Data Privacy Protection

Training of Trainers
 Learning Topics

1. Statutory Goals and Regulatory Objectives

2. International Standards of Data Protection
3. Data Privacy Risk Management
4. Data Privacy and Information Security
Controls
5. Data Breach Incident Management
 TOPIC 1: STATUTORY GOALS &
REGULATORY OBJECTIVES

Learning Objectives
Determine, describe, document and
demonstrate the questions of understanding
compliance of the organization to the statutory
goals and regulatory objectives of “protecting
individual personal information in information and
communications systems in the government and
the private sector” (R.A. 10173- Data Privacy Act 2012)
Basic Belief on
Data Privacy The
information
The personal
data has to
system be protected
Protection
The
owner and
developer
with security
controls
information are against
controller and obligated to information
The person processor are plan, design, security
has human R.A. 10173obligated to build, test, threats that
rights, andImplementing Rules
apply the and release violate the
among thoseand Regulations
privacy a personal confidentiality
rights is to be protection data , integrity,
“let alone.” principles in processing and Rule VI
An individual
is made free
personal data product andRule availability of
collection, services personal
to act againstNational Privacy
retention, that XII information.
any intrusionCommission
use,
Advisory
Rule IV
sharing,
Circular, and
conform to
that
Rule and
undermines Case Resolution
disposal. privacy and
security
VIII
the privacy of rules and
personal data
 1. Protect the fundamental
[1]
R.A. 10173 – Section 2 Declaration of Policy
human right of privacy, of
communication while
Goals of ensuring free flow of
R.A. 10173 information to promote
innovation and growth.

2. Ensure that personal

information in information
and communications
systems in the
government and in the
private sector are secured
 and maintain?
[1]
R.A. 10173 – Section 2 Declaration of Policy 1. Implementation of rules and
standards to respect privacy rights
and to assure confidentiality,
Goals of integrity, and availability of personal
information.
R.A. 10173 2. Compliance governance to lead,
direct, and control data privacy
assurance and security of personal
information protection.
3. Enabling capability for the personal
information controller and processor
to accomplish the mandated
requirements of compliance that are
monitored in order to assure privacy
protection and information security.
4. Provision of regulation and procedures
 and eliminate?
[1]
R.A. 10173 – Section 2 Declaration of Policy 1. Penalized violation against data
privacy of a data subject
2. Non-conformity of the filing system,
Goals of automation program and
technology services to the data
R.A. 10173 privacy rights, data privacy
principles, lawful processing
criteria, condition to process
sensitive information, and security
measures in the personal data
collection, processing, retention,
sharing, and disposal.
3. Insecure technology infrastructure
and negative user behaviour of
unlawful access, control,
vidence of Data Privacy and Security Measures
 Compliance officer contract and
announcement to data subject
 Data protection and security policies
adopted and published by management
 Registration of data processing system
 Privacy and security risks assessment
called privacy impact assessment
 Recorded processing activities of
exercised privacy rights and application
of privacy principles in the data
vidence of Data Privacy and Security Measures
 Management of human resources
associated with data privacy and
information security requirements
 Application and monitoring of privacy
limitations in the data processing of
personal information
 Contracts of the personal information
processor
 Policies and procedures to limit access
and activities in the room, workstation,
dence of Data Privacy and Security Measures
 Security and privacy design of the
workplace or physical location of data
processing
 Work schedule of responsible to use the
workplace of data processing
 Policies and procedures regarding the
transfer, removal, disposal, and re-use
of electronic media
 Policies and procedures that prevent the
mechanical destruction of files and
equipment

dence of Data Privacy and Security Measures
 A security policy that assures the
confidentiality, integrity and availability
of personal information
 Safeguards to protect their computer
network against accidental, unlawful or
unauthorized usage, any interference
which will affect data integrity or hinder
the functioning or availability of the
system, and unauthorized access
through an electronic network
 Ability to ensure and maintain the
dence of Data Privacy and Security Measures

