PART B - THE DATA PRIVACY ACT OF 2012


(Republic Act No. 10173)
By: Atty. Loma Linda A. Say

The background of the Data Privacy Act

Our right to privacy of communication and correspondence is a human right. It is treated as our
private property, protected by our government. The government may intrude upon it only upon a
lawful order of the court, or in a valid exercise of its police power as prescribed by law.

Article III Bill of Rights


xxx
Section 3. (1) The privacy of communication and correspondence shall be
inviolable except upon lawful order of the court, or when public safety or order
requires otherwise as prescribed by law.
(2) Any evidence obtained in violation of this or the preceding section shall be
inadmissible for any purpose in any proceeding.

How do we protect this right? When our communication and correspondence consisted only of
hard files and paper documents, protecting them was a matter of stashing them in our attics or in
rented safety deposit boxes. Fortunately for us, we are rapidly going digital, and information is
created and transferred ever faster. The methods of protecting our right to privacy of communication
and correspondence had to evolve digitally along with it. Thus, our Data Privacy Act of 2012.

In 2012, the Philippines passed the Data Privacy Act of 2012 (DPA) "to protect the fundamental
human right of privacy, of communication while ensuring free flow of information to promote
innovation and growth" (Republic Act No. 10173, Ch. 1, Sec. 2). Two years later, in 2014, it was
estimated that 2.5 quintillion (2.5 billion billion) bytes of data were created every day. This
includes unprecedented knowledge about what real individuals are doing, watching, thinking, and
feeling.
https://amihan.net/2017/07/10/beginners_guide_to_ra_10173/

WHAT ARE THE EARLY BEGINNINGS OF OUR DPA?

Sometime in 2004, President Gloria Macapagal Arroyo tasked Commissioner Damian "Dondi" Mapa of
the Commission on Information and Communications Technology (CICT) with developing the growing
Philippine BPO industry and making it more competitive. In response, Commissioner Mapa pursued
data protection as a competitive differentiator for business process outsourcing.

The CICT thereafter invited several EU consultants, from 2005 to 2006, to review the existing DTI
Administrative Order No. 8-2006, the Guidelines for the Protection of Personal Data. Incorporating
DTI A.O. No. 8-2006 and the review outputs, the CICT drafted what became RA No. 10173, "An Act
Protecting Individual Personal Information in Information and Communications Systems in the
Government and the Private Sector, Creating for This Purpose a National Privacy Commission, and
for Other Purposes", otherwise known as the Data Privacy Act of 2012.

If you look closely at our DPA, it is patterned after the European Union's data protection regime,
now embodied in the General Data Protection Regulation (GDPR). Because of this, our DPA is already
90% compliant with the GDPR, according to Commissioner Mapa.
https://eitsc.com/wp-content/uploads/2018/05/Mapping-the-DPA-and-GDPR.pdf

Under the DPA, a data subject is an individual whose personal information is processed. In this
sense, all of us who fill in and give our information to another person are data subjects, and that
other person is a Personal Information Controller (PIC).

IMPORTANT FEATURES OF DPA

1. Regulated collection of personal information.

All personal information must be collected for reasons that are specified, legitimate, and
reasonable. We should know the reason why our personal data is collected. The kind of data
collected must be specific, the use must be legitimate, and the amount of data collected must
be reasonable.

2. Personal information must be handled properly.

Our personal information must be kept accurate and relevant, used only for the stated purposes,
and retained only for as long as reasonably needed. Personal information controllers must actively
ensure that unauthorized parties do not have access to our information.

3. Personal information must be properly disposed.

Collected personal information must be discarded in a way that does not make it visible or
accessible to unauthorized third parties. Unauthorized processing, negligent handling, or improper
disposal of personal information is punishable with imprisonment of up to six (6) years and a fine
of up to five million pesos (PHP 5,000,000), depending on the nature and degree of the violation.
https://amihan.net/2017/07/10/beginners_guide_to_ra_10173/

THE DATA PROTECTED UNDER THE DPA

Our DPA protects two general kinds of data:

(1) Personal information, and
(2) Sensitive personal information.

As defined under Section 3.l of the Implementing Rules and Regulations (IRR) of our DPA, Personal
Information refers to any information, whether recorded in a material form or not, from which the
identity of an individual is apparent or can be reasonably and directly ascertained by the entity
holding the information, or when put together with other information would directly and certainly
identify an individual.

Examples are our pictures, name, status, age, citizenship, down to our likes and dislikes.

A subset of personal information is sensitive personal information: that part of personal
information which the law itself designates as sensitive. Under Section 3.t of the IRR, the
following are regarded as sensitive personal information:

1. About an individual's race, ethnic origin, marital status, age, color, and religious,
philosophical or political affiliations;
2. About an individual's health, education, genetic or sexual life, or any proceeding for any
offense committed or alleged to have been committed by such individual, the disposal of such
proceedings, or the sentence of any court in such proceedings;
3. Issued by government agencies peculiar to an individual, which includes, but is not limited to,
social security numbers, previous or current health records, licenses or their denial, suspension
or revocation, and tax returns; and
4. Specifically established by an executive order or an act of Congress to be kept classified.

This list is exclusive, which means that information not found therein is only ordinary personal
information. The kinds of information are presented side by side below:

PERSONAL INFORMATION (defined under Section 3.l of the IRR)

Refers to any information, whether recorded in a material form or not, from which the identity of
an individual is apparent or can be reasonably and directly ascertained by the entity holding the
information, or when put together with other information would directly and certainly identify an
individual. It is divided into:

SENSITIVE (Section 3.t of the IRR)

Personal information that is:
1. About an individual's race, ethnic origin, marital status, age, color, and religious,
philosophical or political affiliations;
2. About an individual's health, education, genetic or sexual life, or any proceeding for any
offense committed or alleged to have been committed by such individual, the disposal of such
proceedings, or the sentence of any court in such proceedings;
3. Issued by government agencies peculiar to an individual, which includes, but is not limited to,
social security numbers, previous or current health records, licenses or their denial, suspension
or revocation, and tax returns; and
4. Specifically established by an executive order or an act of Congress to be kept classified.

Sensitive personal information enjoys more protection under the law.

NON-SENSITIVE

Not defined under the law. It may be interpreted to cover all other personal information not
considered as sensitive.

Sensitive Information, category by category

1. Information about an individual's race, ethnic origin, marital status, age, color, and
religious, philosophical or political affiliations.

Filipino citizenship, single, married, age, Catholic, Democrat, Republican, apolitical, religious,
atheist: these are some of the sensitive information in this category. Ironically, we supply some
of this information in our Facebook accounts and post it publicly. How about our search history in
Google, Safari, Explorer and other search engines and browsers? What do you think of that data? Do
you know how long Google keeps this information about us?

2. Information about an individual's health, education, genetic or sexual life, or any proceeding
for any offense committed or alleged to have been committed by such individual, the disposal of
such proceedings, or the sentence of any court in such proceedings.

Under this category are our medical records in hospitals, with our insurers, in HR, with
psychologists, and the records of our cases in the courts, probation offices, and other offices.
This is the reason why our government uses numbers, rather than names, to identify those who test
COVID positive during this time. However, we unknowingly give this information away in online
surveys under the promise of freebies or a chance of winning something. Maybe next time you will
think twice before giving this kind of information.

3. Information issued by government agencies peculiar to an individual, which includes, but is not
limited to, social security numbers, previous or current health records, licenses or their denial,
suspension or revocation, and tax returns.

Each of us has unique numbers generated by different government agencies. Examples are:
Pag-IBIG Fund UMID No.
Pag-IBIG Fund Housing Loan Account No.
PhilHealth No.
Social Security No.
Tax Identification No.
Driver's License No.
OR and CR Nos. from the LTO
and the records of denials, suspensions or revocations and other records of the proceedings related
to them. All of these unique numbers are sensitive. This means that your friend cannot go to a
PhilHealth office and ask for your PhilHealth number. Banks cannot call the LTO to get your license
number. Insurers are not allowed to ask for your medical records found in the PhilHealth system.

4. Information specifically established by an executive order or an act of Congress to be kept
classified.

An example of classified information is found in Executive Order No. 2, Series of 2016, by which
President Rodrigo R. Duterte installed the Freedom of Information (FOI) mechanism and harmonized
the DPA with freedom of information and its exceptions, as inventoried by the Presidential
Communications Operations Office (PCOO) of the Office of the President. Among the exceptions are:

a. Information covered by executive privilege;
b. Privileged information relating to national security, defense or international relations;
c. Information concerning law enforcement and protection of public and personal safety;
d. Information deemed confidential for the protection of the privacy of persons and certain
individuals such as minors, victims of crimes, or the accused;
e. Information, documents or records known by reason of official capacity and deemed confidential,
including those submitted or disclosed by entities to government agencies, tribunals, boards, or
officers, in relation to the performance of their functions, or to inquiries or investigations
conducted by them in the exercise of their administrative, regulatory or quasi-judicial powers;
f. Prejudicial premature disclosure;
g. Records of proceedings or information from proceedings which, pursuant to law or relevant rules
and regulations, are treated as confidential or privileged;
h. Matters considered confidential under banking and finance laws, and their amendatory laws; and
i. Other exceptions to the right to information under laws, jurisprudence, rules and regulations.

The above four categories are sensitive personal information. Again, the list is exclusive: any
personal information not found there is considered only ordinary or non-sensitive, even if you
might think otherwise. Who is your boyfriend? Who is your ultimate crush? Those are not sensitive
under the law.

Why did the DPA distinguish sensitive from non-sensitive information? Because they are treated
differently in terms of obligations, penalties and other effects.

The eight Privacy rights under the DPA

Under the DPA we have eight privacy rights: the Right to be Informed, the Right to Access, the
Right to Object, the Right to Erasure and Blocking, the Right to Damages, the Right to File a
Complaint, the Right to Rectify, and the Right to Data Portability.

1. The Right to be Informed (Section 34.a of the IRR)

The data subject has a right to be informed whether personal data pertaining to him or her shall
be, are being, or have been processed, including the existence of automated decision-making
and profiling. xxx

Under this provision, as a data subject, I have the right to be informed that the personal
information I gave in my credit card application shall be entered into the bank's system, of the
purpose, and of whether my information will be used for direct marketing, profiling, or historical,
statistical or scientific purposes. I also have the right to know the recipients of my data, the
identity and contact details of the personal information controller or its representative, and the
period for which the information will be stored.

Let us take for example an application for a credit card. The following is the personal information
a bank (the Personal Information Controller) requires, in the order and arrangement used by the
bank:
1. Personal Information - complete name, gender, date of birth, place of birth, citizenship,
number of dependents, TIN, SSS/GSIS number, number of cars owned (mortgaged or owned), civil
status, school last attended, educational attainment, mother's full maiden name, father's full
name, spouse's full name, spouse's date of birth;
2. Communication and Delivery Instructions - home ownership (owned by applicant, rented,
mortgaged/financed, company quarters, living with relatives, boarding), present address,
permanent address, office address, and their corresponding telephone, cellphone and fax numbers
and e-mail addresses;
3. Employment / Business Information - employment, gross monthly income, source of funds, number
of years in the present job and in the past job, rank when employed (non-officer, junior officer,
senior officer), and for a business, its form (single proprietorship, partnership, corporation).

In giving this myriad of information, I have the right to be informed that it shall be entered into
the bank's system, of the purpose, of whether my information will be used for direct marketing,
profiling, or historical, statistical or scientific purposes, of the identity of the recipients of
my data, of the identity and contact details of the personal information controller or its
representative, and of the period for which the information will be stored.

So how does the government enforce or implement this right? Aside from reportorial and other
compliance requirements, a bank or PIC ordinarily requires us to give our consent, by way of a
clause informing us of the intended use of our personal information:

DATA PRIVACY CONSENT

In compliance with the requirements of the Data Privacy Act ("DPA"),
• I/we authorize the general use and sharing of information obtained from me/us in the
course of my/our transaction/s with BDO, its parent, subsidiaries, affiliates, and their
respective representatives and agents (“BDO Group”), or from third parties.
• The data, which include my/our personal information or sensitive personal information
may be collected, processed, stored, updated, or disclosed by BDO or continually be
collected, stored, processed and/or shared for five (5) years from the conclusion of
my/our transaction (which may include any transaction, business or other form of
commercial relationship) with any member of the BDO Group or until the expiration of
the retention limits set by Applicable Law, whichever comes later, (i) for legitimate
purposes, (ii) to implement transactions which I/we request, allow, or authorize, (iii) to
offer and provide new or related products and services of the BDO Group or third
parties, and, (iv) to comply with the BDO Group’s internal policies and its reporting
obligations to Governmental Authorities under Applicable Laws.
• I/We allow members of the BDO Group to process, collect, use, store, or disclose
my/our information to other members, to Governmental Authorities, to all credit card
information service providers including without limitation the Credit Information
Corporation defined in R.A. No. 9150, and to any third party (local or overseas) who
acquires or will acquire the rights and obligations of any member of the BDO Group;
who is in negotiations with any member of the BDO Group in connection with the
possible sale, acquisition or restructuring of any member of the BDO Group; who
processes information, transactions, services, or accounts, on behalf of the BDO
Group (including but not limited to courier agencies; telecommunication information
technology companies; payment, payroll, collection, training, and storage agencies;
entities providing customer support, and other similar entities); or who requires the
information for market research, product and business analysis, audit and
administrative purposes, offering of products and services, or for marketing or
advertising activities undertaken by the BDO Group.
• I/We understand that should I/we wish to access, update, or correct certain
information, or withdraw consent to the use of any of the information provided herein,
I/we may communicate with BDO's Data Protection Officer at
data_protection_officer_bdounibankinc@bdo.com.ph. I/We may file complaints with,
and/or seek assistance from the National Privacy Commission.

By signing this consent form, you acknowledge that you know, understand, and consent to the
collection, use and storage of your information by the bank.

How about a recording, audio or video; is it covered? Yes.

In recording a conversation or interview with someone, it is enough to verbally ask the individual
data subject for direct consent. If the subject agrees, it is also useful to state that the
conversation will be recorded. Banks doing phone banking tell their callers that the conversation
with the call center agent will be recorded, and that proceeding with the call indicates their
consent (this is considered sufficient notice).

Meanwhile, websites resort to publishing a Privacy Notice page, which essentially accomplishes the
same thing. Privacy notices should likewise be posted in public establishments equipped with
security CCTVs. Hence, in some establishments, you see CCTV notices, primarily not to warn robbers
but to notify us, as required under the DPA.

Let us end this by going back to the recordings and pictures in your own phone. When you post them
on Facebook, whether as "public" or "only me", did you give any kind of consent as to their use,
processing and storage?

2. The Right to Access (Section 34.c of the IRR)

The data subject has the right to reasonable access to, upon demand, the following:

1. Contents of his or her personal data that were processed;
2. Sources from which personal data were obtained;
3. Names and addresses of recipients of the personal data;
4. Manner by which such data were processed;
5. Reasons for the disclosure of the personal data to recipients, if any;
xxx

You have a right to obtain from companies or government agencies the personal information they
store about you in their computer databases and/or manual filing systems. CCTV footage is one
example. You must execute a written request to the organization, addressed to its Data Protection
Officer (DPO). In the letter, state that the request is made in exercise of your right to access
under the Data Privacy Act of 2012. The DPO is required to respond to your written request. Be
prepared to provide evidence of your identity, which the DPO should require of you to make sure
that personal information is not released to the wrong person.

However, a criminal suspect is not allowed access to the personal data held about him by law
enforcement agencies, as it may impede their investigation. In the same manner, you are not
allowed access to information contained in communications between a lawyer and his or her client,
if such communication is subject to legal privilege in court. Your right to access your own medical
and psychological data may be denied when it is deemed that your health and well-being might be
negatively affected.

3. The Right to Object (Section 34.b of the IRR)

The data subject shall have the right to object to the processing of his or her personal data,
including processing for direct marketing, automated processing or profiling. The data subject
shall also be notified and given an opportunity to withhold consent to the processing in case of
changes or any amendment to the information supplied or declared to the data subject in the
preceding paragraph. xxx

You can exercise your right to object if the personal data processing involved is based on
consent or on legitimate interest. When you object or withhold your consent, the PIC should no
longer process the personal data, unless the processing is pursuant to a subpoena, for obvious
purposes (contract, employer-employee relationship, etc.) or a result of a legal obligation.

The right to object is most specifically applicable when organizations’ or personal information
controllers are processing your data without your consent for the following purposes: Direct
marketing purposes, Profiling purposes, Automated processing purposes.

You may assert your right to object verbally, whether in person or by phone call. To have it
formally documented, however, you must execute a written request to the organization, addressed
to its Data Protection Officer (DPO), and have it received. In the letter, state that the request
is made in exercise of your right to object under the DPA. The DPO must act on your written
request. If you feel your request has not been addressed satisfactorily, you may file a formal
complaint before the NPC, attaching your request letter to the DPO.

4. The Right to Erasure and Blocking (Section 34.e of the IRR)

The data subject shall have the right to suspend, withdraw or order the blocking, removal or
destruction of his or her personal data from the personal information controller’s filing system.

5. The Right to Damages (Section 34.f of the IRR)

The data subject shall be indemnified for any damages sustained due to such inaccurate,
incomplete, outdated, false, unlawfully obtained or unauthorized use of personal data, taking
into account any violation of his or her rights and freedoms as data subject.

6. The Right to File a Complaint (Section 34.a.2(1) of the IRR)

The existence of their rights as data subjects, including the right to access, correction, and
object to the processing, as well as the right to lodge a complaint before the Commission.

7. The Right to Rectify (Section 34.d of the IRR)

The data subject has the right to dispute the inaccuracy or error in the personal data and have
the personal information controller correct it immediately and accordingly, unless the request is
vexatious or otherwise unreasonable. xxx

8. The Right to Data Portability (Section 36 of the IRR)

Where his or her personal data is processed by electronic means and in a structured and
commonly used format, the data subject shall have the right to obtain from the personal
information controller a copy of such data in an electronic or structured format that is commonly
used and allows for further use by the data subject. xxx

Let us go back to my Facebook example. I admit that at first I used my real name and diligently
filled in several items of sensitive personal data in my Facebook profile, expecting my friends to
recognize and contact me; after all, this is a social media platform. When I worked with the
Pag-IBIG Fund and started filing criminal complaints against businesses which refused to comply
with the Pag-IBIG Fund Law, I found myself checking their names on Facebook to get a profile and a
"picture of the person" in my case. Was it legal? Of course; the name and picture are publicly
posted on Facebook.

HOW DO WE FARE IN OUR DATA PRIVACY PROTECTION?

Later, I realized that the same access is two-pronged. Like me, any person who receives a final
demand to pay or to vacate which I signed in my work can also check my name, my status and my
profile picture with its smiling face. I got a taste of my own medicine. Which led me to ask: as a
culture, what kind of data subjects are we? Are we even aware that what we post on Facebook is our
own sensitive personal data?

Did you notice that the sponsored ads you see are quite tailored to you? For example, those whose
age is in the 50s, based on the date of birth in their profile, are probably targeted with
age-defying cosmetics, while those in their twenties receive ads appropriate to their age. Do you
wonder why these targeted ads appear? Who gave them your age? Did you ever give consent to
Facebook to give or sell your data to advertising corporations? Did you wonder what price or value
Facebook has received in exchange for your data?

A Social Weather Stations (SWS) survey on data privacy and Internet usage, commissioned by the
National Privacy Commission and conducted from June 17 to 21, 2017, showed that 85% of Filipino
respondents agree that the rights of data subjects are important.

94% want to know more about where the personal information they provide during transactions
or applications will be used.

Meanwhile, in terms of trust in private institutions that collect personal information, schools are
found to be the most trustworthy, getting a +85-net trust rating. It is followed by hospitals and
clinics (+71), banks (+52), telecommunications companies (+35), and credit card companies
(+24).

Through the survey, NPC Commissioner Raymund Liboro confirmed that Filipinos value their
privacy.

The following are examples of violations of the DPA cited by the National Privacy Commission.
https://privacy.com.ph/dndfeature/personal-information-data-privacy-act-personal-information-processed/

Sometime in August 2014, a popular blogger Michael Sy Lim of Fashion Pulis, posted
screenshots of what were alleged to be leaked medical records of model Deniece Cornejo from
Healthway Clinic showing her to be suffering from a sexually transmitted disease. At that time,
Cornejo was in the thick of a media storm caused by her allegation that she was raped by
celebrity dancer and host Vhong Navarro. On top of the rape case she had previously filed
against Navarro, she wound up filing another complaint for libel, this time against Lim.

Is there a violation? Of course: a person's medical records are sensitive personal information.
They cannot be published online without the consent of the data subject. Who is liable for such a
leak? Under the law, both the blogger who posted the screenshots and the Healthway Clinic that
allowed the exposure or release of such sensitive personal information.

The second case: In November 2017, at the height of the government’s high-stakes crackdown
against illegal drugs, the Philippine Drug Enforcement Agency (PDEA) conducted a raid at the
Seda Hotel in BGC, where 11 men, comprised of models and professionals, were rounded up
for allegedly engaging in a drug-fueled sex orgy. At a press conference following the arrest, the
PDEA announced that one of the men was HIV positive. There was incontrovertible
identification because PDEA officials had asked the said man to raise his hand. The incident
prompted a uniform outcry from HIV and data privacy advocates alike, accusing PDEA of
having overstepped its authority in revealing sensitive personal information that had nothing to
do with the crime for which the suspects were arrested and exposing the victim to ridicule and
discrimination. By the time PDEA owned up to its mistake, the damage had already been done.

In this case, the man's medical record of being HIV positive could not be disclosed without his
consent.

Why? What is the danger in unprotected data? In the past, the threats to our data were fire,
viruses, and bandits; now we have hackers and competitors. Or worse: identity theft, fraud, and
theft of financial resources from employees and clients.

With this topic, I hope that you come to appreciate your data and the importance of its privacy.
For one, you do not really have to use your complete name on social media, nor your complete birth
date and other data. As the police joke, nowadays they do not have to search their databases for
this kind of information; they need only go to Facebook and skim through public profiles. We
unknowingly make their work easier.

a. DPA IN HUMAN RESOURCE MANAGEMENT

In the area of human resources, the HR manager and staff must ensure that the personal and
sensitive personal data of workers, collected from recruitment and selection down to the end of
the employment relationship, are protected.

Once a worker is hired, data on work performance, productivity statistics, activities performed
during and outside employment hours, CCTV recordings within the employer's premises, access logs,
network traffic statistics, biometric data, among others, are collected. On the employee's
separation from the company, whether voluntary (resignation) or involuntary (just or authorized
causes of termination), he or she must comply with various other requirements, and the 201 file
(the file that documents the employment relationship for the duration of tenure) must, for the
time being, still be stored.

What happens when this sensitive information is leaked or hacked?

Last year, in April 2019, the National Privacy Commission investigated hacking incidents of April
1-2, 2019 against Facebook, Twitter, Yahoo, Wattpad, and some websites operated by public and
private organizations. The hacked government websites included those of the Armed Forces of the
Philippines, the Ateneo de Zamboanga and the Technological University of the Philippines in
Taguig. Initially, the NPC identified the local hacker group as Pinoy LulzSec.
https://www.pna.gov.ph/articles/1066539

This year, a data breach at a GE vendor exposed highly sensitive employee information of General
Electric. GE has about 250,000 employees, along with hundreds of thousands of former employees who
continue to receive benefits. GE disclosed that the third party involved was its contractor-vendor,
Canon Business Process Services (Canon BPS). Canon BPS is a division of the camera giant that
specializes in handling outsourced human resources tasks such as document processing and accounts
payable.

The unknown party (the hacker) apparently gained access to Canon BPS's workflow routing service
through one compromised e-mail account. From February 3 to 14, 2020, the unknown party had access
to sensitive documents: documents uploaded to GE as part of the process of obtaining benefits, and
possibly those of people who completed online employment applications as well, which include bank
account details. Combined, these are the documents one needs to commit identity fraud and take
over accounts. GE, in turn, offered credit monitoring to protect its employees and former employees
against the inevitable fraud attempts.

There are several possible causes of the breach, including the possibility that a Canon BPS e-mail
account was phished and all the documents in its inbox were harvested. What really happened? Why
the breach? At the time the incident was reported, GE required its employees and former staff to
upload documents directly to Canon BPS. It is possible that the Canon BPS e-mail account was
phished by the attackers. So, what is phishing?

Phishing: the analogy is of an angler throwing a baited hook (the phishing e-mail) and hoping you
bite. Phishing is a cyber-attack that uses a disguised e-mail as a weapon. The goal is to trick the
e-mail recipient into believing that the message is something they want or need, a request from
their bank, for instance, or a note from someone in their company, and to click a link or download
an attachment.
https://www.csoonline.com/article/2117843/what-is-phishing-how-this-cyber-attack-works-and-how-to-prevent-it.html
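As an added illustration, not part of the original lecture and not code from GE, Canon BPS or any other organization named above, the following Python script checks a raw e-mail for three concrete signs of the "disguise" the definition describes: a Reply-To address that routes replies to a different organization than the apparent sender, a display name that claims a domain the sending address does not belong to, and link text that shows one host while the href points at another. The two sample messages, their domains and addresses are constructed placeholders, and the "registrable domain" helper is a deliberate simplification (last two labels of the host name) rather than a Public Suffix List lookup.

```python
# Added example (not from the original article): header and link checks for a
# disguised e-mail. All domains, names and addresses below are constructed placeholders.
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed disguised message: display name and visible link text claim
# "vendor-hr.example"; the real sender, Reply-To and link target do not.
PHISH_RAW = """\
From: "vendor-hr.example Benefits Portal" <notice@vendor-hr-secure.example.net>
Reply-To: collections@mail-drop.example.org
To: employee@corp.example
Subject: Action required: re-upload your benefits documents
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please re-upload your documents within 24 hours:</p>
<a href="http://login.mail-drop.example.org/upload">https://portal.vendor-hr.example/upload</a>
</body></html>
"""

# Constructed consistent message for comparison.
CLEAN_RAW = """\
From: "Benefits Portal" <notice@vendor-hr.example>
To: employee@corp.example
Subject: Your benefits documents were received
Content-Type: text/html; charset="utf-8"

<html><body><p>Thank you. You can check the status at
<a href="https://portal.vendor-hr.example/status">https://portal.vendor-hr.example/status</a>.</p></body></html>
"""


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Organisation part of a host name, approximated as its last two labels.
    This is an assumption for the example; real filters consult the Public
    Suffix List so that e.g. 'co.uk' is not taken for an organisation."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def _domain_of(addr):
    return addr.rpartition("@")[2].lower()


def _host_of(url):
    return (urlparse(url).hostname or "").lower()


def phishing_indicators(raw):
    """Return the list of disguise indicators found in one raw e-mail."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    display_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = _domain_of(from_addr)
    from_org = registrable_domain(from_domain)

    # 1. Reply-To routes answers to a different organisation than the sender.
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and registrable_domain(_domain_of(reply_addr)) != from_org:
        findings.append(f"reply-to domain {_domain_of(reply_addr)} differs from sender domain {from_domain}")

    # 2. The display name carries a domain-looking token the sender does not own.
    for token in display_name.split():
        if "." in token and registrable_domain(token) != from_org:
            findings.append(f"display name claims {token} but sender is {from_domain}")

    # 3. Visible link text shows one host while the href points to another.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = _LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            if not href or "." not in text or " " in text:
                continue  # no target, or link text is not URL-like
            shown = text if "://" in text else "http://" + text
            if registrable_domain(_host_of(shown)) != registrable_domain(_host_of(href)):
                findings.append(f"link text shows {_host_of(shown)} but points to {_host_of(href)}")
    return findings


def is_suspicious(raw):
    return bool(phishing_indicators(raw))
```

Run against PHISH_RAW the script reports all three indicators; against CLEAN_RAW it reports none. The checks are heuristics, not proof: a legitimate newsletter sent through a mailing provider will trip the Reply-To rule, and an attacker who registers a look-alike domain and uses it consistently will trip none of them, which is why vendor assessment and user awareness (the point of the CPO Magazine quote below) still matter.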

Scott Ikeda, in his report in CPO Magazine on 7 April 2020, entitled "Third Party Data Breach of
GE Vendor Exposes Highly Sensitive Employee Information, Appears to Stem from Just One Compromised
Email Account", concluded that:

In terms of securing against a third-party data breach, this incident illustrates the need for
screening of not just the traditional IT countermeasures and posture of contractors but also
the susceptibility of individual employees that have access to sensitive data. Elad Shapira,
Head of Research at Panorays: "This cyber incident underscores why it's so important for
companies to thoroughly assess their service providers' cyber posture, and why that
assessment must also take into account the human factor. Specifically, companies should
be sure to check the likelihood of employees to be targeted for an attack based on factors
like social media presence, employee security awareness and the presence of a dedicated
security team."
https://www.cpomagazine.com/cyber-security/third-party-data-breach-of-ge-vendor-exposes-highly-sensitive-employee-information/

b. CONCLUSION

The DPA has been in force for eight years, and our government is still improving the system:
setting the minimum standards for the protection of personal information required under the DPA,
regulating the privacy codes in use, and regulating Data Protection Officers.

As HR manager, these are some of your obligations with respect to the 201 files of all the workers
in your company:

1. Ensure that the personal information in your custody, whether in hard copy or in digital form,
is protected and safely stored. As a rule, any request for a copy or retrieval of this information
must have the consent of the data subject.

2. As part of human resource development, coordinate with the NPC for training and orientation
for your company, to build capacity, promote compliance with the data privacy policy, and mitigate
operational risks.

3. Establish and strengthen internal privacy policies.

As a culture, our sense of privacy in communications and correspondence is only starting to take
off. Maybe the next generation will be more conscious of this right and learn from our mistakes.
