Data Privacy Protection

Resource Person: Joseph Meynard G. Ogdol

Data Privacy Protection Competency

● R.A. - Data Privacy Act 2012

● Accountability and Responsibility
● Privacy and Security Risks
● Privacy Impact Assessment Process
● Privacy and Security Management
● Privacy and Security Policy Making
● Security Incident Management
● Breach and Complaint Handling
Learning Management System Platform

Google Classroom

https://classroom.google.com

ophjtc2
DATA PRIVACY IS ABOUT

1 PEOPLE, NOT PLACES

2 PERSONAL CHOICE

3 CONTROL, NOT
SECRECY 4 RIGHT TO BE LEFT
ALONE
Who stores data about you?

- Government Agencies
- Private Companies
Which is more valuable?

DATA MONEY
“Data is more valuable
than money. If
someone takes your
money, that's all they
have. If you let
someone take your
data, they may
eventually take your
money too!“
Data Privacy Act of 2012
Scope | Section 4
THE LAW APPLIES

To the processing of all types of personal information and sensitive personal information

To both natural and juridical persons, so long as they involved in personal information
processing

To entities not found in the Philippines, so long as they use equipment that are located in the
Philippines, or maintain an office, brancH or agency in the Philippines with EXEMPTIONS:

Information relating to work or service performed under contract for a government

institution Personal information processed for journalistic, artistic, literary or research
purposes.
Goals of R.A. 10173

● Protect the fundamental human right of privacy, of

communication while ensuring free flow of information to
promote innovation and growth.
● Ensure that personal information in information and
communications systems in the government and in the private
sector are secured and protected.
What to achieve and maintain?

1. Implementation of rules and standards to respect privacy rights and to assure

confidentiality, integrity, and availability of personal information.
2. Compliance governance to lead, direct, and control data privacy assurance
and security of personal information protection.
3. Enabling capability for the personal information controller and processor to
accomplish the mandated requirements of compliance that are monitored in
order to assure privacy protection and information security.
4. Provision of regulation and procedures to create policies, to file complaints, to
investigate violation, and to provide remediation
What to prevent and eliminate?

1. Penalized violation against data privacy of a data subject

2. Non-conformity of the filing system, automation program and technology
services to the data privacy rights, data privacy principles, lawful processing
criteria, condition to process sensitive information, and security measures in
the personal data collection, processing, retention, sharing, and disposal.
3. Insecure technology infrastructure and negative user behaviour of unlawful
access, control, processing, transmission, storage, sharing, and deletion of
personal data.
Accountable and Responsible
The legal liability of data privacy compliance belongs to:

1. Personal Information
Controller
2. Personal Information
Processor
3. Data Protection Officer
collection
Personal Information Controller (Rule 1)

● A natural or juridical person, or any other body who controls the processing of
personal data, or instructs another to process personal data on its behalf.
There is control if the natural or juridical person or any other body decides on
what information is collected, or the purpose or extent of its processing.
● Implements reasonable and appropriate organizational, physical, and
technical security measures for the protection of personal data. The personal
information controller takes steps to ensure that any natural person acting
under their authority and who has access to personal data, does not process
them except upon their instructions, or as required by law.
Personal Information Controller (Business Owner) (Rule XII)

1. Responsible for any personal data under its control or custody, including information that have
been outsourced or transferred to a personal information processor or a third party for
processing, whether domestically or internationally, subject to cross-border arrangement and
cooperation.
2. Accountable for complying with the requirements of the Data Privacy Act of 2012, it’s
implementing rules and regulation, and other issuances of the National Privacy Commission. It
shall use contractual or other reasonable means to provide a comparable level of protection to
the personal data while it is being processed by a personal information processor or third
party.
3. Required to designate an individual or individuals who are accountable for its compliance with
the R.A. 10173. The identity of the individual or individuals so designated shall be made known
to a data subject upon request.
Personal Information Controller (Head of Agency) (NPC Circular 16-01 )

