The Information Lifecycle
If you handle personal information, you should consider how you will protect
personal information during the stages of its lifecycle.
The first step is to take an inventory of all PII and SPII. Knowing what
information you are processing, where it is stored, and where it comes
from is necessary. Knowledge about this data will help a company
identify its specific compliance requirements.
For example, information gathered directly from data subjects can require
the company to secure waivers from its customers, while information
passed on from other entities may require it to implement additional
controls or modify contractual agreements to reflect the data protection
required by the new law.
This activity will also allow companies to identify data that is being
stored without any particular reason. For example, a small retail shop
that still keeps information about its customers from a previous
promotional event, with no current use for it, creates a data privacy
issue simply by continuing to retain that information.
The second step is to answer the question "How are we protecting this
information?" Companies need to assess their existing data control
infrastructure to identify any gaps.
There are three areas, applicable to both large and small
organizations, which should be considered:
Governance of data
This deals with the company's policies on using and classifying the
data. A company, for example, may choose to stratify data based on
whether it is regular confidential data, PII, SPII, or non-confidential. It
will then base its controls on the data's classification, such as
determining policies on who can access particular levels of data.
Supporting processes
This deals with how the company executes the policies that keep data
controls functioning, such as compliance management, business
continuity, and configuration management. For example, strong
encryption controls will not be effective without a proper review of
user access.
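The inventory step above (what is stored, where it is stored, where it came from, and whether it still has a purpose) and the classification-driven access policy under "Governance of data" can both be expressed as a small audit script. The following Python is an added example, not code from the original document or from any Philippine regulator; the classification levels, role clearances, system names, and the sample inventory are all assumptions constructed for illustration.

```python
"""Toy personal-data inventory with classification-driven access and retention checks.

Added illustration only: role clearances, systems and records below are constructed.
"""
from dataclasses import dataclass
from datetime import date
from enum import IntEnum
from typing import Dict, List, Optional


class Classification(IntEnum):
    """Ordered so that a higher value means stricter handling is required."""
    NON_CONFIDENTIAL = 0
    CONFIDENTIAL = 1
    PII = 2
    SPII = 3


@dataclass(frozen=True)
class InventoryEntry:
    system: str                       # where the data is stored
    field_name: str                   # what is stored
    classification: Classification
    source: str                       # where it came from: "data_subject", "third_party", ...
    purpose: Optional[str]            # None means there is no current processing purpose
    retention_until: Optional[date]   # None means no retention limit has been set


# Hypothetical role clearances: the highest classification each role may read.
ROLE_CLEARANCE: Dict[str, Classification] = {
    "marketing": Classification.CONFIDENTIAL,
    "support": Classification.PII,
    "compliance": Classification.SPII,
}


def can_access(role: str, entry: InventoryEntry) -> bool:
    """Deny by default: a role that is not listed gets NON_CONFIDENTIAL clearance only."""
    clearance = ROLE_CLEARANCE.get(role, Classification.NON_CONFIDENTIAL)
    return clearance >= entry.classification


def retention_findings(inventory: List[InventoryEntry], today_iso: str) -> List[str]:
    """Flag personal data (PII or SPII) kept without a purpose or past its retention date."""
    today = date.fromisoformat(today_iso)
    findings: List[str] = []
    for e in inventory:
        if e.classification < Classification.PII:
            continue  # not personal data; retention is a business decision, not a privacy one
        if e.purpose is None:
            findings.append(f"{e.system}.{e.field_name}: retained with no current purpose")
        elif e.retention_until is not None and e.retention_until < today:
            findings.append(f"{e.system}.{e.field_name}: retention expired {e.retention_until}")
    return findings


def compliance_requirements(inventory: List[InventoryEntry]) -> Dict[str, List[str]]:
    """Group personal data by source, since data from subjects and from other entities
    carry different obligations (consent handling versus contractual controls)."""
    reqs: Dict[str, List[str]] = {}
    for e in inventory:
        if e.classification >= Classification.PII:
            reqs.setdefault(e.source, []).append(f"{e.system}.{e.field_name}")
    return reqs


# Constructed sample inventory for a small retail shop (not real data).
SAMPLE_INVENTORY: List[InventoryEntry] = [
    InventoryEntry("crm", "email", Classification.PII, "data_subject", "order notifications", None),
    InventoryEntry("crm", "loyalty_balance", Classification.CONFIDENTIAL, "data_subject", "loyalty program", None),
    InventoryEntry("promo_2019", "phone", Classification.PII, "data_subject", None, date(2019, 12, 31)),
    InventoryEntry("hr", "medical_cert", Classification.SPII, "third_party", "leave processing", date(2020, 1, 1)),
    InventoryEntry("web", "product_catalog", Classification.NON_CONFIDENTIAL, "internal", "storefront", None),
]

if __name__ == "__main__":
    for finding in retention_findings(SAMPLE_INVENTORY, "2021-06-01"):
        print("RETENTION:", finding)
    for source, fields in compliance_requirements(SAMPLE_INVENTORY).items():
        print(f"personal data from {source}: {fields}")
    print("marketing may read hr.medical_cert:", can_access("marketing", SAMPLE_INVENTORY[3]))
```

Two design points matter here. Access is denied by default for any role not in the clearance table, so adding a new classification or a new role never silently widens access. And the retention check treats "no current purpose" as a finding on its own, independent of any retention date, which is exactly the promotional-event case described above.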
To protect your privacy, the Philippine data privacy law explicitly requires
organizations to notify you and furnish you with the following information
before they enter your personal data into any processing system (or, at the
latest, at the next practical opportunity):
Section 4. Scope. The Act and these Rules apply to the processing of
personal data by any natural and juridical person in the government or
private sector. They apply to an act done or practice engaged in and
outside of the Philippines if:
Section 5. Special Cases. The Act and these Rules shall not apply to the
following specified information, only to the minimum extent of
collection, access, use, disclosure or other processing necessary to the
purpose, function, or activity concerned:
(a) The fact that the individual is or was an officer or employee of the
government;
(b) The title, office address, and office telephone number of the
individual;
a. The data subject must have given his or her consent prior to the
collection, or as soon as practicable and reasonable;
c. The processing is necessary to protect the life and health of the data
subject or another person, and the data subject is not legally or
physically able to express his or her consent prior to the processing;