DATA PRIVACY MANUAL

I. Background

Republic Act No. 10173, otherwise known as the Data Privacy Act of 2012 (DPA) aims to
protect personal data in information and communications system both in the government and
the private sector

It ensures that entities or organizations processing personal data establish policies and
implement measures and procedures that guarantee the safety and security of personal data
under their control or custody, thereby upholding an individual’s data privacy rights. A personal
information controller or personal information processor is instructed to implement reasonable
and appropriate measures to protect personal data against natural dangers such as accidental
loss or destruction, and human dangers such as unlawful access, fraudulent misuse, unlawful
destruction, alteration, and contamination.

To inform its personnel of such measures, each personal information controller or personal
information processor is expected to produce a Privacy Manual. The manual serves as a guide
or handbook for ensuring the compliance of an organization or entity with the DPA, its
Implementing Rules and Regulations (IRR), and other relevant issuances of the National
Privacy Commission (NPC). It also encapsulates the privacy and data protection protocols that
need to be observed and carried out within the organization for specific circumstances (e.g.,
from collection to destruction), directed toward the fulfilment and realization of the rights of data
subjects.

II. Introduction

In 2022, the Community-Based Monitoring System (CBMS) was implemented in various Local
Government Units (LGUs), pursuant to RA 11315 or the CBMS Act. The CBMS refers to an
organized technology-based system of collecting, processing and validating necessary
disaggregated data that may be used for planning, program implementation, and impact
monitoring at the local level. The said implementation was spearheaded by the Philippine
Statistics Authority (PSA).

As the CBMS involves generation of data at the local level, the LGU shall ensure the integrity
and safety of the gathered information against unnecessary leakage and access by
unauthorized persons. Hence, the Privacy Manual Shall serve as a guide for proper protection
and security of the data collected and processed for the CBMS in the City of Digos.

This manual is adopted in compliance with the Data Privacy Act of 2012, its IRR, and other
relevant policies, including issuances of the NPC. The City of Digos respects and values the
data privacy rights, and makes sure that all personal data collected from its constituents are
processed in adherence to the general principles of transparency, legitimate purpose, and
proportionality.

This Manual shall provide the data protection and security measures and may serve as guide in
exercising data subjects’ rights under the DPA.
III. Definition of Terms

 Compliance officer for Privacy (COP)- refers to an individual or individuals who perform
some of the functions of a Data Protection Officer (DPA).
 Data Protection Officer (DPO)- refers to an individual designated by the head of agency
or organization to be accountable for its compliance with the Act, its IRR, and issuances
of the Commission: Provided, that, except were allowed otherwise by law or the
Commission, the individual must be an organic employee of the government agency or
private entity: Provide further, that a government agency or private entity may have more
than one DPO.
 Data subject- refers to an individual whose personal, sensitive personal or privileged
information is processed by the organization. It may refer to officers, employees,
consultants, and clients of this organization.
 Personal Data- refers to all types of personal information, including privileged
information.
 Personal Information- refers to any information whether recorded in a material form or
not, from which the identity of an individual is apparent or can be reasonably and directly
ascertained by the entity holding the information, or when put together with other
information would directly and certainly identify and individual.
 Processing- refers to any operation or any set of operations performed upon personal
information including, but not limited to, the collection, recording, organization, storage,
updating or modification, retrieval, consultation, use, consolidation, blocking, erasure, or
destruction of data.
 Personal Information Controller (PIC) - refers to a natural or juridical person, or any other
body who controls the processing of personal data, or instruct another to process
personal data on its behalf.

There is control if the natural or juridical person or any other body decides on what
information is collected, or the purpose or extent of its processing.

For purpose of this Manual, the Head of the Agency or the Local Chief Executive (LCE)
shall be automatically designated as the PIC.

