DATA PRIVACY PROTECTION COMPETENCY GUIDE BY A DATA SUBJECT
R.A. 10173, known as the Data Privacy Act of 2012, is primarily about the citizen of the Philippines, called the
"data subject", exercising the rights of data privacy.
Data privacy protection is a legitimate interest of a "Data Subject," defined as any person or
individual whose personal information and sensitive personal information are collected, retained, processed, disclosed and
disposed of by a data processing system controlled by a business owner or head of an agency.
There is no appointment paper or term limit requirement for the "Data Subject" to ensure the
implementation of the law. No knowledge certification is required for the rights related to the
processing of personal data to be exercised. As long as the data subject is identified through his or her personal information,
sensitive personal information and privileged information, the rights to data privacy and the security of personal
information
Any person or individual simply exercises the right to make a complaint and the right to claim damages in
accordance with the determined, described, documented and demonstrated rules and standards of R.A. 10173.
In doing so, the implementing rules and regulations provide the organizational, physical and technical criteria in
order for a "Data Subject" to examine the impact of a business's or government's information and communication
system on data privacy protection (DPA IRR Rules VI and VII).
In Rule VI, section 29, the National Privacy Commission is made responsible to "monitor the compliance of natural
or juridical person or other body involved in the processing of personal data, specifically their security measures,
with the guidelines provided in these Rules and subsequent issuances of the Commission."
The Data Privacy Act of 2012 obligates any person, individual or entity who controls and executes personal
data gathering, storage, use, access, sharing and deletion to implement, and report on, the pieces of evidence that
control their violation of data privacy, which is penalized under the law (DPA IRR Rule XIII).
The reporting tool used to establish the privacy and security risks in the information and communication system of
government and the private sector is called a "Privacy Impact Assessment." The risk remediation action is a documented
and openly shared guidance identified as the "Privacy Management Program Manual."
The "Data Subject" of any business enterprise may call the attention of the Personal Information Controller or
Processor, through a Data Protection Officer, to the following accountabilities to protect data privacy, based on NPC
Advisory 2017-01:
1. Compliance with the Data Privacy Act 2012, 2016 implementing rules and regulations, issuances by the National
Privacy Commission and other applicable laws and policies
2. Conduct of Privacy Impact Assessments relative to activities, measures, projects, programs, or systems of the
Personal Information Controller or Personal Information Processor
3. Complaints and/or the exercise by data subjects of their rights (e.g., requests for information, clarifications,
rectification or deletion of personal data)
4. Proper data breach and security incident management by Personal Information Controller or Personal
Information Processor
5. Inform and cultivate awareness on privacy and data protection within the organization of the Personal
Information Controller or Personal Information Processor, including all relevant laws, rules and regulations, and
issuances of the National Privacy Commission.
6. Development, review and/or revision of policies, guidelines, projects and/or programs of the Personal
Information Controller or Personal Information Processor relating to privacy and data protection, by adopting a
privacy by design approach.
7. Contact person of the Personal Information Controller or Personal Information Processor vis-à-vis data subjects,
the National Privacy Commission and other authorities in all matters concerning data privacy or security issues or
concerns and the PIC or PIP
8. Cooperate, coordinate and seek the advice of the National Privacy Commission regarding matters concerning
data privacy and security
The "Data Subject" of any government agency may also call the attention of the Head of Agency on the following
obligations to protect data privacy based on NPC Circular 16-01:
1. Designate a Data Protection Officer
2. Conduct a Privacy Impact Assessment for each program, process or measure within the agency that involves
personal data. The assessment shall be updated as necessary.
3. Create privacy and data protection policies, taking into account the privacy impact assessments, as well as
Sections 25 to 29 of the Implementing Rules and Regulations.
4. Conduct mandatory, agency-wide training on privacy and data protection policies once a year. Similar training
shall be provided during all agency personnel orientations.
5. Register its data processing systems with the Commission in cases where the processing involves personal data
of at least one thousand (1,000) individuals, taking into account Sections 46 to 49 of the Implementing Rules and
Regulations.
6. Cooperate with the Commission when the agency’s privacy and data protection policies are subjected to review
and assessment, in terms of their compliance with the requirements of the Act, its IRR, and all issuances by the
Commission.
With the regulator's compliance list on data privacy protection, the "Data Subject" who is identified as an
employee, personnel, customer, guest, beneficiary or citizen has a valid "story to tell" on how the privacy and
security of personal data are protected, or fail to be protected, by the business enterprise or government agency in
accordance with established rules and standards.
A data subject monitoring data privacy law compliance from the online location of customer
experience.
The capability to test the conformity of a data processing system against the known privacy and
security rules and standards differentiates the value of what a business enterprise and
government agency claim as compliant data privacy protection.
Leadership, management and personnel of an organization in true compliance with the Data Privacy Act of 2012 have
a clear, consistent and complete response to the data privacy protection conformity test.
The designated Data Protection Officer is expected to have mastery of the essential knowledge
on data privacy protection to deliver and support the critical results of privacy monitoring,
mentoring and oversight.
The following conformity test questions on privacy and security rules and standards simply
provide a direct, definitive, accurate and complete understanding of personal data protection
compliance requirements:
1. Is there openly shared contact information for a data subject to communicate with the
Personal Information Controller and Data Protection Officer of the business enterprise and
government agency, as defined in DPA IRR Rule XII and NPC Advisory 2017-01?
2. Is there a published matrix of roles and accountability that associates personal data control,
processing, third parties, privacy oversight, and the data subject, as defined in DPA IRR Rules I, II, VI, VIII,
X and XII, NPC Advisory 2017-01 and NPC Circular 16-01?
