MESSAGE FROM THE PRESIDENT

1
2
 Preface

The National Privacy Commission (NPC) started strong in 2016

as we introduced the Data Privacy Act (DPA) to the public. The
DPAs Implementing Rules and Regulations (IRR), as well as four
NPC Circulars were formulated and approved, upon consultation
with stakeholders. Over 250 representatives from the public and
private sector were convened during the December summit titled
Privacy.Gov.PH: Government at the Forefront of Protecting the
Filipino in the Digital World. We likewise held data privacy
briefings with various organizations, produced knowledge
materials, and built our online presence. Brick by brick, we started
creating awareness about data privacy in our first year.

To sustain this momentum as we move forward, the NPC is set to ensure compliance with the
DPA among personal information controllers (PICs) and personal information processors
(PIPs). We realize that to succeed in this endeavor, the NPC needs to make compliance easy
and simple. We have lined up ways to do this, one of which is this toolkit.

The 2017 NPC Privacy Toolkit equips and guides PICs, PIPs, and Data Protection Officers
(DPOs) through the process of complying with the law and building an organizational culture
protective of individuals data privacy rights. It outlines the Five (5) Pillars of Data Privacy
Accountability and Compliance, namely: 1) Commit to comply appoint a DPO; 2) Know
your risks conduct a Privacy Risk Assessment; 3) Be accountable Develop your Privacy
Management Program and Craft your Privacy Manual; 4) Demonstrate your compliance
implement Privacy and Data Protection measures, and 5) Be prepared for breach regularly
exercise your Breach Reporting Procedures. Guidelines, templates, samples and forms were
included in this toolkit to help you perform these tasks.

Materials on the NPC registration process as well as on the practical things that government
and even private sector DPOs should watch out for were also incorporated to further gear up
PICs, PIPs and DPOs. The kit also contains all NPC Circulars and the DPAs IRR, for users
comprehensive reference.

Rest assured that the NPC will intensify its efforts like the development of this toolkit, to help
you and have you as our partners in making privacy work for everyone. Kung di tayo kikilos,
sino ang kikilos? Kung di ngayon, kailan pa?. The time to act is now. Together, I am certain
that we can make data privacy practices in the Philippines citizen-centered, globally in-tune,
pragmatic yet future-oriented.

RAYMUND ENRIQUEZ LIBORO

Privacy Commissioner

3
 TABLE OF CONTENTS

Message from the President ................................................................................................. 1

Message from the DICT Secretary ...................................................................................... 2
Preface by the Privacy Commissioner................................................................................ 3

A. Data Privacy Threats: Things to Watch Out for as a DPO ...................................... 13

Internal weaknesses .............................................................................................................. 14
Employee negligence ............................................................................................................ 15
Weak information security policy ...................................................................................... 15
Malicious attacks ................................................................................................................... 16
Phishing .................................................................................................................................. 16
Malware.................................................................................................................................. 17
Denial-of-service ................................................................................................................... 18
Man-in-the-middle ................................................................................................................ 19
Emerging attack platforms .................................................................................................. 19
Mobile ..................................................................................................................................... 19
Cloud ...................................................................................................................................... 20
Internet of Things .................................................................................................................. 20
Combatting data privacy threats ........................................................................................ 20

B. Five Pillars of Data Privacy Accountability and Compliance ................................ 22

I. Commit to Comply: Appoint a Data Protection Officer .............................................. 23

NPC Advisory No. 2017-01: Designation of a Data Protection Officer .............................. 23

Preamble............................................................................................................................... 23
Scope ..................................................................................................................................... 24
Definition of Terms ............................................................................................................. 24
General Principle ................................................................................................................ 26
Mandatory Designation ..................................................................................................... 26
General Qualifications........................................................................................................ 27
Position of the DPO or the COP........................................................................................ 27
Independence, Autonomy and Conflict of Interest ....................................................... 27
Duties and Responsibilities of the DPO and the COP ................................................... 28
General Obligations of the PIC or PIP relative to the DPO or COP ............................ 29
Outsourcing or Subcontracting of Functions .................................................................. 29
Protections ........................................................................................................................... 30
Publication and Communication of Contact Details ..................................................... 30
Weight of Opinion .............................................................................................................. 30
Accountability ..................................................................................................................... 30

II. Know your risks: Conduct a Privacy Risk or Impact Assessment ......................... 32

NPC Advisory No. 2017-0: Guidelines on Privacy Impact Assessment ........................... 32

Preamble............................................................................................................................... 32
Scope ..................................................................................................................................... 33
Definition of Terms ............................................................................................................. 33

4
 General Principles ............................................................................................................... 35
Key Considerations ................................................................................................. 36
Objectives ................................................................................................................. 36
Responsibility ...................................................................................................................... 37
Stakeholder Involvement ................................................................................................... 37
Structure and Form ............................................................................................................. 38
Planning a PIA .................................................................................................................... 39
Preparatory Activities ........................................................................................................ 39
Conduct of the PIA ............................................................................................................. 40
Documentation and Review .............................................................................................. 42
Compliance and Accountability ....................................................................................... 42

Privacy Impact Assessment - Template ................................................................................. 44

I. Project/System Description ....................................................................... 44
a. Description ...................................................................................................... 44
b. Scope of the PIA ............................................................................................. 44
II. Threshold Analysis ................................................................................................ 44
III. Stakeholder(s) Engagement.................................................................................. 45
IV. Personal data Flows............................................................................................... 45
V. Privacy Impact Analysis ....................................................................................... 47
VI. Privacy Risk Management .................................................................................... 51
VII. Recommended Privacy Solutions ........................................................................ 53
VIII. Sign off and Action Plan ....................................................................................... 54

III. Be Accountable: Write your Privacy Management Program and Privacy Manual
Privacy Management Program Guide .............................................................................. 54
Checklist ................................................................................................................................. 63
Privacy Manual Guide ......................................................................................................... 68

IV. Demonstrate your compliance: Implement Privacy and Data Protection

Measures................................................................................................................................. 77
The 10 Point Privacy Accountability and Compliance Framework
Data Privacy Accountability and Compliance Framework ................................................. 77
1. Establishing Data Privacy Governance ....................................................................... 78
2. Privacy Risk Assessment ............................................................................................... 78
3. Preparing Your Organizations Data Privacy Rules .................................................. 79
4. Privacy in Day to Day Data Life Cycle Operations ................................................... 79
5. Managing Personal Data Security Risks ..................................................................... 91
6. Data Breach Management ............................................................................................. 98
7. Managing Third Party Risks ........................................................................................ 99
8. Managing Human Resources...................................................................................... 100
9. Continuing Assessment and Development .............................................................. 103
10. Managing Privacy Ecosystem ..................................................................................... 104

Data Privacy Compliance Guidelines .............................................................................

V. Be prepared for breach: Regularly exercise your Breach Reporting Procedure 106

5
C. Registration .................................................................................................................... 115
NPC Circular 17-01 ............................................................................................................. 116
Registration of Data Processing Systems ......................................................................... 131

Annexes ................................................................................................................................ 132

Data Privacy Act of 2012 Implementing Rules and Regulation ................................... 133

Rule I. Preliminary Provisions................................................................................................... 133

Section 1. Title ................................................................................................................................ 133
Section 2. Policy ............................................................................................................................. 133
Section 3. Definitions .................................................................................................................... 133

Rule II. Scope of Application ..................................................................................................... 136

Section 4. Scope .............................................................................................................................. 136
Section 5. Special Cases ............................................................................................................... 136
Section 6. Protection Afforded to Data Subjects ................................................................... 138
Section 7. Protection Afforded to Journalists and their Sources...................................... 138

Rule III. National Privacy Commission .................................................................................. 138

Section 8. Mandate ........................................................................................................................ 138
Section 9. Functions ...................................................................................................................... 138
Section 10. Administrative Issuances ...................................................................................... 141
Section 11. Reports and Public Information .......................................................................... 142
Section 12. Confidentiality of Personal Data ......................................................................... 142
Section 13. Organizational Structure ....................................................................................... 142
Section 14. Secretariat ................................................................................................................... 142
Section 15. Effect of Lawful Performance of Duty .............................................................. 143
Section 16. Magna Carta for Science and Technology Personnel .................................... 143

Rule IV. Data Privacy Principles ............................................................................................... 143

Section 17. General Principles.................................................................................................... 143
Section 18. Principles of Transparency, Legitimate Purpose and Proportionality..... 144
Section 19. Principles in Collection, Processing and Retention ....................................... 144
o Collection must be for a specified and legitimate purpose.................................. 144
o Personal Data shall be processed fairly and lawfully ............................................ 145
o Processing should ensure data quality ...................................................................... 145
o Personal data shall not be retained longer than necessary .................................. 145
o Any authorized further processing shall have adequate safeguards ............... 145
Section 20. Principles for Data Sharing ................................................................................... 146

Rule V. Lawful Processing of Personal Data ......................................................................... 147

Section 21. Lawful Processing of Personal Information..................................................... 147
Section 22. Lawful Processing of Sensitive Personal Information and Privileged
Information ..................................................................................................................................... 148
Section 23. Extension of Privileged Communication .......................................................... 148

6
Section 24. Surveillance of Subjects and Interception of Recording of
Communications .......................................................................................................................... 149

Rule VI. Security Measures for Protection of Personal Data ............................................ 149
Section 25. Data Privacy and Security ..................................................................................... 149
Section 26. Organizational Security ......................................................................................... 149
Section 27. Physical Security ...................................................................................................... 151
Section 28. Technical Security .................................................................................................... 152
Section 29. Appropriate Level of Security.............................................................................. 152

Rule VII. Security of Sensitive Personal Information in Government ........................ 153

Section 30. Responsibility of Heads of Agencies ............................................................ 153
Section 31. Requirements Relating to Access by Agency Personnel to Sensitive
Personal Information .......................................................................................................... 153
Section 32. Implementation of Security Requirements .................................................. 154
Section 33. Applicability to Government Contractors ................................................... 154

Rule VIII. Rights of Data Subject ...................................................................................... 155

Section 34. Rights of the Data Subject .............................................................................. 155
o Right to be informed ............................................................................................... 155
o Right to object .......................................................................................................... 155
o Right to access ......................................................................................................... 156
o Right to rectification ............................................................................................... 156
o Right to erasure or blocking .................................................................................. 156
o Right to damages..................................................................................................... 157
Section 35. Transmissibility of Rights of the Data Subject ........................................... 157
Section 36. Right to Data Portability ............................................................................... 157
Section 37. Limitation on Rights ....................................................................................... 157

Rule IX. Data Breach Notification ..................................................................................... 158

Section 38. Data Breach Notification ................................................................................ 158
Section 39. Contents of Notification ................................................................................. 158
Section 40. Delay of Notification....................................................................................... 158
Section 41. Breach Report ................................................................................................ 159
Section 42. Procedure for Notification ............................................................................. 159

Rule X. Outsourcing and Subcontracting Agreements ................................................. 159

Section 43. Subcontract of Personal Data......................................................................... 159
Section 44. Agreements for Outsourcing ........................................................................ 159
Section 45. Duty of Personal Information Processor ...................................................... 161

Rule XI. Registration and Compliance Requirements ................................................... 161

Section 46. Enforcement of the Data Privacy Act ........................................................... 161
Section 47. Registration of Data Processing Systems ..................................................... 161
Section 48. Notification for Automated Processing Operations .................................. 162
Section 49. Review by the Commission .......................................................................... 163

7
Rule XII. Rules on Accountability .................................................................................... 163
Section 50. Accountability for Transfer of Personal Information................................. 163
Section 51. Accountability for Violation of the Act, these Rules and other issuances
................................................................................................................................................ 164

Rule XIII. Penalties ............................................................................................................ 164

Section 52. Unauthorized Processing of Personal Information and Sensitive Personal
Information .......................................................................................................................... 164
Section 53. Accessing Personal Information and Sensitive Personal Information Due
to Negligence ....................................................................................................................... 165
Section 54. Improper Disposal of Personal Information and Sensitive Personal
Information .......................................................................................................................... 165
Section 55. Processing of Personal Information and Sensitive Personal Information
for Unauthorized Purposes ............................................................................................... 165
Section 56. Unauthorized Access or Intentional Breach ................................................ 166
Section 57. Concealment of Security Breaches Involving Sensitive Personal
Information .......................................................................................................................... 166
Section 58. Malicious Disclosure ....................................................................................... 166
Section 59. Unauthorized Disclosure ............................................................................... 166
Section 60. Combination or Series of Acts ....................................................................... 167
Section 61. Extent of Liability ............................................................................................ 167
Section 62. Large-Scale ....................................................................................................... 167
Section 63. Offense Committed by Public Officer .......................................................... 167
Section 64. Restitution ........................................................................................................ 168
Section 65. Fines and Penalties .......................................................................................... 168

Rule XIV. Miscellaneous Provisions................................................................................. 168

Section 66. Appeal ............................................................................................................... 168
Section 67. Period for Compliance .................................................................................... 168
Section 68. Appropriations Clause ................................................................................... 168
Section 69. Interpretation ................................................................................................... 169
Section 70. Separability Clause ......................................................................................... 169
Section 71. Repealing Clause ............................................................................................. 169
Section 72. Effectivity Clause ............................................................................................ 169

NPC Memorandum Circulars ........................................................................................... 170

NPC Circular 16-01: Security of Personal Data in Government Agencies ................. 170

Rule I. General Provisions ................................................................................................. 171

Section 1. Scope ................................................................................................................... 171
Section 2. Purpose ............................................................................................................... 171
Section 3. Definition of Terms ........................................................................................... 171
Section 4. General Obligations .......................................................................................... 172
Section 5. Privacy Impact Assessment ............................................................................. 172

8
Section 6. Control Framework for Data Protection ........................................................ 173

Rule II. Storage of Personal Data ...................................................................................... 173

Section 7. General Rule ....................................................................................................... 173
Section 8. Encryption of Personal Data ............................................................................ 174
Section 9. Restricted Access ............................................................................................... 174
Section 10. Service Provider as Personal Information Processor ................................. 174
Section 11. Audit ................................................................................................................. 174
Section 12. Recommended Independent Verification or Certification ........................ 174
Section 13. Archives ............................................................................................................ 174

Rule III. Agency Access to Personal Data....................................................................... 175

Section 14. Access to Modification of Databases ............................................................ 175
Section 15. Security Clearance ........................................................................................... 175
Section 16. Contractors, Consultants and Service Providers ........................................ 175
Section 17. Acceptable Use Policy..................................................................................... 175
Section 18. Online Access to Personal Data..................................................................... 175
Section 19. Local Copies of Personal Data Accessed Online ........................................ 175
Section 20. Authorized Devices ........................................................................................ 176
Section 21. Remote Disconnection or Deletion ............................................................... 176
Section 22. Paper-based Filing System ............................................................................. 176
Section 23. Personal Data Sharing Agreements .............................................................. 176

Rule IV. Transfer of Personal Data ................................................................................... 176

Section 24. Emails ................................................................................................................ 176
Section 25. Personal Productivity Software .................................................................... 176
Section 26. Portable Media ................................................................................................. 176
Section 27. Removable Physical Media ............................................................................ 177
Section 28. Fax Machines ................................................................................................... 177
Section 29. Transmittal ....................................................................................................... 177

Rule V. Disposal of Personal Data .................................................................................... 178

Section 30. Archival Obligations ....................................................................................... 178
Section 31. Procedures ........................................................................................................ 178
Section 32. Third Party Service Providers ....................................................................... 178

Rule VI. Miscellaneous Provisions ................................................................................... 178

Section 33. Data Breach Management .............................................................................. 178
Section 34. Penalties ............................................................................................................ 178
Section 35. Amendments .................................................................................................... 178
Section 36. Transitory Period............................................................................................. 178
Section 37. Separability Clause ......................................................................................... 178
Section 38. Repealing Clause ............................................................................................. 178
Section 39. Effectivity.......................................................................................................... 178

NPC Circular 16-02: Data Sharing Agreements Involving Government Agencies ... 180

9
Section 1. General Principle ............................................................................................... 180
Section 2. Scope ................................................................................................................... 181
Section 3. Definition of Terms ........................................................................................... 181
Section 4. Consent ............................................................................................................... 183
Section 5. Data Privacy Principles .................................................................................... 183
Section 6. Content of a Data Sharing Agreement ........................................................... 183
Section 7. Online Access ..................................................................................................... 184
Section 8. Transfer of Personal Data ................................................................................. 184
Section 9. Responsibility of the Parties ............................................................................ 185
Section 10. Accountability for Cross-border Transfer of Personal Data ..................... 185
Section 11. Prior Consultation ........................................................................................... 185
Section 12. Security of Personal Data ............................................................................... 185
Section 13. Review by the Commission ........................................................................... 185
Section 14. Mandatory Periodic Review .......................................................................... 185
Section 15. Revisions and Amendments .......................................................................... 186
Section 16. Termination ...................................................................................................... 186
Section 17. Return, Destruction, or Disposal of Transferred Personal Data ............... 186
Section 18. Penalties ............................................................................................................ 186
Section 19. Transitory Period............................................................................................. 186
Section 20. Repealing Clause ............................................................................................. 187
Section 21. Separability Clause ......................................................................................... 187
Section 22. Effectivity.......................................................................................................... 187

NPC Circular 16-03: Personal Data Breach Management ............................................. 189

Rule I. General Provisions ................................................................................................ 190

Section 1. Scope ................................................................................................................... 190
Section 2. Purpose ............................................................................................................... 190
Section 3. Definition of Terms ........................................................................................... 190

Rule II. Guidelines for Personal Data Breach Management ......................................... 192
Section 4. Security Incident Management Policy ........................................................... 192
Section 5. Data Breach Response Team ............................................................................ 192

Rule III. Guidelines for the Prevention of Personal Data Breach ................................. 193
Section 6. Preventive or Minimization Measures ........................................................... 193
Section 7. Availability, Integrity and Confidentiality of Personal Data...................... 193

Rule IV. Guidelines for Incident Response Policy and Procedures ............................. 194
Section 8. Policies and Procedures.................................................................................... 194
Section 9. Documentation .................................................................................................. 195
Section 10. Regular Review................................................................................................ 195

Rule V. Procedure for Personal Data Breach Notification and Other Requirements 195
Section 11. When notification is required ........................................................................ 195

10
Section 12. Public Information .......................................................................................... 196
Section 13. Determination of the Need to Notify ........................................................... 196
Section 14. Discovery of Vulnerability ............................................................................. 196
Section 15. Who should notify .......................................................................................... 199
Section 16. Reporting by Personal Information Processors .......................................... 197
Section 17. Notification of the Commission .................................................................... 197
Section 18. Notification of Data Subjects ......................................................................... 199
Section 19. Exemption from Notification Requirements ............................................... 200
Section 20. Failure to Notify .............................................................................................. 200
Section 21. Investigation of a Breach or a Security Incidents ....................................... 201
Section 22. Reportorial Requirements .............................................................................. 201
Section 23. Notification and Reporting to the National Privacy Commission ........... 201
Section 24. Separability Clause ......................................................................................... 201
Section 25. Effectivity.......................................................................................................... 201

Summary .............................................................................................................................. 203

NPC Circular 16-04: Rules of Procedure of the National Privacy Commission ....... 204

Rule I. Preliminary Provisions .......................................................................................... 204

Section 1. General Principles ............................................................................................. 204
Section 2. Scope and Coverage .......................................................................................... 204

Rule II. Complaints for Violations of the Data Privacy Act .......................................... 204
Section 3. Section 3. Who May File Complaints ............................................................. 204
Section 4. Exhaustion of Remedies ................................................................................... 205
Section 5. Filing Fees ........................................................................................................... 205
Section 6. Printed Copies ................................................................................................... 205
Section 7. Where to File ...................................................................................................... 205
Section 8. Electronic Filing ................................................................................................. 206
Section 9. Parties to the Complaint ................................................................................... 206
Section 10. Form and Contents of the Complaint........................................................... 206

Rule III. Procedure in Complaints .................................................................................... 207

Section 11. Evaluation ........................................................................................................ 207
Section 12. Outright Dismissal .......................................................................................... 208
Section 13. Order to Confer for Discovery ...................................................................... 208
Section 14. Discovery .......................................................................................................... 208
Section 15. Order to Submit Comment ............................................................................ 210
Section 16. Investigation; Examination of Systems and Procedures ........................... 210
Section 17. Failure to Submit Comment .......................................................................... 210
Section 18. Recommendation of the Investigating Officer ............................................ 210
Section 19. Temporary Ban on Processing Personal Data ............................................. 210
Section 20. Permanent Ban on Processing Personal Data ............................................. 212
Section 21. Action on the Recommendations of the Investigating Officer ................. 212
Section 22. Rendition of Decision ..................................................................................... 212

11
Rule IV. Complaints of the National Privacy Commission .......................................... 213
Section 23. Own Initiative ................................................................................................ 213
Section 24. Uniform Procedure ......................................................................................... 213

Rule V. Alternative Modes of Dispute Resolution ......................................................... 213

Section 25. Alternative Modes of Dispute Resolution ................................................... 213
Section 26. Mediation Officer ............................................................................................ 213
Section 27. Failure to Reach Settlement ........................................................................... 213

Rule VI. Requests for Advisory Opinion ......................................................................... 213

Section 28. Advisory Opinions .......................................................................................... 213
Section 29. Uniform Procedure ......................................................................................... 214

Rule VII. Appeals ................................................................................................................ 214

Section 30. Appeal ............................................................................................................... 214

Rule VIII. General Provisions ............................................................................................ 214

Section 31. Confidentiality ................................................................................................. 214
Section 32. Application of Rules of Court........................................................................ 215
Section 33. Interpretation ................................................................................................... 215
Section 34. Separability Clause ......................................................................................... 215
Section 35. Effectivity.......................................................................................................... 215

Key Questions...................................................................................................................... 216

12
 A.

Data Privacy Threats:

Things to watch out for as a DPO

13
Things to watch out for as a DPO

Our generation saw a tectonic shift in what creates value in societies and economies.
This, following the emergence of the digital economy as a driver of global growth.
Data has come to replace oil as the greatest currency, prompting economists to hail it
as the new oil. Braving this new frontier are innovative governments and
businesses. They utilized personal data to improve existing services, products and
policies. In so doing, they ended up generating better alternatives and new leads for
future growth. For the first time in history, we are able to use personal data to build a
society responsive to the needs of all. Unfortunately, along with the good came the
bad. And so we see today how criminals can hijack personal data for malicious ends.

Threats to data privacy come from various actors. They include state-sponsored,
hacktivists and commercial actors. State-sponsored actors usually target organizations
with proprietary data such as those involved in technology, pharmaceuticals or
finance. They aim to gain sustained access to an organizations IT infrastructure. On
the other hand, hacktivists are generally viewed as those who use technology hacking
to promote a political agenda and effect social change. Commercial or fraud-oriented
actors are threat actors primarily interested in money. Highly equipped and
knowledgeable, they include identity thieves and personal data marketers.

Thus, the practice of information security becomes essential in ensuring personal data
protection. By definition, information security is the process of protecting physical
and electronic information from unauthorized access, use, disclosure, disruption,
modification, inspection, recording or destruction.

However, information security has become a tough job for organizations.

Technological advancements that interconnect the world in an unprecedented degree,
also brings with it countless types of threats. Threats that undermine privacy arise
every day while organizations still address threats which have long been existing. As
the online realm infinitely evolves, organizations shields should always be up and
constantly upgraded.

Thus, the NPC lists the following items that you, as a DPO should currently be on the
look out for to secure your organizations information and avoid data breaches. This
section underscores not only the common attacks but also the internal factors that
makes organizations vulnerable to these attacks, as well as the emerging platforms
used by perpetrators.

Internal weaknesses

Organizations can sometimes get too concerned with investing in the most updated
and best information security software there is. What they fail to realize, however, is
that any software becomes useless when vulnerabilities within the organization are
not addressed.

14
Employee negligence

Employees serve as one of, if not the primary asset of any organization. But they may
also be an organizations major security weakness. The 2016 Ponemon Institute Study
found that employee negligence accounts for 25% of data breaches, globally.

Without even resorting to sophisticated methods, perpetrators can use your unwitting
employees as "portal" for their attacks. Considering organizations use of advanced
security software, social engineering still proves to be a very cost-effective tactic for
perpetrators. All they need do is identify and target the weakest link in the
organizations security chain, who are none other than your careless employees.

Some of the common mistakes employees make include having weak password,
email, social media and web browsing practices. Cybercriminals exploit employees
who do not use passwords, who use simple and short passwords, who use the same
password across different services and accounts, and those who carelessly share
passwords with others. Employees clicking on suspicious email links, social media
content and website advertisements are also the easiest entry points to perpetuate
malicious attacks discussed in the succeeding sections. Organizations also get exposed
by employees poor security habits outside work such as the use of unsecured
personal device to access work-related data, and the connection to unsecured wi-fi
networks.

Careless handling of data also results in self-inflicted data breaches. An example

would be the Woolworths Data Breach, which forced management to cancel over $1
million in gift cards after someone within the Australian grocery chain accidentally
email a spreadsheet containing customer information and redeemable codes for
around 8,000 gift cards to over 1,000 customers.

Employees also put their organizations at risk when they disregard well-crafted ICT
standards and even the organizations IT team. Critical errors under this category
include doing unauthorized system changes, plugging unknown devices,
downloading software and disabling security featuresall without the IT teams
knowledge.

Weak or lack of information security policy

To avoid data breaches, it is desirable that an organization's information security

policies be always at par with emerging technology trends. Due to fast-paced changes,
it is highly possible that no standards exist yet for handling these nascent practices.
One such trend is the so-called Bring Your Own Device or BYOD.

Organizations allow BYOD in a desire to reduce costs and increase productivity, given
the new-found IT self-sufficiency among employees. The setup allows employees to
work and access corporate data using their own device, be it a laptop, ultrabook, tablet
or smartphone. This frees up organizations from so much hardware, software, and

15
device maintenance expenses. Presumably, it also empowers and motivates
employees, given the ease, mobility, and flexibility of access that it makes possible.
Organizations expect the resulting convenience and employee satisfaction to drive
productivity levels up.

However, without adequate standards and employee preparations in place, BYOD

puts corporate data at risk. This, especially in the absence of clear policies on who can
access which data, and on what to do in case a personal device gets lost, stolen or
compromised,

The lack of standards on the use of thumb drives or USB flash drives also poses a
risk. It is a favorite storage device of perpetrators as it is small and concealable.
Perpetrators can easily steal corporate data through these devices or use them to
install malicious programs in computers.

Unrestricted access to certain corporate data also jeopardizes an organizations

security. For instance, access to sensitive employee information should be exclusive to
the human resources department. This would make it harder for perpetrators to turn
an employee into a portal of attack.

Malicious attacks

Phishing

This is a type of social engineering attack where cybercriminals pose as legitimate

representatives of reputable organizations. The intent is to trick employees into
divulging sensitive information that may result in data breach, identity theft and
financial loss. Perpetrators carry this out through email, instant messages, phone calls,
chat rooms, SMS, fake banner ads, message boards, fake job search sites and browser
toolbars.

Phishing.org enumerates the common features of phishing emails as follows:

Too Good To Be True - Lucrative offers and eye-catching or attention-grabbing

statements are designed to attract peoples attention immediately. For instance,
many claim that you have won an iPhone, a lottery, or some other lavish prize. Just
don't click on any suspicious emails. Remember that if it seems too good to be true,
it probably is!

Sense of Urgency - A favorite tactic amongst cybercriminals is to ask you to act fast
because the super deals are only for a limited time. Some of them will even tell you
that you have only a few minutes to respond. When you come across these kinds
of emails, it's best to just ignore them. Sometimes, they will tell you that your
account will be suspended unless you update your personal details immediately.
Most reliable organizations give ample time before they terminate an account and

16
 they never ask patrons to update personal details over the Internet. When in doubt,
visit the source directly rather than clicking a link in an email.

Hyperlinks - A link may not be all it appears to be. Hovering over a link shows you
the actual URL where you will be directed upon clicking on it. It could be
completely different or it could be a popular website with a misspelling, for
instance www.bankofarnerica.com - the 'm' is actually an 'r' and an 'n', so look
carefully.

Attachments - If you see an attachment in an email you weren't expecting or that

doesn't make sense, don't open it! They often contain payloads like ransomware or
other viruses. The only file type that is always safe to click on is a .txt file.

Unusual Sender - Whether it looks like it's from someone you don't know or
someone you do know, if anything seems out of the ordinary, unexpected, out of
character or just suspicious in general don't click on it!

Malware

Malware is short for malicious software which includes computer viruses, worms,
Trojan horses, rootkit, ransomware, spyware, adware, scareware, among others. It is
meant to infiltrate and infect computers to compromise device, disrupt service, steal
data or monitor user activities. The common types of malware are described below:

Malware Type Description

Virus a type of malware that attaches itself to the program,
executes itself and replicates itself by infecting other
programs; may crash systems, acquire hard disk space or
CPU time, spam email contacts, access private info, corrupt
files or wipe data
Worm similar to viruses but do not require a host program to
spread and damage your computers
Trojan horse a malware that masquerades as a legitimate and harmless
program; do not replicate themselves
Rootkit an application or set of applications that enables
administrator-level access to the victims system while
actively hiding its presence making it difficult to detect;
allows perpetrator to execute files, access logs, monitor user
activity and change computers configuration
Ransomware blocks victims access to their files by locking the systems
screen or encrypting victims files; requires victims to pay a
ransom to get back their files through a decrypt key

17
Spyware a malware that collects information about victims surfing
habits, browsing history and other personal information,
and passes this information to third parties through the
internet
attached and downloaded with other software, designed to
Adware display unwanted advertisements in the form of pop-up
windows; may collect marketing-type data about you to
customize advertisements displayed
Scareware a malware that deceives victims to download and purchase
fake and potentially dangerous software using intimidating,
unsettling and fear messages

Denial-of-service

A denial-of-service or DoS attack seeks to disrupt a networks service and make it

unavailable to its intended and legitimate users. This is done by flooding the network
with useless traffic until it overwhelms the resources and crashes the system.
Zeltser.com lists the following as common motives behind DoS attacks:

Extortion via a threat of a DoS attack: The attacker might aim to directly profit from
his perceived ability to disrupt the victims services by demanding payment to
avoid the disruption.

Turf wars and fights between online gangs: Groups and individuals in engaged on
Internet-based malicious activities might use DoS as weapons against each others
infrastructure and operations, catching legitimate businesses in the crossfire.

Anticompetitive business practices: Cyber-criminals sometimes offer DoS services to

take out competitors websites or otherwise disrupt their operations.

Punishment for undesired actions: A DoS attack might aim to punish the victim for
refusing an extortion demand or for causing disruption to the attackers business
model (e.g., spam-sending operations).

Expression of anger and criticism: Attackers might use the DoS attack as a way of
criticizing the company or government organization for exhibiting undesirable
political or geopolitical, economic or monetary behaviors.

Training ground for other attacks: Attackers sometimes might target the organization
when fine-tuning DoS tools and capabilities for future attacks, which will be
directed at other victims.

18
 Distraction from other malicious actions: Adversaries might perform a DoS attack just
to draw your attention away from other intrusion activities that they perform
elsewhere in your environment.

Self-induced: Some downtime and service disruptions are the result of the non-
malicious actions that the organizations employees took by mistake (e.g., a server
configuration problem).

No apparent reason at all: Unfortunately, many DoS victims never learn what
motivated the attack.

In 2016, the largest DoS attacks were recorded. One hit the servers of Dyn that brought
down Twitter, the Guardian, Netflix, Reddit, CNN, among other sites in Europe and
US. This was carried out through a distributed DoS (DDoS) that utilized multiple
devices infected with a special malware, called botnet. A botnet is a group of inter-
connected devices infected with malware to enable perpetrators to control the devices
without the owners knowledge. Around 100,000 malicious endpoints were estimated
to have powered this 1.2Tbps-strong attack.

Man-in-the-middle

This is an attack designed to intercept communication between two parties, say a

consumer and a website, in an attempt to impersonate both parties and steal valuable
personal information.

It takes advantage of the weaknesses in the authentication protocols used by the

parties. MITM, usually used to commit financial fraud, may be done via Wi-Fi
connection, browser, mobile, app, cloud or through any networked device.

Emerging attack platforms

Mobile

As a widely-used platform even in the workplace, mobile serves as a huge attack

surface for perpetrators. The breadth of data found in mobile devices contact
information, photos, emails and other sensitive data, also makes them a primary
attack target. The relative security weakness of mobile compared to personal
computers increases its vulnerability.

Symantec estimated that the overall volume of malicious Android apps grew by 105
percent in 2016 at 18.4 million. Meanwhile, the iOS operating system remains to be
rarely attacked, but experienced one in 2016 through the Pegasus spyware. Clicking
the malicious link sent via text message jailbreaks the phone and injects the malware
into it. Pegasus accesses messages, calls and emails, and also gathers app information
from services like Gmail, Facebook, Skype and WhatsApp.

19
Cloud

Similar to BYOD, cloud adoption in organizations has been on the rise. It is seen as a
cost-efficient and effective measure to meet heightened computing needs. As cloud
shifts organizations data and applications over high-capacity networks hosted in the
internet, it helps reduce infrastructure and maintenance cost and improve
manageability. However, it also serves as a new and easily accessible threat surface
for perpetrators.

The borderless nature of cloud computing allows threat actors to easily bypass
organization-wide security policies. Clouds dependence on third party applications
also increases users exposure to malware. In its 2016 report, the Cloud Security
Alliance identified 12 critical cloud issues including: data breaches; weak identity,
credential and access management; insecure application program interfaces; system
and application vulnerabilities; account hijacking; malicious insiders; advanced
persistent threats; data loss, insufficient due diligence; abuse and nefarious use of
cloud services; DOS; and shared technology issues.

Internet of things

The internet of things or IoT is the concept of interconnectedness of physical devices

ranging from cellphones, cars, ovens, washing machines, headphones, lamps, to
wearable devices, via the internet. It espouses people-people, people-things and
things-things relationships, intended to improve efficiency and promote a smart
approach in doing things.

While the IoT opens the world to countless opportunities, it also presents serious
challenges. One is the perceived weak security of most IoT devices, which are
protected by factory default or hardcoded user names and passwords. The largest
DDoS attacks in 2016 using Mirai, as discussed in the previous section, exploited IoT
devices and converted them into bots. The seemingly harmless webcams produced by
Chinese electronics firm Xiong Mai Technologies primarily powered the 1.2Tbps-
strong attack on Dyn. Citizens become unaware

Combating data privacy threats

The National Privacy Commission has devised various means to address the above
threats. These means are integrated into the Five Pillars of Data Privacy
Accountability and Compliance, as discussed in the succeeding sections. This
framework is not only meant to combat data privacy threats, but to also help personal
information controllers and processors comply with the Data Privacy Act of 2012.

20
Encompassing organizational, physical and technical measures, the framework is
aimed at helping develop an organizational culture protective of privacy.

21
 B.

Five Pillars of
Data Privacy Accountability &
Compliance

22
I. Commit to Comply:
Appoint a Data Protection Officer

NPC Advisory No. 2017-01

DATE : 14 MARCH 2017

SUBJECT : DESIGNATION OF DATA PROTECTION OFFICERS

Preamble

WHEREAS, Article II, Section 24 of the 1987 Constitution provides that the State recognizes
the vital role of communication and information in nation-building. At the same time, Article
II, Section 11 thereof stresses that the State values the dignity of every human person and
guarantees full respect for human rights. Finally, Article XIII, Section 21 states that Congress
shall give highest priority to the enactment of measures that protect and enhance the right of
the people to human dignity;

WHEREAS, Section 2 of Republic Act No. 10173, also known as the Data Privacy Act of 2012
(DPA), provides that it is the policy of the State to protect the fundamental human right of
privacy of communication while ensuring free flow of information to promote innovation and
growth. The State also recognizes its inherent obligation to ensure that personal information
in information and communications systems in the government and in the private sector are
secured and protected;

WHEREAS, Section 21(b) of the DPA and Section 50(b) of its Implementing Rules and
Regulations (IRR) provide that personal information controllers (PICs) shall designate an
individual or individuals who are accountable for the organizations compliance with this Act.
Section 14 of the DPA and Section 45 of the IRR also require personal information processors
(PIPs) to comply with all the requirements of the Act and other applicable laws, including
issuances by the NPC;

WHEREAS, pursuant to Section 26(a) of the IRR, any natural or juridical person or other body
involved in the processing of personal data shall designate an individual or individuals who
shall function as data protection officer (DPO), compliance officer, or shall otherwise be
accountable for ensuring compliance with applicable laws and regulations for the protection
of data privacy and security;

WHEREAS, pursuant to Section 7 of the DPA, the National Privacy Commission (NPC) is
charged with the administration and implementation of the provisions of the law, which
includes ensuring compliance with the provisions of the DPA and with international
standards for data protection, and carrying out efforts to formulate and implement plans and
policies that strengthen the protection of personal information in the country, in coordination
with other government agencies and the private sector;

WHEREAS, Section 4 of NPC Circular 2016-01 declares that a government agency engaged in
the processing of personal data shall, through its head of agency, designate a DPO;

23
WHEREAS, in consideration of the foregoing premises, the NPC hereby issues this Advisory
that prescribes the guidelines for the designation of a DPO:

Scope

These Guidelines shall apply to all natural or juridical persons, or any other body in the
government or private sector engaged in the processing of personal data within and outside
of the Philippines, subject to the applicable provisions of the DPA, its IRR, and issuances by
the NPC.

Definition of Terms

Whenever used in this Advisory, the following terms shall have their respective meanings as
hereinafter set forth:

a. Act or DPA refers to Republic Act No. 10173, otherwise known as the Data Privacy
Act of 2012;

b. Commission or NPC refers to the National Privacy Commission;

c. Compliance Officer for Privacy or COP refers to an individual or individuals who

shall perform some of the functions of a DPO, as provided in this Advisory;

d. Conflict of Interest refers to a scenario wherein a DPO is charged with performing

tasks, duties, and responsibilities that may be opposed to or could affect his
performance as DPO. This includes, inter alia, holding a position within the PIC or PIP
that leads him to determine the purposes and the means of the processing of personal
data. The term shall be liberally construed relative to the provisions of this Advisory;

e. Data Sharing Agreement refers to a contract, joint issuance, or any similar document
that contains the terms and conditions of a data sharing arrangement between two or
more parties: Provided, that only personal information controllers shall be made parties
to a data sharing agreement;

f. Data Subject refers to an individual whose personal, sensitive personal, or

privileged information is processed;

g. Government Agency refers to a government branch, body, or entity, including

national government agencies, bureaus, or offices, constitutional commissions, local
government units, government-owned and controlled corporations, government
financial institutions, state colleges and universities;

h. Personal data refers to all types of personal information, including privileged

information;

i. Personal information refers to any information whether recorded in a material form

or not, from which the identity of an individual is apparent or can be reasonably and
directly ascertained by the entity holding the information, or when put together with
other information would directly and certainly identify an individual;

24
j. Personal information controller or PIC refers to a person or organization who
controls the collection, holding, processing or use of personal information, including
a person or organization who instructs another person or organization to collect, hold,
process, use, transfer or disclose personal information on his or her behalf. The term
excludes:

1.) a person or organization who performs such functions as instructed by another

person or organization; or
2.) an individual who collects, holds, processes or uses personal information in
connection with the individuals personal, family or household affairs.

There is control if the natural or juridical person or any other body decides on what
information is collected, or the purpose or extent of its processing;

k. Personal information processor or PIP refers to any natural or juridical person or

any other body to whom a PIC may outsource or instruct the processing of personal
data pertaining to a data subject;

l. Privacy by Design is an approach to the development and implementation of

projects, programs, and processes that integrates into the latters design or structure
safeguards that are necessary to protect and promote privacy, such as appropriate
organizational, technical, and policy measures;

m. Privacy Impact Assessment is a process undertaken and used to evaluate and

manage the impact on privacy of a particular project, program, process or measure;

n. Privileged Information refers to any and all forms of data which, under the Rules of
Court and other pertinent laws, constitute privileged communication;

o. Processing refers to any operation or any set of operations performed upon personal
data including, but not limited to, the collection, recording, organization, storage,
updating or modification, retrieval, consultation, use, consolidation, blocking, erasure
or destruction of data;

p. Sensitive Personal Information refers to personal information:

1.) About an individuals race, ethnic origin, marital status, age, color, and religious,
philosophical or political affiliations;

2.) About an individuals health, education, genetic or sexual life of a person, or to

any proceeding for any offense committed or alleged to have been committed by
such person, the disposal of such proceedings, or the sentence of any court in
such proceedings;

3.) Issued by government agencies peculiar to an individual which includes, but not
limited to, social security numbers, previous or current health records, licenses
or its denials, suspension or revocation, and tax returns; and

4.) Specifically established by an executive order or an act of Congress to be kept

classified.

25
 General Principles

These Guidelines shall be governed by the following general principles:

a. The responsibility for complying with the Act, its IRR, issuances by the NPC, and all
other applicable laws lies with the PIC or PIP.1 When necessary, it must be capable of
demonstrating its capacity to comply.

b. The DPO or COP shall act independently in the performance of his or her functions,
and shall enjoy sufficient degree of autonomy. For this purpose, he or she must not
receive instructions2 from the PIC or PIP regarding the exercise of his or her tasks.

c. The DPO or COP is bound by secrecy or confidentiality concerning the performance

of his or her tasks.

Mandatory Designation

A PIC or PIP shall designate an individual or individuals who shall function as DPO. The
DPO shall be accountable for ensuring the compliance by the PIC or PIP with the DPA, its
IRR, issuances by the NPC, and other applicable laws and regulations relating to privacy and
data protection.

In certain cases, a PIC or PIP is allowed to designate a compliance officer for privacy (COP):

a. Local Government Units (LGUs). Each LGU shall designate a DPO. However, a
component city, municipality, or barangay is allowed to designate a COP, provided
that the latter shall be under the supervision of the DPO of the corresponding province,
city, or municipality that that component city, municipality or barangay forms part of.

b. Government Agencies. Each government agency shall designate a DPO. Where a

government agency has regional, provincial, district, city, municipal offices, or any
other similar sub-units, it may designate or appoint a COP for each sub-unit. The COPs
shall be under the supervision of the DPO.

c. Private Sector. Where a private entity has branches, sub-offices, or any other component
units, it may also appoint or designate a COP for each component unit.

Subject to the approval of the NPC, a group of related companies may appoint or
designate the DPO of one of its members to be primarily accountable for ensuring the
compliance of the entire group with all data protection policies. Where such common
DPO is allowed by the NPC, the other members of the group must still have a COP, as
defined in this Advisory.

1 RA 10173, 21(a), and 14.

2 e.g., what results should be achieved, how to investigate a complaint, whether to consult the NPC, what view or
interpretation of the law to take relative to a specific data protection issue, etc.

26
 d. Other Analogous Cases. PICs or PIPs that are under similar or analogous circumstances
may also seek the approval of the NPC for the appointment or designation of a COP,
in lieu of a DPO.

An individual PIC or PIP shall be a de facto DPO.

