Session 1 Updated Primer On DPA - MNL - 062718
THE DATA PRIVACY ACT OF 2012
(R.A. 10173)
ATTY. KARL JOHN A. BAQUIRAN
Which is more VALUABLE: DATA or MONEY?

Examples:
https://news.mb.com.ph/2016/11/20/big-data-defeats-dengue/
http://www.gmanetwork.com/news/scitech/technology/657644/couple-arrested-for-allegedly-hacking-a-travel-agency-s-fb/story/
http://entertainment.inquirer.net/279469/jeopardy-winner-get-prison-sneaking-emails
Diverted Payroll Payments of Faculty & Staff
http://www.gmanetwork.com/news/news/regions/89630/cebu-hospital-apologizes-for-surgery-spectacle/story/
https://www.forbes.com/sites/stevemorgan/2016/05/13/list-of-the-5-most-cyber-attacked-industries/#1c66467a715e
http://www.darkreading.com/threat-intelligence/healthcare-suffers-estimated-$62-billion-in-data-breaches/d/d-id/1325482
BDO Fraudulent Transactions
WHAT IS PRIVACY?
• the right of an individual to be let alone.

PHYSICAL PRIVACY
• the ability to maintain one's own physical space or solitude.

INFORMATIONAL PRIVACY
• The ability of a person to:
– control
– manage
– delete information
– decide how and to what extent such information is communicated to others.
THE DATA PRIVACY ACT OF 2012
Covers:
• processing of all types of personal data
• natural and juridical persons involved in personal information processing
• privileged communication

PERSONAL INFORMATION
• information that identifies an individual, on its own or "when put together with other information" (the deck's illustration is a bare name, "Annie Cruz", which identifies a person only once combined with other data)

SENSITIVE PERSONAL INFORMATION

PRIVILEGED INFORMATION
• Any and all forms of data which, under the Rules of Court and other pertinent laws, constitute privileged communication.
CRITERIA FOR LAWFUL PROCESSING

Personal Information (permitted only if not otherwise prohibited by law):
• Consent
• Necessary and related to the fulfillment of a contract
• For compliance with a legal obligation
• Processing is necessary to protect vitally important interests of the data subject, including life and health
• National emergency, public order and safety, and functions of public authority
• Legitimate interests

Sensitive Personal Information (prohibited, except):
• Consent
• Provided for by existing laws and regulations
• For compliance with a legal obligation
• Necessary to protect the life and health of the data subject, and the data subject is not legally or physically able to express his or her consent
• Necessary to achieve the lawful and noncommercial objectives of public organizations and their associations
• Necessary for purposes of medical treatment, provided an adequate level of protection of personal information is ensured
• For the protection of lawful rights and interests
PROCESSING
• any operation or any set of operations performed upon personal information

PERSONAL INFORMATION CONTROLLER (PIC)
• person or organization who controls the processing of personal data
• also includes those who instruct another to process personal data on their behalf.

PERSONAL INFORMATION PROCESSOR (PIP)
• any natural or juridical person to whom a PIC may outsource the processing of personal data

DATA SUBJECT

CONSENT
Must be EXPRESS:
• Freely given
• Informed
• Specific
SPECIAL CASES
(a) Employees of the government;
(b) For those performing service under contract for a government institution;
(c) For those relating to any discretionary benefit of a financial nature;
(d) For journalistic, artistic, literary or research purposes;
(e) To carry out the functions of public authority;
(f) Necessary for banks and other financial institutions;
(g) Information originally collected from residents of foreign jurisdictions.
RIGHTS OF THE DATA SUBJECT
Right to:
• Information
• Object
• Access
• Rectify
• Erase
• Damages
• Data Portability
• File a Complaint

PRINCIPLES OF DATA PRIVACY

TRANSPARENCY

LEGITIMATE PURPOSE
• The processing of information shall be compatible with a declared and specified purpose.

