
DATA PRIVACY

AWARENESS SESSION
MARCH 16, 2018
OBJECTIVES

• Explain the key points of data privacy and why it should matter personally and for the company
• Present the impact of DPA in how the company operates and delivers its services
• Prevent situations that may lead to legal disputes due to company negligence
OUTLINE

• Introduction to Data Privacy
• Rights of the Data Subject
• Roles of the Data Subject
• Penalties
• Frequently Asked Questions (FAQs)
HISTORY (timeline)

• 2012 – Data Privacy Act (RA 10173)
• Mar 2016 – Privacy & Deputy Privacy Commissioners; National Privacy Commission
• May 2016 – DICT Act of 2015 (RA 10844); DICT*
• Aug 2016 – Implementing Rules & Regulations
• Sept 2017 – Mar 2018 – Mandatory Compliance and Mandatory Registration** of Gov’t Agencies & Private Companies

*DICT – Department of Information and Communications Technology
**Deadline of Registration:
Phase I: Registration of DPO – until September 9, 2017
Phase II: Registration of personal data processing systems – until March 8, 2018
PERSONAL DATA HANDLING

Information Life Cycle (built around the Data Privacy Principles):
1. Data Collection
2. Data Storage and Transmission
3. Data Usage
4. Disclosure and Distribution / Data Sharing
5. Data Retention and Disposal / Destruction
TERMINOLOGIES

• Data Subject
• Personal Information Controller (PIC)
• Personal Information Processor (PIP)
• Concept: Processing
ECOSYSTEM

• Data Subject – provides personal data to the Personal Information Controller (PIC)
• Personal Information Controller (PIC) – outsources the processing to the Personal Information Processor (PIP); shares data with Third Parties
• Personal Information Processor (PIP) – sub-contracts to Third Parties

Data provided by the Data Subject:
• Personal Information
• Sensitive Personal Information
• Privilege Information
TYPES OF DATA

Personal information
► Information, whether recorded in a material form or not, from which the identity of an individual:
  ► is apparent, or
  ► can be reasonably and directly ascertained by the entity holding the information, or
  ► when put together with other information would directly and certainly identify an individual (IRR)
► Name
► Home address
► Phone number

Sensitive personal information
► Personal information whose leakage could impact the well being of an individual (EU GDPR).
► Race, ethnic origin, marital status, age, color, religious, philosophical or political affiliation.
► Health, education, genetic or sexual life, offenses committed or alleged, disposal of such, or sentences of any court.
► Issued by any government agency peculiar to an individual such as SSS numbers, previous and current health records, licenses, denials, suspension or revocation, and tax returns.
► Specifically established by an executive order or an act of Congress to be kept classified. (IRR)

Privileged information
► Any and all forms of data which under the Rules of Court or other pertinent laws constituted privileged communications. (IRR)
► Attorney-client privileged information
► Doctor-patient privileged information
KNOWLEDGE CHECK

Data – PI or SPI or N/A?
• Gender (Male or Female) – SPI
• School graduated from and year graduated – SPI
• A company’s contact number – N/A
• E-mail addresses that are only collected by websites – PI
• Office or home address – PI


RIGHTS OF DATA SUBJECT

• Consent
• Object
• Access
• Correct
• Erase
• Damages
• Data Portability


RIGHTS OF DATA SUBJECT

Consent

Under R.A. 10173, your personal data is treated almost literally in the same way as your own personal property. Thus, it should never be collected, processed and stored by any organization without your explicit consent, unless otherwise provided by law.

As a data subject, you have the right to be informed that your personal data will be, are being, or were, collected and processed.

The Right to be Informed is a most basic right as it empowers you as a data subject to consider other actions to protect your data privacy and assert your other privacy rights.
RIGHTS OF DATA SUBJECT

Access

Under the Data Privacy Act of 2012, you have a right to obtain from an organization a copy of any information relating to you that they have on their computer database and/or manual filing system. It should be provided in an easy-to-access format, accompanied with a full explanation executed in plain language.

