Pamantasan ng Lungsod ng Valenzuela

Tongco St. Maysan, Valenzuela City

College of Engineering and Information Technology

COMPANY / ORGANIZATION / BUSINESS NAME

SYSTEM / CAPSTONE TITLE

A Privacy Manual Proposal Presented to

The Faculty of Pamantansan ng Lungsod ng Valenzuela
Information Technology Department

In Partial Fulfillment
of the Requirements for the Course in
Information Assurance and Security

First Name Middle Initial Last Name

BSIT _____
March 2024
 Pamantasan ng Lungsod ng Valenzuela
Tongco St. Maysan, Valenzuela City
College of Engineering and Information Technology

Background

Republic Act No. 10173, also known as the Data Privacy Act of 2012 (DPA), aims to protect
personal data in information and communications systems both in the government and the
private sector.

It ensures that entities or organizations processing personal data establish policies, and
implement measures and procedures that guarantee the safety and security of personal data
under their control or custody, thereby upholding an individual’s data privacy rights. A
personal information controller or personal information processor is instructed to implement
reasonable and appropriate measures to protect personal data against natural dangers such as
accidental loss or destruction, and human dangers such as unlawful access, fraudulent misuse,
unlawful destruction, alteration and contamination.

To inform its personnel of such measures, each personal information controller or personal
information processor is expected to produce a Privacy Manual. The Manual serves as a
guide or handbook for ensuring the compliance of an organization or entity with the DPA, its
Implementing Rules and Regulations (IRR), and other relevant issuances of the National
Privacy Commission (NPC). It also encapsulates the privacy and data protection protocols
that need to be observed and carried out within the organization for specific circumstances
(e.g., from collection to destruction), directed toward the fulfillment and realization of the
rights of data subject.

Introduction

This section lays down the basis of the Manual. Hence, it should provide an overview of the
DPA, its IRR and other policies that relate to data protection and which are relevant issuances
to the industry or sector of the organization, as well as the transactions it regularly carries out.

In brief, it should discuss how the organization complies with the data privacy principles, and
upholds the rights of the data subjects, both of which are laid out in the DPA.

It is important that this portion impresses upon the user or reader why it is necessary for the
organization to have a Privacy Manual.

Example:

 This Privacy Manual is hereby adopted in compliance with Republic Act No. 10173
or the Data Privacy Act of 2012 (DPA), its Implementing Rules and Regulations, and
other relevant policies, including issuances of the National Privacy Commission. This
organization respects and values your data privacy rights, and makes sure that all
personal data collected from you, our clients and customers, are processed in
adherence to the general principles of transparency, legitimate purpose, and
proportionality.
 Pamantasan ng Lungsod ng Valenzuela
Tongco St. Maysan, Valenzuela City
College of Engineering and Information Technology

This Manual shall inform you of our data protection and security measures, and may
serve as your guide in exercising your rights under the DPA.

Definition of Terms

Terms used in the Manual must be defined for consistency and uniformity in usage. This
portion will make sure of that, and allow users of the Manual to understand the words,
statements, and concepts used in the document.

Examples:

 “Data Subject” – refers to an individual whose personal, sensitive personal or

privileged information is processed by the organization. It may refer to officers,
employees, consultants, and clients of this organization.
 “Personal Information” – refers to any information whether recorded in a material
form or not, from which the identity of an individual is apparent or can be reasonably
and directly ascertained by the entity holding the information, or when put together
with other information would directly and certainly identify an individual.
 “Processing” refers to any operation or any set of operations performed upon personal
information including, but not limited to, the collection, recording, organization,
storage, updating or modification, retrieval, consultation, use, consolidation, blocking,
erasure or destruction of data.

Scope and Limitations

This section defines the coverage of the Manual. Given that the document is essentially an
internal issuance and is meant for the use and application of the organization’s staff or
personnel, that fact should be emphasized here.

Note that it would be useful to develop a separate Privacy Manual meant for external use or
for persons who deal with the organization. Certain information may be omitted from that
version, particularly those that relate to internal policies or processes that are relevant only to
personnel of the organization.

