
Personal Data Inventory

RACHELLE MAE M. ORTIZ


Certified Information Privacy Manager
Member of International Association of Privacy Professionals
National Privacy Commission (Former)
EVIDENCE OF COMPLIANCE
1. Personal Data Inventory
2. Personal Data Process Flow
3. Consent Forms
4. Sample Data Sharing (DSAs)
5. DSA Tracker
6. List of PIPs
7. Sample Outsourcing Agreement with PIPs
8. List and Samples of Security Clearances Issued
9. List of Security Measures and Policies: Physical, Organizational and Technical
10. Designation and Functions of the DPO
11. Duly notarized DPO Registration Form with Stamp from NPC
12. Candidate Privacy Impact Assessment Inventory of PPPMST
13. PIAs (Ongoing, Completed, Pending)
14. Compilation of Privacy Notices
15. List and Picture of Placement of Privacy Notices
16. List and Picture of Placement of CCTV Cameras with notices
17. Compilation of Privacy and Data Protection-related Policies and Procedures (“Manual”)
18. Network Access Policies affecting personal data
19. Physical Access Policies affecting personal data
20. Breach Management Team Directory
21. Breach Management Policies/ Procedures
22. Privacy-related Incident Tracker
23. Privacy-related Trainings Schedule and Tracker
24. Complaints Log/ Tracker
25. Request from Data Subjects Log/ Tracker
26. Consolidated Schedule of privacy-related activities
27. Consolidated Report of Privacy-related Budget/ Expenditures
Sec. 26(c), IRR
Processing
(RA 10173, IRR section 3.m)

It refers to any operation or any set of operations performed upon personal data including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data.

Processing may be by automated means, or manual processing, if the personal data are contained or are intended to be contained in a filing system.
The Information Life Cycle
(Diagram: DATA, with the labels Collected, Use, Stored, Disclosed, Transferred, Disposed)
The Information Life Cycle
(Diagram: DATA LIFE CYCLE, with the labels COLLECT/CREATE, USE, DISCLOSE/TRANSFER, STORE/, DISPOSE)
Personal Data Inventory
(template)
Definitions
Personal Information
Personal information refers to any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.
– RA 10173, Section 3.g
Definitions
Sensitive Personal Information
Sensitive personal information refers to personal information:
(1) About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;
(2) About an individual’s health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings;
(3) Issued by government agencies peculiar to an individual which includes, but not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns; and
(4) Specifically established by an executive order or an act of Congress to be kept classified.
– RA 10173, Section 3.l


SOURCE (Means of Collection)

Online Systems
• Cookies of Web sites
• Online Membership/Registration
• Payroll Systems
• Social Networking Sites
• Human Resource Management
• Point of Sale
• Web Sites
• Etc.

Electronic/Paper
• Application/Registration Form
• Advertisement Response
• Inquiry Forms
• CCTV Footage
• Order Forms
• Email
• Inbound / Outbound Calls / Call Centres Records
Criteria for Lawful Processing

Personal Information (Not Sensitive)
(Ex. Name, Address, Phone Number, e-mail address)
• Consent of Data Subject
• Necessary to the fulfillment of a contract
• Legal Obligation (Reporting requirements)
• Protect vitally important interests of the data subject, including life and health
• National emergency, to comply with the requirements of public order and safety, or to fulfill functions of public authority
• LEGITIMATE INTEREST

Sensitive Personal Information
(Ex. Health, Education, Government Issued Numbers)
• Consent of Data Subject
• Public organizations and their associations, limited to members, with consent
• Laws and regulations, with safeguards
• Protect life and health of any person, where data subject physically or legally unable to consent
• Protection of lawful rights and interests of natural or legal persons in court proceedings, legal claims, provided to government authority
• Medical treatment purpose
The GDPR Mindset of Lawful Processing
LOCATION (Storage of Personal Data)

Electronic Storage Media
• CCTV Surveillance System
• Computers (Desktop, Notebook, Laptop)
• Multi-function Copiers
• Portable Storage (Thumbdrive, External Hard Disk, CD ROM)
• Spreadsheets and Word Documents
• Cloud Storage (Dropbox, Google Drive)

Physical Storage Media
• Filing Drawers / Shelves / Cabinets
• Offsite Store / Warehouse
• Physical Boxes (Letter Box, Submission Box)
• Temporary Offices / Project Sites
USERS OF DATA

• Personal Information Controller (PIC) (Internal Users)
• “Data Sharing Agreement”: External Entity, Different Purpose
• “Outsourcing Contract”: External Entity, Purpose as instructed (PIP)
How should you comply?
R.A. 10173, Data Privacy Act of 2012

• SEC. 20 (a) The personal information controller must implement reasonable and appropriate organizational, physical and technical measures intended for the protection of personal information against any accidental or unlawful destruction, alteration and disclosure, as well as against any other unlawful processing.

• Sectors can craft their own “privacy codes” to address relevant industry issues and practices. These codes can be submitted to the NPC for review/comment.
Finally, the DPO should make a notation on the form referencing the following policies:
• Use/disclosure policy (Acceptable Use Policy, Data Sharing Agreements)
• Protection policy (Encryption, Lock-and-Key Cabinets)
• Backup policy (Scanned Forms and Back-up server)
• Disposal policy (Shredding of disposed documents)
End of Module.
Any Questions?

THANK YOU!