 Personal Information Processor (PIP)- refers to any natural or juridical person or any
other body to whom a PIC may outsource or instruct the processing of personal data
pertaining to a data subject.
 Privacy Impact Assessment (PIA)- is a process undertaken and used to evaluate and
manage impacts on privacy of a particular program, project, process, measure, system
or technology product of a PIC or PIP program, project, process, measure, system or
technology product of a PIC or PIP. It takes into account the nature of the personal data
to be protected, the personal data flow, the risks to privacy and security posed by the
processing, current data privacy best practices, the cost of security implementation, and,
 where applicable, the size of the organization, its resources, and the complexity of its
operations;
 Sensitive personal information- refers to personal information defined in Section 3 (I) of
the Data Privacy Act of 2012.

IV. Scope and Limitations

All personnel of the City of Digos, regardless of the type and/or status of employment or
contractual arrangement, must comply with the terms set out in this Privacy Manual.

V. Processing of Personal Data

A. Collection
The City of Digos collects and processes personal information and sensitive personal
information of the data subject including the name, address, contact details, household
information on education, economic characteristics, community engagement, health,
food security, financial inclusion, etc. through a Computer-Assisted Personal Interview
(CAPI) for the implementation of the CBMS.

B. Use
All data shall solely be used for documentation, analysis, processing, and guide in policy
direction for effective delivery of basic services.

C. Storage, Retention, and Destruction

The City of Digos shall ensure that personal data under its custody are protected against
any accidental or unlawful destruction alteration, and disclosure as well as against any
other unlawful processing. Appropriate security measures in storing collected personal
information, depending on the nature of the information shall be implemented. The
storage, retention, and destruction of data shall be complied with the standard protocols
of the CBMS.

The City of Digos shall store the CBMS data in a secured location taking into
consideration the provisions of RA 11315 and other related laws. Data may be disposed
in accordance with the provisions of the RA 11315 and other relevant issuances related
thereto.

D. Access
Due to the sensitive and confidential nature of the personal data under the custody of
the City of Digos, only its authorized personnel shall be allowed to access such personal
data, for any purpose, expect for investigations in relation to any criminal, administrative
or tax liabilities of a data subject, and those contrary to law, public policy, public order, or
morals.

E. Disclosure and Sharing

 All employees and personnel of the City of Digos shall maintain the confidentiality,
integrity, and availability of all personal data that come to their knowledge and
possession, even after resignation, termination of service or contract, or other
contractual relations. Personal data under the custody of the city shall be disclosed only
pursuant to a lawful purpose, and to authorized recipients of such data.

VI. Security measures

Security measures aim to maintain the availability, integrity, and confidentiality of personal data
and protect them against natural dangers such as accidental loss or destruction, and human
dangers such as unlawful access, fraudulent use, unlawful destruction, alteration, and
contamination.

A. Organization security measures

1. Conduct of privacy impact assessment (PIA)

The City of Digos shall conduct a privacy impact assessment (PIA) relative to ll activities,
projects, and systems involving the processing of personal data. The city may choose to
outsource the conduct of a PIA to a third party.

A PIA should be conducted for both new and existing systems, programs, projects,
procedures, measures, or technology products that involve or impact processing
personal data. For new processing systems, it should be undertaken prior to their
adoption, use, or implementation.

2. Designation of the Data Protection officer (DPO), and Compliance Officer for Privacy
(COP)

Pursuant to national privacy commission advisory No. 2022-04, each LGU shall
designate a DPO. However, a component city, municipality, or barangay is allowed to
designate a COP, provided that the latter shall be under the supervision of the DPO of
the corresponding province, city, or municipality that the component city, municipality, or
barangay forms part of.

3. Functions of the DPO, COP and/or any other responsible personnel with similar
functions

The DPO shall oversee the compliance of the city with the DPA, its IRR, and other
related policies, including the implementation of security measures, security incident and
data breach protocol, and the inquiry or complaints procedure.

