CONTRIBUTORS
Office of the Privacy Commissioner
Public Information and Assistance Division
Finance and Administrative Office
Data Security and Compliance Office
Legal and Enforcement Office
Privacy Policy Office
Kristine Danica S. Adis
Alec Jean G. Del Castillo
Anella Vianchi G. Arevalo
PHOTO
Lauro M. Montellano, Jr.
Katrice A. Obrero
Pauleen Joy T. Saavedra
EDITOR
Olivia Khane S. Raza
Joseph U. Vizcarra
CONTENTS
PRIVACY COMMISSIONER’S NOTES
THE NATIONAL PRIVACY COMMISSION
    Vision, Mission and Functions
    The Senior Leadership of the NPC
RULE MAKING
    Privacy Policy Office
    Data Security and Technology Standards Division
ADVISORY
    Advisory Opinions
    Position Papers and Comments
PUBLIC EDUCATION
COMPLIANCE AND MONITORING
ENFORCEMENT
COMPLAINTS AND INVESTIGATION
INTERNAL MANAGEMENT
PRIVACY COMMISSIONER’S NOTES
Around two years ago, the National Privacy Commission set out to pursue its
mission. Our goal, then and now, can be distilled into this philosophical vision:
To bring life to the Data Privacy Act—to make it permeate the daily practice
of Filipino individuals and organizations; to establish a regime of vigilance,
accountability, and ultimately, trust; to have data privacy and security become a
driving force of stability, progress, and nation-building.
For many, the NPC’s release of its Five Pillars of Data Privacy Accountability
and Compliance signaled the start of the journey towards compliance and
accountability.
In June 2017, most Filipinos did not know what “Personal Data Privacy” meant.
Only 13% were aware of the Data Privacy Act and only 11% at that time had
heard of the National Privacy Commission. As will be demonstrated in our 2017
Annual Report, these figures have surely increased.
In all humility I must say we have accomplished quite a sum in these areas these
past two years. I have been blessed with a hardworking and dedicated team of
professionals who were all equal to the challenge.
Beyond all of the figures and inventory of what we’ve done so far as
documented in this Report, is a simple synthesis: Two years ago, we set out to
do a job. We realized that we can only do it by tapping into the energies of our
many stakeholders. We planned, we toiled, and here we are now—lengthening
our strides and emerging as one of the most promising data sectors in the
world.
Two years ago, only a handful of local experts were talking about data privacy.
Today, it has become a buzzword in Philippine business circles. In as little as two
years, the Data Protection Officer has emerged as the hottest new profession
in town and many of our citizens, especially youngsters, are quickly catching up
on what data privacy is all about.
This is proof positive that our strong and close collaboration with our
stakeholders is effective. We continue to move in the right direction: Forward,
upward, faster and more efficiently towards a culture of trust and resiliency.
The Commission is headed by a Privacy Commissioner who serves as the Chairperson. The
Privacy Commissioner is assisted by two Deputy Privacy Commissioners.
ADVISORY OPINIONS
This 2017, the PPO produced sixty-nine (69) advisory opinions on the interpretation of the provisions of the DPA, IRR, and other issuances of the NPC. These were issued in response to inquiries from different stakeholders from both the government and the private sector.
Some of these advisory opinions gave light to the data privacy implications of certain government initiatives. These included the Securities Exchange Commission’s Reverse Search Module, the Department of Foreign Affairs’ proposed software application for monitoring Filipino nationals working and residing abroad, Philippine National Police’s request of personal data from the Department of Social Welfare and Development (DSWD), and data sharing concerns of the Anti-Money Laundering Council (AMLC), among others.
Several government agencies also sought formal guidance on the application of the Data Privacy Act to its operations, such as the Philippine Health Insurance Corporation (Philhealth), Bangko Sentral ng Pilipinas (BSP), Philippine Deposit Insurance Corporation (PDIC), Department of Finance (DOF), Commission on Elections (COMELEC), Social Security System (SSS), Tourism Information Enterprise Zone Authority (TIEZA), and APO Production Unit.
