Abstract image of a woman sitting on books and studying on a laptop

All_you_need_to Know_About_the_Data_Privacy_Act.pdf

J
JakeAldrinDegala1

The document summarizes the key requirements for complying with the Philippines' Data Privacy Act of 2012. It outlines the structure and objectives of the law, as well as the obligations and penalties for personal information controllers and processors. The main compliance obligations include appointing a data protection officer, adhering to privacy principles when processing data, maintaining security of data, reporting breaches within 72 hours, and registering with the National Privacy Commission. Non-compliance could result in penalties such as fines and imprisonment.

Government & Nonprofit
1 of 28
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
All you need to know about the Data Privacy Act of 2012 01 June 2017 Government CIO Summit Las Casas Filipinas De Acuzar
Republic Act No. 10173 August 15, 2012 SECTION 1. Short Title. – This Act shall be known as the “Data Privacy Act of 2012”. SECTION. 2. Declaration of Policy. – It is the policy of the State to protect the fundamental human right of privacy, of communication while ensuring free flow of information to promote innovation and growth.
Compliance Commitment to Comply Capacity to Comply
What can happen to you personally?  Sec. 22. The head of each government agency or instrumentality shall be responsible for complying with the security requirements mentioned herein…  Sec. 34. Extent of Liability. If the offender is a corporation, partnership or any juridical person, the penalty shall be imposed upon the responsible officers, as the case may be, who participated in, or by their gross negligence, allowed the commission of the crime.
Punishable Act Jail Term Fine (Pesos) Access due to negligence 1y to 3y ꟷ 3y to 6y 500k to 4m Unauthorized processing 1y to 3y ꟷ 3y to 6y 500k to 4m Improper disposal 6m to 2y ꟷ 3y to 6y 100k to 1m Unauthorized purposes 18m to 5y ꟷ 2y to 7y 500k to 2m Intentional breach 1y to 3y 500k to 2m Concealing breach 18m to 5y 500k to 1m Malicious disclosure 18m to 5y 500k to 1m Unauthorized disclosure 1y to 3y ꟷ 3y to 5y 500k to 2m Combination of acts 3y to 6y 1m to 5m
Sections 1-6. Definitions and General Provisions Sections 7-10. National Privacy Commission Structure of RA 10173, the Data Privacy Act Section 22-24. Provisions Specific to Government Section 25-37. Penalties Sections 11-21. Rights of Data Subjects, and Obligations of Personal Information Controllers and Processors
Definitions Personal Information Personal information refers to any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual. – RA. 10173, Section 3.g
Definitions Personal Information Sensitive Personal Information Sensitive personal information refers to personal information: (1) About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations; (2) About an individual’s health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings; (3) Issued by government agencies peculiar to an individual which includes, but not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns; and (4) Specifically established by an executive order or an act of Congress to be kept classified. – RA. 10173, Section 3.l
“Personal Information Controllers” those who decide what data is collected and how it is processed (example: Bank X, Hospital Y). “Personal Information Processors” those who process data as instructed by the controllers (example: shared services, IT vendor, external lab). Key Definitions PIC PIP
2016 Series (issued) Data Privacy Act of 2012 IRRs (promulgated 2016) Circular 16-01 Gov’t Agencies Circular 16-02 Data Sharing Circular 16-03 Breach Mgmt Circular 16-04 Rules Procedure 2017 Series The Obligations which must be complied with by PICs and PIPs Advisory 17-01 DPO Guidelines Draft Circular DOH-Regulated Draft Circular BSP-Supervised
How should you comply? R.A. 10173, Data Privacy Act of 2012  SEC. 20 (a) The personal information controller must implement reasonable and appropriate organizational, physical and technical measures intended for the protection of personal information against any accidental or unlawful destruction, alteration and disclosure, as well as against any other unlawful processing.  Sectors can craft their own “privacy codes” to address relevant industry issues and practices. For government, Circulars 16-01 and 16-02 are part of our “sectoral code”.
Obligations of PICs/PIPs Uphold the rights of data subjects Appoint a DPO/Compliance Officer Process according to Privacy Principles Establish Data Protection framework Setup Breach Reporting Procedure Register systems with the NPC
#1: Uphold the rights of data subjects Legal Basis: Sec. 16-18 and 38, IRR 17-24, 34-37 What compliance looks like  Data subjects are apprised of their rights through a privacy notice  Data subjects know who to complain to if their rights are violated  Complaints are acted upon quickly What negligence looks like  No privacy notice when data is collected  No contact details on how to lodge a complaint  Complaints take a long time to be remedied
#2: Appoint a DPO (Data Protection Officer) Legal Basis: Sec. 21, IRR 50, Circ. 16-01, Advisory 17-01 Sec. 21 (b) The personal information controller shall designate an individual or individuals who are accountable for the organization’s compliance with this Act.
#2: Appoint a DPO (Data Protection Officer) Legal Basis: Sec. 21, IRR 50, Circ. 16-01, Advisory 17-01 What compliance looks like  Notarized appointment or designation of a DPO, filed with the NPC  Evidence of actions taken on basis of DPO recommendations  Contact details on website (if any)  Continuing education program What negligence looks like  No DPO  Lack of interaction between DPO and top management, between DPO and functional units  Inaction on complaints from data subjects  Non-reporting to NPC