You may demand to access the following:
• The contents of your personal data that were processed.
• The sources from which they were obtained.
• Names and addresses of the recipients of your data.
• Manner by which they were processed.
• Reasons for disclosure to recipients, if there were any.
• Information on automated systems where your data is or may be available, and how it may affect you.
• Date when your data was last accessed and modified.
• The identity and address of the personal information controller.
RIGHTS OF DATA SUBJECT

Object

Your consent is necessary before any organization can LAWFULLY collect and process your personal data. If without your consent, any such collection and processing of personal information by any organization can be contested as unlawful or ILLEGAL, and would therefore be answerable to the Data Privacy Act of 2012.

The right to object is most specifically applicable when organizations or personal information controllers are processing your data without your consent.
RIGHTS OF DATA SUBJECT

Erase or Blocking

Under the law, you have the right to suspend, withdraw or order the blocking, removal or destruction of your personal data. You can exercise this right upon discovery and substantial proof of the following:

1. Your personal data is incomplete, outdated, false, or unlawfully obtained.
2. It is being used for purposes you did not authorize.
3. The data is no longer necessary for the purposes for which they were collected.
4. You decided to withdraw consent, or you object to its processing and there is no overriding legal ground for its processing.
5. The data concerns information prejudicial to the data subject — unless justified by freedom of speech, of expression, or of the press; or otherwise authorized (by court of law).
6. The processing is unlawful.
7. The personal information controller, or the personal information processor, violated your rights as data subject.
RIGHTS OF DATA SUBJECT

Damages

You may claim compensation if you suffered damages due to inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of personal data, considering any violation of your rights and freedoms as data subject.

Write or speak to the organization which mishandled your personal information to see if you can reach an agreement and claim compensation.

If you feel that your concern has not been satisfactorily addressed, you should write to the organization and inform them of your intent to take the matter to the court, before you start court proceedings. Talk to a legal adviser if you want to make a claim in court.

The right to file a complaint with the National Privacy Commission

If you feel that your personal information has been misused, maliciously disclosed, or improperly disposed, or that any of your data privacy rights have been violated, you have a right to file a complaint with the NPC.
RIGHTS OF DATA SUBJECT

Data Portability

Data portability allows you to obtain and electronically move, copy or transfer your data in a secure
manner, for further use. It enables the free flow of your personal information across the internet and
organizations, according to your preference. This is important especially now that several organizations
and services can reuse the same data.
CONSENT FORM

• Applicants' Consent Form
• Active Employees' Consent Form
• Resigned Employees' Consent Form
ROLES OF DATA SUBJECT

Physical Security – Do’s
• Secure storage of hardcopy documents by locking filing cabinets and giving access only to those authorized and required to fulfill processing of these documents
• Secure destruction/disposal of hardcopy documents
• Control over printing of documents containing personal data
• Clear the workstation from any documents containing personal data.

Technical Security – Do’s
• Comply with the company’s password policies (i.e., do not share passwords with anyone, use of highly complex passwords)
• Encrypt attachments being sent through e-mail and send the password in a separate e-mail with a different subject
• Lock the home screen of the workstation when leaving it unattended
• Beware of phishing attacks
• Always shut down and/or restart the computers to keep the operating systems and anti-virus software up to date
PRIVACY IMPACT ASSESSMENT

Privacy Impact Assessment (PIA) is a tool used to identify the potential risk of existing personal or sensitive personal information on the company’s systems, technology, programs/process or activities to an individual’s privacy.

When do we conduct PIA:
• For new or modification of current process
• For new projects
• For new marketing initiatives
• For changes in the IT system infrastructure
OUTLINE

• Introduction to Data Privacy
• Rights of the Data Subject
• Duties of PIC/PIP
• Compliance with DPA
• Penalties
• Frequently Asked Questions (FAQs)
DUTIES OF PIC/PIP

• Lawful Processing
• Protection
• Data Integrity
• Transparency


COMPLIANCE

5 Pillars of Data Privacy
1. Commit to Comply – Appoint and Register Data Privacy Officer / Compliance Officer and personal data processing systems
2. Know our risks – Conduct a Privacy Impact Assessment
3. Be accountable – Develop Privacy Management Program and craft your Privacy Manual
4. Demonstrate compliance – Implement Privacy and Data Protection measures
5. Be prepared for breach – Regularly exercise your Breach Reporting Procedures
COMPLIANCE – Data Breach Notification