General Qualifications

The DPO should possess specialized knowledge and demonstrate reliability necessary for the
performance of his or her duties and responsibilities. As such, the DPO should have expertise
in relevant privacy or data protection policies and practices. He or she should have sufficient
understanding of the processing operations being carried out by the PIC or PIP, including the
latters information systems, data security and/or data protection needs.

Knowledge by the DPO of the sector or field of the PIC or PIP, and the latters internal
structure, policies, and processes is also useful.

The minimum qualifications for a COP shall be proportionate to his or her functions, as
provided in this Advisory.

Position of the DPO or COP

The DPO or COP should be a full-time or organic employee of the PIC or PIP.

In the government or public sector, the DPO or COP may be a career or appointive position.

In the private sector, the DPO or COP should ideally be a regular or permanent position.3
Where the employment of the DPO or COP is based on a contract, the term or duration thereof
should at least be two (2) years to ensure stability.

In the event the position of DPO or COP is left vacant,4 the PIC or PIP should provide for the
appointment, reappointment, or hiring of his or her replacement within a reasonable period
of time. The PIC or PIP may also require the incumbent DPO or COP to occupy such position
in an holdover capacity until the appointment or hiring of a new DPO or COP, in accordance
with the PIC or PIPs internal policies or the provisions of the appropriate contract.

3 Consultants and project, seasonal, probationary, or casual employees should not be designated as
DPOs.

4 In the event of resignation, incapacity, or death of the DPO, or, where the term of the DPO is fixed or is
coterminous with the appointing authority, in the case of government agencies, or based on a contract, in the case
of private sector entities.

27
 Independence, Autonomy
And Conflict of Interest

A DPO or COP must be independent in the performance of his or her functions, and should
be accorded a significant degree of autonomy by the PIC or PIP.

In his or her capacity as DPO or COP, an individual may perform (or be assigned to perform)
other tasks or assume other functions5 that do not give rise to any conflict of interest.

Duties and Responsibilities

Of the DPO and COP

A DPO shall, inter alia:

a. monitor the PICs or PIPs compliance with the DPA, its IRR, issuances by the NPC
and other applicable laws and policies. For this purpose, he or she may:

1.) collect information to identify the processing operations, activities, measures,

projects, programs, or systems of the PIC or PIP, and maintain a record thereof;
2.) analyze and check the compliance of processing activities, including the issuance
of security clearances to and compliance by third-party service providers;
3.) inform, advise, and issue recommendations to the PIC or PIP;
4.) ascertain renewal of accreditations or certifications necessary to maintain the
required standards in personal data processing; and
5.) advice the PIC or PIP as regards the necessity of executing a Data Sharing
Agreement with third parties, and ensure its compliance with the law;

b. ensure the conduct of Privacy Impact Assessments relative to activities, measures,

projects, programs, or systems of the PIC or PIP;

c. advice the PIC or PIP regarding complaints and/or the exercise by data subjects of
their rights (e.g., requests for information, clarifications, rectification or deletion of
personal data);

d. ensure proper data breach and security incident management by the PIC or PIP,
including the latters preparation and submission to the NPC of reports and other
documentation concerning security incidents or data breaches within the prescribed
period;

e. inform and cultivate awareness on privacy and data protection within the
organization of the PIC or PIP, including all relevant laws, rules and regulations and
issuances of the NPC;

f. advocate for the development, review and/or revision of policies, guidelines, projects
and/or programs of the PIC or PIP relating to privacy and data protection, by adopting
a privacy by design approach;

5 The designated DPO may also occupy some other position in the organization (e.g., legal counsel, risk
management officer, etc.).

28
 g. serve as the contact person of the PIC or PIP vis--vis data subjects, the NPC and other
authorities in all matters concerning data privacy or security issues or concerns and
the PIC or PIP;

h. cooperate, coordinate and seek advice of the NPC regarding matters concerning data
privacy and security; and
i. perform other duties and tasks that may be assigned by the PIC or PIP that will further
the interest of data privacy and security and uphold the rights of the data subjects.

Except for items (a) to (c), a COP shall perform all other functions of a DPO. Where
appropriate, he or she shall also assist the supervising DPO in the performance of the latters
functions.

The DPO or COP must have due regard for the risks associated with the processing operations
of the PIC or PIP, taking into account the nature, scope, context and purposes of processing.
Accordingly, he or she must prioritize his or her activities and focus his or her efforts on issues
that present higher data protection risks.

General Obligations of the PIC or PIP

Relative to the DPO or COP

The PIC or PIP should:

a. effectively communicate to its personnel, the designation of the DPO or COP and his
or her functions;

b. allow the DPO or COP to be involved from the earliest stage possible in all issues
relating to privacy and data protection;

c. provide sufficient time and resources (financial, infrastructure, equipment, training,

and staff) necessary for the DPO or COP to keep himself or herself updated with the
developments in data privacy and security and to carry out his or her tasks effectively
and efficiently;

d. grant the DPO or COP appropriate access to the personal data it is processing,
including the processing systems;

e. where applicable, invite the DPO or COP to participate in meetings of senior and
middle management to represent the interest of privacy and data protection;

f. promptly consult the DPO or COP in the event of a personal data breach or security
incident; and

g. ensure that the DPO or COP is made a part of all relevant working groups that deal
with personal data processing activities conducted inside the organization, or with
other organizations.

29
 Outsourcing or Subcontracting of Functions

A PIC or PIP may outsource or subcontract the functions of its DPO or COP. However, to the
extent possible, the DPO or COP must oversee the performance of his or her functions by the
third-party service provider or providers. The DPO or COP shall also remain the contact
person of the PIC or PIP vis--vis the NPC.

Protections

To strengthen the autonomy of the DPO or COP and ensure the independent nature of his or
her role in the organization, a PIC or PIP should not directly or indirectly penalize or dismiss
the DPO or COP for performing his or her tasks. It is not necessary that the penalty is actually
imposed or meted out. A mere threat is sufficient if it has the effect of impeding or preventing
the DPO or COP from performing his or her tasks. However, nothing shall preclude the
legitimate application of labor, administrative, civil or criminal laws against the DPO or COP,
based on just or authorized grounds

Publication and Communication

Of Contact Details

To ensure that its own personnel, the data subjects, the NPC, or any other concerned party, is
able to easily, directly, and confidentially contact the DPO or COP, a PIC or PIP must publish
the DPOs or COPs contact details in, at least, the following materials:

a. website;
b. privacy notice;
c. privacy policy; and
d. privacy manual or privacy guide

A PIC or PIP may introduce or offer additional means of communicating (e.g., telefax, social
media platforms, etc.) with its DPO or COP.

For this purpose, the contact details of the DPO or COP should include the following
information:

a. title or designation
b. postal address
c. a dedicated telephone number
d. a dedicated email address

The name or names of the DPO or COP need not be published. However, it should be made
available upon request by a data subject or the NPC.

Weight of Opinion

The opinion of the DPO or COP must be given due weight. In case of disagreement, and
should the PIC or PIP choose not to follow the advice of the DPO or COP, it is recommended,
as good practice, to document the reasons therefor.

30
 Accountability

While the responsibility of complying with the DPA, its IRR, issuances by the NPC, and other
applicable laws remains with the PIC or PIP, malfeasance, misfeasance, or nonfeasance on the
part of the DPO or COP relative to his designated functions may still be a ground for
administrative, civil, or criminal liability, in accordance with all applicable laws.

Approved:

(Sgd.) RAYMUND E. LIBORO

Privacy Commissioner

(Sgd.) IVY D. PATDU (Sgd.) DAMIAN DOMINGO O. MAPA

Deputy Privacy Commissioner Deputy Privacy Commissioner

Date: 14 March 2017

31
II. Know your risks:
Conduct a Privacy Impact Assessment

NPC Advisory No. 2017-03

DATE : 31 July 2017

SUBJECT : GUIDELINES ON PRIVACY IMPACT ASSESSMENTS

Preamble
WHEREAS, Article II, Section 11 of the 1987 Constitution declares that the State values the
dignity of every human person and guarantees full respect for human rights, and Article XIII,
Section 21 states that Congress shall give highest priority to the enactment of measures that
protect and enhance the right of the people to human dignity. At the same time, enshrined in
jurisprudence is the recognition of the right to privacy as a right fully deserving of
constitutional protection;

WHEREAS, Section 2 of Republic Act No. 10173, also known as the Data Privacy Act of 2012
(DPA), provides that it is the policy of the State to protect the fundamental human right of
privacy of communication while ensuring free flow of information to promote innovation and
growth. The State also recognizes its inherent obligation to ensure that personal information
in information and communications systems in the government and in the private sector are
secured and protected;

WHEREAS, Section 20(c) of the DPA and Section 29 of its Implementing Rules and
Regulations (IRR) provide that the determination of the appropriate level of security for an
agency or organization processing personal data shall take into account the nature of the
personal information to be protected, the risks represented by the processing to the rights and
freedoms of data subjects, the size of the organization and complexity of its operations, current
data privacy best practices, and the cost of security implementation;

WHEREAS, pursuant to Section 7 of the DPA, the National Privacy Commission (NPC) is
mandated to administer and implement the provisions of the DPA, monitor and ensure
compliance of the country with international standards set for data protection, and coordinate
with government agencies and the private sector on efforts to formulate and implement plans
and policies that strengthen the protection of personal information in the country;

32
WHEREAS, Sections 4, 5, and 6 of NPC Circular 2016-01 requires government agencies to
conduct a Privacy Impact Assessment (PIA) for each program, process, or measure within the
agency that involves personal data. At the same time, Section 6 of NPC Circular 2016-03
recommends the conduct of a PIA as part of any organizations security incident management
policy.

WHEREFORE, in consideration of the foregoing premises, the NPC hereby issues this
Advisory that prescribes guidelines for the conduct of a Privacy Impact Assessment:

Scope
This Advisory shall apply to all natural or juridical persons, or any other body in the
government or private sector engaged in the processing of personal data within and outside
of the Philippines, subject to the applicable provisions of the DPA, its IRR, and other relevant
issuances of the NPC

Definition of Terms
For the purpose of this Advisory, the following terms are defined, as follows:

A. Act or DPA refers to Republic Act No. 10173, otherwise known as the Data
Privacy Act of 2012;

B. Commission or NPC refers to the National Privacy Commission;

C. Compliance Officer for Privacy or COP refers to an individual that performs

some of the functions of a DPO, as provided in NPC Advisory No. 17-01;

D. Control Framework refers to a comprehensive enumeration of measures a PIC or

PIP has established for the protection of personal data against natural dangers such
as accidental loss or destruction, and human dangers such as unlawful access,
fraudulent misuse, unlawful destruction, alteration and contamination;

E. Data Protection Officer or DPO refers to an individual designated by the head

of agency or organization to be accountable for its compliance with the Act, its IRR,
and other issuances of the Commission: Provided, that, except where allowed
otherwise by law or the Commission, the individual must be an organic employee
of the government agency or private entity: Provided further, that a government
agency or private entity may have more than one DPO;

F. IRR refers to the Implementing Rules and Regulations of the DPA;

33
G. Personal data refers to all types of personal information, including privileged
information;

H. Personal information refers to any information whether recorded in a material

form or not, from which the identity of an individual is apparent or can be
reasonably and directly ascertained by the entity holding the information, or when
put together with other information would directly and certainly identify an
individual;

I. Personal information controller or PIC refers to a person or organization who

controls the collection, holding, processing or use of personal information, including
a person or organization who instructs another person or organization to collect,
hold, process, use, transfer or disclose personal information on his or her behalf. The
term excludes:

1.) a person or organization who performs such functions as instructed by another

person or organization; or
2.) an individual who collects, holds, processes or uses personal information in
connection with the individuals personal, family or household affairs;

There is control if the natural or juridical person or any other body decides on what
information is collected, or the purpose or extent of its processing;

J. Personal information processor or PIP refers to any natural or juridical person

or any other body to whom a PIC may outsource or instruct the processing of
personal data pertaining to a data subject;

K. Privacy Impact Assessment is a process undertaken and used to evaluate and

manage impacts on privacy of a particular program, project, process, measure,
system or technology product of a PIC or PIP program, project, process, measure,
system or technology product of a PIC or PIP. It takes into account the nature of the
personal data to be protected, the personal data flow, the risks to privacy and
security posed by the processing, current data privacy best practices, the cost of
security implementation, and, where applicable, the size of the organization, its
resources, and the complexity of its operations;

L. Privacy Management Program refers to a process intended to embed privacy and

data protection in the strategic framework and daily operations of a personal
information controller or personal information processor, maintained through
organizational commitment and oversight of coordinated projects and activities.

M. Privileged Information refers to any and all forms of data which, under the Rules
of Court and other pertinent laws, constitute privileged communication;

34
 N. Processing refers to any operation or any set of operations performed upon
personal data including, but not limited to, the collection, recording, organization,
storage, updating or modification, retrieval, consultation, use, consolidation,
blocking, erasure or destruction of data;

O. Risk refers to the potential of an incident to result in harm or danger to a data

subject or organization;

P. Risk Rating refers to a function of the probability and impact of an event;

Q. Sensitive Personal Information refers to personal information:

1.) About an individuals race, ethnic origin, marital status, age, color, and
religious, philosophical or political affiliations;

2.) About an individuals health, education, genetic or sexual life of a person, or

to any proceeding for any offense committed or alleged to have been
committed by such person, the disposal of such proceedings, or the sentence
of any court in such proceedings;

3.) Issued by government agencies peculiar to an individual which includes, but

not limited to, social security numbers, previous or current health records,
licenses or its denials, suspension or revocation, and tax returns; and

4.) Specifically established by an executive order or an act of Congress to be kept

classified;

R. Threat refers to a potential cause of an unwanted incident, which may result in

harm or danger to a data subject, system, or organization;

S. Vulnerability refers to a weakness of a data processing system that makes it

susceptible to threats and other attacks.

General Principles
A Privacy Impact Assessment (PIA) helps a PIC and PIP navigate the process of
understanding the personal data flows in the organization. It identifies and provides an
assessment of various privacy risks, and proposes measures intended to address them.

The identification of risks and the use of a control framework for risk management should
consider existing laws, regulations, and issuances relevant to privacy and data protection, as
well as the rights of data subjects. The most appropriate standard recognized by the sector or
industry of the PIC or PIP, as well as that of the information and communications technology
industry shall also be considered.

35
 Key Considerations
In general, a PIA should be undertaken for every processing system of a PIC or PIP that
involves personal data. It may also be carried out vis--vis the entire organization of the PIC
or PIP with the involvement or participation of the different process owners and stakeholders.

A PIA should be conducted for both new and existing systems, programs, projects,
procedures, measures, or technology products that involve or impact processing personal
data. For new processing systems, it should be undertaken prior to their adoption, use, or
implementation. Changes in the governing law or regulations, or those adopted within the
organization or its industry may likewise require the conduct of a PIA, particularly if such
changes affect personal data processing.

A PIC may require a PIP or a service or product provider to conduct a PIA. For this purpose,
the report prepared by the PIP or the service or product provider may be considered by the
PIC in determining whether the former is able to provide a comparable level of protection to
the processing of personal data.

A PIC or PIP may choose to conduct a single PIA for multiple data processing systems that
involve the same personal data and pose similar risks. A single PIA may also be conducted
on a data processing system where two or more PICs or PIPs are involved.

The PIC or PIP may forego the conduct of a PIA only if it determines that the processing
involves minimal risks to the rights and freedoms of individuals, taking into account
recommendations from the DPO. In making this determination, the PIC or PIP should
consider the size and sensitivity of the personal data being processed, the duration and extent
of processing, the likely impact of the processing to the life of data subject and possible harm
in case of a personal data breach.

Objectives
The conduct of a PIA is intended to:

A. identify, assess, evaluate, and manage the risks represented by the processing of
personal data;

B. assist the PIC or PIP in preparing the records of its processing activities, and in
maintaining its privacy management program;

C. facilitate compliance by the PIC or PIP with the DPA, its IRR, and other applicable
issuances of the NPC, by determining:

36
 a. its adherence to the principles of transparency, legitimate purpose and
proportionality;
b. its existing organizational, physical and technical security measures relative to
its data processing systems;
c. the extent by which it upholds the rights of data subjects; and

D. aid the PIC or PIP in addressing privacy risks by allowing it to establish a control
framework;

In conducting a PIA, it is important that its results are properly documented in a report that
includes information on stakeholder involvement, proposed measures for privacy risk
management, and the process through which the results of the PIA will be communicated to
internal and external stakeholders.

Responsibility
The PIC or PIP is primarily accountable for the conduct of a PIA. This responsibility remains
even when it elects to outsource or subcontract the actual conduct of the activity. For this
purpose, the PIC or PIP may lay down a policy, which establishes the circumstances under
which a PIA shall be carried out, including the personnel involved, the resources available,
and the review process that will be undertaken.

A recommendation for the conduct of a PIA may also come from the DPO of the PIC or PIP.
Part of the functions of a DPO is to ensure the conduct of PIA relative to activities, measures,
projects, programs, or systems of the PIC or PIP. In case of disagreement between the DPO
and its principal on the conduct of a PIA, this should be properly documented, particularly
the reason for the conflicting views.

The extent of the involvement of the DPO in the PIA is left to the discretion of the PIC or PIP.
The PIC or PIP may allow the DPO to actively take part in the PIA, or it may simply consult
and seek his or her recommendations based on the results of the PIA.

Where the PIC or PIP has a COP, the involvement of the latter in the PIA shall also be
determined by the PIC or PIP.

Stakeholder Involvement
Stakeholder involvement is important in the conduct of a PIA. This may be accomplished
through their direct participation in the process, through consultations in a public forum or
focus group discussions, or through the use of surveys and feedback forms.

37
Stakeholders may be involved in the whole process, or may be consulted for specific stages,
such as in preparatory stage, during risk analysis and evaluation, or after the process during
review that leads up to the preparation of the report.

The results of a PIA should be communicated to the stakeholders via a written report.

Structure and Form

There is no prescribed standard or format for a PIA. As such, the PIC or PIP may determine
the structure and form of the PIA that it will use. It is not precluded from utilizing any existing
methodology, 6 provided the latter is acceptable based on the following criteria:7

1. It provides a systematic description of the personal data flow and processing

activities of the PIC or PIP. This includes:

1.) purpose of the processing, including, where applicable, the legitimate interest
pursued by the PIC or PIP;
2.) data inventory identifying the types of personal data held by the PIC or PIP;
3.) sources of personal data and procedures for collection;
4.) functional description of personal data processing, including a list of all
information repositories holding personal data and their location, and types of
media used for storage;
5.) transfers of personal data to another agency, company, or organization,
including transfers outside the country, if any;
6.) storage and disposal method of personal data;
7.) accountable and responsible persons involved in the processing of personal
data; and
8.) existing organizational, physical and technical security measures

2. It includes an assessment of the adherence by the PIC or PIP to the data privacy
principles, the implementation of security measures, and the provision of
mechanisms for the exercise by data subjects of their rights under the DPA.

3. It identifies and evaluates the risks posed by a data processing system to the rights
and freedoms of affected data subjects, and proposes measures that address them.

1.) Risk identification. Risks include natural dangers such as accidental loss or
destruction, and human dangers such as unlawful access, fraudulent misuse,
unlawful destruction, alteration and contamination.

6 Acceptable methodologies include ISO/IEC 29134, which provides standards for the conduct of the PIA.

7This takes into consideration Art 29 Data Protection Working Party Guidelines on Data Protection Impact
Assessment (DPIA) and determining whether processing is likely to result in a high risk for the purposes of
Regulation 2016/679 (4 April 2017) and the provisions of the DPA.

38
 2.) Risks evaluation based on impact and likelihood. The severity or extent of the
impact of a breach or privacy violation on the rights and freedoms of data
subjects must be determined. The probability of the risk happening and the
sources of such risk should also be taken into consideration.
3.) Remedial measures. Based on an assessment of risks, measures should be
proposed on how to address and manage the said risks.

4. It is an inclusive process, in that it ensures the involvement of interested parties and

secures inputs from the DPO and data subjects.

Planning a PIA
The following should be considered when planning the conduct of a PIA:
1. The PIC or PIP should signify its commitment to the conduct of a PIA. This means:
a. deciding on the need for a PIA;
b. assigning a person responsible for the whole process;
c. providing resources to accomplish the objectives of the PIA; and
d. issuing a clear directive for its conduct.

2. The program, project, process, measure, system or technology product on which a

PIA will be conducted should be identified. The scope of the PIA must be clearly
delineated.

3. The process owners, participants, and the persons in charge of conducting the PIA,
including the preparation of its report, should be identified. When the scope of the
PIA is determined to be broad and/or comprehensive, a taskforce or secretariat may
be necessary. The PIC or PIP may also outsource the conduct of the PIA, but great
care should be taken in evaluating the adequacy and propriety of the methodology
that will be utilized, and the expected outputs.

4. The PIC or PIP should determine how internal and external stakeholders will be
involved.

5. Other matters that should be established:

1.) objectives, schedules, and available resources;

2.) means of communicating the results of the PIA to stakeholders; and
3.) procedure for integrating the recommendations of the PIA into the control
framework of the organization.

Preparatory Activities
The following should be considered in the preparatory activities leading up to the conduct of
a PIA:
1. There should be records of the processing activities of the PIC or PIP, and an

39
 inventory of the personal data involved in such activities. For this purpose, a
personal data flow should be created, starting from the collection of personal data,
all the way up to its deletion or disposal, including storage. The process owners may
be assigned to provide these documents prior to conduct of the PIA.

2. A preliminary assessment should be undertaken to determine baseline information,

including existing policies and security measures of the organization. It is critical
that this be carried out in coordination with the different units or offices of the
organization, such as those in charge of compliance, quality management, records
and information management, information technology, administration and
planning, customer relations, and legal concerns.

3. Stakeholders may be consulted during the preparatory stage to identify their

concerns, expectations, and perception of the risks posed by the processing activities
of the organization. Existing reports may be considered, such as customer
satisfaction surveys, internal audits, and other assessment activities.

4. The objectives, scope, and methodology of the PIA should be established. A control
framework should be selected. For agencies that process the personal data records
of more than one thousand (1,000) individuals, including agency personnel, the
Commission recommends the use of the ISO/IEC 27002 and ISO/IEC 29151 control
set as the minimum standard to assess any gaps in the agencys control framework.

5. The detailed plan for the conduct of the PIA should be prepared, including:

1.) schedules and timelines for the completion of preparatory activities, conduct
of the PIA, and reporting or publication of results;
2.) approval of resource and budget allocations;
3.) participants and methods for stakeholder involvement;
4.) documentation and review process;
5.) other supporting documents.

Conduct of the PIA

The following should be considered in the conduct of a PIA:
1. The records of processing activities, the personal data inventory, and the personal
data flows should all be evaluated to determine whether additional information are
necessary for the proper conduct of a PIA. Taken together, these constitute the
baseline information, along with the following:

1.) purpose and legal basis of the processing activities, including data sharing and
other forms of data transfers.;
2.) persons responsible for processing personal data, including a list of those
individuals with access thereto;
3.) list of all information repositories and technology products used;
4.) sources and recipients of personal data; and

40
 5.) existing policies, procedures and security measures relevant to personal data
protection.

2. Once baseline information is complete, the processing activities should be evaluated

against the legal obligations of the PIC or PIP, and the latters chosen control
framework.

3. The control framework should adhere to the data privacy principles. It should
implement security measures and establish procedures for the proper exercise by
data subjects of their rights. Privacy and data protection measures, whether planned
and existing, should be considered.

4. The data processing systems of the PIC or PIP should be assessed to determine if
there are gaps at any stage of the processing. There is a gap when:

1.) there is a violation of any data privacy principle;

2.) the organizational, physical, and technical security measures are inadequate to
safeguard the confidentiality, availability, and/or integrity of personal data; or
3.) the exercise of data subjects of their rights is not possible or restricted without
legal basis.

5. Gaps should be evaluated to determine the risks involved to personal data, possible
threats, and existing vulnerabilities of the systems. Risks include the following:

1.) unauthorized or unlawful processing;

2.) confidentiality breach;
3.) integrity breach;
4.) availability breach; and
5.) violations of rights of data subjects

6. Risks, in turn, should be assessed to determine whether the breach or privacy

violation it poses is likely to happen. The assessment should consider the processing
operations of the PIC or PIP, vulnerabilities and threats, as well as existing
safeguards, if any. A determination of how the risk will affect the rights and
freedoms of data subjects should be done based on the amount and nature of
personal data involved, and the impact of possible harm.

7. Measures to address the risks identified should be proposed. They may mitigate,
accept, avoid, or transfer the risks posed by the processing, by taking into account
the likelihood and impact of a breach or privacy violation, the available resources of
the organization to address the risks, current data privacy best practices, and
industry or sector standards. The proposed measures should include:

1.) risks and strategies for risk management;

2.) implementing activities, including definite plans and specific projects;

41
 3.) controlling mechanisms to monitor, review, and support implementation;
4.) proposed time frame, expected completion, or schedules;
5.) responsible and accountable persons; and
6.) necessary and available resources.

8. Involvement of stakeholders should be documented.

9. The report featuring the results of the PIA should be reviewed before being finalized
and approved. It should include the proposed measures that should serve as basis
for implementing changes in the organization (e.g., new policies and procedures,
security measures to strengthen data processing systems, etc.). The report should
also include recommendations as to when the PIA will be updated and reviewed.

10. Results of the PIA should be reported to management and communicated to internal
and external stakeholders. The PIC or PIP can limit the information provided to the
public based on its legitimate interests, such as the legal, business operation, or
security risks that disclosure may give rise to.

Documentation and Review

A PIA requires documentation and procedures for review. Its results should be contained in
a corresponding report.

The PIC or PIP must maintain a record of all its PIA reports. When a report contains
information that are privileged or confidential, the PIC or PIP may prepare a PIA Summary
that can be made available to data subjects upon request. Other means of communicating the
results of the PIA to internal and external stakeholders should be considered, such as
publishing key findings or result summaries in the PIC or PIP website, through newsletters,
annual reports, and other similar materials.

A PIA should be evaluated every year. This, however, does not preclude the conduct of a new
PIA on the same data processing system, when so required by significant changes required
by law or policy, and other similar circumstances.

Compliance and Accountability

The conduct of a PIA is one of the ways a PIC or PIP is able to demonstrate its compliance
with the DPA, its IRR, and related issuances of the NPC. It also represents a proactive
approach to the management of risks represented by personal data processing by ensuring
that the rights of data subjects are protected.

42
In the event a personal data breach occurs, or a complaint is filed by a data subject against the
PIC or PIP, the conduct of a PIA shall be considered in evaluating if the PIC or PIP exercised
due diligence in the processing of personal data.

When the NPC determines that a processing system of a PIC or PIP poses a significant risk to
the rights and freedoms of data subjects, it may request for a copy of the PIA report regarding
such system. When so requested, such copy shall also be made available to the Commission
for compliance monitoring purposes.

Approved:

[SGD] RAYMUND E. LIBORO

Privacy Commissioner

[SGD] IVY D. PATDU [SGD] DAMIAN DOMINGO O. MAPA

Deputy Privacy Commissioner Deputy Privacy Commissioner

Date: 31 July 2017

43
Privacy Impact Assessment Template

I. Project/System Description
a. Description
Describe the program, project, process, measure, system or technology product and its context. Define
and specify what it intends to achieve Consider the pointers below to help you describe the project.

Brief Description of the project/system

Describe the process of the projects
Describe the scope and extent
Any links with existing programs or other projects
The system/projects overall aims (purpose of the project/system)
What is the project/system aims to achieve?
What are the benefits for the organizations and data subjects?
Any related documents to support the projects/system
Project/System Requirements Specification
Project/System Design Specification
Or any related documents

b. Scope of the PIA

This section should explain, what part or phase of the program the PIA covers and, where necessary for
clarity, what it does not cover.

What will the PIA cover?

What areas are outside scope?
Is this just a desk-top information gathering exercise, do I have to get information from a wide variety
of sources?
Who needs to be involved and when will they be available?
Where does the PIA need to fit in the overall project plan and timelines?
Who will make decisions about the issues identified by the PIA? What information do they need and how
long will it take to get sign-off from them?
Do I need to consult with anyone (for instance the individuals whose personal information the project
will involve)? When and how should this happen?
Are there any third parties involved and how long do I need to allow for them to play their part?

II. Threshold Analysis

The following questions are intended to help you decide whether a PIA is necessary. Answering yes to any of these questions
is an indication that a PIA would be a useful exercise. You can expand on your answers as the project develops if you need
to.

a. Will the project or system involve the collection of new information about individuals?
O No O Yes
b. Is the information about individuals sensitive in nature and likely to raise privacy
concerns or expectations e.g. health records, criminal records or other information
people would consider particularly private?
O No O Yes
c. Are you using information about individuals for a purpose it is not currently used for,
or in a way it is not currently used?
O No O Yes

44
 d. Will the initiative require you to contact individuals in ways which they may find
intrusive?
O No O Yes
e. Will information about individuals be disclosed to organizations or people who have
not previously had routine access to the information?
O No O Yes
f. Does the initiative involve you using new technology which might be perceived as
being privacy intrusive (e.g. biometrics or facial recognition)?
O No O Yes
g. Will the initiative result in you making decisions or taking action against individuals
in ways which can have a significant impact on them?
O No O Yes
h. Are the personal data collected prior to August 2016?
O No O Yes

III. Stakeholder(s) Engagement

State all project stakeholders, consulted in conducting PIA. Identify which part they were involved. (Describe
how stakeholders were engaged in the PIA process)

Name Role Involvement Inputs/Recommendations

*add additional row if needed

IV. Personal Data Flows

Identify the personal data involved and describe the data flow from collection to disposal by answering the
following questions below:

What personal data are being or will be processed by this project/system?

List all personal data (e.g. Personal Full Name, address, gender, phone number, etc.,) and state which is/are the
sensitive personal information (e.g. race, ethnicity, marital status, health, genetic, government issued numbers).

All the information stated above will be in accordance to the next section.
Collection
1. State who collected or will be collecting the personal information and/or sensitive
information.

45
2. How the personal information/sensitive personal information is collected and from whom
it was collected?
If personal information is collected from some source other than the individual?

3. What is/are the purpose(s) of collecting the personal data?

Be clear about the purpose of collecting the information
Are you collecting what you only need?

4. How was or will the consent be obtained?

Do individuals have the opportunity and/or right to decline to provide data?
What happen if they decline?

Storage
1. Where is it currently being stored?
Is it being stored in a physical server or in the cloud?

2. Is it being stored in other country?

If it is subject to a cross-border transfer, specify what country or countries.

3. Is the storage of data being outsourced?

Specify if the storing process is being done in-house or is it handled by a service provider

Usage
1. How will the data being used or what is the purpose of its processing?
Describe how the collected information is being used or will be used
Specify the processing activities where the personal information is being used.

Retention
1. How long are the data being retained? And Why?
State the length of period the data is being retained?
What is the basis of retaining the data that long? Specify the reason(s)

46
 2. The data is being retained by the organization or is it being outsourced?
Specify if the data retention process is being done in-house or is it handled by a service provider

Disclosure/Sharing
1. To whom it is being disclosed to?

2. Is it being disclosed outside the organization? Why is it being disclosed?

Specify if the personal information is being shared outside the organization
What are the reasons for disclosing the personal information

Disposal/Destruction
1. How will the data be disposed?
Describe the process of disposing the personal information

2. Who will facilitate the destruction of the data?

State if the process is being managed in-house or if it is a third party

V. Privacy Impact Analysis

Each program, project or means for collecting personal information should be tested for consistency with the
following Data Privacy Principles (as identified in Rule IV, Implementing Rules and Regulations of Republic
Act No. 10173, known as the Data Privacy Act of 2012). Respond accordingly with the questions by checking
either the Yes or No column and/or listing the what the questions may indicate.

Transparency Yes No

1 Are data subjects aware of the nature, purpose, and extent of the processing
of his or her personal data?
2 Are data subjects aware of the risks and safeguards involved in the
processing of his or her personal data?
3 Are data subjects aware of his or her rights as a data subject and how these
can be exercised?
Below are the rights of the data subjects:
Right to be informed
Right to object
Right to access
Right to correct

47
 Right for erasure or blocking
Right to file a complaint
Right to damages
Right to data portability
4 Is there a document available for public review that sets out the policies for
the management of personal data?
Please identify document(s) and provide link where available
____________________________________________________________
____________________________________________________________

5 Are there steps in place to allow an individual to know what personal data
it holds about them and its purpose of collection, usage and disclosure?
6 Are the data subjects aware of the identity of the personal information
controller or the organization/entity processing their personal data?
7 Are the data subjects provided information about how to contact the
organizations Data Protection Officer (DPO)?
Legitimate Purpose Yes No

1 Is the processing of personal data compatible with a declared and specified

purpose which are not contrary to law, morals, or public policy?
2 Is the processing of personal data authorized by a specific law or regulation,
or by the individual through express consent?
Proportionality Yes No

1 Is the processing of personal data adequate, relevant, suitable, necessary

and not excessive in relation to a declared and specified purpose?
2 Is the processing of personal data necessary to fulfill the purpose of the
processing and no other means are available?

Collection Yes No

1 Is the collection of personal data for a declared, specified and legitimate

purpose?
2 Is individual consent secured prior to the collection and processing of
personal data?
If no, specify the reason
___________________________________________________________
___________________________________________________________
3 Is consent time-bound in relation to the declared, specified and legitimate
purpose?
4 Can consent be withdrawn?
5 Are all the personal data collected necessary for the program?
6 Are the personal data anonymized or de-identified?
7 Is the collection of personal data directly from the individual?
8 Is there authority for collecting personal data about the individual from
other sources?
9 Is it necessary to assign or collect a unique identifier to individuals to enable
your organization to carry out the program?

48
 10 Is it necessary to collect a unique identifier of another agency?
e.g. SSS number, PhilHealth, TIN, Pagibig, etc.,
Use and Disclosure Yes No

1 Will Personal data only be used or disclosed for the primary purpose?

2 Are the uses and disclosures of personal data for a secondary purpose
authorized by law or the individual?
Data Quality Yes No

1 Please identify all steps taken to ensure that all data that is collected, used or
disclosed will be accurate, complete and up to date:
1.1 - Information was obtained from a reputable source such as another
government agency
1.2 - The system is regularly tested for accuracy
1.3 - Periodic reviews of the information
1.4 - A disposal schedule in place that deletes information that is over the
retention period
1.5 - Staff are trained in the use of the tools and receive periodic updates
1.6 - Reviews of audit trails are undertaken regularly
1.7 - Independent oversight
1.8 - Incidents are reviewed for lessons learnt and systems/processes
updated appropriately
1.9 Others, please specify
____________________________________________________________
____________________________________________________________

Data Security Yes No

1 Do you have appropriate and reasonable organizational, physical and

technical security measures in place?
organizational measures - refer to the systems environment, particularly to the individuals
carrying them out. Implementing the organizational data protection policies aim to maintain
the availability, integrity, and confidentiality of personal data against any accidental or
unlawful processing (i.e. access control policy, employee training, surveillance, etc.,)
physical measures refers to policies and procedures shall be implemented to monitor and
limit access to and activities in the room, workstation or facility, including guidelines that
specify the proper use of and access to electronic media (i.e. locks, backup protection,
workstation protection, etc.,)
technical measures - involves the technological aspect of security in protecting personal
information (i.e. encryption, data center policies, data transfer policies, etc.,)
Organizational Security: Yes No

- Have you appointed a data protection officer or compliance officer?

- Are there any data protection and security measure policies in place?
- Do you have an inventory of processing systems? Will you include this
project/system?

49
 - Are the users/staffs that will process personal data through this
project/system under strict confidentiality if the personal data are not
intended for public disclosure?
- If the processing is delegated to a Personal Information Processor
Have you review the contract with the personal information processor?
Physical Security: Yes No

- Are there policies and procedures to monitor and limit the access to this
project/system?
- Are the duties, responsibilities and schedule of the individuals that will
handle the personal data processing clearly defined?
- Are there policies and procedures to prevent destruction of files
generated by this project/system?
Technical Security: Yes No

- Is there a security policy with respect to the processing of personal data?

- Do you have policies and procedures to restore the availability and
access to personal data when an incident happens?
- Do/Will you regularly test, assess and evaluate the effectiveness of the
security measures of this project/system?
- Are the personal data processed by this project/system encrypted while
in transit or at rest?
2 The program has taken reasonable steps to protect the personal data it holds
from misuse and loss and from unauthorized access, modification or
disclosure?
3 If yes, which of the following has the program undertaken to protect
personal data across the information lifecycle:
3.1 - Identifying and understanding information types
3.2 - Assessing and determining the value of the information
3.3 - Identifying the security risks to the information
3.4 - Applying security measures to protect the information
3.5 - Managing the information risks.
Disposal Yes No

1 The program will take reasonable steps to destroy or de-identify personal

data if it is no longer needed for any purpose.
If YES, please list the steps
_______________________________________________________
_______________________________________________________

Cross-border Data Flows (optional) Yes No

1 The program will transfer personal data to an organization or person

outside of the Philippines
If YES, please describe:
_________________________________________________________

50
 _________________________________________________________
_________________________________________________________

2 Personal data will only be transferred to someone outside of the Philippines

if any of the following apply:
a. The individual consents to the transfer
b. The organization reasonably believes that the recipient is subject to laws or a contract
enforcing information handling principles substantially similar to the DPA of 2012
c. The transfer is necessary for the performance of a contract between the individual
and the organization
d. The transfer is necessary as part of a contract in the interest of the individual between
the organization and a third party
e. The transfer is for the benefit of the individual;

3 The organization has taken reasonable steps so that the information

transferred will be stored, used, disclosed and otherwise processed
consistently with the DPA of 2012
If YES, please describe steps:
___________________________________________________________
___________________________________________________________
___________________________________________________________
___________________________________________________________

VI. Privacy Risk Management

For the purpose of this section, a risk refers to the potential of an incident to result in harm or danger to a data
subject or organization. Risks are those that could lead to the unauthorized collection, use, disclosure or access to
personal data. It includes risks that the confidentiality, integrity and availability of personal data will not be
maintained, or the risk that processing will violate rights of data subjects or privacy principles (transparency,
legitimacy and proportionality).

The first step in managing risks is to identify them, including threats and vulnerabilities, and by evaluating its
impact and probability.

The following definitions are used in this section

51
 Risk the potential for loss, damage or destruction as a result of a threat exploiting a vulnerability;

Threat "a potential cause of an unwanted incident, which may result in harm to a system or

Impact

Rating Types Description

The data subjects will either not be affected or may encounter a few inconveniences, which
1 Negligible
they will overcome without any problem.

The data subject may encounter significant inconveniences, which they will be able to
2 Limited
overcome despite a few difficulties.

The data subjects may encounter significant inconveniences, which they should be able to
3 Significant
overcome but with serious difficulties.

The data subjects may encounter significant inconveniences, or even irreversible,

4 Maximum
consequences, which they may not overcome.

Probability

1 Unlikely Not expected, but there is a slight possibility it may occur at some time.

2 Possible Casual occurrence. It might happen at some time.

3 Likely Frequent occurrence. There is a strong possibility that it might occur.

4 Almost Certain Very likely. It is expected to occur in most circumstances.

organization;

Vulnerability a weakness of an asset or group of assets that can be exploited by one or more threats;

Impact - severity of the injuries that might arise if the event does occur (can be ranked from trivial
injuries to major injuries); and

Probability - chance or probability of something happening;

Select the appropriate level or criteria of impact and probability to better assess the risk. Kindly refer to the table
below for the criteria.
Note: Try to itemized your risks by designating a reference number. This will be used as a basis on the next sections (VII.
Recommended Privacy Solutions and VIII. Sign off and Action Plan). Also, base the risks on the violation of privacy principles,
rights of data subjects and confidentiality, integrity and availability of personal data.

Ref Threats/Vulnerabilities Impact Probability Risk Rating

#

1 2 3 4 1 2 3 4

1 2 3 4 1 2 3 4

1 2 3 4 1 2 3 4

1 2 3 4 1 2 3 4

52
 * 1 2 3 4 1 2 3 4

*add additional row if needed

Kindly follow the formula below for getting the Risk Rating:

Risk Rating = Impact x Probability

Kindly refer to the table below for the criteria.

Rating Types

1 Negligible

2-3 Low Risk

4-9 Medium Risk

10-16 High Risk

Figure 1

VII. Recommended Privacy Solutions

From the risks stated in the previous section, identify the recommended solution or mitigation measures. You can
cite your existing controls to treat the risks in the same column.

Ref# Recommended Solutions (Please provide justification) Approved

(Y/N)

53
 *

*add additional row if needed

VIII. Sign off and Action Plan

State the approved solutions based on the stated solution on the last section. Indicate the person who approved
and its completion date.

Ref# Approved Solution Approved by Completion

Date

*add additional row if needed

Signatures

Program/Process Owner Signature Date

Data Protection Officer Signature Date

Head of the Organization Signature Date

III. Be Accountable:
Develop a Privacy Management Program and Privacy Manual

Privacy Management Program Guide

The digital age undeniably made the world interconnected. At the same time, it entailed
extensive use of our personal data in corporate, professional and personal transactions. It may
have resulted in efficient and optimized processes but it exposed us to various security risks.

Over a billion records of personal identifiable information have been stolen in recent years
worldwide. Organizations incurred an average cost of $4 million due to data breaches in 2016,
according to an IBM and Ponemon Institute Study. In the Philippines alone, a security breach
at the Commission on Elections exposed the personal information of about 55 million voters.

54
The losses and dangers from data breach prompted global waves of data protection policies.
In 2012, the Philippines legislated Republic Act No. 10173, also known as the Data Privacy Act
(DPA). It created the National Privacy Commission (NPC) to safeguard our fundamental right
to privacy while supporting the free flow of information as the backbone of the new digital
economy. The NPC was established in 2016 and is now set to implement the DPA.

With this, government and private organizations covered by the DPAthe personal
information controllers (PICs) and personal information processors (PIPs), probably have
several questions in mind. How do we comply with the provisions of the law? How do we
not commit any data privacy violation? Where do we start? The simplest answer is to have a
Privacy Management Program (PMP) in place.

A Privacy Management Program is a holistic approach to privacy and data protection,

important for all agencies, companies or other organization involved in the processing of
personal data. It is a process intended to embed privacy and data protection in the strategic
framework and daily operations of a personal information controller or personal information
processor. The Privacy Management Program is maintained through organizational
commitment and oversight of coordinated projects and activities implemented throughout
the agency, company or organization, that allows efficient use of available resources,
implements control measures to assure privacy and data protection, and puts in place a
system for review to allow for improvements responsive to data privacy best practices and
technological developments.
A Privacy Management Program is an acknowledgement by the PIC or PIP8 of their
accountability for complying with the requirements of the Act and their responsibility for
personal data under their control or custody.9 The Act mandates that PICs and PIPs ensure
implementation of data privacy principles,10 security measures, 11 and procedures for data
subjects to exercise their rights.12 The objective of a Privacy Management Program is to pave
the way for changes within the organization that will: strengthen data processing systems to
minimize the costs of personal data breaches; allow meaningful use of information for the
benefit of both the organization and the data subjects; and manage the challenges of the digital
age to safeguard the right to information privacy.
But creating, implementing and enhancing a Privacy Management Program is no easy task. It
takes thorough planning to ensure all pertinent aspects of your operations are considered and
that protection of customers and employees information comes first.