1. To designate a Data Protection Officer

2. To conduct a Privacy Impact Assessment for each program, process or measure within the
agency that involves personal data, Provided, that such assessment shall be updated as
necessary
3. To create privacy and data protection policies, taking into account the privacy impact
assessments, as well as Sections 25 to 29 of the IRR
4. To conduct a mandatory, agency-wide training on privacy and data protection policies once a
year: Provided, that a similar training shall be provided during all agency personnel orientations
5. To register its data processing systems with the Commission in cases where processing involves
personal data of at least one thousand
6. To cooperate with National Privacy Commission in the review of data privacy and security policy.
Registration of Data Processing and Notifications regarding
Automated Decision-Making NPC Circular 17-01)
(

● Mandatory Registration
○ A. the PIC or PIP employs at least two hundred fifty (250) employees;
○ B. the processing includes sensitive personal information of at least one thousand (1,000)
individuals;
○ C. the processing is likely to pose a risk to the rights and freedoms of data subjects.
○ D. the processing is not occasional
● Voluntary Registration
○ An application for registration by a PIC or PIP whose data processing system does not
operate under any of the conditions set out in the next preceding Section shall be accepted as
a voluntary registration.

When to Register? two (2) months of the commencement of such system

Personal Information Processor

1. Any natural or juridical person or any other body to whom a personal

information controller may outsource or instruct the processing of personal
data pertaining to a data subject.
2. Performs the instruction to process personal information based on a
processing agreement with a Personal Information Controller that protects
privacy of a Data Subject. Privacy protection is measures taken to ensure
privacy. The measures include data protection and limitations on the
gathering, combining, and processing of data about individuals.
Personal Information Processor

3. Personal information processors implements reasonable and appropriate

organizational, physical, and technical security measures for the protection of
personal data. The personal information processor shall take steps to ensure that
any natural person acting under their authority and who has access to personal
data, does not process them except upon their instructions, or as required by law

4. A service provider engaged by government for the purpose of storing personal

data under the agency’s control or custody, functions as a personal information
processor and complies with all the requirements of the Act, its IRR and all
applicable issuances by the Commission.
Personal Information Processor
5. Involved in the processing of personal data who is obligated by law to develop, implement
and review

A. A procedure for the collection of personal data, including procedures for obtaining
consent, when applicable
B. Procedures that limit the processing of data, to ensure that it is only to the extent
necessary for the declared, specified, and legitimate purpose
C. Policies for access management, system monitoring, and protocols to follow during
security incidents or technical problems
D. Policies and procedures for data subjects to exercise their rights under the Act
E. Data retention schedule, including timeline or conditions for erasure or disposal of
records.
Personal Information Processor in your Agency
Data Protection Officer

The Data Protection Officer is designated by a Personal Information Controller or

Personal Information Processor to be accountable for the organization’s
compliance with applicable laws and regulations for the protection of data privacy
and security.
Data Protection Officer (Compliance Oversight) (NPC Advisory 2017-1)

The key result areas of an independent Data Protection Officer are the following:

1. Monitor the compliance of the Personal Information Controller and Processor

with the R.A 10173 implementing rules and regulation, and with the circulars,
advisories and case resolution issued by the National Privacy Commission.
2. Advice the Personal Information Controller or Processor regarding
complaints and/or the exercise by data subjects of their rights.
3. Respond to the concern and complain of a Data Subject on the violation of
data privacy in accordance with NPC rules of procedure.
Data Protection Officer (Compliance Oversight) (NPC Advisory 2017-1)

4. Ensure the conduct of Privacy Impact Assessment on the process, system and
technology of personal data processing of the Personal Information Controller or
Processor
5. Ensure proper data breach and security incident management of the Personal
Information Processor and Controller. Make sure that the communication and
documentation requirements of the National Privacy Commission are responded by
the Personal Information Controller or Processor
6. Inform and cultivate awareness on privacy and data protection within the
organization. Ensure the conduct of enterprise or agency wide capacity building or
training program, and regular personnel training on data privacy and security
management
Data Protection Officer (Compliance Oversight) (NPC Advisory 2017-1)

7. Advocate the development, review and/or revision of policies, guidelines,

projects and/or programs of the Personal Information Controller or Processor
related to privacy and data protection, by adopting a privacy by design
approach
8. Serve as the contact person of the Personal Information Controller or
Processor to relate with a data subjects, interest group, National Privacy
Commission, and other authorities in all matters concerning data privacy or
security issues or concern
9. Cooperate, coordinate and seek advice of the National Privacy Commission
regarding matters concerning data privacy and security
KEY ROLES IN THE DATA PRIVACY ACT
Data Subjects - Refers to an individual whose, sensitive personal, or privileged information is
processed personal

Personal Information Controller (PIC) - Controls the processing of personal data, or instructs
another to process personal data on its behalf.