The DPO shall also ensure the conduct of PIA relative to activities, measures projects,
programs, or system pursuant to the provisions of relevant NPC circular.

The compliance officer for privacy shall assist the DPO in the management and
protection of the data, and equipment.
4. Duty of confidentiality

All personnel who shall have access to the personal data shall be asked to execute an
oath of data privacy, as well as a non-disclosure agreement (NDA). The personnel shall
operate and hold personal data under strict confidentiality if the same is not intended for
public disclosure. The oath of data privacy and the NDA shall be kept by both parties.

All employees and personnel of the LGU, its agents or representative shall maintain the
confidentiality of all personal data that come to their knowledge and possession, even
after their resignation, termination of contract, or other contractual relations.

5. Attendance to trainings or seminars to be updated on the developments in data

privacy and security

The City of Digos is required to attend and participate in the training on data privacy and
security in relation to CBMS conducted by the PSA.

The City of Digos shall conduct training on data privacy and security at least once a
year. For personnel directly involved in the processing of personal data, the
city/municipality shall ensure their attendance and participation in relevant trainings and
orientations.

6. Review of privacy manual

This privacy manual shall be reviewed and evaluated annually. Privacy and security
policies and practices within the City of Digos shall be updated to remain consistent with
current data privacy best practices.

7. Recording and documentation of activities carried out by the DPO, or the City of
Digos, to ensure compliance with the DPA, its IRR and other relevant policies.

The DPO shall designated personnel who shall record and be in custody of all activities
to ensure compliance with the DPS, its IRR and other relevant policies.

B. Physical security measures

1. Format of data to be collected

Personal data in the custody of the City of Digos may be in digital/electronic format and
printed paper-based/physical format.

2. Storage type and location

Storage device/s shall be in the custody of the DPO. All data processed shall be stored
in a secured room, where paper-based documents are kept in locked filing cabinets.

Digital/electronics files shall be stored in a server or desktop computer (dedicated for

CBMS use only) for the CBMS database with anti-virus and security features.
3. Access procedure of authorized personnel

Only authorized personnel shall be allowed access to the data device/s and the allotted
data room.

Accountable assigned personnel for that purpose, shall be given a key to the security
storage cabinet. Other personnel may be granted access to the room upon the filing of
an access request form (refer to Annex C) subject to the approval of the DPO.

4. Monitoring and limitation of access to room or facility

All personnel requesting data from device/s or facilities must fill out a data request form
and register with an access request logbook. The data, time, duration, and purpose of
each access shall be indicated in the form.

The access to the room or facility shall be approved by the DPO.

5. Design of office space/workstation

The data computer/devices shall be positioned with considerable spaces between them
to maintain privacy and protect the processing of personal data.

6. Persons involved in processing, and their duties and responsibilities

Persons involved in processing shall always maintain confidentially and integrity of

personal data. Bringing of own gadgets or storage device of any form when entering the
data room and when using the server or computers allocated for the CBMS database
shall not be allowed.

7. Modes of transfer of personal data within the organization, or to third parties

To protect personal information, transfer of personal data via electronic mail shall use a
secure email facility with encryption of the data, including any or all attachments. Use of
facsimile technology for transmitting documents containing CBMS data shall not be
allowed.

Transferring of data using storage devices (e.g., USB, external drives, etc.) shall not be
allowed. All USB ports or data transfer ports found in the data storage
computers/devices shall not be deactivated for additional protection.

Transferring data using wireless data transfer (e.g., WIFI, Bluetooth, etc.) shall not be
allowed. The data storage computers/devices shall not be connected in any way to any
wireless networks.

Only a printed copy of the specific data requested via a request form shall be allowed.

8. Retention and disposal procedure

All information gathered by the City of Digos shall not be retained in perpetuity. The City
of Digos shall retain the personal data in its custody within the period prescribed by law.