Examples:

 All personnel of this organization, regardless of the type of employment or

contractual arrangement, must comply with the terms set out in this Privacy Manual.

Processing of Personal Data

 Pamantasan ng Lungsod ng Valenzuela
Tongco St. Maysan, Valenzuela City
College of Engineering and Information Technology

This section lays out the various data life cycles (or processing systems) in existence within
the organization—from the collection of personal data, to their actual use, storage or
retention, and destruction.

A. Collection (e.g. type of data collected, mode of collection, person collecting

information, etc.)

Example:

o This company collects the basic contact information of clients and customers,
including their full name, address, email address, contact number, together
with the products that they would like to purchase. The sales representative
attending to customers will collect such information through accomplished
order forms.
B. Use

Example:

o Personal data collected shall be used by the company for documentation

purposes, for warranty tracking vis-à-vis purchased items, and for the
inventory of products.
C. Storage, Retention and Destruction (e.g. means of storage, security measures, form of
information stored, retention period, disposal procedure, etc.)

Example:

o This company will ensure that personal data under its custody are protected
against any accidental or unlawful destruction, alteration and disclosure as
well as against any other unlawful processing. The company will implement
appropriate security measures in storing collected personal information,
depending on the nature of the information. All information gathered shall not
be retained for a period longer than one (1) year. After one (1) year, all hard
and soft copies of personal information shall be disposed and destroyed,
through secured means.

D. Access (e.g. personnel authorized to access personal data, purpose of access, mode of
access, request for amendment of personal data, etc.)

Example:

o Due to the sensitive and confidential nature of the personal data under the
custody of the company, only the client and the authorized representative of
the company shall be allowed to access such personal data, for any purpose,
except for those contrary to law, public policy, public order or morals.
 Pamantasan ng Lungsod ng Valenzuela
Tongco St. Maysan, Valenzuela City
College of Engineering and Information Technology

E. Disclosure and Sharing (e.g. individuals to whom personal data is shared, disclosure
of policy and processes, outsourcing and subcontracting, etc.)

Example:

o All employees and personnel of the company shall maintain the confidentiality
and secrecy of all personal data that come to their knowledge and possession,
even after resignation, termination of contract, or other contractual relations.
Personal data under the custody of the company shall be disclosed only
pursuant to a lawful purpose, and to authorized recipients of such data.

Security Measures

As a personal information controller or personal information processor, an organization must

implement reasonable and appropriate physical, technical and organizational measures for the
protection of personal data. Security measures aim to maintain the availability, integrity and
confidentiality of personal data and protect them against natural dangers such as accidental
loss or destruction, and human dangers such as unlawful access, fraudulent misuse, unlawful
destruction, alteration and contamination. In this section, you give a general description of
those measures.

A. Organization Security Measures

Every personal information controller and personal information processor must also
consider the human aspect of data protection. The provisions under this section shall
include the following:

1. Data Protection Officer (DPO), or Compliance Officer for Privacy (COP)

Example:

 The designated Data Protection Officer is Mr. Juan Dela Cruz, who is
concurrently serving as the Executive Director of the organization.

2. Functions of the DPO, COP and/or any other responsible personnel with
similar functions

Example:

 The Data Protection Officer shall oversee the compliance of the

organization with the DPA, its IRR, and other related policies,
including the conduct of a Privacy Impact Assessment, implementation
 Pamantasan ng Lungsod ng Valenzuela
Tongco St. Maysan, Valenzuela City
College of Engineering and Information Technology

of security measures, security incident and data breach protocol, and

the inquiry and complaints procedure.

3. Conduct of trainings or seminars to keep personnel, especially the Data

Protection Officer updated vis-à-vis developments in data privacy and security

Example:

 The organization shall sponsor a mandatory training on data privacy

and security at least once a year. For personnel directly involved in the
processing of personal data, management shall ensure their attendance
and participation in relevant trainings and orientations, as often as
necessary.

4. Conduct of Privacy Impact Assessment (PIA)

Example:

 The organization shall conduct a Privacy Impact Assessment (PIA)

relative to all activities, projects and systems involving the processing
of personal data. It may choose to outsource the conduct a PIA to a
third party.

