Professional Documents
Culture Documents
Data Privacy
Data Privacy
Data Privacy
DATA PRIVACY,
MANAGEMENT &
PROTECTION POLICY
2023
City of Tuguegarao
3500 Philippines
28
CAGAYAN MUSEUM & HISTORICAL RESEARCH CENTER
2021-2022
2 27
17.4.9 immediately inform the Museum if, in its opinion, an in-
struction violates the Data Privacy Act of 2012 or any other issu-
ance of the National Privacy Commission.
MANDATE
18. Review and Amendments
The Cagayan Museum and Historical Research Center was creat-
This Policy and Guidelines shall be reviewed periodically and amend- ed by virtue of Provincial Board of Cagayan Resolution No. 126
ed as needed. dated 18 February 1973 in response to the need for a curatorial
staff that shall oversee the set-up and operations of Cagayan Mu-
seum and Historical Research Center that eventually became op-
erational on 16 August 1973.
VISION
Crafted: September 24, 2021 The Cagayan Museum as the cultural service arm of the Provin-
Updated: January 27, 2022 cial Government of Cagayan shall provide direction, initiative, ex-
pertise, and accurate information on the history, culture, and arts
Updated: January 17, 2023
of Cagayan.
26 3
17.4.3 Implement appropriate security measures;
17.4.4 comply with the Data Privacy Act of 2012 and other issu-
ances of the National Privacy Commission, and other applicable
laws, in addition to the obligations provided in the contract, or
other legal act with the external party;
4 25
al Privacy Commission. A general summary of the reports shall be
prepared and made available annually.
24 5
I6.1.2 In the event that such signs are discovered, the employee or
ACCOUNTABILITY AND PROFESSIONALISM agent shall immediately report the facts and circumstances to the
The Museum is determined to be a good steward of an asset that the DPPO within twenty-four (24) hours from his/ her discovery for verifi-
community came together to create and which serves a vital public cation as to whether or not a breach requiring notification under the
function. It holds itself accountable for the best use of its collections, Data Privacy Act of 2012 has occurred as well as for the determina-
facilities, staff, volunteers, and financial resources. It is committed to tion of the relevant circumstances surrounding the reported breach
transparency and integrity in carrying out its Mission. It seeks to and/or Security Incident.
achieve the highest levels of professionalism via staff training, partici-
pation in professional organizations, and the use of informed scholars 16.1.3 The DPO shall notify the Museum Director who in turns notifies
and consultants. the Provincial Legal Office and the National Privacy Commission and
the affected Data Subjects pursuant to requirements and procedures
prescribed by the Data Privacy Act of 2012.
COMMITMENT TO EDUCATION
The Museum believes that exposure to the real thing—actual works of 16.1.4 The notification to the Provincial Legal Office, National Privacy
art, live animals, and three-dimensional natural and scientific objects, Commission and the affected Data Subjects shall at least describe the
as well as hands-on opportunities to explore nature and humankind’s nature of the breach, the Personal Data possibly involved, and the
impact upon it—are key to developing knowledge of and appreciation measures taken by the Museum to address the breach. The notifica-
for the world in which we live. It encourages children, adults, and fam- tion shall also include measures taken to reduce the harm or negative
ilies alike to pursue life- long learning. consequences of the breach and the name and contact details of the
DPPO. The form and procedure for notification shall conform to the
regulations and circulars issued by the National Privacy Commission,
as may be updated from time to time.
6 23
drawn his or her consent to the Processing thereof upon reasonable
request by the Data Subject.
The lawful heirs and assigns of the Data Subject may invoke the STRATEGIC PRIORITIES
rights of the Data Subject to which he or she is an heir or an assign-
ee, at any time after the death of the Data Subject, or when the Data
1. To elevate to WORLD CLASS STANDARDS the Museum exhibi-
Subject is incapacitated or incapable of exercising his/her rights.
tions, services, and visitor experience shifting from the old paradigm
of museums as simply a showcase of antiques but as a dynamic and
15. Data Portability catalytic cultural hub integrating and strengthening its functions of rig-
orous research, conservation, and management that are people-
15.1 Where his or her Personal Data is processed by the Museum centered, inclusive, and sustainable.
through electronic means and in a structured and commonly used for-
mat, the Data Subject shall have the right to obtain a copy of such da-
ta in an electronic or structured format that is commonly used and al- 2. To secure the future of our collections and other heritage proper-
lows for further use by the Data Subject. ties not only onsite but around the entire province of Cagayan, both
movable and immovable tangible, and intangible, by making opera-
15.2 The exercise of this right shall primarily take into account the tional, efficient and exceptional the Museum’s CONSERVATION func-
right of Data Subject to have control over his or her Personal Data tion.
being processed based on consent or contract, for commercial pur-
pose, or through automated means.