3. Is there a registration of information systems and configuration items associated with personal
data processing, as defined in DPA IRR Rule XI and NPC Circular 17-01?
4. Are there subscribed and maintained data privacy and security policies based on the published
implementing rules and regulations of R.A. 10173, NPC issuances, advisory opinions and resolved
cases, and cited data privacy protection and information security standards, in agreement with DPA IRR
Rule I, section 2?
5. Is there a published process that enables a data subject to exercise data privacy rights, as
defined in DPA IRR Rule VIII?
6. Are the lawful criteria for processing personal information, sensitive personal information and
privileged information applied in the enterprise's or agency's processing of personal data, as
defined by DPA IRR Rule V?
7. Are the data processing systems assessed, designed, tested and operated based on privacy
principles and security controls that ensure data privacy protection, as defined by DPA IRR Rules
IV and VI, cited international standards, and NPC Advisory 2017-3?
8. Are the organizational, physical and technical contexts of data processing secured to protect
personal data, as defined by DPA IRR Rules VI and VII and cited industry practice standards?
9. Are the third parties sourcing data processing system programs, projects and operations
bound by privacy and security policies and agreements, as defined in DPA IRR Rule X and
industry practice standards?
10. Are privacy and security breaches managed in accordance with DPA IRR Rule IX and NPC
Circular 16-03?
11. Is there a published procedure for a data subject to file a privacy violation complaint and to
claim damages in accordance with DPA IRR Rule XIII and NPC Circular 16-04?
12. Are the data privacy and security risks in data processing system projects and operations
managed in accordance with the risk criteria provided by R.A. 10173 and cited control
standards, and is the privacy impact assessment reported in accordance with NPC Advisory 2017-3
and methodology standards?
Communication of risks, and of the right things to do, is made clear and simple by
demonstrated conformity of understanding, decisions and work to valid and verifiable rules and
standards that serve as the acceptance criteria for data privacy protection.
The written manual on privacy management of a business enterprise or government agency is
meaningful to the understanding, decisions and work of personnel and service providers when its
content represents the agreed, valid and verifiable policies, processes, results and enablers to
deliver the "what to achieve-maintain and what to prevent-eliminate" in the protection of data
privacy and security of personal information.
A designated Data Protection Officer is made qualified in the demonstrated activities and
results in passing the data privacy and security conformity test.
A data subject observing the compliance status for a Data Protection Officer and demonstrated
competency for the responsibility.
The appointment of a Data Protection Officer is an obligation assigned to the Personal
Information Controller and Personal Information Processor of a business enterprise and
government agency.
The mandatory designation was made a rule in 2017 by the National Privacy Commission
through NPC Advisory No. 2017-01 – Designation of Data Protection Officers.
The question of understanding the role comes down to the set of competencies needed to deliver and support
the enumerated responsibilities:
(1) Monitor the PIC’s or PIP’s compliance with the DPA, its IRR, issuances by the NPC and other
applicable laws and policies.
(2) Ensure the conduct of Privacy Impact Assessments relative to activities, measures, projects,
programs, or systems of the PIC or PIP
(3) Advise the PIC or PIP regarding complaints and/or the exercise by data subjects of their
rights (e.g., requests for information, clarifications, rectification or deletion of personal data)
(4) Ensure proper data breach and security incident management by the PIC or PIP, including
the latter’s preparation and submission to the NPC of reports and other documentation
concerning security incidents or data breaches within the prescribed period
(5) Inform and cultivate awareness on privacy and data protection within the organization of
the PIC or PIP, including all relevant laws, rules and regulations and issuances of the NPC
(6) Advocate for the development, review and/or revision of policies, guidelines, projects
and/or programs of the PIC or PIP relating to privacy and data protection, by adopting a privacy
by design approach
(7) Serve as the contact person of the PIC or PIP vis-à-vis data subjects, the NPC and other
authorities in all matters concerning data privacy or security issues or concerns and the PIC or
PIP
(8) Cooperate, coordinate and seek the advice of the NPC regarding matters concerning data
privacy and security
Perform other duties and tasks that may be assigned by the PIC or PIP that will further the
interest of data privacy and security and uphold the rights of the data subjects.
The Data Protection Officer is directed to give due regard to the risks associated with the
processing operations of the personal information controller and personal information
processor. Activities are prioritized on issues that present higher data protection risks.
The Data Protection Officer is considered independent and autonomous, with no conflict of
interest.
What constitutes "no conflict of interest" is not fully defined by the NPC advisory. Guidance found in the EU
GDPR takes it to mean:
(1) A DPO should not also be a controller of processing activities (for example, if she is head of
Human Resources)
(2) A DPO should not be an employee on a short or fixed-term contract
(3) A DPO should not report to a direct superior (rather than to top management)
(4) A DPO should have responsibility for managing her own budget.
Given the mandated performance objectives of a Data Protection Officer, the questions remain:
"What are the shared and valid competency standards of data privacy protection oversight?"
What knowledge is assured to prevent the Personal Information Controller and Personal
Information Processor from violating data privacy as enumerated in the NPC complaints-assisted form,
and to show compliance evidence as required by the NPC compliance check?
The required knowledge and skills make the Data Protection Officer deliver the following:
(1) Data privacy and security policy development and enforcement
(2) Privacy impact assessment and remediation plan based on established security measures
(3) Security incident and breach management
(4) Complaint rules of procedure
(5) Personnel training on data privacy and security policies
(6) System project privacy-by-design acceptance criteria.
The appointed Data Protection Officer may find a clear definition and description of the role,
accountability, and responsibility in cited normative reference for the understanding.
https://ec.europa.eu/…/image/do…/2016-51/wp243_en_40855.pdf…