
Data Privacy Notes

The document discusses key concepts in data privacy including privacy versus confidentiality, the rights of data subjects, and the data privacy principles. It also outlines responsibilities like designating a data protection officer and the data lifecycle of acquisition, storage, use and destruction of personal data.

Uploaded by

Mica Capistrano
Copyright
© All Rights Reserved

DATA PRIVACY NOTES

The Concepts of Data Privacy (RA 10173)

PRIVACY VS CONFIDENTIALITY

Privacy – About people and our sense of being in control of others' access to ourselves or to information about ourselves.
Confidentiality – Treatment of identifiable private information that has been disclosed to others.

Privacy | Confidentiality
State of being away from public attention. | State where certain information is kept secret.
Is about individuals | Is about information
It is a personal choice | Professional obligation
Right | Agreement
Restricts the public from accessing personal data | Restricts unauthorized people from accessing confidential data.

The data protection principle states that personal data must be processed fairly and for limited purposes.

The Right of Privacy

• The Right to be left alone – the most comprehensive of rights, and the right most valued by a free people.
• The right of individuals to control the collection and use of information about themselves.

Legal Aspects of Right of Privacy

√ Protection from unreasonable intrusion upon one’s isolation
√ Protection from appropriation of one’s name or likeness
√ Protection from unreasonable publicity given to one’s private life
√ Protection from publicity that unreasonably places one in a false light before the public

What is the Data Privacy Act of 2012?

• SECTION 1. Short Title. – This Act shall be known as the “Data Privacy Act of
2012”.
• Republic Act 10173 - the Data Privacy Act of 2012 AN ACT PROTECTING
INDIVIDUAL PERSONAL INFORMATION IN INFORMATION AND
COMMUNICATIONS SYSTEMS IN THE GOVERNMENT AND THE PRIVATE
SECTOR, CREATING FOR THIS PURPOSE A NATIONAL PRIVACY
COMMISSION, AND FOR OTHER PURPOSES
• The National Privacy Commission (NPC) is a body that is mandated to
administer and implement this law. The functions of the NPC include:
– rule-making,
– advisory,
– public education,
– compliance and monitoring,
– investigations and complaints,
– and enforcement.
Main author of R.A 10173 and the NPC Commissioners
- Senator Angara
KEY ROLES IN THE DATA PRIVACY ACT

• Data Subjects
– Refers to an individual whose personal, sensitive personal, or privileged information is processed
• Personal Information Controller (PIC)
– Controls the processing of personal data, or instructs another to process
personal data on its behalf.
• Personal Information Processor (PIP)
– Organization or individual to whom a personal information controller may outsource or instruct the processing of personal data pertaining to a data subject
• Data Protection Officer (DPO)
– Responsible for the overall management of compliance with the DPA
• National Privacy Commission
– Independent body mandated to administer and implement the DPA of
2012, and to monitor and ensure compliance of the country with
international standards set for personal data protection

Examples of Breaches and Live Cases


1. COMELeak (1 and 2)
2. BPI – consent form
3. Hospital – unsecure storage records
4. Student transferred by her parent without her knowledge
5. Clinical record of a student to disclose with her parents
6. List of top students/passers
7. Known Fastfood delivery – disclosing personal info of clients
8. No Data sharing agreement (DSA) between and among Schools and Universities
9. Cedula in malls
10. Security issues in buildings – logbook
11. Profiling of customers from a mall
12. Unjustifiable collection of personal data of a school
13. No Privacy Notice
14. Use of USB
15. Privacy notice
16. Use of USB
17. Personal laptop stolen
18. Lost a CD in transit
19. An error in viewing of student records in the online system
20. Use of re-cycled papers
21. Raffle stubs
22. Universities and Colleges websites with weak authentication
23. Personal Records stolen from home of an employee
24. Photocopiers re-sold without wiping the hard drives
25. Release of CCTV Footage
26. Hard drives sold online
27. Password hacked/revealed
28. Unencrypted Data

Privacy Commissioner and Chairman RAYMUND E. LIBORO


RIGHTS OF THE DATA SUBJECT

Personal Information
- refers to any information whether recorded in a material form or not, from
which the identity of an individual is apparent or can be reasonably and
directly ascertained by the entity holding the information, or when put
together with other information would directly and certainly identify an
individual.