Personal Information Processor (PIP) - Organization or individual whom a personal information

controller may outsource or instruct the processing of personal data pertaining to a data subject

Data Protection Officer (DPO) - Responsible for the overall management of compliance to DPA

National Privacy Commission - Independent body mandated to administer and implement the
DPA of 2012, and to monitor and ensure compliance of the country with international standards
set for personal data protection
Examples of Breaches
1. COMELeak 14. Use of USB
2. Hospital – unsecure storage records 15. Personal laptop stolen
3. Student transferred by her parent without her 16. Lost a CD in transit
knowledge 17. An error in viewing of student records in the online
4. Clinical record of a student to disclose with her parents system
5. List of top students/passers 18. Use of re-cycled papers
6. Known Fastfood delivery – disclosing personal info of 19. Raffle stubs
clients 20. Universities and Colleges websites with weak
authentication
7. No Data sharing agreement (DSA) between and among
21. Personal Records stolen from home of an employee
Schools and Universities
22. Photocopiers re-sold without wiping the hard drives
8. Cedula in malls
23. Release of CCTV Footage
9. Security issues in buildings – logbook
24. Hard drives sold online
10.Profiling of customers from a mall
25. Password hacked/revealed
11.Unjustifiable collection of personal data of a school 26. Unencrypted Data
12.No Privacy Notice
Data Privacy Rights Violation

Unauthorized processing

It is when personal information is processed without the consent of the data

subject, or without being authorized using lawful criteria.
Data Privacy Rights Violation

Negligence in access

It is when personal information is made accessible due to negligence and without

being authorized by any existing law.
Data Privacy Rights Violation

Improper disposal

It is when personal information is knowingly or negligently disposed, discard, or

abandon in an area accessible to the public or has otherwise placed the personal
information of an individual in any container for trash collection
Data Privacy Rights Violation

Unauthorized purpose

It is when personal information is processed for purposes not authorized by the

data subject, or otherwise authorized by any existing laws.
Data Privacy Rights Violation

Unauthorized access or intentional breach

It is when an individual handling personal information knowingly and unlawfully, or

violating data confidentiality and security data systems, breaks in any way into any
system where personal and sensitive personal information are stored
Data Privacy Rights Violation

Concealed breach

It is when an individual or entity who has knowledge of a security breach and of

the obligation to notify the Commission pursuant to Section 20(f) of the Act,
intentionally or by omission conceals the fact of such security breach.
Assessment 1

Please answer assessment 1 on Google Classroom.

RIGHTS OF THE DATA SUBJECT RESPECTED

R.A. 10173 Chapter IV

I.R.R. Rule VIII
Data Subject
Refers to an individual whose, sensitive personal,
or privileged information is processed personal
RIGHTS OF THE DATA SUBJECT

1. The right to be informed

Data subject is INFORMED before the collection,
retention, processing, disclosure, and disposal of
personal data, and in the event there is breach of
data privacy.
The right to be informed
A. Description of the personal data to be entered in the system;
B. Purposes for which they are being or will be processed, including processing for direct marketing,
profiling or historical, statistical or scientific purpose;
C. Basis of processing, when processing is not based on the consent of the data subject;
D. Scope and method of the personal data processing;
E. The recipients or classes of recipients to whom the personal data are or may be disclosed;
F. Methods utilized for automated access, if the same is allowed by the data subject, and the extent to
which such access is authorized, including meaningful information about the logic involved, as well
as the significance and the expected consequences of such processing for the data subject;
G. The identity and contact details of the personal information controller or its representative;
H. The period for which the information will be stored; and
I. The existence of their rights as data subjects.
RIGHTS OF THE DATA SUBJECT