#3: Data Processing adheres to Transparency, Legitimate Purpose, and Proportionality Legal Basis: Sec. 11-15, IRR 21-23 and 43-45, Circ. 16-01 and 16-02 What compliance looks like  Privacy policies cascaded throughout the organization and updated as needed  Data handlers have security clearance and privacy training  Privacy notice where appropriate, e.g. on website  Data sharing agreements in place  Privacy impact assessments conducted and up-to-date  Service providers in compliance What negligence looks like  Privacy policy sits on shelf  No security clearance or privacy training for data handlers  No privacy notice when collecting personal data  Overcollection  Data sharing without agreements  No privacy impact assessments  No compliance obligations for service providers
“Transparency” – no surprises in how the data collected is being processed “Legitimate purpose” – required by law and not contrary to public morals “Proportionality” – collect only what’s needed and commensurate to the benefits Principles
#4: Maintain Confidentiality, Integrity, Availability Legal Basis: Sec. 20.a-e, Sec. 22 and 24, IRR 25-29, Circ. 16-01 Sec. 20 (c) “The determination of the appropriate level of security under this section must take into account the nature of the personal information to be protected, the risks represented by the processing, the size of the organization and complexity of its operations, current data privacy best practices and the cost of security implementation.” How will you know what are “the risks represented by the processing”?
#4: Maintain Confidentiality, Integrity, Availability Legal Basis: Sec. 20.a-e, Sec. 22 and 24, IRR 25-29, Circ. 16-01 What compliance looks like  Data protection risks identified, and the appropriate up-to-date controls are in place to manage these risks  Data protection policies cascaded throughout the org’n and updated as needed  Frequent monitoring and vulnerability scanning  Regular security and business continuity drills are conducted  Service providers in compliance What negligence looks like  Generic controls in place  Controls not updated for new risks/threats  Controls are not complied with  Lax cyber-hygiene practices  No compliance obligations for service providers  No periodic drills or monitoring  No venue for data subjects to access or correct/rectify their own data
Circular 16-01, Sections 7 to 13 Processing of Personal Data “Owned” Data Center • Covered as PIC • Subject to NPC Audit (Sec. 11) • AES-256 Encrypted (Sec. 8) • Access control system (Sec. 9) • Archives are also covered (Sec. 13) • ISO 27001/27002 “Non-owned” Data Center • Covered as PIP (sec. 10) • Subject to NPC Audit (Sec. 11) • ISO 27018 (Sec. 12) • AES-256 Encrypted (Sec. 8) • Archives are also covered (Sec. 13) • Contract subject to review (Sec. 7) • If data is stored outside the country, geographic location must be specified in contract (IRR, Sec. 44.a)
ISO 27001 vs 27018 Benefits 27001 – your data is stored in your own data center • You have a clear picture of what your information security risks are • You can identify a set of controls to manage your risks • You can monitor the ongoing implementation and deployment of the selected controls 27018 – your data is stored in someone else’s data center • You have control over which country your data will be stored in • Your data won’t be used for marketing or advertising without your consent • You will be notified of legal requests for data disclosure
A. Limit access to data to authorized users, devices, and programs (Circular 16-01, Sections 14 to 21) B. Apply similar security and access controls to non-digitized files/media (Circular 16-01, Section 22) C. Use secure channels when transferring personal data (Circular 16-01, Sections 24 to 29) D. Observe proper procedures for disposal/archiving of personal data (Circular 16-01, Sections 30 to 32) Other recommendations
#5: Report Breach within 72 hours Legal Basis: Sec. 20.f and 30, IRR 38-42 and 57, Circ. 16-03 IRR Sec. 38 (a) The Commission and affected data subjects shall be notified by the PIC within seventy-two (72) hours upon knowledge of, or when there is reasonable belief by the PIC or PIP that, a personal data breach requiring notification has occurred.
#5: Report Breach within 72 hours Legal Basis: Sec. 20.f and 30, IRR 38-42 and 57, Circ. 16-03 What compliance looks like  Formation of a data breach response team with clearly defined roles and responsibilities  Clearly defined and up-to-date incident response procedure that covers assessment, mitigation, notification and recovery actions  Regular breach drills are conducted  Service providers in compliance What negligence looks like  No response team or procedures  No drills  No compliance obligations for service providers  No post-breach reports  No notification within 72 hours (an act punishable by 18 months to 5 years of imprisonment and and a fine of 500,000 to 1,000,000 pesos)
Finally: Register with the NPC Legal Basis: Sec. 24, IRR 33 and 46-49 What compliance looks like  Registration with the NPC is up-to- date and contains all necessary compliance documentation  Registration includes all automated processing operations that would have legal effect on the data subject  Annual report summarizing documented security incidents and personal data breaches  Service providers in compliance What negligence looks like  No registration  Out-of-date registration  No compliance obligations for service providers
Designating a DPO is the first essential step towards compliance. You cannot register your systems with the NPC unless you have a DPO. You cannot report your compliance activities unless you go through your DPO.
When should you comply? Yesterday. Obligations in the DPA and the IRR. September 2017. Additional Requirements in the IRR: Registration of Data Processing Systems and Automated Processing, 72-hour Breach Notification, Annual Incident Reporting October 2017. Security requirements in Circular 16-01 for Government Agencies.
PRIVACY.GOV.PH facebook.com/privacy.gov.ph twitter.com/privacyph info@privacy.gov.ph Thank you!