It shall ensure that all personal data gathered shall be disposed of properly in a manner
that data should be unreadable or irretrievable to prevent further processing,
unauthorized access, or disclosure to any party or public, or prejudice the interests of the
data subjects.

C. Technical security measures

1. Monitoring for security breaches

The City of Digos shall use an intrusion detection system to monitor security breaches
and alert the City of Digos of any attempt to interrupt or disturb the system if available.

2. Security features of the software/s and application/s used

The City of Digos shall first review and evaluate software applications before the
installation thereof in the allocated server or computer/devices for the CBMS database to
ensure the compatibility of security features with overall operations.

3. Process for regularly testing, assessment, and evaluation of effectiveness of security

measures

The City of Digos shall review security policies, conduct vulnerability assessments, and
reform penetration testing within the city on a regular schedule to be prescribed by the
appropriate department or unit.

4. Encryption, authentication process, and other technical security measures that control
and limit access and limit access to personal data.

The DPO shall create a strong password for the Information and Communication
Technology (ICT) Equipment and shall be shared only to authorized personnel that
executed a NDA. Each personnel with access to CBMS data shall verify his or her
identity to authorized personnel (DPO and COP) through the request form in Annex C.

Computer /devices password shall be set by the DPO and shared only to the authorized
personnel that signed an NDA. Each personnel with access to the CBMS data shall
verify his or her identity to authorized personnel (DPO and COP) with a filled-up request.

VII. Breach and Security Incidents

1. Creation of a Data Breach Response Team

A Data Breach Response Team (DBRT) comprising of five (5) personnel (headed by a
representative from the (1) City Mayor’s Office, and composed of members from: (2)
Information Office, (3) Legal Office, (4) Planning and Development Office, and (5)
Information Technology Office) shall be constituted.
The DBRT shall be responsible in ensuring immediate action in the event of a security
incident or personal data breach.

The team shall conduct an initial assessment of the incident or breach in order to
ascertain the nature and extent thereof. It shall also implemented measures to mitigate
the adverse effects of the incident or breach.

2. Measures to prevent and minimize occurrence of breach and security incidents

The City of Digos shall regularly conduct a PIA to identify risks in the processing system
and monitor for security breaches and vulnerability scanning of computer networks.
Personnel directly involved in the processing of personal data must attend training and
seminars for capacity building. There must also be a periodic review of policies and
procedures being implemented in the organization.

3. Procedure for recovery and restoration of personal data

The City of Digos shall always maintain a backup file (server, desktop, or cloud drive
intended for CBMS use only) for all personal data under its custody. In the event of a
security incident or data breach, it shall always compare the backup with the affected file
to determine the presence of any inconsistencies or alterations resulting from the
incident or breach.

4. Notified protocol

The head of the DBRT shall inform its members of the need to notify the NPC, the PSA,
and the data subjects affected by the incident or breach within the period prescribed by
law. The head may also decide to delegate the actual notification to any of the members
of the DBRT.

5. Documentation and reporting procedure of security incidents or a personal data

breach.

The members of the DBRT shall prepare a detailed documentation of every incident or
breach encountered, as well as an annual report, to be submitted to the City Mayor,
PSA, and the NPC within the prescribed period.

VIII. Inquiries and Complaints

Data subjects may inquire or request for information regarding any matter relating to the
processing of their personal data under the custody of the city/municipality, including the
data privacy and security policies implemented to ensure the protection of their personal
data. They may write to the city through the email address [email protected]
and briefly discuss the inquiry, together with their contact details for reference.

Complaints shall be filed in three (3) printed copies, or sent to through the email address
[email protected]. The concerned department or unit shall confirm with the
complainant its receipt of the complaint.
IX. Effectively

The provisions of this Manual are effective this 16 th of December, 2022, until revoked or
amended by the city government.

X. Annexes (to be drafted by the LGU)

A. Consent Form
B. Inquiry Summary Form
C. Access Request Form
D. Privacy Notice
E. Request for Correction or Erasure