 Regular monitoring for security

breaches, and a process both for
identifying and accessing reasonably
foreseeable vulnerabilities in their
computer networks, and for taking
preventive, corrective, and mitigating
action against security incidents that
can lead to a personal data breach
 Ability to restore the availability and
access to personal data in a timely
dence of Data Privacy and Security Measures
 Process for regularly testing, assessing,
and evaluating the effectiveness of
security measures in the infrastructure
of personal data processing
 Encryption of personal data during
storage and while in transit,
authentication process, and other
technical security measures that control
and limit access.
 R.A. 10173 Data Privacy Management Requirements
Privacy Protection Management
Requirements Results
1. Data privacy and security Governance and
governance and oversight oversight roles,
accountability,
responsibility
2. Personal data and processing Registry of personal
system visibility, registration, data, filing system,
and risks assessment automation program and
PIA report
3. Respect the exercise of data Data privacy rights
privacy rights policy, procedures,
 R.A. 10173 Data Privacy Management Requirements

Privacy Protection Management

Requirements Results
6. Defined conditions to process Privacy policy and system
sensitive personal information conformity test

7. Accountability in personal data Data sharing agreement, and

sharing security measures
8. Security measures in personal Organization, physical and
information protection technical measures – policy,
role, activities, product,
services and technology
9. Breach incident management Breach reporting and case
and privacy violation management
 R.A. 10173 –Data Privacy Act 2012 –NPC
Circular 16-01
Accountability
f Agency – Personal and (PIC)
Information Controller
Obligation Responsibility Applicability Evidence Y/N
Published information about the
1. Check designated DPO
He/ She has designated a Data Protection Officer
to perform data privacy oversight of the agency.
Service Contract for outsource DPO.
2. He/ She conducted data privacy impact
Privacy impact assessment team,
assessment (PIA) of data processing system of
guide and report.
the agency.
3. He/ She created data privacy and protection Published data privacy and
policies based on PIA report and Sections 25 to protection policies available in all
29 of the IRR. business units and website
4. He/ She conducted the mandatory, agency-wide
HR data privacy training plan, data
training on privacy and data protection policies
privacy management manual, data
once a year, and regular training to orient
privacy and protection policy guide.
personnel.
Data processing systems inventory
5. He/ She registered to NPC the data processing
 R.A. 10173 –Data Privacy Act 2012
Accountability and Responsibility
Head of Data Processing–Applicability Check
Personal Information Processor (PIP)
Obligation Evidence Y/N
1. He/ She has the procedure for the collection of personal Data privacy and
data, including procedures for obtaining consent, when protection policies
applicable
2. She/ He has the procedures that limit the processing of Data management
data, to ensure that it is only to the extent necessary for the manual
declared, specified, and legitimate purpose Privacy service
agreements
3. He/ She has the policies for access management, system
monitoring, and protocols to follow during security incidents
or technical problems
4. He/ She has the policies and procedures for data subjects to
exercise their rights under the law
5. He/ She has the data retention schedule, including timeline
or conditions for erasure or disposal of records
Privacy impact
 R.A. 10173 –Data Privacy Act 2012 – NPC
Advisory 2017-01
Accountability
a Protection Officer –(DPO/COP)and Responsibility
Obligation Applicability Check
Evidence Y/N
1. He/she has monitored the compliance of the head of
agency (PIC) and business unit head of data processing Recorded activity of
(PIP) on the implementation of privacy rules and compliance monitoring
standards
2. He/she has advised the PIC and PIC on complaint Advisory notices of privacy
related data privacy violation and about the exercise of violation complaint and
privacy rights exercise of privacy rights
DPO information is published
for complaints and concern
3. He/she has responded to the data privacy violation
about data privacy
complaints of a data subject
Complaint procedure
guideline
4. He/she has ensured that PIC and PIC conducted the
privacy impact assessment of the information Privacy impact assessment
processing and communication system of personal data guide and report
What is
FAILURE in
the
governance
of
data
Administrative Fines
Section 2. Administrative Fines.
Any PIC or PIP who shall violate the
following provisions of R.A. 10173,
its IRR, and the issuances of the
Commission shall be liable for an
administrative fine for each
infraction.
 Administrative Fines
GRAVE INFRACTIONS
1. Infraction on the general privacy
principles in the processing of
personal data pursuant to Section
11 of the DPA, where the total
number of affected data subjects
Grave infraction gets administrative exceeds one thousand (1,001 or
fines of 0.5% to 3% of the annual
gross income of the immediately more).
preceding year when the infraction
occurred: 2. Infraction on the data subject rights
pursuant to Section 16 of the DPA,
 Administrative Fines
MAJOR INFRACTIONS
1. Any failure by a PIC to implement reasonable and
appropriate measures to protect the security of
personal information pursuant to Section 20 (a),
(b), (c), or (e) of the DPA.
2. Any failure by a PIC to ensure that third parties
processing personal information on its behalf
shall implement security measures pursuant to
Section 20 (c) or (d) of the DPA; or e.
Major infractions are subject to 3. Any failure by a PIC to notify the Commission and
administrative fines of 0.25% to 2% of affected data subjects of personal data breaches
the annual gross income of the
pursuant to Section 20 (f) of the DPA, unless
immediately preceding year when the
otherwise punishable by Section 30 of the DPA.
infraction occurred.
Data Privacy
Protection
Regulatory
Compliance
 PRIVACY

