
PRIVACY MANAGEMENT PROGRAM

Mr. Jonathan Rudolph Y. Ragsag
Data Security and Technology Standards Division
National Privacy Commission
5 PILLARS OF COMPLIANCE

1. Commit to Comply: Appoint a Data Protection Officer
2. Know Your Risks: Conduct a Privacy Risk or Impact Assessment
3. Write Your Plan: Create a Privacy Management Program
4. Be Accountable: Implement your Privacy and Data Protection Measures
5. Be Prepared for Breach: Regularly exercise your Breach Reporting Procedure
With the passage of Republic Act (RA) No. 10173, otherwise known as the Data Privacy Act (DPA) of 2012, government and private organizations covered by the DPA, the Personal Information Controllers (PICs) and Personal Information Processors (PIPs), are asking how to start complying with the law. The simple answer is to have a PRIVACY MANAGEMENT PROGRAM (PMP) in place.

A PMP will lead organizations, both in the public and private sectors, toward a culture protective of the data privacy rights of individuals as part of their corporate governance responsibilities.
Privacy Management Program (PMP)

A PMP is a holistic approach to privacy and data protection, important for all agencies, companies or other organizations involved in the processing of personal data.

It minimizes the risks of privacy breaches, maximizes the ability to address underlying problems, and reduces the damage arising from breaches.

It demonstrates commitment to building trust with employees and clients through open and transparent information policies and practices.
Importance of a PMP

It puts everyone on the same page.
• A PMP provides an easier way to explain to management and staff:
  - why the organization is doing this;
  - what results are expected;
  - what the benefits of those results are; and
  - what the organization needs to do to get there.
• This ensures that everyone is on board.

Compliance with the Act becomes more manageable.
• A PMP reduces the likelihood that an organization will violate the law, its IRR, NPC Circulars and Advisories and all other Commission issuances, as it outlines the WHATs and HOWs of data privacy.
Importance of a PMP

It gives PICs and PIPs a competitive advantage.
• Implementing a PMP shows your organization's commitment to protecting the personal information of your customers and clientele. This, in turn, leads to increased trust and higher patronage.

It saves PICs and PIPs from avoidable expenses.
• A strong and robust PMP can prevent the "clean-up costs" brought about by personal data breaches. Further, it helps safeguard the reputation of organizations and individuals as well.
KEY COMPONENTS

• ORGANIZATIONAL COMMITMENT
• PROGRAM CONTROLS
• CONTINUING ASSESSMENT and REVISION
ORGANIZATIONAL COMMITMENT
Management Buy-In

• Top management support is a pivotal key to the successful writing of a PMP and essential for the emergence of a culture of privacy in the PIC or PIP.
• This means Management must:
  1. Designate a Data Protection Officer (DPO) or a Compliance Officer for Privacy (COP), as the case may be;
  2. Endorse a set of Program Controls; and
  3. Report to the Board, as appropriate, on the program.
Accountable and Responsible Persons

DPO
• The Data Protection Officer (DPO) is entrusted to manage the privacy management program.
• He or she is responsible for ensuring compliance with the law (RA 10173), its Implementing Rules and Regulations (IRR), Circulars and Advisories, and all other Commission issuances relating to data privacy and protection.
• The DPO must be independent and have a significant degree of autonomy in performing his or her duties.
• The DPO may perform other duties or assume other functions as long as this does not create a conflict of interest.

See: NPC Advisory 17-01 (Designation of Data Protection Officers)
Reporting Mechanisms

• Establish internal reporting mechanisms to ensure that the PMP is structured and to determine whether it is functioning as expected.

  TOP MANAGEMENT → BOARD OF DIRECTORS

• PICs and PIPs should establish an internal audit and assurance program to monitor compliance with personal data protection policies, which can take the form of customer/citizen and employee feedback (for small organizations) and third-party verifications (for large organizations).
Characteristics of an effective reporting program:

1. It clearly defines its reporting structure, in terms of reporting on its overall compliance activities, as well as employee reporting structures in case of complaints or a potential breach;
2. It tests and reports on the results of its internal reporting structures; and
3. It documents all its reporting structures.
PROGRAM CONTROLS
Records of Processing Activities

• PICs and PIPs should know:
  i. what kinds of data they hold;
  ii. how the personal data is being used; and
  iii. whether or not the PIC or PIP really needs that data.
• Knowing, understanding and documenting all these things is important as this will:
  - affect the type of CONSENT the PIC or PIP needs to obtain from its Data Subjects;
  - determine the manner in which the data is to be protected; and
  - make it easier to assist individuals in exercising their data access and correction rights.
[Figure: sample data inventory. Source: http://blog.thomasbrand.xyz/wp-content/uploads/2017/08/datainventory-744x519.png]
Risk Assessment

• Risk assessments should be conducted for all new projects involving personal data and on any new collection, use or disclosure of personal data.
• PICs and PIPs should develop a process for identifying and mitigating leakage and security risks, which could include the use of privacy impact assessments (PIAs).
Policies and Procedures

• PICs and PIPs should develop and document internal policies that address obligations under the law, which should be made available to all employees and periodically updated.
• PRIVACY MANUAL - PICs and PIPs should develop internal policies that give effect to the data protection principles in the law. The internal policies should be documented and should show how they connect to the legal requirements. These policies include the following:
  - COLLECTION of personal data, including the requirements for consent
  - ACCURACY and RETENTION of personal data
  - USE of personal data
  - SECURITY of personal data
  - TRANSPARENCY of their personal data policies and practices; and
  - ACCESS to and CORRECTION of personal data