Additionally, the PPO created Advisory Opinions that addressed pressing issues directly affecting the public at large.
In 2017, the Office crafted an advisory opinion concerning online merchants’ right to retain credit card details of their customers. In doing so, the following should be taken into consideration:
1. Retention of personal data should be only to the extent required for the fulfillment of the purposes for which the data was obtained, unless data subjects consent to allow longer retention periods;
2. Data subjects should be adequately informed of the nature and extent of the processing of their personal data; and
3. Security measures for the protection of personal data should be implemented.
The issue of how the Data Privacy Act affects employer-employee relationship was also tackled in several Advisory Opinions. Some of these opinions are regarding consent of employees for use of their personal information for marketing purposes and government requirements, employer’s access to employees’ healthcare service usage, and validity of consent in an employment contract, to name a few.
Of note also is the issue on whether a mobile number is considered personal information or not. To determine this, a distinction was made whether it is a postpaid number or a prepaid one. The former is personal information since telecommunication companies assign a specific number to each individual subscriber while the latter only becomes personal information once activated and associated or linked to an individual subscriber.
Another is regarding information available in the public domain. In several advisory opinions, it was stated that the DPA still applies since there is no express mention that personal data which is available publicly is outside of its scope.
Moreover, even if the data subject has provided his or her personal data in a publicly accessible platform, this does not mean he or she has given blanket consent for its use for whatever purposes.
[Infographic: 69 advisory opinions; SEC’s Reverse Search Module; DFA’s proposed monitoring software application; PNP’s request of personal data from the DSWD; data sharing concerns of AMLC]
POSITION PAPERS AND COMMENTS
The Privacy Policy Office likewise prepared policy papers and comments on behalf of the Commission on proposed legislations both from the House of Representatives and the Senate.
The PPO submitted its comments and proposed revisions on bills such as the Philippine HIV and Aids Policy Act, proposed amendments on the Bank Secrecy Law, and proposals for SIM Card Registration, No-Call and Text Registry, Social Media Registration, and National ID System, among others. The PPO was likewise involved in the crafting of the Implementing Rules and Regulations (IRR) of Republic Act No. 10929 or the Free Internet Access in Public Places Act.
These submissions put emphasis on the inclusion of data privacy and protection provisions in the proposed bills, as well as provided recommendations on specific issues, applying a personal data protection perspective on these proposals.
PPO personnel, as representatives of the Commission, acted as resource persons in Senate and House hearings on these bills. Their attendance ensured that data privacy provisions are incorporated in the proposals, when necessary.
Moreover, this gave an opportunity for the PPO to share and impart data privacy awareness and understanding to the country’s legislators in the hopes that they may consider data privacy and personal data protection as an important consideration in formulating legislation.
Review of Documents from Stakeholders.
Part of the PPO’s responsibilities is the review of policies, guidelines, standards, and codes relative to data privacy from stakeholders from different sectors. In 2017, these included review of data sharing agreements, consent forms, and personal data protection policies from organizations in the public and private sector.
Pursuant to its mandate to review standards and codes relating to organizational security measures for protection of personal data, the PPO took part in the review of the privacy code for the health sector which was spearheaded by the Department of Health. PPO was involved in the public consultation regarding the said code as well as prepared in-depth comments and recommendations.
SOCIAL MEDIA
Social media proved to be a cost-efficient communication channel for the NPC. In 2017, the Commission continued to be present in three social media platforms: Facebook (@privacy.gov.ph), Twitter (@PrivacyPH), and YouTube (National Privacy Commission). The Commission easily reached the public through these accounts with daily content that revolve around the concepts of privacy in the Philippines—from updates on the Commission and its activities, to everyday tips that can protect one’s personal data privacy.
The team had a goal in mind: to heighten engagement with the Filipino public online, thus elevating awareness and discourse on data privacy and security. Taking on such an endeavor is no easy feat; however, the team took advantage of the high online presence of Filipinos, and rode along with trending topics and issues to incorporate good data privacy protection practices in NPC materials.
From writers to artists, tasks were meticulously laid out and executed to meet this goal. Content buckets such as related news, engagement posts, privacy push, and in review made sure that the materials produced were always new and engaging.