2. The right to give consent

Data subject gives direct CONSENT before
collection, retention, processing, disclosure, and
disposal of personal data. Unless, there is legal
basis for exception.
RIGHTS OF THE DATA SUBJECT

2. The right to give consent

Consent shall be evidenced by written, electronic or
recorded means.
It may also be given on behalf of the data subject
by an agent specifically authorized by the data
subject to do so.
RIGHTS OF THE DATA SUBJECT

2. The right to give consent

Evidenced by written, electronic or recorded
means: signature opt-in box/clicking an icon
sending a confirmation email oral confirmation
RIGHTS OF THE DATA SUBJECT

2. The right to give consent

Consent should be unbundled from other terms
and conditions (including giving granular consent
options for different types of processing) wherever
possible.
• Clear affirmative action means someone must
take deliberate action to opt in.
Unbundled Consent
Granular Consent
RIGHTS OF THE DATA SUBJECT

2. The right to access

Data subject is provided ACCESS to the data
processing activities, as determined by existing
laws and agreement
RIGHTS OF THE DATA SUBJECT
2. The right to access
a. Contents of his or her personal data that were processed;
b. Sources from which personal data were obtained;
c. Names and addresses of recipients of the personal data;
d. Manner by which such data were processed;
e. Reasons for the disclosure of the personal data to recipients, if any;
f. Information on automated processes where the data will, or is likely to, be made
as the sole basis for any decision that significantly affects or will affect the data subject;
g. Date when his or her personal data concerning the data subject were last accessed and
modified; and
h. The designation, name or identity, and address of the personal information controller.
RIGHTS OF THE DATA SUBJECT

3. The right to object

Data subject is allowed to OBJECT the processing
of personal data, most especially when there is
concern on data privacy violation, or related to
direct marketing, automated processing or
profiling. A procedure to withdraw consent is
made available.
RIGHTS OF THE DATA SUBJECT

4. The right to object

The personal information controller should not process the personal data
without consent unless
a. The personal data is needed pursuant to a subpoena;
b. The collection and processing are for obvious purposes, including, when it is
necessary for the performance of or in relation to a contract or service to which
the data subject is a party, or when necessary or desirable in the context of an
employer-employee relationship between the collector and the data subject; or
c. The information is being collected and processed because of a legal
obligation.
RIGHTS OF THE DATA SUBJECT

4. The right to object

Can I object to direct marketing?
Yes. The right to object to direct marketing is stronger than any
objections you can make about other uses of your data.
If you object, the organisation cannot refuse your objection and
must stop using your data for direct marketing purposes. For
example, they cannot carry on using your data to try to sell or
promote things to you.
RIGHTS OF THE DATA SUBJECT

5. The right to erasure or blocking

Data subjected is allowed to BLOCK or ERASE
personal data processing and personal information
in the personal information controller’s filing system,
or automated program.
RIGHTS OF THE DATA SUBJECT
5. The right to erasure or blocking
This right may be exercised upon discovery and substantial proof of any of the following:
a. The personal data is incomplete, outdated, false, or unlawfully obtained;
b. The personal data is being used for a purpose not authorized by the data subject; The right to erasure or
blocking
c. The personal data is no longer necessary for the purposes for which they were collected;
d. The data subject withdraws consent or objects to the processing of his or her information, and there is no
other legal ground or overriding legitimate interest for the processing;
e. The personal data concerns private information that is prejudicial to data subject, unless justified by freedom
of speech, of expression, or of the press or otherwise authorized;
f. The processing is unlawful; or
g. The personal information controller or personal information processor violated the rights of the data subject.
The personal information controller may notify third parties who have previously received such processed
personal information.
RIGHTS OF THE DATA SUBJECT

6. The right to rectify

Data subject is allowed to RECTIFY or CORRECT
the inaccuracy or error in the personal data, and
have the personal information controller to make
correction.
Example