Sensitive personal information


- Refers to personal information about an individual’s:
  • race
  • ethnic origin
  • marital status
  • age
  • color
  • religious, philosophical or political affiliations
  • health
  • education
  • genetics
  • sexual life
  • any proceeding for any offense committed or alleged to have been committed
  • the disposal of such proceedings
  • the sentence of any court in such proceedings
- Also includes information issued by government agencies peculiar to an individual, which includes, but is not limited to:
  • social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns; and information specifically established by an executive order or an act of Congress to be kept classified.

PERSONAL DATA LIFECYCLE
Acquisition – storage – use – transfer – destruction

Retention/disposal should be based on:


1. law
2. industry best practice
3. business needs

Key considerations when listing your personal data:


- What personal data do you collect?
- In what form and through which channels?
- For what purpose do you collect personal data?
- How is it used?
- Who is this data shared with internally and externally?
- Who is authorized to access this data?
- Where do you keep your data?
- How long do you keep your data?
- How do you dispose of this data?

TRANSPARENCY – “The consent regime”
Principle of Transparency
A data subject must be aware of the nature, purpose, and extent of the
processing of his or her personal data, including the risks and safeguards involved, the
identity of personal information controller, his or her rights as a data subject, and how
these can be exercised. Any information and communication relating to the processing
of personal data should be easy to access and understand, using clear and plain
language.
- You are not hiding why you are collecting the data
- Example: when you are asked to fill out a form in school, or to answer a survey for research

Principle of Legitimate Purpose


The processing of information shall be compatible with a declared and specified purpose, which must not be contrary to law, morals, or public policy.
- The purpose for which your data will be used should have been declared and specified

Principle of Proportionality
The processing of information shall be adequate, relevant, suitable, necessary, and not
excessive in relation to a declared and specified purpose. Personal data shall be
processed only if the purpose of the processing could not reasonably be fulfilled by
other means.
Avoid this mentality:
- “just in case we need it”
- “this is what we always do”

THE FIVE PILLARS OF COMPLIANCE

• Commit to Comply: Appoint a Data Protection Officer (DPO)
• Know Your Risk: Conduct a Privacy Impact Assessment (PIA)
• Be Accountable: Create your Privacy Management Program and Privacy Manual (IRR WITHIN THE SCHOOL)
• Demonstrate your Compliance: Implement your privacy and data protection (PDP) measures
• Be Prepared for Breach: Regularly exercise your Breach Reporting Procedures (BRP)

The Data Privacy Principles
Personal data shall be:
1. Processed fairly and lawfully
2. Processed only for specified, lawful, and compatible purposes
3. Adequate, relevant and not excessive
4. Accurate and up to date
5. Kept for no longer than necessary
6. Processed in accordance with the rights of data subjects
7. Kept secure
8. Shared with other PICs only if there is a DSA

OTHER SECURITY MEASURES

• Shredding all confidential waste
• Using strong passwords
• Installing a firewall and virus checker on your computers
• Encrypting any personal information held electronically
• Disabling any ‘auto-complete’ settings
• Holding telephone calls in private areas
• Checking the security of storage systems
• Keeping devices under lock and key when not in use
• Not leaving papers and devices lying around

12 OFFLINE MEASURES TO KEEP YOUR PHYSICAL DATA SECURE

• Lock rooms containing confidential information when not in use
• Make sure employees don’t write their passwords down
• Use swipe cards or keypads to access the office
• Use CCTV cameras to monitor your office space
• Shield keyboards when inputting passwords
• Shred confidential waste
• Use forensic property marking equipment and spray systems to mark assets
• Use anti-climb paint on exterior walls and drains
• Install an alarm system
• Place bars on ground floor windows
• Hide valuable equipment from view when not in the office
• Assign a limited number of trustworthy employees as key safe holders

Designating a DPO is the first essential step. You cannot register with the NPC
unless you have a DPO.
“Compliance to Data Privacy Act is not a one-shot initiative. It is a discipline and
culture that must be embedded on a continuous basis within the organization.”
- CULTURE OF PRIVACY IN THE PHILIPPINES