[Figure: sample Privacy Manual. Source: ncmb.gov.ph]
Security Measures

• The PIC or PIP should have in place organizational, physical and technical security measures for the purpose of maintaining the confidentiality, integrity and availability of personal data. These measures should include:
  1. Safeguards to protect its computer network against accidental, unlawful or unauthorized usage or interference with or hindering of its functioning or availability;
  2. A security policy with respect to the processing of personal information;
  3. A process for identifying and assessing reasonably foreseeable vulnerabilities in its computer networks, and for taking preventive, corrective and mitigating action against security incidents that can lead to a security breach; and
  4. Regular monitoring for security breaches and a process for taking preventive, corrective and mitigating action against security incidents that can lead to a security breach.
Capacity Building

• Orientation or training programs regarding privacy or security policies should be provided to employees.
• Additional training specifically tailored to their roles should be given to those who handle personal data. The training and education should be current and relevant.
Registration and Notification Requirements

The PMP should ensure compliance with the notification and reporting requirements under the Data Privacy Act. These include:

a. Registration of personal data processing systems operating in the country when the PIC or PIP employs at least 250 employees, when processing involves sensitive personal information of at least one thousand (1,000) individuals, when processing is not occasional, or when processing poses a risk to the rights and freedoms of data subjects;
b. Notification of automated processing operations where the processing becomes the sole basis of making decisions that would significantly affect the data subject; and
c. Breach notification and annual report of the summary of documented security incidents and personal data breaches.
Breach Management

• PICs and PIPs should have a procedure in place and an officer or a designated team responsible for managing a personal data breach.
• Responsibilities for internal and external reporting of the breach should be clear.
• In handling a personal data breach, PICs and PIPs should consider the circumstances of the breach and decide whether any of the persons identified in NPC Circular No. 16-03 should be notified.
PIP Management

• The types of obligations to be imposed on a PIP should include the following:
  - SECURITY MEASURES to be taken
  - Timely RETURN, DESTRUCTION or DELETION of personal data no longer required
  - Prohibition against other USE and DISCLOSURE
  - Prohibition (absolute or qualified) against SUB-CONTRACTING to other service providers
  - REPORTING of irregularities
  - MEASURES to ensure contract staff's compliance with the agreed obligations
  - The PIC's right to AUDIT and INSPECT
  - CONSEQUENCES for violation of the contract

For additional guidelines you may refer to "Rule X. Outsourcing and Sub-contracting Agreements" of the Implementing Rules and Regulations (IRR).
Communication

• Communication should be clear and easily understandable and not simply a reiteration of the Data Privacy Act. In general it should:
  - Provide enough information so that the public knows the purpose of the collection, use and disclosure of personal data and how long it is retained;
  - Include information on who to contact with questions or concerns; and
  - Be made easily available to individuals.
CONTINUING ASSESSMENT and REVISION
OVERSIGHT and REVIEW PLAN

• Develop an Oversight and Review Plan
  - This will help PICs and PIPs keep the PMP on track and up-to-date.
  - The DPO should develop an Oversight and Review Plan on a periodic basis that sets out how and when the PMP's effectiveness will be monitored and assessed.
  - The oversight and review plan should establish performance measures and include a schedule of when the policies and other program controls will be reviewed.
ASSESS and REVISE PROGRAM CONTROLS

• Updates and Revision
  - The effectiveness of program controls should be monitored regularly, audited periodically and, where necessary, revised accordingly.
  - The monitoring should address the following questions:
    · What are the latest threats and risks?
    · Are the program controls addressing new threats and reflecting the latest complaint or audit findings?
    · Do new services being offered involve increased collection, use or disclosure of personal data?
    · Is training necessary? If yes, is it taking place? Is it effective? Are policies and procedures being followed? Is the training up-to-date?
ASSESS and REVISE PROGRAM CONTROLS

• Review and Monitoring
  - Schedule regular PIAs
  - Review Forms, Contracts, Policies and Procedures on a regular basis
  - Review, Validate and Revise the Privacy Manual
Data Privacy Accountability and Compliance Framework
THE DATA PRIVACY ACCOUNTABILITY AND COMPLIANCE FRAMEWORK

I. GOVERNANCE
  A. Choose a DPO

II. RISK ASSESSMENT
  B. Register
  C. Records of processing activities
  D. Conduct PIA

III. ORGANIZATION
  E. Privacy Management Program
  F. Privacy Manual

IV. DAY TO DAY
  G. Privacy Notice
  H-O. Data Subject Rights
  P. Data Life Cycle

V. DATA SECURITY
  Q. Organizational
  R. Physical
    - Data Center
  S. Technical
    - Encryption
    - Access Control Policy

VI. BREACHES
  T. Data Breach Management
    - Security Policy
    - Data Breach Response Team
    - Incident Response Procedure
    - Document
    - Breach Notification

VII. THIRD PARTIES
  U. Third Parties
    - Legal Basis for Disclosure
    - Data Sharing Agreements
    - Cross Border Transfer Agreement

VIII. MANAGE HR
  V. Trainings and Certifications
  W. Security Clearance

IX. CONTINUITY
  X. Continuing Assessment and Development
    - Regular PIA
    - Review Contracts
    - Internal Assessments
    - Review PMP
    - Accreditations

X. PRIVACY ECOSYSTEM
  Y. New technologies and standards
  Z. New legal requirements
PrivacyPH
privacy.gov.ph
www.privacy.gov.ph

09451534299 or 09399638715

Address:
5th Floor, Delegation Building, Philippine International Convention Center (PICC) Complex, Roxas Boulevard, Manila

Email us at
[email protected]
[email protected]
[email protected]