A government employee resigned from her agency with a period with premium
payments of 20.49 years. The employee’s birthdate indicated in her Government
Service Insurance System (GSIS) records is 30 June 1959. However, her National
Statistics Office (NSO) authenticated Certificate of Live Birth shows 30 June 1952
as her birthdate. Her birthdate will determine when she will start receiving her
monthly pension – in 2019 if based on the GSIS record, and in 2012 if based on
her birth certificate. She, thus, invoked her right to rectify her personal data under
the Data Privacy Act of 2012.
How to exercise your right to rectify

if the organization does not yet have a system or form for data rectification, you
must execute a written request to the organization, addressed to its Data
Protection Officer (DPO), and have it received. In the letter, mention that your
request is being made in exercise of your right to object under the Data Privacy
Act of 2012. Documents to support your request must be attached. The DPO must
act on your written request. In case you feel your request have not been addressed
satisfactorily, you may file a formal complaint before the NPC, attached therewith
your request letter to the DPO.
RIGHTS OF THE DATA SUBJECT

7. The right to data portability

Data subject is provided with ability to obtain from
the personal information controller a digital copy of
personal data which is called right to DATA
PORTABILITY.
RIGHTS OF THE DATA SUBJECT

7. The right to data portability

Data portability allows you to manage your
personal data in your private device, and to
transmit your data from one personal information
controller to another. As such, it promotes
competition that fosters better services for the
public.
Examples

You may also exercise this right if you intend to get a usable copy of your personal
health records for the use of other doctors you may like to consult.

In banking, the right to data portability may be used to reduce the risks of being
locked-in with one single service provider, thereby expanding customers’ options
and improving customer experience.
RIGHTS OF THE DATA SUBJECT

8. The right to complain

Data subject is informed and provided with
procedure to COMPLAIN direct experience or
concern about data privacy violation
Who may complain?
Under Section 3, the following can file a complaint:

1. The National Privacy Commission (NPC), on its own initiative;

2. Those who have suffered a data privacy violation or personal data breach; and
3. Persons who are personally affected by a violation of the Data Privacy Act of 2012 (Republic Act No. 10173).

Persons who are the subject of the data privacy violation or personal data breach may appoint a duly authorized
representative to prosecute the complaint on their behalf.

Those who are not personally affected by a data privacy violation or personal data breach may: (a) request for an
advisory opinion on data protection matters; or (b) inform the NPC of a data protection concern.

The NPC may monitor the subject organization or take such further action as may be necessary.

Those who wish to file a complaint must comply with the rule of exhaustion of remedies. This rule means that in filing the
complaint, a complainant must be able to show that there was an opportunity offered in good faith to have the
respondent comply with any legal obligations involving data protection and privacy.
How to file a complaint?
Formal complaints are made by filing a complaint-affidavit, together with copies of any evidence and
affidavits of any witnesses at any NPC office.

Complaints can also be made by electronic filing, by: (a) attaching these documents in a specific e-mail sent
to [email protected]; or (b) submitting a portable electronic data storage device to any NPC office.

Electronic documents must digitally signed in and in .PDF format (if practicable), on page sizes compliant
with the Efficient Use of Paper Rule. If submitted in this digital format, the NPC may charge fees for printing.

If submitting through a portable electronic data storage device, similar portable data storage devices
containing the same files must also be given to any opposing party so named. One portable data storage
device is equivalent to one copy.

If the portable data storage device is infected with malware, the documents will not be considered as having
been filed.
RIGHTS OF THE DATA SUBJECT

9. The right to claim damages

Data subject is provided with procedure to CLAIM
DAMAGES, which is to be indemnified for damages
sustained due to inaccurate, incomplete, outdated,
false, unlawfully obtained, or unauthorized use of
personal data.
How to exercise your right to damages
Write or speak to the organization which mishandled your personal information to see if you
can reach an agreement and claim compensation. If you feel that your concern has not been
satisfactorily addressed, you should write to the organization and inform them of your intent to
take the matter to the court, before you start court proceedings. Talk to a legal adviser if you
want to make a claim in court.

The NPC has no role in dealing with compensation claims. But you may request NPC to assess
if the organization mishandled your personal data and broke the DPA. You can give a copy of
the NPC’s letter to the court along with the evidence to prove your claim. This, however, does
not guarantee that the judge will fully agree with NPC’s view. You may also require someone
from the NPC to give expert evidence which will only be allowed if the judge orders it. The party
calling the witness will have to shoulder the corresponding cost.
Do not COLLECT if you
cannot PROTECT
Assignment 1
Personal Information vs Sensitive Personal Information