Process:
1. Breach
2. Awareness of breach – without undue delay
3. Investigate breach – without undue delay (no later than 72 hrs)
4. Notify NPC and local authorities (if likelihood of risk to individuals)
5. Notify data subject/s (if likely to result in risk to individuals)

► Data processors must report personal data breaches to FPH through its Data Breach Response Team (DBRT).
► First Balfour must report personal data breaches to NPC, local authorities and in some cases, affected data subjects.
► First Balfour maintains a personal data breach tracker.
► Depending on the nature of the incident, or if there is delay or failure to notify, NPC may investigate the circumstances surrounding the personal data breach. Investigations may include on-site examination of systems and procedures.

Report ALL personal data breaches to your Data Protection Officer or designated COP as soon as possible for appropriate attention and action.
HR COMPLIANCE // DPA

DATA COLLECTION
Informed Consent (Applicant; New & Current Employees; Resigned) – the consent notice covers:
• Why do we collect your info
• What types of info do we collect
• How do we collect, acquire, generate your info
• To whom do we share your info
• How do we protect your info
• Where and how long do we keep your info
• How can you access and erase info
Forms: CBE – online form; Walk in – paper form; Non-CBE – paper form. Deadline – March 15
Awareness Cascade – Deadline – March 15; Include in NEO

DATA STORAGE and TRANSMISSION / DATA USAGE
Handling of Medical Records – Health records must be centralized to the Health Group. Pre-employment APE results: turnover to Health Group thru your Nurses.
HR COMPLIANCE // DPA

DISCLOSURE and DISTRIBUTION / DATA SHARING
Data Sharing Agreement – data to be shared externally:
• Outsourcing – Subcon, headhunter, service provider (accredited hospitals,…)
• Internal – Subsidiaries
• External
Paper form – get from Drive O (pending approval)

IDs – must not include Sensitive Personal Info (SPI):
• Gov’t ID numbers
• Blood Type
Actions: Photoshoot – ongoing (c/o TAO); Workers’ ID – template to be sent. Re-issue new IDs; Due: March 15

DATA RETENTION and DISPOSAL / DESTRUCTION
Archiving and Purging:
• Applicant – 2 years after receipt of resume
• New & Current Employees, Resigned – 15 years after resignation
Covers all documents containing PI, all documents containing SPI, and biometrics, photographs.
PENALTIES

Violation | Fine (Php) | Imprisonment
Unauthorized Processing of Personal Information | 500 thousand to 2 million | 1 year to 3 years
Unauthorized Processing of Sensitive Personal Information | 500 thousand to 4 million | 3 years to 6 years
Accessing due to Negligence of Personal Information | 500 thousand to 2 million | 1 year to 3 years
Accessing due to Negligence of Sensitive Personal Information | 500 thousand to 4 million | 3 years to 6 years
Improper Disposal of Personal Information | 100 thousand to 500 thousand | 6 months to 2 years
Improper Disposal of Sensitive Personal Information | 100 thousand to 1 million | 1 year to 3 years
Processing for Unauthorized Purposes of Personal Information | 500 thousand to 1 million | 18 months to 5 years
Processing for Unauthorized Purposes of Sensitive Personal Information | 500 thousand to 2 million | 2 years to 7 years
Unauthorized Access or Intentional Breach | 500 thousand to 2 million | 1 year to 3 years
Concealment of Security Breaches Involving Sensitive Personal Information | 500 thousand to 1 million | 18 months to 5 years
Malicious Disclosure | 500 thousand to 1 million | 18 months to 5 years
Unauthorized Disclosure of Personal Information | 500 thousand to 1 million | 1 year to 3 years
Unauthorized Disclosure of Sensitive Personal Information | 500 thousand to 2 million | 3 years to 5 years
Combination or Series of Acts | 1 million to 5 million | 3 years to 6 years


SCENARIO – Data Collection

Employees – Employment Requirements – Employer

Question: Can the employer collect both the personal information and sensitive personal information?