3. To promote the Museum as a Research Institution as a reputable
and recognized center of excellence for RESEARCH providing accu-
15.3 The DPPO shall regularly monitor and implement the National rate, reliable, and up-to-date historical and cultural data for the prov-
Privacy Commission’s issuances specifying the electronic format re- ince of Cagayan.
ferred to above, as well as the technical standards, modalities, proce-
dures and other rules for their transfer.
4. To strengthen the museum as an inclusive CULTURAL HUB recog-
nized as an international destination for tourists, artists, culture bear-
16. Data Breaches and Security Incidents ers, researchers, and students serving as supplement to formal edu-
cation.
16.1 Data Breach Notification
6.1.1 All employees and agents of the Museum involved in the Pro- 5. To be a catalyst for sound, inclusive and sustainable HERITAGE
cessing of Personal Data are tasked with regularly monitoring for MANAGEMENT for the province providing direction and initiative
signs of a possible data breach or Security Incident. for the sustainable development of Cagayan’s cultural resources facil-
itating its integration into mainstream contemporary Cagayan way of
life.
22 7
and the simultaneous receipt of the new and the retracted Personal
Data by the intended recipients thereof: Provided, That recipients or
third parties who have previously received such processed Personal
Data shall be informed of its inaccuracy and its rectification, upon rea-
sonable request of the Data Subject.
13.6.1 The Data Subject shall have the right to suspend, withdraw, or
order the blocking, removal, or destruction of his or her Personal Data
from the Museum filing system.
13.6.2.2 The Personal Data is being used for purpose not au-
thorized by the Data Subject;
13.6.3 The DPPO may notify third parties who have previously re-
ceived such processed Personal Data that the Data Subject has with-
8 21
13.4.1.1 Contents of his or her Personal Data that were pro-
cessed; DATA PRIVACY, MANAGEMENT AND PROTECTION POLICY
Updated: 17 January 2023
13.4.1.2 Sources from which Personal Data were obtained;
13.4.1.6 Information on automated processes where the Per- (1) properly process personal data;
sonal Data will, or is likely to, be made as the sole basis for any (2) safeguard personal data;
decision that significantly affects or will affect the Data Subject; (3) permit access by individuals to their personal data;
4. Definitions 13.3.2 The Data Subject shall also be notified and given an opportuni-
ty to withhold consent to the Processing in case of changes or any
4.1 Data Privacy Act or DPA refers to Republic Act No. 10173 or amendment to the information supplied or declared to the Data Sub-
the Data Privacy Act of 2012 and its implementing rules and regula- ject in the preceding paragraph.
tions.
13.3.3 When a Data Subject denies, objects, or withholds consent,
4.2 Data Subject refers to an individual whose Personal Infor- the Museum shall no longer process the Personal Data, unless:
mation, Sensitive Personal Information, or Privileged Information is
processed. 13.3.3.1 the Personal Data is needed pursuant to a subpoena;
13.3.3.2 the Processing is for obvious purposes, including,
4.3 Museum refers to Cagayan Museum and Historical Research
when it is necessary for the performance of or in relation to a
Center, a division of the Office of the Governor of the Province of
contract or service to which the Data Subject is a party, or
Cagayan, Republic of the Philippines.
when necessary or desirable in the context of an employer-
employee or Museum-agent relationship between the Museum
4.4 Personal Data collectively refers to Personal Information,
and the Data Subject; or
Sensitive Personal Information, and Privileged Information.
13.3.3.3 the Personal Data is being collected and processed to
4.5 Personal Information refers to any information, whether rec- comply with a legal obligation.
orded in a material form or not, from which the identity of an individual
is apparent or can be reasonably and directly ascertained by the enti- 13.4 Right to Access
ty holding the information, or when put together with other information
would directly and certainly identify an individual. 13.4.1 The Data Subject has the right to reasonable access to, upon
demand, the following:
10 19
right to rectification, right to erasure or blocking, and right to damages.