In light of making the data privacy law and data privacy protection much easier for mass consumption, efforts were directed towards putting together outputs that are simple, concise and fun. In one year, NPC’s Facebook page grew in Likes by 1,000.9%, while the Twitter page grew in Followers by 529.4%. Since the inception of the online information and awareness campaign, the Commission has gained an audience of over 46,404 users in Facebook, 856 in Twitter, and 169 in Youtube by December 2017. A total of 458 Facebook posts were made in 2017, with an average reach of 5,142 users per post. Notably, there were social media materials that reached as many as 347,038 users in just one post.
WEBSITE
After its launch in April 2017, the NPC website continually met its objective of being a knowledge hub for Data Protection Officers (DPOs) and Personal Information Controllers and Processors (PICs/PIPs), when it comes to DPA compliance. It served as repository of information on various NPC issuances—Memorandum Circulars, Advisories, Advisory Opinions and Legal Opinions, data subject rights, knowledge materials, presentations and latest updates about the Commission. The design enabled PICs, PIPs and data subjects to easily explore the website depending on their objective (‘I want to know more’, ‘I want to comply’, ‘I want to complain’).
During the height of the registration period of DPOs and their respective PIC/PIP Data Processing Systems, the website primarily catered to compliance concerns.
566 invites attended by the Commission; 11 DPO Assemblies; 10 Data Privacy Roadshows
to reduce processing time. The turnaround time of 3-45 working days in 2016 was cut to 1-3 working days for general inquiries and 3-15 working days for inquiries relating to compliance and policy in 2017.
and on-going revision of the Citizen’s Charter, the Public Assistance unit also started preparing the development of a public assistance manual- an internal guideline for NPC frontline staff.
In the same year, the establishment of AskPriva, an online assistance and inquiry system, contributed in providing citizen-centric services. It served as an additional channel with which the public can lodge their inquiry, suggestion or any other feedback. With this addition coupled with the wider advocacy initiative, the average number of inquiries received per month rose from 5 in 2016 to 218 in 2017. The rate of inquiries acted upon by the NPC improved from 48.86% in 2016 to 73% in 2017.
FAST NUMBERS
2626: Total number of inquiries received via e-mail, Facebook, and AskPriva in 2017
218: Average inquiries received per month
100%: Walk-in inquiries acted upon by the NPC
100%: Phone-in inquiries acted upon by the NPC
73%: Inquiries received via e-mail, Facebook, and AskPriva acted upon by the NPC
COMPLIANCE & MONITORING
The National Privacy Commission (NPC) is the country’s independent body mandated to administer and implement the Data Privacy Act of 2012 (R.A. 10173), and to monitor and ensure compliance of the country with international standards set for data protection.
As an integral division of the Commission, the Compliance and Monitoring Division shall have the following core functions:
1. Ensure compliance of personal information controllers with the provisions of the DPA
2. Monitor the compliance of other government agencies or instrumentalities on their security and technical measures and recommend the necessary action in order to meet the minimum standards for protection of personal information pursuant to the DPA
3. Provide assistance on matters relating to data protection at the request of a national or local agency, a private entity or any person
4. Assist Philippine companies doing business abroad to respond to data protection laws and regulations
5. Manage the registration of the personal information processing system of contractors and its employees entering into contracts with government that involves accessing or requiring sensitive personal information
6. Adopt a system for registration of data processing systems in the country
7. Assist in the compilation of agency system of records and notices, including index and other finding aids, for publication; and
8. Manage requests for off-site access in government data processing systems.
7 COMPLIANCE CHECK VISITS
The CMD conducted seven (7) compliance check visits to the following PICs: 1.) Bank of the Philippine Islands 2.) West Visayas State University Medical Center 3.) Google Philippines, Inc. 4.) Department of Education 5.) Healthway Medical, Inc. 6.) Suy-Sing Corporation 7.) Philippine International Life Insurance.