More Related Content

PPSX
Jamaica's Data Protection Act: Compliance required from the business community
Emerson Bryan
 
PPTX
PERSONAL-DATA-PROTECTION-BILL-2018.pptx
ssuser36d167
 
PDF
Examples of international privacy legislation
Ulf Mattsson
 
PDF
NEW DECREE ON PERSONAL DATA PROTECTION AND CROSS-BORDER PROVISION OF DATA THE...
Dr. Oliver Massmann
 
PDF
2014-04-16 Protection of Personal Information Act Readiness Workshop
Paul Jacobson
 
PDF
Bahrain-Personal-Data-Protection-Law.pdf
DaviesParker
 
PPTX
Data Privacy Act in the Philippines
Shirley Ingles-Cruz
 
PPT
Legal And Regulatory Dp Challenges For The Financial Services Sector
MSpadea
 
Jamaica's Data Protection Act: Compliance required from the business community
Emerson Bryan
 
PERSONAL-DATA-PROTECTION-BILL-2018.pptx
ssuser36d167
 
Examples of international privacy legislation
Ulf Mattsson
 
NEW DECREE ON PERSONAL DATA PROTECTION AND CROSS-BORDER PROVISION OF DATA THE...
Dr. Oliver Massmann
 
2014-04-16 Protection of Personal Information Act Readiness Workshop
Paul Jacobson
 
Bahrain-Personal-Data-Protection-Law.pdf
DaviesParker
 
Data Privacy Act in the Philippines
Shirley Ingles-Cruz
 
Legal And Regulatory Dp Challenges For The Financial Services Sector
MSpadea
 

Similar to All_you_need_to Know_About_the_Data_Privacy_Act.pdf (20)

PPTX
Unit 6 Privacy and Data Protection 8 hr
Tushar Rajput
 
PPTX
CSMFO 2012 Data Privacy in Local Government
Donald E. Hester
 
PDF
Information Security: The Trinidad & Tobago Legal Context
Jason Nathu
 
PDF
DPIA step by step process approach and methodology
HishamMohammed46
 
PDF
Regulatory compliance 2018
ProColombia
 
PPTX
GDPR Enforcement is here. Are you ready?
SecurityScorecard
 
PDF
Cybersecurity & Data Privacy 2020 - Introduction to US Privacy and Data Secur...
Financial Poise
 