8Data Privacy Act Sec.14 (The personal information processor shall comply with all the requirements of this Act
and other applicable laws.).

9 Data Privacy Act Sec. 21 (Each personal information controller is responsible for personal information under its
control or custody), 21(a)(The personal information controller is accountable for complying with the requirements
of this Act and shall use contractual or other reasonable means to provide a comparable level of protection while
the information are being processed by a third party).

10 Data Privacy Act Sec. 11 (The personal information controller must ensure implementation of personal
information processing principles set out herein.)

11Data Privacy Act Sec. 20 (The personal information controller must implement reasonable and appropriate
organizational, physical and technical measures.)

12 Data Privacy Act Secs. 16-19 (Rights of Data Subjects).

55
The NPC came up with a Guide to help you in this undertaking. It is meant to see PICs and
PIPs through the whole exercise of developing and maintaining a Privacy Management
Program. Given the fast-changing landscape of data protection, this Guide will be updated
whenever necessary.

Why create a Privacy Management Program?

It puts everyone on the same page. A PMP provides an easier way to explain to the
management and staff: why are we doing this, what are the results we expect, what are the
benefits of those results, and what do we need to do to get there. With this, you will smoothly
get everyone on board.

Compliance with the Act becomes more manageable. As a PMP outlines everything that
stakeholders need to know about the what(s) and how(s) of data privacy, there is a reduced
likelihood you will violate the DPA and incur penalties.

It gives PICs and PIPs competitive advantage. Implementing a PMP shows your
organizations commitment to protect the personal information of your customers. This, in
turn, leads to increased trust and higher patronage.

It saves PICs and PIPs from avoidable expenses. Clean up costs during personal data
breaches may be prevented through a strong PMP. Further, it helps safeguard the reputation
of organizations and individuals as well.

Key Components of a Privacy Management Program

A strong PMP has Organizational Commitment and Program Controls at its foundation.

1. Organizational Commitment
PICs and PIPs (both public and private) should develop and maintain a PMP intended to
allow the agency, company or organization to give effect to the data privacy principles of
the Data Privacy Act of 2012 (RA 10173), to put in place security measures for data
protection, and to provide a means for data subjects to exercise their rights. This means
creating a governance structure, built on the acknowledgment by the PICs and PIPs of
their accountability for privacy and data protection. From top management, the
responsibility for compliance should be shared by all those involved in the processing of
personal data, driven by an organizational commitment to cultivate a culture of privacy.
The PMP, through its program controls, shall allow privacy and data protection to be
incorporated in the daily operations of the PIC or PIP.

1.1. Buy-in from the Top

Top management support is key to a successful PMP and essential for the emergence of
a culture of privacy in the PIC or PIP.

The PIC or PIP, through head of agency or Board, shall drive the urgency within the
organization to comply with the Data Privacy Act, its IRR and related issuances of the

56
NPC. The commitment to comply may be demonstrated by maintaining a Privacy
Management Program, and allocating resources to ensure its successful implementation.

The PMP is a means to implement control measures for privacy and data protection and
to put in place a review system for assessment and continuous improvement of the
program. Through the PMP, privacy and data protection will be embedded in the
organizations policies, procedures, projects and other activities.
.
This means that top management should:

appoint the Data Protection Officer(s);

endorse a set of program controls; and
report to the Board, as appropriate, on the program.

1.2. Data Protection Officer

A PIC or PIP shall designate an individual or individuals who shall function as DPO. The
DPO shall be accountable for ensuring the compliance by the PIC or PIP with the DPA,
its IRR, issuances by the NPC, and other applicable laws and regulations relating to
privacy and data protection. The DPO shall be responsible for structuring, designing and
managing the privacy management program, including compliance monitoring, risk
assessment, policy and procedure development, capacity building and data subject
assistance.
Please refer to NPC Advisory 17-01: Designation of Data Protection Officers for the list of
functions of a DPO.

PICs and PIPs face competing interests and personal data protection is one program of
many. Personal data protection should be seen not just as legal compliance but also in
terms of improving processes, customer/citizen relationship management, and
reputation. The importance of the PMP should be recognized at all levels. It is important
to build it into every major function involving the use of personal data, including
product/service development, customer services or public relations initiatives. The
responsibility for complying with the Data Privacy Act shall be cascaded to process
owners, and the organizations personnel.

The Data Protection Officer should be a full time or regular employee. Where
employment is based on contract, the term should be for at least two years. In larger
organizations with complex operations, or those where data processing is high risk, the
Data Protection Officer may need to be supported by dedicated staff. Resources should
be channeled to provide the DPO with training, equipment, and time to allow fulfillment
of functions.

1.3. Reporting

The PIC or PIP should establish internal reporting mechanisms to ensure that the privacy
management program is structured and whether it is functioning as expected. In larger

57
 organizations, the audience for this information is likely to be top management, and in
turn, top management reports to the board of directors. All reporting mechanisms should
be reflected in the PIC or PIPs program controls.

PICs and PIPs should establish internal audit and assurance program to monitor
compliance with the Data Privacy Act. This could include the form of customer/citizen
and employee feedback (for smaller organizations) and third-party verifications (for
larger organizations). Should the PIC or PIP be subject to an inquiry, an inspection or an
investigation, these reports may be helpful in demonstrating the organizations
compliance with the law.

However, there is more to reporting. There will be times when escalation of personal data
issues should be considered (e.g., when there is a security breach or in case of complaints).
Escalation means both involving people of relevant responsibility and ensuring that the
needed persons in the PIC or PIP are included in the resolution of the issue. In large PICs
and PIPs, this could include, for example, representatives from technical, legal and
corporate communications streams. How and when to escalate should be clearly defined
and explained to employees. To ensure that related processes are being followed, PICs
and PIPs may need to monitor whether the necessary steps are being taken when
triggered. They may find it useful to conduct test runs, for example, for their personal
data breach identification, escalation and containment protocols.

An effective reporting program has the following characteristics:

clearly defines its reporting structure (in terms of reporting on its overall compliance
activities) as well as employee reporting structures in the event of a complaint or a
potential breach;
tests and reports on the results of its internal reporting structures; and
documents all of its reporting structures.

2. Program Controls

These ensure that what is mandated in the governance structure is implemented by the
PIC or PIP. Program controls will assist the Data Protection Officer in monitoring
compliance with the Data Privacy Act, and in evaluating the privacy management
program within the organization.

2.1. Records of Processing Activities

PICs and PIPs should know what kinds of personal data it holds, how the personal data
is being used, and whether it really needs those data at all.

Understanding and documenting the types of personal data that a PIC or PIP collects and
where it is held (e.g. whether the data has been passed to any PIP) are important. This
will affect the type of consent they obtain from individuals and how the data is protected;
and it will make it easier to assist individuals in exercising their data access and correction
rights. This will also assist the PIC or PIP in complying with registration requirements.
Every component of an accountable, effective PMP begins with personal data inventory.

58
Every PIC and PIP should document:
the kinds of personal data it holds and where it is held (i.e. within the PIC or by the
PIP; and
the reason(s) why it is collecting, using or disclosing personal data.

2.2. Risk Assessment Tools

Proper use of risk assessment tools can help prevent problems. The NPC recommends the
conduct of Privacy Impact Assessments for programs, projects, processes and technology
use that involve processing of personal data. The conduct of a PIA assists the PIC or PIP
in managing privacy risks and in determining the appropriate level of security required
by its personal data processing.

Risk assessments should be conducted throughout the PIC or PIP. Fixing a personal data
problem after the fact can be costly. Therefore, it is vital that careful consideration of the
purposes for a particular initiative, product or service, and an assessment that minimizes
any personal data impacts is done.

2.3. Policies and Procedures

The key components of the PMP should be included in a Privacy Manual or other internal
policies that address obligations and requirements under the law. These policies should
be made available to all employees and updated periodically.

PICs and PIPs should develop internal policies that addresses the obligations under the
law to adhere to data privacy principles, put in place security measures, and provide
procedures for data subjects to exercise their rights. These policies should be develop to
put in place controls at every stage of the personal data life cycle from collection to
storage or disposal. These policies should be documented and should show how they
connect to the legal requirements.

The key policies that PICs and PIPs should have in place includes:

Collection of personal data;

Use of personal data including the requirements for consent;
Retention and Disposal of personal data;
Data quality assurance;
Security of personal data;
Data Sharing and cross-border transfers
Transparency of their personal data policies and practices; and
Access to and correction of personal data and other data subject rights.

PICs and PIPs should also consider incorporating the personal data compliance
requirements in their other policies such as contract management policies, procurement
policies, human resources policies and policies dealing with the disclosure of personal
data to regulatory bodies, law enforcement agencies and other government agencies.

59
2.4. Security Measures

The PIC or PIP should have in place organizational, physical and technical security
measures for purpose of maintaining the confidentiality, integrity and availability of
personal data. These measures should include:

(1) Safeguards to protect its computer network against accidental, unlawful or

unauthorized usage or interference with or hindering of their functioning or availability;

(2) A security policy with respect to the processing of personal information;

(3) A process for identifying and accessing reasonably foreseeable vulnerabilities in its
computer networks, and for taking preventive, corrective and mitigating action against
security incidents that can lead to a security breach; and

(4) Regular monitoring for security breaches and a process for taking preventive,
corrective and mitigating action against security incidents that can lead to a security
breach.

For organizations that handle personal data for more than 1,000 individuals, NPC
recommends the use of the ISO/IEC 27002 control set as the minimum standard to assess
any gaps in your control framework.

2.5. Capacity Building

In order for the PMP to be effective, relevant employees should be made aware of
personal data protection generally and to be conversant with the PIC or PIPs policies and
practices for compliance with the law. Those who handle personal data directly may need
additional training specifically tailored to their roles. Training and education need to be
current and relevant.

Employees will be able to better protect personal data when they are able to recognize a
matter as one that involves personal data protection. Even if PICs and PIPs have very
sound policies and program controls but employees do not follow them, the PMP has
broken down. Employees should be reminded to comply with the PIC or PIPs policies
and program controls as an integral part of their duties.

There are many ways for PICs and PIPs to deliver training and general personal data
protection education. Examples include small group sessions, one-on-one training,
monthly e-newsletters, or inserting modules within training on organization policies. The
PIC or PIP should document its training processes and measure participation and success.

For personal data protection training and education to be effective, it should:

be given to new employees and periodically thereafter;

cover the policies and procedures established by the PIC or PIP;
be delivered in an appropriate and effective manner, based on organizational needs;
and
circulate essential information to relevant employees as soon as practical if an urgent
need arises.

60
2.6. Registration and Notification Requirements

The PMP should ensure compliance with the notification and reporting requirements
under the Data Privacy Act. These include:

a. Registration of personal data processing systems operating in the country when the
PIC or PIP employs at least 250 employees, when processing involves sensitive personal
information of at least one thousand (1,000) individuals, when processing is not
occasional, or when processing poses a risk to the rights and freedoms of data subjects.

b. Notification of automated processing operations where the processing becomes the

sole basis of making decisions that would significantly affect the data subject;

c. Breach notification and annual report of the summary of documented security

incidents and personal data breaches;

2.7. Breach Management

Personal data breaches are expensive and could lead to loss of trust.

PICs and PIPs should have policies and procedures in place to prevent or minimize the
occurrence of a personal data breach, including a security incident policy. The PIC or
PIP should constitute a data breach response team with clear reporting lines and at least
one member with the capacity to make decisions in case of a breach. There must be an
incident response procedure that includes guidance on when to notify the NPC or data
subjects, and when to involve external agencies such as law enforcement.

In handling personal data breach, PICs and PIPs should consider the circumstances of the
breach, and decide whether any of the persons identified in NPC Circular No. 16-03
should be notified.

2.8. PIP Management

Personal data handling by the PIP is another key area to consider.

The types of obligations to be imposed on PIP should include the following:

security measures to be taken by the PIP;
timely return, destruction or deletion of the personal data no longer required;
prohibition against other use and disclosure;
prohibition (absolute or qualified) against sub-contracting to other service provider;
reporting of irregularity;
measures to ensure contract staffs compliance with the agreed obligations;
PICs right to audit and inspect; and
consequences for violation of the contract.

For additional guidelines, please refer to Rule X. Outsourcing and Subcontracting

Agreements, of the IRR.

61
 2.9. Communication

PICs and PIPs should take all practical steps to ensure employees and customers/citizens
can ascertain their personal data policies and practices.
Communication should be clear and easily understandable and not simply a reiteration
of the Data Privacy Act. In general, it should:

provide enough information so that the public knows the purpose of the collection,
use and disclosure of personal data and how long it is retained;
include information on who to contact with questions or concerns; and
be made easily available to individuals.

Individuals should be made aware of their ability to access their personal data held by
the PIC or PIP, and how to request correction or to enquire about the PICs or PIPs
compliance with the law.

Continuing Assessment and Revision

In order to properly protect personal data and meet legal obligations, PICs and PIPs
should monitor, assess and revise their privacy management framework to ensure it
remains relevant and effective.

1. Develop an Oversight and Review Plan

An oversight and review plan will help PICs and PIPs keep its PMP on track and up-to-
date.

The Data Protection Officer should monitor data processing systems and ensure conduct
of PIAs when necessary. The policies of the PIC or PIP should include procedures for
documentation, regular review, evaluation, and updating of the privacy and security
policies and practices in the organization. The oversight and review plan should establish
performance measures and include a schedule of when the policies and other program
controls will be reviewed.

The DPO should also develop an oversight and review plan on a periodic basis that sets
out how and when the PMP's effectiveness will be monitored and assessed. Depending
on the PIC or PIPs compliance and control infrastructure, such plan may be covered in
its overall oversight and review system.

2. Assess and Revise Program Controls

The effectiveness of program controls should be monitored, periodically audited, and

where necessary, revised.

Monitoring, an ongoing process, should address the following questions:

What are the latest threats and risks?

Are the program controls addressing new threats and reflecting the latest complaint
or audit findings, or guidance of the National Privacy Commission?
Are new services being offered that involve increased collection, use or disclosure of
personal data?

62
 Is training necessary? If yes, is it taking place? Is it effective? Are policies and
procedures being followed? And, Is the training program up to date?

If problems are found during the monitoring process, concerns will need to be
documented and addressed by the appropriate officials. Critical issues should be brought
to the attention of top management.

For critical or high-risk processes, periodic internal or external audits are important ways
to assess the effectiveness of a PIC or PIPs PMP. Otherwise, it is recommended that the
Data Protection Officer should conduct periodic assessments to ensure key processes are
being respected. Through whatever means appropriate, PICs and PIPs need to put in
place practical measures to ensure that employees or contractors are following the
mandated policies and program controls.

Each PIC and PIP will need to decide how to structure its own privacy management
program, taking into consideration a number of factors, including the size of the PIC or
PIP, its business/mandate, and the amount and sensitivity of the personal data it handles.

PICs and PIPs should conduct assessments of their program controls in a focused,
continuous and thorough manner.

Based on the results of the assessment process, the Data Protection Officer should
consider whether to take action to update and revise the program controls. This is a
critical responsibility. The changes should be communicated to employees either as they
are made or in refresher education and training modules, as appropriate.

CHECKLISTS

KEY COMPONENTS OF A PRIVACY MANAGEMENT PROGRAM

ORGANIZATIONAL COMMITMENT

MANAGEMENT BUY IN

The PIC or PIP, through head of agency or Board, resolves to

acknowledge the need to comply with the Data Privacy Act and
related issuances of the NPC, and to acknowledge its
accountability for the protection of personal data under its control
or custody.

The PIC or PIP maintains a Privacy Management Program to

implement control measures for privacy and data protection and

63
 to put in place a review system for assessment and continuous
improvement of the program.

There are policies, procedures, projects and activities intended to

embed privacy and data protection in the organizations daily
operations.

ACCOUNTABLE AND RESPONSIBLE PERSONS

The PIC or PIP, through head of agency or Board, designates or

appoints a Data Protection Officer or a DPO team.

The PIC or PIP, through head of agency or Board, provides

resources for the DPO to effectively perform its functions.
For the full list of functions, see NPC Advisory 17-01.

The responsibility for complying with the Data Privacy Act has
been assigned to DPO, process owners, and the organizations
personnel.

REPORTING MECHANISMS

The DPO is assured of means to report to senior management,

head of agency or Board. The DPO shall report on monitoring
activities, Privacy Impact Assessment reports, and the advice and
recommendations made to the PIC or PIP.

There is a reporting system for DPA compliance activities, PIAs,

audits and security assessments, breach management, complaints,
the exercise of data subject rights, review processes and means to
measure effectiveness of Privacy Management Program. This
should include reporting to senior management, and the internal
and external stakeholders.

PROGRAM CONTROLS

Records of Processing Activities

There is an inventory of personal data and data
processing systems, including data flow and transfers
outside the country.

64
Risk Assessment

Privacy impact assessment conducted in accordance with

a PIA plan.

Process in place for regularly testing, assessing, and

evaluating the effectiveness of security measures

Policies and Procedures

There is a privacy manual containing key components of

the Privacy Management Program
There are policies and procedures to govern the
processing of personal data from collection to storage or
disposal. These include policies and procedures:
On Adhering to Data Privacy Principles
On Implementing security measures
For the data subjects to exercise their rights
For the documentation, review and updating of the
Privacy Management Program
Security Measures
The organization implements organizational, physical and
technical security measures to maintain the
confidentiality, integrity and availability of personal data.
Capacity Building
There is capacity building, orientation or training
programs for employees, agents or representatives,
regarding privacy or security policies.
Data Protection Officer provided time, resources,
equipment and training to be updated with developments
in data privacy and security
Knowledge building on privacy and data protection
supported through privacy awareness projects or by
making resource materials available

Registration and Notification

The organization complies with Reporting and
notification requirements
Data Processing Systems have been registered
Breach Management
A Breach Management Program is in place, including
personal data breach notification and annual report on
breaches and security incident
For the full list, see NPC Circular 16-03.

Personal Information Processor and Third Party Management (for

PICs)
Transfers of personal data shall be covered by data
sharing agreements when applicable.
Contractual and other means are used to assure protection
for personal data being processed by a third party.

65
 Outsourcing contracts and agreements with PIPs
reviewed (For contract considerations, refer to Rule X of
the IRR.)

Communication
Any information and communication relating to the
processing of personal data should be easy to access and
understand, using clear and plain language.
Privacy Notices are maintained
Procedures in place to address complaints and to allow
for the exercise of data subject rights

66
CONTINUING ASSESSMENT AND DEVELOPMENT

Oversight and Review Plan

The Data Protection Officer should monitor data processing

systems and ensure conduct of PIAs when necessary.

Policies provide for documentation, regular review, evaluation,

and updating of the privacy and security policies and practices
in the organization.

Assess and Revise Program Controls

Organization conducts and updates PIAs regularly, and when

there are new programs, projects and products, a change in law
or regulation, or other changes within the organization.

Privacy Management Program is regularly assessed and revised,

taking into account PIAs, effectiveness of implementation, and
data privacy best practices.

Organization monitors emerging technologies, new threats and

risks to data processing systems, international data protection
standards, and the legal and ICT environment.

References:
Office of the Privacy Commissioner for Personal Data, Hong Kong, Privacy Management
Program, A Best Practice Guide available at
https://www.pcpd.org.hk/pmp/files/PMP_guide_e.pdf (last accessed June 12, 2017).
Data Privacy Act of 2012 and its Implementing Rules and Regulations (Philippines)

67
Privacy Manual Guide

Background

Republic Act No. 10173, also known as the Data Privacy Act of 2012 (DPA), aims to protect
personal data in information and communications systems both in the government and the
private sector.

It ensures that entities or organizations processing personal data establish policies, and
implement measures and procedures that guarantee the safety and security of personal data
under their control or custody, thereby upholding an individuals data privacy rights. A
personal information controller or personal information processor is instructed to implement
reasonable and appropriate measures to protect personal data against natural dangers such
as accidental loss or destruction, and human dangers such as unlawful access, fraudulent
misuse, unlawful destruction, alteration and contamination.

To inform its personnel of such measures, each personal information controller or personal
information processor is expected to produce a Privacy Manual. The Manual serves as a
guide or handbook for ensuring the compliance of an organization or entity with the DPA,
its Implementing Rules and Regulations (IRR), and other relevant issuances of the National
Privacy Commission (NPC). It also encapsulates the privacy and data protection protocols
that need to be observed and carried out within the organization for specific circumstances
(e.g., from collection to destruction), directed toward the fulfillment and realization of the
rights of data subjects.

I. INTRODUCTION

This section lays down the basis of the Manual. Hence, it should provide an overview of the
DPA, its IRR and other policies that relate to data protection and which are relevant issuances
to the industry or sector of the organization, as well as the transactions it regularly carries out.

In brief, it should discuss how the organization complies with the data privacy principles, and
upholds the rights of the data subjects, both of which are laid out in the DPA.

It is important that this portion impresses upon the user or reader why it is necessary for the
organization to have a Privacy Manual.

Example:

This Privacy Manual is hereby adopted in compliance with Republic Act No. 10173 or the
Data Privacy Act of 2012 (DPA), its Implementing Rules and Regulations, and other
relevant policies, including issuances of the National Privacy Commission. This
organization respects and values your data privacy rights, and makes sure that all
personal data collected from you, our clients and customers, are processed in adherence
to the general principles of transparency, legitimate purpose, and proportionality.

This Manual shall inform you of our data protection and security measures, and may serve
as your guide in exercising your rights under the DPA.

68
II. DEFINITION OF TERMS

Terms used in the Manual must be defined for consistency and uniformity in usage. This
portion will make sure of that, and allow users of the Manual to understand the words,
statements, and concepts used in the document.

Examples:

Data Subject refers to an individual whose personal, sensitive personal or privileged

information is processed by the organization. It may refer to officers, employees,
consultants, and clients of this organization.

Personal Information refers to any information whether recorded in a material form

or not, from which the identity of an individual is apparent or can be reasonably and
directly ascertained by the entity holding the information, or when put together with other
information would directly and certainly identify an individual.

Processing refers to any operation or any set of operations performed upon personal
information including, but not limited to, the collection, recording, organization, storage,
updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or
destruction of data.

III. SCOPE AND LIMITATIONS

This section defines the coverage of the Manual. Given that the document is essentially an
internal issuance and is meant for the use and application of the organizations staff or
personnel, that fact should be emphasized here.

Note that it would be useful to develop a separate Privacy Manual meant for external use or
for persons who deal with the organization. Certain information may be omitted from that
version, particularly those that relate to internal policies or processes that are relevant only to
personnel of the organization.

Example:

All personnel of this organization, regardless of the type of employment or contractual

arrangement, must comply with the terms set out in this Privacy Manual.

IV. PROCESSING OF PERSONAL DATA

This section lays out the various data life cycles (or processing systems) in existence within
the organizationfrom the collection of personal data, to their actual use, storage or retention,
and destruction.

A. Collection (e.g. type of data collected, mode of collection, person collecting

information, etc.)

69
 Example:
This company collects the basic contact information of clients and customers,
including their full name, address, email address, contact number, together with the
products that they would like to purchase. The sales representative attending to
customers will collect such information through accomplished order forms.

B. Use

Example:
Personal data collected shall be used by the company for documentation purposes, for
warranty tracking vis--vis purchased items, and for the inventory of products.

C. Storage, Retention and Destruction (e.g. means of storage, security measures, form of
information stored, retention period, disposal procedure, etc.)

Example:
This company will ensure that personal data under its custody are protected against
any accidental or unlawful destruction, alteration and disclosure as well as against any
other unlawful processing. The company will implement appropriate security
measures in storing collected personal information, depending on the nature of the
information. All information gathered shall not be retained for a period longer than
one (1) year. After one (1) year, all hard and soft copies of personal information shall
be disposed and destroyed, through secured means.

D. Access (e.g. personnel authorized to access personal data, purpose of access, mode of
access, request for amendment of personal data, etc.)

Example:
Due to the sensitive and confidential nature of the personal data under the custody of
the company, only the client and the authorized representative of the company shall
be allowed to access such personal data, for any purpose, except for those contrary to
law, public policy, public order or morals.

E. Disclosure and Sharing (e.g. individuals to whom personal data is shared, disclosure
of policy and processes, outsourcing and subcontracting, etc.).

Example:
All employees and personnel of the company shall maintain the confidentiality and
secrecy of all personal data that come to their knowledge and possession, even after
resignation, termination of contract, or other contractual relations. Personal data under
the custody of the company shall be disclosed only pursuant to a lawful purpose, and
to authorized recipients of such data.

V. SECURITY MEASURES

As a personal information controller or personal information processor, an organization must

implement reasonable and appropriate physical, technical and organizational measures for

70
the protection of personal data. Security measures aim to maintain the availability, integrity
and confidentiality of personal data and protect them against natural dangers such as
accidental loss or destruction, and human dangers such as unlawful access, fraudulent
misuse, unlawful destruction, alteration, and contamination. In this section, you give a general
description of those measures.

A. Organizational Measures

Every personal information controller and personal information processor must also
consider the human aspect of data protection. The provisions under this section shall
include the following:

1. Conduct of Privacy Impact Assessment (PIA)

Example:
The organization shall conduct a Privacy Impact Assessment (PIA) relative to all
activities, projects and systems involving the processing of personal data. It may
choose to outsource the conduct a PIA to a third party.

2. Data Protection Officer (DPO), or Compliance Officer for Privacy (COP)

Example:
The designated Data Protection Officer is Mr. Juan Dela Cruz, who is concurrently
serving as the Executive Director of the organization.

3. Functions of the DPO, COP and/or any other responsible personnel with similar
functions

Example:
The Data Protection Officer shall oversee the compliance of the organization with
the DPA, its IRR, and other related policies, including the conduct of a Privacy
Impact Assessment, implementation of security measures, security incident and
data breach protocol, and the inquiry and complaints procedure.

4. Duty of Confidentiality

Example:
All employees will be asked to sign a Non-Disclosure Agreement. All employees
with access to personal data shall operate and hold personal data under strict
confidentiality if the same is not intended for public disclosure.

5. Conduct of trainings or seminars to keep personnel, especially the Data Protection

Officer updated vis--vis developments in data privacy and security

Example:
The organization shall sponsor a mandatory training on data privacy and security
at least once a year. For personnel directly involved in the processing of personal
data, management shall ensure their attendance and participation in relevant
trainings and orientations, as often as necessary.

71
 6. Review of Privacy Manual

Example:
This Manual shall be reviewed and evaluated annually. Privacy and security
policies and practices within the organization shall be updated to remain
consistent with current data privacy best practices.

7. Recording and documentation of activities carried out by the DPO, or the

organization itself, to ensure compliance with the DPA, its IRR and other relevant
policies.

Example:
There shall be a detailed and accurate documentation of all activities, projects and
processing systems of the company, to be carried out by the Risk Management
Officer, in coordination with the Data Protection Officer.

B. Physical Measures

This portion shall feature the procedures intended to monitor and limit access to the
facility containing the personal data, including the activities therein. It shall provide for
the actual design of the facility, the physical arrangement of equipment and furniture, the
permissible modes of transfer, and the schedule and means of retention and disposal of
data, among others. To ensure that mechanical destruction, tampering and alteration of
personal data under the custody of the organization are protected from man-made
disasters, power disturbances, external access, and other similar threats, provisions like
the following must be included in the Manual:

1. Format of data to be collected

Example:
Personal data in the custody of the organization may be in digital/electronic
format and paper-based/physical format.

2. Storage type and location (e.g. filing cabinets, electronic storage system, personal
data room/separate room or part of an existing room);

Example:
All personal data being processed by the organization shall be stored in a data
room, where paper-based documents are kept in locked filing cabinets while the
digital/electronic files are stored in computers provided and installed by the
company.

3. Access procedure of agency personnel

Example:
Only authorized personnel shall be allowed inside the data room. For this purpose,
they shall each be given a duplicate of the key to the room. Other personnel may
be granted access to the room upon filing of an access request form with the Data
Protection Officer and the latters approval thereof.

72
 4. Monitoring and limitation of access to room or facility

Example:
All personnel authorized to enter and access the data room or facility must fill out
and register with the online registration platform of the organization, and a
logbook placed at the entrance of the room. They shall indicate the date, time,
duration, and purpose of each access.

5. Design of office space/work station

Example:
The computers are positioned with considerable spaces between them to maintain
privacy and protect the processing of personal data.

6. Persons involved in processing, and their duties and responsibilities

Example:
Persons involved in processing shall always maintain confidentiality and integrity
of personal data. They are not allowed to bring their own gadgets or storage device
of any form when entering the data storage room.

7. Modes of transfer of personal data within the organization, or to third parties

Example:
Transfers of personal data via electronic mail shall use a secure email facility with
encryption of the data, including any or all attachments. Facsimile technology shall
not be used for transmitting documents containing personal data.

8. Retention and disposal procedure

Example:

The organization shall retain the personal data of a client for one (1) year from the
data of purchase. Upon expiration of such period, all physical and electronic copies
of the personal data shall be destroyed and disposed of using secure technology.

C. Technical Measures

Each personal information controller and personal information processor must implement
technical security measures to make sure that there are appropriate and sufficient
safeguards to secure the processing of personal data, particularly the computer network
in place, including encryption and authentication processes that control and limit access.
They include the following, among others:

1. Monitoring for security breaches

Example:
The organization shall use an intrusion detection system to monitor security
breaches and alert the organization of any attempt to interrupt or disturb the
system.

73
 2. Security features of the software/s and application/s used

Example:
The organization shall first review and evaluate software applications before the
installation thereof in computers and devices of the organization to ensure the
compatibility of security features with overall operations.

3. Process for regularly testing, assessment and evaluation of effectiveness of security

measures

Example:
The organization shall review security policies, conduct vulnerability assessments
and perform penetration testing within the company on regular schedule to be
prescribed by the appropriate department or unit.

4. Encryption, authentication process, and other technical security measures that

control and limit access to personal data

Example:
Each personnel with access to personal data shall verify his or her identity using a
secure encrypted link and multi-level authentication.

VI. BREACH AND SECURITY INCIDENTS

Every personal information controller or personal information processor must develop and
implement policies and procedures for the management of a personal data breach, including
security incidents. This section must adequately describe or outline such policies and
procedures, including the following:

1. Creation of a Data Breach Response Team

Example:
A Data Breach Response Team comprising of five (5) officers shall be responsible for
ensuring immediate action in the event of a security incident or personal data breach.
The team shall conduct an initial assessment of the incident or breach in order to
ascertain the nature and extent thereof. It shall also execute measures to mitigate the
adverse effects of the incident or breach.

2. Measures to prevent and minimize occurrence of breach and security incidents

Example:
The organization shall regularly conduct a Privacy Impact Assessment to identify risks
in the processing system and monitor for security breaches and vulnerability scanning
of computer networks. Personnel directly involved in the processing of personal data
must attend trainings and seminars for capacity building. There must also be a
periodic review of policies and procedures being implemented in the organization.

74
 3. Procedure for recovery and restoration of personal data

Example:
The organization shall always maintain a backup file for all personal data under its
custody. In the event of a security incident or data breach, it shall always compare the
backup with the affected file to determine the presence of any inconsistencies or
alterations resulting from the incident or breach.

4. Notification protocol

Example:
The Head of the Data Breach Response Team shall inform the management of the need
to notify the NPC and the data subjects affected by the incident or breach within the
period prescribed by law. Management may decide to delegate the actual notification
to the head of the Data Breach Response Team.

5. Documentation and reporting procedure of security incidents or a personal data

breach

Example:
The Data Breach Response Team shall prepare a detailed documentation of every
incident or breach encountered, as well as an annual report, to be submitted to
management and the NPC, within the prescribed period.

VII. INQUIRIES AND COMPLAINTS

Every data subject has the right to reasonable access to his or her personal data being
processed by the personal information controller or personal information processor. Other
available rights include: (1) right to dispute the inaccuracy or error in the personal data; (2)
right to request the suspension, withdrawal, blocking, removal or destruction of personal
data; and (3) right to complain and be indemnified for any damages sustained due to
inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of personal
data. Accordingly, there must be a procedure for inquiries and complaints that will specify
the means through which concerns, documents, or forms submitted to the organization shall
be received and acted upon. This section shall feature such procedure.

Example:

Data subjects may inquire or request for information regarding any matter relating to the
processing of their personal data under the custody of the organization, including the data
privacy and security policies implemented to ensure the protection of their personal data.
They may write to the organization at [email protected] and briefly discuss the
inquiry, together with their contact details for reference.

Complaints shall be filed in three (3) printed copies, or sent to [email protected].

The concerned department or unit shall confirm with the complainant its receipt of the
complaint.

75
VIII. EFFECTIVITY

This section indicates the period of effectivity of the Manual, as well as any other document
that the organization may issue, and which has the effect of amending the provisions of the
Manual.

Example:

The provisions of this Manual are effective this __ day of _______, 2017, until revoked or
amended by this company, through a Board Resolution.

IX. ANNEXES

It is considered best practice that an organization provides copies of its policies, sample forms
or templates that are useful or related to the implementation or enforcement of the provisions
of the DPA.
Examples:
1. Consent Form
2. Inquiry Summary Form
3. Access Request Form
4. Privacy Notice
5. Request for Correction or Erasure

76
IV. Demonstrate your compliance:
Implement Privacy and Data Protection Measures
Data Privacy Accountability and Compliance Framework

A. Choose A DPO T. Data Breach

Management
Security Incident
Policy
Incident Response
Procedure
Breach
Documentation

B. Register U. Third Parties

C. Record of Processing Legal Basis for
Activities Disclosure
D. Conduct Risk Data Sharing
Assessment Agreements
Cross Border
Transfer Agreements

E. Privacy Management V. Trainings and

Program Certifications
F. Privacy Manual W. Security Clearance

G. Privacy Notice X. Continuing Assessment

H-O. Data Subject Rights and Development
P. Data Life Cycle Regular Risk
Assessment
Review Contracts
Internal Assessments
Review PMP
Accreditations

Q. Organizational Y. New technologies and

R. Physical standards
S. Technical Z. New legal requirements
Data Center
Encryption
Access Control
Policy

77
 I. Governance

A. Choose a DPO
Compliance to the DPA starts by choosing or designating a data protection officer for your
organization. This person or other body shall be accountable for ensuring compliance with
applicable laws and regulations for the protection of data privacy and security. The NPC
issued an advisory on designating a DPO.
(please refer to page 23)

II. Risk Assessment

A. Register
The Registration system is one of the means by which the NPC can ensure compliance of
personal information controllers and personal information processors with the act. This will
also assist both the NPC and those involved in processing of personal data in upholding the
rights of a data subject.

(please refer to page 116)

B. Records of Processing Activities

In the Section 1 of the Implementing Rules and Regulations (IRR) of the Data Privacy Act
(DPA), the term processing refers to any operation or any set or operations performed upon
personal data including, but not limited to, the collection, recording, organization, storage,
updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or
destruction of data. In general terms, it is changing information in any manner detectable by
any witness or observer. It may be performed through automated means, or manual
processing, if the personal data are contained or intended to be contained in a filing system.
The processing activities have its data life cycle where it starts from collection of the personal
data and will and must end at the disposal. Every personal information controller and
personal information processor must maintain or keep track of their processing activities.
They must firmly identify the duties and responsibilities of the individuals who currently
have access and will have access to personal and sensitive personal information. This should
apply to any internal and external processing activities that collect, use, store and dispose (or
any equivalent processing activity) personal information. This can help every organization
keep track of the purpose of each activity and its alignment to the organizations objectives.
The record should contain the purpose of the processing of personal data, description of
categories of data subjects, personal data and recipients of information that will be involved
with the processing, information of the data flow, security measures that are in place, and
name and contact details of any individual or individuals accountable for ensuring data
protection of the systems. To know more about this, you may refer to Section 26.c of the IRR
of DPA of 2012.

78
 C. Conduct Risk or Impact Assessment

This section describes the privacy risks youve identified through the PIA process and how
you propose to mitigate and manage those risks. It can be useful to link this back to the
privacy principles to show why these risks and the proposed actions are relevant.
(please refer to page 32)

III. Organization

D. Privacy Management Program

A Privacy Management Program is a holistic approach to privacy and data protection,

important for all agencies, companies or other organization involved in the processing of
personal data. It is a process intended to embed privacy and data protection in the strategic
framework and daily operations of a personal information controller or personal
information processor.
(please refer to page 54)

E. Privacy Manual
The Privacy Manual serves as a guide or handbook for ensuring the compliance of an
organization or entity with the DPA, its Implementing Rules and Regulations (IRR), and
other relevant issuances of the National Privacy Commission (NPC). It also encapsulates the
privacy and data protection protocols that need to be observed and carried out within the
organization for specific circumstances (e.g., from collection to destruction), directed toward
the fulfillment and realization of the rights of data subjects.
(please refer to page 54)

IV. Day to Day

G. Privacy Notice

It is a statement made to a data subject that describes how the organization collects, uses,
retains and discloses personal information. A privacy notice is sometimes referred to as a
privacy statement, a fair processing statement, or privacy policy.

As a privacy notice aims to empower the public and tell individuals what, how and why
personal data is being collected from them, it should be highly readable to be effective.
However, recent researches reveal that only a few actually read privacy notices.

With the average privacy notice taking ten minutes to read (at most 42 minutes), it is of no
surprise that only 16% of internet users take the time to read them, based on the Internet

79
Societys Global Internet User Survey. The figure may even be lower in the Philippines where
the concept of data privacy is just emerging.

This prompted the NPC to compile the following tips on how to effectively craft your privacy
notice.

Easy-to-read

Privacy notices should be concise and written in plain language as you write for a diverse
audience. A segment of your audience may not be familiar with data privacy. Thus, it is
important to communicate the content clearly. If legal and/or technical terms are to be used,
hyperlink these to a definition.

The notice should be concise, direct, and affirmative. Use short sentences in active voice for
easier understanding. If you are enumerating several items, use bullet points. Each section of
the notice should have an informative heading to accurately describe what follows.

Transparent

To reduce legal risks, privacy commitments in your notices should be aligned with your actual
privacy practices. Various resources reveal that while notices should try to avoid using bold
statements, they should not also be too generic. Notices should cover both current and
prospective privacy practices, which necessitates strategic planning involving everyone in the
organization.

The key is to conduct factual and legal due diligence. According to the International
Association of Privacy Professional, factual due diligence allows you to determine what
information your organization uses. The legal due diligence allows you to determine what
laws govern the use of that information.

The conduct of a privacy impact assessment may already encompass both factual and legal
due diligence.

Frequently Asked Questions

1. What is the difference between a Privacy Notice and a Privacy Policy?

Privacy Policy: An internal statement that governs an organization or entitys

handling practices of personal information. It is directed at the users of the personal
information. A privacy policy instructs employees on the collection and the use of the
data, as well as any specific rights the data subjects may have.

Privacy Notice: A statement made to a data subject that describes how the
organization collects, uses, retains and discloses personal information. A privacy notice is
sometimes referred to as a privacy statement, a fair processing statement or sometimes a
privacy policy.

80
2. Why do websites need Privacy Notice?

Websites need Privacy Notice because the DPA says that the data subject is entitled to be
informed whether personal information pertaining to him or her, shall be, are being or have
been processed.

3. What if my website doesn't have a Privacy Notice?

If the National Privacy Commission (NPC) issues an enforcement notice requesting that
you either place a Privacy Notice on your site, or cease processing data, failure to comply
could result in prosecution with a possible penalty of P4,000,000.

Generally, Section 65 of the DPA says that Violations of the Act, these Rules, other
issuances and orders of the NPC, shall, upon notice and hearing, be subject to
compliance and enforcement orders, cease and desist orders, temporary or permanent
ban on the processing of personal data, or payment of fines, in accordance with a
schedule to be published by the NPC.

4. How do I know if my website requires a Privacy Notice?

If your site does any of the following, a Privacy Notice is required:

Collects personal data (visitors filling in web forms, feedback forms, etc).
Uses cookies or web beacons.
Covertly collects personal data (IP addresses, e- mail addresses.)

5. What information should be contained within a Privacy Notice?

1. SERVICE DESCRIPTION

The organization shall provide an overview of the service or services within scope of a
notification.

It is important for data subjects to understand the nature of a service and the processing of the
personal information collected, so that they can provide a meaningful consent. For brevity of
the notice a meaningful name or short phrase for each service may be used but it should be
possible (e.g. via a hyperlink) to associate that name or phrase with an overview of the service
sufficient for data subjects to provide meaningful consent.

2. IDENTIFICATION OF THE PERSONAL INFORMATION CONTROLLER

The organization shall provide information specific enough for the data subject to
determine who the Personal Information Controller is.

81
While who you are may be obvious to some visitors to your site, you should make
sure that you are clearly identifiable. An organizations name on its own is of little
value in this context. Identification should ideally include complete and useful contact
details. Useful details would include an e- mail address and postal address that a
visitor may use if he/she wishes to discuss any matters relating to the processing of
personal data on your website.

3. PERSONAL INFORMATION THAT ARE COLLECTED

a) The organization shall provide information that allows data subjects to understand what
personal information attributes are to be collected, even where the collection of the particular
personal information attributes is obvious.

Rather than using generic language such as We collect your personal information,
the organization should provide the list of specific personal information attributes consisting
the personal information that are collected (e.g., We collect your name, address and
telephone number.) even if it is obvious what the collected information is.

b) The organization shall specify which personal information attributes are mandatory for
provision of the service or services.

c) The organization should present the actual personal information attribute value to be
collected before collection where it is feasible.

Where it is not feasible to present actual personal information attribute value to be

collected, the organization should provide a clear example of the attribute values being
collected with the associated personal information attribute name (e.g., instead of referring to
telephone number, organization should state telephone number (01-234-5678) so that the
data subject can understand what is referred to by the personal information attribute name
and what kind of values are going to be sent.

Where personal information controller collects the personal information from the data
subject through their Smartphone or Identity provider, the actual value can be shown to the
data subject with the notice before being transferred to the personal information controller.

Showing actual personal information attribute values helps the data subjects to determine if
they want to provide them to the personal information controller especially in the case that
they have multiple values of them. For example, for phone number, the data subject may be
fine to provide his work telephone number but not his personal mobile number.

4. COLLECTION METHOD

a) The organization shall inform the data subject the collection methods of personal
information attributes. If the collection methods are different depending on the
personal information attribute, the organization shall inform the data subject which
collection method is applied to each personal information attribute. When a same
collection method is applied to multiple personal information attributes, then
personal information attributes can be grouped together under each collection
method. However, if privacy impact of one or more personal information attributes in

82
the group is markedly higher from others according to general assessment of impact
to the corresponding population of data subjects, then it should be communicated
separately so that the data subject becomes aware of the fact.

This is to prevent the "hide a tree in a forest" attack where the attacker buries the high
impact personal information attributes in benign ones to trick the data subject to give
consent.

b) The organization shall provide clear explanations of all (obvious or non-obvious)

personal information collection methods.

There are direct and indirect personal information collection methods. The direct
collection method collects personal information from the data subject.

The indirect collection method collects personal information by observing or inferring

new personal information based on existing available personal information or other
available information.

5. TIMING OF COLLECTION

The organization shall give notice about when personal information will be collected,
including where personal information is intended to be collected long after the
notification to data subject.

