPC, and other applicable
laws and policies. As such he/she may:
a. Collect information to identify the processing
operations, activities, measures, projects,
programs, or systems of the PIC or PIP, and
maintain a record thereof;
b. Analyze and check the compliance of processing
activities, including the issuance of security
clearances to and compliance by third-party
service providers;
c. Inform, advise, and issue recommendations to
the PIC or PIP;
d. Ascertain renewal of accreditations or
certifications necessary to maintain the required
standards in personal data processing; and
e. Advise the PIC n or PIP as regards the necessity
of executing a Data Sharing Agreement with third
parties, and ensure its compliance with the law;
2. Ensure the conduct of Privacy Impact Assessments
relative to activities, measures, projects, programs, or
systems of the PIC or PIP;
3. Advise the PIC or PIP regarding complaints and/or the
exercise by data subjects of their rights (e.g., requests for
information, clarifications, rectification or deletion of
personal data);
4. Ensure proper data breach and security incident
management by the PIC or PIP, including the latter's
preparation and submission to the NPC of reports and other
documentation concerning security incidents or data
breaches within the prescribed period;
5. Inform and cultivate awareness on privacy and data
protection within your organization, including all relevant
laws, rules and regulations and issuances of the NPC;
6. Advocate for the development, review and/or revision of
policies, guidelines, projects and/or programs of the PIC or
PIP relating to privacy and data protection, by adopting a
privacy by design approach;
7. Serve as the contact person of the PIC or PIP vis-à-vis
data subjects, the NPC and other authorities in all matters
concerning data privacy or security issues or concerns and
the PIC or PIP;
8. Cooperate, coordinate and seek advice of the NPC
regarding matters concerning data privacy and security;
and
9. Perform other duties and tasks that may be assigned by
the PIC or PIP that will further the interest of data privacy
and security and uphold the rights of the data subjects.
Except for items (1) to (3), a COP shall perform all other
functions of a DPO. Where appropriate, he or she shall also assist
the supervising DPO in the performance of the latter's functions.
3. Conduct of Trainings and Recording and Documentation of
Activities Carried out by the DPO or by the Board
The NCMB shall sponsor a mandatory training on data privacy
and security at least once a year. For personnel directly involved
in the processing of personal data, their attendance and
participation in relevant trainings and orientations shall be
ensured as often as necessary.
4. Conduct of Privacy Impact Assessment (PIA)
The Board shall conduct a Privacy Impact Assessment (PIA)
relative to all activities, projects and systems involving the
processing of personal data.
5. Duty of Confidentiality
All employees shall be asked to sign a Non-Disclosure
Agreement. All employees with access to personal data shall
operate and hold personal data under strict confidentiality if the
same is not intended for public disclosure.
6. Review of Privacy Manual
This Manual shall be reviewed and evaluated annually. Privacy
and security policies and practices within the Board shall be
updated to remain consistent with current data privacy best
practices.
B. Physical Security Measures
1. Format of Data
Personal data in the custody of the Board may be in
digital/electronic format and paper-based/physical format.
2. Storage Type and Location
All personal data of the Board's officials and staff including
those of its project and agency-based employees in paper-based
documents shall be stored in a locked filing cabinet located at the
Personnel Records Room on the 6th floor of the office.
Papers or documents bearing personal information of clients
shall be kept in locked filing cabinets at the Stock Room at the
5th floor of the office.
Digital/electronic files shall be stored in computers protected
by passwords and can be accessed only by authorized personnel.
3. Access Procedure of Agency Personnel
Only the DPO, the Chief Administrative Officer, the
Administrative Officer V, and the Administrative Assistant II of the
Administrative Division (the COP and Administrative Officer IV, in
the case of Regional Branches) shall have access to the stored
personal information of current and former NCMB officials and
staff and applicants to vacant positions. For this purpose, they
shall each be given a duplicate of the keys to the filing cabinet
and the Personnel Records Room.
An official/employee who wishes to see documents on his/her
personal file (201 File) shall fill up a request form to be approved
by the DPO or by the COP. The Administrative Assistant II in the
Central Office and the Administrative Officer IV (for Regional
Branches) shall secure the requested document/s, have the same
photocopied, and hand this/these over to the official/employee
concerned.
To protect against inappropriate disclosure of confidential
information, certain records including those containing
confidential information about more than one individual and
medical records shall not be allowed to be accessed.
An employee cannot invoke his/her right to access his/her 201
File under the law when the personal information is being
processed for the purpose of investigation in relation to any
criminal, administrative, or tax liabilities against him/her.
Directors and Division Chiefs, other than those expressly
mentioned in the preceding paragraphs, may have access to
personal file information on a need-to-know basis.
Unclaimed 201 Files of former NCMB employees as well as
their Service Records, duplicate copies of Clearance from
Property and Money Accountabilities and forwarding addresses
and telephone numbers retained at the office in accordance with
CSC Memorandum Circular No. 8, s. 2007 shall be treated in the
same way as the 201 Files of current employees.
As for the stored personal data of clients, only the Director of
the Technical Services Department and the Heads of the three
Technical Divisions shall have access to the same.
At no time should authorized officials/personnel bring gadgets
or storage devices of any form when accessing personal files of
NCMB personnel, applicants, and clients.
4. Monitoring and Limitation of Access
All authorized personnel who access the stored personal
data must fill out and register access details in a logbook. They
shall indicate the date, time, duration and purpose of each
access.
5. Design of Office Space/Work Station