PDF
Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Priyanka Aash
 
PPTX
Draft Bill on the Protection of Personal Data
Renato Monteiro
 
PDF
Dr. Rolando Rivera Lansigan - The Privacy Act of 2012, its compliance and imp...
REVULN
 
PDF
State Responsibility As a Data Controller for the Protection of Personal Data...
AHRP Law Firm
 
PDF
GDPR - The new era of data protection
Interlogica
 
PPTX
Hexagon presentation light.pptx
PabRonaldCalanoc1
 
PPTX
General Data Protection Regulation (GDPR) | Privacy Law in India |
Bivas Chatterjee
 
PDF
China-PIPL.pdf
DaviesParker
 
PDF
Philippine Data Privacy Act of 2012 (RA 10173)
Kirk Go
 
PPTX
Data protection regulation
Greg Ezeilo
 
PPT
Data protection in_india
Altacit Global
 
PPTX
Privacy in India: Legal issues
Sagar Rahurkar
 
PDF
The Summary Guide to Compliance with the Kenya Data Protection Law
Owako Rodah
 
Unit 6 Privacy and Data Protection 8 hr
Tushar Rajput
 
CSMFO 2012 Data Privacy in Local Government
Donald E. Hester
 
Information Security: The Trinidad & Tobago Legal Context
Jason Nathu
 
DPIA step by step process approach and methodology
HishamMohammed46
 
Regulatory compliance 2018
ProColombia
 
GDPR Enforcement is here. Are you ready?
SecurityScorecard
 
Cybersecurity & Data Privacy 2020 - Introduction to US Privacy and Data Secur...
Financial Poise
 
Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Priyanka Aash
 
Draft Bill on the Protection of Personal Data
Renato Monteiro
 
Dr. Rolando Rivera Lansigan - The Privacy Act of 2012, its compliance and imp...
REVULN
 
State Responsibility As a Data Controller for the Protection of Personal Data...
AHRP Law Firm
 
GDPR - The new era of data protection
Interlogica
 
Hexagon presentation light.pptx
PabRonaldCalanoc1
 
General Data Protection Regulation (GDPR) | Privacy Law in India |
Bivas Chatterjee
 
China-PIPL.pdf
DaviesParker
 
Philippine Data Privacy Act of 2012 (RA 10173)
Kirk Go
 
Data protection regulation
Greg Ezeilo
 
Data protection in_india
Altacit Global
 
Privacy in India: Legal issues
Sagar Rahurkar
 
The Summary Guide to Compliance with the Kenya Data Protection Law
Owako Rodah
 

Recently uploaded (20)

PDF
PPT Item # 7 - Proposed Budget and Tax Rate
ahcitycouncil
 
PDF
Bridging Nations Through Mobility: Indonesia’s Vision for Transportation Dipl...
Dr. Zar RDJ
 
PPTX
2019.05.19.AMS_.Sermonsssssssssssss.pptx
LAWRENCEJEREMYBRIONE
 
PDF
The Council of Europe Landscape Convention: A key instrument for an innovativ...
Pere Sala i Martí
 
PDF
Item # 8 - Staff Report on Pool Pocket Park
ahcitycouncil
 
PPTX
PPT for Meeting with CM 18.08.2025complete (1).pptx
OoMinisterSocialWelf
 
PPTX
Community Contracting Protocol, DLG, MOHCA
2403031047055
 
PPTX
Introduction to the NAP Process and NAP Global Network
NAP Global Network
 
PPTX
IMPLEMENTING GUIDELINES OF SUSTAINABLE LIVELIHOOD PROGRAM -SLP MC 22 ORIENTAT...
rvcrizaldo2021
 
PDF
PPT Items # 3&4 - Residential Haunted House
ahcitycouncil
 
PPTX
Avoiding Suspensions and Disallowances in Audit.pptx
nierealexis
 
PPTX
Nasarawa_Youth_Unemployment_Proposal.pptx
AbdulkareemAlhassan3
 
PDF
PPT Item # 8 - Pool Pocket Staff Report
ahcitycouncil
 
PPTX
IMPLEMENTING RULES AND REGULATIONS OF REPUBLIC ACT NO. 11058 ENTITLED “AN ACT...
JerlynEBermudez
 
PDF
The Landscape Catalogues of Catalonia. From landscape characterization to action
Pere Sala i Martí
 