3 FOCUS GROUP DISCUSSIONS (DPO, DPS, CCV)
Members from the different sectors were invited during the Focus Group Discussion to get their respective views and opinions with respect to the draft Data Protection Officer Designation, Data Processing System Circular and Compliance Check Visit Guidelines.
47 PARTIAL CHECK COMPLIANCE LETTERS (SENT)
A total of 47 Partial Check Compliance Letters were sent to the identified PICs by the Commission. Said letters were sent primarily to require the latter to send documents or policies as embedded in the 32-point compliance to check their level of compliance with the DPA.
11 DPO SUMMITS’ PARTICIPATION
Through coordination with other divisions, CMD personnel participated in the following DPO Summits per sector: 1.) Government Agencies 2.) Bank 3.) Telecommunications 4.) Education 5.) BPO 6.) Internet Society and Social Media 7.) Private Hospital 8.) Retail Industry 9.) Insurance Non-Life 10.) Pharmaceutical 11.) Local Government.
8 PARTIAL CHECK COMPLIANCE (RECEIVED)
Out of 47 PICs who received the Partial Check Compliance Letter, eight (8) complied, and these are the following: 1.) Holcim Philippines, Inc. 2.) JR & R Distributors 3.) Magnolia, Inc. 4.) Maynilad Water Services, Inc. 5.) Mitsubishi Motors Philippines Corporation 6.) Siemens Corporation 7.) Supervalue, Inc. 8.) Victorias Milling Co., Inc.
1 ONLINE DPS DPO REGISTRATION
A Data Processing System was developed that primarily handles records of the Data Protection Officer for registration purposes.
100+ SPEAKERSHIPS: AWARENESS AND SUMMITS & DPO BRIEFINGS
As part of the public education program of the Commission, CMD personnel were invited and served as guest speakers for the awareness, summits, and DPO briefings apart from the compliance and monitoring functions.
4,656 PHASE I DPO REGISTRATION
A total of 4,656 PICs submitted their respective DPO Registration form. This is a manifestation that PICs are taking the initial phase towards compliance with the DPA.
Others:
● Setting Up Local Area Network (for encoders)
● 300 Plus - Inquiries (phone calls, emails and walk-ins)
● 300 Plus Follow ups for DPO Registration (NGAs)
● Development CMD Encoding System (Software)
● Participation in the Development of Process Flow for Phase I and Phase II Registration System
● Membership in the BAC TWG and ICT Task Force
● Two Key positions in the Employee Associations (Atty. Vida Zora Bocar and Mr. Cleo Martinez as President and Vice-President, respectively of the NPC Employees Organization.)
Laundering Council (AMLC), the United States Federal Bureau of Investigation, the Philippine National Police-Anti-Cybercrime Group and the National Bureau of Investigation. It also worked with the DICT-CICC for the take down of adult-section of the Manila Backpage.
System;
8. Privacy of Communications Act of 2018; and
9. Mobile Number Portability Act.
As part of its effort to strengthen the enforcement mandate of the Commission, the Division envisions 2018 as a year where strong measures to protect data rights will be implemented.
6 LEGAL SKILLS TRAINING
● in Conducting Public Bidding,
● Accounting, and Preparation of Financial Reports
● Procurement Training for End-Users
● Code of Conduct and Ethical Standards for Public Officials and Employees
● Procurement Planning and Compliance, Procedural and Practical Guide in Conducting Alternative Methods of Procurement and Other Special Topics
● Anti-graft and Corrupt Practices Act and Related Laws.
The Financial, Planning and Management Division (FPMD) provides planning support and financial direction to help steer the Commission towards its fiscal targets for the year.
To establish efficient and optimum use of resources, the FPMD has consistently played its critical role in the formulation and monitoring of annual and long-range Programs/Activities/Projects (PAPs). This, to ensure that the commitments and performance are aligned with the Commission’s goals. The division also spearheaded the NPC Strategic Planning Workshop; Midyear review, Performance Assessment; and 2018 Planning Workshop in June 2017 and November 2017, respectively. The division also worked closely with the Human Resource Development Division in conducting a series of workshops related to the crafting of individual, division and office performance commitments to pave the way the agency’s establishment and implementation of its Strategic Performance Management System (SPMS).