Computers are located at the work stations of
employees such that no computers are placed side by side with
other computers. This is to ensure the protection of processing of
personal data.
6. Maintenance of Confidentiality
Persons involved in processing shall always maintain
confidentiality and integrity of personal data.
7. Modes of Transfer of Personal Data within the NCMB or to
Other Parties
Transfer of personal data via electronic mail shall use a secure
email facility with encryption of the data, including any or all
attachments. Facsimile technology shall not be used for
transmitting documents containing personal data.
8. Retention and Disposal Procedure
The NCMB shall retain personal data in its custody following
the schedule identified in the item Storage, Retention, and
Destruction under the Processing of Data in this Manual. Upon
expiration of such period, all physical and electronic copies of the
personal data shall be destroyed and disposed of using secure
technology.
C. Technical Security Measures
1. Monitoring for Security Breaches
The Board shall procure and install anti-virus software, on an
annual basis, on devices that regularly access the internet
(desktop, laptop, Apple and Android devices).
The IT Administrator shall regularly read the firewall logs to
monitor security breaches and alert the Board of any
unauthorized attempt to access the NCMB network.
2. Security Features of the Software/s and Application/s Used
The Research and Information Division (RID) shall first review
and evaluate software applications before the deployment
thereof in computers and devices of the Board to ensure
compatibility of security features with the data privacy policies.
On existing software applications which involve processing of
personal data of NCMB employees, the following shall be
observed:
• The end user, with the technical assistance of the IT
Unit of the RID, shall evaluate and assess the security
protocols of the system with regard to saving, backup, and
data recovery. If such protocol runs counter to the data
privacy principles stated in the Data Privacy Act of 2012,
remedial steps should be made to correct such flaws.
• The RID, during its IT semestral maintenance
activities, shall check software applications installed in all IT
hardware and devices for compliance with the Board's data
privacy policy. If a software/application is found to be a
security risk that may disturb or interrupt the normal
operations of the NCMB network, the IT technical personnel
shall notify the end user of the risk and the
software/application shall immediately be uninstalled. The
IT personnel shall thereafter prepare an incident report.
3. Process for Regularly Testing, Assessment and Evaluation of
Effectiveness of Security Measures
The IT Unit of the RID shall regularly conduct penetration testing of the
firewall appliance, both from outside the Board's premises and from
within, to conduct vulnerability assessment of the same.
BREACH AND SECURITY INCIDENTS
A. Creation of a Data Breach Response Team
A Data Breach Response Team composed of the DPO, the Technical
Services Director, the Chief Administrative Officer, and all IT personnel of the
RID, under the direct supervision of the Deputy Executive Director for
Internal Services, is responsible for ensuring immediate action in the event of
a security incident or personal data breach. The team shall conduct an initial
assessment of the incident or breach in order to ascertain the nature and
extent thereof. It shall also execute measures to mitigate the adverse effects
of the incident or breach.
B. Measures to Prevent and Minimize Occurrence of Breach and
Security Incidents
The Data Breach Response Team shall regularly conduct a Privacy
Impact Assessment to identify risks in the processing system, monitor for
security breaches, and conduct vulnerability scanning of computer networks.
Personnel directly involved in the processing of personal data shall attend
trainings and seminars for capacity building. A periodic review of policies
and procedures being implemented in the Board shall be undertaken.
C. Procedure for Recovery and Restoration of Personal Data
The NCMB shall always maintain a backup file for all personal data
under its custody. In the event of a security incident or data breach, it shall
always compare the backup with the affected file to determine the presence
of any inconsistencies or alterations resulting from the incident or breach.
D. Notification Protocol
The Head of the Data Breach Response Team shall inform the
Executive Director of the need to notify the National Privacy Commission
(NPC) and the data subjects affected by the incident or breach within 72
hours from knowledge thereof.
E. Documentation and Reporting Procedure of Security Incidents
or a Personal Data Breach
The Data Breach Response Team shall prepare a detailed
documentation of every incident or breach encountered, as well as an
annual report, to be submitted to the Executive Director and the NPC within
the prescribed period. The report shall contain the following:
1. Description of the nature of the breach;
2. Personal data possibly involved;
3. Measures undertaken by the team to address the breach and
reduce the harm or its negative consequences; and
4. Names of the personal information controller, including contact
details, from whom the data subject can obtain additional
information about the breach and any assistance to be provided
to the affected data subjects.
RIGHTS, INQUIRIES AND COMPLAINTS OF DATA SUBJECTS
Every data subject has the right to:
1. Be notified and furnished with his or her information before
entry into the processing system within 48 hours when such data
shall be used for direct marketing, profiling or historical or
scientific purpose. Notification shall be made through an Office
Memorandum and/or email.
2. View and recommend corrections to his or her data being
processed. The data subject may also write or email the Board at
[email protected] with a brief discussion of the inquiry and/or
correction/s together with his/her contact details for reference.
3. Complain and be indemnified for any damages sustained when
the data subject's recommendations for corrections to his or her
data was not acted upon which resulted in damages due to
inaccurate, incomplete, outdated and false information,
unlawfully obtained or unauthorized use of personal data.
Complaints shall be filed in three printed copies, or sent to
[email protected]. The department or division concerned shall
confirm with the complainant its receipt of the complaint.
EFFECTIVITY
This Manual takes effect on 01 August 2017 until revoked or amended.
ANNEX A