5. Recording and documentation of activities carried out by the DPO, or the

organization itself, to ensure compliance with the DPA, its IRR and other
relevant policies.

Example:

 The organization shall sponsor a mandatory training on data privacy

and security at least once a year. For personnel directly involved in the
processing of personal data, management shall ensure their attendance
and participation in relevant trainings and orientations, as often as
necessary.

6. Duty of Confidentiality

Example:
 Pamantasan ng Lungsod ng Valenzuela
Tongco St. Maysan, Valenzuela City
College of Engineering and Information Technology

 All employees will be asked to sign a Non-Disclosure Agreement. All

employees with access to personal data shall operate and hold personal
data under strict confidentiality if the same is not intended for public
disclosure.

7. Review of Privacy Manual

Example:

 This Manual shall be reviewed and evaluated annually. Privacy and

security policies and practices within the organization shall be updated
to remain consistent with current data privacy best practices.

B. Physical Security Measures

This portion shall feature the procedures intended to monitor and limit access to the
facility containing the personal data, including the activities therein. It shall provide
for the actual design of the facility, the physical arrangement of equipment and
furniture, the permissible modes of transfer, and the schedule and means of retention
and disposal of data, among others. To ensure that mechanical destruction, tampering
and alteration of personal data under the custody of the organization are protected
from man-made disasters, power disturbances, external access, and other similar
threats, provisions like the following must be included in the Manual:

1. Format of data to be collected

Example:

 Personal data in the custody of the organization may be in

digital/electronic format and paper-based/physical format.

2. Storage type and location (e.g. filing cabinets, electronic storage system,
personal data room/separate room or part of an existing room)

Example:

 All personal data being processed by the organization shall be stored in

a data room, where paper-based documents are kept in locked filing
cabinets while the digital/electronic files are stored in computers
provided and installed by the company.
 Pamantasan ng Lungsod ng Valenzuela
Tongco St. Maysan, Valenzuela City
College of Engineering and Information Technology

3. Access procedure of agency personnel

Example:

 Only authorized personnel shall be allowed inside the data room. For
this purpose, they shall each be given a duplicate of the key to the
room. Other personnel may be granted access to the room upon filing
of an access request form with the Data Protection Officer and the
latter’s approval thereof.

4. Monitoring and limitation of access to room or facility

Example:

 All personnel authorized to enter and access the data room or facility
must fill out and register with the online registration platform of the
organization, and a logbook placed at the entrance of the room. They
shall indicate the date, time, duration and purpose of each access.

5. Design of office space/work station

Example:

 The computers are positioned with considerable spaces between them

to maintain privacy and protect the processing of personal data.

6. Persons involved in processing, and their duties and responsibilities

Example:

 Persons involved in processing shall always maintain confidentiality

and integrity of personal data. They are not allowed to bring their own
gadgets or storage device of any form when entering the data storage
room.

7. Modes of transfer of personal data within the organization, or to third parties

Example:
 Pamantasan ng Lungsod ng Valenzuela
Tongco St. Maysan, Valenzuela City
College of Engineering and Information Technology

 Transfers of personal data via electronic mail shall use a secure email
facility with encryption of the data, including any or all attachments.
Facsimile technology shall not be used for transmitting documents
containing personal data.

8. Retention and disposal procedure

Example:

 The organization shall retain the personal data of a client for one (1)
year from the data of purchase. Upon expiration of such period, all
physical and electronic copies of the personal data shall be destroyed
and disposed of using secure technology.

C. Technical Security Measures

Each personal information controller and personal information processor must

implement technical security measures to make sure that there are appropriate and
sufficient safeguards to secure the processing of personal data, particularly the
computer network in place, including encryption and authentication processes that
control and limit access. They include the following, among others:

1. Monitoring for security breaches

Example:

 The organization shall use an intrusion detection system to monitor

security breaches and alert the organization of any attempt to interrupt
or disturb the system.

2. Security features of the software/s and application/s used

Example:

 The organization shall first review and evaluate software applications

before the installation thereof in computers and devices of the
organization to ensure the compatibility of security features with
overall operations.
 Pamantasan ng Lungsod ng Valenzuela
Tongco St. Maysan, Valenzuela City
College of Engineering and Information Technology

3. Process for regularly testing, assessment and evaluation of effectiveness of

security measures

Example:

 The organization shall review security policies, conduct vulnerability

assessments and perform penetration testing within the company on
regular schedule to be prescribed by the appropriate department or
unit.