PPTX
Presentation on CGIAR’s Policy Innovation Program _18.08.2025 FE.pptx
Ahmed Ali
 
PPTX
Water-Energy-Food (WEF) Nexus interventions, policy, and action in the MENA r...
Ahmed Ali
 
PPTX
Civil Society Engagement in National Adaptation Plan Processes
NAP Global Network
 
PDF
The Landscape Observatory of Catalonia. A Journey of Fifteen Years
Pere Sala i Martí
 
PDF
The Landscape Observatory of Catalonia. Some projects and challenges
Pere Sala i Martí
 
PPT Item # 7 - Proposed Budget and Tax Rate
ahcitycouncil
 
Bridging Nations Through Mobility: Indonesia’s Vision for Transportation Dipl...
Dr. Zar RDJ
 
2019.05.19.AMS_.Sermonsssssssssssss.pptx
LAWRENCEJEREMYBRIONE
 
The Council of Europe Landscape Convention: A key instrument for an innovativ...
Pere Sala i Martí
 
Item # 8 - Staff Report on Pool Pocket Park
ahcitycouncil
 
PPT for Meeting with CM 18.08.2025complete (1).pptx
OoMinisterSocialWelf
 
Community Contracting Protocol, DLG, MOHCA
2403031047055
 
Introduction to the NAP Process and NAP Global Network
NAP Global Network
 
IMPLEMENTING GUIDELINES OF SUSTAINABLE LIVELIHOOD PROGRAM -SLP MC 22 ORIENTAT...
rvcrizaldo2021
 
PPT Items # 3&4 - Residential Haunted House
ahcitycouncil
 
Avoiding Suspensions and Disallowances in Audit.pptx
nierealexis
 
Nasarawa_Youth_Unemployment_Proposal.pptx
AbdulkareemAlhassan3
 
PPT Item # 8 - Pool Pocket Staff Report
ahcitycouncil
 
IMPLEMENTING RULES AND REGULATIONS OF REPUBLIC ACT NO. 11058 ENTITLED “AN ACT...
JerlynEBermudez
 
The Landscape Catalogues of Catalonia. From landscape characterization to action
Pere Sala i Martí
 
Presentation on CGIAR’s Policy Innovation Program _18.08.2025 FE.pptx
Ahmed Ali
 
Water-Energy-Food (WEF) Nexus interventions, policy, and action in the MENA r...
Ahmed Ali
 
Civil Society Engagement in National Adaptation Plan Processes
NAP Global Network
 
The Landscape Observatory of Catalonia. A Journey of Fifteen Years
Pere Sala i Martí
 
The Landscape Observatory of Catalonia. Some projects and challenges
Pere Sala i Martí
 