It is freedom from intrusion

into the private life or affairs
of an individual or person
when that intrusion results
(ISO 2382) from undue or illegal
gathering and use of data
about that individual.
 PRIVACY PROTECTION

It represents the definitive act

of respecting the person's rights
of privacy and the security of
personal data that are being
(ISO 2382)
collected, processed, retained,
shared, and disposed of by the
personal information controller
 Data Protection Rules of RA 10173
–Data Privacy Act of 2012?
Rule 1 – Policy and Definitions
Rule 2 – Scope of Application
Rule 3 – National Privacy Commission
Rule 4 – Data Privacy Principles
Rule 5 – Lawful Processing of Personal Data
Rule 6 – Security Measures Protection of Personal Data
Rule 7 - Security of Sensitive Personal Information in
Government
 Data Protection Rules of RA 10173
–Data Privacy Act of 2012?
Rule 8 - Rights of Data Subject
Rule 9 - Data Breach Notification
Rule 10 – Outsourcing and Subcontracting
Rule 11 - Registration and Compliance
Requirements
Rule 12 – Rules on Accountability
Rule 13 – Privacy Violation Penalties
Rule 14 – Miscellaneous Provisions
 Data Privacy Protection Compliance

Data Privacy is inventory and registration of

information and communication system
 RA 10173 IRR RULE XI – Registration and
Compliance
Requirement
 NPC Circular 2022-04 - Registration of Personal
Data Processing System
 Registration Content
1. The name and address of the personal information
controller or personal information processor, and of its
representative, if any, including their contact details
2. The purpose or purposes of the processing, and whether
processing is being done under an outsourcing or
subcontracting agreement
3. A description of the category or categories of data subjects,
and of the data or categories of data relating to them
4. The recipients or categories of recipients to whom the data
Rule XI might be disclosed
Section 47 5. Proposed transfers of personal data outside the Philippines
 Registration Content
6. A general description of privacy and security
measures for data protection
7. Brief description of the data processing system;
8. Copy of all policies relating to data governance, data
privacy, and information security
9. Attestation to all certifications attained that are
related to information and communications
processing
Rule XI 10. Name and contact details of the compliance or data
Section 47 protection officer, which shall immediately be
updated in case of changes
INVENTORY OF DATA AND APPLICATION SYSTEM
BUSINESS BUSINESS DATA DATA DATA SHARE PROCESSIN
FUNCTION PROCESS COLLECT, INFORMATIO COLLECTED G
AND UNIT STORE, USE, N AND CONTROL
AUTHORITY SHARE PROCESSIN STORED COMPLIANC
G SYSTEM DATA E
Official name The name of Name the Name of the Identify the Identity the law,
of the business the process and category of filing system if category of regulation,
function database owner data being the data are data collected advisories, and
in carrying out created, being and stored by agreement that
the activities collected, processed the business make valid the
required for a stored, use, manually unit that by authority,
mandated reuse, share, regulation and scope, input,
results of the disclose, and Name of the agreement process,
business disposed in information and must be shared output,
function achieving the communication to legitimate 3rd location,
legitimate system if data party quality,
purpose of are being quantity, time,
business processed with security,
process digital privacy and
technology. cost of data
and application
system
 INVENTORY OF DATA AND APPLICATION SYSTEM