6. PURPOSE/S FOR WHICH PERSONAL INFORMATION WILL BE COLLECTED

AND USED

a) The organization shall specify the purpose of collection of personal information

with specificity and explain how it will be used in a manner that allows the data
subject to clearly and readily understand the purpose. If the purpose of the use varies
among the personal information attributes being collected, the organization shall
clearly mark which purpose applies to which personal information attribute.

b) The organization shall provide the purpose for each personal information
attributes in the notice.

c) The organization shall order the presentation of personal information uses in its
notices according to its general assessment of impact to the corresponding population
of data subjects, highest impact first.

7. STORAGE AND TRANSMISSION OF PERSONAL INFORMATION

The organization should specify the data protection measures on storage,

transmission and reception of the personal information. All personal data that are
digitally processed must be encrypted, whether at rest or in transit. For this purpose,
the Commission recommends Advanced Encryption Standard with a key size of 256
bits (AES-256) as the most appropriate encryption standard.

83
 8. METHOD OF USE

The organization should provide notification to the data subject whether the personal
information will be used as is, or if the personal information will be subject to
additional processing before being used for the stated purposes. If the organization
intends to process the personal information in some way prior to using it for the stated
purposes, they shall provide relevant information to the data subject as to what that
processing will have.

9. LOCATION OF PERSONAL INFORMATION

The organization shall specify the location where personal information will be stored
and processed. The granularity of location (e.g. country, state, province) shall be
appropriate to the relevant jurisdiction. If multiple locations are involved, each
location shall be specified.

10. THIRD PARTY TRANSFER

a) The organization shall give notice of whether or not personal information will be
transferred to a third party.

b) If an organization transfers personal information to a third party, it shall provide

notification to the data subject of whom the recipient is. Although the organization
needs to identify and give notice of individual third party recipients, it may specify a
group of recipients using clearly defined criteria where appropriate.

c) If an organization transfers personal information to a third party, it shall provide

notification to the data subject of the purpose(s) for which the personal information is
being transferred.

Kindly refer to Third Parties for more information.

11. RETENTION PERIOD

The organization shall provide information about the retention period and/or
disposal / de-identification schedule of all personal information that it is collecting.

This may be in the form of a specified period (e.g., 5 years) from the date of collection,
or a specified date (e.g., to be disposed of, on 1 January 2019).

12. PARTICIPATION OF DATA SUBJECT

The organization shall provide notification to data subjects of their right to access their
personal information in its possession, as well as their rights for the correction of
personal information. The organization shall give notice of the following aspects of
that access:

84
a) what personal information attributes the data subject can request access to and the
means by which the data subject can make such a request;

b) what information will be required from the data subject in order to authenticate
themselves to an acceptable level of assurance, prior to authorizing access to any
personal information (to avoid the risk of inappropriate disclosure);

c) the timelines within which a request will be acted upon;

d) any fees which may be charged for such access, where the charging of such fees is
permitted;

e) the means by which data subjects can challenge the accuracy and completeness of
the personal information and have it amended as appropriate; and

f) where correction of personal information is not possible (e.g., investigation files),

the organization shall explain the reason for refusing to correct the information to the
data subject.

13. INQUIRY

The organization shall provide the contact information for inquiries regarding the
processing of personal information stated in the notice.

6. Where should I place the Privacy Notice?

A Privacy Notice should be placed in a reasonably obvious position on the homepage.

Typically, privacy statements can be found in the sub navigation menu which is normally
situated in a bottom center position on the homepage alongside other menu items such as
Security Statement, Disclaimer, Terms & Conditions etc.

Placing a statement only on a Home Page may not be sufficient, as links from other web sites
or through search engines may bring a visitor into the site via a page other than the Home
Page. The ideal solution to this problem is to place a link to the Privacy Statement on each
page. Alternatively, a link could be placed on any page on which data are collected, though
if the website uses cookies, effectively this could mean all pages.

7. Can I place the Privacy Notice within a "terms & conditions" document?

A Privacy Notice is a legal requirement and is distinct from terms and conditions, copyright
or disclaimer notices. It should stand alone and be clearly identifiable. In order for a Privacy
Notice to be of value, it must be readily accessible to the user, quickly read and easily
understood.

8. How often should I review the Privacy Statement?

It should only be necessary to conduct a review if there is some change to on-line processes.

85
However, some mechanism should be in place to notify the appropriate staff member to
initiate a review if:

There is a change to data processing on the website

There is a planned/actual redevelopment of the website
There is a new web hosting arrangement
There are suggestions / comments received from site users.

In any case, the Privacy Notice should be reviewed in the context of an internal audit
procedure, which also should review the organizational Privacy Policy, at least on an
regular basis. For more information, kindly refer to Continuity.

9. I am not an IT person, what are cookies?

A cookie is a block of data that a web server places on a user's PC. Typically, it is used to
ease navigation through the site. However, it is also a useful means of the website
identifying the user, tracking the user's path through the site, and identifying repeat visits to
the site by the same user (or same user's machine). This can then lead to a website owner
being able to profile an individual user's browsing habits - and all potentially done without
the knowledge, or consent, of the user.

10. How do I know if my web site uses cookies?

This should be a question you address to the person who has developed your website, or to
whomever maintains it for you. Most browsers can be set to prevent cookies being
downloaded onto a PC. If you set your browser to block cookies, then visit your own site,
you may get an error message displayed if your site is attempting to download a cookie.
Alternatively, you can look into the "cookie" or "Temporary Internet" folder of your PC and
see if you can identify a cookie placed by your site. Cookies often, but not always, contain
site names.

11. Do I need to submit my Privacy Notice to the National Privacy Commission for
approval?

Not required

References:

https://iapp.org/resources/glossary/
https://iapp.org/news/a/2012-09-13-best-practices-in-drafting-plain-language-
and-layered-privacy/
https://iapp.org/news/a/need-to-write-a-solid-privacy-notice-a-few-tips/
https://www.ftc.gov/tips-advice/business-center/guidance/getting-noticed-
writing-effective-financial-privacy-notices
https://www.dataprotection.ie/docs/PrivStatements/290.htm

86
 ISO/IEC WD 29184 Information technology Security techniques User
friendly online privacy notices and consent, December 4, 2016

H-O. Data Subject Rights

h. The right to be informed

As a data subject, you have the right to be informed that your personal data
shall be, are being or have been processed.

The right to be informed is a basic right as it empowers you as a data subject to consider other
actions to protect your data privacy and assert your other privacy rights.

This right also requires personal information controllers (PICs) to notify you if within a
specific period of time if your data has been compromised, i.e. in the case of a personal data
breach.

i. The right to access

Concomitant to your right to be informed, you also have a right to gain reasonable access to
your personal data.
You may request access the of following:

Contents of your personal data that were processed;

Sources from which they were obtained;
Names and addresses of the recipients of your data;
Manner by which such data were processed;
Reasons for disclosure to recipients, if there were any;
Information on automated processes where the data will or likely to be made as the
sole basis for any decision which would significantly affect you;
Date when your data was last accessed and modified; and
Name and address of the personal information controller.

j. The right to object

You have a right to object to the processing of your personal data, including processing for
direct marketing, automated processing or profiling.
You likewise have the right to be notified and given an opportunity to withhold consent to
the processing in case of changes to the information given to you regarding the processing of
your information.

k. The right to erasure or blocking

Under the law, you have the right to suspend, withdraw or order the blocking, removal or
destruction of your personal data. You can exercise this right upon discovery and substantial
proof of the any of the following:

87
 1. Your personal data is incomplete, outdated, false, or unlawfully obtained;
2. It is being used for purposes you did not authorize;
3. The data is no longer necessary for the purposes for which they were collected;
4. You decided to withdraw consent, or you object to its processing, and there is no
overriding legal ground for its processing;
5. The data concerns personal information prejudicial to the data subject unless
justified by freedom of speech, of expression, or of the press; or otherwise authorized;
6. The processing is unlawful; or
7. The personal information controller, or the personal information processor, violated
your rights as a data subject.

l. The right to damages

You may claim compensation if you suffered damages due to inaccurate, incomplete,
outdated, false, unlawfully obtained or unauthorized use of personal data, considering any
violation of your rights and freedoms as data subject.

m. The right to file a complaint

If you are the subject of a privacy violation or personal data breach, or who are otherwise
personally affected by a violation of the DPA, may file complaints with the NPC.

n. The right to rectification

You have the right to dispute any inaccuracy or error in your personal data and have the
personal information controller correct it immediately, unless the request is vexatious or
unreasonable. Once corrected, the PIC should ensure that your access to both new and
retracted information, and simultaneous receipt of the new and the retracted information by
the intended recipients thereof.

o. The right to data portability

Where your personal information is processed by electronic means, you have a right to obtain
from the personal information controller a copy of your personal data a copy of such data in
an electronic or structured format that is commonly used and allows for further use.

The purpose of this right is to empower you and give you more control over your personal
data. This right, which applies subject to certain conditions, supports user choice, user control
and consumer empowerment.

It enables the free flow of your personal information across organizations according to your
preference. This is important especially now that several organizations and services can reuse
the same data.

Data portability allows you to manage your personal data, and to transmit your data from
one personal information controller to another. As such, it promotes competition that fosters
better services for the public.

88
 P. Data Life Cycle

In Section 11 of the DPA, the processing of personal information shall be allowed,

subject to compliance with the requirements of this Act and other laws allowing
disclosure of information to the public and adherence to the principles of
transparency, legitimate purpose and proportionality. Data Life Cycle is composed of
creation and collection, storage and transmission, use and distribution, retention, and
disposal and destruction.

Creation and Collection

In Section 11.a of the DPA, personal information must be collected for specified and
legitimate purposes determined and declared before, or as soon as reasonably
practicable after collection, and later processed in a way compatible with such
declared, specified and legitimate purposes only.

In Section 19.a of the Implementing Rules and Regulations of the DPA, Personal Information
Controllers (PICs) or Personal Information Processors (PIPs) must keep in mind the following
general principles for collecting personal data:

1. Consent is required prior to the collection and processing of personal data, subject to
exemptions provided by the Act and other applicable laws and regulations. When
consent is required, it must be time-bound in relation to the declared, specified and
legitimate purpose. Consent given may be withdrawn.
2. The data subject must be provided specific information regarding the purpose and
extent of processing, including, where applicable, the automated processing of his or
her personal data for profiling, or processing for direct marketing, and data sharing.
3. Purpose should be determined and declared before, or as soon as reasonably
practicable, after collection.
4. Only personal data that is necessary and compatible with declared, specified, and
legitimate purpose shall be collected.

Most common way to make sure that there is transparency is through privacy notice.

(please refer to page 149)

Use

In Section 11 of the DPA, b. personal information must be processed fairly and

lawfully; c. personal information must be accurate, relevant and, where necessary for
purposes for which it is to be used the processing of personal information, kept up to
date; inaccurate or incomplete data must be rectified, supplemented, destroyed or
their further processing restricted; and d. Adequate and not excessive in relation to the
purposes for which they are collected and processed.

(please refer to page 149)

89
PICs or PIPs should uphold the rights of the data subject, including the right to refuse,
withdraw consent, or object. It shall likewise be transparent, and allow the data subject
sufficient information to know the nature and extent of processing. The use of personal data
must be in a manner compatible with declared, specified, and legitimate purpose.

(please refer to page 157)

Storage

Data Storage is a general term for how information is kept in a digital format. To
ensure protection of personal data against unauthorized or unlawful processing, PICs
or PIPs should implement reasonable and appropriate security measures for the
protection of personal data. Such security measures can be through encrypting data
and having secured data center. (please refer to page . For encryption and refer to page
for data center)

(please refer to page 149)

Retention

What does DPA say about retention of personal data?

In Section 11.e of the DPA, personal information must be retained only for as long as
necessary for the fulfillment of the purposes for which data was obtained, or for the
establishment, exercise or defense of legal claims, or for legitimate business purposes,
or as provided by law.

In addition, Section 11.f likewise provides that personal information must be kept in a form
which permits identification of data subjects for no longer than is necessary for the purposes
for which the data were collected and processed: Provided, That personal information
collected for other purposes may be processed for historical, statistical or scientific purposes,
and in cases laid down in law may be stored for longer periods: Provided, further, That
adequate safeguards are guaranteed by said laws authorizing their processing.

Finally, Section 19.e.3 of the IRR provides that personal data shall not be retained in perpetuity
in contemplation of a possible future use yet to be determined.

(please refer to page 149)

Disposal
What does Data Privacy Act say about disposal of personal data?
Section 19.d.3 of the IRR states that personal data shall be disposed or discarded in a secure
manner that would prevent further processing, unauthorized access, or disclosure to any
other party or public, or prejudice the interests of the data subjects.
Further, NPC Circular 16-01 on Security of Personal Data in Government Agencies provides
that procedures must be established regarding the following:

90
 disposal of files that contain personal data, whether such files are stored on paper, film,
optical or magnetic media;
secure disposal of computer equipment, such as disk servers, desktop computers and
mobile phones at end-of-life, especially storage media: Provided, that the procedure shall
include the use of degaussers, erasers, and physical destruction devices; and
disposal of personal data stored offsite.
The circular further provides that government agencies may engage a service provider to
carry out the disposal of personal data under its control or custody.
(please refer to page 149)

What are my responsibilities when disposing personal data?

It is the organizations duty to make sure that data will be disposed properly in a way that the
data should be unreadable (for paper) or irretrievable (for digital records). The organization
should categorize whether the data they have are high-risk or low-risk. It is recommended
that the appropriate data disposal method be used.

V. Data Security

Q. Organizational
It is most commonly known that the weakest link in the security of most organizations is
human factor and not technology. Even though that it is an obvious weak point, it is frequently
overlooked. Designing security measures starts by developing and establishing policies, rules,
procedures or guidelines to ensure data protection within the organization. Organizational
measures also refer to the systems environment, particularly to the individuals carrying them
out. Implementing the organizational data protection policies aim to maintain the availability,
integrity, and confidentiality of personal data against any accidental or unlawful processing.

91
The security policies and procedures will be applied from the collection up to its disposal of
personal information. Section 26 of the IRR of the DPA directs personal information
controllers and personal information processors to comply with the guidelines for
organizational security.
(please refer to page 152)

R. Physical

Physical security must be implemented properly to prevent unauthorized access. Similar to

the human factor in data protection, this element is also often overlooked. Hacking into the
network system is not the only way that personal or sensitive personal information can be
taken or used against an organization or any individual. Designing and implementing
physical security must be taken seriously and instituted. Its main focus is to protect physical
assets through office designs and layout, environmental components, emergency response
readiness, accessibility to the public, security against natural disasters and any other relevant
points.
Over the past years, threats to physical security have been significantly increasing. Now that
we live in the 21st century, technological advancements have increasing vulnerabilities.
Safeguarding personal information (both in digital and paper format) transmitted in networks
and systems has been difficult, with emerging mobile or remote users being able to take their
devices out of the secured facilities. This is one of the main reasons for the increasing cost of
physical security. Managing it through time, becomes tougher because of emerging
technologies. The NPC released guidelines in managing physical security for personal
information controllers and personal information processors because of their importance.
(please see page 154)

S. Technical

Technical security involves the technological aspect of security in protecting personal

information. It includes protecting the network, encrypting personal information in storage
and in transit, mitigating data transfer risks, implementing software system designs and
having efficient access control policies. The NPC has issued technical security guidelines for
the personal information controllers and personal information processors, specifically for
Data Center, Encryption and Access Control Policy.
(please refer to page 154)

i. Data Center

What is a Data Center?

A data center is a facility housing electronic equipment used for data processing, data storage,
and communications networking. It is a centralized repository, which may be physical or

92
virtual, may be analog or digital, used for the storage, management, and dissemination of data
including personal data.
The NPC requires personal information controllers and personal information processors to
implement reasonable and appropriate organizational, physical, and technical security
measures for the protection of personal data.
For government agencies, personal data shall be stored in a data center, which may or may
not be owned and controlled by such agency, provided, that the agency must be able to
demonstrate to the Commission how its control framework for data protection, and/or, where
applicable, that of its service provider, shall ensure compliance with the Act. Where a service
provider is engaged, the Commission may require the agency to submit its contract with its
service provider for review.
In addition, the Commission reserves the right to audit a government agency's data center, or,
where applicable, that of its service provider.

What are the recommended best practices for data center security?
1. Include security and compliance objectives as part of the data center design and
ensure the security team is involved from day one. Security controls should be
developed for each modular component of the data centerservers, storage, data and
networkunited by a common policy environment.

2. Ensure that approach taken will not limit availability and scalability of resources.

3. Develop and enforce policies that are context, identity and application-aware for
least complexity, and the most flexibility and scalability. Ensure that they can be
applied consistently across physical, virtual and cloud environments. This, along with
replacing physical with secure trust zones, will provide seamless and secure user
access to applications at all times, regardless of the device used to connect to resources
in the data center.

4. Choose security technologies that are virtualization-aware or enabled, with security

working at the network level rather than the server. Network security should be
integrated at the hypervisor level to discover existing and new virtual machines and
to follow those devices as they are moved or scaled up so that policy can be
dynamically applied and enforced.

5. Monitor everything continuously at the network level to be able to look at all assets
(physical and virtual) that reside on the local area network (even those that are
offline) and all inter-connections between them. This monitoring should be done on
a continuous basis and should be capable of tracking dynamic network fabrics.
Monitor for missing patches, application, or configuration changes that can introduce
vulnerabilities which can be exploited.

6. Look for integrated families of products with centralized management that are
integrated with or aware of the network infrastructure, or common monitoring
capabilities for unified management of risk, policy controls, and network security.
This will also give detailed reports across all controls that provide the audit trail
necessary for risk management, governance, and compliance objectives. Integrated

93
 families of products need not necessarily be procured from just one vendor. Look for
those that leverage the needed capabilities of a strong ecosystem of partnerships to
provide a consolidated solution across all data center assets.

7. Consider future as well as current needs and objectives at the design stage such as
whether access to public cloud environments is required.

8. Define policies and profiles that can be segmented and monitored in multi-tenant
environments. Consider security technologies that provide secure gateway
connections to public cloud resources.

What are the security requirements for a computer system?

1. Secure user authentication protocols including:
a. Control of user IDs and other identifiers;
b. Reasonably secure method of assigning and selecting passwords, or use of unique
identifier technologies, such as biometrics or token devices;
c. Control of data security passwords to ensure that such passwords are kept in a
location and/or format that does not compromise the security of the data they
protect;
d. Restricting access to active users and active user accounts only; and
e. Blocking access to user identification after multiple unsuccessful attempts to gain
access or the limitation placed on access for the particular system;

2. Secure access control measures that:

a. Restrict access to records and files containing personal information to those who
need such information to perform their job duties; and
b. Assign unique identifications plus passwords, which are not vendor supplied
default passwords, to each person with computer access, that are reasonably
designed to maintain the integrity of the security of the access controls;

3. Encryption of all transmitted records and files containing personal information that
will travel across public networks, and encryption of all data containing personal
information to be transmitted wirelessly;

4. Reasonable monitoring of systems, for unauthorized use of or access to personal

information;

5. Encryption of all personal information stored on laptops or other portable devices;

6. For files containing personal information on a system that is connected to the Internet,
there must be reasonably up-to-date firewall protection and operating system security
patches, reasonably designed to maintain the integrity of the personal information;

7. Reasonably up-to-date versions of system security agent software which must include
malware protection and reasonably up-to-date patches and virus definitions, or a

94
 version of such software that can still be supported with up-to-date patches and virus
definitions, and is set to receive the most current security updates on a regular basis;

8. Education and training of employees on the proper use of the computer security
system and the importance of personal information security.

ii. Encryption

What does the Commission say about encryption?

In relation to off-site access by government personnel to sensitive personal information,
Section 23 of the DPA provides that any technology used to store, transport, or access sensitive
personal information for purposes of off-site access approved shall be secured using the most
secure encryption standard recognized by the Commission.

What should be encrypted?

All personal data that are digitally processed must be encrypted, whether it is at rest or in
transit. According to Section 8 of Memorandum Circulars 16-01, the Commission recommends
Advanced Encryption Standard with a key size of 256 bits (AES-256) as the most appropriate
encryption standard.

Emails
Email has become an essential tool for communication. Most of us use emails for either
business or personal use, often to transmit files and information, which would inevitably
include personal data.
Section 24 of NPC Circular No. 16-01 provides that a government agency that transfers
personal data by email must either ensure that the data is encrypted, or use a secure email
facility that facilitates the encryption of the data, including any attachments. Passwords
should be sent on a separate email. It is also recommended that agencies utilize systems that
scan outgoing emails and attachments for keywords that would indicate the presence of
personal data and, if appropriate, prevent its transmission.

Portable Media
Using portable devices can increase the risk of data loss (when a physical device is lost), data
exposure (when data is exposed to the public or a third party), and increased exposure to
network-based attacks to and from any system the device is connected to. Reports say that
25% of malware is spread today through USB devices. Thus, there is a need to reduce these
risks associated with the use of portable media.
Section 26 of NPC Circular No. 16-01 provides that a government agency that uses portable
media, such as disks or USB drives, to store or transfer personal data must ensure that the
data is encrypted. Agencies that use laptops to store personal data must utilize full disk
encryption.

95
 Links (URL)
Agencies and organizations that utilize online access to process personal data should employ
an identity authentication method that uses a secured encrypted link.

Reference:

https://www.sans.org/reading-room/whitepapers/physical/physical-security-important-37120
https://resilience.enisa.europa.eu/article-13/guideline-for-minimum-security-
measures/Article_13a_ENISA_Technical_Guideline_On_Security_Measures_v2_0.pdf

iii. Access Control Policy

What is access control policy?

Having all the latest software security tools does not mean that your system is safe from any
attacks. Continuous improvement in security of information and data processing systems is a
fundamental management responsibility.
All applications and processing systems that deal with personal and sensitive personal
information should include some form of authorization which is also known as access control
policy. As systems grow in size and complexity, access control is a special concern for systems
and applications that are distributed across multiple computers.
Access Control Policy sets requirements of credentials and identification that specify how
access to computers, systems, or applications is managed, and who may access the
information in most circumstances. Authentication, authorization, audit, and access approval
are the common aspects of access control policy.

What are the best practices in implementing access control policy?

Personal information controllers and processors are responsible and accountable for
protecting the personal data that is being processed.
This may be done by managing the areas, distribution, and life-cycle of authentication and
authorization of your organizations processes. Access to any personal data must always be
protected, controlled, and managed with sufficient security policies.
Physical and systematic approach in creating and managing access control should also be
established by the management. Also, the small to large scale applications of the personal
information controllers and personal information processors should be taken into
consideration in the design and implementation of the policy.

96
What does the Commission say about implementing access control policy?
Personal information controllers and personal information processors are obliged to
implement appropriate organizational, physical, and technical security measures for the
protection of the personal data that they process.
Specifically for government agencies, Section 9 of NPC Circular 16-01 provides that access to
all data centers owned and controlled by a government agency shall be restricted to agency
personnel that have the appropriate security clearance and enforced by an access control
system that records when, where, and by whom the data centers are accessed.
Furthermore, Section 25 of the said circular mandates all government agencies to implement
access controls to prevent agency personnel from printing or copying personal data to
personal productivity software like word processors and spreadsheets that do not have any
security or access controls in place.

VI. Breaches

T. Data Breach Management

i. Security Incident Policy

The Security Incident Management Policy

All personal information controllers (PICs) and personal information

processors (PIP) must implement a security incident management policy. This
policy is for managing security incidents, including data breaches.

ii. Data Breach Response Team

NPC Circular 16-03 Sec. 5

A personal information controller or personal information processor shall

constitute a data breach response team, which shall have at least one (1)
member with the authority to make immediate decision regarding critical
action, if necessary. The team may include the Data Protection Officer.

iii. Incident Response Procedure

NPC Circular 16-03 Sec. 8

The personal information controller or personal information processor shall

implement policies and procedures for guidance of its data breach response
team and other personnel in the event of a security incident.

97
 iv. Breach Documentation

NPC Circular 16-03 Sec. 8

All action taken by a personal information controller or personal information

processor shall be properly documented. Reports should include:

a. Description of the personal data breach, its root cause and

circumstances regarding its discovery;

b. Actions and decisions of the incident response team;

c. Outcome of the breach management, and difficulties encountered;

and

d. Compliance with notification requirements and assistance

provided to affected data subjects.

v. Breach Notification

IRR Sec. 38. Data Breach Notification

a. The Commission and affected data subjects shall be notified by the
personal information controller within 72 hours upon knowledge of or
reasonable belief by the personal information controller or personal
information processor that a security breach requiring notification has
occurred.
b. Notification of security breach shall be required when sensitive
personal information or other information that may, under the circumstances,
be used to enable identity fraud are reasonably believed to have been
acquired by an unauthorized person, and the personal information controller
or the Commission believes that such unauthorized acquisition is likely to
give rise to a real risk of serious harm to any affected data subject.
c. Depending on the nature of the incident, or if there is delay or
failure to notify, the Commission may investigate the circumstances
surrounding the information security breach. Investigations may include on-
site examination of systems and procedures.

98
VII. Third Parties

U. Third Parties

a. Legal Basis of Disclosure

Sharing of personal information between two entities without any proof or

documentary evidence such as data sharing agreement is a big red flag in
ensuring data protection. An agreement between two parties is required when
sharing personal information especially sensitive personal information. It is an
evidence of accountability that ensures the protection of personal data.
Organizations should always check the legal basis of sharing the information
to other controllers.

There are government agencies or entities that are mandated by law to collect
personal information. This is very particular to agencies that are required to
collect and share personal information to other agencies or entities to achieve
their mandated functions. But this does not mean that they do not need a data
sharing agreement. It is essential to acknowledge and manage the concerns
regarding confidentiality, costs gained in data sharing, and legitimacy of the
request. Personal information controllers and personal information processors
should prioritize the protection of the rights of the data subjects and follow the
principles of specific, freely given, and informed consent.

b. Data Sharing Agreements

What is a Data Sharing Agreement?

A data sharing agreement refers to a contract, joint issuance, or any similar
document that contains the terms and conditions of a data sharing arrangement
between two or more parties. Only personal information controllers shall be
made parties to a data sharing agreement. Where a data sharing agreement
involves the actual transfer of personal data or a copy from one party to
another, such transfer shall comply with the security requirements imposed by
the Philippine Data Privacy Act, its IRR, and all applicable issuances of the
National Privacy Commission.

What are the things I should see on a Data Sharing Agreement?

Purpose
Identity of all PICs party to the agreement
Term or duration of the agreement
Operational details of the sharing or transfer of personal data
General description of the security measures for the protection of personal
data, including the policy for retention or disposal of records
Inform how a data subject can obtain a copy of the data sharing agreement
Details on online access

99
 Specify the PIC responsible for addressing any information request, or any
complaint filed by a data subject, and/or any investigation by the
Commission
Identify the method that shall be adopted for the secure return, destruction,
or disposal of the shared data
Other terms and conditions

c. Cross Border Transfer Agreement

Globally, there is a general recognition that there should be some law regarding cross-
border data transfers, but a wide variety of approaches to this issue exist, and there is no
single global model for managing it. At the national level, some countries have no
restrictions at all on the transfer of personal information to a foreign jurisdiction.

IRR Sec. 50
says that a personal information controller shall be responsible for any personal data under
its control or custody, including information that have been outsourced or transferred to a
personal information processor or a third party for processing, whether domestically or
internationally, subject to cross-border arrangement and cooperation. This includes
contracting with other data privacy authorities of other countries for cross-border
application and implementation of respective privacy laws;

VIII. Manage HR

V. Trainings and Certifications

IRR Sec. 26. enjoins personal information controllers and personal information processors to
provide capacity building, orientation or training programs regarding privacy or security
policies for employees, agents or representatives, particularly those who will have access to
personal data.

In addition, NPC Circular No. 16-01 provides that one of the general obligations of a
government agency engaged in the processing of personal data is to conduct a mandatory,
agency-wide training on privacy and data protection policies once a year. A similar training
shall be provided during all agency personnel orientations.

Note that capacity building of personnel to ensure knowledge of data breach management
principles, and internal procedures for responding to security incidents is also required under
NPC Circular No. 16-03 Personal Data Breach Management.

Likewise, NPC Advisory No. 17-01 on the Designation of DPOs, provides that all personal
information controllers or processors should provide sufficient time and resources, including
training, necessary for the DPO or COP to keep himself or herself updated with the

100
developments in data privacy and security and to carry out his or her tasks effectively and
efficiently.

Recommended Certifications

Currently, there is no certification process for an organizations compliance with the

DPA.

Nonetheless, it is advisable for organizations to obtain certifications or accreditations

such as those prescribed by the International Standards Organization (ISO),
specifically the ISO 27000 family - Information Security Management Systems
(ISMS):

ISO/IEC 27001:2013. Information technology -- Security techniques --

Information security management systems Requirements. This specifies the
requirements for establishing, implementing, maintaining and continually
improving an information security management system within the context of the
organization. It also includes requirements for the assessment and treatment of
information security risks tailored to the needs of the organization. The requirements
set out in ISO/IEC 27001:2013 are generic and are intended to be applicable to all
organizations, regardless of type, size or nature.

ISO/IEC 27002:2013. Information technology -- Security techniques -- Code of

practice for information security controls. This gives guidelines for organizational
information security standards and information security management practices
including the selection, implementation and management of controls taking into
consideration the organization's information security risk environment(s).

ISO/IEC 27018:2014. Information technology -- Security techniques -- Code of

practice for protection of personally identifiable information (PII) in public clouds acting as
PII processors. This establishes commonly-accepted control objectives, controls, and
guidelines for implementing measures to protect personal information in accordance
with the privacy principles in ISO/IEC 29100, which, in turn, concerns public cloud
computing environments. It also specifies guidelines based on ISO/IEC 27002, taking
into account the regulatory requirements for the protection of personal information
that might be applicable within the context of the information security risk
environment(s) of a (public) cloud service provider. It may be used by organizations
of any type and size, including public and private companies, government entities,
and non-profit organizations, which provide information processing services as
personal information processors via cloud computing under contract to other
organizations.

The Commission does not require certifications for key personnel of personal
information controllers or personal information processors, such as the latters Data
Protection Officer or Compliance Officer for Privacy.

However, it is considered best practice across jurisdictions for organizations to

properly equip their personnel with appropriate trainings that enable them to fulfill
their specific roles and functions. Some international certifications or trainings
commonly considered for this purpose include the following:

101
 Certified Information Systems Auditor (CISA). CISA is a globally
recognized certification for IS audit control, assurance, and security professionals. A
persons CISA certification attests to his or her audit experience, skills, and
knowledge. It demonstrates ones ability to assess vulnerabilities, report on
compliance, and institute controls within a particular enterprise.

Certified Information Security Manager (CISM). A management-focused

CISM certification that promotes international security practices and recognizes the
individual who manages, designs, and oversees and assesses an enterprises
information security.

Certified in the Governance of Enterprise IT (CGEIT). This certification

recognizes a wide range of professionals for their knowledge and application of
enterprise IT governance principles and practices. A CGEIT certified professional has
demonstrated his or her ability to bring IT governance into an organization, as well
as his or her complete grasp of the complex subject. Thus, he is able to enhance the
value of an enterprise.

Certified Information Systems Security Professionals (CISSP). The ideal

credential for those with proven deep technical and managerial competence, skills,
experience, and credibility to design, engineer, implement, and manage the overall
information security program of their organization, thereby protecting it from the
growing number of sophisticated attacks.

GIAC Security Essentials (GSEC). Designed for professionals seeking to

demonstrate their understanding of information security terminology and concepts,
and their possession of skills and technical expertise necessary for hands-on
security roles. GSEC credential holders are presumed to demonstrate a knowledge
and technical skills in various areas (e.g., identifying and preventing common and
wireless attacks, access controls, authentication, password management, DNS,
cryptography fundamentals, ICMP, IPv6, public key infrastructure, Linux, network
mapping, and network protocols).

Project Management Professional (PMP). This certification is touted as the

most important industry-recognized certification for project managers. It signifies
that the holder speaks and understands the global language of project management.
It connects him or her to a community of professionals, organizations and experts
worldwide. Indeed, unlike other certifications that focus on a particular geography
or domain, the PMP is truly global and enables its holder to work in virtually any
industry, with any methodology, and in any location.

While not explicitly required, certifications and/or accreditations allow for a more
efficient verification and monitoring process on the part of the Commission.

102
 W. Security Clearance

A security clearance allows authorized access to personal information that would otherwise be
forbidden. In Section 23 of the DPA, requirements relating to access by agency personnel to
sensitive personal Information a. On-site and Online Access Except as may be allowed
through guidelines to be issued by the Commission, no employee of the government shall have
access to sensitive personal information on government property or through online facilities
unless the employee has received a security clearance from the head of the source agency.
To ensure confidentiality of personal data, PIC or PIP shall only grant security clearance to an
employee when the performance of his or her official functions directly depends on and cannot
otherwise be performed unless access to the personal data is allowed.

Non-Disclosure Agreement (NDA)

One common way to protect confidential information given to another party is the use of Non-
Disclosure Agreement (NDA). A non-disclosure agreement is a legal contract between at least
two parties that outlines confidential material, knowledge, or information that the parties wish
to share with one another for certain purposes. It should contain a few specific parts: definitions
and exclusions of confidential information; obligations form all involved people or parties; and
time periods.

IX. Continuity

X. Continuing Assessment and Development

i. Regular Risk Assessment

Necessity, convenience and continuous improvement are the forefathers of invention. These
usher the introduction and adaptation of new systems by organizations to execute necessary
business functions. It is imperative to conduct a Privacy Impact Assessment to all data
processing systems that are classified as High and have Unreasonable impact
assessment.

A Privacy Impact Assessment to data processing systems in an organization should not be a

onetime affair. This shall be conducted regularly, maintaining later updates or upgrades
with additional functionality likely to impact the personal information that are handled.
Kindly refer to Privacy Impact Assessment for more information.

NPC Circular 16-01 Sec. 4b

Says that conduct a Privacy Impact Assessment for each program, process or measure
within the agency that involves personal data, Provided, that such assessment shall be
updated as necessary.

103
 ii. Review Contracts
To maintain continuity of data protection, it is very important for an organization to
constantly review the contracts that indicate disclosure, sharing, distribution or allocation of
personal data to individuals or other entities. The legal counsel or department of the
organization must re-assess the contents and conditions of the contracts to ensure their
compliance with the DPA. An organization must ensure the parity of data protection risks
between the parties bound by contracts and identify neglected privacy risks that have
substantial impact on the organization. In the end, stakeholders should be informed of the
risks and management decision based on accurate understanding of privacy and data security
risks.
Reference:

https://security.berkeley.edu/services/contract-reviews-0

iii. Internal Assessments

To make compliance with the Act manageable, organizations are advised to schedule regular
compliance monitoring, internal assessments and security audits. The purpose of an internal
assessment is to identify and strategically plan the needed maintenance of an organization to
align it with the DPA. NPC recommends creation of policies on conduct of internal
assessments and security audits.

iv. Review Privacy Management Program (PMP)

Regularly evaluating Privacy Management Program demonstrates accountability of
organizations. The Privacy Management Program is maintained through organizational

104
commitment and oversight of coordinated projects and activities implemented throughout
the agency, company or organization. It allows efficient use of available resources,
implements control measures to assure privacy and data protection, and puts in place a
system for review to allow for improvements responsive to data privacy best practices and
technological developments.
To properly protect personal data and meet legal obligations, PICs and PIPs should monitor,
assess and revise their privacy management framework to ensure it remains relevant and
effective.

(please refer to page. 67)

v. Accreditations

(please refer to page 100 )

X. Privacy Ecosystem

Y. New Technologies and Standards

Z. New Legal Requirements

Monitor Privacy Competency

Technology is fast changing. With new trends in technology that are constantly emerging,
they have their own privacy and legal implications. Keeping up to date can become a chore
that is easy to delay. Below are some tips on how to be updated with the latest trends in
technology.

1. Industry Players

Participate in workshops, summits and various talks held by accredited associations

and government regulators
2. Print Media (Books and Magazines)

Books and magazines are great information resources. Subscribe to monthly digests
on tech magazines for timely reading. While books can be a great resource, make sure the
book is based on the correct version of the technology you are researching.

3. Social Media (Twitter, Facebook, Email Subscription, etc.)

Follow seasoned tech gurus and subscribe for notification on tech news pages,
relevant government pages (National Privacy Commission, Department of Information and
Communications Technology, Cybercrime Investigation and Coordination Center) to be in
the loop for recent trends and advisories in information security, cybercrime and privacy
news.
4. Training

Another great resource is the various forms of training and web based tutorials. If
you can afford to get professional training (either online or in-house), this is probably the

105
best approach. However, this can be costly. Nowadays, many sites offer great tutorials that
get you knee-deep in the latest technologies for free. There are also many web casts available
from various conferences or events where the presenter is conducting a demo on a new
technology. Locate these resources through searches and through your blogs and podcasts.

5. Face-to-Face (user group meetings and technical conferences)

User group meetings and forums are usually technology specific and give you a
chance to meet people locally that are doing what you are doing, learn about what they are
doing, and get great presentations on the latest and greatest happenings in your technology
and various processes. This is also a great way to learn about conferences you can attend or
hear about from those that did attend. These conferences are showcases for the new stuff.

6. Recent Developments

There are many recent developments in technology and privacy-legal area. Strategies
to be updated include by keeping track of local and international Government Issuances,
recent local and international government enforcements, International Standards released by
ISO, International Organizations current practices and relevant frameworks.

V. Be Prepared for Breach:

Regularly exercise your Breach Reporting Procedures

Data Breaches and Security Incidents

Assessment

A security incident is any event or occurrence that affects or tends to affect data protection,
or may compromise the availability, integrity, and confidentiality of personal data. It
includes incidents that may result in a personal data breach, if not for safeguards that have
been put in place.

A data breach is a kind of security incident. It happens when there is a breach of security
leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of,
or access to, personal data transmitted, stored, or otherwise processed.

There are three kinds of data breaches:

availability breach results from the accidental loss or unlawful destruction of

personal data;
integrity breach results from the unauthorized alteration of personal data; and
confidentiality breach results from the unauthorized disclosure of or access to
personal data.

106
The Security Incident Management Policy

All personal information controllers (PICs) and personal information processors (PIP) must
implement a security incident management policy. This policy is for managing security
incidents, including data breaches.

In drafting your security incident management policy and personal data breach management
procedure, the following must be included:

creation of a security incident response team, with members that have clearly defined
responsibilities, to ensure timely action in the event of a security incident or personal
data breach;
implementation of organizational, physical and technical security measures, and
personal data privacy policies intended to prevent or minimize the occurrence of a
personal data breach and assure the timely discovery of a security incident;
implementation of an incident response procedure intended to contain a security
incident or personal data breach, and restore the integrity of the information and
communications system;
mitigation of possible harm and negative consequences to a data subject in the event
of a personal data breach; and
compliance with the DPA, its IRR, and all related issuances by the NPC pertaining to
personal data breach notification.

The Security Incident Management Policy must also include measures intended to prevent or
minimize the occurrence of a personal data breach. These measures include:

conduct of a privacy impact assessment to identify attendant risks in the

processing of personal data. It shall take into account the size and sensitivity of the
personal data being processed, the impact and likely harm of a personal data
breach;
data governance policy that ensures adherence to the principles of
transparency, legitimate purpose, and proportionality;
implementation of appropriate security measures that protect the availability,
integrity and confidentiality of personal data being processed;
regular monitoring for security breaches and vulnerability scanning of
computer networks;
capacity building of personnel to ensure knowledge of data breach
management principles, and internal procedures for responding to security
incidents;
procedure for the regular review of policies and procedures, including the
testing, assessment, and evaluation of the effectiveness of the security measures.

The Security Incident Response Team

The Security Incident Response Team is responsible for:

implementing security incident management policy of the PIC or PIP;

managing security incidents and personal data breaches; and
compliance by the PIC or PIP with the relevant provisions of the Act, its IRR,
and all related issuances by the Commission on personal data breach management.

107
Although the functions of the Security Incident Response Team may be outsourced, and there
is no precise formula for its composition, its members must, as a collective unit, be ready to
assess and evaluate a security incident, restore integrity to the information and
communications system, mitigate and remedy any resulting damage, and comply with
reporting requirements.

Annual Reports

PICs and PIPs are required to submit their Annual Report, where all security incidents and
personal data breaches must be documented through written reports, including those not
covered by the notification requirements.

In the event of a personal data breach, a report shall include:

a) the facts surrounding the incident;

b) the effects of such incident; and
c) the remedial action taken by the PIC. For other security incidents not involving
personal data, a report containing aggregated data shall constitute sufficient
documentation.

Any or all reports shall be made available when requested by the Commission: Provided,
that a summary of all reports shall be submitted to the Commission annually, comprised of
general information including the:

1) number of incidents and breach encountered; and

2) information classified according to their impact on the availability, integrity, or
confidentiality of personal data.

Mandatory Notification

Not all data breaches have to be reported to the NPC. Only when these are all present are the
PICs (or PIPs, as the case may be) required to notify:

there is a breach of sensitive personal information or other information that

may, under the circumstances, be used to enable identity fraud;
the data is reasonably believed to have been acquired by an unauthorized
person; and
either the PIC or the NPC believes that the data breach is likely to give rise to
a real risk of serious harm to the affected data subject.

If there is doubt as to whether notification is indeed necessary, consider:

(1) the likelihood of harm or negative consequences on the affected data subjects;
(2) how notification, particularly of the data subjects, could reduce the risks arising from
the personal data breach reasonably believed to have occurred; and
(3) if the data involves:
information that would likely affect national security, public safety, public
order, or public health;
at least one hundred (100) individuals;

108
 information required by all applicable laws or rules to be confidential; or
personal data of vulnerable groups.

The failure to notify the NPC or the public may make you criminally liable for Concealment
of Security Breaches Involving Sensitive Personal Information, which carries a penalty of
imprisonment from one year and six months, to five years, and a fine of Five Hundred
Thousand Pesos (500,000.00) to One Million Pesos (1,000,000.00).

This crime is committed by those, having knowledge of the security breach and with an
obligation to inform the NPC of the fact of such a breach, either intentionally or by omission
fails to inform the NPC that the breach has happened.

Aside from notifying the NPC, the PIC shall also notify the affected data subjects upon
knowledge of, or when there is reasonable belief that a personal data breach has occurred. The
obligation to notify remains with the PIC even if the processing of information is outsourced
or subcontracted to a PIP.

The Commission shall be notified within seventy-two (72) hours upon knowledge of or the
reasonable belief by the PIC or PIP that a personal data breach has occurred.

Generally, there shall be no delay in notification however, the notification may only be
delayed to the extent necessary to determine:

the scope of the breach;

to prevent further disclosures; or
to restore reasonable integrity to the information and communications system.

There can be no delay in the notification if the breach involves at least one hundred (100) data
subjects, or the disclosure of sensitive personal information will harm or adversely affect the
data subject. In either case, the Commission must be notified within the 72-hour period based
on available information.

The full report of the personal data breach must be submitted within five (5) days from
notification, unless the PIC is granted additional time by the Commission to comply.