Consent Form

ANNEX B

Access Request Form

ANNEX C

Request for Correction/Erasure Form

DIRECTORY

NCMB-CENTRAL OFFICE
4th-6th Floors, Arcadia Building, 860 Quezon Avenue, Quezon City

SHIRLEY M. PASCUAL, CESO III
Executive Director IV
(02) 332-4176, 332-4175 (telefax)
[email protected]

CORAZON M. FEGI
Chief, Voluntary Arbitration Division
(02) 332-4178
[email protected]

EDMUNDO T. MIRASOL
Deputy Executive Director IV
(02) 332-2689, 332-4177
[email protected]

ROSE-MARIA C. MAMAOAG
Officer-in-Charge, Administrative Division
332-4180
[email protected]

MARIA TERESITA L. CANCIO
Deputy Executive Director IV
(02) 332-4179 (telefax)
[email protected]

EDITHLIANE P. TADEO
Chief, Financial Management Division
332-2231
[email protected]

ATTY. RONDA D. MALIMBAN
Director II, Technical Services
(02) 332-2233
[email protected]

MARIFE E. FAUSTO
Officer-in-Charge, Research and Information Division
332-2232
[email protected]

MARIA CRISTINA O. MANGALIMAN
Director II, Internal Services
(02) 412-5148
[email protected]

NENITA L. IMPERIAL
Auditor, Commission on Audit
410-8932

MA. YOLANDA P. MIÑORIA
Officer-in-Charge, Conciliation-Mediation Division
(02) 332-2209
[email protected]