BUSINESS APPLICATIO DEVELOPME DATABASE RELATED 3RD PARTY

FUNCTION N SYSTEM NT TECHNOLOG SYSTEM FOR SERVICE
PROCESS OF TECHNOLOG Y DATA PROVIDER
INFORMATIO Y SHARING
N
PROCESSIN
G
Official name The name of Name the kind Name the kind Identify the Identity how
of the business the information of application of database business entity system is
process to processing development technology and the system developed,
achieve the system that is technology to being used, and that are operated and
legitimate used to create, design, code, brand necessary for maintain.
purpose of the collect, store, test, release, specification the data
information to transmit, use, maintain the sharing of Who are the
be created share, present, information and information party involve in
and dispose communication collection and the service
data system use provision.
Administration Recruitment Java Technology Open Source CSC In-house
Human and Hiring MYSQL Information development
Resource System System and support
Management GSIS ILMAAMS
 SIPOC OF PERSONAL DATA PROCESSING

[] Filing System Data Processing System Name:

[] Automated System
Accountable: Responsible:
Personal Information Controller Personal Information Processor & 3rd Party
Legitimate Purpose: Trigger Event: Compliance:
What value the process delivers What is What is the regulatory or policy
to the customers of the function: condition to reference to validate and verify
What is legitimate interest to cause the start acceptability of input-process-
achieve of the process output and responsible

SOURCE INPUT PROCEDURE OUTPUT CUSTOMER

The first person What data to 1. Collect What Who is internal
data subject or collect, retain, 2. Store information is user or 3rd
the 3rd party of and use 3. Use shared Party of
data share 4. Disclose disclosed
5. Dispose information
 Data Privacy Protection Compliance

 Data Privacy is about personal data,

facts about the individual, that can
directly or indirectly identify the
person with rights to privacy
 Personal Data Category
1. Name Given name, middle name, surname, alias
2. Identification License number, tax number
number
3. Location data Address, GPS location
4. Online identifier e-mail, IP address
5. Digital identifier Biometric, CCTV data
6. Genetic Data DNA test result
7. Health Data Diagnostic report
8. Research Data Research question, enumerator interview logs
9. Physical factor Height, weight, sex
10. Physiological Body chemistry
factor
11. Mental factor Intellectual aptitude test results
12. Economic factor Salary, debts, property
 Sensitive Personal Information (RA 10173
sec 3i)
1. Health, education, genetic or sexual life of a person
2. Proceeding for any offense committed or alleged to
have been committed by such individual, the
disposal of such proceedings, or the sentence of
any court in such proceedings
3. Individual’s race, ethnic origin, marital status, age,
color, and religious, philosophical or political
affiliations
4. Identification document issued by government
agencies peculiar to an individual which includes,
but is not limited to, social security numbers,
 Privileged Personal Information
Privileged information refers to all forms of
data, which, under the Rules of Court and
other pertinent laws constitute privileged
communication.
1. Patient and doctor communication
2. Client and lawyer communication
3. Informant and reporter
 Privacy Rights on Personal Data

Privacy Rights
of Respect Indicators
Data Subject
1. The right to be Privacy Notification
informed
Written or recorded
2. The right to give
consent
agreement to
process personal data
 Privacy Rights on Personal Data
Privacy Rights
of
Respect Indicators
Data Subject -
Student
5. The right to erasure Permission to withdraw and
or blocking delete personal data
Permission to check accuracy
6. The right to rectify
and to correct
7. The right to data Ability to request and
portability
 Data Privacy Protection Compliance

Data Privacy is about the “processing of

information ” that is legally limited by
privacy principles and lawful criteria.