The following information must be included in any Data Breach notification:

nature of the Breach. There must be, at the very least, a description of:
(a) the nature of the breach;
(b) a chronology of events, and
(c) an estimate of the number of data subjects affected;

personal data involved. stating the description of sensitive personal

information or other information involved.

remedial Measures. there must be:

(a) description of the measures taken or proposed to be taken to address the
breach;
(b) actions being taken to secure or recover the personal data that were
compromised;

109
 (c) actions performed or proposed to mitigate possible harm or negative
consequences, and limit the damage or distress to those affected by the incident;
(d) action being taken to inform the data subjects affected by the incident, or
reasons for any delay in the notification; and
(e) measures being taken to prevent a recurrence of the incident.

Name and contact details - of the Data Protection Officer or contact person
designated by the PIC to provide additional information.

Under the Data Privacy Act, the data subject has the right to be notified. Upon knowledge of,
or reasonable belief that a personal data breach has occurred, the PIC must notify the data
subject within 72 hours, which:

may be made on the basis of available information within the 72-hour period
if the personal data breach is likely to give rise to a real risk to the rights and
freedoms of data subjects;
shall have the same content as those made to the National Privacy
Commission, but shall include instructions on how data subjects will get further
information; and
shall include recommendations on how to minimize risks resulting from
breach and to secure any form of assistance.

The notification may be supplemented with additional information at a later stage on the basis
of further investigation.

The notification of affected data subjects shall be done individually, using secure means of
communication, whether written or electronic. Whenever individual notification is not
possible or would require a disproportionate effort, the PIC may seek the approval of the
Commission to use alternative means of notification.

The notification requirement is not absolute; the NPC can allow the postponement of
notification when it may hinder the progress of a criminal investigation.

The Subsequent Investigation

The NPC will consider these factors in its investigation following the occurrence of a data
breach:
security measures that have been implemented and applied to the personal
data at the time the personal data breach was reasonably believed to have
occurred, including measures that would prevent use of the personal data by any
person not authorized to access it;
subsequent measures that have been taken by the PIC or PIP to ensure that the
risk of harm or negative consequence to the data subjects will not materialize;
age or legal capacity of affected data subjects; provided, that in the case of
minors or other individuals without legal capacity, notification may be done
through their legal representatives; and
compliance with the law and existence of good faith in the collection of
personal information.

110
In investigation of a breach or a security incident, the Commission may investigate a breach
or security incident depending on the nature, or in case of failure or delay in the notification.

The investigation will:

include an on-site examination of systems and procedures;

require the cooperation of concerned parties, or compel appropriate action
therefrom to protect the interests of data subjects, if necessary; and
will be governed by the Rules of Procedure of the Commission.

The Data Privacy Compliance Guidelines

Compliance Checklist Evidence of Compliance

1. Establish Data Privacy Governance

Designate a Data Protection Officer Designation/ Appointment

Papers/ Contract of the DPO
and/or DPO team
Other means to demonstrate
compliance

2. Risk Assessment

Maintain records of processing Records of Processing Activities

activities, including inventory of Website or other visible
personal data, data flow and announcement showing contact
transfers outside country details of DPO
Register Data Processing Systems NPC Notification of completing
(Phase I) Phase I Registration
Conduct a Risk Assessment PIA Report
Other means to demonstrate
compliance

3. Maintain Organization Commitment

Implement and Maintain a Privacy Privacy Manual

Management Program List of activities on privacy and
Develop a Privacy Manual and data protection
complaints mechanism List of key personnel assigned
responsibilities for privacy and
data protection within the
organization
Other means to demonstrate
compliance
4. Privacy and Data Protection in Day to Day
Operations
Have visible and accessible Privacy Privacy Notice in Website and/or
Notices with contact details of DPO within organization (where
collection of personal data occurs)

111
 Develop, Review or Maintain Consent forms for collection and
Policies and Procedures for use of personal data
processing of personal data from List of Policies and Procedures in
collection to retention or disposal place that relate to privacy and
(procedure for obtaining consent) data protection (may be in privacy
Establish procedures or platform manual)
for data subjects to exercise their Policies and Procedure in dealing
rights (access, be informed, object, with requests for information from
correction, erasure, file a complaint, parties other than the data subjects
be indemnified, data portability) (media, law enforcement,
Register Data Processing Systems representatives)
(Phase II) Retention and Disposal Schedules
Comply with notification and Policies and Procedure for data
reporting requirements subjects to exercise rights (may be
in Privacy Manual)
Data subjects informed of rights
through privacy notices, and other
means
Form or platform for data subjects
to request copy of their personal
information and request correction
Procedure for addressing
complaints of data subjects
Certificate of registration and
notification
Other means to demonstrate
compliance
5. Manage Security Risks

Maintain Organizational Security Data Center and Storage area with

Measures (Policies and procedures limited physical access
in place) Report on technical security
Maintain Physical Security measures and information security
Measures (Physical Access and tools in place
Security, Design and Firewalls used
Infrastructure) Encryption used for transmission
Maintain Technical Security Encryption used for storage
Measures (Firewalls, Encryption, Access Policy for onsite, remote
Access Policy, Security of Data and online access
Storage, other Information security Audit logs
tools) Back-up solutions
Report of Internal Security Audit
or other internal assessments
Certifications or accreditations
maintained
Other means to demonstrate
compliance
6. Data Breach Management

112
 Implement safeguards to prevent Schedule of breach drills
or minimize personal data breach Number of Trainings conducted
(Breach drills, security policy) for internal personnel on breach
Constitute Data Breach Response management
Team Personnel Order constituting the
Maintain and Review Incident Data Breach Response Team
Response Policy and Procedure Incident Response Policy and
Document Security incidents and Procedure (may be in Privacy
personal data breaches Manual)
Comply with Breach Notification Record of Security incidents and
requirements personal data breaches, including
notification for personal data
breaches
Other means to demonstrate
compliance
7. Manage Third Party Risks

Execute Data Sharing Agreements Data Sharing Agreements

Review or enter into contracts and List of recipients of personal data
other agreements for transfers of (PIPs, other PICs, service
personal data, including cross providers, government agencies)
border transfers to ensure Review of Contracts with PIPs
comparable level of data protection, Review of Contracts for cross-
DPA compliance, and security of border transfers
transfers Other means to demonstrate
Review or enter into outsourcing compliance
contracts with PIPs, to ensure
comparable level of data protection
and DPA compliance
Establish and document legal basis
for disclosures of personal data
made to third parties
8. Human Resources Management
Regularly train personnel regarding No. of employees who attended
privacy or security policies. trainings on privacy and data
Ongoing training and capacity protection
building for Data Protection Officer Commitment to comply with Data
DPOs work towards certifications Privacy Act as part of Code of
and applies for membership in Conduct or through written
DPO organizations document to be part of employee
Non-Disclosure Agreements for files
personnel handling Data Certificate of Training of DPO
Security Clearance issued for those Certifications of DPOs
handling personal data NDAs or confidentiality agreements
Security Clearance Policy
Other means to demonstrate
compliance

113
9. Continuing Assessment and Development

Schedule Regular Risk Assessment Policy for Conduct of PIA (may be

Review Forms, Contracts, Policies in manual)
and Procedures on a regular basis Policy on conduct of Internal
Schedule Regular Compliance Assessments and Security Audits
monitoring, internal assessments Privacy Manual contains policy for
and security audits regular review
Review, Validate and Revise List of activities to evaluate Privacy
Privacy Manual Management program (survey of
Regularly evaluate Privacy customer, personnel assessment)
Management program Other means to demonstrate
compliance
10. Manage Privacy Ecosystem

Monitor emerging technologies, No. of trainings and conferences

new risks of data processing, and attended on privacy and data
the privacy ecosystem protection
Keep track of data privacy best Policy papers, legal or position
practices, sector specific standards, papers, or other research
and international data protection initiatives on emerging
standards technologies, data privacy best
Attend trainings and conferences practices, sector specific
Seek guidance and legal opinion on standards, and international data
new NPC issuances or protection standards
requirements No. of management meetings
which included privacy and data
protection in the agenda
Other means to demonstrate
compliance

114
 C.
Registration

115
NPC Circular 17-01

DATE : 31 July 2017

TO : ALL PERSONAL INFORMATION CONTROLLERS AND

PERSONAL INFORMATION PROCESSORS

SUBJECT : REGISTRATION OF DATA PROCESSING SYSTEMS AND

NOTIFICATIONS REGARDING AUTOMATED DECISION-
MAKING

WHEREAS, Article II, Section 24, of the 1987 Constitution provides that the State
recognizes the vital role of communication and information in nation-building. At the same
time, Article II, Section 11 thereof emphasizes that the State values the dignity of every human
person and guarantees full respect for human rights;

WHEREAS, Section 2 of Republic Act No. 10173, also known as the Data Privacy Act
of 2012 (DPA), provides that it is the policy of the State to protect the fundamental human
right of privacy of communication while ensuring free flow of information to promote
innovation and growth. The State also recognizes its inherent obligation to ensure that
personal information in information and communications systems in the government and in
the private sector are secure and protected;

WHEREAS, Section 16 of the DPA and Section 34 of its Implementing Rules and
Regulations (IRR) provide that data subjects shall be furnished with and given access to their
personal data that are being processed in data processing systems, as well as the purpose,
scope, method, and manner of such processing, including the existence of automated decision-
making;

WHEREAS, pursuant to Section 7 of the DPA, the National Privacy Commission

(NPC) is charged with the administration and implementation of the provisions of the law,
which includes ensuring the compliance by personal information controllers (PICs) with the
provisions thereof, publishing a compilation of an agencys system of records and notices, and
carrying out efforts to formulate and implement plans and policies that strengthen the
protection of personal data, in coordination with other government agencies and private
entities;

WHEREAS, Section 9 of the IRR provides that, among the NPCs functions, is to
develop, promulgate, review, or amend rules and regulations for the effective implementation
of the DPA;

116
 WHEREAS, Section 24 of the DPA states that, when entering into any contract that
may involve accessing or requiring sensitive personal information from at least one thousand
(1,000) individuals, a government agency shall require the contractor and its employees to
register their personal information processing system with the NPC in accordance with the
DPA and to comply with the laws provisions. Furthermore, Section 14 of the law mandates
that personal information processors (PIPs) shall also comply with all requirements of the
DPA and other applicable laws;

WHEREAS, in line with Sections 46 and 47 of the IRR, a PIC or PIP that employs fewer
than two hundred fifty (250) persons shall not be required to register unless the processing it
carries out is likely to pose a risk to the rights and freedoms of data subjects, is not occasional,
or includes sensitive personal information of at least one thousand (1,000) individuals.
Moreover, Section 48 thereof declares that a PIC carrying out any automated processing
operation that is intended to serve a single or several related purposes must notify the NPC
when said operation becomes the sole basis for making decisions about a data subject, and
when such decision would significantly affect the data subject;

WHEREFORE, in consideration of these premises, the NPC hereby issues this Circular
governing the registration of data processing systems and notifications regarding automated
decision-making:

RULE I.
PRELIMINARY PROVISIONS

SECTION 1. Scope. The provisions of this Circular shall apply to any natural or juridical
person in the government or private sector processing personal data and operating in the
Philippines, subject to the relevant provisions of the DPA, its IRR, and other applicable
issuances of the NPC.

SECTION 2. Purpose. This Circular establishes the framework for registration of data
processing systems in the Philippines and imposes other requirements for the purpose of
achieving the following objectives:

A. ensure that PICs and PIPs keep a record of their data processing activities;

117
 B. make information about data processing systems operating in the country accessible
to both the Commission, for compliance monitoring, and data subjects, to facilitate
the exercise of their rights under the DPA; and

C. promote transparency and public accountability in the processing of personal data.

SECTION 3. Definition of Terms. For the purpose of this Circular, the following terms are
defined, as follows:

A. Act or DPA refers to Republic Act No. 10173, otherwise known as the Data
Privacy Act of 2012;

B. Automated Decision-making refers to a wholly or partially automated processing

operation that serves as the sole basis for making decisions that would significantly
affect a data subject. It includes the process of profiling based on an individuals
economic situation, political or religious beliefs, behavioral or marketing activities,
electronic communication data, location data, and financial data, among others;

C. Commission or NPC refers to the National Privacy Commission;

D. Compliance Officer for Privacy or COP refers to an individual that performs

some of the functions of a DPO, as provided in NPC Advisory No. 17-01;

E. Core Activity refers to a key operation or process carried out by a PIC or PIP to
achieve its mandate or function: Provided, that processing of personal data forms an
integral and necessary part of such operations or processes;

F. Data Processing System refers to a structure and procedure by which personal data
is collected and further processed in an information and communications system or
relevant filing system, including the purpose and intended output of the processing;

G. Data Protection Officer or DPO refers to an individual designated by the head

of agency or organization to be accountable for its compliance with the Act, its IRR,
and other issuances of the Commission: Provided, that, except where allowed
otherwise by law or the Commission, the individual must be an organic employee of
the government agency or private entity: Provided further, that a government agency
or private entity may have more than one DPO;

H. Data sharing is the disclosure or transfer to a third party of personal data under
the control or custody of a PIC: Provided, that a PIP may be allowed to make such
disclosure or transfer if it is upon the instructions of the PIC concerned.

118
 The term excludes outsourcing, or the disclosure or transfer of personal data by a PIC
to a PIP;

I. Data Subject refers to an individual whose personal, sensitive personal, or

privileged information is processed;

J. Encryption Method refers to the technique that renders data or information

unreadable, ensures that it is not altered in transit, and verifies the identity of its
sender;

K. Filing system refers to any set of information relating to a natural or juridical

person to the extent that, although the information is not processed by equipment
operating automatically in response to instructions given for that purpose, the set is
structured, either by reference to individuals or by reference to criteria relating to
individuals, in such a way that specific information relating to a particular person is
readily accessible;

L. Government Agency refers to a government branch, body, or entity, including

national government agencies, bureaus, or offices, constitutional commissions, local
government units, government-owned and controlled corporations, government
financial institutions, state colleges and universities;

M. Head of agency refers to: (1) the head of the government entity or body, for national
government agencies, constitutional commissions or offices, or branches of the
government; (2) the governing board or its duly authorized official for government-
owned and -controlled corporations, government financial institutions, and state
colleges and universities; (3) the local chief executive, for local government units;

N. Head of organization refers to the head or decision-making body of a private entity

or organization;

O. Information and Communications System refers to a system for generating,

sending, receiving, storing or otherwise processing electronic data messages, or
electronic documents, and includes the computer system or other similar device by
which data is recorded, transmitted, or stored, and any procedure related to the
recording, transmission or storage of electronic data, electronic message, or electronic
document;

P. IRR refers to the Implementing Rules and Regulations of the DPA;

Q. Personal data refers to all types of personal information;

R. Personal information refers to any information, whether recorded in a material

form or not, from which the identity of an individual is apparent or can be reasonably

119
 and directly ascertained by the entity holding the information, or when put together
with other information would directly and certainly identify an individual;

S. Personal information controller or PIC refers to a natural or juridical person, or

any other body who controls the processing of personal data, or instructs another to
process personal data on its behalf. The term excludes:

1. a natural or juridical person, or any other body, who performs such functions as
instructed by another person or organization; or
2. a natural person who processes personal data in connection with his or her
personal, family, or household affairs;

There is control if the natural or juridical person or any other body decides on what
information is collected, or the purpose or extent of its processing;

T. Personal information processor or PIP refers to any natural or juridical person

or any other body to whom a PIC may outsource or instruct the processing of
personal data pertaining to a data subject;

U. Private entity or organization refers to any natural or juridical person that is not
a unit of the government, including, but not limited to, a corporation, partnership,
company, non-profit organization or any other legal entity;

V. Privileged information refers to all forms of data, which, under the Rules of Court
and other pertinent laws, constitute privileged communication;

W. Profiling refers to any form of automated processing of personal data consisting

of the use of personal data, such as a individuals economic situation, political or
religious beliefs, behavioral or marketing activities, personal preferences, electronic
communication data, location data, and financial data, among others, in order to
evaluate, analyze, or predict his or her performance, qualities, and behavior, among
others;

X. Sensitive personal information refers to personal information:

1. about an individuals race, ethnic origin, marital status, age, color, and religious,
philosophical or political affiliations;
2. about an individuals health, education, genetic or sexual life of a person, or to
any proceeding for any offense committed or alleged to have been committed by
such person, the disposal of such proceedings, or the sentence of any court in
such proceedings;
3. issued by government agencies peculiar to an individual which includes, but not
limited to, social security numbers, previous or current health records, licenses
or its denials, suspension or revocation, and tax returns; and
4. specifically established by an executive order or an act of Congress to be kept
classified.

120
SECTION 4. General Principles. This Circular shall be governed by the following general
principles:

A. Registration of its data processing systems with the Commission shall be one of the
means through which a PIC or PIP demonstrates its compliance with the DPA, its
IRR, and other relevant issuances of the NPC.

B. Registration information submitted by a PIC or PIP to the Commission are presumed

to contain all required information on its data processing systems that are active or
existing during the validity of such registration. Any information excluded
therefrom are deemed nonexistent.

C. Unless otherwise provided in this Circular, any information, file, or document

submitted by a PIC or PIP to the Commission shall be kept confidential.

D. Any doubt in the interpretation of the provisions of this Circular shall be liberally
interpreted in a manner that would uphold the rights and interests of data subjects.

RULE II.
REGISTRATION OF DATA PROCESSING SYSTEMS

SECTION 5. Mandatory Registration. A PIC or PIP shall register its data processing systems
if it is processing personal data and operating in the country under any of the following
conditions:

A. the PIC or PIP employs at least two hundred fifty (250) employees;

B. the processing includes sensitive personal information of at least one thousand

(1,000) individuals;

C. the processing is likely to pose a risk to the rights and freedoms of data subjects.
Processing operations that pose a risk to data subjects include those that involve:

i. information that would likely affect national security, public safety, public
order, or public health;
ii. information required by applicable laws or rules to be confidential;
iii. vulnerable data subjects like minors, the mentally ill, asylum seekers, the
elderly, patients, those involving criminal offenses, or in any other case where
an imbalance exists in the relationship between a data subject and a PIC or PIP;
iv. automated decision-making; or

121
 v. profiling;

D. the processing is not occasional: Provided, that processing shall be considered

occasional if it is only incidental to the mandate or function of the PIC or PIP, or, it
only occurs under specific circumstances and is not regularly performed. Processing
that constitutes a core activity of a PIC or PIP, or is integral thereto, will not be
considered occasional:

In determining the existence of the foregoing conditions, relevant factors, such as the number
of employees, or the records of individuals whose sensitive personal information are being
processed, shall only be considered if they are physically located in the Philippines.

Data processing systems that involve automated decision-making shall, in all instances, be
registered with the Commission. For all other data processing systems operating under the
conditions set out in subsections C and D, the Commission shall determine the specific sectors,
industries, or entities that shall be covered by mandatory registration. Appendix 1 of this
Circular shall feature the initial list. It shall be regularly reviewed and updated by the
Commission through subsequent issuances.

SECTION 6. Voluntary Registration. An application for registration by a PIC or PIP whose

data processing system does not operate under any of the conditions set out in the next
preceding Section shall be accepted as a voluntary registration.

SECTION 7. When to Register. A PIC or PIP covered by this Circular shall register its personal
data processing system within two (2) months of the commencement of such system.

SECTION 8. Authority to Register. A PIC or PIP shall file its application for registration
through its designated or appointed DPO: Provided, that where a PIC or PIP has several DPOs,
only one shall be authorized to file the application of the PIC or PIP: Provided further, that
where the same individual assumes the role of DPO for two or more PICs or PIPs, he or she
shall be allowed to file the applications of all his or her principals.

SECTION 9. Registration Process. A PIC or PIP shall register through the Commissions
official website in two (2) phases:

122
 A. Phase I. A PIC or PIP, through its DPO, shall accomplish the prescribed application
form, and submit the same to the Commission together with all supporting
documents. Upon review and validation of the submission, the Commission shall
provide the PIC or PIP via email an access code, which shall allow it to proceed to
Phase II of the registration process.

B. Phase II. Using the access code provided by the Commission, a PIC or PIP shall
proceed to the online registration platform and provide all relevant information
regarding its data processing systems. The Commission shall notify the PIC or PIP
via email to confirm the latters successful completion of the registration process:

Provided, that registration may be done in person at the office of the Commission in the event
that online access is not available.

SECTION 10. Application Form. An application for registration filed by a PIC or PIP must be
duly-notarized and accompanied by the following documents:

A. For government agencies:

1.) certified true copy of the Special/Office Order, or any similar document,
designating or appointing the DPO of the PIC or PIP; and
2.) where applicable, a copy of the charter of the government entity, or any similar
document identifying its mandate, powers, and/or functions.

B. For private entities:

1.) duly-notarized Secretarys Certificate authorizing the appointment or

designation of DPO, or any other document that demonstrates the validity of
the appointment or designation.
2.) certified true copy of the following documents, where applicable:
a.) General Information Sheet or any similar document;
b.) Certificate of Registration (SEC Certificate, DTI Certification of Business
Name or Sole Proprietorship) or any similar document; and/or
c.) Franchise, license to operate, or any similar document.

SECTION 11. Online Registration Platform. In the Commissions online registration

platform, a PIC or PIP shall provide the following registration information:

A. name and contact details of the PIC or PIP, head of agency or organization, and DPO;

B. purpose or mandate of the government agency or private entity;

123
 C. identification of all existing policies relating to data governance, data privacy, and
information security, and other documents that provide a general description of
privacy and security measures for data protection;

D. attestation regarding certifications attained by the PIC or PIP, including its relevant
personnel, that are related to personal data processing;

E. brief description of data processing system or systems:

1.) name of the system;

2.) purpose or purposes of the processing;
3.) whether processing is being done as a PIC, PIP, or both;
4.) whether the system is outsourced or subcontracted, and if so, the name and
contact details of the PIP;
5.) description of the category or categories of data subjects, and their personal
data or categories thereof;
6.) recipients or categories of recipients to whom the personal data might be
disclosed; and
7.) whether personal data is transferred outside of the Philippines;

F. notification regarding any automated decision-making operation.

This same set of information shall be given when registration is done in person at the office of
the Commission.

SECTION 12. Certificate of Registration. The Commission shall issue a certificate of

registration in favor of a PIC or PIP that has successfully completed the registration process:
Provided, that such certificate shall only be considered as proof of registration and not a
verification of the contents thereof.

SECTION 13. Validity. A certificate of registration, once issued, shall be valid only until the
8th day of March of the next following year: Provided, that the certificate may be revoked by
the Commission at any time upon service of a Notice of Revocation to the PIC or PIP.

SECTION 14. Verification. The Commission may, at any time, verify any or all registration
information provided by a PIC or PIP through on-site examination of its data processing
systems. Policies and documents identified in the registration, including proof of certifications
attained, shall be made available to the Commission upon request.

124
SECTION 15. Amendments or Updates. Amendments or updates to registration information,
including significant changes in the description of registered data processing systems, shall
be made within two (2) months from the date such changes take into effect. For this purpose,
a significant change shall include:

A. name and contact details of the PIC or PIP, head of agency or organization, and DPO;

B. a new or additional data processing system;

C. an amendment or update to the description of a registered data processing system,

particularly:

1.) purpose or purposes of processing;

2.) description of the category or categories of data subjects, and of their personal
data or categories thereof;
3.) recipients or categories of recipients to whom the personal data might be
disclosed;

D. a new or additional automated decision-making process;

Amendments or updates to the registration information may be undertaken through the

online registration platform, subject to the approval of the Commission: Provided, that where
the change consists of the appointment or designation of a new DPO, the submission of the
appropriate supporting document must be undertaken.

SECTION 16. Non-Registration. A PIC or PIP shall be considered as unregistered under the
following circumstances:

A. failure to register with the Commission;

B. expiration and non-renewal of certificate of registration;
C. rejection or disapproval of an application for registration, or an application for
renewal of registration; or
D. revocation of the certificate of registration.

SECTION 17. Renewal. A PIC or PIP may file an application for the renewal of its certificate
of registration within two (2) months prior to, but not later than the 8 th day of March every
year. Any registration relative to which no application for renewal has been filed within the
prescribed period is deemed revoked: Provided, that a PIC or PIP may be allowed to file an
application for renewal beyond the prescribed period upon approval of the Commission, and

125
only for good cause shown. For this purpose, the PIC or PIP shall notify the Commission of
its intention to renew its registration and the reason for its delay.

SECTION 18. Reasonable Fees. To recover administrative costs, the Commission may require
the payment of reasonable fees for registration, renewal, and other purposes in accordance
with a schedule that shall be provided in a separate issuance.

RULE III.
REGISTRY OF DATA PROCESSING SYSTEMS

SECTION 19. Maintenance of Registry. The Commission shall maintain a registry of data
processing systems in electronic format.

SECTION 20. Public Access to Registry. Any person may inspect the registry during regular
office hours: Provided, that the Commission shall regulate such access to protect the legitimate
interests of PICs and PIPs.

Subject to reasonable fees and regulations that may be prescribed by the Commission, any
person may also secure a duly certified copy of any entry from the registry relating to a
particular PIC or PIP.

SECTION 21. Amendments to Registry. Amendments or updates to the registry shall be made
by the Commission every two (2) months, or as often as necessary, in order to incorporate
changes to the registration information filed by PICs or PIPs.

SECTION 22. Removal from Registry. The registration information of a PIC or PIP may be
removed by the Commission from the registry on any of the following grounds:

A. Incomplete registration;
B. Expiration and non-renewal of registration;
C. Revocation of certificate of registration; or

126
 D. Expired and void registration.

SECTION 23. Non-inclusion of Confidential Information. Information classified by the

Constitution or any statute as confidential shall not be included in the registry.

RULE IV.
NOTIFICATIONS REGARDING
AUTOMATED DECISION-MAKING

SECTION 24. Notification of Automated Decision-Making. A PIC or PIC that carries out any
automated decision-making operation shall notify the Commission via the mandatory
registration process.

SECTION 25. When to Notify. Notifications regarding automated decision-making shall be

included in the registration information that will be provided by a PIC or PIP, as indicated in
Section 11 of this Circular, or through amendments or updates to such registration
information, as per Section 15 of this Circular, within the prescribed periods.

SECTION 26. Availability of Additional Information. Upon request by the Commission, a

PIC or PIP shall make available additional information and supporting documents pertaining
to its automated decision-making operation, including:

1. consent forms or manner of obtaining consent;

2. retention period for the data collected and processed;
3. methods and logic utilized for automated processing; and
4. possible decisions relating to the data subject based on the processed data,
particularly if they would significantly affect his or her rights and freedoms.

127
 RULE VII.
SANCTIONS AND PENALTIES

SECTION 27. Revocation of Certificate of Registration. The Commission may revoke the
registration of a PIC or PIP on any of the following grounds:

A. failure to comply with any of the provisions of the DPA, its IRR, or any relevant
issuances of the Commission;

B. failure to comply with any order, conditions, or restrictions imposed by the

Commission;

C. loss of authority to operate or conduct business, due to the revocation of its license,
permit, franchise, or any other similar requirement provided by law;

D. cessation of operations or of personal data processing;

E. lack of capacity to process personal data in accordance with the DPA; or

F. issuance by the Commission of a temporary or permanent ban on data processing

against the PIC or PIP: Provided, that in the case of a temporary ban, such prohibition
is still in effect at the time of filing of the application for renewal of registration:

Provided, that, prior to revocation, the Commission shall give the PIC or PIP an opportunity to
explain why its certificate of registration should not be revoked.

SECTION 28. Notice of Revocation. Where the registration of a PIC or PIP is revoked, the
Commission shall issue a Notice of Revocation of Registration, which shall be served upon
the PIC or PIP.

SECTION 29. Penalties and Fines. A PIC or PIP whose certificate of registration has been
revoked or that is determined to have violated the registration requirements provided in this
Circular may, upon notice and hearing, be subject to compliance and enforcement orders,
cease and desist orders, temporary or permanent bans on the processing of personal data, or
payment of fines in accordance with a schedule to be issued by the Commission. For this
purpose, the registration requirements shall pertain to the provisions on mandatory
registration, amendments and updates, and renewal of registration.

128
Under the voluntary registration system, failure to comply by a PIC or PIP with the
requirements on amendments and renewal, shall render its certificate of registration void.

SECTION 30. Cease and Desist Order. When the Commission, upon notice and hearing, has
determined that a PIC or PIP failed to disclose its automated decision-making operation
through the appropriate notification processes set out in this Circular, it shall cause the service
upon the PIC or PIP a Cease and Desist Order on the processing of personal data: Provided,
that this is without prejudice to any other administrative, civil, or criminal penalties that the
PIC or PIP may incur under the DPA and other applicable laws.

RULE VII.
MISCELLANEOUS PROVISIONS

SECTION 31. Transitory Period. Notwithstanding the deadline for registration provided in
the IRR, all PICs and PIPs covered by this Circular shall complete Phase I of the registration
process by 9 September 2017. Phase II of the registration may be completed until 8 March 2018.

SECTION 32. Repealing Clause. All other issuances contrary to or inconsistent with the
provisions of this Circular are deemed repealed or modified accordingly.

SECTION 33. Separability Clause. If any portion or provision of this Circular is declared null
and void or unconstitutional, the other provisions not affected thereby shall continue to be in
force and effect.

SECTION 34. Effectivity. This Circular shall take effect fifteen (15) days after its publication
in the Official Gazette or two (2) newspapers of general circulation.

Approved

RAYMUND E. LIBORO
Privacy Commissioner

IVY D. PATDU DAMIAN DOMINGO O. MAPA

Deputy Privacy Commissioner Deputy Privacy Commissioner

129
Appendix 1. Initial determination of the National Privacy Commission on sectors or
institutions requiring Registration of Data Processing Systems

The following sectors or institutions are considered PICs or PIPs involved in the processing
of personal data that is likely to pose a risk to the rights and freedoms of data subjects, and/or
where the processing is not occasional:

1. Government Agencies
2. Banking Sector and other BSP Supervised Financial Institutions
3. Business Process Outsourcing Sector
4. Education Sector
5. Insurance Sector
6. Telecommunication companies
7. Hospitals, Multispecialty clinics and Diagnostic Centers
8. PIC or PIP with Data Processing Systems involving automated decision-making

This list may be updated or modified by subsequent issuances of the Commission.

The PIC or PIP should register if it is included in the list, if it employs at least 250 persons, or
if it is processing at least 1,000 records involving sensitive personal information.

130
131
Annexes

132
DPAs Implementing Rules and Regulations

Implementing Rules and Regulations

of Republic Act No. 10173

Pursuant to the mandate of the National Privacy Commission to administer and implement
the provisions of the Data Privacy Act of 2012, and to monitor and ensure compliance of the
country with international standards set for data protection, the following rules and
regulations are hereby promulgated to effectively implement the provisions of the Act:

Rule I. Preliminary Provisions

Section 1. Title. These rules and regulations shall be known as the Implementing Rules and
Regulations of the Data Privacy Act of 2012, or the Rules.
Section 2. Policy. These Rules further enforce the Data Privacy Act and adopt generally
accepted international principles and standards for personal data protection. They safeguard
the fundamental human right of every individual to privacy while ensuring free flow of
information for innovation, growth, and national development. These Rules also recognize
the vital role of information and communications technology in nation-building and enforce
the States inherent obligation to ensure that personal data in information and
communications systems in the government and in the private sector are secured and
protected.
Section 3. Definitions. Whenever used in these Rules, the following terms shall have the
respective meanings hereafter set forth:
a. Act refers to Republic Act No. 10173, also known as the Data Privacy Act of 2012;

b. Commission refers to the National Privacy Commission;

c. Consent of the data subject refers to any freely given, specific, informed indication
of will, whereby the data subject agrees to the collection and processing of his or her
personal, sensitive personal, or privileged information. Consent shall be evidenced
by written, electronic or recorded means. It may also be given on behalf of a data
subject by a lawful representative or an agent specifically authorized by the data
subject to do so;

d. Data subject refers to an individual whose personal, sensitive personal, or

privileged information is processed;

e. Data processing systems refers to the structure and procedure by which personal
data is collected and further processed in an information and communications

133
 system or relevant filing system, including the purpose and intended output of the
processing;

f. Data sharing is the disclosure or transfer to a third party of personal data under
the custody of a personal information controller or personal information processor.
In the case of the latter, such disclosure or transfer must have been upon the
instructions of the personal information controller concerned. The term excludes
outsourcing, or the disclosure or transfer of personal data by a personal information
controller to a personal information processor;

g. Direct marketing refers to communication by whatever means of any advertising

or marketing material which is directed to particular individuals;

h. Filing system refers to any set of information relating to natural or juridical

persons to the extent that, although the information is not processed by equipment
operating automatically in response to instructions given for that purpose, the set is
structured, either by reference to individuals or by reference to criteria relating to
individuals, in such a way that specific information relating to a particular
individual is readily accessible;

i. Information and communications system refers to a system for generating,

sending, receiving, storing, or otherwise processing electronic data messages or
electronic documents, and includes the computer system or other similar device by
which data is recorded, transmitted, or stored, and any procedure related to the
recording, transmission, or storage of electronic data, electronic message, or
electronic document;

j. Personal data refers to all types of personal information;

k. Personal data breach refers to a breach of security leading to the accidental or

unlawful destruction, loss, alteration, unauthorized disclosure of, or access to,
personal data transmitted, stored, or otherwise processed;

l. Personal information refers to any information, whether recorded in a material

form or not, from which the identity of an individual is apparent or can be
reasonably and directly ascertained by the entity holding the information, or when
put together with other information would directly and certainly identify an
individual;

m. Personal information controller refers to a natural or juridical person, or any other

body who controls the processing of personal data, or instructs another to process
personal data on its behalf. The term excludes:

1. A natural or juridical person, or any other body, who performs such functions
as instructed by another person or organization; or
2. A natural person who processes personal data in connection with his or her
personal, family, or household affairs;

134
 There is control if the natural or juridical person or any other body decides on what
information is collected, or the purpose or extent of its processing;

n. Personal information processor refers to any natural or juridical person or any

other body to whom a personal information controller may outsource or instruct the
processing of personal data pertaining to a data subject;

o. Processing refers to any operation or any set of operations performed upon

personal data including, but not limited to, the collection, recording, organization,
storage, updating or modification, retrieval, consultation, use, consolidation,
blocking, erasure or destruction of data. Processing may be performed through
automated means, or manual processing, if the personal data are contained or are
intended to be contained in a filing system;

p. Profiling refers to any form of automated processing of personal data consisting

of the use of personal data to evaluate certain personal aspects relating to a natural
person, in particular to analyze or predict aspects concerning that natural person's
performance at work, economic situation, health, personal preferences, interests,
reliability, behavior, location or movements;

q. Privileged information refers to any and all forms of data, which, under the Rules
of Court and other pertinent laws constitute privileged communication;

r. Public authority refers to any government entity created by the Constitution or

law, and vested with law enforcement or regulatory authority and functions;

s. Security incident is an event or occurrence that affects or tends to affect data

protection, or may compromise the availability, integrity and confidentiality of
personal data. It includes incidents that would result to a personal data breach, if not
for safeguards that have been put in place;

t. Sensitive personal information refers to personal information:

1. About an individuals race, ethnic origin, marital status, age, color, and
religious, philosophical or political affiliations;
2. About an individuals health, education, genetic or sexual life of a person, or
to any proceeding for any offense committed or alleged to have been
committed by such individual, the disposal of such proceedings, or the
sentence of any court in such proceedings;
3. Issued by government agencies peculiar to an individual which includes, but
is not limited to, social security numbers, previous or current health records,
licenses or its denials, suspension or revocation, and tax returns; and
4. Specifically established by an executive order or an act of Congress to be kept
classified.

135
 Rule II. Scope of Application

Section 4. Scope. The Act and these Rules apply to the processing of personal data by any
natural and juridical person in the government or private sector. They apply to an act done or
practice engaged in and outside of the Philippines if:

a. The natural or juridical person involved in the processing of personal data is found
or established in the Philippines;

b. The act, practice or processing relates to personal data about a Philippine citizen or
Philippine resident;

c. The processing of personal data is being done in the Philippines; or

d. The act, practice or processing of personal data is done or engaged in by an entity

with links to the Philippines, with due consideration to international law and comity,
such as, but not limited to, the following:

1. Use of equipment located in the country, or maintains an office, branch or

agency in the Philippines for processing of personal data;
2. A contract is entered in the Philippines;
3. A juridical entity unincorporated in the Philippines but has central
management and control in the country;
4. An entity that has a branch, agency, office or subsidiary in the Philippines and
the parent or affiliate of the Philippine entity has access to personal data;
5. An entity that carries on business in the Philippines;
6. An entity that collects or holds personal data in the Philippines.

Section 5. Special Cases. The Act and these Rules shall not apply to the following specified
information, only to the minimum extent of collection, access, use, disclosure or other
processing necessary to the purpose, function, or activity concerned:

a. Information processed for purpose of allowing public access to information that fall
within matters of public concern, pertaining to:

1. Information about any individual who is or was an officer or employee of

government that relates to his or her position or functions, including:
(a) The fact that the individual is or was an officer or employee of the
government;
(b) The title, office address, and office telephone number of the individual;
(c) The classification, salary range, and responsibilities of the position held
by the individual; and
(d) The name of the individual on a document he or she prepared in the
course of his or her employment with the government;

136
 2. Information about an individual who is or was performing a service under
contract for a government institution, but only in so far as it relates to such
service, including the name of the individual and the terms of his or her
contract;

3. Information relating to a benefit of a financial nature conferred on an

individual upon the discretion of the government, such as the granting of a
license or permit, including the name of the individual and the exact nature of
the benefit: Provided, that they do not include benefits given in the course of an
ordinary transaction or as a matter of right;

b. Personal information processed for journalistic, artistic or literary purpose, in order

to uphold freedom of speech, of expression, or of the press, subject to requirements
of other applicable law or regulations;

c. Personal information that will be processed for research purpose, intended for a
public benefit, subject to the requirements of applicable laws, regulations, or ethical
standards;

d. Information necessary in order to carry out the functions of public authority, in

accordance with a constitutionally or statutorily mandated function pertaining to
law enforcement or regulatory function, including the performance of the functions
of the independent, central monetary authority, subject to restrictions provided by
law. Nothing in this Act shall be construed as having amended or repealed Republic
Act No. 1405, otherwise known as the Secrecy of Bank Deposits Act; Republic Act
No. 6426, otherwise known as the Foreign Currency Deposit Act; and Republic Act
No. 9510, otherwise known as the Credit Information System Act (CISA);

e. Information necessary for banks, other financial institutions under the jurisdiction
of the independent, central monetary authority or Bangko Sentral ng Pilipinas, and
other bodies authorized by law, to the extent necessary to comply with Republic Act
No. 9510 (CISA), Republic Act No. 9160, as amended, otherwise known as the Anti-
Money Laundering Act, and other applicable laws;

f. Personal information originally collected from residents of foreign jurisdictions in

accordance with the laws of those foreign jurisdictions, including any applicable
data privacy laws, which is being processed in the Philippines. The burden of
proving the law of the foreign jurisdiction falls on the person or body seeking
exemption. In the absence of proof, the applicable law shall be presumed to be the
Act and these Rules:

Provided, that the non-applicability of the Act or these Rules do not extend to personal
information controllers or personal information processors, who remain subject to the
requirements of implementing security measures for personal data protection: Provided
further, that the processing of the information provided in the preceding paragraphs shall be
exempted from the requirements of the Act only to the minimum extent necessary to achieve
the specific purpose, function, or activity.

137
Section 6. Protection afforded to Data Subjects.

a. Unless directly incompatible or inconsistent with the preceding sections in relation

to the purpose, function, or activities the non-applicability concerns, the personal
information controller or personal information processor shall uphold the rights of
data subjects, and adhere to general data privacy principles and the requirements of
lawful processing.

b. The burden of proving that the Act and these Rules are not applicable to a particular
information falls on those involved in the processing of personal data or the party
claiming the non-applicability.

c. In all cases, the determination of any exemption shall be liberally interpreted in favor
of the rights and interests of the data subject.

Section 7. Protection Afforded to Journalists and their Sources.

a. Publishers, editors, or duly accredited reporters of any newspaper, magazine or

periodical of general circulation shall not be compelled to reveal the source of any
news report or information appearing in said publication if it was related in any
confidence to such publisher, editor, or reporter.

b. Publishers, editors, or duly accredited reporters who are likewise personal information
controllers or personal information processors within the meaning of the law are still
bound to follow the Data Privacy Act and related issuances with regard to the
processing of personal data, upholding rights of their data subjects and maintaining
compliance with other provisions that are not incompatible with the protection
provided by Republic Act No. 53.