All_you_need_to Know_About_the_Data_Privacy_Act.pdf

  • 1. All you need to know about the Data Privacy Act of 2012 01 June 2017 Government CIO Summit Las Casas Filipinas De Acuzar
  • 2. Republic Act No. 10173 August 15, 2012 SECTION 1. Short Title. – This Act shall be known as the “Data Privacy Act of 2012”. SECTION. 2. Declaration of Policy. – It is the policy of the State to protect the fundamental human right of privacy, of communication while ensuring free flow of information to promote innovation and growth.
  • 4. What can happen to you personally?  Sec. 22. The head of each government agency or instrumentality shall be responsible for complying with the security requirements mentioned herein…  Sec. 34. Extent of Liability. If the offender is a corporation, partnership or any juridical person, the penalty shall be imposed upon the responsible officers, as the case may be, who participated in, or by their gross negligence, allowed the commission of the crime.
  • 5. Punishable Act Jail Term Fine (Pesos) Access due to negligence 1y to 3y ꟷ 3y to 6y 500k to 4m Unauthorized processing 1y to 3y ꟷ 3y to 6y 500k to 4m Improper disposal 6m to 2y ꟷ 3y to 6y 100k to 1m Unauthorized purposes 18m to 5y ꟷ 2y to 7y 500k to 2m Intentional breach 1y to 3y 500k to 2m Concealing breach 18m to 5y 500k to 1m Malicious disclosure 18m to 5y 500k to 1m Unauthorized disclosure 1y to 3y ꟷ 3y to 5y 500k to 2m Combination of acts 3y to 6y 1m to 5m
  • 6. Sections 1-6. Definitions and General Provisions Sections 7-10. National Privacy Commission Structure of RA 10173, the Data Privacy Act Section 22-24. Provisions Specific to Government Section 25-37. Penalties Sections 11-21. Rights of Data Subjects, and Obligations of Personal Information Controllers and Processors
  • 7. Definitions Personal Information Personal information refers to any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual. – RA. 10173, Section 3.g
  • 8. Definitions Personal Information Sensitive Personal Information Sensitive personal information refers to personal information: (1) About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations; (2) About an individual’s health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings; (3) Issued by government agencies peculiar to an individual which includes, but not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns; and (4) Specifically established by an executive order or an act of Congress to be kept classified. – RA. 10173, Section 3.l
  • 9. “Personal Information Controllers” those who decide what data is collected and how it is processed (example: Bank X, Hospital Y). “Personal Information Processors” those who process data as instructed by the controllers (example: shared services, IT vendor, external lab). Key Definitions PIC PIP
  • 10. 2016 Series (issued) Data Privacy Act of 2012 IRRs (promulgated 2016) Circular 16-01 Gov’t Agencies Circular 16-02 Data Sharing Circular 16-03 Breach Mgmt Circular 16-04 Rules Procedure 2017 Series The Obligations which must be complied with by PICs and PIPs Advisory 17-01 DPO Guidelines Draft Circular DOH-Regulated Draft Circular BSP-Supervised
  • 11. How should you comply? R.A. 10173, Data Privacy Act of 2012  SEC. 20 (a) The personal information controller must implement reasonable and appropriate organizational, physical and technical measures intended for the protection of personal information against any accidental or unlawful destruction, alteration and disclosure, as well as against any other unlawful processing.  Sectors can craft their own “privacy codes” to address relevant industry issues and practices. For government, Circulars 16-01 and 16-02 are part of our “sectoral code”.
  • 12. Obligations of PICs/PIPs Uphold the rights of data subjects Appoint a DPO/Compliance Officer Process according to Privacy Principles Establish Data Protection framework Setup Breach Reporting Procedure Register systems with the NPC
  • 13. #1: Uphold the rights of data subjects Legal Basis: Sec. 16-18 and 38, IRR 17-24, 34-37 What compliance looks like  Data subjects are apprised of their rights through a privacy notice  Data subjects know who to complain to if their rights are violated  Complaints are acted upon quickly What negligence looks like  No privacy notice when data is collected  No contact details on how to lodge a complaint  Complaints take a long time to be remedied
  • 14. #2: Appoint a DPO (Data Protection Officer) Legal Basis: Sec. 21, IRR 50, Circ. 16-01, Advisory 17-01 Sec. 21 (b) The personal information controller shall designate an individual or individuals who are accountable for the organization’s compliance with this Act.
  • 15. #2: Appoint a DPO (Data Protection Officer) Legal Basis: Sec. 21, IRR 50, Circ. 16-01, Advisory 17-01 What compliance looks like  Notarized appointment or designation of a DPO, filed with the NPC  Evidence of actions taken on basis of DPO recommendations  Contact details on website (if any)  Continuing education program What negligence looks like  No DPO  Lack of interaction between DPO and top management, between DPO and functional units  Inaction on complaints from data subjects  Non-reporting to NPC
  • 16. #3: Data Processing adheres to Transparency, Legitimate Purpose, and Proportionality Legal Basis: Sec. 11-15, IRR 21-23 and 43-45, Circ. 16-01 and 16-02 What compliance looks like  Privacy policies cascaded throughout the organization and updated as needed  Data handlers have security clearance and privacy training  Privacy notice where appropriate, e.g. on website  Data sharing agreements in place  Privacy impact assessments conducted and up-to-date  Service providers in compliance What negligence looks like  Privacy policy sits on shelf  No security clearance or privacy training for data handlers  No privacy notice when collecting personal data  Overcollection  Data sharing without agreements  No privacy impact assessments  No compliance obligations for service providers