 RA 10173 IRR RULE IV - Privacy Principles

 PNS ISO/IEC 29100 – Information technology –
Security techniques – Privacy framework
 RA 10173 IRR RULE V – Lawful Processing of
Personal Data
 Regulated Processes of Information System in R.A. 10173

Processing refers to any operation or any set of

operations performed upon personal data including,
but not limited to, the collection, recording,
organization, storage, updating or modification,
retrieval, consultation, use, 1.Collection
consolidation, (Data
blocking,
erasure or destruction of data. Gathering)
2.Retention (Data
 Filing system
Storage)
 Information and Communication System 3.Use (Data
 Automation Program
Processing)
 Personal Data
Collection and Retention Process
Input
DATA SUBJECT

Request to
Give
Personal Personal Data View
Consent Block
Information or Change
Request Correct
Requirement
Read Notification Delete
Copy
PI CONTROLLER

Data Privacy
Privacy Regulation, Instruct Collection Yes Rights
No
Policy and Controls and Retention of Principles
Personal Data Capture & Store
Rules

Yes
PI PROCESSOR

PI PROCESSOR

Data Execute Personal Ready for

Processing Personal Data Data use and
Agreement Collection and Store disclosure
Retention
 Personal Data
Use and Disclosure Process
View
Give Input Block
SUBJECT

Personal Consent Personal

DATA

Correct
Information Data Delete
Requirement Read Copy
Or Complain
Notification
Request
Access
CONTROLLE

Data Instruct
Yes Legitimate Use No
Privacy Utilization and Criteria Lawful
PI
R

Regulation, Sharing of Processing

Policy and Personal Data Privacy Control
Controls
Yes
3rd PARTY

Data Execute Personal

PI PROCESSOR

the Use and Display Data

Utilization and Processing
Sharing Sharing of Sharing
Data and Results Store
Agreement
 Personal Data
Disposal Process
Give Input View
SUBJECT

Personal Consent
DATA

Information Request Copy

Requirement Read Access Complain
Notification

Instruct
CONTROLLE

Data Disposal
Disposal of No
Privacy
Stored
Yes Condition Retention
PI
R

Regulation, Rule
Personal
Policy and Responsible
Information
Controls
Execute Yes
3rd PARTY

Data File
PI PROCESSOR

the Disposal or
Retention and Shredde
Destruction of
Disposal d Media
Personal Data
Agreement Destroye
and Media
d
 PRIVACY PRINCIPLES
undational belief of data processing system
privacy by design and by default
TransparencyConsent and choice
AccuracyParticipation
egitimate Purpose
Proportionali Accountability
ty
Fairness Anonymity
Lawfulness Minimization
 Privacy Principles of Personal Data Processing (Rule IV)
Principles of Transparency, Legitimate Purpose
and Proportionality
1. The data subject must be aware of the nature,
Transparency purpose, and extent of the processing of his or her
personal data, including the risks and safeguards
involved, the identity of personal information
controller, his or her rights as a data subject, and how
these can be exercised. Any information and
communication relating to the processing of personal
data should be easy to access and understand, using
clear and plain language.
2. Legitimate The processing of information shall be compatible with
purpose a declared and specified purpose which must not be
contrary to law, morals, or public policy.
 Privacy Principles of Personal Data Processing (Rule IV)

General principles in collection, processing and

retention
1. Collection must Consent is required prior to the collection and
processing of personal data, subject to exemptions
be for a provided by the Act and other applicable laws and
declared, regulations. When consent is required, it must be time-
bound in relation to the declared, specified and
specified, and legitimate purpose. Consent given may be withdrawn.
legitimate purpose The data subject must be provided specific information
regarding the purpose and extent of processing,
including, where applicable, the automated processing
of his or her personal data for profiling, or processing
for direct marketing, and data sharing.
Purpose should be determined and declared before, or
as soon as reasonably practicable, after collection
 Privacy Principles of Personal Data Processing (Rule IV)
2. Personal data Processing shall uphold the rights of the data subject,
including the right to refuse, withdraw consent, or object. It
shall be shall likewise be transparent, and allow the data subject
processed fairly sufficient information to know the nature and extent of
processing.
and Information provided to a data subject must always be in
lawfully. clear and plain language to ensure that they are easy to
understand and access.
Processing must be in a manner compatible with declared,
specified, and legitimate purpose
Processed personal data should be adequate, relevant, and
limited to what is necessary in relation to the purposes for
which they are processed