Rule III. National Privacy Commission

Section 8. Mandate. The National Privacy Commission is an independent body mandated to

administer and implement the Act, and to monitor and ensure compliance of the country with
international standards set for personal data protection.
Section 9. Functions. The National Privacy Commission shall have the following functions:

a. Rule Making. The Commission shall develop, promulgate, review or amend rules
and regulations for the effective implementation of the Act. This includes:

1. Recommending organizational, physical and technical security measures for

personal data protection, encryption, and access to sensitive personal
information maintained by government agencies, considering the most
appropriate standard recognized by the information and communications
technology industry, as may be necessary;

138
 2. Specifying electronic format and technical standards, modalities and
procedures for data portability, as may be necessary;

3. Issuing guidelines for organizational, physical, and technical security

measures for personal data protection, taking into account the nature of the
personal data to be protected, the risks presented by the processing, the size of
the organization and complexity of its operations, current data privacy best
practices, cost of security implementation, and the most appropriate standard
recognized by the information and communications technology industry, as
may be necessary;

4. Consulting with relevant regulatory agencies in the formulation, review,

amendment, and administration of privacy codes, applying the standards set
out in the Act, with respect to the persons, entities, business activities, and
business sectors that said regulatory bodies are authorized to principally
regulate pursuant to law;

5. Proposing legislation, amendments or modifications to Philippine laws on

privacy or data protection, as may be necessary;

6. Ensuring proper and effective coordination with data privacy regulators in

other countries and private accountability agents;

7. Participating in international and regional initiatives for data privacy

protection.

b. Advisory. The Commission shall be the advisory body on matters affecting

protection of personal data. This includes:

1. Commenting on the implication on data privacy of proposed national or local

statutes, regulations or procedures, issuing advisory opinions, and
interpreting the provisions of the Act and other data privacy laws;

2. Reviewing, approving, rejecting, or requiring modification of privacy codes

voluntarily adhered to by personal information controllers, which may include
private dispute resolution mechanisms for complaints against any
participating personal information controller, and which adhere to the
underlying data privacy principles embodied in the Act and these Rules;

3. Providing assistance on matters relating to privacy or data protection at the

request of a national or local agency, a private entity or any person, including
the enforcement of rights of data subjects;

4. Assisting Philippine companies doing business abroad to respond to data

protection laws and regulations.

c. Public Education. The Commission shall undertake necessary or appropriate efforts

to inform and educate the public of data privacy, data protection, and fair
information rights and responsibilities. This includes:

139
 1. Publishing, on a regular basis, a guide to all laws relating to data protection;

2. Publishing a compilation of agency system of records and notices, including

index and other finding aids;

3. Coordinating with other government agencies and the private sector on efforts
to formulate and implement plans and policies to strengthen the protection of
personal data in the country;

d. Compliance and Monitoring. The Commission shall perform compliance and

monitoring functions to ensure effective implementation of the Act, these Rules, and
other issuances. This includes:

1. Ensuring compliance by personal information controllers with the provisions

of the Act;

2. Monitoring the compliance of all government agencies or instrumentalities as

regards their security and technical measures, and recommending the
necessary action in order to meet minimum standards for protection of
personal data pursuant to the Act;

3. Negotiating and contracting with other data privacy authorities of other

countries for cross-border application and implementation of respective
privacy laws;

4. Generally performing such acts as may be necessary to facilitate cross-border

enforcement of data privacy protection;

5. Managing the registration of personal data processing systems in the country,

including the personal data processing system of contractors and their
employees entering into contracts with government agencies that involves
accessing or requiring sensitive personal information of at least one thousand
(1,000) individuals.

e. Complaints and Investigations. The Commission shall adjudicate on complaints and

investigations on matters affecting personal data: Provided, that In resolving any
complaint or investigation, except where amicable settlement is reached by the
parties, the Commission shall act as a collegial body. This includes:

1. Receiving complaints and instituting investigations regarding violations of the

Act, these Rules, and other issuances of the Commission, including violations
of the rights of data subjects and other matters affecting personal data;

2. Summoning witnesses, and requiring the production of evidence by a

subpoena duces tecum for the purpose of collecting the information necessary
to perform its functions under the Act: Provided, that the Commission may be
given access to personal data that is subject of any complaint;

140
 3. Facilitating or enabling settlement of complaints through the use of alternative
dispute resolution processes, and adjudicating on matters affecting any
personal data;

4. Preparing reports on the disposition of complaints and the resolution of any

investigation it initiates, and, in cases it deems appropriate, publicizing such
reports;

f. Enforcement. The Commission shall perform all acts as may be necessary to

effectively implement the Act, these Rules, and its other issuances, and to enforce its
Orders, Resolutions or Decisions, including the imposition of administrative
sanctions, fines, or penalties. This includes:

1. Issuing compliance or enforcement orders;

2. Awarding indemnity on matters affecting any personal data, or rights of data

subjects;

3. Issuing cease and desist orders, or imposing a temporary or permanent ban on

the processing of personal data, upon finding that the processing will be
detrimental to national security or public interest, or if it is necessary to
preserve and protect the rights of data subjects;

4. Recommending to the Department of Justice (DOJ) the prosecution of crimes

and imposition of penalties specified in the Act;

5. Compelling or petitioning any entity, government agency, or instrumentality,

to abide by its orders or take action on a matter affecting data privacy;

6. Imposing administrative fines for violations of the Act, these Rules, and other
issuances of the Commission.

g. Other functions. The Commission shall exercise such other functions as may be
necessary to fulfill its mandate under the Act.

Section 10. Administrative Issuances. The Commission shall publish or issue official
directives and administrative issuances, orders, and circulars, which include:

a. Rules of procedure in the exercise of its quasi-judicial functions, subject to the

suppletory application of the Rules of Court;

b. Schedule of administrative fines and penalties for violations of the Act, these Rules,
and issuances or Orders of the Commission, including the applicable fees for its
administrative services and filing fees;

c. Procedure for registration of data processing systems, and notification;

141
 d. Other administrative issuances consistent with its mandate and other functions.

Section 11. Reports and Information. The Commission shall report annually to the President
and Congress regarding its activities in carrying out the provisions of the Act, these Rules,
and its other issuances. It shall undertake all efforts it deems necessary or appropriate to
inform and educate the public of data privacy, data protection, and fair information rights
and responsibilities.

Section 12. Confidentiality of Personal Data. Members, employees, and consultants of the
Commission shall ensure at all times the confidentiality of any personal data that come to their
knowledge and possession: Provided, that such duty of confidentiality shall remain even after
their term, employment, or contract has ended.

Section 13. Organizational Structure. The Commission is attached to the Department of

Information and Communications Technology for policy and program coordination in
accordance with Section 38(3) of Executive Order No. 292, series of 1987, also known as the
Administrative Code of 1987. The Commission shall remain completely independent in the
performance of its functions.

The Commission shall be headed by a Privacy Commissioner, who shall act as Chairman of
the Commission. The Privacy Commissioner must be at least thirty-five (35) years of age and
of good moral character, unquestionable integrity and known probity, and a recognized
expert in the field of information technology and data privacy. The Privacy Commissioner
shall enjoy the benefits, privileges, and emoluments equivalent to the rank of Secretary.

The Privacy Commissioner shall be assisted by two (2) Deputy Privacy Commissioners. One
shall be responsible for Data Processing Systems, while the other shall be responsible for
Policies and Planning. The Deputy Privacy Commissioners must be recognized experts in the
field of information and communications technology and data privacy. They shall enjoy the
benefits, privileges, and emoluments equivalent to the rank of Undersecretary.

Section 14. Secretariat. The Commission is authorized to establish a Secretariat, which shall
assist in the performance of its functions. The Secretariat shall be headed by an Executive
Director and shall be organized according to the following offices:

142
 a. Data Security and Compliance Office;
b. Legal and Enforcement Office;
c. Finance and Administrative Office;
d. Privacy Policy Office;
e. Public Information and Assistance Office.

Majority of the members of the Secretariat, in so far as practicable, must have served for at
least five (5) years in any agency of the government that is involved in the processing of
personal data including, but not limited to, the following offices: Social Security System (SSS),
Government Service Insurance System (GSIS), Land Transportation Office (LTO), Bureau of
Internal Revenue (BIR), Philippine Health Insurance Corporation (PhilHealth), Commission
on Elections (COMELEC), Department of Foreign Affairs (DFA), Department of Justice (DOJ),
and Philippine Postal Corporation (Philpost).

The organizational structure shall be subject to review and modification by the Commission,
including the creation of new divisions and units it may deem necessary, and shall appoint
officers and employees of the Commission in accordance with civil service law, rules, and
regulations.

Section 15. Effect of Lawful Performance of Duty. The Privacy Commissioner, the Deputy
Commissioners, or any person acting on their behalf or under their direction, shall not be
civilly liable for acts done in good faith in the performance of their duties: Provided, that they
shall be liable for willful or negligent acts, which are contrary to law, morals, public policy,
and good customs, even if they acted under orders or instructions of superiors: Provided
further, that in case a lawsuit is filed against them in relation to the performance of their duties,
where such performance is lawful, he or she shall be reimbursed by the Commission for
reasonable costs of litigation.

Section 16. Magna Carta for Science and Technology Personnel. Qualified employees of the
Commission shall be covered by Republic Act No. 8349, which provides a magna carta for
scientists, engineers, researchers, and other science and technology personnel in the
government.

Rule IV. Data Privacy Principles

Section 17. General Data Privacy Principles. The processing of personal data shall be
allowed, subject to compliance with the requirements of the Act and other laws allowing
disclosure of information to the public, and adherence to the principles of transparency,
legitimate purpose, and proportionality.

143
Section 18. Principles of Transparency, Legitimate Purpose and Proportionality. The
processing of personal data shall be allowed subject to adherence to the principles of
transparency, legitimate purpose, and proportionality.

a. Transparency. The data subject must be aware of the nature, purpose, and extent of
the processing of his or her personal data, including the risks and safeguards
involved, the identity of personal information controller, his or her rights as a data
subject, and how these can be exercised. Any information and communication
relating to the processing of personal data should be easy to access and understand,
using clear and plain language.

b. Legitimate purpose. The processing of information shall be compatible with a

declared and specified purpose which must not be contrary to law, morals, or public
policy.

c. Proportionality. The processing of information shall be adequate, relevant, suitable,

necessary, and not excessive in relation to a declared and specified purpose. Personal
data shall be processed only if the purpose of the processing could not reasonably
be fulfilled by other means.

Section 19. General principles in collection, processing and retention. The processing of
personal data shall adhere to the following general principles in the collection, processing,
and retention of personal data:

a. Collection must be for a declared, specified, and legitimate purpose.

1. Consent is required prior to the collection and processing of personal data,

subject to exemptions provided by the Act and other applicable laws and
regulations. When consent is required, it must be time-bound in relation to the
declared, specified and legitimate purpose. Consent given may be withdrawn.

2. The data subject must be provided specific information regarding the purpose
and extent of processing, including, where applicable, the automated
processing of his or her personal data for profiling, or processing for direct
marketing, and data sharing.

3. Purpose should be determined and declared before, or as soon as reasonably

practicable, after collection.

4. Only personal data that is necessary and compatible with declared, specified,
and legitimate purpose shall be collected.

144
b. Personal data shall be processed fairly and lawfully.

1. Processing shall uphold the rights of the data subject, including the right to
refuse, withdraw consent, or object. It shall likewise be transparent, and allow
the data subject sufficient information to know the nature and extent of
processing.

2. Information provided to a data subject must always be in clear and plain

language to ensure that they are easy to understand and access.

3. Processing must be in a manner compatible with declared, specified, and

legitimate purpose.

4. Processed personal data should be adequate, relevant, and limited to what is

necessary in relation to the purposes for which they are processed.

5. Processing shall be undertaken in a manner that ensures appropriate privacy

and security safeguards.

c. Processing should ensure data quality.

1. Personal data should be accurate and where necessary for declared, specified
and legitimate purpose, kept up to date.

2. Inaccurate or incomplete data must be rectified, supplemented, destroyed or

their further processing restricted.

d. Personal Data shall not be retained longer than necessary.

1. Retention of personal data shall only for as long as necessary:

(a) for the fulfillment of the declared, specified, and legitimate purpose, or
when the processing relevant to the purpose has been terminated;
(b) for the establishment, exercise or defense of legal claims; or
(c) for legitimate business purposes, which must be consistent with
standards followed by the applicable industry or approved by
appropriate government agency.

2. Retention of personal data shall be allowed in cases provided by law.

3. Personal data shall be disposed or discarded in a secure manner that would

prevent further processing, unauthorized access, or disclosure to any other
party or the public, or prejudice the interests of the data subjects.

e. Any authorized further processing shall have adequate safeguards.

1. Personal data originally collected for a declared, specified, or legitimate

purpose may be processed further for historical, statistical, or scientific
purposes, and, in cases laid down in law, may be stored for longer periods,
subject to implementation of the appropriate organizational, physical, and

145
 technical security measures required by the Act in order to safeguard the rights
and freedoms of the data subject.

2. Personal data which is aggregated or kept in a form which does not permit
identification of data subjects may be kept longer than necessary for the
declared, specified, and legitimate purpose.

3. Personal data shall not be retained in perpetuity in contemplation of a possible

future use yet to be determined.

Section 20. General Principles for Data Sharing. Further Processing of Personal Data collected
from a party other than the Data Subject shall be allowed under any of the following
conditions:

a. Data sharing shall be allowed when it is expressly authorized by law: Provided, that
there are adequate safeguards for data privacy and security, and processing adheres
to principle of transparency, legitimate purpose and proportionality.

b. Data Sharing shall be allowed in the private sector if the data subject consents to data
sharing, and the following conditions are complied with:

1. Consent for data sharing shall be required even when the data is to be shared
with an affiliate or mother company, or similar relationships;

2. Data sharing for commercial purposes, including direct marketing, shall be

covered by a data sharing agreement.

(a) The data sharing agreement shall establish adequate safeguards for data
privacy and security, and uphold rights of data subjects.
(b) The data sharing agreement shall be subject to review by the
Commission, on its own initiative or upon complaint of data subject;

3. The data subject shall be provided with the following information prior to
collection or before data is shared:

(a) Identity of the personal information controllers or personal information

processors that will be given access to the personal data;
(b) Purpose of data sharing;
(c) Categories of personal data concerned;
(d) Intended recipients or categories of recipients of the personal data;
(e) Existence of the rights of data subjects, including the right to access and
correction, and the right to object;
(f) Other information that would sufficiently notify the data subject of the
nature and extent of data sharing and the manner of processing.

4. Further processing of shared data shall adhere to the data privacy principles
laid down in the Act, these Rules, and other issuances of the Commission.

146
 c. Data collected from parties other than the data subject for purpose of research shall
be allowed when the personal data is publicly available, or has the consent of the
data subject for purpose of research: Provided, that adequate safeguards are in place,
and no decision directly affecting the data subject shall be made on the basis of the
data collected or processed. The rights of the data subject shall be upheld without
compromising research integrity.

d. Data sharing between government agencies for the purpose of a public function or
provision of a public service shall be covered a data sharing agreement.

1. Any or all government agencies party to the agreement shall comply with the
Act, these Rules, and all other issuances of the Commission, including putting
in place adequate safeguards for data privacy and security.

2. The data sharing agreement shall be subject to review of the Commission, on

its own initiative or upon complaint of data subject.

Rule V. Lawful Processing of Personal Data

Section 21. Criteria for Lawful Processing of Personal Information. Processing of personal
information is allowed, unless prohibited by law. For processing to be lawful, any of the
following conditions must be complied with:

a. The data subject must have given his or her consent prior to the collection, or as soon
as practicable and reasonable;

b. The processing involves the personal information of a data subject who is a party to
a contractual agreement, in order to fulfill obligations under the contract or to take
steps at the request of the data subject prior to entering the said agreement;

c. The processing is necessary for compliance with a legal obligation to which the
personal information controller is subject;

d. The processing is necessary to protect vitally important interests of the data subject,
including his or her life and health;

e. The processing of personal information is necessary to respond to national

emergency or to comply with the requirements of public order and safety, as
prescribed by law;

f. The processing of personal information is necessary for the fulfillment of the

constitutional or statutory mandate of a public authority; or

g. The processing is necessary to pursue the legitimate interests of the personal

information controller, or by a third party or parties to whom the data is disclosed,

147
 except where such interests are overridden by fundamental rights and freedoms of
the data subject, which require protection under the Philippine Constitution.

Section 22. Sensitive Personal Information and Privileged Information. The processing of
sensitive personal and privileged information is prohibited, except in any of the following
cases:

a. Consent is given by data subject, or by the parties to the exchange of privileged

information, prior to the processing of the sensitive personal information or
privileged information, which shall be undertaken pursuant to a declared, specified,
and legitimate purpose;

b. The processing of the sensitive personal information or privileged information is

provided for by existing laws and regulations: Provided, that said laws and
regulations do not require the consent of the data subject for the processing, and
guarantee the protection of personal data;

c. The processing is necessary to protect the life and health of the data subject or
another person, and the data subject is not legally or physically able to express his
or her consent prior to the processing;

d. The processing is necessary to achieve the lawful and noncommercial objectives of

public organizations and their associations provided that:

1. Processing is confined and related to the bona fide members of these

organizations or their associations;

2. The sensitive personal information are not transferred to third parties; and

3. Consent of the data subject was obtained prior to processing;

e. The processing is necessary for the purpose of medical treatment: Provided, that it is
carried out by a medical practitioner or a medical treatment institution, and an
adequate level of protection of personal data is ensured; or

f. The processing concerns sensitive personal information or privileged information

necessary for the protection of lawful rights and interests of natural or legal persons
in court proceedings, or the establishment, exercise, or defense of legal claims, or
when provided to government or public authority pursuant to a constitutional or
statutory mandate.

Section 23. Extension of Privileged Communication. Personal information controllers may

invoke the principle of privileged communication over privileged information that they
lawfully control or process. Subject to existing laws and regulations, any evidence gathered
from privileged information is inadmissible.

148
When the Commission inquires upon communication claimed to be privileged, the personal
information controller concerned shall prove the nature of the communication in an executive
session. Should the communication be determined as privileged, it shall be excluded from
evidence, and the contents thereof shall not form part of the records of the case: Provided, that
where the privileged communication itself is the subject of a breach, or a privacy concern or
investigation, it may be disclosed to the Commission but only to the extent necessary for the
purpose of investigation, without including the contents thereof in the records.

Section 24. Surveillance of Suspects and Interception of Recording of Communications.

Section 7 of Republic Act No. 9372, otherwise known as the "Human Security Act of 2007, is
hereby amended to include the condition that the processing of personal data for the purpose
of surveillance, interception, or recording of communications shall comply with the Data
Privacy Act, including adherence to the principles of transparency, proportionality, and
legitimate purpose.

Rule VI. Security Measures for the Protection of Personal Data

Section 25. Data Privacy and Security. Personal information controllers and personal
information processors shall implement reasonable and appropriate organizational, physical,
and technical security measures for the protection of personal data.

The personal information controller and personal information processor shall take steps to
ensure that any natural person acting under their authority and who has access to personal
data, does not process them except upon their instructions, or as required by law.

The security measures shall aim to maintain the availability, integrity, and confidentiality of
personal data and are intended for the protection of personal data against any accidental or
unlawful destruction, alteration, and disclosure, as well as against any other unlawful
processing. These measures shall be implemented to protect personal data against natural
dangers such as accidental loss or destruction, and human dangers such as unlawful access,
fraudulent misuse, unlawful destruction, alteration and contamination.

Section 26. Organizational Security Measures. Where appropriate, personal information

controllers and personal information processors shall comply with the following guidelines
for organizational security:

a. Compliance Officers. Any natural or juridical person or other body involved in the
processing of personal data shall designate an individual or individuals who shall
function as data protection officer, compliance officer or otherwise be accountable

149
 for ensuring compliance with applicable laws and regulations for the protection of
data privacy and security.

b. Data Protection Policies. Any natural or juridical person or other body involved in
the processing of personal data shall implement appropriate data protection policies
that provide for organization, physical, and technical security measures, and, for
such purpose, take into account the nature, scope, context and purposes of the
processing, as well as the risks posed to the rights and freedoms of data subjects.

1. The policies shall implement data protection principles both at the time of the
determination of the means for processing and at the time of the processing
itself.

2. The policies shall implement appropriate security measures that, by default,

ensure only personal data which is necessary for the specified purpose of the
processing are processed. They shall determine the amount of personal data
collected, including the extent of processing involved, the period of their
storage, and their accessibility.

3. The polices shall provide for documentation, regular review, evaluation, and
updating of the privacy and security policies and practices.

c. Records of Processing Activities. Any natural or juridical person or other body

involved in the processing of personal data shall maintain records that sufficiently
describe its data processing system, and identify the duties and responsibilities of
those individuals who will have access to personal data. Records should include:

1. Information about the purpose of the processing of personal data, including

any intended future processing or data sharing;

2. A description of all categories of data subjects, personal data, and recipients of

such personal data that will be involved in the processing;

3. General information about the data flow within the organization, from the time
of collection, processing, and retention, including the time limits for disposal
or erasure of personal data;

4. A general description of the organizational, physical, and technical security

measures in place;

5. The name and contact details of the personal information controller and, where
applicable, the joint controller, the its representative, and the compliance
officer or Data Protection Officer, or any other individual or individuals
accountable for ensuring compliance with the applicable laws and regulations
for the protection of data privacy and security.

d. Management of Human Resources. Any natural or juridical person or other entity

involved in the processing of personal data shall be responsible for selecting and
supervising its employees, agents, or representatives, particularly those who will
have access to personal data.

150
 The said employees, agents, or representatives shall operate and hold personal data
under strict confidentiality if the personal data are not intended for public
disclosure. This obligation shall continue even after leaving the public service,
transferring to another position, or upon terminating their employment or
contractual relations. There shall be capacity building, orientation or training
programs for such employees, agents or representatives, regarding privacy or
security policies.

e. Processing of Personal Data. Any natural or juridical person or other body involved
in the processing of personal data shall develop, implement and review:

1. A procedure for the collection of personal data, including procedures for

obtaining consent, when applicable;

2. Procedures that limit the processing of data, to ensure that it is only to the
extent necessary for the declared, specified, and legitimate purpose;

3. Policies for access management, system monitoring, and protocols to follow

during security incidents or technical problems;

4. Policies and procedures for data subjects to exercise their rights under the Act;

5. Data retention schedule, including timeline or conditions for erasure or

disposal of records.

f. Contracts with Personal Information Processors. The personal information

controller, through appropriate contractual agreements, shall ensure that its
personal information processors, where applicable, shall also implement the security
measures required by the Act and these Rules. It shall only engage those personal
information processors that provide sufficient guarantees to implement appropriate
security measures specified in the Act and these Rules, and ensure the protection of
the rights of the data subject.

Section 27. Physical Security Measures. Where appropriate, personal information controllers
and personal information processors shall comply with the following guidelines for physical
security:

a. Policies and procedures shall be implemented to monitor and limit access to and
activities in the room, workstation or facility, including guidelines that specify the
proper use of and access to electronic media;

b. Design of office space and work stations, including the physical arrangement of
furniture and equipment, shall provide privacy to anyone processing personal data,
taking into consideration the environment and accessibility to the public;

c. The duties, responsibilities and schedule of individuals involved in the processing of

personal data shall be clearly defined to ensure that only the individuals actually
performing official duties shall be in the room or work station, at any given time;

151
 d. Any natural or juridical person or other body involved in the processing of personal
data shall implement Policies and procedures regarding the transfer, removal,
disposal, and re-use of electronic media, to ensure appropriate protection of personal
data;

e. Policies and procedures that prevent the mechanical destruction of files and
equipment shall be established. The room and workstation used in the processing of
personal data shall, as far as practicable, be secured against natural disasters, power
disturbances, external access, and other similar threats.

Section 28. Guidelines for Technical Security Measures. Where appropriate, personal
information controllers and personal information processors shall adopt and establish the
following technical security measures:

a. A security policy with respect to the processing of personal data;

b. Safeguards to protect their computer network against accidental, unlawful or

unauthorized usage, any interference which will affect data integrity or hinder the
functioning or availability of the system, and unauthorized access through an
electronic network;

c. The ability to ensure and maintain the confidentiality, integrity, availability, and
resilience of their processing systems and services;

d. Regular monitoring for security breaches, and a process both for identifying and
accessing reasonably foreseeable vulnerabilities in their computer networks, and for
taking preventive, corrective, and mitigating action against security incidents that
can lead to a personal data breach;

e. The ability to restore the availability and access to personal data in a timely manner
in the event of a physical or technical incident;

f. A process for regularly testing, assessing, and evaluating the effectiveness of security
measures;

g. Encryption of personal data during storage and while in transit, authentication

process, and other technical security measures that control and limit access.

Section 29. Appropriate Level of Security. The Commission shall monitor the compliance of
natural or juridical person or other body involved in the processing of personal data,
specifically their security measures, with the guidelines provided in these Rules and
subsequent issuances of the Commission. In determining the level of security appropriate for
a particular personal information controller or personal information processor, the
Commission shall take into account the nature of the personal data that requires protection,

152
the risks posed by the processing, the size of the organization and complexity of its operations,
current data privacy best practices, and the cost of security implementation. The security
measures provided herein shall be subject to regular review and evaluation, and may be
updated as necessary by the Commission in separate issuances, taking into account the most
appropriate standard recognized by the information and communications technology
industry and data privacy best practices.

Rule VII. Security of Sensitive Personal Information in Government

Section 30. Responsibility of Heads of Agencies. All sensitive personal information

maintained by the government, its agencies, and instrumentalities shall be secured, as far as
practicable, with the use of the most appropriate standard recognized by the information and
communications technology industry, subject to these Rules and other issuances of the
Commission. The head of each government agency or instrumentality shall be responsible for
complying with the security requirements mentioned herein. The Commission shall monitor
government agency compliance and may recommend the necessary action in order to satisfy
the minimum standards.

Section 31. Requirements Relating to Access by Agency Personnel to Sensitive Personal

Information.

a. On-site and Online Access.

1. No employee of the government shall have access to sensitive personal

information on government property or through online facilities unless he or
she the employee has received a security clearance from the head of the source
agency. The source agency is the government agency who originally collected
the personal data.

2. A source agency shall strictly regulate access to sensitive personal information

under its custody or control, particularly when it allows online access. An
employee of the government shall only be granted a security clearance when
the performance of his or her official functions or the provision of a public
service directly depends on and cannot otherwise be performed unless access
to the personal data is allowed.

3. Where allowed under the next preceding sections, online access to sensitive
personal information shall be subject to the following conditions:
(a) An information technology governance framework has been designed
and implemented;
(b) Sufficient organizational, physical and technical security measures have
been established;
(c) The agency is capable of protecting sensitive personal information in
accordance with data privacy practices and standards recognized by the
information and communication technology industry;

153
 (d) The employee of the government is only given online access to sensitive
personal information necessary for the performance of official functions
or the provision of a public service.

b. Off-site access.

1. Sensitive personal information maintained by an agency may not be

transported or accessed from a location off or outside of government property,
whether by its agent or employee, unless the head of agency has ensured the
implementation of privacy policies and appropriate security measures. A
request for such transportation or access shall be submitted to and approved
by the head of agency. The request must include proper accountability
mechanisms in the processing of data.

2. The head of agency shall approve requests for off-site access in accordance with
the following guidelines:
(a) Deadline for Approval or Disapproval. The head of agency shall approve
or disapprove the request within two (2) business days after the date of
submission of the request. Where no action is taken by the head of
agency, the request is considered disapproved;
(b) Limitation to One thousand (1,000) Records. Where a request is
approved, the head of agency shall limit the access to not more than one
thousand (1,000) records at a time, subject to the next succeeding
paragraph.
(c) Encryption. Any technology used to store, transport or access sensitive
personal information for purposes of off-site access approved under this
subsection shall be secured by the use of the most secure encryption
standard recognized by the Commission.

Section 32. Implementation of Security Requirements. Notwithstanding the effective date of

these Rules, the requirements in the preceding sections shall be implemented before any off-
site or online access request is approved. Any data sharing agreement between a source
agency and another government agency shall be subject to review of the Commission on its
own initiative or upon complaint of data subject.

Section 33. Applicability to Government Contractors. In entering into any contract with a
private service provider that may involve accessing or requiring sensitive personal
information from one thousand (1,000) or more individuals, a government agency shall
require such service provider and its employees to register their personal data processing
system with the Commission in accordance with the Act and these Rules. The service
provider, as personal information processor, shall comply with the other provisions of the Act
and these Rules, particularly the immediately preceding sections, similar to a government
agency and its employees.

154
 Rule VIII. Rights of Data Subjects

Section 34. Rights of the Data Subject. The data subject is entitled to the following rights:

a. Right to be informed.

1. The data subject has a right to be informed whether personal data pertaining
to him or her shall be, are being, or have been processed, including the
existence of automated decision-making and profiling.

2. The data subject shall be notified and furnished with information indicated
hereunder before the entry of his or her personal data into the processing
system of the personal information controller, or at the next practical
opportunity:

(a) Description of the personal data to be entered into the system;

(b) Purposes for which they are being or will be processed, including
processing for direct marketing, profiling or historical, statistical or
scientific purpose;
(c) Basis of processing, when processing is not based on the consent of the
data subject;
(d) Scope and method of the personal data processing;
(e) The recipients or classes of recipients to whom the personal data are or
may be disclosed;
(f) Methods utilized for automated access, if the same is allowed by the data
subject, and the extent to which such access is authorized, including
meaningful information about the logic involved, as well as the
significance and the envisaged consequences of such processing for the
data subject;
(g) The identity and contact details of the personal data controller or its
representative;
(h) The period for which the information will be stored; and
(i) The existence of their rights as data subjects, including the right to access,
correction, and object to the processing, as well as the right to lodge a
complaint before the Commission.

b. Right to object. The data subject shall have the right to object to the processing of his
or her personal data, including processing for direct marketing, automated
processing or profiling. The data subject shall also be notified and given an
opportunity to withhold consent to the processing in case of changes or any
amendment to the information supplied or declared to the data subject in the
preceding paragraph.

When a data subject objects or withholds consent, the personal information

controller shall no longer process the personal data, unless:

1. The personal data is needed pursuant to a subpoena;

155
 2. The collection and processing are for obvious purposes, including, when it is
necessary for the performance of or in relation to a contract or service to which
the data subject is a party, or when necessary or desirable in the context of an
employer-employee relationship between the collector and the data subject; or

3. The information is being collected and processed as a result of a legal

obligation.

c. Right to Access. The data subject has the right to reasonable access to, upon demand,
the following:

1. Contents of his or her personal data that were processed;

2. Sources from which personal data were obtained;

3. Names and addresses of recipients of the personal data;

4. Manner by which such data were processed;

5. Reasons for the disclosure of the personal data to recipients, if any;

6. Information on automated processes where the data will, or is likely to, be

made as the sole basis for any decision that significantly affects or will affect
the data subject;

7. Date when his or her personal data concerning the data subject were last
accessed and modified; and

8. The designation, name or identity, and address of the personal information

controller.

d. Right to rectification. The data subject has the right to dispute the inaccuracy or error
in the personal data and have the personal information controller correct it
immediately and accordingly, unless the request is vexatious or otherwise
unreasonable. If the personal data has been corrected, the personal information
controller shall ensure the accessibility of both the new and the retracted information
and the simultaneous receipt of the new and the retracted information by the
intended recipients thereof: Provided, That receipients or third parties who have
previously received such processed personal data shall be informed of its inaccuracy
and its rectification, upon reasonable request of the data subject.

e. Right to Erasure or Blocking. The data subject shall have the right to suspend,
withdraw or order the blocking, removal or destruction of his or her personal data
from the personal information controllers filing system.

1. This right may be exercised upon discovery and substantial proof of any of the
following:
(a) The personal data is incomplete, outdated, false, or unlawfully obtained;
(b) The personal data is being used for purpose not authorized by the data
subject;

156
 (c) The personal data is no longer necessary for the purposes for which they
were collected;
(d) The data subject withdraws consent or objects to the processing, and
there is no other legal ground or overriding legitimate interest for the
processing;
(e) The personal data concerns private information that is prejudicial to data
subject, unless justified by freedom of speech, of expression, or of the
press or otherwise authorized;
(f) The processing is unlawful;
(g) The personal information controller or personal information processor
violated the rights of the data subject.

2. The personal information controller may notify third parties who have
previously received such processed personal information.

f. Right to damages. The data subject shall be indemnified for any damages sustained
due to such inaccurate, incomplete, outdated, false, unlawfully obtained or
unauthorized use of personal data, taking into account any violation of his or her
rights and freedoms as data subject.

Section 35. Transmissibility of Rights of the Data Subject. The lawful heirs and assigns of the
data subject may invoke the rights of the data subject to which he or she is an heir or an
assignee, at any time after the death of the data subject, or when the data subject is
incapacitated or incapable of exercising the rights as enumerated in the immediately
preceding section.

Section 36. Right to Data Portability. Where his or her personal data is processed by
electronic means and in a structured and commonly used format, the data subject shall have
the right to obtain from the personal information controller a copy of such data in an electronic
or structured format that is commonly used and allows for further use by the data subject.
The exercise of this right shall primarily take into account the right of data subject to have
control over his or her personal data being processed based on consent or contract, for
commercial purpose, or through automated means. The Commission may specify the
electronic format referred to above, as well as the technical standards, modalities, procedures
and other rules for their transfer.

Section 37. Limitation on Rights. The immediately preceding sections shall not be applicable
if the processed personal data are used only for the needs of scientific and statistical research
and, on the basis of such, no activities are carried out and no decisions are taken regarding the
data subject: Provided, that the personal data shall be held under strict confidentiality and shall
be used only for the declared purpose. The said sections are also not applicable to the
processing of personal data gathered for the purpose of investigations in relation to any
criminal, administrative or tax liabilities of a data subject. Any limitations on the rights of the

157
data subject shall only be to the minimum extent necessary to achieve the purpose of said
research or investigation.

Rule IX. Data Breach Notification.

Section 38. Data Breach Notification.

a. The Commission and affected data subjects shall be notified by the personal
information controller within seventy-two (72) hours upon knowledge of, or when
there is reasonable belief by the personal information controller or personal
information processor that, a personal data breach requiring notification has
occurred.

b. Notification of personal data breach shall be required when sensitive personal

information or any other information that may, under the circumstances, be used to
enable identity fraud are reasonably believed to have been acquired by an
unauthorized person, and the personal information controller or the Commission
believes that such unauthorized acquisition is likely to give rise to a real risk of
serious harm to any affected data subject.

c. Depending on the nature of the incident, or if there is delay or failure to notify, the
Commission may investigate the circumstances surrounding the personal data
breach. Investigations may include on-site examination of systems and procedures.

Section 39. Contents of Notification. The notification shall at least describe the nature of the
breach, the personal data possibly involved, and the measures taken by the entity to address
the breach. The notification shall also include measures taken to reduce the harm or negative
consequences of the breach, the representatives of the personal information controller,
including their contact details, from whom the data subject can obtain additional information
about the breach, and any assistance to be provided to the affected data subjects.

Section 40. Delay of Notification. Notification may be delayed only to the extent necessary to
determine the scope of the breach, to prevent further disclosures, or to restore reasonable
integrity to the information and communications system.

a. In evaluating if notification is unwarranted, the Commission may take into account

compliance by the personal information controller with this section and existence of
good faith in the acquisition of personal data.

158
 b. The Commission may exempt a personal information controller from notification
where, in its reasonable judgment, such notification would not be in the public
interest, or in the interest of the affected data subjects.

c. The Commission may authorize postponement of notification where it may hinder

the progress of a criminal investigation related to a serious breach.

Section 41. Breach Report.

a. The personal information controller shall notify the Commission by submitting a

report, whether written or electronic, containing the required contents of
notification. The report shall also include the name of a designated representative
of the personal information controller, and his or her contact details.

b. All security incidents and personal data breaches shall be documented through
written reports, including those not covered by the notification requirements. In the
case of personal data breaches, a report shall include the facts surrounding an
incident, the effects of such incident, and the remedial actions taken by the personal
information controller. In other security incidents not involving personal data, a
report containing aggregated data shall constitute sufficient documentation. These
reports shall be made available when requested by the Commission. A general
summary of the reports shall be submitted to the Commission annually.

Section 42. Procedure for Notification. The Procedure for breach notification shall be in
accordance with the Act, these Rules, and any other issuance of the Commission.

Rule X. Outsourcing and Subcontracting Agreements

Section 43. Subcontract of Personal Data. A personal information controller may subcontract
or outsource the processing of personal data: Provided, that the personal information controller
shall use contractual or other reasonable means to ensure that proper safeguards are in place,
to ensure the confidentiality, integrity and availability of the personal data processed, prevent
its use for unauthorized purposes, and generally, comply with the requirements of the Act,
these Rules, other applicable laws for processing of personal data, and other issuances of the
Commission.

Section 44. Agreements for Outsourcing. Processing by a personal information processor shall
be governed by a contract or other legal act that binds the personal information processor to
the personal information controller.

159
a. The contract or legal act shall set out the subject-matter and duration of the
processing, the nature and purpose of the processing, the type of personal data and
categories of data subjects, the obligations and rights of the personal information
controller, and the geographic location of the processing under the subcontracting
agreement.

b. The contract or other legal act shall stipulate, in particular, that the personal
information processor shall:

1. Process the personal data only upon the documented instructions of the
personal information controller, including transfers of personal data to another
country or an international organization, unless such transfer is authorized by
law;

2. Ensure that an obligation of confidentiality is imposed on persons authorized

to process the personal data;

3. Implement appropriate security measures and comply with the Act, these
Rules, and other issuances of the Commission;

4. Not engage another processor without prior instruction from the personal
information controller: Provided, that any such arrangement shall ensure that
the same obligations for data protection under the contract or legal act are
implemented, taking into account the nature of the processing;

5. Assist the personal information controller, by appropriate technical and

organizational measures and to the extent possible, fulfill the obligation to
respond to requests by data subjects relative to the exercise of their rights;

6. Assist the personal information controller in ensuring compliance with the Act,
these Rules, other relevant laws, and other issuances of the Commission, taking
into account the nature of processing and the information available to the
personal information processor;

7. At the choice of the personal information controller, delete or return all

personal data to the personal information controller after the end of the
provision of services relating to the processing: Provided, that this includes
deleting existing copies unless storage is authorized by the Act or another law;

8. Make available to the personal information controller all information necessary

to demonstrate compliance with the obligations laid down in the Act, and
allow for and contribute to audits, including inspections, conducted by the
personal information controller or another auditor mandated by the latter;

9. Immediately inform the personal information controller if, in its opinion, an

instruction infringes the Act, these Rules, or any other issuance of the
Commission.

160
Section 45. Duty of personal information processor. The personal information processor shall
comply with the requirements of the Act, these Rules, other applicable laws, and other
issuances of the Commission, in addition to obligations provided in a contract, or other legal
act with a personal information controller.

Rule XI. Registration and Compliance Requirements

Section 46. Enforcement of the Data Privacy Act. Pursuant to the mandate of the Commission
to administer and implement the Act, and to ensure the compliance of personal information
controllers with its obligations under the law, the Commission requires the following:

a. Registration of personal data processing systems operating in the country that

involves accessing or requiring sensitive personal information of at least one
thousand (1,000) individuals, including the personal data processing system of
contractors, and their personnel, entering into contracts with government agencies;

b. Notification of automated processing operations where the processing becomes the

sole basis of making decisions that would significantly affect the data subject;

c. Annual report of the summary of documented security incidents and personal data
breaches;

d. Compliance with other requirements that may be provided in other issuances of the
Commission.

Section 47. Registration of Personal Data Processing Systems. The personal information
controller or personal information processor that employs fewer than two hundred fifty (250)
persons shall not be required to register unless the processing it carries out is likely to pose a
risk to the rights and freedoms of data subjects, the processing is not occasional, or the
processing includes sensitive personal information of at least one thousand (1,000)
individuals.

a. The contents of registration shall include:

1. The name and address of the personal information controller or personal

information processor, and of its representative, if any, including their contact
details;

2. The purpose or purposes of the processing, and whether processing is being

done under an outsourcing or subcontracting agreement;

3. A description of the category or categories of data subjects, and of the data or

categories of data relating to them;

161
 4. The recipients or categories of recipients to whom the data might be disclosed;

5. Proposed transfers of personal data outside the Philippines;

6. A general description of privacy and security measures for data protection;

7. Brief description of the data processing system;

8. Copy of all policies relating to data governance, data privacy, and information
security;

9. Attestation to all certifications attained that are related to information and

communications processing; and

10. Name and contact details of the compliance or data protection officer, which
shall immediately be updated in case of changes.

b. The procedure for registration shall be in accordance with these Rules and other
issuances of the Commission.

Section 48. Notification of Automated Processing Operations. The personal information

controller carrying out any wholly or partly automated processing operations or set of such
operations intended to serve a single purpose or several related purposes shall notify the
Commission when the automated processing becomes the sole basis for making decisions
about a data subject, and when the decision would significantly affect the data subject.

a. The notification shall include the following information:

1. Purpose of processing;

2. Categories of personal data to undergo processing;

3. Category or categories of data subject;

4. Consent forms or manner of obtaining consent;

5. The recipients or categories of recipients to whom the data are to be disclosed;

6. The length of time the data are to be stored;

7. Methods and logic utilized for automated processing;

8. Decisions relating to the data subject that would be made on the basis of
processed data or that would significantly affect the rights and freedoms of data
subject; and

9. Names and contact details of the compliance or data protection officer.

162
 b. No decision with legal effects concerning a data subject shall be made solely on the
basis of automated processing without the consent of the data subject.

Section 49. Review by the Commission. The following are subject to the review of the
Commission, upon its own initiative or upon the filing of a complaint by a data subject:

a. Compliance by a personal information controller or personal information processor

with the Act, these Rules, and other issuances of the Commission;

b. Compliance by a personal information controller or personal information processor

with the requirement of establishing adequate safeguards for data privacy and
security;

c. Any data sharing agreement, outsourcing contract, and similar contracts involving
the processing of personal data, and its implementation;

d. Any off-site or online access to sensitive personal data in government allowed by a

head of agency;

e. Processing of personal data for research purposes, public functions, or commercial

activities;

f. Any reported violation of the rights and freedoms of data subjects;

g. Other matters necessary to ensure the effective implementation and administration

of the Act, these Rules, and other issuances of the Commission.

Rule XII. Rules on Accountability

Section 50. Accountability for Transfer of Personal Data. A personal information controller
shall be responsible for any personal data under its control or custody, including information
that have been outsourced or transferred to a personal information processor or a third party
for processing, whether domestically or internationally, subject to cross-border arrangement
and cooperation.

a. A personal information controller shall be accountable for complying with the

requirements of the Act, these Rules, and other issuances of the Commission. It shall
use contractual or other reasonable means to provide a comparable level of
protection to the personal data while it is being processed by a personal information
processor or third party.

163
 b. A personal information controller shall designate an individual or individuals who
are accountable for its compliance with the Act. The identity of the individual or
individuals so designated shall be made known to a data subject upon request.

Section 51. Accountability for Violation of the Act, these Rules and Other Issuances of the
Commission.

a. Any natural or juridical person, or other body involved in the processing of personal
data, who fails to comply with the Act, these Rules, and other issuances of the
Commission, shall be liable for such violation, and shall be subject to its
corresponding sanction, penalty, or fine, without prejudice to any civil or criminal
liability, as may be applicable.

b. In cases where a data subject files a complaint for violation of his or her rights as
data subject, and for any injury suffered as a result of the processing of his or her
personal data, the Commission may award indemnity on the basis of the applicable
provisions of the New Civil Code.

c. In case of criminal acts and their corresponding personal penalties, the person who
committed the unlawful act or omission shall be recommended for prosecution by
the Commission based on substantial evidence. If the offender is a corporation,
partnership, or any juridical person, the responsible officers, as the case may be, who
participated in, or by their gross negligence, allowed the commission of the crime,
shall be recommended for prosecution by the Commission based on substantial
evidence.

Rule XIII. Penalties

Section 52. Unauthorized Processing of Personal Information and Sensitive Personal

Information.

a. A penalty of imprisonment ranging from one (1) year to three (3) years and a fine of
not less than Five hundred thousand pesos (Php500,000.00) but not more than Two
million pesos (Php2,000,000.00) shall be imposed on persons who process personal
information without the consent of the data subject, or without being authorized
under the Act or any existing law.

b. A penalty of imprisonment ranging from three (3) years to six (6) years and a fine of
not less than Five hundred thousand pesos (Php500,000.00) but not more than Four
million pesos (Php4,000,000.00) shall be imposed on persons who process sensitive
personal information without the consent of the data subject, or without being
authorized under the Act or any existing law.

164
Section 53. Accessing Personal Information and Sensitive Personal Information Due to
Negligence.

a. A penalty of imprisonment ranging from one (1) year to three (3) years and a fine of
not less than Five hundred thousand pesos (Php500,000.00) but not more than Two
million pesos (Php2,000,000.00) shall be imposed on persons who, due to negligence,
provided access to personal information without being authorized under the Act or
any existing law.

b. A penalty of imprisonment ranging from three (3) years to six (6) years and a fine of
not less than Five hundred thousand pesos (Php500,000.00) but not more than Four
million pesos (Php4,000,000.00) shall be imposed on persons who, due to negligence,
provided access to sensitive personal information without being authorized under
the Act or any existing law.

