Organization - Data Privacy Policy
Privacy Policy
Section IV of the National Privacy Commission's (NPC) Circular 16-03, on Personal Data Breach Management, requires a complying organization to implement a breach management policy for the purpose of preventing or minimizing the occurrence of a personal data breach and ensuring the timely discovery of any security incident. This breach management policy may be incorporated into the organization's privacy policy and into the privacy management programs that should be set up and properly cascaded among the organization's employees.
One good example of a privacy policy, as discussed in the establishment of a data privacy accountability framework, is set out in the study published by Henry Chang, available at https://www.nymity.com/data-privacy-resources/~/media/NymityAura/Resources/Research/Privacy-Accountability-Management-Framework-For-Data-Controllers-Operating-Across-Asia.pdf. The study included the application of the proposed data privacy accountability framework under Philippine law, as well as under the laws of other Asian countries that have enacted data privacy and protection laws. For the benefit of personal information controllers and personal information processors, the National Privacy Commission is currently developing a template that may be used as a basis for drafting a new privacy policy or revising an existing one.
Certifications
There is currently no certification process for an organization's (level of) compliance with the Data Privacy Act. Nonetheless, the Commission does recommend that organizations obtain certifications or accreditations against existing international standards, such as those prescribed by the International Organization for Standardization (ISO), including the following:
The Commission also does not require certifications for key personnel of personal information controllers or personal information processors, such as their Data Protection Officer or Compliance Officer for Privacy. However, it is considered best practice across jurisdictions for organizations to properly equip their personnel with appropriate training that enables them to fulfill their specific roles and functions. Some international certifications or training programs commonly considered for this purpose include:
While not explicitly required, certifications and/or accreditations allow for a more efficient verification and monitoring process on the part of the Commission.