4. Encryption, authentication process, and other technical security measures that

control and limit access to personal data

Example:

 Each personnel with access to personal data shall verify his or her
identity using a secure encrypted link and multi-level authentication.

Breach and Security Incidents

Every personal information controller or personal information processor must develop and
implement policies and procedures for the management of a personal data breach, including
security incidents. This section must adequately describe or outline such policies and
procedures, including the following:

1. Creation of a Data Breach Response Team

Example:

o A Data Breach Response Team comprising of five (5) officers shall be

responsible for ensuring immediate action in the event of a security incident or
personal data breach. The team shall conduct an initial assessment of the
incident or breach in order to ascertain the nature and extent thereof. It shall
also execute measures to mitigate the adverse effects of the incident or breach.

2. Measures to prevent and minimize occurrence of breach and security incidents

Example:
 Pamantasan ng Lungsod ng Valenzuela
Tongco St. Maysan, Valenzuela City
College of Engineering and Information Technology

o The organization shall regularly conduct a Privacy Impact Assessment to

identify risks in the processing system and monitor for security breaches and
vulnerability scanning of computer networks. Personnel directly involved in
the processing of personal data must attend trainings and seminars for capacity
building. There must also be a periodic review of policies and procedures
being implemented in the organization.

3. Procedure for recovery and restoration of personal data

Example:

o The organization shall always maintain a backup file for all personal data
under its custody. In the event of a security incident or data breach, it shall
always compare the backup with the affected file to determine the presence of
any inconsistencies or alterations resulting from the incident or breach.

4. Notification protocol

Example:

o The Head of the Data Breach Response Team shall inform the management of
the need to notify the NPC and the data subjects affected by the incident or
breach within the period prescribed by law. Management may decide to
delegate the actual notification to the head of the Data Breach Response Team.

5. Documentation and reporting procedure of security incidents or a personal data

breach

Example:

o The Data Breach Response Team shall prepare a detailed documentation of

every incident or breach encountered, as well as an annual report, to be
submitted to management and the NPC, within the prescribed period.

Inquiries and Complaints

Every data subject has the right to reasonable access to his or her personal data being
processed by the personal information controller or personal information processor. Other
available rights include: (1) right to dispute the inaccuracy or error in the personal data; (2)
 Pamantasan ng Lungsod ng Valenzuela
Tongco St. Maysan, Valenzuela City
College of Engineering and Information Technology

right to request the suspension, withdrawal, blocking, removal or destruction of personal

data; and (3) right to complain and be indemnified for any damages sustained due to
inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of personal
data. Accordingly, there must be a procedure for inquiries and complaints that will specify
the means through which concerns, documents, or forms submitted to the organization shall
be received and acted upon. This section shall feature such procedure.

Example:

 Data subjects may inquire or request for information regarding any matter relating to
the processing of their personal data under the custody of the organization, including
the data privacy and security policies implemented to ensure the protection of their
personal data. They may write to the organization at [email protected] and
briefly discuss the inquiry, together with their contact details for reference.

Complaints shall be filed in three (3) printed copies, or sent

to [email protected]. The concerned department or unit shall confirm with
the complainant its receipt of the complaint.

Effectivity

This section indicates the period of effectivity of the Manual, as well as any other document
that the organization may issue, and which has the effect of amending the provisions of the
Manual.

Example:

 The provisions of this Manual are effective this __ day of _______, 2024, until
revoked or amended by this company, through a Board Resolution.

Annexes

This section indicates the period of effectivity of the Manual, as well as any other document
that the organization may issue, and which has the effect of amending the provisions of the
Manual.

Example:

1. Consent Form
2. Inquiry Summary Form
 Pamantasan ng Lungsod ng Valenzuela
Tongco St. Maysan, Valenzuela City
College of Engineering and Information Technology

3. Access Request Form

4. Privacy Notice
5. Request for Correction or Erasure