  • 17. “Transparency” – no surprises in how the data collected is being processed “Legitimate purpose” – required by law and not contrary to public morals “Proportionality” – collect only what’s needed and commensurate to the benefits Principles
  • 18. #4: Maintain Confidentiality, Integrity, Availability Legal Basis: Sec. 20.a-e, Sec. 22 and 24, IRR 25-29, Circ. 16-01 Sec. 20 (c) “The determination of the appropriate level of security under this section must take into account the nature of the personal information to be protected, the risks represented by the processing, the size of the organization and complexity of its operations, current data privacy best practices and the cost of security implementation.” How will you know what are “the risks represented by the processing”?
  • 19. #4: Maintain Confidentiality, Integrity, Availability Legal Basis: Sec. 20.a-e, Sec. 22 and 24, IRR 25-29, Circ. 16-01 What compliance looks like  Data protection risks identified, and the appropriate up-to-date controls are in place to manage these risks  Data protection policies cascaded throughout the org’n and updated as needed  Frequent monitoring and vulnerability scanning  Regular security and business continuity drills are conducted  Service providers in compliance What negligence looks like  Generic controls in place  Controls not updated for new risks/threats  Controls are not complied with  Lax cyber-hygiene practices  No compliance obligations for service providers  No periodic drills or monitoring  No venue for data subjects to access or correct/rectify their own data
  • 20. Circular 16-01, Sections 7 to 13 Processing of Personal Data “Owned” Data Center • Covered as PIC • Subject to NPC Audit (Sec. 11) • AES-256 Encrypted (Sec. 8) • Access control system (Sec. 9) • Archives are also covered (Sec. 13) • ISO 27001/27002 “Non-owned” Data Center • Covered as PIP (sec. 10) • Subject to NPC Audit (Sec. 11) • ISO 27018 (Sec. 12) • AES-256 Encrypted (Sec. 8) • Archives are also covered (Sec. 13) • Contract subject to review (Sec. 7) • If data is stored outside the country, geographic location must be specified in contract (IRR, Sec. 44.a)
  • 21. ISO 27001 vs 27018 Benefits 27001 – your data is stored in your own data center • You have a clear picture of what your information security risks are • You can identify a set of controls to manage your risks • You can monitor the ongoing implementation and deployment of the selected controls 27018 – your data is stored in someone else’s data center • You have control over which country your data will be stored in • Your data won’t be used for marketing or advertising without your consent • You will be notified of legal requests for data disclosure
  • 22. A. Limit access to data to authorized users, devices, and programs (Circular 16-01, Sections 14 to 21) B. Apply similar security and access controls to non-digitized files/media (Circular 16-01, Section 22) C. Use secure channels when transferring personal data (Circular 16-01, Sections 24 to 29) D. Observe proper procedures for disposal/archiving of personal data (Circular 16-01, Sections 30 to 32) Other recommendations
  • 23. #5: Report Breach within 72 hours Legal Basis: Sec. 20.f and 30, IRR 38-42 and 57, Circ. 16-03 IRR Sec. 38 (a) The Commission and affected data subjects shall be notified by the PIC within seventy-two (72) hours upon knowledge of, or when there is reasonable belief by the PIC or PIP that, a personal data breach requiring notification has occurred.
  • 24. #5: Report Breach within 72 hours Legal Basis: Sec. 20.f and 30, IRR 38-42 and 57, Circ. 16-03 What compliance looks like  Formation of a data breach response team with clearly defined roles and responsibilities  Clearly defined and up-to-date incident response procedure that covers assessment, mitigation, notification and recovery actions  Regular breach drills are conducted  Service providers in compliance What negligence looks like  No response team or procedures  No drills  No compliance obligations for service providers  No post-breach reports  No notification within 72 hours (an act punishable by 18 months to 5 years of imprisonment and and a fine of 500,000 to 1,000,000 pesos)
  • 25. Finally: Register with the NPC Legal Basis: Sec. 24, IRR 33 and 46-49 What compliance looks like  Registration with the NPC is up-to- date and contains all necessary compliance documentation  Registration includes all automated processing operations that would have legal effect on the data subject  Annual report summarizing documented security incidents and personal data breaches  Service providers in compliance What negligence looks like  No registration  Out-of-date registration  No compliance obligations for service providers
  • 26. Designating a DPO is the first essential step towards compliance. You cannot register your systems with the NPC unless you have a DPO. You cannot report your compliance activities unless you go through your DPO.
  • 27. When should you comply? Yesterday. Obligations in the DPA and the IRR. September 2017. Additional Requirements in the IRR: Registration of Data Processing Systems and Automated Processing, 72-hour Breach Notification, Annual Incident Reporting October 2017. Security requirements in Circular 16-01 for Government Agencies.