An employee is required to submit TIN, SSS, and Pag-IBIG membership certificate, along with other pre-employment requirements. The employer requires these documents in order to process regulatory requirements of BIR, SSS, Pag-IBIG, and PhilHealth. The employer obtained consent for these personal data but has not obtained consent for these government-issued IDs.

Answer: Yes, it meets the requirement for lawful processing.

Lawful Processing

The processing involves the personal information of a data subject who is a party to a contractual agreement and the processing of personal information is necessary for the fulfillment of the constitutional or statutory mandate of a public authority (e.g., BIR, SSS, Pag-IBIG and PhilHealth). Meanwhile, the processing of the sensitive personal information is provided for by existing laws and regulations, thus no consent is needed for the aforementioned government-issued IDs.
SCENARIO – Data Storage

Employee Address – System Limitation

Question: Can the Company continually refuse the updating request of its employee?

An employee found out that HR has erroneously entered a wrong address in his file. He called the Company’s hotline to have this updated but HR refused due to the lack of system functionality.

Answer: No, due to the right to rectification of the data subject.

Right to Rectification

The Company should rightfully update the inaccurate home address of its customer as requested.
SCENARIO – Data Sharing

Fun Run – Consent – Company

Question: Can the personal data be used and shared by the Company with its sister company?

A Company organizes a fun run and collected contact details from participants. Consent has been obtained for fun run registration purposes only. However, since most participants are potential customers, the Company later on shared the information with a sister company for direct marketing purposes.

Answer: No, personal data must be used only for the specific purpose for which the data subject consented.

Data Usage

Personal data must be used only for the purpose for which the data subject consented. The Data Subject must be informed of, and explicitly consent to, the sharing of his/her data with a third party for direct marketing purposes.
FAQs

Q: What procedural changes do I expect from First Balfour in compliance with the Data Privacy Act?
A: Changing of IDs, consent forms to be given out, strengthening of controls on the IT side.

Q: Are we allowed to access social media, download pictures of whoever we want to and publish them, even for a good purpose?
A: Social media is a public platform. Yes, we can view and download available media, but using them for purposes outside of what is typically associated with the use of social media platforms without the consent of the owner is not allowed.

Q: What if I don’t want to sign the consent forms being distributed by HR as part of Data Privacy compliance?
A: It may result in delay of processing of your data (i.e. payroll) since the company has to develop special means to cater to exemptions.

Q: When is it OK for a Data Processor to not get the consent of the data subject?
A: Legal investigation initiated by government agencies such as the NBI or PNP. DOH collecting records from hospitals to know communicable diseases. CCTV review requested by Security Admin. Or whenever a formal investigation has already been initiated. Processing of data should be limited though to its intended purpose.
FAQs
Q: Can I request that my personal information be destroyed when I resign from the company?
A: You can request its deletion 3 years after resignation. Inform HR and your company’s DPO through a formal letter, but take note that you may no longer approach the company for retrieval of your past records if you need them in the future.

Q: Why is it required to perform PIA for new projects or processes?
A: The DPO needs to assess risks before he can recommend controls to ensure data privacy.

Q: I am getting calls from unexpected sources. What rights do I have on them?
A: You have the right to withdraw your personal info from them (right to erasure or blocking).

Q: How about publication? Can media telecast or publish an article about me (i.e. accident, crime-related, events) regardless if it’s good or bad without my consent?
A: There are exemptions to the Data Privacy Act. For historical, statistical, or journalistic purposes consent is typically not required even if the information is sensitive. It is still expected however that the data is treated

Q: Is someone spreading fake news about me in social media covered by data privacy? Is this something I can report to NPC?
A: This is covered by the Cybercrime law. Different from the scope of the NPC.
FAQs

Q: Can the public (still) demand the private records of a politician because of this law (i.e. SALN)?
A: This is covered by the Freedom of Information Act. This law does not enable it. However, it does exempt a public official’s record so long as it is related to their employment with the government.

Q: Can I complain directly to NPC for my non-work data-privacy-related concern? If yes, how?
A: Yes. Go to the NPC website (https://privacy.gov.ph/mechanics-for-complaints/). However, NPC will ask whether you have tried to resolve any issues with the data processor first before they entertain any complaints.
For more information visit:
www.privacy.gov.ph