PROPORTIONALITY
• adequate, relevant, suitable & necessary
• not excessive in relation to a declared and specified purpose.
Are you over-collecting?
DATA SHARING
• disclosure or transfer of personal data to a third party

DATA SHARING AGREEMENT (DSA)
• CONTRACT, JOINT ISSUANCE or any similar document that contains the terms and conditions of a data sharing arrangement
• Only applies to PERSONAL INFORMATION CONTROLLERS (PIC)

CONTENTS OF A DSA
• Purpose
• Identity of PICs
• Term or duration
• Overview of the operational details
• Description of security measures
• How the data subject may access the DSA
• PIC responsible for addressing information requests
• Method to secure the RETURN, DESTRUCTION or DISPOSAL of the data
• Other terms and conditions
OBLIGATIONS OF PICs & PIPs
OBLIGATIONS TO BE COMPLIED

ADVISORIES
ADVISORY 2017-01: Designation of Data Protection Officers
ADVISORY 2017-02: Access to Personal Data Sheets of Government Personnel
ADVISORY 2017-03: Privacy Impact Assessment

CIRCULARS
CIRCULAR 16-01: Security of Personal Data in Government Agencies
CIRCULAR 16-02: Data Sharing Agreements Involving Government Agencies
CIRCULAR 16-03: Personal Data Breach Management
CIRCULAR 16-04: Rules of Procedure of the Commission
CIRCULAR 17-01: Registration of Data Processing Systems & Notifications Regarding Automated Decision-Making

Recent Advisories
ADVISORY 2018-01: Guidelines on Security Incident and Personal Data Breach

PENALTIES
• Imprisonment
• Perpetual or temporary absolute disqualification for public officials
• Deportation for aliens
Appoint a Data Protection Officer (DPO)

DATA PROTECTION OFFICER (DPO)
• an individual designated by the head of agency or organization to be accountable for its compliance

Know Your Risk: Conduct a Privacy Impact Assessment (PIA)

PRIVACY IMPACT ASSESSMENT
• process undertaken to evaluate and manage the impact of a program, process and/or measure on data privacy.
• Personal Data and Processing Systems Inventory
• Threshold Analysis
• Risk Identification
• Risk Management
• PIA Report

Create your Privacy Management Program and Privacy Manual
• process intended to embed privacy and data protection in the strategic framework and daily operations of a PIC or PIP
DATA PRIVACY AND ACCOUNTABILITY FRAMEWORK
(diagram) PRIVACY ECOSYSTEM: CONTINUITY, MANAGE HR, THIRD PARTY, BREACHES

Demonstrate Your Compliance: Implement your Privacy & Data Protection (PDP) measures.

PDP MEASURES
• Physical
• Organizational
• Technical
Physical Measures
1. CCTV
2. Security Guard
3. Building Access Controls / Biometrics
4. Proper Office Desk Arrangement
5. Locked Storage Room
6. Locked Filing Cabinets
7. Enclosed Receiving/Processing Rooms
8. Kensington Locks
9. Screen Filters
10. Secure Disposal

Organizational Measures
1. DPO
2. Training
3. PIA
4. Security Clearance
5. Updated Policies
6. Certifications
7. Updated Consent Forms
8. Privacy Notices
9. Managed Third Parties
10. BYOD / Mobile Phone Policies

Technical Measures
1. Firewall / Anti-Virus / Spam Filters
2. Encryption
3. Strong Passwords / Computer Lock Policy
4. Backups
5. Access Controls
6. Password-Protected Printer/Copier
7. Cloud Storage
8. Updated Software / System Maintenance
9. VPN
10. Penetration Tests
Be Prepared for Breach: BREACH MANAGEMENT

Finally: REGISTER with the NPC

WHO IS REQUIRED?
A PIC or PIP that meets any of the following:
• employs at least two hundred fifty (250) employees
• processes sensitive personal information of at least one thousand (1,000) individuals
• the processing poses a risk to the rights and freedoms of data subjects
• the processing is not occasional

WHO ELSE IS REQUIRED?
1. Government branches, bodies or entities, including national government agencies, bureaus or offices, constitutional commissions, local government units, and government-owned and controlled corporations (GOCCs);
karl.baquiran@protonmail.com
+639175205275