
DATA PRIVACY PROTECTION COMPETENCY FRAMEWORK

INTRODUCTION

The data privacy protection competency framework training is an online learning program that enables the persons or entities mandated to be accountable and responsible for the implementation of R.A. 10173 – Data Privacy Act of 2012 to understand, decide on, and act on the rules and standards of data privacy protection and personal information security.

The implementing rules and regulations of R.A. 10173, Data Privacy Act of 2012, in particular Rule VI, Security Measures for the Protection of Personal Data, identify the protection requirements that the Personal Information Controller and Processor are obligated to execute in order to provide evidence that the privacy of personal information will not be violated in the information and communication systems of government agencies and private organizations.

The Personal Information Controller or Processor of a government agency or business organization is any person or entity who gives instructions or executes an agreement to process personal information in the business filing system and digital services. They are legally obligated to make sure that data processing instruction and execution comply with data privacy rules and regulations, the issuances of the National Privacy Commission, and recognized international standards for protecting the privacy and security of personal data.

The training on the data privacy protection competency framework identifies and elaborates the knowledge, skills, and attitudes that enable the Personal Information Controller and Processor to achieve the following objectives of the R.A. 10173 implementing rules and regulations:

1. Mitigate data privacy violations
2. Organize data privacy governance and oversight
3. Apply the principles of privacy protection in data processing system
4. Enable the process for the exercise of data privacy rights
5. Conduct privacy and security risk assessment and define security level requirements
6. Implement the security measures to protect personal information and sensitive
personal information
7. Manage breach and information security incident
8. Privacy by design and by default information processing system
9. Ensure data privacy and information security in supplier relationship
10. Observe the registration and report requirements of compliance

The learning process uses the existing rules, regulations and issuances related to the implementation of R.A. 10173, together with globally cited and accepted standards, to establish the underpinning knowledge needed to plan-do-check-act the management of data privacy and information security. It observes Rule I, Section 2 of the R.A. 10173 Implementing Rules and Regulations, which states, “These Rules further enforce the Data Privacy Act and adopt generally accepted international principles and standards for personal data protection.”

The online face-to-face instruction presents and demonstrates how to understand and act on the obligations of protecting the individual’s personal information in the information and communication systems of government and the private sector. The learning engagement elicits, elaborates, analyzes, and documents the valid, verifiable, acceptable and actionable normative references of performance.

TRAINING PARTICIPANTS AND OBJECTIVES:


The training is designed for persons or entities identified by R.A. 10173 as Personal Information Controller, Personal Information Processor, Head of Agency and Data Protection Officer, who are obligated by data privacy rules to be accountable and responsible for the following:

1. Data privacy and information security governance
2. Registry of personal data and information system asset
3. Privacy impact assessment and information security risk management
4. Data Privacy and information security policies
5. Privacy and information security management system
6. Breach and security incident management
7. Privacy and security complaint and concern handling
8. Privacy and security in supplier relationship
9. Awareness training on data privacy and personal information security
10. Compliance reporting and registration

The importance and impact of data privacy protection training are experienced in the ability of those designated as accountable and responsible for data protection to achieve the following objectives:

1. perform the oversight responsibilities as identified in NPC Advisory 2017-01
2. implement the obligation to protect personal data in government as outlined in NPC Circular 16-01
3. create the inventory of information assets and register the information system associated with personal data processing as required by R.A. 10173 - Rule XI
4. conduct the privacy impact assessment of the filing system, information and communication system, automation program, and project of the organization based on NPC Advisory 2017-03
5. formulate the data privacy and security policies that mitigate both privacy and security risks based on the privacy impact assessment report and the guidance provided by R.A. 10173 IRR Rule VI
6. create the privacy management program and manual on data privacy protection guided by the R.A. 10173 implementing rules and regulations, and globally recognized practice standards
7. create the security incident management system to support the handling of data breaches and other security incidents associated with violation of data privacy in accordance with NPC Circular 16-03
8. create procedures to handle data privacy complaints and compliance reporting in accordance with NPC Circular 16-04 and NPC 18-02
9. create the requirements to guide information system development that is privacy by design and by default
10. create the training plan for the whole-of-agency awareness and training on data privacy and information security

TRAINING PROGRAM

| Learning Session | Learning Topic | Training Duration | Training Output |
|---|---|---|---|
| Session 1 | R.A. 10173 - Data Privacy Act of 2012 – Goals, Objectives, Roles, Accountability and Responsibility | 3 hours | Data Privacy Protection Role Matrix |
| Session 2 | Global Practice Standards to Guide the Implementation of R.A. 10173 – Data Privacy Act of 2012 | 3 hours | List of Normative References aligned to Compliance Requirement |
| Session 3 | Data Privacy and Information Security Risks Management | 3 hours | Privacy Impact Assessment Methodology – Activities, Risk Criteria, Threat Intelligence, Documentation |
| Session 4 | Data Privacy and Security Control Policies | 3 hours | Policy Creation Content Template |
| Session 5 | Breach and Security Incident Management | 3 hours | Security Incident Management – Organization, Function, Process, Document, and Technology Requirement Checklist |