Number of publications (ex. Compilation of agency system or records and notices, laws, case reports): 352,598.40
Number of Public Information/Education Projects implemented: 5,596,719.16
Number of private sector and government agencies representatives meeting/coordination: 1,191,996.25
Number of Registration system established (ex. Government contracts): 2,072,248.97
Total: 14,318,974.16
With a view in establishing effective and efficient systems, processes and procedures, the ASD initiated the use of the DOST-Electronics Records Management System, which allowed for the easy tracking of documents, thus facilitating timely decision-making. Through the division, the NPC has also automated the procurement of airline tickets, both for domestic and foreign travels.
The ASD issued several guidelines to promote the efficient systems of procurement, maintenance or repair and use of motor vehicles and management of NPC-owned properties and equipment, thus putting in place internal management systems or controls. Among these are the (a) Policy on Request for Issuance of Supplies, Properties and Equipment; and the (b) Policy on the Maintenance, Repair, and Availment/Dispatch of Motor Vehicles and Allocation of Fuel.
The division also helped ensure the timely payment of NPC obligations amounting to a total of P78,684,868.99 to various creditors. Instrumental to achieving this was the ASD’s management of funds collected and deposited to the bank within 24 hours from receipt.
Likewise, the ASD takes the lead in the planning, management and procurement of NPC’s property, plant, and equipment registering a total of 387 units IT and Office Equipment, 245 pieces of Furniture and Fixtures, and 11 Motor Vehicles.
Overall, the division has greatly contributed to ensuring higher obligation rate at fiscal year-end by expediting the processing of purchase requests for the procurement of goods and services, increasing the rate of absorptive capacity of the NPC to utilize its funds under the General Appropriations Act.
[Chart: NUMBER OF PERSONNEL (Plantilla, COS; Masteral Degree, Doctorate Degree; Total)]
PERSONNEL TRAINING
79% Plantilla personnel completed the above-mentioned trainings.
Summary of Trainings
In-house: 5
Sponsored: 7
NPC - Funded: 17
Total: 29
            Plantilla                        Non-Plantilla       Total (has assumed
Division    Authorized  Filled  Unfilled    COS   Consultant    position)
OPC         18          11      7           6     0             17
OED         5           0       5           0     0             0
PIAD        7           4       3           13    0             17
DASCO       3           0       3           0     0             0
CMD         14          9       5           7     0             16
DSTD        6           5       1           2     0             7
LEO         3           0       3           0     0             0
LD          6           3       3           0     0             3
ED          6           4       2           0     0             4
CID         7           6       1           3     0             9
FAO         3           0       3           2     0             2
FPMD        8           7       1           3     0             10
ASD         6           4       2           11    0             15
HRDD        5           3       2           1     0             4
PPO         3           0       3           0     0             0
PDD         12          5       7           1     0             6
PRD         11          1       10          0     0             1
ATTY. JANICE G. NADAL, OIC, Legal Division (janice.nadal@privacy.gov.ph)
ATTY. FRANCISCO R. ACERO, Chief, Complaints and Investigation Division (francis.acero@privacy.gov.ph)
ATTY. RASIELLE DL. RELLOSA, OIC, Policy Development Division (rashy.rellosa@privacy.gov.ph)
DR. ROLANDO R. LANSIGAN, Chief, Compliance and Monitoring Division (rolando.lansigan@privacy.gov.ph)
JONATHAN S. RAGSAG, OIC, Data Security and Technology Standards Division (jonathan.ragsag@privacy.gov.ph)
MARIA DELIA S. PRESQUITO, Chief, Administrative Services Division (madel.presquito@privacy.gov.ph)
MALOU C. LEELIAN, OIC, Financial Planning and Management Division (malou.leelian@privacy.gov.ph)
KIMBERLY ANN M. MEDINA, OIC, Human Resource Development Division (kim.medina@privacy.gov.ph)
OLIVIA KHANE S. RAZA, OIC, Public Information and Assistance Division (khane.raza@privacy.gov.ph)
PRIVACY POLICY OFFICE