Function of Data Processing System Owner as Personal Information Controller (PIC)

Republic of the Philippines
NATIONAL POLICE COMMISSION
NATIONAL HEADQUARTERS, PHILIPPINE NATIONAL POLICE
DIRECTORATE FOR INFORMATION AND COMMUNICATIONS TECHNOLOGY MANAGEMENT
Camp BGen Rafael T. Crame, Quezon City
DICTM(D)-240717-0193
MEMORANDUM

FOR : See Distribution

FROM : TDICTM/Data Protection Officer

SUBJECT : Function of Data Processing System Owner as Personal Information Controller (PIC)

DATE : JUL 17

1. Reference: NPC Advisory No. 2017-01 dated March 14, 2017 entitled, “Designation of Data Protection Officers”

2. This pertains to NPC Circular No. 2017-01, which states that:

“Personal Information Controller or PIC refers to a person or organization who controls the collection, holding, processing or use of personal information, including a person or organization who instructs another person or organization to collect, hold, process, use, transfer or disclose personal information on his or her behalf. The term excludes:
a. a person or organization who performs such functions as instructed by another person or organization; or
b. an individual who collects, holds, processes or uses personal information in connection with the individual’s personal, family or household affairs.
There is control if the natural or juridical person or any other body decides on what information is collected, or the purpose or extent of its processing.”

3. Relative to this, the National Privacy Commission (NPC) Circular No. 2017-
01 clearly defines the roles and responsibilities of the Personal Information Controller
(PIC), aiding the organization to comply with regulations to properly manage the
personal information.

4. Thus, it is crucial for the owner of each Data Processing System (DPS)
within the PNP to assume the role of PIC for their respective system that controls and
manages the processing of Personal Identifiable Information (PII). Hence, it is
incumbent upon the Director/Chief of each PNP office/unit to fulfill the function of PIC.

5. Further, be reminded that data processing involves not only automated but also manual processes. Hence, the following memorandum circulars and Standard Operating Procedure (SOP) must be fully complied with:

a. Memorandum Circular 2021-179 “Privacy Management Program Guidelines and Procedures in Compliance with Data Privacy Act 2012”;
b. Memorandum Circular 2023-012 “Guidelines and Procedures in the Conduct of Privacy Impact Assessment”; and
c. Standard Operating Procedure (SOP) No. 2023-01 “Technical Security Measures in Safeguarding Data”.

“Sa Bagong Pilipinas, Ang Gusto ng Pulis, Ligtas Ka!”

6. Be reminded of the penalty provision under the Data Privacy Act 2012 (please see attached copy).

7. For information.

A BAZAR
Police Major General

Distribution:
IG, IAS
Cmdr, APCs
D-Staff
P-Staff
D, NSUs
RD, PROs

Copy furnished:
Command Group
SPA to SILG

Republic of the Philippines
NATIONAL POLICE COMMISSION
NATIONAL HEADQUARTERS, PHILIPPINE NATIONAL POLICE
DIRECTORATE FOR INFORMATION AND COMMUNICATIONS TECHNOLOGY MANAGEMENT
Camp BGen Rafael T. Crame, Quezon City
DICTM(D)-221121-01
MEMORANDUM

FOR : CPNP

FROM : TDICTM

SUBJECT : Memorandum Circular re Privacy Impact Assessment Guidelines and Procedures in Compliance with Data Privacy Act 2012

DATE : NOV 22 2022

1. References:
a. Republic Act 10173 “Data Privacy Act of 2012”;
b. National Privacy Commission (NPC) Advisory No. 2017-03 entitled “Guidelines on Privacy Impact Assessments”; and
c. NPC Privacy Toolkit - Privacy Impact Assessment Guide.

2. Relative to the above references, please be informed that this Directorate has consolidated all the comments and recommendations from the different Directorates for the crafting of the Memorandum Circular on Privacy Impact Assessment Guidelines and Procedures in Compliance with Data Privacy Act 2012.

3. In this regard, request approval and signature on the attached Memorandum Circular.

4. Further recommend approval of para 3.

VALERIANO DE LEON
Police Major General

“Life is Beautiful... Kaligtasan Nyo, Sagot Ko. Tulong-tulong Tayo.”

Republic of the Philippines
NATIONAL POLICE COMMISSION
NATIONAL HEADQUARTERS, PHILIPPINE NATIONAL POLICE
OFFICE OF THE CHIEF, PNP
Camp BGen Rafael T. Crame, Quezon City

FEB 22 2023
DICTM(D)-221121-01
MEMORANDUM CIRCULAR
NO.: 2023-012
GUIDELINES AND PROCEDURES IN THE CONDUCT OF PRIVACY IMPACT ASSESSMENT

1. REFERENCES:
a. 1987 Philippine Constitution;
b. Republic Act (RA) No. 10173 entitled, “An Act Protecting Individual Personal Information in Information Communications Systems in the Government and the Private Sector, creating for this Purpose a National Privacy Commission, and for other Purposes” also known as the “Data Privacy Act of 2012”;
c. Implementing Rules and Regulations (IRR) of the Data Privacy Act of 2012;
d. RA No. 10175 also known as “Cybercrime Prevention Act of 2012”;
e. Executive Order (EO) No. 2, s. 2016 entitled, “Operationalizing in the Executive Branch the People’s Constitutional Right to Information and the State Policies to Full Public Disclosure and Transparency in the Public Service and Providing Guidelines Therefor”;
f. National Privacy Commission (NPC) Circular No. 2016-01 entitled, “Security of Personal Data in Government Agencies”;
g. NPC Circular No. 2016-02 entitled, “Data Sharing Agreements Involving Government Agencies”;
h. NPC Circular No. 2016-03 entitled, “Personal Data Breach Management”;
i. NPC Advisory No. 2017-02 entitled, “Access to Personal Data Sheet of Government Personnel”;
j. NPC Advisory No. 2017-03 entitled, “Guidelines on Privacy Impact Assessments”;
k. PNP People’s Freedom of Information (FOI) Manual PNPM-DPL-DS-5-1-18;
l. DPRM Letter Order No. 680 dated March 11, 2019 entitled, “Designation of Data Protection Officer (DPO) and Compliance to Privacy Officers”; and
m. PNP Memorandum Circular (MC) 2021-179 dated November 19, 2021 entitled, “Privacy Management Program Guidelines and Procedures in Compliance with Data Privacy Act 2012.”

2. RATIONALE:

The Philippine National Police (PNP) adheres to the policy of the State to protect the fundamental human right of privacy of communication while ensuring the free flow of information to promote innovation and growth. Sections 4, 5, and 6 of NPC Circular 2016-01 require government agencies to conduct a Privacy Impact Assessment (PIA) for each program, process, or measure within the agency that involves personal data. At the same time, Section 6 of NPC Circular 2016-03 recommends the conduct of a PIA as part of any organization's security incident management policy.

3. SITUATION:

The PNP as a government agency and enforcer of all legitimate orders, laws, rules, and regulations has not yet established a protocol in the conduct of PIA. Since 2016, NPC has already recommended that all organizations shall include the PIA in their security management policy.

On December 1, 2020, the Data Privacy Division (DPD) under the DICTM was established to oversee all PNP compliances pertaining to data privacy and to formulate policies and guidelines to protect all data in the PNP.

In January 2022, there were allegations of another data leak in the Commission on Elections (COMELEC), following the two previous cases that happened in 2013 and 2016. After two months of investigation, the Senate confirmed the said allegations, stating that the latest leak was committed by an employee of COMELEC who deliberately sold the content of his computer system to the culprits. Without any reservations, the COMELEC further confirmed the said incident in their April 2022 press release.

The PNP is already managing numerous information systems, which involve personal data collection of our clients, some of which are already compromised such as e-Sumbong, DRDIGS, and Cyberweb; hence, the PIA must be conducted.

The PNP, with the mandate to serve and protect, and engaged in the processing of personal data of its personnel and stakeholders, shall adhere to the provisions of the DPA, its IRR, and other relevant issuances of the NPC.

4. PURPOSE:

This PNP MC sets forth the guidelines and procedures in the conduct of
PIA.

The objective of the PIA is to ensure that all PNP offices/units managing
automated or unautomated data processing, data recording, and all activities involving
personal data, shall adhere to and comply with the issuances of NPC to secure the
confidentiality, integrity, and availability of data, including the conduct of PIA.

5. DEFINITION OF TERMS:

a. Act or DPA - refers to RA No. 10173, otherwise known as the Data Privacy Act of 2012;

b. Commission or NPC - refers to the National Privacy Commission;

c. Compliance to Privacy Officer (CPO) - refers to an individual that performs some of the functions of a DPO, as provided in NPC Advisory No. 17-01;

d. Control Framework - refers to a comprehensive enumeration of measures a PIC or PIP has established for the protection of personal data against natural dangers such as accidental loss or destruction, and human dangers such as unlawful access, fraudulent misuse, unlawful destruction, alteration, and contamination;

e. Data Protection Officer (DPO) - refers to an individual designated by the head of agency or organization to be accountable for its compliance with the Act, its IRR, and other issuances of the Commission: Provided, that, except when allowed otherwise by law or the Commission, the individual must be an organic personnel of the government agency or private entity: Provided further, that a government agency or private entity may have more than one DPO;

f. IRR - refers to the Implementing Rules and Regulations of the DPA;

g. Personal Data - refers to all types of personal information, including privileged information;

h. Personal Information - refers to any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information or when put together with other information would directly and certainly identify an individual;

i. Personal Information Controller (PIC) - refers to a person or organization who controls the collection, holding, processing or use of personal information, including a person or organization who instructs another person or organization to collect, hold, process, use, transfer or disclose personal information on his or her behalf. The term excludes:
1) a person or organization who performs such functions as instructed by another person or organization; or
2) an individual who collects, holds, processes, or uses personal information in connection with the individual’s personal, family, or household affairs;

j. Personal Information Processor (PIP) - refers to any natural or juridical person or any other body to whom a PIC may outsource or instruct the processing of personal data pertaining to a data subject;

k. Privacy Impact Assessment (PIA) - is a process undertaken and used to evaluate and manage impacts on the privacy of a particular program, project, process, measure, system, or technology product of a PIC or PIP. It takes into account the nature of the personal data to be protected, the personal data flow, the risks to privacy and security posed by the processing, current data privacy best practices, the cost of security implementation, and, when applicable, the size of the organization, its resources, and the complexity of its operations;

l. Privacy Management Program - refers to a process intended to embed privacy and data protection in the strategic framework and daily operations of a personal information controller or personal information processor, maintained through organizational commitment and oversight of coordinated projects and activities;

m. Privileged Information - refers to any and all forms of data which, under the Rules of Court and other pertinent laws, constitute privileged communication;

n. Processing - refers to any operation or any set of operations performed upon personal data including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure, or destruction of data;

o. Risk - refers to the potential of an incident to result in harm or danger to a data subject or organization;

p. Risk Rating - refers to a function of the probability and impact of an event;

q. Sensitive Personal Information - refers to personal information:
1) About an individual's race, ethnic origin, marital status, age, color, and religious, philosophical, or political affiliations;
2) About an individual’s health, education, genetic or sexual life, or to any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings;
3) Issued by government agencies peculiar to an individual which includes, but not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns; and
4) Specifically established by an executive order or an act of Congress to be kept classified.

r. Threat - refers to a potential cause of an unwanted incident, which may result in harm or danger to a data subject, system, or organization;

s. Vulnerability - refers to a weakness of a data processing system that makes it susceptible to threats and other attacks.


6. GUIDELINES:

a. General Guidelines:

The following guidelines shall be observed by PNP offices/units in the various parts of the "data life cycle" or processing systems in order to secure the confidentiality, integrity, and availability of data as a preventive and minimization procedure in upholding the rights of the data subject and his/her personal information. See Annex "A".

1) Planning a PIA

The following should be considered when planning the conduct of a PIA:

a) The PIC or PIP signify his/her commitment to the conduct of a PIA. This means:
(1) Decide on the need for a PIA;
(2) Assign a person responsible for the whole process;
(3) Ensure and facilitate the request for the availability of resources to accomplish the objectives of the PIA; and
(4) Issue a clear directive for the conduct of PIA.

b) The program, project, process, measure, system, or technology product on which a PIA will be conducted should be identified. The scope of the PIA must be clearly defined;

c) The process owners, participants, and the persons in charge of conducting the PIA, including the preparation of its report, should be identified. When the scope of the PIA is determined to be broad and/or comprehensive, a task force or secretariat is necessary. The PIC or PIP may also outsource the conduct of the PIA, but great care should be taken in evaluating the adequacy and propriety of the methodology that will be utilized, and the expected outputs;

d) The PIC or PIP should determine how internal and external stakeholders will be involved;

e) Other matters that should be established:
(1) Objectives, schedules, and available resources;
(2) Means of communicating the results of the PIA to stakeholders; and
(3) Procedure for integrating the recommendations of the PIA into the control framework of the organization.

2) Preparatory Activities

The following should be considered in preparing the conduct of a PIA:

a) There should be records of the processing activities of the PIC or PIP, and an inventory of the personal data involved in such activities. For this purpose, a personal data flow should be created, starting from the collection of personal data, all the way up to its deletion or disposal, including storage. The process owners may be assigned to provide these documents prior to the conduct of the PIA;

b) A preliminary assessment should be undertaken to determine the baseline information, including the existing policies and security measures of the PNP. It is critical that this be carried out in coordination with the different offices/units of the PNP, such as those in charge of compliance, quality management, records and information management, information technology, administration and planning, customer relations, and legal concerns;

c) Stakeholders may be consulted during the preparatory stage to identify their concerns, expectations, and perception of the risks posed by the processing activities of the organization. Existing reports may be considered, such as customer satisfaction surveys, internal audits, and other assessment activities;

d) The objectives, scope, and methodology of the PIA should be established. A control framework should be selected. Considering the volume of the personal data records that the PNP processes, including the data of PNP personnel, the NPC recommends the use of the ISO/IEC 27002 and ISO/IEC 29151 control set as the minimum standard to assess any gaps in the agency’s control framework;

e) A detailed plan for the conduct of the PIA should be prepared, including:
(1) Schedules and timelines for the completion of preparatory activities, conduct of the PIA, and reporting or publication of results;
(2) Approval of resource and budget allocations;
(3) Participants and methods for stakeholder involvement;
(4) Documentation and review process; and
(5) Other supporting documents.

3) Conduct of the PIA

The following should be considered in the conduct of a PIA:

a) The records of processing activities, the personal data inventory, and the personal data flows should all be evaluated to determine whether additional information is necessary for the proper conduct of a PIA. Taken together, these constitute the baseline information, along with the following:
(1) Purpose and legal basis of the processing activities, including data sharing and other forms of data transfers;
(2) Persons responsible for processing personal data, including a list of those individuals with access thereto;
(3) List of all information repositories and technology products used;
(4) Sources and recipients of personal data; and
(5) Existing policies, procedures, and security measures relevant to personal data protection;

b) Once baseline information is complete, the processing activities should be evaluated against the legal obligations of the PIC or PIP, and the latter’s chosen control framework;

c) The control framework should adhere to the data privacy principles. It should implement security measures and establish procedures for the proper exercise by data subjects of their rights. Privacy and data protection measures, whether planned or existing, should be considered;

d) The data processing systems of the PIC or PIP should be assessed to determine if there are gaps at any stage of the processing. There is a gap when:
(1) There is a violation of any data privacy principle;
(2) The organizational, physical, and technical security measures are inadequate to safeguard the confidentiality, availability, and/or integrity of personal data; or
(3) The exercise by data subjects of their rights is not possible or is restricted without a legal basis;

e) Gaps should be evaluated to determine the risks involved in personal data, possible threats, and existing vulnerabilities of the systems. Risks include the following:
(1) Unauthorized or unlawful processing;
(2) Confidentiality breach;

(3) Integrity breach;
(4) Availability breach; and
(5) Violations of rights of data subjects.

f) Risks, in turn, should be assessed to determine whether the breach or privacy violation it poses is likely to happen. The assessment should consider the processing operations of the PIC or PIP, vulnerabilities and threats, as well as existing safeguards if any. A determination of how the risk will affect the rights and freedoms of data subjects should be done based on the amount and nature of personal data involved, and the impact of possible harm;

g) Measures to address the risks identified should be proposed. They may mitigate, accept, avoid, or transfer the risks posed by the processing, by taking into account the likelihood and impact of a breach or privacy violation, the available resources of the organization to address the risks, current data privacy best practices, and the industry or sector standards. The proposed measures should include:
(1) Risks and strategies for risk management;
(2) Implementing activities, including definite plans and specific projects;
(3) Controlling mechanisms to monitor, review, and support implementation;
(4) Proposed time frame, expected completion, or schedules;
(5) Responsible and accountable persons; and
(6) Cost estimates for the conduct of activities.

h) The involvement of stakeholders should be documented;

i) The report featuring the results of the PIA should be reviewed before being finalized and approved. It should include the proposed measures that should serve as the basis for implementing changes in the organization (e.g., new policies and procedures, and security measures to strengthen data processing systems). The report should also include recommendations as to when the PIA will be updated and reviewed.

The results of the PIA should be reported to management and communicated to internal and external stakeholders. The PIC or PIP can limit the information provided to the public based on its legitimate interests, such as the legal, business operation, or security risks that disclosure may give rise to.

4) Documentation and Review

A PIA requires documentation and procedures for review. Its results should be contained in a corresponding report.

The PIC or PIP must maintain a record of all its PIA reports. When a report contains information that is privileged or confidential, the PIC or PIP may prepare a PIA Summary that can be made available to data subjects upon request. Other means of communicating the results of the PIA to internal and external stakeholders should be considered, such as publishing key findings or result summaries on the PIC or PIP website, through newsletters, annual reports, and other similar materials.

A PIA should be evaluated every year. This, however, does not preclude the conduct of a new PIA on the same data processing system, when so required by significant changes required by law or policy and other similar circumstances. All the personal information that will be processed should be in accordance with the following personal information life cycle:

a) Collection - the PNP office/unit shall collect only the necessary personal information from data subjects and shall identify the type of data collected, the mode of collection, and the person in charge of collecting the same, in compliance with DPA 2012 and its IRR;

b) Use - the personal data shall be used by the PNP for specific purposes corresponding to the function of the office/unit concerned;

c) Storage, Retention, and Destruction:
(1) Storage: the PNP office/unit shall ensure that personal data under its custody are protected against unlawful destruction, alteration, and disclosure as well as against any other unlawful processing, and shall implement appropriate security measures in storing and/or destroying collected personal information, depending on the nature of the information;
(2) Retention: the information gathered shall be retained for as long as necessary, with due regard to sensitive operations of the PNP organization in relation to national security; and
(3) Destruction: personal data shall be disposed of or discarded in a secure manner that would prevent further processing, unauthorized access, or disclosure to any other party or the public, or prejudice to the interests of the data subjects;

d) Access - due to the sensitive and confidential nature of the personal data under the custody of the PNP, only the data subject and the authorized representatives of PNP offices/units concerned shall be allowed to access such personal data for any purpose, except for those contrary to law, public policy, public order, or morals; and

e) Disclosure and Sharing - all PNP personnel shall strictly maintain the confidentiality and secrecy of all personal data that come to their knowledge and possession, even after resignation or retirement, or any other termination of contractual relations. Disclosure of classified information shall be allowed only when the law warrants it. Personal data shall only be disclosed upon formal request pursuant to a lawful purpose, and to authorized recipients of such data.

b. Responsibilities:

To ensure the proper implementation of this MC, the following are tasked with roles and responsibilities:

1) TDICTM
a) Supervise the overall implementation of this MC;
b) Monitor the activities and compliance of the PIC and the PIP;
c) Inform, advise, and issue recommendations to the PIC and PIP;
d) Ascertain renewal of accreditations or certifications of data systems processing the personal information necessary to maintain the required standards in personal data processing;
e) Ensure the conduct of PIA relative to the activities, measures, projects, programs, or systems of the PIC or PIP;
f) Advise PIC and PIP regarding complaints and/or the exercise by the data subjects of their rights;
g) Cultivate awareness of privacy and data protection within the organization;
h) Cooperate, coordinate, and seek the advice of the Commission regarding matters concerning data protection and security;
i) Advise other units regarding the necessity of executing third-party legal documents;
j) Ensure periodic lectures or refresher training on PIA for the PNP personnel; and
k) Perform other tasks as necessary.

2) D-Staffs, NSUs, PROs, DDs, PDs, CDs, and COPs
a) Support the CPOs in the organizational, physical, and technical needs of their respective unit to ensure the security protection of personal data; and
b) Perform other tasks as necessary.

3) CPOs (DPRM Letter Order No. 650)
a) Supervise the conduct of PIA in order to evaluate and manage privacy impacts in the programs, processes, activities, systems, and operations of the PNP;
b) Implement security measures and privacy policies particularly intended to prevent or minimize the occurrence of personal data breaches;
c) Prioritize activities and focus efforts on issues that present higher data protection risk;
d) Ensure submission of the PIA Report every 1st and 3rd Qtr of every calendar year; and
e) Perform all other functions of a DPO. Where appropriate, shall also assist the supervising DPO in the performance of the latter’s functions.

4) PIC and PIP
a) Initiate the conduct of the PIA;
b) Allow the DPO or the CPO to be involved in all issues relating to the conduct of PIA;
c) Provide the time and resources necessary in the conduct of the PIA;
d) Grant the DPO and the CPO appropriate access to the personal data that is being processed;
e) Promptly consult with the DPO and the CPO if there’s any possible personal data breach discovered during the conduct of PIA; and
f) Perform immediate remedial measures upon discovering a possible data breach during the conduct of PIA.

7. PENALTY CLAUSE:

Any PNP personnel found violating any provision of this MC shall be penalized in accordance with the provision of NAPOLCOM MC No. 2016-02 as amended, RA No. 8713, and other applicable laws, rules and regulations.

8. REPEALING CLAUSE:

All PNP policies, directives, and other issuances that are inconsistent with the provisions of this MC are hereby deemed rescinded or modified accordingly.

9. AUTOMATIC REVIEW CLAUSE:

This MC shall be reviewed every three years or as necessary, whether it is still responsive or it needs revision/amendment because of the enactment of laws and/or the development of technology.

10. EFFECTIVITY:

This MC shall take effect after 15 days from filing a copy thereof at the University of the Philippines Law Center in consonance with Sections 3 and 4 of Chapter 2, Book VII of EO No. 292, otherwise known as the “Revised Administrative Code of 1987,” as amended.

RODOLFO S AZURIN, JR
Police General
Chief, PNP

Distribution:
Command Group
IG, IAS
Cmdr, APCs
D-Staff
P-Staff
D, NSUs
RD, PROs
SPA to the SILG

ANNEX “A”

Republic of the Philippines
NATIONAL POLICE COMMISSION
NATIONAL HEADQUARTERS, PHILIPPINE NATIONAL POLICE
DIRECTORATE FOR INFORMATION AND COMMUNICATIONS TECHNOLOGY MANAGEMENT
Camp BGen Rafael T. Crame, Quezon City

PRIVACY IMPACT ASSESSMENT

Conducted on:

I. Project/System Description

a. Description

Describe the program, project, process, measure, system or technology product and its context. Define and specify what it intends to achieve. Consider the pointers below to help you describe the project.

Brief Description of the project/system
- Describe the process of the project;
- Describe the scope and extent; and
- Any links with existing programs or other projects.

The system/project’s overall aims (purpose of the project/system)
- What does the project/system aim to achieve? and
- What are the benefits for the organization and data subjects?

Any related documents to support the project/system
- Project/System Requirements Specification;
- Project/System Design Specification; and
- Any other related documents.

b. Scope of the PIA

This section should explain what part or phase of the program the PIA covers and, where necessary for clarity, what it does not cover.

- What will the PIA cover?
- What areas are outside scope?
- Is this just a “desk-top” information gathering exercise, or do I have to get information from a wide variety of sources?
- Who needs to be involved and when will they be available?
- Where does the PIA need to fit in the overall project plan and timelines?
- Who will make decisions about the issues identified by the PIA?
- What information do they need and how long will it take to get sign-off from them?
- Do I need to consult with anyone (for instance the individuals whose personal information the project will involve)?
- When and how should this happen? and
- Are there any third parties involved and how long do I need to allow for them to play their part?

Adopted from NPC Privacy Toolkit - Privacy Impact Assessment Guide

II. Threshold Analysis

The following questions are intended to help you decide whether a PIA is necessary.
Answering “yes” to any of these questions is an indication that a PIA would be a useful
exercise. You can expand on your answers as the project develops if you need to.

a. Will the project or system involve the collection of new information about
individuals?
No   Yes

b. Is the information about individuals sensitive in nature and likely to raise
privacy concerns or expectations, e.g. health records, criminal records or
other information people would consider particularly private?
No   Yes

c. Are you using information about individuals for a purpose it is not currently
used for, or in a way it is not currently used?
No   Yes

d. Will the initiative require you to contact individuals in ways which they may
find intrusive?
No   Yes

e. Will information about individuals be disclosed to organizations or people
who have not previously had routine access to the information?
No   Yes

f. Does the initiative involve you using new technology which might be
perceived as being privacy intrusive (e.g. biometrics or facial recognition)?
No   Yes

g. Will the initiative result in you making decisions or taking action against
individuals in ways which can have a significant impact on them?
No   Yes

h. Were the personal data collected prior to August 2016?
No   Yes



III. Stakeholder(s) Engagement

State all project stakeholders consulted in conducting the PIA and identify which part
they were involved in. (Describe how stakeholders were engaged in the PIA process.)

Name    Role    Involvement    Inputs/Recommendations

* add additional rows if needed.

IV. Personal Data Flows

Sample Data Flow

[Figure 1 (diagram not reproduced in this text): a workflow diagram with the actors
PII principal, PII controller, PII processor and third party across the stages
Collect, Store, Use, Transfer and Delete, with a legend distinguishing data flow,
instruction and service arrows.]

Figure 1. Information flow of personal information can be visualized in a workflow diagram
on personal information processing.

● Objective: To identify information flows of personal information under
assessment.
● Input: Description of the process and information system to be assessed.
● Expected output: Summary of findings on the information flow of personal
information within the process.
● Actions: The person responsible for conducting a PIA should consult with
others in the organization and perhaps external to the organization to describe
the personal information flows and specifically:

- how personal information is collected and the related source;
- who is accountable and who is responsible within the organization for
  the personal information processing;
- for what purpose personal information is processed;
- how personal information will be processed;
- personal information retention and disposal policy;
- how personal information will be managed and modified;
- how personal information processors and application developers will
  protect personal information;
- identify any personal information transfer to jurisdictions where lower
  levels of personal information protection apply; and
- where applicable, notify the relevant authorities of any new personal
  information processing and seek the necessary approvals.

Output of this process in terms of the information flow of personal information
should be documented in the PIA report.

● Implementation Guidance:

Use of personal information (or transfer of personal information) may include
approved data sharing flows of personal information to other parties.

As an input to the PIA, the organization should describe the information flow in as
detailed a manner as possible to help identify potential privacy risks. The assessor
should consider the impacts not only on information privacy but also on privacy-related
regulations, e.g. telecommunications acts. The whole personal information life
cycle should be considered.

Identify the personal data involved and describe the data flow from collection to
disposal by answering the questions below:

What personal data are being or will be processed by this project/system?

List all personal data (e.g. full name, address, gender, phone number, etc.)
and state which is/are sensitive personal information (e.g. race, ethnicity, marital
status, health, genetic, government-issued numbers).

All the information stated above will be in accordance with the next section.

Collection

1. State who collected or will be collecting the personal information and/or
sensitive personal information.

2. How is the personal information/sensitive personal information collected and
from whom is it collected?

- Is personal information collected from some source other than the individual?

3. What is the purpose of collecting the personal data?


- Be clear about the purpose of collecting the information; and
- Are you collecting only what you need?

4. How was or will the consent be obtained?

- Do individuals have the opportunity and/or right to decline to provide
  data? and
- What happens if they decline?

Storage

1. Where is it currently being stored?

- Is it being stored in a physical server or in the cloud?

2. Is it being stored in another country?

- If it is subject to a cross-border transfer, specify what country or
  countries.

3. Is the storage of data being outsourced?

- Specify if the storing process is being done in-house or is handled by
  a service provider.

Disclosure/Sharing

1. To whom is it being disclosed?

- Is it being disclosed outside the organization? Why is it being disclosed?
- Specify if the personal information is being shared outside the organization; and
- What are the reasons for disclosing the personal information?

Usage

1. How will the data be used or what is the purpose of its processing?

- Describe how the collected information is being used or will be used.
- Specify the processing activities where the personal information is being used.

Retention

1. How long are the data being retained? And why?

- State the length of period the data is being retained; and
- What is the basis of retaining the data that long? Specify the reason(s).

2. Is the data being retained by the organization or is it being outsourced?

- Specify if the data retention process is being done in-house or is handled by
  a service provider.

Disposal/Destruction

1. How will the data be disposed of?

- Describe the process of disposing of the personal information.

2. Who will facilitate the destruction of the data?

- State if the process is being managed in-house or by a third party.

V. Privacy Impact Analysis

Each program, project or means for collecting personal information should be tested
for consistency with the following Data Privacy Principles (as identified in Rule IV,
Implementing Rules and Regulations of Republic Act No. 10173, known as the “Data
Privacy Act of 2012”). Respond accordingly to the questions by checking either the
“Yes” or “No” column and/or listing what the questions may indicate.

Transparency (Yes / No / Not applicable)

1. Are data subjects aware of the nature, purpose, and extent
of the processing of his or her personal data?
2. Are data subjects aware of the risks and safeguards
involved in the processing of his or her personal data?
3. Are data subjects aware of his or her rights as a data
subject and how these can be exercised?

Below are the rights of the data subjects:

● Right to be informed
● Right to object
● Right to access
● Right to correct
● Right to erasure or blocking
● Right to file a complaint
● Right to damages
● Right to data portability

4. Is there a document available for public review that sets out
the policies for the management of personal data?

Please identify document(s) and provide link where available.

5. Are there steps in place to allow an individual to know what
personal data it holds about them and its purpose of
collection, usage and disclosure?

6. Are the data subjects aware of the identity of the personal
information controller or the organization/entity processing
their personal data?
7. Are the data subjects provided information about how to
contact the organization's Data Protection Officer (DPO)?

Legitimate Purpose (Yes / No / Not applicable)

1. Is the processing of personal data compatible with a
declared and specified purpose which is not contrary to law,
morals, or public policy?
2. Is the processing of personal data authorized by a specific
law or regulation, or by the individual through express
consent?

Proportionality (Yes / No / Not applicable)

1. Is the processing of personal data adequate, relevant,
suitable, necessary and not excessive in relation to a declared
and specified purpose?
2. Is the processing of personal data necessary to fulfill the
purpose of the processing and no other means are available?

Collection (Yes / No / Not applicable)

1. Is the collection of personal data for a declared, specified
and legitimate purpose?
2. Is individual consent secured prior to the collection and
processing of personal data?
   If No, specify the reason.
3. Is consent time-bound in relation to the declared, specified
and legitimate purpose?
4. Can consent be withdrawn?
5. Are all the personal data collected necessary for the
program?
6. Are the personal data anonymized or de-identified?
7. Is the collection of personal data directly from the
individual?
8. Is there authority for collecting personal data about the
individual from other sources?

9. Is it necessary to assign or collect a unique identifier to
individuals to enable your organization to carry out the
program?
10. Is it necessary to collect a unique identifier of another
agency?
   e.g. SSS number, PhilHealth, TIN, Pag-IBIG, etc.

Use and Disclosure (Yes / No / Not applicable)

1. Will personal data only be used or disclosed for the primary
purpose?
2. Are the uses and disclosures of personal data for a
secondary purpose authorized by law or the individual?

Data Quality (Yes / No / Not applicable)

1. Please identify all steps taken to ensure that all data that is
collected, used or disclosed will be accurate, complete and up
to date:
1.1 *Please identify all steps taken to ensure that all data that
is collected, used or disclosed will be accurate, complete and
up to date;
1.2 *The system is regularly tested for accuracy;
1.3 *Periodic reviews of the information;
1.4 *A disposal schedule in place that deletes information that
is over the … period;
1.5 *Staff are trained in the use of the tools and receive
periodic updates;
1.6 *Reviews of audit trails are undertaken regularly;
1.7 *Independent oversight;
1.8 *Incidents are reviewed for lessons learnt and systems/
processes updated appropriately;
1.9 *Others, please specify.

Data Security (Yes / No / Not applicable)

1. Do you have appropriate and reasonable organizational,
physical and technical security measures in place?

Organizational measures - refer to the system’s environment,
particularly to the individuals carrying them out. Implementing
the organizational data protection policies aims to maintain the

availability, integrity, and confidentiality of personal data
against any accidental or unlawful processing (i.e. access
control policy, employee training, surveillance, etc.)
Physical measures - refer to policies and procedures that shall
be implemented to monitor and limit access to and activities
in the room, workstation or facility, including guidelines that
specify the proper use of and access to electronic media (i.e.
locks, backup protection, workstation protection, etc.)
Technical measures - involve the technological aspect of
security in protecting personal information (i.e. encryption,
data center policies, data transfer policies, etc.)

Organizational Security (Yes / No / Not applicable)

*Have you appointed a data protection officer or compliance
officer?
*Are there any data protection and security measure policies
in place?
*Do you have an inventory of processing systems? Will you
include this project/system?
*Are the users/staff that will process personal data through
this project/system under strict confidentiality if the personal
data are not intended for public disclosure?
*If the processing is delegated to a Personal Information
Processor, have you reviewed the contract with the personal
information processor?

Physical Security (Yes / No / Not applicable)

*Are there policies and procedures to monitor and limit the
access to this project/system?
*Are the duties, responsibilities and schedule of the
individuals that will handle the personal data processing
clearly defined?
*Do you have an inventory of processing systems? Will you
include this project/system?

Technical Security (Yes / No / Not applicable)

*Is there a security policy with respect to the processing of
personal data?
*Do you have policies and procedures to restore the
availability and access to personal data when an incident
happens?


*Do/Will you regularly test, assess and evaluate the
effectiveness of the security measures of this project/system?
*Are the personal data processed by this project/system
encrypted while in transit or at rest?
2. The program has taken reasonable steps to protect the
personal data it holds from misuse and loss and from
unauthorized access, modification or disclosure.
3. If yes, which of the following has the program undertaken
to protect personal data across the information lifecycle:
3.1 * Identifying and understanding information types
3.2 * Assessing and determining the value of the information
3.3 * Identifying the security risks to the information
3.4 * Applying security measures to protect the information
3.5 * Managing the information risks.

Disposal (Yes / No / Not applicable)

1. The program will take reasonable steps to destroy or de-
identify personal data if it is no longer needed for any purpose.
If YES, please list the steps.

Cross-border Data Flows (optional) (Yes / No / Not applicable)

1. The program will transfer personal data to an organization
or person outside of the Philippines.
If YES, please describe.

2. Personal data will only be transferred to someone outside
of the Philippines if any of the following apply:

a. The individual consents to the transfer
b. The organization reasonably believes that the recipient is
subject to laws or a contract enforcing information handling


principles substantially similar to the DPA of 2012
c. The transfer is necessary for the performance of a contract
between the individual and the organization
d. The transfer is necessary as part of a contract in the
interest of the individual between the organization and
a third party
e. The transfer is for the benefit of the individual

3. The organization has taken reasonable steps so that the
information transferred will be stored, used, disclosed and
otherwise processed consistently with the DPA of 2012.
If YES, please describe.

VI. Privacy Risk Management

For the purpose of this section, a risk refers to the potential of an incident to result in
harm or danger to a data subject or organization. Risks are those that could lead to
the unauthorized collection, use, disclosure or access to personal data. It includes
risks that the confidentiality, integrity and availability of personal data will not be
maintained, or the risk that processing will violate rights of data subjects or privacy
principles (transparency, legitimacy and proportionality).

The first step in managing risks is to identify them, including threats and vulnerabilities,
and to evaluate their impact and probability.

The following definitions are used in this section:

Risk - “the potential for loss, damage or destruction as a result of a threat
exploiting a vulnerability”;

Threat - “a potential cause of an unwanted incident, which may result in harm
to a system or organization”;

Vulnerability - “a weakness of an asset or group of assets that can be
exploited by one or more threats”;

Impact - severity of the injuries that might arise if the event does occur (can
be ranked from trivial injuries to major injuries); and

Probability - chance or probability of something happening.


Impact

Rating  Type         Description
1       Negligible   The data subjects will either not be affected or may
                     encounter a few inconveniences, which they will overcome
                     without any problem.
2       Limited      The data subjects may encounter significant inconveniences,
                     which they will be able to overcome despite a few
                     difficulties.
3       Significant  The data subjects may encounter significant
                     inconveniences, which they should be able to overcome but
                     with serious difficulties.
4       Maximum      The data subjects may encounter significant, or even
                     irreversible, consequences, which they may not overcome.

Probability

Rating  Type            Description
1       Unlikely        Not expected, but there is a slight possibility it may occur at
                        some time.
2       Possible        Casual occurrence; it might happen at some time.
3       Likely          Frequent occurrence. There is a strong possibility that it
                        might occur.
4       Almost Certain  Very likely. It is expected to occur in most circumstances.

Select the appropriate level or criteria of impact and probability to better assess the
risk. Kindly refer to the table below for the criteria.

Note: Try to itemize your risks by designating a reference number. This will
be used as a basis for the next sections (VII. Recommended Privacy
Solutions and VIII. Sign off and Action Plan). Also, base the risks on the
violation of privacy principles, rights of data subjects and confidentiality,
integrity and availability of personal data.

Ref#  Threats/Vulnerabilities  Impact   Probability  Risk Rating
                               1 2 3 4  1 2 3 4
                               1 2 3 4  1 2 3 4
                               1 2 3 4  1 2 3 4
                               1 2 3 4  1 2 3 4

*add additional rows if needed

Kindly follow the formula below for getting the Risk Rating:

Risk Rating = Impact x Probability


Kindly refer to the table below for the criteria.

Rating    Type
1         Negligible
2 to 4    Low Risk
6 to 9    Medium Risk
10 to 16  High Risk

PRIVACY RISK MAP

              PROBABILITY
  IMPACT    1    2    3    4
    4       4    8   12   16
    3       3    6    9   12
    2       2    4    6    8
    1       1    2    3    4
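As an added worked example (not code from the NPC Privacy Toolkit or the PNP circular), the following Python applies the formula Risk Rating = Impact x Probability and the rating bands above to a small risk register and also reproduces the risk map. The register entries, the Risk class and the function names are assumptions made for illustration; the entries are constructed sample findings, not results of any real assessment.

```python
"""Scoring a PIA risk register (Section VI of the form).

Added worked example; it is not code from the NPC Privacy Toolkit or the PNP
circular. It applies the page's rule Risk Rating = Impact x Probability, with
both factors scored 1..4, and maps the product onto the page's bands
(1 Negligible, 2-4 Low Risk, 6-9 Medium Risk, 10-16 High Risk). The register
entries in SAMPLE_RISKS are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass

# Level names taken from the page's Impact and Probability tables.
IMPACT_LEVELS = {1: "Negligible", 2: "Limited", 3: "Significant", 4: "Maximum"}
PROBABILITY_LEVELS = {1: "Unlikely", 2: "Possible", 3: "Likely", 4: "Almost Certain"}


@dataclass(frozen=True)
class Risk:
    """One row of the register: reference number, threat/vulnerability, scores."""
    ref: int
    threat: str
    impact: int
    probability: int


def _check_level(name: str, value: int) -> None:
    # Both factors must be one of the four levels defined on the page.
    if value not in (1, 2, 3, 4):
        raise ValueError(f"{name} must be an integer 1..4, got {value!r}")


def risk_rating(impact: int, probability: int) -> int:
    """Risk Rating = Impact x Probability (the page's formula)."""
    _check_level("impact", impact)
    _check_level("probability", probability)
    return impact * probability


def risk_band(rating: int) -> str:
    """Map a rating onto the page's criteria table.

    Products of two 1..4 scores can only be 1, 2, 3, 4, 6, 8, 9, 12 or 16, so
    the bands 2-4, 6-9 and 10-16 cover every achievable value without gaps.
    """
    if rating == 1:
        return "Negligible"
    if rating <= 4:
        return "Low Risk"
    if rating <= 9:
        return "Medium Risk"
    return "High Risk"


def score_register(risks: list[Risk]) -> list[dict]:
    """Score every row, reject duplicate reference numbers (the note above
    relies on them in Sections VII and VIII), and order rows by rating,
    highest first, so the action plan can prioritize treatment."""
    seen: set[int] = set()
    rows = []
    for r in risks:
        if r.ref in seen:
            raise ValueError(f"duplicate reference number {r.ref}")
        seen.add(r.ref)
        rating = risk_rating(r.impact, r.probability)
        rows.append({
            "ref": r.ref,
            "threat": r.threat,
            "impact": f"{r.impact} ({IMPACT_LEVELS[r.impact]})",
            "probability": f"{r.probability} ({PROBABILITY_LEVELS[r.probability]})",
            "rating": rating,
            "band": risk_band(rating),
        })
    rows.sort(key=lambda row: (-row["rating"], row["ref"]))
    return rows


def risk_map() -> list[list[int]]:
    """The page's 4x4 privacy risk map: rows are impact 4 down to 1,
    columns are probability 1 to 4, each cell is the rating."""
    return [[risk_rating(i, p) for p in range(1, 5)] for i in range(4, 0, -1)]


# Constructed sample register (hypothetical findings for illustration only).
SAMPLE_RISKS = [
    Risk(1, "Backup media with personnel records kept in an unlocked cabinet", 3, 2),
    Risk(2, "Shared login for the records system, so no per-user audit trail", 4, 3),
    Risk(3, "No retention period defined for clearance applications", 2, 4),
    Risk(4, "Privacy notice not shown at the point of collection", 1, 3),
]

if __name__ == "__main__":
    for row in score_register(SAMPLE_RISKS):
        print(f"#{row['ref']:<3} {row['rating']:>2} {row['band']:<12} {row['threat']}")
    for impact_row in risk_map():
        print(" ".join(f"{cell:>2}" for cell in impact_row))
```

Running the block prints the four sample rows ordered High, Medium, Medium, Low (ratings 12, 8, 6, 3) followed by the 4x4 risk map; the sorted output is what a Section VII table would be filled from.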

VII. Recommended Privacy Solutions

From the risks stated in the previous section, identify the recommended solution
or mitigation measures. You can cite your existing controls to … the risks in the
same column.

Recommended Solutions (Please provide justification)

*add additional rows if needed

Compliance to Privacy Officer (CPO)


Republic of the Philippines
NATIONAL POLICE COMMISSION
NATIONAL HEADQUARTERS, PHILIPPINE NATIONAL POLICE
DIRECTORATE FOR INFORMATION AND COMMUNICATIONS TECHNOLOGY MANAGEMENT
Camp BGen Rafael T. Crame, Quezon City

DPD-2021-12-08-02

MEMORANDUM

FOR : CPNP

THRU : TDCA
       TDCO
       TCDS

FROM : TDICTM/Data Protection Officer

SUBJECT : Memorandum Circular on PRIVACY MANAGEMENT PROGRAM

DATE : August 12, 2021

1. References:
a. Republic Act No. 10173 entitled “An Act Protecting Individual Personal
Information in Information Communications Systems in the Government
and the Private Sector, creating for this Purpose a National Privacy
Commission, and for other Purposes” also known as the “Data Privacy Act
of 2012” (DPA); and
b. Implementing Rules and Regulations (IRR) of Data Priva.

2. Relative to the above references, please be informed that this Directorate has
consolidated all the comments and recommendations from the different Directorates for
the crafting of Memorandum Circular on “PRIVACY MANAGEMENT PROGRAM
GUIDELINES AND PROCEDURES IN COMPLIANCE TO DATA PRIVACY ACT 2012”.

3. In this regard, request approval and signature on the attached Memorandum
Circular.

4. Further recommend approval of para 3.

ALEXANDER J^MPAGA
Police Major General

Republic of the Philippines
NATIONAL POLICE COMMISSION
NATIONAL HEADQUARTERS,PHILIPPINE NATIONAL POLICE
OFFICE OF THE CHIEF, PNP
Camp BGen Rafael T Crame, Quezon City

NOV 1… 2021
MEMORANDUM CIRCULAR
NO.: 2021-…
PRIVACY MANAGEMENT PROGRAM
GUIDELINES AND PROCEDURES IN COMPLIANCE WITH
DATA PRIVACY ACT 2012

1. REFERENCES:
a. 1987 Philippine Constitution;
b. Republic Act (RA) No. 10173 entitled, “An Act Protecting Individual
Personal Information in Information Communications Systems in the
Government and the Private Sector, creating for this Purpose a National
Privacy Commission, and for other Purposes” also known as the “Data
Privacy Act of 2012”;
c. Implementing Rules and Regulations (IRR) of the Data Privacy Act of 2012;
d. RA No. 10175 also known as “Cybercrime Prevention Act of 2012”;
e. Executive Order No. 2, s. 2016 entitled, “Operationalizing in the Executive
Branch the People’s Constitutional Right to Information and the State
Policies to Full Public Disclosure and Transparency in the Public Service
and Providing Guidelines Therefor”;
f. National Privacy Commission (NPC) Circular No. 2016-03 entitled,
“Personal Data Breach Management”;
g. NPC Circular No. 2016-02 entitled, “Data Sharing Agreements Involving
Government Agencies”;
h. NPC Circular No. 2016-01 entitled, “Security of Personal Data in
Government Agencies”;
i. NPC Advisory No. 2017-02 entitled, “Access to Personal Data Sheet of
Government Personnel”;
j. PNP People’s Freedom of Information (FOI) Manual PNPM-DPL-DS-5-1-
18;
k. Information Assurance Policy MC 2016-013; and
l. DPRM Letter Order No. 680 dated March 11, 2019 entitled, “Designation
of Data Protection Officer (DPO) and Compliance to Privacy Officers”.

2. RATIONALE:

The Philippine National Police (PNP) adheres to the policy of the State to
protect the fundamental human right of privacy of communication while ensuring free
flow of information to promote innovation and growth. Section 2 of RA No. 10173, also
known as the Data Privacy Act of 2012, provides that the State recognizes the vital role
of communication and information in nation-building and its inherent obligation to ensure
that personal data in the government’s information and communication systems are
secured and protected.

Page 1 of 15
3. SITUATION:

There are increasing incidents of personal data breaches that impact both
public and private entities, entailing significant economic losses and putting the data and
data subjects at risk of identity theft and other crimes. Worldwide, over a billion records
of personally identifiable information have been stolen or unwittingly shared in recent
years.

In July 2019, Facebook settled with the Federal Trade Commission for a total
of $5 billion, resolving the investigation into how the company mishandled its communications
with its users and lost control of the protection of their personal data. These eventually led to
the inadvertent exposure of its 87 million users’ personal data to Cambridge Analytica, a
political analysis firm.

In the Philippines, in April 2016, the Commission on Elections (COMELEC)
encountered a data breach which resulted in the exposure of 55 million voters’
personal data, though COMELEC denied this and stated that no sensitive information
was leaked, and the breach was only a website defacement.

The PNP, with the mandate to serve and protect, handles thousands of
personal data records from private citizens as well as from its own personnel in its daily
transactions.

With the enactment of the Data Privacy Act (DPA), the PNP needs to ensure
that personal information and equipment are protected in accordance with the
aforementioned law.
4. PURPOSE:

This Memorandum Circular (MC) serves as the Privacy Management
Program of the PNP and sets forth the guidelines for ensuring the security and protection
of the personal data of its personnel and private citizens (data subjects).

The objective of a Privacy Management Program is to ensure that the privacy
of data subjects is protected in all the organization’s initiatives and services, based on
applicable laws, and that the organization can adapt to the inevitable changes. It is a
holistic approach and process intended to embed privacy and data protection in the
strategic framework and daily operations of the PNP. More importantly, it puts in place a
system for review to allow improvements that are responsive to data privacy best
practices and technological developments.
5. SCOPE:

This MC applies to all uniformed and non-uniformed personnel of the PNP, or
any other body in the government or private sector engaged in the processing of personal
data of individuals transacting business with PNP units.

All provisions of this MC shall uphold the exceptions laid down in the DPA, its
IRR, and other existing laws such as, but not limited to, information related to national
security and other matters of public concern.
6. DEFINITION OF TERMS:

a. Commission - refers to the National Privacy Commission.

b. Compliance to Privacy Officers (CPO) - refer to those accountable for
ensuring compliance with applicable laws and regulations for the protection
of data privacy and security under the direct supervision of the Data
Protection Officer.

c. Consent Form - refers to a written permission given to another party to
perform an activity and indicates that the signatory understands the terms
of the activity that will be performed.

d. Consent of the Data Subject - refers to any freely given, specific,
informed indication of will, whereby the data subject agrees to the
collection and processing of personal information about and/or relating to
him or her. Consent shall be evidenced by written, electronic or recorded
means. It may also be given on behalf of the data subject by an agent
specifically authorized by the data subject to do so.

e. Data Breach - refers to the intentional or unintentional release of secure
or private/confidential information to an untrusted environment or
unauthorized person.

f. Data Breach Response Team - refers to the team comprised of
knowledgeable and skilled individuals which will respond to any
suspected/alleged personal data breach.

g. Data Processing System - refers to the structure and procedure by which
personal data is collected and further processed in an information and
communications system or relevant filing system, including the purpose
and intended output of the processing.

h. Data Protection Officer (DPO) - refers to an individual designated by the
head of agency to be accountable for the agency’s compliance with the
Act: Provided, that the individual must be an organic employee of the
government agency; Provided further, that a government agency may have
one or more data protection officers.

i. Data Sharing - is the disclosure or transfer to a third party of personal data
under the custody of a personal information controller or personal
information processor. In the case of the latter, such disclosure or transfer
must have been upon the instructions of the personal information controller
concerned. The term excludes outsourcing, or the disclosure or transfer of
personal data by a personal information controller to a personal information
processor.

j. Data Subject - refers to an individual whose personal information is
processed.

k. Filing System - refers to any set of information relating to natural or
juridical persons to the extent that, although the information is not
processed by equipment operating automatically in response to
instructions given for that purpose, the set is structured, either by reference
to individuals or by reference to criteria relating to individuals, in such a
way that specific information relating to a particular person is readily
accessible.

l. Information and Communications System - refers to a system for
generating, sending, receiving, storing or otherwise processing electronic
data messages or electronic documents and includes the computer system
or other similar device by or in which data is recorded, transmitted or stored
and any procedure related to the recording, transmission or storage of
electronic data, electronic message, or electronic document.

m. Personal Data - refers to all types of personal information.

n. Personal Data Breach - refers to a breach of security leading to the
accidental or unlawful destruction, loss, alteration, unauthorized disclosure
of, or access to, personal data transmitted, stored, or otherwise processed.
A personal data breach may be in the nature of:
1) Availability breach resulting from loss, accidental or unlawful
destruction of personal data;

2) Integrity breach resulting from alteration of personal data; and/or

3) Confidentiality breach resulting from the unauthorized disclosure of or
access to personal data.

o. Personal Information (PI) - refers to any information whether recorded in
a material form or not, from which the identity of an individual is apparent
or can be reasonably and directly ascertained by the entity holding the
information, or when put together with other information would directly and
certainly identify an individual.

p. Personal Information Controller (PIC) - refers to a person or
organization who controls the collection, holding, processing or use of
personal information, including a person or organization who instructs
another person or organization to collect, hold, process, use, transfer or
disclose personal information on his or her behalf. The term excludes:
1) A person or organization who performs such functions as instructed by
another person or organization; and

2) An individual who collects, holds, processes or uses personal
information in connection with the individual’s personal, family or
household affairs.

q. Personal Information Processor (PIP) - refers to any natural or juridical
person qualified to act as such under the DPA to whom a personal
information controller may outsource the processing of personal data
pertaining to a data subject.

r. Privacy Notice - is a statement made to a data subject that describes how
the organization collects, uses, retains, and discloses personal
information.

s. Privileged Information - refers to any and all forms of data which under
the Rules of Court and other pertinent laws constitute privileged
communication.

t. Processing - refers to any operation or any set of operations performed
upon personal information including, but not limited to, the collection,
recording, organization, storage, updating or modification, retrieval,
consultation, use, consolidation, blocking, erasure or destruction of data.

u. Security Incident - is an event or occurrence that affects or tends to affect


data protection, or may compromise the availability, integrity and
confidentiality of personal data. It includes incidents that would result in a
personal data breach, if not for safeguards that have been put in place.

v. Sensitive Personal Information - refers to personal information:
1) About an individual's race, ethnic origin, marital status, age, color, and
religious, philosophical or political affiliations;

2) About an individual's health, education, genetic or sexual life of a
person, or to any proceeding for any offense committed or alleged to
have been committed by such person, the disposal of such
proceedings, or the sentence of any court in such proceedings;

3) Issued by government agencies peculiar to an individual which


includes, but not limited to, social security numbers, previous or
current health records, licenses or its denials, suspension or
revocation, and tax returns; and

4) Specifically established by an executive order or an act of Congress to


be kept classified.

7. PRINCIPLES AND DATA SUBJECT RIGHTS:

The Privacy Manual must contain the privacy policy of a PNP office/unit acting
as PIC or PIP, including the security measures and its procedure in breach reporting. In
processing personal information, it shall adhere to these Data Privacy Principles:
a. TRANSPARENCY - a data subject must be aware of the nature, purpose
and extent of the processing of the personal information controller, his or
her rights as a data subject, and how these can be exercised. Any
information and communication relating to the processing of personal
data should be easy to access and understand, using clear and plain
language.

b. LEGITIMATE PURPOSE - the processing of information shall be
compatible with a declared and specified purpose, which must not be
contrary to law, morals or public policy.

c. PROPORTIONALITY - the processing of information shall be adequate,
relevant, suitable, necessary, and not excessive in relation to a declared
and specified purpose. Personal data shall be processed only if the
purpose of the processing could not reasonably be fulfilled by other
means.
The PNP shall likewise uphold and protect the following Rights of a Data
Subject while ensuring that its operations are being carried out in accordance with its
constitutional mandate:
a. Right to be informed;

b. Right to object;

c. Right to access;

d. Right to rectification;

e. Right to erasure or blocking;

f. Right to file a complaint;

g. Right to damages; and

h. Right to data portability.


The aforesaid rights are subject to limitations and shall not be applicable to
the processing of personal data gathered for the purpose of investigation in relation to
any criminal, administrative or tax liabilities of a data subject. Any limitations on the rights
of the data subject shall only be to the minimum extent necessary to achieve the purpose
of said investigation.
Moreover, the DPA and its rules shall not apply to special cases enumerated
under Section 5 of the IRR, but only to the minimum extent of collection, access, use,
disclosure or other processing necessary to the purpose, function, or activity concerned.
8. GENERAL GUIDELINES:

The following guidelines shall be observed by PNP offices/units in various
parts of “data life cycles” or processing systems in order to secure the confidentiality,
integrity, and availability of data as preventive and minimization procedure in upholding
the rights of the data subject and his/her personal information.
a. Collection - the PNP office/unit shall collect only the necessary
personal information from data subjects and shall identify the type of
data collected, the mode of collection, and the person in charge of
collecting the same;

b. Use - the personal data shall be used by the PNP for specific purposes
corresponding to the function of the office/unit concerned.

c. Storage, Retention, and Destruction:


1) Storage: the PNP office/unit shall ensure that personal data under
its custody are protected against unlawful destruction, alteration,
and disclosure as well as against any other unlawful processing,
and shall implement appropriate security measures in storing and/or
destroying collected personal information, depending on the nature
of the information;

2) Retention: The information gathered shall be retained for as long


as necessary, with due regard to sensitive operations of the PNP
organization in relation to national security; and

3) Destruction: Personal data shall be disposed or discarded in a


secure manner that would prevent further processing, unauthorized
access, or disclosure to any other party or the public, or prejudice
the interests of the data subjects.

d. Access - due to the sensitive and confidential nature of the personal


data under the custody of the PNP, only the data subject and the
authorized representatives of concerned PNP offices/units shall be
allowed to access such personal data for any purpose, except for those
contrary to law, public policy, public order, or morals; and

e. Disclosure and Sharing - all PNP personnel shall strictly maintain the
confidentiality and secrecy of all personal data that come to their
knowledge and possession, even after resignation or retirement, or any
other termination of contractual relations. Classified information shall be
allowed only when the law warrants. Personal data shall only be
t rûHMoet r\iireii^n4 ^r\ о lo\Affiil гм
wiQwiwwwM wipv/i I iWiimCii iwvfK.ewwl kw \л imvVimi рМ1 and to
authorized recipients of such data.

9. PRIVACY MANUAL:

While PNP offices/units perform different functions and deal with privacy
concerns that may not be similar to one another, all offices/units must develop and
implement a Privacy Manual to identify and properly address data protection issues they
encounter in their day-to-day transactions. Thus, the Privacy Manual must contain the
following sections:
a. Introduction
This section sets down the basis of the Manual which includes an overview
of the DPA, its IRR and its policies on data protection relevant to the
transactions of the PNP offices/unit. The manual should discuss how the
office/unit complies with the Data Privacy Principles and upholds the rights of
the Data Subjects. It is important that the user or reader understands why it
is necessary for the unit to have a Privacy Manual.

b. Scope and Limitations

This section defines the coverage of the Manual. Given that the document
is essentially an internal issuance and is meant for the use and application of
the offices/unit’s staff or personnel, that fact should be emphasized here.
c. Processing of Personal Data

All PNP offices/units must specify and outline how they process personal
data in reference to the “data life cycle” -- from the collection of personal
data, to their actual use, storage or retention, and destruction as discussed
in the general guidelines. This section was previously discussed in the
GENERAL GUIDELINES.
d. Security Measures

Confidentiality, integrity, and availability are considered the core components
of information security. Every security control and every security vulnerability
can be viewed in light of one or more of these key concepts. For a security
program to be considered comprehensive and complete, it must adequately
address confidentiality, integrity, and availability.
The following security measures embodied in the Privacy Manual shall
maintain the availability, integrity, and confidentiality of personal data and are
intended to protect the personal data against any accidental or unlawful
destruction, alteration, and disclosure, as well as against any other unlawful
processing:
1) Organizational Security Measures
The PNP must consider the human aspect of data protection that
establishes the organizational security within the organization.
a) Data Protection Officer (DPO) and Compliance to Privacy
Officers (CPO). The DPO and CPOs shall be accountable for
ensuring the proper implementation of this MC. The CPOs shall be
under the supervision of the DPO. A DPO or CPO must be
independent in the performance of his/her functions, and should be
accorded a significant degree of autonomy by the PIC or PIP;
For reference, DPRM Letter Orders No. 680 dated March 11, 2019
designated the following PNP personnel as follows:
Position/Unit/Office - Designation
TDICTM - PNP Data Protection Officer
Executive Officers - CPOs for Directorial Staff
Chiefs of Staffs - CPOs for National Support Units
RCDS - CPOs for Police Regional Offices
CDDS - CPOs for NCRPO District Offices/Police Stations
Deputy Provincial/City Director for Administration - CPOs for PPO/CPO/City/Municipal Police Stations

The CPO shall also form and designate the Data Privacy Team and
Breach Response Team per unit in support of his/her functions which
may include the Servicing Legal Officer (SLO), Information Technology
Police Officer (ITPO), Head Process Owner, and Human Resource
Personnel.

The CPO may grant security clearance to the PIC and PIPs who
have access to personal and sensitive personal information.

b) Conduct of Privacy Impact Assessment (PIA). The PNP shall
conduct a PIA to all activities, projects, and systems involving the
processing of personal data. It may choose to outsource the
conduct of PIA to a third party;

c) Recording of Activities. The PNP shall maintain records that
describe its data processing system, what kind of data it holds, the
purpose and basis of collecting, and the scope and method of
processing. It shall likewise identify the duties and responsibilities
of PNP personnel who will have access to personal data;

d) Duty of Confidentiality and Conduct of Trainings or Seminars.


The PNP shall be responsible for selecting and supervising those
employees who will have access to personal data. They shall
operate and hold personal data under strict confidentiality if the
personal data are not intended for public disclosure. This
obligation shall continue even after the employee has left the
public service, transferred to another position, or was terminated
from his/her employment or contractual relations. There shall be
capacity-building seminars, orientation, or training programs for
said employees regarding data privacy;

e) Review of Privacy Manual. The concerned PNP units shall


develop, implement and regularly review their policies embodied
in the Privacy Manual to ensure that the same are updated and
consistent with current data privacy best practices; and

f) Contracts with Personal Information Processors (PIPs). The


PNP as PIC, through appropriate contractual agreements, shall
ensure that its PIPs, where applicable, shall also implement the
security measures required by the law. It shall only engage those
PIPs that provide sufficient guarantees to implement appropriate
security measures specified in the DPA and its IRR, and ensure
the protection of the rights of the data subject.

2) Physical Security Measures
The focus of this security measure is to protect physical assets
through office designs and layout and environmental components,
emergency response readiness, accessibility to the public, security
against natural disasters, and any other relevant points.
Each concerned PNP office/unit shall conceptualize data privacy in
the context of the actual design of its office, physical arrangement of
equipment and furniture (computers, printers, desks, filing cabinets, etc),
permissible modes of transfer of data, schedule means of retention, and
disposal of data, among others.
3) Technical Security Measures
This involves the technological aspect of security in protecting the
network, encrypting personal information in storage and in transit,
mitigating data transfer risks, implementing software system designs, and
having efficient access control policies.
DICTM, ACG, and ITMS shall formulate standard technical security
measures in safeguarding the data to be adopted and implemented by all
offices/units.

All PNP offices/units must implement technical security measures to
make sure that there exist sufficient safeguards in the computer network
being used in the office through encryption and authentication processes,
among others.
e. Breach Reporting Procedure

Each PNP office/unit must develop and implement policies and procedures
for the management of a personal data breach, including security incidents. It
must adequately describe or outline such policies and procedures, as follows:
1) Create a Data Breach Response Team (DBRT)
A Data Breach Response Team (DBRT) comprising at least five
authorized PNP personnel (Team Leader, Assistant Team Leader,
Investigator, and two members) shall be responsible for ensuring
immediate action in the event of a security incident or personal data breach.
2) Formulate measures to prevent or minimize occurrence of breach
or security incidents
The PNP unit shall regularly conduct Privacy Impact Assessment (PIA)
and periodic reviews of data policies.
3) Establish procedure for recovery and restoration of personal data
The PNP unit shall always maintain a backup file for all personal data
under its custody. In case of incident or breach, it shall always compare
the backup with the affected file to determine the presence of any
inconsistencies or possible alterations.

4) Follow notification protocol
The Head of the DBRT shall inform within 24 hours the CPO of the
incident or breach. The CPO must notify the DPO within 48 hours upon
knowledge of, or when there is reasonable belief that a personal data
breach has occurred.

The DPO shall notify the Commission within 72 hours through e-mail
at [email protected] or through delivery of a hard copy to its
Office. A confirmation message will be received from the Commission upon
receipt of the notification from the DPO.
Notification to the affected data subjects may be done electronically
or in written form but must be done individually within 72 hours. The
notification must not involve a further, unnecessary disclosure of personal
data. If notifying the affected data subjects individually will involve
disproportionate effort, an authorization from the Commission to employ
alternative means is required.
5) Documentation and annual report of security incidents or
personal data breach

The DBRT shall prepare a detailed entry of every security incident and
personal data breach, and submit annual report signed by the CPO to the
TDICTM/DPO and the Commission. The terms “personal data breach” and
“security incident” have different meanings as defined in the Definition of
Terms.

The report must contain the number of security incidents and data
breaches encountered. It must also include the classification of data
breaches according to their impact on the availability, integrity, or
confidentiality of personal data.
f. Privacy Notice and Consent Form

The Privacy Notice is a statement made to a data subject that describes


how the organization collects, uses, retains, and discloses personal
information. A Consent Form gives written permission to another party to
perform an activity and indicates that the signatory understands the terms of
the activity that will be performed.
If a unit collects personal data (i.e., visitors fill out web forms, feedback
forms, etc.), a Privacy Notice and/or Consent Form is required for data
subjects to be informed of their rights under the DPA. If the website does not
have a Privacy Notice, the National Privacy Commission shall issue an
enforcement notice requesting that you either place a Privacy Notice on your
site, or cease processing data, and that failure to comply could result in
prosecution with a possible penalty. A Privacy Notice is required in websites
while a Consent Form is a must in printed documents intended for the collection
of personal information. The Privacy Notice and Consent Form can be
attached as an Annex to the Privacy Manual.

10. ROLES AND RESPONSIBILITIES:

To ensure the proper implementation of this MC, the following are tasked with
roles and responsibilities:
a. The Director for ICT Management (TDICTM) is designated as Data
Protection Officer who shall supervise and monitor the compliance of the
PNP and shall likewise register with the Commission in line with the Data
Privacy Act of 2012 and other guidelines set forth by the latter.

TDICTM shall also perform the following:
1) Supervise the overall implementation of this MC;

2) Monitor the activities and compliance of the PIC and the PIP;

3) Analyze and check compliance with the DPA of all processing activities,
including the issuance of security clearances to third party service
providers;

4) Inform, advise, and issue recommendations to the PIC and PIP;

5) Ascertain renewal of accreditations or certifications of data systems
processing personal information necessary to maintain the required
standards in personal data processing;

6) Ensure the conduct of Privacy Impact Assessment relative to the
activities, measures, projects, programs or systems of the PIC or PIP;

7) Advise PIC and PIP regarding complaints and/or the exercise by the
data subjects of their rights;

8) Formulate standard technical security measures in safeguarding the
data to be adopted and implemented by all offices/units;

9) Ensure proper data breach and security incident management;

10) Cultivate awareness on privacy and data protection within the
organization;

11) Advocate the development, review and revisions of policies and
guidelines, projects and programs;

12) Serve as the contact person of the PIC and PIP and the Data Subject;

13) Cooperate, coordinate, and seek advice of the Commission regarding
matters concerning data protection and security;

14) Advise other units regarding the necessity of executing third party legal
documents;

15) Directly report to the Commission; and

16) Perform other tasks as necessary.

b. The D-Staff, D-NSUs, PROs, DDs, PDs, CDs, and COPs shall:
1) Support the CPOs in the organizational, physical and technical needs
of their respective unit to ensure security protection of personal data;

2) Designate a PIC to collect, hold, process, use or transfer personal


information of personnel and to ensure full compliance with the data
privacy law;

3) Shall develop and implement a Privacy Manual to help identify and


properly address data protection issues; and

4) Perform other tasks as necessary.

c. The CPOs (DPRM Letter Order No. 680) shall have the following tasks:


1) Inform the DPO of the Data Processing System being used in their
respective offices and units and with the assistance of the DPO shall
register the same with the Commission;

2) Perform Privacy Impact Assessment to evaluate and manage privacy


impacts in the organization’s programs, processes, activities, systems,
and operations;

3) Ensure the inclusion of Privacy Notice and Consent Form in all websites
and fill out forms, respectively, being managed by the offices/units
concerned;

4) Develop Privacy Manual to serve as a general description and


procedures of security measures;

5) Designate a Breach Response Team that shall be responsible in


security incident and data breach management to include reporting to
the DPO;

6) Implement security measures and privacy policies particularly intended


to prevent or minimize occurrence of personal data breach;

7) Actively coordinate and consult with the DPO and should take
instruction from the same;

8) Prioritize activities and focus efforts on issues that present higher data
protection risk;

9) Ensure the incident reporting and response capability of the unit/office;


and

10) Perform all other functions of a DPO. Where appropriate, shall also


assist the supervising DPO in the performance of the latter’s functions.

d. The PIC and PIP shall perform the following tasks:
1) Effectively communicate to its personnel, the designation of the DPO
or CPO and his/her functions;

2) Allow the DPO or CPO to be involved in all issues relating to privacy


and data protection from the earliest stage possible;

3) Provide necessary time and resources necessary for the DPO to be


updated with the development of data privacy protection and security;

4) Grant the DPO and CPO appropriate access to the personal data that
is being processed;

5) Promptly consult with the DPO and CPO in the event of personal data
breach or security incidents; and

6) Ensure that the DPO or CPO is involved in all relevant working groups
that deal with personal data processing activities conducted inside the
organization or with other organization.

e. The Director, Legal Service shall ensure availability of a Resource Person


to ensure that all legal aspects stipulated under the DPA of 2012, its IRR,
and other related issuances are properly conveyed;

f. The Director, ACG and D, ITMS shall formulate a standard technical
security measure in safeguarding the data to be adopted and implemented
by all offices/units; and

g. All offices/units shall include in the regular conduct of PICE the
dissemination of DPA 2012, the proposed policy, and related issuances.

11. PENAL PROVISIONS:

The following offenses are penalized under the DPA, as follows:

a. Unauthorized Processing - one (1) year to three (3) years and three
(3) years to six (6) years imprisonment, and a fine ranging from
Php500,000 to Php4,000,000;

b. Access Due to Negligence - one (1) year to three (3) years and three
(3) years to six (6) years imprisonment, and a fine ranging from
Php500,000 to Php4,000,000;

c. Improper Disposal - six (6) months to two (2) years and one (1) year
to three (3) years imprisonment; and a fine ranging from Php100,000 to
Php1,000,000;

d. Unauthorized Purposes - eighteen (18) months to five (5) years and
two (2) years to seven (7) years imprisonment; and a fine ranging from
Php500,000 to Php2,000,000;

e. Intentional Breach - one (1) year to three (3) years imprisonment; and
a fine ranging from Php500,000 to Php2,000,000;

f. Concealment of Breach - eighteen (18) months to five (5) years
imprisonment; and a fine ranging from Php500,000 to Php1,000,000;

g. Malicious Disclosure - eighteen (18) months to five (5) years
imprisonment; and a fine ranging from Php500,000 to Php1,000,000;

h. Unauthorized Disclosure - one (1) year to three (3) years and three
(3) years to five (5) years imprisonment, and a fine ranging from
Php500,000 to Php2,000,000; and

i. Combination of Acts - three (3) years to seven (7) years imprisonment,
and a fine ranging from Php1,000,000 to Php5,000,000.
Furthermore, any PNP personnel found violating any provision of this MC
shall be penalized in accordance with the provision of NAPOLCOM MC 2016-02, RA No.
6713, and other applicable laws, rules and regulations.
12. REPEALING CLAUSE:

All PNP policies, directives, and other issuances that are inconsistent with
the provisions of this MC are hereby deemed rescinded or modified accordingly.
13. EFFECTIVITY:

This MC shall take effect after 15 days from filing a copy thereof at the
University of the Philippines Law Center in consonance with Sections 3 and 4 of Chapter
2, Book VII of Executive Order No. 292, otherwise known as the “Revised Administrative
Code of 1987,” as amended.

DIONARDO B CARLOS
Police General
Chief, PNP

Distribution
IG, IAS
Cmdr, APCs
D-Staff
P-Staff
D, NSUs
RD, PROs

Copy Furnished
Command Group
SPA to the SILG

Republic of the Philippines
NATIONAL POLICE COMMISSION
NATIONAL HEADQUARTERS, PHILIPPINE NATIONAL POLICE
DIRECTORATE FOR INFORMATION AND COMMUNICATIONS TECHNOLOGY MANAGEMENT
Camp BGen Rafael T. Crame, Quezon City

DICTM
0 7 1Ш
Standard Operating Procedure
Number 2023-01

Technical Security Measures in Safeguarding Data

1. REFERENCES:
a. Republic Act No. 10173 "Data Privacy Act of 2012 and its
Implementing Rules and Regulations";

b. National Privacy Commission (NPC) Circular 16-01 “Security of


Personal Data in Government Agencies";

c. Memorandum Circular No. 2021-179 entitled "Privacy
Management Program Guidelines and Procedures in Compliance
with Data Privacy Act of 2012"; and

d. ISO/IEC 27701:2019 entitled "Privacy Information Management


System (PIMS)."

2. BACKGROUND:

In an era dominated by digital technologies and data-driven operations,


these measures play a crucial role in safeguarding the confidentiality, integrity, and
availability of sensitive information. The evolution of technical security measures has
been driven by the need to protect against a wide range of cyber threats, ensuring that
the PNP and individuals can operate securely in the digital landscape. The rapid
expansion of data, coupled with the rising complexity of Data Processing Systems
(DPS), underscores the paramount importance of prioritizing data security.

3. PURPOSE:

The purpose of this SOP is to provide a comprehensive framework for
personal information controllers and processors to establish robust technical security
measures, ensuring the protection, integrity, and confidentiality of personal data
throughout its processing lifecycle.

4. SCOPE:

This SOP shall be mandatorily implemented for all data processing systems
being maintained and managed by the PNP.

Page 1 of 9
Ref. No. DICTM (D)-231030-0243

5. DEFINITION OF TERMS:

For purposes of this SOP, the following terms are defined as follows:

a. Access Control - A fundamental component of data security that
regulates who can access and use an organization’s information and
resources;

b. Access Log - A record of activities and interactions related to accessing
and using a resource or service;

c. Anti-Virus - A type of security software designed to protect computers and
other devices from malicious software or malware;

d. Audit Log - Concise records that capture and document activities,
events, and changes within a system or network. They serve as a
chronological trail of actions performed by users, applications, or system
processes;

e. Backup - A copy of data or files that is created and stored separately
from the original source;

f. Compliance to Privacy Officer (CPO) - A crucial aspect of the
organization’s effort to ensure compliance with applicable laws and
regulations for the protection of data privacy and security under the
direct supervision of the Data Protection Officer;

g. Data - Raw, unprocessed information or facts that are typically in the
form of numbers, text, images, audio, or other formats. Data is the
foundation upon which computer systems operate and make decisions;

h. Data Breach Response Team (DBRT) - A group of information
technology and cybersecurity experts responsible for handling and
mitigating the impact of a data breach;

i. Data Protection Officer (DPO) - A designated role or position within an
organization responsible for overseeing data protection and privacy
matters and ensuring compliance with data protection laws and
regulations;

j. Data Privacy Team (DPT) - A group of individuals responsible for
managing and ensuring compliance with data privacy practices and
regulations. It formulates a privacy manual and measures to prevent or
minimize the occurrence of a breach or security incident, and implements data
privacy and protection measures;

k. Encryption - A method by which information is converted into a secret
code that hides the information's true meaning;


l. Firewall - A network security device or software application that is
designed to monitor and control incoming and outgoing network
traffic based on predetermined security rules. Firewalls act as a
barrier between a trusted internal and untrusted external network to
protect against unauthorized access, data breaches, malware, and
other cyber threats;

m. Network Security - Set of techniques that protects the usability and


integrity of the organization’s infrastructure by preventing the entry
or proliferation within the network of potential threats;

n. Network Traffic - Amount of data moving across a network at any given


time;

o. Patch Management- Systematic notification, identification, deployment,


installation, and verification of operating system and application
software code revisions;

p. Personal Information Controller (PIC) - A person who controls the
collection, holding, processing or use of personal information, including
a person or organization who instructs another person to collect, hold,
process, use, transfer or disclose personal information on his or her
behalf;

q. Personal Information Processor (PIP)- Any natural or juridical person


qualified to act as such under the DPA to whom a personal information
controller may outsource the processing of personal data pertaining to
a data subject;

r. Personally Identifiable Information (PII)- Any data that can be used to


identify or distinguish an individual;

s. Secure Socket Layer (SSL) - A cryptographic protocol used to
authenticate internet connections and enable data encryption and
decryption for network communication;

t. Security Audit - Independent review and examination of a system, the
system's records, and activities to determine the adequacy of system
controls, ensure compliance with established security policy and
procedures, detect breaches in security services and recommend any
changes that are indicated for countermeasures;

u. Technical Controls - Hardware and software components that protect
a system against cyberattacks; and

v. Transport Layer Security (TLS) - A cryptographic protocol that protects
internet communications.


6. TECHNICAL SECURITY MEASURES

The following are the basic technical security measures in reference to
the IRR of RA No. 10173 that must be implemented in all PNP Data Processing
Systems (DPS).

a. The use of anti-virus and anti-malware software, which are designed to detect, prevent, and remove malicious software that could damage the network and/or steal data.

b. The organization shall encrypt all sensitive data in storage and in transit using approved encryption algorithms. Encryption is an essential component of data security that involves encoding data to prevent unauthorized access.

Using any of the following encryption methods will safeguard sensitive data and prevent unauthorized access, especially during transmission over public networks:

1) Symmetric Encryption. Type of encryption where a single key is used to both encrypt and decrypt the data. This key must be kept secret from anyone who should not have access to the data;

2) Asymmetric Encryption. Also known as public key encryption, it uses two separate keys, a public key for encryption and a private key for decryption. The public key can be shared freely with anyone who wants to encrypt data, but the private key must be kept secret;

3) Transport Layer Security/Secure Socket Layer (TLS/SSL). Protocols that provide secure communication over the internet. They use a combination of symmetric and asymmetric encryption to secure data transmission between clients and servers;

4) Pretty Good Privacy (PGP). A data encryption program used for email and file encryption. It employs both symmetric and asymmetric encryption to provide secure data transmission;

5) Disk Encryption. The process of encrypting the entire hard drive to prevent unauthorized access to the data on the drive; and

6) File/Folder Encryption. The process of encrypting individual files or folders to ensure that only authorized users can access them.

c. Use of long, easy-to-remember and strong passwords with a minimum of 12 characters, a combination of letters, numbers, and symbols, and periodic change of the password.

Creation of a password security policy for all Data Processing Systems (DPS) covering password complexity, minimum length, password expiration, password history, and automatic account lockout after multiple failed attempts to prevent brute-force attacks;
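An added example, not from the memorandum, of two of the policy controls in item c implemented in Go: the complexity rule with the 12-character minimum, and an automatic lockout counter. MaxAttempts = 5, the function names and the verify callback are assumptions of this example; the SOP fixes only the 12-character minimum.

```go
package main

import (
	"errors"
	"strings"
	"unicode"
)

// Assumed example values; the SOP itself fixes only the 12-character minimum.
const (
	MinLength   = 12 // characters
	MaxAttempts = 5  // consecutive failures before automatic lockout
)

func isSymbol(r rune) bool { return unicode.IsPunct(r) || unicode.IsSymbol(r) }

// CheckComplexity enforces the SOP's length and letter/number/symbol rules.
func CheckComplexity(pw string) error {
	if len([]rune(pw)) < MinLength {
		return errors.New("shorter than minimum length")
	}
	for _, class := range []func(rune) bool{unicode.IsLetter, unicode.IsDigit, isSymbol} {
		if strings.IndexFunc(pw, class) < 0 {
			return errors.New("needs letters, numbers and symbols")
		}
	}
	return nil
}

// Account tracks consecutive failures so that repeated guessing trips lockout.
type Account struct {
	failures int
	Locked   bool
}

// Attempt records one login attempt. verify is the caller's credential check
// (e.g. a salted password-hash comparison) and is skipped once locked, which
// is what blunts online brute-force guessing.
func (a *Account) Attempt(verify func() bool) bool {
	if a.Locked {
		return false
	}
	if verify() {
		a.failures = 0 // a good login resets the counter
		return true
	}
	a.failures++
	a.Locked = a.failures >= MaxAttempts
	return false
}
```

In a deployment the counter lives server-side per account and the lock clears after a cooldown or an administrator reset, so that the lockout itself cannot be turned into a denial of service against legitimate users.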

d. Passphrase. A sequence of words or a longer, more complex phrase used for authentication, data encryption, or security purposes. It is often longer than a password and combines words, numbers, and special characters, making it more resilient to brute-force attacks and easier for users to remember;

e. Multifactor Authentication (MFA). Also known as two-factor authentication (2FA) when exactly two factors are used, MFA is a security process that requires users to provide two or more distinct authentication factors before access to a system, application, or account is granted. The goal of MFA is to enhance security by adding a layer of verification beyond the traditional username and password combination;

f. Implement network security to prevent unauthorized access to internal systems, such as but not limited to:

1) Intrusion Detection/Prevention Systems (IDS/IPS). Network security devices that detect and prevent unauthorized access, attacks, and intrusion attempts by analyzing network traffic;

2) Virtual Private Network (VPN). Provides a secure connection over the internet between two devices, allowing users to access a private network remotely;

3) Virtual Local Area Network (VLAN). A network technology that allows network administrators to logically divide a physical network into multiple isolated virtual networks. Each VLAN operates as if it were a separate physical network, even though devices in different VLANs may be physically connected to the same network infrastructure. VLANs are primarily used for segmentation, security, and traffic management within a larger network; and

4) Access Control. A set of policies and procedures that control access to the network and its resources, ensuring that only authorized users have access to them.

g. The organization shall implement a monitoring and logging process to track access to data and information systems. This shall include the collection and analysis of audit logs and event data.

The following steps will ensure that the organization has a comprehensive monitoring and logging process to effectively track access to data and information systems and quickly detect any unauthorized access:

1) Define Audit Requirements. Identify the data and information systems that require monitoring as well as the audit requirements for each system, including which users require access, the access rights of each user, and the events that need to be monitored;

2) Define Security Audit Policies. Develop security audit policies and procedures that detail the events to be audited, how often auditing will occur, and the data to be collected;

3) Implement a monitoring system that can track all events and activities in the system, from user login events to database changes and network traffic;

4) Configure the monitoring system to continuously track all system events and activities, generate alerts when suspicious activities are detected, and provide a dashboard for real-time monitoring and status updates;

5) Collect all relevant log data from the system and securely retain logs for a defined retention period;

6) Analyze log data and system monitoring alerts to identify any unauthorized access to data or information systems;

7) Analyze identified breaches and communicate the appropriate actions to be taken. Respond to breaches by blocking or isolating any unauthorized access to prevent further data leakage or compromise;

8) Regularly review and update the monitoring and logging processes to ensure that they remain aligned with changes to the system and the risk profile of the organization; and

9) Each log must contain information such as, but not limited to, the time the request was received, the client's IP address, latencies, request paths and server responses.
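An added example, not part of this SOP, in Go: a parser for log records carrying the five fields item 9 lists, and the analysis of steps 5 and 6 applied to them as a sliding-window count of 401/403 responses per client IP. The one-line-per-request format, the window and the threshold are constructed for illustration; the analysis expects entries in log (time) order.

```go
package main

import (
	"errors"
	"strconv"
	"strings"
	"time"
)

// Entry carries the five fields item 9 requires in every log record.
type Entry struct {
	Time         time.Time
	Client, Path string
	Status       int
	Latency      time.Duration
}

// ParseEntry reads one line of the constructed format "<RFC3339 time> <client IP> <path> <status> <latency>".
func ParseEntry(line string) (Entry, error) {
	f := strings.Fields(line)
	if len(f) != 5 {
		return Entry{}, errors.New("malformed log line: " + line)
	}
	ts, err1 := time.Parse(time.RFC3339, f[0])
	status, err2 := strconv.Atoi(f[3])
	lat, err3 := time.ParseDuration(f[4])
	if err1 != nil || err2 != nil || err3 != nil {
		return Entry{}, errors.New("malformed log line: " + line)
	}
	return Entry{ts, f[1], f[2], status, lat}, nil
}

// FailedAccessBursts flags clients with at least threshold 401/403 responses inside a sliding window (entries in log order; see step 6).
func FailedAccessBursts(entries []Entry, window time.Duration, threshold int) map[string]bool {
	recent := map[string][]time.Time{} // failure timestamps per client, oldest first
	flagged := map[string]bool{}
	for _, e := range entries {
		if e.Status == 401 || e.Status == 403 { // unauthenticated or denied request
			ts := append(recent[e.Client], e.Time)
			for e.Time.Sub(ts[0]) > window {
				ts = ts[1:] // drop failures that fell out of the window
			}
			recent[e.Client] = ts
			if len(ts) >= threshold {
				flagged[e.Client] = true
			}
		}
	}
	return flagged
}
```

A flagged client is the input to step 7: the alert names the source address and the paths it tried, which is what the response team needs to decide whether to block or isolate it.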

h. Regular and frequent backups of the organization's data shall be undertaken by creating a regular schedule of backups, and disaster recovery plans shall be in place to ensure that data can be restored in case of disaster:

1) Identify all critical data and resources, such as databases, applications, users' files, and system configuration, to include the Business Continuity Plan and Disaster Recovery Plan;

2) Conduct a risk assessment to understand the potential risks and threats to the data and resources and prioritize them based on their criticality;

3) Develop a backup strategy that outlines the frequency of backup, retention period, backup location and backup method. It is important to review and update the backup strategy to ensure it remains effective and capable of meeting the changing needs of the organization;

4) Implement reliable backup technology, such as hardware appliances, software solutions, cloud services, or hybrid data backup solutions, based on the size and complexity of the ICT environment;

5) Test and validate the backup solution to ensure it is effective and reliable in case of disaster recovery;

6) Implement server virtualization to create virtual copies of the production environment, making it easier to restore data and resources in case of disaster;

7) Store backup copies offsite to prevent loss of data and resources in the event of physical disaster; and

8) Train personnel on the importance of backups and how to perform data restoration in the event of disaster.

i. To keep software secure, reliable, and up to date, providing users with a better experience and reducing the risk of potential vulnerabilities and issues, concerned offices/units must implement a patch management program to ensure that all systems and software are up to date with the latest security patches. Patch management is a critical part of IT security.

Implement the following patch management practices, which will secure the organization's systems and software, protect them from known vulnerabilities and reduce the risk of security incidents:

1) Establish a patch management plan that outlines the processes and procedures for keeping systems and software up to date with the latest security patches;

2) Maintain an inventory of all systems and software in the organization to ensure that all assets are accounted for and patched appropriately;

3) Prioritize patches based on the severity, criticality, and potential impact on the organization;

4) Test patches thoroughly before deploying them in a production environment to ensure that they are compatible with existing systems and software;

5) Use automated tools and processes to streamline the patch management process and reduce the risk of human error;

6) Monitor when the latest updates or patches become available for critical systems and software used in the organization; and

7) Enforce patch compliance by ensuring that all systems and software are up to date with the latest security patches;

j. Conduct Vulnerability Assessment and Penetration Testing as needed for all information systems in coordination with ITMS and ACG;

k. Implement Rule-Based Access Control (RBAC) to ensure access is granted to authorized users only;

l. Time-Based Access Control (TBAC) to ensure that access to sensitive data may only be granted during business hours; and

m. Other security measures can be implemented as needed.


5. RESPONSIBILITIES

a. Compliance to Privacy Officer (CPO) - responsible for safeguarding the organization's data assets and ensuring implementation of the security controls and procedures outlined in this SOP;

b. Data Privacy Team (DPT) - responsible for implementing and maintaining the technical security controls outlined in this SOP and for the technical implementation and configuration of all technical security measures;

c. Personal Information Controller (PIC) - responsible for ensuring the implementation of appropriate technical security measures to protect their respective assets; and

d. Personal Information Processor (PIP) - responsible for following the security measures and procedures outlined in this SOP.

6. SANCTIONS:

Any personnel who shall violate, intentionally or negligently, the prescribed guidelines and procedures of this SOP shall be held administratively liable and shall be meted with the appropriate sanction in accordance with NAPOLCOM Memorandum Circular No. 2016-002, as the case may be.


7. REPEALING CLAUSE:

All policies in conformity with this SOP are hereby rescinded.

8. TRAINING AND AWARENESS:

Personnel handling sensitive data and information systems shall undergo regular training and awareness seminars on data security, confidentiality, and privacy. Offices/units shall provide regular training and awareness programs to all personnel, especially those handling sensitive data and information systems, on data security, confidentiality, and privacy.

9. REVIEW:

This SOP shall be reviewed annually or when there are significant changes to the organization's information security environment.

10. EFFECTIVITY:

This SOP shall take effect immediately upon approval.

bernafoTmbanac
Police Major General
TDICTM

Distribution:
IG, IAS
Cmdr, APCs
D-Staff
P-Staff
D, NSUs
RD, PROs

Copy furnished:
Command Group
SPA to SILG

11. PENAL PROVISIONS:

The following offenses are penalized under the DPA as follows:

a. Unauthorized Processing - one (1) year to three (3) years and three (3) years to six (6) years imprisonment, and a fine ranging from Php500,000 to Php4,000,000;

b. Access Due to Negligence - one (1) year to three (3) years and three (3) years to six (6) years imprisonment, and a fine ranging from Php500,000 to Php4,000,000;

c. Improper Disposal - six (6) months to two (2) years and one (1) year to three (3) years imprisonment, and a fine ranging from Php100,000 to Php1,000,000;

d. Unauthorized Purposes - eighteen (18) months to five (5) years and two (2) years to seven (7) years imprisonment, and a fine ranging from Php500,000 to Php2,000,000;

Page 14 of 15

e. Intentional Breach - one (1) year to three (3) years imprisonment, and a fine ranging from Php500,000 to Php2,000,000;

f. Concealment of Breach - eighteen (18) months to five (5) years imprisonment, and a fine ranging from Php500,000 to Php1,000,000;

g. Malicious Disclosure - eighteen (18) months to five (5) years imprisonment, and a fine ranging from Php500,000 to Php1,000,000;

h. Unauthorized Disclosure - one (1) year to three (3) years and three (3) years to five (5) years imprisonment, and a fine ranging from Php500,000 to Php2,000,000; and

i. Combination of Acts - three (3) years to seven (7) years imprisonment, and a fine ranging from Php1,000,000 to Php5,000,000.

Furthermore, any PNP personnel found violating any provision of this MC shall be penalized in accordance with the provisions of NAPOLCOM MC 2016-02, RA No. 6713, and other applicable laws, rules and regulations.