Processing shall be undertaken in a manner that ensures

appropriate privacy and security safeguards.
 Privacy Principles of Personal Data Processing (Rule IV)
4. Personal Data Retention of personal data shall only for as
shall not be long as necessary:
retained longer (a) for the fulfillment of the declared, specified,
than necessary and legitimate purpose,
or when the processing relevant to the
purpose has been terminated;
(b) for the establishment, exercise or defense of
legal claims; or
(c) for legitimate business purposes, which must
be consistent with
standards followed by the applicable
industry or approved by
appropriate government agency
Retention of personal data shall be allowed in
 Privacy Principles of Personal Data Processing (Rule IV)
5. Any authorized Personal data originally collected for a declared,
specified, or legitimate purpose may be
further
processed further for historical, statistical, or
processing shall scientific purposes, and, in cases laid down in law,
have adequate may be stored for longer periods, subject to
safeguards. implementation of the appropriate organizational,
physical, and technical security measures
required by the Act in order to safeguard the
rights and freedoms of the data subject
Personal data which is aggregated or kept in a
form which does not permit identification of data
subjects may be kept longer than necessary for
the declared, specified, and legitimate purpose
 Privacy Principles of Personal Data Processing (Rule IV)

General Principles for Data Sharing

1. Data sharing Provided, that there are
shall be allowed adequate safeguards for
when it is data privacy and security,
expressly and processing adheres to
authorized by principle of transparency,
law: legitimate purpose and
proportionality
 Privacy Principles of Personal Data Processing (Rule IV)
General Principles for Data Sharing
2. Data 1. Consent for data sharing shall be required even when the data is to shared
with an affiliate or mother company, or similar relationships
Sharing
shall be 2. Data sharing for commercial purposes, including direct marketing, be
covered by a data sharing agreement.
allowed
in the 3. The data subject shall be provided with the following information p to
private collection or before data is shared:
(a) Identity of the personal information controllers or personal information
sector if processors that will be given access to
the data the personal data
subject (b) Purpose of data sharing;
(c) Categories of personal data concerned;
consents
(d) Intended recipients or categories of recipients of the personal data;
to data
sharing, (e) Existence of the rights of data subjects, including the right to access and
correction, and the right to object
and the (f) Other information that would sufficiently notify the data subject of the
 Privacy Principles of Personal Data Processing (Rule IV)
Data collected When the personal data is publicly available or has
from parties other the consent of the data subject for purpose of
than the data research: Provided, that adequate safeguards are in
subject for place, and no decision directly affecting the data
purpose of subject shall be made on the basis of the data
research collected or processed. The rights of the data subject
shall be allowed shall be upheld without compromising research
integrity.
Data sharing 1. Any or all government agencies party to the
between agreement shall comply with the Act,
government these Rules, and all other issuances of the
agencies for Commission, including putting in place
the purpose of a adequate safeguards for data privacy and security.
public
 Personal Data Processing Lawful Criteria(Rule V)
1. The data subject must have given his or her consent prior to the collection, or as soon as practicable and
reasonable
2. The processing involves the personal information of a data subject who is a party to a contractual
agreement, in order to fulfill obligations under the contract or to take steps at the request of the data
subject prior to entering the said agreement
3. The processing is necessary for compliance with a legal obligation to which the personal information
controller is subject
4. The processing is necessary to protect vitally important interests of the data subject, including his or her
life and health
5. The processing of personal information is necessary to respond to national emergency or to comply with
the requirements of public order and safety, as prescribed by law
6. The processing of personal information is necessary for the fulfillment of the constitutional or statutory
mandate of a public authority
7. The processing is necessary to pursue the legitimate interests of the personal information controller, or
by a third party or parties to whom the data is disclosed, except where such interests are overridden by
fundamental rights and freedoms of the data subject, which require protection under the Philippine
Constitution.
 Sensitive Personal Information Processing (Rule V)
1. Consent is given by data subject, or by the parties to the exchange of privileged information, prior to the
processing of the sensitive personal information or privileged information, which shall be undertaken
pursuant to a declared, specified, and legitimate purpose
2. The processing of the sensitive personal information or privileged information is provided for by existing
laws and regulations: Provided, that said laws and regulations do not require the consent of the data
subject for the processing, and guarantee the protection of personal data
3. The processing is necessary to protect the life and health of the data subject or another person, and the
data subject is not legally or physically able to express his or her consent prior to the processing
4. The processing is necessary to achieve the lawful and noncommercial objectives of public organizations
and their associations
5. The processing is necessary for the purpose of medical treatment: Provided, that it is carried out by a
medical practitioner or a medical treatment institution, and an adequate level of protection of personal
data is ensured; or
6. The processing concerns sensitive personal information or privileged information necessary for the
protection of lawful rights and interests of natural or legal persons in court proceedings, or the
establishment, exercise, or defense of legal claims, or when provided to government or public authority
pursuant to a constitutional or statutory mandate.
 Data Privacy Protection Compliance