LOVELYN S. PAPAS
Chief, Workplace Relations Enhancement Division
(02) 415-7888

REGIONAL BRANCHES

TERESITA E. AUDEA EDGAR G. AQUINO
Director II, RCMB-NCR Director II, RCMB III
Ground Floor, DOLE Building, Intramuros, 2nd Floor, PSP Building, Gapan-
Manila 1002 Olongapo Road, Dolores San
527-72-16; 526-42-30 telefax Fernando, Pampanga 2000
(045) 961-42-64 (t/fax)
(045) 963-7868
[email protected]
Conciliation-Mediation Unit FELICIANO R. ORIHUELA, JR.
301-00-48 to 51 Director II, RCMB IV-A
Voluntary Arbitration Unit (049) 531-4271; (049) 531-2045
3160-9545 2/F Regon and Sons Building,
Workplace Relations and Enhancement National Road, Paciano Rizal,
Unit Calamba City, Laguna 4027
310-2441 [email protected]
Administrative Unit 310-24-42
Commission on Audit 527-35-73
BRENDA ROSE C. ODSEY Cavite Extension Office
Director II, RCMB- 2/F MYP GBY Building
Cordillera Administrative Region Bayan Luma 7 Aguinaldo Highway
(074) 442-7292 (t/fax) Imus, Cavite
3/F Manongdo Bldg., Benitez Court (046) 476-0807
Magsaysay Avenue, Baguio City 2600 (046) 471-0615
[email protected] [email protected]
LUCITA D.O. CAUDILLA Cainta Extension Office
Officer-in-Charge, RCMB I 2nd Floor, F. Takano Center for
(072) 888-4610 (t/fax) Health
2nd Floor, Unison Realty Building Cainta, Rizal
Quezon Avenue, City of San Fernando (02) 656-5213
La Union [email protected] [email protected]
GIL G. CARAGAYAN LOURDES P. ESTIOCO
Director II, RCMB II Director II, RCMB IV-B
(078) 844-1356 (02) 400-2529
3/F, CRADDOCK Bldg., Diversion Road G/F, DOLE Building General Luna
San Gabriel Village, Tuguegarao City cor. Muralla Streets Intramuros,
3500 Manila
[email protected] [email protected]
REYNALDO S. FONCARDAS ROGEN S. CUMBA
Director II, RCMB V Director II, RCMB IX
(052) 480-8467 (t/fax) (062) 991-2644; (062) 991-2186
2nd Floor, ANST Building 3rd Floor, Wee Agro Building
Washington Drive, Legaspi City 4500 Veterans
[email protected] Avenue, Zamboanga City 7000
[email protected]
ROSEMARIE G. OXINIO ATTY. LIGAYA R. LUMBAY
Officer-in-Charge, RCMB VI Officer-in-Charge, RCMB X
District Office 2nd Floor, Room 202 (088) 856-61-23; (088) 881-3123
Viosil's Building, M.H. Del Pilar, Maguindanao Masonic Temple
Molo, Iloilo City Building
(033) 332-2199; 0917-3054347 Capistrano-Pacana Street,
[email protected] Cagayan de Oro City 9000
[email protected]
SUSANA A. QUIMPO AERRINE MARIE R. REYES
Director II, Negros Island Region Officer-in-Charge, RCMB XI
No. 6, 10th Lacson Streets Milagros (082) 226-3465 (t/fax) (082) 295-
Building, Bacolod City 6100 7083
(034) 433-0901; 0917-3023412 DCPI Building, Quezon Boulevard
Brgy. 31 Davao City 8000
GEMMA R. POLOYAPOY [email protected]
GERIE D. LAMPITCO
Officer-in-Charge, RCMB VII Officer-in-Charge, RCMB XII
(032) 415-7046 (032) 230-7909 (083) 228-3438
(032) 266-8194 (PLDT) (032) 266-8193 Door #1 Mezzanine Floor,
6th Floor, Old Insular Life Building Duremdes
Gen. Maxilom Avenue cor. Gorordo Building, Zone 1, Gensan Drive,
Avenue, Koronadal City, South Cotabato
Cebu City 6000
[email protected]
GEMMA R. POLOYAPOY (Concurrent) 2nd Floor, Dimalanta Building,
Officer-in-Charge, RCMB VIII Leopoldo D. Dacera Sr. Avenue
(053) 832-0659 (formerly Mabuhay Road)
DOLE Compound, Trece Martirez Street, Brgy. City Heights, General Santos
Tacloban City 6500 City
[email protected] (083) 552-5758
[email protected]
MA. THERESA M. FRANCISCO
Officer-in-Charge, RCMB XIII
(085) 342-5871 (t/fax) 342-9131
1st & 2nd Floors, Nimfa Tiu Building,
J.P. Rosales Street, Butuan City
[email protected]

n Note from the Publisher: Written as "PIC" in the original documents.