Section 54. Improper Disposal of Personal Information and Sensitive Personal Information.

a. A penalty of imprisonment ranging from six (6) months to two (2) years and a fine
of not less than One hundred thousand pesos (Php100,000.00) but not more than Five
hundred thousand pesos (Php500,000.00) shall be imposed on persons who
knowingly or negligently dispose, discard, or abandon the personal information of
an individual in an area accessible to the public or has otherwise placed the personal
information of an individual in its container for trash collection.

b. A penalty of imprisonment ranging from one (1) year to three (3) years and a fine of
not less than One hundred thousand pesos (Php100,000.00) but not more than One
million pesos (Php1,000,000.00) shall be imposed on persons who knowingly or
negligently dispose, discard or abandon the sensitive personal information of an
individual in an area accessible to the public or has otherwise placed the sensitive
personal information of an individual in its container for trash collection.

Section 55. Processing of Personal Information and Sensitive Personal Information for
Unauthorized Purposes.

a. A penalty of imprisonment ranging from one (1) year and six (6) months to five (5)
years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but
not more than One million pesos (Php1,000,000.00) shall be imposed on persons
processing personal information for purposes not authorized by the data subject, or
otherwise authorized under the Act or under existing laws.

165
 b. A penalty of imprisonment ranging from two (2) years to seven (7) years and a fine
of not less than Five hundred thousand pesos (Php500,000.00) but not more than
Two million pesos (Php2,000,000.00) shall be imposed on persons processing
sensitive personal information for purposes not authorized by the data subject, or
otherwise authorized under the Act or under existing laws.

Section 56. Unauthorized Access or Intentional Breach. A penalty of imprisonment ranging

from one (1) year to three (3) years and a fine of not less than Five hundred thousand pesos
(Php500,000.00) but not more than Two million pesos (Php2,000,000.00) shall be imposed on
persons who knowingly and unlawfully, or violating data confidentiality and security data
systems, breaks in any way into any system where personal and sensitive personal
information are stored.

Section 57. Concealment of Security Breaches Involving Sensitive Personal Information. A

penalty of imprisonment ranging from one (1) year and six (6) months to five (5) years and a
fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than One
million pesos (Php1,000,000.00) shall be imposed on persons who, after having knowledge of
a security breach and of the obligation to notify the Commission pursuant to Section 20(f) of
the Act, intentionally or by omission conceals the fact of such security breach.

Section 58. Malicious Disclosure. Any personal information controller or personal

information processor, or any of its officials, employees or agents, who, with malice or in bad
faith, discloses unwarranted or false information relative to any personal information or
sensitive personal information obtained by him or her, shall be subject to imprisonment
ranging from one (1) year and six (6) months to five (5) years and a fine of not less than Five
hundred thousand pesos (Php500,000.00) but not more than One million pesos
(Php1,000,000.00).

Section 59. Unauthorized Disclosure.

a. Any personal information controller or personal information processor, or any of its

officials, employees, or agents, who discloses to a third party personal information
not covered by the immediately preceding section without the consent of the data
subject, shall be subject to imprisonment ranging from one (1) year to three (3) years
and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not
more than One million pesos (Php1,000,000.00).

b. Any personal information controller or personal information processor, or any of its

officials, employees or agents, who discloses to a third party sensitive personal

166
 information not covered by the immediately preceding section without the consent
of the data subject, shall be subject to imprisonment ranging from three (3) years to
five (5) years and a fine of not less than Five hundred thousand pesos
(Php500,000.00) but not more than Two million pesos (Php2,000,000.00).

Section 60. Combination or Series of Acts. Any combination or series of acts as defined in
Sections 52 to 59 shall make the person subject to imprisonment ranging from three (3) years
to six (6) years and a fine of not less than One million pesos (Php1,000,000.00) but not more
than Five million pesos (Php5,000,000.00).

Section 61. Extent of Liability. If the offender is a corporation, partnership or any juridical
person, the penalty shall be imposed upon the responsible officers, as the case may be, who
participated in, or by their gross negligence, allowed the commission of the crime. Where
applicable, the court may also suspend or revoke any of its rights under this Act.

If the offender is an alien, he or she shall, in addition to the penalties herein prescribed, be
deported without further proceedings after serving the penalties prescribed.

If the offender is a public official or employee and he or she is found guilty of acts penalized
under Sections 54 and 55 of these Rules, he or she shall, in addition to the penalties prescribed
herein, suffer perpetual or temporary absolute disqualification from office, as the case may
be.

Section 62. Large-Scale. The maximum penalty in the corresponding scale of penalties
provided for the preceding offenses shall be imposed when the personal data of at least one
hundred (100) persons are harmed, affected, or involved, as the result of any of the above-
mentioned offenses.

Section 63. Offense Committed by Public Officer. When the offender or the person responsible
for the offense is a public officer, as defined in the Administrative Code of 1987, in the exercise
of his or her duties, he or she shall likewise suffer an accessory penalty consisting of
disqualification to occupy public office for a term double the term of the criminal penalty
imposed.

167
Section 64. Restitution. Pursuant to the exercise of its quasi-judicial functions, the
Commission shall award indemnity to an aggrieved party on the basis of the provisions of the
New Civil Code. Any complaint filed by a data subject shall be subject to the payment of filing
fees, unless the data subject is an indigent.

Section 65. Fines and Penalties. Violations of the Act, these Rules, other issuances and orders
of the Commission, shall, upon notice and hearing, be subject to compliance and enforcement
orders, cease and desist orders, temporary or permanent ban on the processing of personal
data, or payment of fines, in accordance with a schedule to be published by the Commission.

Rule XIV. Miscellaneous Provisions

Section 66. Appeal. Appeal from final decisions of the Commission shall be made to the
proper courts in accordance with the Rules of Court, or as may be prescribed by law.

Section 67. Period for Compliance. Any natural or juridical person or other body involved in
the processing of personal data shall comply with the personal data processing principles and
standards of personal data privacy and security already laid out in the Act.

Personal information controllers and Personal Information processors shall register with the
Commission their data processing systems or automated processing operations, subject to
notification, within one (1) year after the effectivity of these Rules. Any subsequent issuance
of the Commission, including those that implement specific standards for data portability,
encryption, or other security measures shall provide the period for its compliance.

For a period of one (1) year from the effectivity of these Rules, a personal information
controller or personal information processor may apply for an extension of the period within
which to comply with the issuances of the Commission. The Commission may grant such
request for good cause shown.

Section 68. Appropriations Clause. The Commission shall be provided with appropriations
for the performance of its functions which shall be included in the General Appropriations
Act.

168
Section 69. Interpretation. Any doubt in the interpretation of any provision of this Act shall
be liberally interpreted in a manner that would uphold the rights and interests of the
individual about whom personal data is processed.

Section 70. Separability Clause. If any provision or part hereof is held invalid or
unconstitutional, the remainder of these Rules or the provision not otherwise affected shall
remain valid and subsisting.

Section 71. Repealing Clause. Except as otherwise expressly provided in the Act or these
Rules, all other laws, decrees, executive orders, proclamations and administrative regulations
or parts thereof inconsistent herewith are hereby repealed or modified accordingly.

Section 72. Effectivity Clause. These Rules shall take effect fifteen (15) days after its
publication in the Official Gazette.

Approved:

RAYMUND E. LIBORO
Privacy Commissioner

IVY D. PATDU DAMIAN DOMINGO O. MAPA

Deputy Privacy Commissioner Deputy Privacy Commissioner

Promulgated: August 24, 2016

169
NPC Memorandum Circulars

NPC Circular 16-01

DATE : 10 October 2016

TO : ALL HEADS OF GOVERNMENT BRANCHES, BODIES

OR ENTITIES, INCLUDING NATIONAL
GOVERNMENT AGENCIES, BUREAUS OR OFFICES,
CONSTITUTIONAL COMMISSIONS, LOCAL
GOVERNMENT UNITS, GOVERNMENT-OWNED AND
CONTROLLED CORPORATIONS, STATE COLLEGE
AND UNIVERSITIES

SUBJECT : SECURITY OF PERSONAL DATA IN GOVERNMENT

AGENCIES

WHEREAS, Article II, Section 24, of the 1987 Constitution provides that the State
recognizes the vital role of communication and information in nation-building. At the same
time, Article II, Section 11 thereof emphasizes that the State values the dignity of every human
person and guarantees full respect for human rights;

WHEREAS, Section 2 of Republic Act No. 10173, also known as the Data Privacy Act
of 2012, provides that it is the policy of the State to protect the fundamental human right of
privacy of communication while ensuring free flow of information to promote innovation and
growth. The State also recognizes its inherent obligation to ensure that personal information
in information and communications systems in the government and in the private sector are
secured and protected;

WHEREAS, pursuant to Section 7 of the Data Privacy Act of 2012, the National Privacy
Commission is charged with the administration and implementation of the provisions of the
law, which includes ensuring the compliance by personal information controllers with the
provisions of the Act and with international standards for data protection, and carrying out
efforts to formulate and implement plans and policies that strengthen the protection of
personal information in the country, in coordination with other government agencies and the
private sector;

WHEREAS, under Section 22 of the Data Privacy Act of 2012, the head of each
government agency or instrumentality is responsible for complying with the security
requirements mentioned in the law. This includes ensuring all sensitive personal information
maintained by his or her agency are secured, as far as practicable, with the use of the most
appropriate standard recognized by the information and communications technology
industry, and as recommended by the Commission;

WHEREAS, under Section 23 of the Data Privacy Act of 2012, the Commission may
issue guidelines relating to access by agency personnel to sensitive personal information;

170
 WHEREAS, Section 9 of the Implementing Rules and Regulations of the Data Privacy
Act of 2012 provides that, among the Commissions functions, is to develop, promulgate,
review or amend rules and regulations for the effective implementation of the Act;

WHEREFORE, in consideration of these premises, the National Privacy Commission

hereby issues this Circular governing the security of personal data in government agencies.

RULE I.
GENERAL PROVISIONS

SECTION 1. Scope. These Rules shall apply to all government agencies engaged in the
processing of personal data.

SECTION 2. Purpose. These Rules are hereby issued to assist government agencies engaged
in the processing of personal data to meet their legal obligations under Republic Act No.
10173, also known as the Data Privacy Act of 2012, and its corresponding Implementing Rules
and Regulations.

A government agency may use these Rules to issue and implement more detailed policies and
procedures, which reflect its specific operating requirements.

SECTION 3. Definition of Terms. For the purpose of this Circular, the following terms are
defined, as follows:

A. Acceptable Use Policy shall refer to a document or set of rules stipulating controls
or restrictions that agency personnel must agree to for access to their agencys
network, facilities, equipment, or services;

B. Act refers to Republic Act No. 10173, otherwise known as the Data Privacy Act of
2012 (DPA);

C. Agency Personnel refers to all officials, officers, employees or consultants of a

government agency, including those covered by job orders or contracts of services;

D. Commission refers to the National Privacy Commission (NPC);

E. Data Center refers to a centralized repository, which may be physical or virtual,

may be analog or digital, used for the storage, management, and dissemination of
data including personal data;

F. Data Protection Officer refers to an individual designated by the head of agency

to be accountable for the agencys compliance with the Act: Provided, that the
individual must be an organic employee of the government agency: Provided further,
that a government agency may have more than one data protection officer;

G. Government Agency refers to a government branch or body or entity, including

national government agencies, bureaus, or offices, constitutional commissions, local

171
 government units, government-owned and controlled corporations, government
financial institutions, state colleges and universities;

H. Head of Agency refers to: (1) the head of the government entity or body, for
national government agencies, constitutional commissions or offices, or branches of
the government; (2) the governing board or its duly authorized official for
government owned and controlled corporations, government financial institutions,
and state colleges and universities; (3) the local chief executive, for local government
units;

I. Implementing Rules and Regulations or IRR shall pertain to Implementing

Rules and Regulations of Republic Act No. 10173, otherwise known as the Data
Privacy Act of 2012;

J. Personal Data shall refer to all types of personal information, including those
pertaining to agency personnel;

K. Privacy Impact Assessment is a process undertaken and used by a government

agency to evaluate and manage privacy impacts;

L. System Management Tool is a software system that facilitates the administration

of user passwords and access rights.

SECTION 4. General Obligations. A government agency engaged in the processing of

personal data shall observe the following duties and responsibilities:

A. through its head of agency, designate a Data Protection Officer;

B. conduct a Privacy Impact Assessment for each program, process or measure within
the agency that involves personal data, Provided, that such assessment shall be
updated as necessary;

C. create privacy and data protection policies, taking into account the privacy impact
assessments, as well as Sections 25 to 29 of the IRR;

D. conduct a mandatory, agency-wide training on privacy and data protection policies

once a year: Provided, that a similar training shall be provided during all agency
personnel orientations.

E. register its data processing systems with the Commission in cases where processing
involves personal data of at least one thousand (1,000) individuals, taking into
account Sections 46 to 49 of the IRR;

F. cooperate with the Commission when the agencys privacy and data protection
policies are subjected to review and assessment, in terms of their compliance with
the requirements of the Act, its IRR, and all issuances by the Commission.

SECTION 5. Privacy Impact Assessment. A government agency engaged in the processing

of personal data shall ensure that its conduct of a privacy impact assessment is proportionate

172
or consistent with the size and sensitivity of the personal data being processed, and the risk
of harm from the unauthorized processing of that data.

The Privacy Impact Assessment shall include the following:

A. a data inventory identifying:

1.) the types of personal data held by the agency, including records of its own
employees;
2.) list of all information repositories holding personal data, including their
location;
3.) types of media used for storing the personal data; and
4.) risks associated with the processing of the personal data;

B. a systematic description of the processing operations anticipated and the purposes

of the processing, including, where applicable, the legitimate interest pursued by the
agency;

C. an assessment of the necessity and proportionality of the processing in relation to

the purposes of the processing; and

D. an assessment of the risks to the rights and freedoms of data subjects.

SECTION 6. Control Framework for Data Protection. The risks identified in the privacy
impact assessment must be addressed by a control framework, which is a comprehensive
enumeration of the measures intended to address the risks, including organizational, physical
and technical measures to maintain the availability, integrity and confidentiality of personal
data and to protect the personal data against natural dangers such as accidental loss or
destruction, and human dangers such as unlawful access, fraudulent misuse, unlawful
destruction, alteration and contamination.

The contents of a control framework shall take into account, among others, the following:

A. nature of the personal data to be protected;

B. risks represented by the processing, the size of the organization and complexity of
its operations;
C. current data privacy best practices; and
D. cost of security implementation.

For agencies that process the personal data records of more than one thousand (1,000)
individuals, including agency personnel, the Commission recommends the use of the
ISO/IEC 27002 control set as the minimum standard to assess any gaps in the agencys control
framework.

RULE II.
STORAGE OF PERSONAL DATA

SECTION 7. General Rule. Personal data being processed by a government agency shall be
stored in a data center, which may or may not be owned and controlled by such agency:

173
Provided, that the agency must be able to demonstrate to the Commission how its control
framework for data protection, and/or, where applicable, that of its service provider, shall
ensure compliance with the Act: Provided further, that where a service provider is engaged, the
Commission may require the agency to submit its contract with its service provider for review.

SECTION 8. Encryption of Personal Data. All personal data that are digitally processed must
be encrypted, whether at rest or in transit. For this purpose, the Commission recommends
Advanced Encryption Standard with a key size of 256 bits (AES-256) as the most appropriate
encryption standard.

Passwords or passphrases used to access personal data should be of sufficient strength to

deter password attacks. A password policy should be issued and enforced through a system
management tool.

SECTION 9. Restricted Access. Access to all data centers owned and controlled by a
government agency shall be restricted to agency personnel that have the appropriate security
clearance. This should be enforced by an access control system that records when, where, and
by whom the data centers are accessed. Access records and procedures shall be reviewed by
agency management regularly.

SECTION 10. Service Provider as Personal Information Processor. When a government

agency engages a service provider for the purpose of storing personal data under the agencys
control or custody, the service provider shall function as a personal information processor and
comply with all the requirements of the Act, its IRR and all applicable issuances by the
Commission.

SECTION 11. Audit. The Commission reserves the right to audit a government agency's data
center, or, where applicable, that of its service provider.

Independent verification or certification by a reputable third party may also be accepted by

the Commission.

SECTION 12. Recommended Independent Verification or Certification. The Commission

recommends ISO/IEC 27018 as the most appropriate certification for the service or function
provided by a service provider under this Rule.

SECTION 13. Archives. The requirements of this Rule shall also apply to personal data that a
government agency has stored for archival purposes.

174
 RULE III.
AGENCY ACCESS TO PERSONAL DATA

SECTION 14. Access to or Modification of Databases. Only programs developed or licensed

by a government agency shall be allowed to access and modify databases containing the
personal data under the control or custody of that agency.

SECTION 15. Security Clearance. A government agency shall strictly regulate access to
personal data under its control or custody. It shall grant access to agency personnel, through
the issuance of a security clearance by the head of agency, only when the performance of
official functions or the provision of a public service directly depends on such access or cannot
otherwise be performed without such access.

A copy of each security clearance must be filed with the agencys Data Protection Officer.

SECTION 16. Contractors, Consultants and Service Providers. Access to personal data by
independent contractors, consultants, and service providers engaged by a government agency
shall be governed by strict procedures contained in formal contracts, which provisions must
comply with the Act, its IRR, and all applicable issuances by the Commission. The terms of
the contract and undertakings given should be subject to review and audit to ensure
compliance.

SECTION 17. Acceptable Use Policy. Each government agency shall have an up-to-date
Acceptable Use Policy regarding the use by agency personnel of information and
communications technology. The policy shall be explained to all agency personnel who shall
use such technology in relation to their functions. Each user shall agree to such policy and, for
this purpose, sign the appropriate agreement or document, before being allowed access to and
used of the technology.

SECTION 18. Online Access to Personal Data. Agency personnel who access personal data
online shall authenticate their identity via a secure encrypted link and must use multi-factor
authentication. Their access rights must be defined and controlled by a system management
tool.

SECTION 19. Local Copies of Personal Data Accessed Online. A government agency shall
adopt and utilize technologies that prevent personal data accessible online to authorized
agency personnel from being copied to a local machine. The agency shall also provide for the
automatic deletion of temporary files that may be stored on a local machine by its operating
system.

Where possible, agency personnel shall not be allowed to save files to a local machine. They
shall be directed to only save files to their allocated network drive.

175
Drives and USB ports on local machines may also be disabled as a security measure. A
government agency may also consider prohibiting the use of cameras in areas where personal
data is displayed or processed.

SECTION 20. Authorized Devices. A government agency shall ensure that only known
devices, properly configured to the agencys security standards, are authorized to access
personal data. The agency shall also put in place solutions, which only allow authorized
media to be used on its computer equipment.

SECTION 21. Remote Disconnection or Deletion. A government agency shall adopt and use
technologies that allow the remote disconnection of a mobile device owned by the agency, or
the deletion of personal data contained therein, in event such mobile device is lost. A
notification system for such loss must also be established.

SECTION 22. Paper-based Filing System. If personal data is stored in paper files or any
physical media, the government agency shall maintain a log, from which it can be ascertained
which file was accessed, including when, where, and by whom. Such log shall also indicate
whether copies of the file were made. Agency management shall regularly review the log
records, including all applicable procedures.

SECTION 23. Personal Data Sharing Agreements. Access by other parties to personal data
under the control or custody of a government agency shall be governed by data sharing
agreements that will be covered by a separate issuance of the Commission.

RULE IV.
TRANSFER OF PERSONAL DATA

SECTION 24. Emails. A government agency that transfers personal data by email must either
ensure that the data is encrypted, or use a secure email facility that facilitates the encryption
of the data, including any attachments. Passwords should be sent on a separate email. It is
also recommended that agencies utilize systems that scan outgoing emails and attachments
for keywords that would indicate the presence of personal data and, if appropriate, prevent
its transmission.

SECTION 25. Personal Productivity Software. A government agency shall implement access
controls to prevent agency personnel from printing or copying personal data to personal
productivity software like word processors and spreadsheets that do not have any security or
access controls in place.

SECTION 26. Portable Media. A government agency that uses portable media, such as disks
or USB drives, to store or transfer personal data must ensure that the data is encrypted.
Agencies that use laptops to store personal data must utilize full disk encryption.

176
SECTION 27. Removable Physical media. Where possible, the manual transfer of personal
data, such as through the use of removable physical media like compact discs, shall not be
allowed: Provided, that if such mode of transfer is unavoidable or necessary, authentication
technology, such as one-time PINs, shall be implemented.

SECTION 28. Fax Machines. Facsimile technology shall not be used for transmitting
documents containing personal data.

SECTION 29. Transmittal. A government agency that transmits documents or media

containing personal data by mail or post shall make use of registered mail or, where
appropriate, guaranteed parcel post service. It shall establish procedures that ensure that such
documents or media are delivered only to the person to whom they are addressed, or his or
her authorized representative: Provided, that similar safeguards shall be adopted relative to
documents or media transmitted between offices or personnel within the agency.

RULE V.
DISPOSAL OF PERSONAL DATA

SECTION 30. Archival Obligations. A government agency must be aware of its legal
obligations as set out in Republic Act No. 9470, also known as the National Archives of the
Philippines Act of 2007. Personal data records, as well as incoming and outgoing emails, of
enduring value may be archived pursuant to such Act.

SECTION 31. Procedures. Procedures must be established regarding:

A. disposal of files that contain personal data, whether such files are stored on paper,
film, optical or magnetic media;
B. secure disposal of computer equipment, such as disk servers, desktop computers
and mobile phones at end-of-life, especially storage media: Provided, that the
procedure shall include the use of degaussers, erasers, and physical destruction
devices; and
C. disposal of personal data stored offsite.

SECTION 32. Third-Party Service Providers. A government agency may engage a service
provider to carry out the disposal of personal data under its control or custody: Provided, that
the service provider shall contractually agree to the agencys data protection procedures and
ensure that the confidentiality of all personal data is protected.

177
 RULE VI.
MISCELLANEOUS PROVISIONS

SECTION 33. Data Breach Management. The appropriate guidelines for managing data
breaches will be the subject of a separate issuance by the Commission.

SECTION 34. Penalties. Violations of these Rules, shall, upon notice and hearing, be subject
to compliance and enforcement orders, cease and desist orders, temporary or permanent ban
on the processing of personal data, or payment of fines, in accordance with a schedule to be
published by the Commission.

Failure to comply with the provisions of this Circular may be a ground for administrative and
disciplinary sanctions against any erring public officer or employee in accordance with
existing laws or regulations.
The commencement of any action under this Circular is independent and without prejudice
to the filing of any action with the regular courts or other quasi-judicial bodies.

SECTION 35. Amendments. These Rules shall be subject to regular review by the
Commission. Any amendment thereto shall be subject to the necessary consultations with the
concerned stakeholders.

SECTION 36. Transitory Period. Government agencies shall be given a period of one (1) year
transitory period from the effectivity of these Rules to comply with the requirements provided
herein.

SECTION 37. Separability Clause. If any portion or provision of these Rules is declared null
and void or unconstitutional, the other provisions not affected thereby shall continue to be in
force and effect.

SECTION 38. Repealing Clause. All other rules, regulations, and issuances contrary to or
inconsistent with the provisions of these Rules are deemed repealed or modified accordingly.

SECTION 39. Effectivity. These Rules shall take effect fifteen (15) days after its publication
in the Official Gazette.

178
Approved:

(Sgd.) RAYMUND E. LIBORO

Privacy Commissioner

(Sgd.) IVY D. PATDU (Sgd.) DAMIAN DOMINGO O. MAPA

Deputy Privacy Commissioner Deputy Privacy Commissioner

179
NPC Circular 16-02

DATE : 10 October 2016

TO : ALL HEADS OF GOVERNMENT BRANCHES, BODIES OR ENTITIES,

INCLUDING NATIONAL GOVERNMENT AGENCIES, BUREAUS OR
OFFICES, CONSTITUTIONAL COMMISSIONS, LOCAL
GOVERNMENT UNITS, GOVERNMENT-OWNED AND
CONTROLLED CORPORATIONS, STATE COLLEGE AND
UNIVERSITIES; HEADS OF PRIVATE ENTITIES

SUBJECT : DATA SHARING AGREEMENTS INVOLVING GOVERNMENT

AGENCIES

WHEREAS, Article II, Section 24, of the 1987 Constitution provides that the State
recognizes the vital role of communication and information in nation-building. At the same
time, Article II, Section 11 thereof emphasizes that the State values the dignity of every human
person and guarantees full respect for human rights;

WHEREAS, Section 2 of Republic Act No. 10173, also known as the Data Privacy Act
of 2012, provides that it is the policy of the State to protect the fundamental human right of
privacy of communication while ensuring free flow of information to promote innovation and
growth. The State also recognizes its inherent obligation to ensure that personal information
in information and communications systems in the government and in the private sector are
secured and protected;

WHEREAS, Section 20 of the Implementing Rules and Regulations of the Data Privacy
Act of 2012 provides that further processing of personal data collected from a party other than
the data subject shall be allowed under certain conditions;

WHEREAS, pursuant to Section 7 of the Data Privacy Act of 2012, the National Privacy
Commission is charged with the administration and implementation of the provisions of the
law, which includes ensuring the compliance by personal information controllers with the
provisions of the Act, and carrying out efforts to formulate and implement plans and policies
that strengthen the protection of personal information in the country, in coordination with
other government agencies and the private sector;

WHEREAS, Section 9 of the Implementing Rules and Regulations of the Data Privacy
Act of 2012 provides that, among the Commissions functions, is to develop, promulgate,
review or amend rules and regulations for the effective implementation of the Act;

WHEREFORE, in consideration of these premises, the National Privacy Commission

hereby issues this Circular governing data sharing agreements involving government
agencies:

SECTION 1. General Principle. To facilitate the performance of a public function or the

provision of a public service, a government agency may share or transfer personal data under
its control or custody to a third party through a data sharing agreement: Provided, that nothing

180
in this Circular shall be construed as prohibiting or limiting the sharing or transfer of any
personal data that is already authorized or required by law.

SECTION 2. Scope. The provisions of this Circular shall only apply to personal data under
the control or custody of a government agency that is being shared with or transferred to a
third party, for the purpose of performing a public function, or providing of a public service:
Provided, that it shall also cover personal data under the control or custody of a private entity
that is being shared with or transferred to a government agency: Provided further, that where
the personal data is in the custody of a personal information processor, the sharing or transfer
of personal data shall only be allowed if it is pursuant to the instructions of the personal
information controller concerned.

Data sharing agreements exclusively between private entities, or those for purpose of
research, shall be in accordance with the Implementing Rules and Regulations of the Data
Privacy Act of 2012, or other issuances of the National Privacy Commission.

SECTION 3. Definition of Terms. For the purpose of this Circular, the following terms are
defined, as follows:

A. Act refers to Republic Act No. 10173, otherwise known as the Data Privacy Act of
2012;

B. Commission refers to the National Privacy Commission (NPC);

C. Data Protection Officer refers to an individual designated by the head of agency,

or the head of a private entity, to be accountable for the agencys or entitys
compliance with the Act, its IRR, and other issuances of the Commission: Provided,
that the individual must be an organic employee of the government agency or
private entity: Provided further, that a government agency or private entity may have
more than one data protection officer;

D. Data sharing is the disclosure or transfer to a third party of personal data under
the control or custody of a personal information controller: Provided, that a personal
information processor may be allowed to make such disclosure or transfer if it is
upon the instructions of the personal information controller concerned.

The term excludes outsourcing, or the disclosure or transfer of personal data by a

personal information controller to a personal information processor;

E. Data Sharing Agreement refers to a contract, joint issuance, or any similar

document that contains the terms and conditions of a data sharing arrangement
between two or more parties: Provided, that only personal information controllers
shall be made parties to a data sharing agreement;

F. Data Subject refers to an individual whose personal, sensitive personal, or

privileged information is processed;

181
G. Encryption Method refers to the technique that renders data or information
unreadable, ensures that it is not altered in transit, and verifies the identity of its
sender;

H. Government Agency refers to a government branch, body, or entity, including

national government agencies, bureaus, or offices, constitutional commissions, local
government units, government-owned and controlled corporations, government
financial institutions, state colleges and universities;

I. Head of agency refers to: (1) the head of the government entity or body, for
national government agencies, constitutional commissions or offices, or branches of
the government; (2) the governing board or its duly authorized official for
government owned and controlled corporations, government financial institutions,
and state colleges and universities; (3) the local chief executive, for local government
units;

J. Head of a private entity refers to the head or decision-making body of a private

entity;

K. IRR refers to the Implementing Rules and Regulations of Republic Act No. 10173,
otherwise known as the Data Privacy Act of 2012;

L. Middleware refers to any software or program that facilitates the exchange of data
between two applications or programs that are either within the same environment,
or are located in different hardware or network environments;

M. Personal data refers to all types of personal information;

N. Personal information controller refers to a natural or juridical person, or any other

body who controls the processing of personal data, or instructs another to process
personal data on its behalf. The term excludes:

1. A natural or juridical person, or any other body, who performs such

functions as instructed by another person or organization; or
2. A natural person who processes personal data in connection with his or her
personal, family, or household affairs;

There is control if the natural or juridical person or any other body decides on what
information is collected, or the purpose or extent of its processing;

For the purpose of this Circular, each party to a data sharing agreement shall be
considered a personal information controller.

O. Personal information processor refers to any natural or juridical person or any

other body to whom a personal information controller may outsource or instruct the
processing of personal data pertaining to a data subject;

P. Private entity refers to any natural or juridical person that is not a unit of the
government including, but not limited to, a corporation, partnership, company, non-
profit organization or any other legal entity.

182
SECTION 4. Consent. The personal information controller charged with the collection of
personal data directly from the data subject, on its own or through a personal information
processor, shall obtain the consent of the data subject prior to collection and processing, except
where such consent is not required for the lawful processing of personal data, as provided by
law.

The personal information controller may request an advisory opinion from the Commission
in determining whether the data sharing requires consent from the data subject.

The data subject shall be provided with the following information prior to collection or before
his or her personal data is shared:

A. Identity of the personal information controllers or personal information processors

that will be given access to the personal data;
B. Purpose of data sharing;
C. Categories of personal data concerned;
D. Intended recipients or categories of recipients of the personal data;
E. Existence of the rights of data subjects, including the right to access and correction,
and the right to object; and
F. Other information that would sufficiently notify the data subject of the nature and
extent of data sharing and the manner of processing.

SECTION 5. Data Privacy Principles. Data sharing shall adhere to the data privacy
principles laid down in the Act, the IRR, this Circular, and all applicable issuances of the
Commission.

SECTION 6. Content of a Data Sharing Agreement. A data sharing agreement shall be in

writing and must comply with the following conditions:

A. It shall specify, with due particularity, the purpose or purposes of the data sharing
agreement, including the public function or public service the performance or
provision of which the agreement is meant to facilitate: Provided, that if the purpose
includes the grant of online access to personal data, or if access is open to the public
or private entities, these shall also be clearly specified in the agreement.

B. It shall identify all personal information controllers that are party to the agreement,
and for every party, specify:

1. the type of personal data to be shared under the agreement;

2. any personal information processor that will have access to or process the
personal data, including the types of processing it shall be allowed to perform;
3. how the party may use or process the personal data, including, but not limited
to, online access;
4. the remedies available to a data subject, in case the processing of personal data
violates his or her rights, and how these may be exercised;
5. the designated data protection officer or compliance officer.

183
 C. It shall specify the term or duration of the agreement, which may be renewed on the
ground, that the purpose or purposes of such agreement continues to exist: Provided,
that in no case shall such term or any subsequent extensions thereof exceed five (5)
years, without prejudice to entering into a new data sharing agreement.

D. It shall contain an overview of the operational details of the sharing or transfer of

personal data under the agreement. Such overview must adequately explain to a
data subject and the Commission the need for the agreement, and the procedure that
the parties intend to observe in implementing the same.

E. It shall include a general description of the security measures that will ensure the
protection of the personal data of data subjects, including the policy for retention or
disposal of records.

F. It shall state how a copy of the agreement may be accessed by a data subject: Provided,
that the government agency may redact or prevent the disclosure of any detail or
information that could endanger its computer network or system, or expose to harm
the integrity, availability or confidentiality of personal data under its control or
custody. Such information may include the program, middleware and encryption
method in use, as provided in the next succeeding paragraph.

G. If a personal information controller shall grant online access to personal data under
its control or custody, it shall specify the following information:

1. Justification for allowing online access;

2. Parties that shall be granted online access;
3. Types of personal data that shall be made accessible online;
4. Estimated frequency and volume of the proposed access; and
5. Program, middleware and encryption method that will be used.

H. It shall specify the personal information controller responsible for addressing any
information request, or any complaint filed by a data subject and/or any
investigation by the Commission: Provided, that the Commission shall make the final
determination as to which personal information controller is liable for any breach or
violation of the Act, its IRR, or any applicable issuance of the Commission.

I. It shall identify the method that shall be adopted for the secure return, destruction
or disposal of the shared data and the timeline therefor.

J. It shall specify any other terms or conditions that the parties may agree on.

SECTION 7. Online Access. Where a government agency grants online access to personal data
under its control or custody, such access must be done via a secure encrypted link. The
government agency concerned must deploy middleware that shall have full control over such
online access.
SECTION 8. Transfer of Personal Data. Where a data sharing agreement involves the actual
transfer of personal data or a copy thereof from one party to another, such transfer shall
comply with the security requirements imposed by the Act, its IRR, and all applicable
issuances of the Commission.

184
SECTION 9. Responsibility of the Parties. All parties to a data sharing agreement shall
comply with the Act, its IRR, and all applicable issuances of the Commission, including
putting in place adequate safeguards for data privacy and security. The designated data
protection officer shall be accountable for ensuring such compliance.

In the case of a government agency, the head of agency shall be responsible for complying
with the security requirements provided in the Act, its IRR and all applicable issuances of the
Commission.

SECTION 10. Accountability for Cross-border Transfer of Personal Data. Each party to a
data sharing agreement shall be responsible for any personal data under its control or custody,
including those it has outsourced or subcontracted to a personal information processor. This
extends to personal data it shares with or transfers to a third party located outside the
Philippines, subject to cross-border arrangement and cooperation.

SECTION 11. Prior Consultation. Prior to the execution of a data sharing agreement, the
parties thereto may consult with and invite comments thereon from:

A. the Commission;

B. any person or organization that the parties to the proposed data sharing agreement
recognize as representing the interests of the classes of data subjects whose personal
data will be shared under the proposed agreement; and

C. any other person or organization whose view or opinion the parties to the proposed
data sharing agreement deem necessary.

Failure to conduct prior consultation by the parties shall not invalidate a data sharing
agreement: Provided, however, that in the event of a breach or a reported violation of the Act,
its IRR, or any issuance by the Commission, the latter shall take into account the conduct of
such consultation in evaluating the circumstances surrounding the violation.

SECTION 12. Security of Personal Data. Data sharing shall only be allowed where there are
adequate safeguards for data privacy and security. The parties to a data sharing agreement
shall use contractual or other reasonable means to ensure that personal data is covered by a
consistent level of protection when it is shared or transferred.

SECTION 13. Review by the Commission. A data sharing agreement shall be subject to a
review by the Commission, on its own initiative or upon a complaint by a data subject.

SECTION 14. Mandatory Periodic Review. The terms and conditions of a data sharing
agreement shall be subject to a mandatory review by the parties thereto upon the expiration
of its term, and any subsequent extensions thereof. The parties shall document and include in
its records:

185
 A. reason for terminating the agreement or, in the alternative, for renewing its term;
and
B. in case of renewal, any changes made to the terms and conditions of the agreement.

SECTION 15. Revisions and Amendments. Revisions or amendments to a data sharing

agreement while it is still in effect shall follow the same procedure observed in the creation of
a new agreement.

SECTION 16. Termination. A data sharing agreement may be terminated:

A. upon the expiration of its term, or any valid extension thereof;

B. upon the agreement by all parties;
C. upon a breach of its provisions by any of the parties; or
D. where there is disagreement, upon a finding by the Commission that its continued
operation is no longer necessary, or is contrary to public interest or public policy.

Nothing in this Section shall prevent the Commission from ordering motu proprio the
termination of any data sharing agreement when a party is determined to have breached any
of its provisions, or when the agreement is in violation of the Act, its IRR, or any applicable
issuance by the Commission.

SECTION 17. Return, Destruction, or Disposal of Transferred Personal Data. Unless

otherwise provided by the data sharing agreement, all personal data transferred to other
parties by virtue of such agreement shall be returned, destroyed, or disposed of, upon the
termination of the agreement.

SECTION 18. Penalties. Violations of these Rules shall, upon notice and hearing, be subject
to compliance and enforcement orders, cease and desist orders, temporary or permanent ban
on the processing of personal data, or payment of fines in accordance with the schedule to be
published by the Commission.

Failure to comply with the provisions of this Circular may be a ground for administrative and
disciplinary sanctions against any erring public officer or employee in accordance with
existing laws or regulations.

The commencement of any action under this Circular is independent and without prejudice
to the filing of any action with the regular courts or other quasi-judicial bodies.

SECTION 19. Transitory Period. Upon the effectivity of this Circular, all existing data sharing
arrangements shall be reviewed by the concerned parties to determine compliance with its
provisions.

Where an existing data sharing arrangement is not covered by any written contract, joint
issuance, or any similar document, the parties thereto shall execute or enter into the
appropriate agreement pursuant to the provisions of this Circular.

186
Where an existing data sharing agreement is evidenced by a contract, joint issuance, or any
similar document, but fails to comply with the provisions of this Circular, the parties thereto
shall make the necessary revisions or amendments.

An existing data sharing agreement found to be compliant with this Circular, except for the
requirements set out in Section 4 (Consent) hereof, shall be allowed to continue until the
expiration of such agreement or within two (2) years from the effectivity of this Circular,
whichever is earlier, subject to the immediately succeeding paragraph: Provided, that any
renewal or extension of such agreement shall comply with all the provisions of this Circular.

In all cases, the personal information controller that collected the personal data directly from
the data subjects shall, at the soonest practicable time, notify and provide the data subjects
whose personal data were shared or transferred without their consent with all the information
set out in Section 4 (Consent) of this Circular: Provided, that where individual notification is
not possible or would require a disproportionate effort, the personal information controller
may seek the approval of the Commission to use alternative means of notification: Provided,
further, that the personal information controller shall establish means through which the data
subjects can exercise their rights and obtain more detailed information relating to the data
sharing agreement.

If an existing data sharing arrangement is not for the purpose of performing a public function
or providing a public service, the parties thereto shall immediately terminate the sharing or
transfer of personal data. Any or all related contracts predicated on the existence of such
arrangement shall likewise be terminated for being contrary to law.

SECTION 20. Repealing Clause. All other issuances contrary to or inconsistent with the
provisions of this Circular are deemed repealed or modified accordingly.

SECTION 21. Separability Clause. If any portion or provision of this Circular is declared null
and void or unconstitutional, the other provisions not affected thereby shall continue to be in
force and effect.

SECTION 22. Effectivity. This Circular shall take effect fifteen (15) days after its publication
in the Official Gazette.

187
Approved:

(Sgd.) RAYMUND E. LIBORO

Privacy Commissioner

(Sgd.) IVY D. PATDU (Sgd.) DAMIAN DOMINGO O. MAPA

Deputy Privacy Commissioner Deputy Privacy Commissioner

188
NPC Circular 16-03

DATE : 15 December 2016

SUBJECT : PERSONAL DATA BREACH MANAGEMENT

WHEREAS, the Philippine Constitution guarantees respect for the right to privacy,
including information privacy, accorded recognition as inherent in the freedoms enjoyed by
every Filipino, and at the same time, Article II, Section 11 of the Constitution emphasizes that
the State values the dignity of every human person and guarantees full respect for human
rights;

WHEREAS, Article II, Section 24, of the Constitution provides that the State recognizes
the vital role of communication and information in nation-building, and Section 2 of Republic
Act No. 10173, also known as the Data Privacy Act of 2012, provides that it is the policy of the
State to protect the fundamental human right of privacy of communication while ensuring
free flow of information to promote innovation and growth;

WHEREAS, there are increasing incidents of personal data breaches that impact both
public and private entities, entailing significant economic and legal costs for those involved
in processing of personal data and putting at risk data subjects for identity theft, crimes and
other harm, and that in order to afford protection of personal data, reasonable and appropriate
organizational, physical and technical measures should be implemented;

WHEREAS, Section 20(f) of the Act requires prompt notification of the National
Privacy Commission and affected data subjects when sensitive personal information or other
information that may, under the circumstances, be used to enable identity fraud are
reasonably believed to have been acquired by an unauthorized person, which may likely give
rise to a real risk of serious harm to any affected data subject;

WHEREAS, in order to ensure compliance of the country and all personal information
controllers and personal information processors with the law and international standards set
for data protections, and to safeguard against accidental or unlawful destruction, alteration
and disclosure, as well as against any other unlawful processing, the management of personal
data breach should include prevention, incident response, mitigation and compliance with
notification requirements;

WHEREFORE, in consideration of these premises, the National Privacy Commission

hereby issues this Circular governing personal data breach management.

189
 RULE I.
GENERAL PROVISIONS

SECTION 1. Scope. These Rules apply to any natural and juridical person in the government
or private sector processing personal data in or outside of the Philippines, subject to the
relevant provisions of the Act and its Implementing Rules and Regulations.

SECTION 2. Purpose. These Rules provide the framework for personal data breach
management and the procedure for personal data breach notification and other requirements.

SECTION 3. Definition of Terms. For the purpose of this Circular, the following terms are
defined, as follows:

A. Act refers to Republic Act No. 10173, otherwise known as the Data Privacy Act of
2012;

B. Commission refers to the National Privacy Commission;

C. Data Protection Officer refers to an individual designated by the head of agency

to be accountable for the agencys compliance with the Act: Provided, that the
individual must be an organic employee of the government agency: Provided further,
that a government agency may have more than one data protection officer;

D. IRR refers to the Implementing Rules and Regulations of Republic Act No. 10173,
otherwise known as the Data Privacy Act of 2012;

E. Personal data refers to all types of personal information;

F. Personal data breach refers to a breach of security leading to the accidental or

unlawful destruction, loss, alteration, unauthorized disclosure of, or access to,
personal data transmitted, stored, or otherwise processed. A personal data breach
may be in the nature of:

1. An availability breach resulting from loss, accidental or unlawful destruction

of personal data;
2. Integrity breach resulting from alteration of personal data; and/or
3. A confidentiality breach resulting from the unauthorized disclosure of or
access to personal data.

G. Personal information controller refers to a natural or juridical person, or any other

body that controls the processing of personal data, or instructs another to process
personal data on its behalf. The term excludes:

190
 1. A natural or juridical person, or any other body that performs such functions
as instructed by another person or organization; or
2. A natural person who processes personal data in connection with his or her
personal, family, or household affairs;

There is control if the natural or juridical person, or any other body, decides on what
information is collected, or the purpose or extent of its processing;

H. Personal information processor refers to any natural or juridical person or any

other body to whom a personal information controller may outsource or instruct the
processing of personal data pertaining to a data subject;

I. Privacy Impact Assessment is a process undertaken and used by a government

agency to evaluate and manage privacy impacts.