Data Privacy is about the “penalized violation”

in undermining privacy rights and principles
in the information and communication
systems of government and private sector.

 RA 10173 IRR RULE XIII - Penalties

 NPC Circular No. 2022-01 – Guidelines on
Administrative Fines
 Data privacy
violation
It in
is illegal or unwanted R.A.
act that endangers
the privacy rights of a person, and privacy
10173
of personal data. Data privacy violation is
penalized act to be complained through
NPC Complaint-Assisted Form.
Section 25 Unauthorized Section 30 Concealment of
processing breach
Section 26 Negligence in Section 31 Malicious
access disclosure
Section 27 Improper Section 32 Unauthorized
disposal disclosure
Section 28 Unauthorized Section 33 Combination of
Data privacy
violation in R.A.
10173
 Data Privacy Rights Violation
1. Unauthorized It is when personal
processing information is processed
3-6 years
imprisonment
without the consent of the
500K-4M penalty data subject, or without
being authorized using
lawful criteria
2. Negligence in It is when personal
access information is made
1-6 years
imprisonment
accessible due to Slide 61
 Data Privacy Rights Violation
3. Improper It is when personal
disposal information is knowingly or
6 mos-3 years
negligently disposed, discard,
imprisonment
100K-1M penalty or abandon in an area
accessible to the public or has
otherwise placed the personal
information of an individual in
any container for trash
collection.
4. Unauthorized It is when personalSlide 62
 Data Privacy Rights Violation
5. It is when an individual handling
Unauthorized personal information knowingly and
access or unlawfully, or violating data
intentional confidentiality and security data
breach systems, breaks in any way into any
1-3 years system where personal and sensitive
imprisonment
500K-2M penalty
personal information are stored.
6. Concealed It is when an individual or entity who
breach has knowledge of a security breach
1-5 years and of the obligation to notify the
imprisonment Slide 63
 Data Privacy Rights Violation
7. Malicious It is when an individual or
disclosure entity with malice or in bad
1-65years
imprisonment
faith, discloses unwarranted or
500K-1M penalty false information relative to
any personal information or
sensitive personal information
obtained by him or her.
8. Unauthorized It is when an individual or
disclosure entity discloses to third party
1-5 years
personal information not
Slide 64
 Data Privacy Protection Compliance

Data Privacy is implementation of

“information security.“ Control measures to
ensure confidentiality, integrity and
availability of personal information
 RA 10173 IRR RULE VI – Security Measures
 PNS ISO/IEC 29151 – Information technology –
Security techniques – Privacy framework
 PNS ISO/IEC 27002 – Information security controls
 INFORMATION SECURITY

rvation of the confidentiality, integrity, and availability of info

CONFIDENTIALITY INTEGRITY
Authority is enforced to keep Trust is assured in the accuracy, completeness,
immediacy, usefulness,
secrecy and privacy of personal data
and reliability of personal data

AVAILABILITY
Accessibility is guaranteed in the connectivity, uptime,
reach ability, location, protection, and speed of personal information
exchange
 Security Measures R.A. 10173 IRR Rule VI
Organizational Security Physical Security Technical Security

1. Policies and Procedures on Limited 1. Security policy in processing personal

1. Compliance Officers.
Physical Access data

2. Safeguards to protect computer network

2. Data Protection Policies 2. Security Design of Office Space and Room again unlawful, illegitimate, and
destructive activities

3. Confidentiality, integrity, availability, and

3. Person Duties, Responsibility and Schedule
3. Records of Processing Activities resilience of the processing systems and
Information services

4. Policies on transfer, removal, disposal, and 4. Vulnerability assessment and regular

4. Processing of Personal Data
re-use of electronic media monitoring for security breaches

5. Personal Information Processor 5. Prevention policies against mechanical 5. Ability to restore the availability and
Contracts destruction of files and equipment access to personal data

6. Regularly testing, assessing, and

evaluating the effectiveness of security
measures
7. Encryption of personal data during
storage and while in transit,
authentication process
 Other Security Measures

Rule IX -Data Breach Notification

Rule X -Outsourcing and Subcontracting

Agreements

Rule XI -Registration and Compliance

Slide 69
 Data Privacy Protection Compliance

Data Privacy is the impact assessment of

information systems to privacy rights,
privacy processing principles, and security
controls.
 NPC Advisory 2017-03 – Privacy Impact
Assessment
 PNS ISO/IEC 29134 – Privacy Impact Assessment
What reasons to cause privacy
impact assessment?

1. The developed, acquired, and operated data

processing system collects personal data
2. A change in applicable privacy-related laws
and regulations, internal policy and
standards, information system operation,
purposes and means for processing data, and
new or changed data flows.
3. A new or prospective technology, service or
other initiative where personal information is,
What reasons to cause privacy
impact assessment?

4. A decision that sensitive personal

information is going to be processed
5. A data privacy violation complaint is made
against a system operation.
Data Privacy Protection Compliance

Data Privacy is management

of data breach incident.
 NPC Circular 16-03
 Security Incident
Management System
Breach and Complaint
1.Security Incident
Handling
Management Policy
A personal information controller
or personal information processor
shall implement policies and
procedures for the purpose of
managing security incidents,
NPC Circular 16-03
including personal data breach.
 Security Incident
Management System
Breach and Complaint
2.Data Breach Response Team
Handling
A personal information controller or
personal information processor shall
constitute a data breach response
team, which shall have at least one
(1) member with the authority to
NPC Circular 16-03 make immediate decisions
 Difference and
•
Relationship
Cybersecurity – It is associated with the prevention of, response
to, and investigation of cybercrime in the cyberspace of persons,
data, applications, systems, and infrastructure of service delivery and
customer

• Information security – It is associated with assuring

information confidentiality, process integrity, system availability,
service reliability, and user safety in digital technology-enabled
information management system

• Data privacy It is associated with the data subject’s privacy

rights, processing privacy principles, and system security controls in
the information and communication system relating to a Data
 Knowledge Check

1. What are the privacy roles in a government agency

and private sector for the obligations of protecting
the privacy of personal data in the information
system of personal data processing?
2. What are the indicators that governance of data
privacy protection is failed?
 Knowledge Check

3. What are the privacy rights of a Data Subject?

4. What are the general privacy principles that define
the acceptable processing of personal data in the
information system of the government agency and
private enterprise?
5. What are considered violations of privacy?
 Knowledge Check

6. What are the reasons that require privacy impact

assessment?
7. What are the categories of security measures to
protect personal information?
8. What indicates the ability to manage personal data
breach incidents in the organization?