J. Security incident is an event or occurrence that affects or tends to affect data

protection, or may compromise the availability, integrity, and confidentiality of
personal data. It shall include incidents that would result to a personal data breach,
if not for safeguards that have been put in place;

K. Security Incident Management Policy refer to policies and procedures

implemented by a personal information controller or personal information processor
to govern the actions to be taken in case of a security incident or personal data
breach;

L. Sensitive personal information refers to personal information:

1. About an individuals race, ethnic origin, marital status, age, color, and
religious, philosophical or political affiliations;
2. About an individuals health, education, genetic or sexual life of a person, or
to any proceeding for any offense committed or alleged to have been
committed by such person, the disposal of such proceedings, or the sentence
of any court in such proceedings;
3. Issued by government agencies peculiar to an individual which includes, but
not limited to, social security numbers, previous or current health records,
licenses or its denials, suspension or revocation, and tax returns, and
4. Specifically established by an executive order or an act of Congress to be kept
classified.

191
 RULE II.
GUIDELINES FOR PERSONAL DATA
BREACH MANAGEMENT

SECTION 4. Security Incident Management Policy. A personal information controller or

personal information processor shall implement policies and procedures for the purpose of
managing security incidents, including personal data breach. These policies and procedures
must ensure:

A. Creation of a data breach response team, with members that have clearly defined
responsibilities, to ensure timely action in the event of a security incident or personal
data breach;

B. Implementation of organizational, physical and technical security measures and

personal data privacy policies intended to prevent or minimize the occurrence of a
personal data breach and assure the timely discovery of a security incident;

C. Implementation of an incident response procedure intended to contain a security

incident or personal data breach and restore integrity to the information and
communications system;

D. Mitigation of possible harm and negative consequences to a data subject in the event
of a personal data breach; and

E. Compliance with the Act, its IRR, and all related issuances by the Commission
pertaining to personal data breach notification.

SECTION 5. Data Breach Response Team. A personal information controller or personal

information processor shall constitute a data breach response team, which shall have at least
one (1) member with the authority to make immediate decisions regarding critical action, if
necessary. The team may include the Data Protection Officer.

The team shall be responsible for the following:

A. Implementation of the security incident management policy of the personal

information controller or personal information processor;

B. Management of security incidents and personal data breaches; and

C. Compliance by the personal information controller or personal information

processor with the relevant provisions of the Act, its IRR, and all related issuances
by the Commission on personal data breach management.

192
The team must be ready to assess and evaluate a security incident, restore integrity to the
information and communications system, mitigate and remedy any resulting damage, and
comply with reporting requirements.

The functions of the Data Breach Response Team may be outsourced. Such outsourcing shall
not reduce the requirements found in the Act, the IRR or related issuance. The Data Protection
Officer shall remain accountable for compliance with applicable laws and regulations.

In cases where the Data Protection Officer is not part of the Data Breach Response Team, the
Data Breach Response Team shall submit a written report addressed to the Data Protection
Officer detailing the actions taken in compliance with these Rules.

RULE III.
GUIDELINES FOR THE PREVENTION
OF PERSONAL DATA BREACH

SECTION 6. Preventive or Minimization Measures. A security incident management policy

shall include measures intended to prevent or minimize the occurrence of a personal data
breach. Such safeguards may include:

A. Conduct of a privacy impact assessment to identify attendant risks in the processing

of personal data. It shall take into account the size and sensitivity of the personal
data being processed, and impact and likely harm of a personal data breach;

B. Data governance policy that ensures adherence to the principles of transparency,

legitimate purpose, and proportionality;

C. Implementation of appropriate security measures that protect the availability,

integrity and confidentiality of personal data being processed;

D. Regular monitoring for security breaches and vulnerability scanning of computer

networks;

E. Capacity building of personnel to ensure knowledge of data breach management

principles, and internal procedures for responding to security incidents;

F. Procedure for the regular review of policies and procedures, including the testing,
assessment, and evaluation of the effectiveness of the security measures.

SECTION 7. Availability, Integrity and Confidentiality of Personal Data. The

implementation of security measures shall be in accordance with the Act, its IRR, and other

193
issuances of the Commission. The security measures should be directed to ensuring the
availability, integrity, and confidentiality of the personal data being processed, and may
include:

A. Implementation of back-up solutions;

B. Access control and secure log files;

C. Encryption;

D. Data disposal and return of assets policy.

RULE IV.
GUIDELINES FOR INCIDENT RESPONSE
POLICY AND PROCEDURE

SECTION 8. Policies and Procedures. The personal information controller or personal

information processor shall implement policies and procedures for guidance of its data breach
response team and other personnel in the event of a security incident. These may include:

A. A procedure for the timely discovery of security incidents, including the

identification of person or persons responsible for regular monitoring and
evaluation of security incidents;

B. Clear reporting lines in the event of a possible personal data breach, including the
identification of a person responsible for setting in motion the incident response
procedure, and who shall be immediately contacted in the event of a possible or
confirmed personal data breach;

C. Conduct of a preliminary assessment for purpose of:

1. Assessing, as far as practicable, the nature and scope of the personal data
breach and the immediate damage
2. Determining the need for notification of law enforcement or external expertise;
and
3. Implementing immediate measures necessary to secure any evidence, contain
the security incident and restore integrity to the information and
communications system;

D. Evaluation of the security incident or personal data breach as to its nature, extent and
cause, the adequacy of safeguards in place, immediate and long-term damage,
impact of the breach, and its potential harm and negative consequences to affected
data subjects;

E. Procedures for contacting law enforcement in case the security incident or personal
data breach involves possible commission of criminal acts;

194
 F. Conduct of investigations that will evaluate fully the security incident or personal
data breach;

G. Procedures for notifying the Commission and data subjects when the breach is
subject to notification requirements, in the case of personal information controllers,
and procedures for notifying personal information controllers in accordance with a
contract or agreement, in the case of personal information processors; and

H. Policies and procedures for mitigating the possible harm and negative consequences
to a data subject in the event of a personal data breach. The personal information
controller must be ready to provide assistance to data subjects whose personal data
may have been compromised.
I.
SECTION 9. Documentation. All actions taken by a personal information controller or
personal information processor shall be properly documented. Reports should include:

A. Description of the personal data breach, its root cause and circumstances regarding its
discovery;

B. Actions and decisions of the incident response team;

C. Outcome of the breach management, and difficulties encountered; and

D. Compliance with notification requirements and assistance provided to affected data

subjects.

A procedure for post-breach review must be established for the purpose of improving the
personal data breach management policies and procedures of the personal information
controller or personal information processor.

SECTION 10. Regular Review. The incident response policy and procedure shall be subject
to regular revision and review, at least annually, by the Data Protection Officer, or any other
person designated by the Chief Executive Officer or the Head of Agency, as the case may be.
The date of the last review and the schedule for the next succeeding review must always be
indicated in the documentation of the incident response policy and procedure.

RULE V.
PROCEDURE FOR PERSONAL DATA BREACH
NOTIFICATION AND OTHER REQUIREMENTS

SECTION 11. When notification is required. Notification shall be required upon knowledge
of or when there is reasonable belief by the personal information controller or personal

195
information processor that a personal data breach requiring notification has occurred, under
the following conditions:

A. The personal data involves sensitive personal information or any other information
that may be used to enable identity fraud.

For this purpose, other information shall include, but not be limited to: data about
the financial or economic situation of the data subject; usernames, passwords and
other login data; biometric data; copies of identification documents, licenses or
unique identifiers like Philhealth, SSS, GSIS, TIN number; or other similar
information, which may be made the basis of decisions concerning the data subject,
including the grant of rights or benefits.

B. There is reason to believe that the information may have been acquired by an
unauthorized person; and

C. The personal information controller or the Commission believes that the

unauthorized acquisition is likely to give rise to a real risk of serious harm to any
affected data subject.

SECTION 12. Public Information. A claim that the data involved in a breach is public
information will not automatically exempt a personal information controller from the
notification requirements provided herein. When the level of availability or publicity of the
personal data is altered by a personal data breach, it shall be considered as a personal data
breach requiring notification, subject to the preceding paragraphs.

SECTION 13. Determination of the Need to Notify. Where there is uncertainty as to the need
for notification, the personal information controller shall take into account, as a primary
consideration, the likelihood of harm or negative consequences on the affected data subjects,
and how notification, particularly of the data subjects, could reduce the risks arising from the
personal data breach reasonably believed to have occurred.
The personal information controller shall also consider if the personal data reasonably
believed to have been compromised involves:

A. Information that would likely affect national security, public safety, public order, or
public health;

B. At least one hundred (100) individuals;

C. Information required by applicable laws or rules to be confidential; or

D. Personal data of vulnerable groups.

SECTION 14. Discovery of Vulnerability. A discovery of a vulnerability in the data

processing system that would allow access to personal data shall prompt the personal

196
information controller or the personal information processor, as the case may be, to conduct
an assessment and determine if a personal data breach has occurred.

SECTION 15. Who should Notify. The personal information controller shall notify the
Commission and the affected data subjects upon knowledge of, or when there is reasonable
belief that a personal data breach has occurred. The obligation to notify remains with the
personal information controller even if the processing of information is outsourced or
subcontracted to a personal information processor.
The personal information controller shall identify the designated data protection officer or
other individual responsible for ensuring its compliance with the notification requirements
provided in this Circular.

SECTION 16. Reporting by Personal Information Processors. To facilitate the timely

reporting of a personal data breach, the personal information controller shall use contractual
or other reasonable means to ensure that it is provided a report by the personal information
processor upon the knowledge of, or reasonable belief that a personal data breach has
occurred.

SECTION 17. Notification of the Commission. The personal information controller shall
notify the Commission of a personal data breach subject to the following procedures:

A. When Notification Should be Done. The Commission shall be notified within seventy-
two (72) hours upon knowledge of or the reasonable belief by the personal
information controller or personal information processor that a personal data breach
has occurred.

B. Delay in Notification. Notification may only be delayed to the extent necessary to

determine the scope of the breach, to prevent further disclosures, or to restore
reasonable integrity to the information and communications system.

The personal information controller need not be absolutely certain of the scope of
the breach prior to notification. Its inability to immediately secure or restore integrity
to the information and communications system shall not be a ground for any delay
in notification, if such delay would be prejudicial to the rights of the data subjects.

Delay in notification shall not be excused if it is used to perpetuate fraud or to conceal

the personal data breach.

C. When delay is prohibited. There shall be no delay in the notification if the breach
involves at least one hundred (100) data subjects, or the disclosure of sensitive
personal information will harm or adversely affect the data subject. In both instances,
the Commission shall be notified within the 72-hour period based on available
information. The full report of the personal data breach must be submitted within
five (5) days, unless the personal information controller is granted additional time
by the Commission to comply.

197
D. Content of Notification. The notification shall include, but not be limited to:

1. Nature of the Breach

a. description of how the breach occurred and the vulnerability of the data
processing system that allowed the breach;
b. a chronology of the events leading up to the loss of control over the
personal data;
c. approximate number of data subjects or records involved;
d. description or nature of the personal data breach;
e. description of the likely consequences of the personal data breach; and
f. name and contact details of the data protection officer or any other
accountable persons.

2. Personal Data Possibly Involved

a. description of sensitive personal information involved; and
b. description of other information involved that may be used to enable
identity fraud.

3. Measures Taken to Address the Breach

a. description of the measures taken or proposed to be taken to address the
breach;
b. actions being taken to secure or recover the personal data that were
compromised;
c. actions performed or proposed to mitigate possible harm or negative
consequences, and limit the damage or distress to those affected by the
incident;
d. action being taken to inform the data subjects affected by the incident, or
reasons for any delay in the notification;
e. the measures being taken to prevent a recurrence of the incident.

The Commission reserves the right to require additional information, if

necessary.

E. Form. Notification shall be in the form of a report, whether written or electronic,

containing the required contents of notification: Provided, that the report shall also
include the name and contact details of the data protection officer and a designated
representative of the personal information controller: Provided further, that, where
applicable, the manner of notification of the data subjects shall also be included in
the report.

Where notification is transmitted by electronic mail, the personal information

controller shall ensure the secure transmission thereof.

Upon receipt of the notification, the Commission shall send a confirmation to the
personal information controller. A report is not deemed filed without such
confirmation. Where the notification is through a written report, the received copy

198
 retained by the personal information controller shall constitute proof of such
confirmation.

SECTION 18. Notification of Data Subjects. The personal information controller shall notify
the data subjects affected by a personal data breach, subject to the following procedures:

A. When should notification be done. The data subjects shall be notified within seventy-
two (72) hours upon knowledge of or reasonable belief by the personal information
controller or personal information processor that a personal data breach has
occurred.

The notification may be made on the basis of available information within the 72-
hour period if the personal data breach is likely to give rise to a real risk to the rights
and freedoms of data subjects. It shall be undertaken in a manner that would allow
data subjects to take the necessary precautions or other measures to protect
themselves against the possible effects of the breach. It may be supplemented with
additional information at a later stage on the basis of further investigation.

B. Exemption or Postponement of Notification. If it is not reasonably possible to notify the

data subjects within the prescribed period, the personal information controller shall
request the Commission for an exemption from the notification requirement, or the
postponement of the notification.

A personal information controller may be exempted from the notification

requirement where the Commission determines that such notification would not be
in the public interest or in the interest of the affected data subjects.

The Commission may authorize the postponement of notification where it may

hinder the progress of a criminal investigation related to a serious breach, taking into
account circumstances provided in Section 13 of this Circular, and other risks posed
by the personal data breach.

C. Content of Notification. The notification shall include, but not be limited to:

1. nature of the breach;

2. personal data possibly involved;
3. measures taken to address the breach;
4. measures taken to reduce the harm or negative consequences of the breach;
5. representative of the personal information controller, including his or her
contact details, from whom the data subject can obtain additional information
regarding the breach; and
6. any assistance to be provided to the affected data subjects.

Where it is not possible to provide the foregoing information all at the same time,
they may be provided in phases without undue delay.

199
 D. Form. Notification of affected data subjects shall be done individually, using secure
means of communication, whether written or electronic. The personal information
controller shall take the necessary steps to ensure the proper identity of the data
subject being notified, and to safeguard against further unnecessary disclosure of
personal data.

The personal information controller shall establish all reasonable mechanisms to

ensure that all affected data subjects are made aware of the breach: Provided, that
where individual notification is not possible or would require a disproportionate
effort, the personal information controller may seek the approval of the Commission
to use alternative means of notification, such as through public communication or
any similar measure through which the data subjects are informed in an equally
effective manner: Provided further, that the personal information controller shall
establish means through which the data subjects can exercise their rights and obtain
more detailed information relating to the breach.

SECTION 19. Exemption from Notification Requirements. The following additional factors
shall be considered in determining whether the Commission may exempt a personal
information controller from notification:

A. Security measures that have been implemented and applied to the personal data at
the time the personal data breach was reasonably believed to have occurred,
including measures that would prevent use of the personal data by any person not
authorized to access it;

B. Subsequent measures that have been taken by the personal information controller or
personal information processor to ensure that the risk of harm or negative
consequence to the data subjects will not materialize;

C. Age or legal capacity of affected data subjects: Provided, that in the case of minors or
other individuals without legal capacity, notification may be done through their
legal representatives.

In evaluating if notification is unwarranted, the Commission may take into account the
compliance by the personal information controller with the law and existence of good faith in
the acquisition of personal data.

SECTION 20. Failure to Notify. In case the personal information controller fails to notify the
Commission or data subjects, or there is unreasonable delay to the notification, the
Commission shall determine if such failure or delay is justified. Failure to notify shall be
presumed if the Commission does not receive notification from the personal information
controller within five (5) days from knowledge of or upon a reasonable belief that a personal
data breach occurred.

200
SECTION 21. Investigation of a Breach or a Security Incident. Depending on the nature of
the incident, or if there is failure or delay in the notification, the Commission may investigate
the circumstances surrounding a personal data breach. Investigations may include on-site
examination of systems and procedures.

If necessary, the Commission shall require the cooperation of concerned parties, or compel
appropriate action therefrom to protect the interests of data subjects.

The investigation under this Section shall be governed by the Rules of Procedure of the
Commission.

Section 22. Reportorial requirements. All security incidents and personal data breaches shall
be documented through written reports, including those not covered by the notification
requirements. In the event of a personal data breach, a report shall include the facts
surrounding the incident, the effects of such incident, and the remedial action taken by the
personal information controller. For other security incidents not involving personal data, a
report containing aggregated data shall constitute sufficient documentation.
Any or all reports shall be made available when requested by the Commission: Provided, that
a summary of all reports shall be submitted to the Commission annually, comprised of general
information including the number of incidents and breach encountered, classified according
to their impact on the availability, integrity, or confidentiality of personal data.

Section 23. Notification and Reporting to the National Privacy Commission. The
requirements pertaining to notification and the submission of reports shall be complied with
through the appropriate submissions to the office of the National Privacy Commission or by
electronic mail ( [email protected] ). The foregoing details may be amended,
subject to a public announcement made through the Commissions website or other
comparable means.

SECTION 24. Separability Clause. If any portion or provision of this Circular is declared null
and void or unconstitutional, the other provisions not affected thereby shall continue to be in
force and effect.

SECTION 25. Effectivity. This Order shall take effect fifteen (15) days after publication in the
Official Gazette or two newspapers of general circulation.

201
Approved:

(Sgd.) RAYMUND E. LIBORO

Privacy Commissioner

(Sgd.) IVY D. PATDU (Sgd.) DAMIAN DOMINGO O. MAPA

Deputy Privacy Commissioner Deputy Privacy Commissioner

Date: December 15, 2016

202
 Summary

What is subject to the A security breach that:

notification requirements. 1. Involves sensitive personal information, or
information that may be used to enable identity
fraud
2. There is reason to believe that information have
been acquired by an unauthorized person
3. The unauthorized acquisition is likely to give rise to
a real risk of serious harm

Who should notify. The personal information controller, which controls the
processing of information, even if processing is outsourced
or subcontracted to a third party.

When should notification of Within 72 hours from knowledge of the personal data
Commission be done. breach, based on available information.

Follow up report should be submitted within five (5) days

from knowledge of the breach, unless allowed a longer
period by the Commission.

When should data subjects Within seventy-two (72) hours from knowledge of the
or individuals be notified. breach, unless there is a reason to postpone or omit
notification, subject to approval of the Commission.

What are the contents of In general-

notification to Commission 1. nature of the breach
2. sensitive personal information possibly involved
3. measures taken by the entity to address the breach
4. details of contact person for more information

What are the contents of In general, same contents as notification of Commission but
notification to data subject must include instructions on how data subject will get
further information and recommendations to minimize
risks resulting from breach.

How will notification be Commission may be notified by written or electronic means

done? but the personal information controller must have
confirmation that the notification has been received.

Data subjects or affected individuals shall be notified

individually, by written or electronic means, unless allowed
by the Commission to use alternative means.

Other requirements Cooperate with the Commission where there is an

investigation related to the breach.

Documentation of all security incidents and the submission

of an annual report to the Commission.

203
NPC Circular 16-04

DATE : 15 December 2016

SUBJECT : RULES OF PROCEDURE OF THE NATIONAL PRIVACY COMMISSION

Pursuant to the authority vested in the National Privacy Commission through Section 7 of Republic
Act No. 10173, otherwise known as The Data Privacy Act of 2012, the following Rules of Procedure
of the National Privacy Commission are hereby prescribed and promulgated:

RULE I.
PRELIMINARY PROVISIONS

SECTION 1. General Principles. The National Privacy Commission is an independent body

mandated to administer and implement provisions of the Data Privacy Act, and to monitor
and ensure compliance of the country with international standards set for data protection. The
Commission shall uphold the right to information privacy while supporting free flow of
information.

In the exercise of its quasi-judicial function, the Commission is authorized to receive

complaints and institute investigations. In order to fulfill its mandate, it may compel any
entity, government agency or instrumentality to abide by its orders or take action on a matter
affecting data privacy, and impose sanctions as may be appropriate.

SECTION 2. Scope and Coverage. These rules shall apply to all complaints filed before the
National Privacy Commission or such other grievances, requests for assistance or advisory
opinions, and other matters cognizable by the National Privacy Commission.

RULE II.
COMPLAINTS FOR VIOLATIONS OF THE
DATA PRIVACY ACT

SECTION 3. Who may file complaints. The National Privacy Commission, sua sponte, or
persons who are the subject of a privacy violation or personal data breach, or who are
otherwise personally affected by a violation of the Data Privacy Act, may file complaints for
violations of the Act.

The person who is the subject of the privacy violation or personal data breach, or his or her
duly authorized representative may file the complaint, Provided, that the circumstances of the
authority must be established.

204
Any person who is not personally affected by the privacy violation or personal data breach
may: (a) request for an advisory opinion on matters affecting protection of personal data; or
(b) inform the National Privacy Commission of the data protection concern, which may in its
discretion, conduct monitoring activities on the organization or take such further action as
may be necessary.

SECTION 4. Exhaustion of remedies. No complaint shall be entertained unless:

a. the complainant has informed, in writing, the personal information controller or

concerned entity of the privacy violation or personal data breach to allow for
appropriate action on the same;
b. the personal information controller or concerned entity did not take timely or
appropriate action on the claimed privacy violation or personal data breach, or there
is no response from the personal information controller within fifteen (15) days from
receipt of information from the complaint ; and
c. the complaint is filed within six (6) months from the occurrence of the claimed privacy
violation or personal data breach, or thirty (30) days from the last communiqu with
the personal information controller or concerned entity, whichever is earlier.

The failure to comply with the requirements of this Section shall cause the matter to be
evaluated as a request to the National Privacy Commission for an advisory opinion, and for
the National Privacy Commission to take such further action, as necessary.

The National Privacy Commission may waive any or all of the requirements of this Section,
at its discretion, upon good cause shown, or if the complaint involves a serious violation or
breach of the Data Privacy Act, taking into account the risk of harm to the affected data subject.

SECTION 5. Filing Fees. No complaint or request for advisory opinion shall be entertained
unless the appropriate filing fees have been shown to have been paid, unless: (a) the
complainant is the government, or any agency or instrumentality thereof, including
government-owned and controlled corporations organized and existing under their own
charter, and excluding government-owned and controlled corporations organized and
incorporated under the Corporation Code; (b) the complainant qualifies as an indigent or
pauper litigant as defined under the Rules of Court; or (c) the National Privacy Commission,
in its proper discretion and for good cause shown, waives this requirement.

SECTION 6. Printed Copies. - The complaint, together with the documentary evidence and
affidavits of witnesses, if any, shall be filed in such number as there are respondents, plus two
(2) copies for the file.

SECTION 7. Where to file. A complaint may be filed at any office of the Commission.

205
SECTION 8. Electronic filing. The complaint and its supporting evidence, as well as any
subsequent filings may be filed as electronic documents, pursuant to the provisions of
Republic Act No. 8792, and subject to the right of the Commission to request for hard copies,
or charge fees for the printing thereof, either by e-mail or by submitting the same contained
in a portable electronic data storage device at any office of the Commission.

Whenever practicable, electronic submissions shall be made and digitally signed in .PDF
format, on page sizes compliant with the Efficient Use of Paper Rule.

When submissions are made through portable electronic data storage devices, the provisions
of Section 6 of these Rules shall apply, with one portable data storage device equivalent to one
printed copy, provided, that documents made on such portable data storage devices, if either
the device or any file found therein is detected to be infected with any form of malware, all
the electronic documents on that portable electronic data storage device shall not be
considered as having been filed.

When submissions are made through e-mail, all electronic documents must be submitted to
[email protected], copy furnished any and all other parties to the complaint.

SECTION 9. Parties to the Complaint. The Complaint must specify the identity of the
individual claiming to be subject of a privacy violation or the person so damaged or injured
by a data breach, who shall be referred to as the complainant.

The complainant shall include in his complaint his contact information, and where the
complainant or duly authorized representative may be served with orders, issuances or
communications, including a secure electronic mail address when available.

The complaint must identify the person or organization complained against, who shall be
referred to as the respondent; the mere provision of the means to trace the identity of the party
complained against shall be considered as insufficient identification. The complainant shall
also provide in the complaint: (a) the respondents contact information, where practicable;
and (b) where the respondent may be served with orders, issuances or communications from
the National Privacy Commission.

SECTION 10. Form and Contents of the Complaint. The complaint shall comply with the
requirements of the Efficient Use of Paper Rule (A.M. No. 11-9-4-SC) and other such rules of
formatting as may be provided for by the Supreme Court for use in quasi-judicial agencies.

The form of the complaint must be in writing, verified and under oath, or contained in a sworn
affidavit. A complaint that does not comply with this requirement shall be acted upon only,
at the discretion of the National Privacy Commission, if it merits appropriate consideration

206
on its face, or is of such notoriety that it necessarily contains sufficient leads or particulars to
enable the taking of further action.

The complaint shall include a brief narration of the material facts and supporting
documentary and testimonial evidence, all of which show: (a) the violation of the Data Privacy
Act or related issuances; or (b) the acts or omissions allegedly committed by the respondent
amounting to a privacy violation or personal data breach. The complaint must include any
and all reliefs sought by the complainant.

The supporting documents shall consist of original or certified true copies of any documentary
evidence, and the affidavits of witnesses, if any, including those affidavits necessary to
identify the documents and to substantiate the complaint.

The complainant shall attach any and all correspondence with the respondent on the matter
complained, and include a statement of the action taken by the respondent to address the
complaint, if any.

The failure to comply with the requirements of this Section shall cause the matter to be
evaluated as a request to the National Privacy Commission for an advisory opinion, and for
the National Privacy Commission to take such further action, as necessary.
RULE III.
PROCEDURE IN COMPLAINTS

SECTION 11. Evaluation. Upon receipt of the complaint, the National Privacy Commission
shall assign an investigating officer who shall conduct the proceedings.

The investigating officer shall evaluate the complaint to determine whether its allegations
involve a violation of the Data Privacy Act or related issuances and if based on its allegations,
there is reason to believe that there is a privacy violation or personal data breach.

The investigating officer shall then recommend to the Commission whether the complaint
shall be:

a. dismissed outright for want of palpable merit;

b. referred to the respondent for comment;
c. subject to further monitoring or investigation;
d. treated as a request for an advisory opinion; or
e. indorsed to the proper government agency with jurisdiction over the complaint.

207
SECTION 12. Outright Dismissal. The Commission may dismiss outright any complaint on
the following grounds:

a. The complainant did not give the respondent an opportunity to address the
complaint, unless failure to do so is justified;
b. The complaint is not a violation of the Data Privacy Act or does not involve a
privacy violation or personal data breach;
c. The complaint is filed beyond the period for filing; or
d. There is insufficient information to substantiate the allegations in the complaint or
the parties cannot be identified or traced.

SECTION 13. Order to Confer for Discovery. If, on the face of the complaint, the allegations
are deemed to be sufficient in form and substance, the investigating officer shall issue an
Order for all parties to confer, not later than ten (10) days from receipt of the said Order,
whether discovery of information and of electronically stored information is reasonably likely
to be sought in the proceeding.

A copy of the complaint, together with its supporting evidence, shall be included with the
Order to Confer for Discovery. If discovery of electronically stored information is reasonably
likely to be sought, the parties shall discuss:
a. any issues relating to the preservation of the information;
b. the form in which each type of the information will be produced;
c. the period within which the information will be produced;
d. the method for asserting or preserving claims of privilege or of protection of the
information;
e. the method for asserting or preserving confidentiality and proprietary status of
information relating to a party or person not a party to the proceeding;
f. whether allocation among the parties of the expense of production is appropriate; and
g. any other issue relating thereto.

The agreement will be reduced into a Discovery Conference Report to be signed and
submitted by all parties to the Commission within five (5) days of the conclusion of the
conference.

SECTION 14. Discovery.

a. The National Privacy Commission may issue an Order governing the discovery of
electronically stored information pursuant to:

1. a motion by a party seeking discovery of the information or from which discovery

of the information is sought; or

208
 2. a stipulation of the parties and of any person not a party from which discovery of
the information is sought.

The Order governing the discovery will cover the same matter a discovery conference
report is to address. Absent exceptional circumstances, the National Privacy
Commission may not impose sanctions on a party for failure to provide electronically
stored information lost as a result of the routine, good-faith operation of an electronic
information system.

b. A party may serve on any other party a request for production of electronically stored
information and for permission to inspect, copy, test, or sample the information, copy
furnished the National Privacy Commission. The party on which the said request is
served must serve a response within three (3) working days, or in such timely manner
as to preserve the integrity of the electronically stored information. The response must
state, with respect to every item or category in the request that inspection, copying,
testing, or sampling of the information will be permitted as requested; or any objection
to the request and the reasons for the objection.

The party requesting the production may specify the form in which the electronically
stored information is to be produced. The responding party must state in its response
that form in which it intends to produce each type of the information.

Unless the parties otherwise agree or the investigating officer otherwise orders: (1) If
a request for production does not specify a form for producing a type of electronically
stored information, the responding party shall produce the information in a form in
which it is ordinarily maintained or in a form that is reasonably usable; and (2) a party
need not produce the same electronically stored information in more than one form.

c. A party may object to discovery of electronically stored information from sources that
the party identifies as not reasonably accessible because of undue burden or expense.
In its objection, the party shall identify the reason for the undue burden or expense.

On motion to compel discovery or for a protective order relating to the discovery of

electronically stored information, a party objecting to discovery under the next
preceding paragraph bears the burden of showing that the information is from a
source that is not reasonably accessible because of undue burden or expense.

d. The National Privacy Commission may order discovery of electronically stored

information that is from a source that is not reasonably accessible because of undue
burden or expense if the party requesting discovery shows that the likely benefit of the
proposed discovery outweighs the likely burden or expense, taking into account the
amount in controversy, the resources of the parties, the importance of the issues, and
the importance of the requested discovery in resolving the issues.

If the National Privacy Commission orders discovery of electronically stored

information under the next preceding paragraph, it may set conditions for discovery
of the information, including allocation of the expense of discovery.

209
 e. The National Privacy Commission shall limit the frequency or extent of discovery of
electronically stored information, even from a source that is reasonably accessible, if
the Commission determines that:

1. It is possible to obtain the information from some other source that is more
convenient, less burdensome, or less expensive;
2. The discovery sought is unreasonably cumulative or duplicative;
3. The party seeking discovery has had ample opportunity by discovery in the
proceeding to obtain the information sought; or
4. The likely burden or expense of the proposed discovery outweighs the likely
benefit, taking into account the amount in controversy, the resources of the
parties, the importance of the issues, and the importance of the requested
discovery in resolving the issues.

SECTION 15. Order to Submit Comment. Following the receipt of the Discovery Conference
Report, the investigating officer shall issue an Order directing the respondent or respondents,
as the case may be, to submit within ten (10) days from receipt thereof, a responsive Comment
to the Complaint, together with any supporting documents the respondent or respondents
may have, including the affidavits of any of the respondents witnesses, if any. The
investigating officer, upon his or her discretion, may require the complainant to file a Reply
within ten (10) days after receipt of the Order requiring the filing of a Reply. Such an Order
may also require the respondent to file a Rejoinder within ten (10) days after receipt of the
Reply.

SECTION 16. Investigation; Examination of Systems and Procedures. The investigating

officer shall investigate the circumstances surrounding the privacy violation or personal data
breach. Investigations may include on-site examination of systems and procedures. In the
course of the investigation, the complainant and/or respondent may be required to furnish
additional information, document or evidence, or to produce additional witnesses. The
parties shall have the right to examine the evidence submitted, which he or she may not have
been furnished, and to copy them at his expense.

SECTION 17. Failure to Submit Comment. If the respondent does not file a Comment, the
investigating officer may consider the complaint as submitted for resolution. The respondent
shall, in any event, have access to the evidence on record.

SECTION 18. Recommendation of the Investigating Officer. Upon the termination of the
investigation, the investigating officer shall produce a fact-finding report, which shall include
the results of the investigation, the evidence gathered, and any recommendations. The report
shall be submitted to the Office of the Commissioner.

SECTION 19. Temporary Ban on Processing Personal Data At the commencement of the
complaint or at any time before the decision of the National Privacy Commission becomes
final, a complainant or any proper party may have the National Privacy Commission, acting
through the investigating officer, impose a temporary ban on the processing of personal data,

210
if on the basis of the evidence on record, such a ban is necessary in order to preserve the rights
of the complainant or to protect national security or public interest.

a. A temporary ban on processing personal data may be granted only when: (1) the
application in the complaint is verified and shows facts entitling the complainant to
the relief demanded, or the respondent or respondents fail to appear or submit a
responsive pleading within the time specified for within these Rules; and (2) unless
exempted from the payment of filing fees as provided for in these Rules, the
complainant files with the National Privacy Commission a bond executed to the party
or person so banned from processing personal data in an amount to be fixed by the
investigating officer. Upon approval of the requisite bond, the temporary ban on
processing personal data shall be issued.

b. When an application for a temporary ban on processing personal data is included in a

complaint, the investigating officer shall issue a Notice of Hearing, together with a
copy of the complainants affidavit, the annexes thereto, and receipt of the bond, when
applicable.

When an application for a temporary ban on processing personal data is made by

motion, the investigating officer shall issue a Notice of Hearing, together with a copy
of the receipt of the bond, when applicable.

The Notice of Hearing shall indicate the scheduled date and venue for the hearing, and
that the respondent or respondents, as the case may be, may appoint a representative
to appear at the hearing in order to protect their interests.

The complainant shall shoulder the cost to ensure that this Notice of Hearing is
delivered to the respondent or respondents, as the case may be, within the next
business day, by personal or substituted service, and if personal or substituted service
is impossible, by private courier. Upon service, the complainant shall file an affidavit
of service attesting that service was properly made upon the respondent or
respondents, as the case may be.

c. The temporary ban on processing personal data shall be acted upon only after all the
parties are heard in a summary hearing.

If all the parties can be found in the Philippines, or if service upon a non-resident is
made by substituted service, the summary hearing shall be conducted within the next
business day following the actual receipt of the Notice, as indicated in the affidavit of
service.

If the respondent is a non-resident of the Philippines and only direct service or service
by courier is possible, then the hearing shall be conducted one (1) week after actual
receipt of the Notice.

211
 d. If so issued, the temporary ban on processing personal data shall remain in effect until
the final resolution of the case or upon orders of the Commission or lawful authority.

SECTION 20. Permanent Ban on Processing Personal Data. If after the termination of the
proceedings it appears that the complainant is entitled to have a permanent ban on processing
personal data, the investigating officer shall recommend that the Commission issue an Order
granting a permanent ban on processing personal data.

SECTION 21. Action on the Recommendations of the Investigating Officer. The

Commission shall review the evidence presented, including the fact-finding report and
supporting documents. On the basis of the said review, the National Privacy Commission
may: (1) promulgate a Decision; or (2) order the conduct of a clarificatory hearing, if in its
discretion, additional information is needed to make a Decision. No motion for clarificatory
hearing shall be entertained. In case the Commission finds that a clarificatory hearing is
necessary, the following shall be observed:

a. The parties shall be notified of the schedule for clarificatory hearing at least five (5)
days from schedule;
b. The Commission may require additional information and/or compel attendance of
any person involved in the complaint;
c. The parties shall not directly question the individuals called to testify but may submit
their questions to the Commission for their consideration;
d. The parties may be required to submit their respective memoranda containing their
arguments on the facts and issues for resolution.

SECTION 22. Rendition of decision. The Decision of the Commission shall adjudicate the
issues raised in the complaint on the basis of all the evidence presented and its own
consideration of the law. The decision may include enforcement orders, including: (a) an
award of indemnity on matters affecting personal data protection, or rights of the data subject,
where the indemnity amount to be awarded shall be determined based on the provisions of
the Civil Code; (b) cease and desist orders; (c) the imposition of a temporary or permanent
ban on the processing of personal data, as provided for in these Rules; (d) a recommendation
to the Department of Justice (DOJ) the prosecution and imposition of penalties specified in
the Act; (e) those to compel or petition any entity, government agency or instrumentality to
abide by its orders or take action on a matter affecting data privacy; (f) those to impose fines
for violations of the Act or issuances of the Commission; or (g) any other order to enforce
compliance with the Data Privacy Act.

A copy of the decision shall be served upon the parties, for information and compliance with
any directive contained therein.

212
 RULE IV.
COMPLAINTS OF THE NATIONAL PRIVACY COMMISSION

SECTION 23. Own initiative. Depending on the nature of the incident, in cases of a possible
serious privacy violation or personal data breach, taking into account the risks of harm to a
data subject, the Commission may investigate on its own initiative the circumstances
surrounding the possible violation. Investigations may include on-site examination of systems
and procedures. If necessary, the Commission may use its enforcement powers to order
cooperation of the personal information controller or other persons, with the investigation or
to compel appropriate action to protect the interests of data subjects.

SECTION 24. Uniform procedure. The investigation shall be in accordance with Rule III of
these Rules, provided that the respondent shall be provided a copy of the fact-finding report
and given an opportunity to submit an answer. In cases where the respondent or respondents
fail without justification to submit an answer or appear before the National Privacy
Commission when so ordered, the Commission shall render its decision on the basis of
available information.

RULE V.
ALTERNATIVE MODES OF DISPUTE RESOLUTION

SECTION 25. Alternative modes of dispute resolution. The Commission shall facilitate or
enable settlement through the use of alternative dispute resolution processes, provided that if
the allegations are of a serious nature, taking into account the risks of harm to a data subject,
the Commission may immediately conduct an investigation on its own initiative.

SECTION 26. Mediation officer. The Commission shall assign a mediation officer to assist
the complainant and respondent to reach a settlement agreement provided that no settlement
is allowed for criminal acts. The mediation officer shall identify the issues for resolution and
mediate in order for the parties to reach an amicable settlement. In case the parties reach an
amicable settlement, the mediation officer shall issue a resolution on the agreement between
parties.

SECTION 27. Failure to reach settlement. In case the parties are unable to reach an amicable
settlement, the procedure for the resolution of complaints shall be followed.

RULE VI.
REQUESTS FOR ADVISORY OPINIONS

SECTION 28. Advisory Opinions. An advisory opinion may be issued by the Commission
on matters relating to data privacy or personal data protection, at the instance of any party,
or on any complaint filed, which failed to comply with the requirements of Rule II herein.

213
No request for an advisory opinion shall be entertained unless:

a. the request provides sufficient facts to allow for evaluation of the matter relating to
data privacy or personal data protection;
b. the request relates to novel issues or legitimate concerns that merit further evaluation;
c. the request is not related to any pending case before the National Privacy Commission,
or on any matter that is subject of an ongoing investigation; and
d. the request is not on a matter that has previously been subject of an advisory opinion.

An advisory opinion shall be limited to discussion of the issues and applicable law or
jurisprudence but shall not impose any sanctions or award damages.

SECTION 29. Uniform procedure. Requests for the issuance of an advisory opinion must be
in writing and addressed to the National Privacy Commission. Whenever applicable, the
procedure for the filing of the advisory opinion shall be in accordance with Rule II of these
Rules, provided that the Commission may request for additional information as may be
necessary to evaluate the personal data protection concern.

The requesting party must provide contact details, including a valid electronic mail address,
where the Commission may send its orders or opinions. Advisory opinions issued by the
Commission may be made available to the public.

RULE VII.
APPEALS

SECTION 30. Appeal. The decision of the National Privacy Commission shall become final
and executory fifteen (15) days after the receipt of a copy thereof by the party adversely
affected. One motion for reconsideration may be filed, which shall suspend the running of
the said period. Any appeal from the Decision shall be to the proper courts, in accordance
with law and rules.

RULE VIII.
GENERAL PROVISIONS

SECTION 31. Confidentiality. The Commission may ask for access to personal data that is
subject of any complaint and to collect the information necessary to perform its functions. The
Commission shall ensure confidentiality of any personal data that comes to its knowledge and
possession, provided that any personal data submitted may be transferred to parties who will
be contacted during the handling of the case and may be disclosed to agencies who are

214
authorized to receive information relating to law enforcement, prosecution or review of the
Commission's decisions, subject to the Act and related issuances. Information about the case
may also be used for policy development, public education, case reports and publications.

SECTION 32. Application of Rules of Court. The Rules of Court shall apply in a suppletory
character, and whenever practicable and convenient.

SECTION 33. Interpretation. These rules shall be liberally interpreted in a manner mindful
of the rights and interests of the person about whom personal data is processed.

SECTION 34. Separability Clause. In the event that any provision or part of this Order is
declared unauthorized or rendered invalid, those provisions not affected by such declaration
shall remain valid and in force.

SECTION 35. Effectivity. This Order shall take effect fifteen (15) days after publication in
the Official Gazette or two newspapers of general circulation. They shall govern all cases
brought after they take effect and to further proceedings in cases then pending, except to the
extent that their application would not be feasible or cause injustice to any party.

Approved:

(Sgd.) RAYMUND E. LIBORO

Privacy Commissioner

(Sgd.) IVY D. PATDU (Sgd.) DAMIAN DOMINGO O. MAPA

Deputy Privacy Commissioner Deputy Privacy Commissioner

Date: December 15, 2016

215
A Guide for the Data Subject

1. Do you have a concern about a privacy violation, personal data breach or matters related to
personal data protection, or any other violation the Data Privacy Act and other issuances of the
National Privacy Commission?

a. Yes. Proceed to the next section (No.2).

b. No. The National Privacy Commission may have no power to act on your complaint. The
Commission can only act on matters that relate to the Data Privacy Act.
c. I am not sure. Request for an Advisory Opinion or request for information (No.5).

2. Does your concern affect you personally or involve your personal data?
a. Yes. If it is a matter affecting your own personal data, you may file a Complaint with the
National Privacy Commission.
b. No. If it is about another person, or is a matter of general concern, request instead for an
Advisory Opinion.

3. How do you file a complaint?

a. First, give an opportunity to the individual or company to address your concerns. Send a
written letter to the individual or company you believe has committed a privacy violation
or personal data breach, and request the said company for appropriate action.
b. If the company does not act on your letter within 15 days, or has failed to take appropriate
action on your concern, you may file your complaint with the Commission. File the
complaint within 30 days from last communication. If you have an important reason why
you think it would be hard to write to the individual company, you may explain this to the
Commission.
c. The complaint should be in an affidavit form and should include:
1. all information relevant to your concern, including any other evidence or affidavits of
witnesses, if any;
2. your communications with the individual or company;
3. the relief you are demanding, whether you want specific action from the individual or
company, or whether you want to claim for damages; and
4. your contact details and contact details of the individual or company.
d. You may file it with the office of the National Privacy Commission, where you may be
asked to pay filing fees, depending on the relief you are asking. You may file it online
through e-mail at [email protected] . In case of electronic mail, wait for
instructions on how filing fees can be filed. If you qualify as an indigent, no filing fee is
necessary.
e. An investigating officer will evaluate your complaint and when sufficient in form and
substance, the Commission may call on you to confer with the respondent on matters like
discovery of evidence or schedules of the proceedings.
f. Upon completion of the investigation, the investigating officer shall refer the case to the
Office of the Commissioner for final decision.

4. How do you request for Advisory Opinion?

a. File your request for advisory opinion in the same manner as a complaint.
b. You request should include all facts necessary for the Commission to evaluate your concern
and render an opinion.
c. Provide the National Privacy Commission a way to contact you.
d. Remember that if your request is for an advisory opinion, the National Privacy
Commission will not award damages.

5. Can I get additional information on this circular? You may request for additional information
on the procedure through [email protected]

216