Employees, contractors and agents of the Museum are required to 4.6 Processing refers to any operation or set of operations per-
strictly respect and obey the rights of the Data Subjects. The DPPO, formed upon Personal Data including, but not limited to, the collection,
with the assistance of the AO/s, shall be responsible for monitoring recording, organization, storage, updating or modification, retrieval,
such compliance and developing the appropriate disciplinary consultation, use, consolidation, blocking, erasure or destruction of
measures and mechanism. data. Processing may be performed through automated means, or
manual processing, if the Personal Data are contained or are intended
13.2 Right to be Informed to be contained in a filing system.
13.2.1 The Data Subject has the right to be informed whether Person- 4.7 Privileged Information refers to any and all forms of Personal
al Data pertaining to him or her shall be, are being, or have been pro- Data, which, under the Rules of Court and other pertinent laws consti-
cessed. tute privileged communication.
13.2.2 The Data Subject shall be notified and furnished with infor- 4.8 Security Incident is an event or occurrence that affects or
mation indicated hereunder before the entry of his or her Personal tends to affect data protection, or may compromise the availability, in-
Data into the records of the Museum, or at the next practical oppor- tegrity and confidentiality of Personal Data. It includes incidents that
tunity: would result to a personal data breach, if not for safeguards that have
been put in place.
13.2.2.1 description of the Personal Data to be entered into the
system; 4.9 Sensitive Personal Information refers to Personal Data:
13.2.2.2 purposes for which they are being or will be pro- 4.9.1 About an individual’s race, ethnic origin, marital status, age,
cessed, including Processing for direct marketing, profiling or color, and religious, philosophical or political affiliations;
historical, statistical or scientific purpose;
4.9.2 About an individual’s health, education, genetic or sexual life,
13.2.2.2 basis of Processing, when Processing is not based on or to any proceeding for any offense committed or alleged to have
the consent of the Data Subject; been committed by such individual, the disposal of such proceed-
ings, or the sentence of any court in such proceedings;
13.2.2.2 scope and method of the Personal Data Processing;
4.9.3 Issued by government agencies peculiar to an individual
13.2.2.3 the recipients or classes of recipients to whom the which includes, but is not limited to, tax identification numbers,
Personal Data are or may be disclosed or shared; previous or current health records, licenses or its denials, suspen-
sion or revocation, and tax returns;
13.2.2.4 methods utilized for automated access, if the same is
allowed by the Data Subject, and the extent to which such ac- 4.9.4 Specifically established by an executive order or an act of
cess is authorized, including meaningful information about the Congress to be kept classified; and
logic involved, as well as the significance and the envisaged
consequences of such Processing for the Data Subject; 4..9.5 Other information as may be defined by other laws.
18 11
5. Organizational Security Measures 12. Technical Security Measures
5.1 Data Privacy and Protection Officer The DPPO, with the cooperation and assistance of ITMO, shall craft,
continuously develop and evaluate the Museum’s security policy with
5.1.1 A Data Protection Officer (“DPPO”) shall be appointed by the respect to the Processing of Personal Data. The security policy
Museum Director. should include the following minimum requirements:
5.1.2 The DPPO is responsible for ensuring the Museum’s compli- 12.1 safeguards to protect the Museum’s computer network and sys-
ance with applicable laws and regulations for the protection of data tems against accidental, unlawful, or unauthorized usage, any inter-
privacy and security. The functions and responsibilities of the DPPO ference which will affect data integrity or hinder the functioning or
shall particularly include, among others: availability of the system, and unauthorized access;
5.1.2.1 monitoring the Museum’s Personal Data Processing ac- 12.2 the ability to ensure and maintain the confidentiality, integrity,
tivities in order to ensure compliance with applicable Personal availability, and resilience of the Museum’s data processing systems
Data privacy laws and regulations, including the conduct of peri- and services;
odic internal audits and review to ensure that all the Museum’s
data privacy policies are adequately implemented by its, employ- 12.3 regular monitoring for security breaches, and a process both for
ees, contractors, and authorized agents; identifying and accessing reasonably foreseeable vulnerabilities in the
the Museum’s computer network and system, and for taking preven-
5.1.2.2 acting as a liaison between the Museum and the regula- tive, corrective, and mitigating actions against security incidents that
tory and accrediting bodies, and is in charge of the applicable can lead to a Personal Data breach;
registration, notification, and reportorial requirements mandated
by the Data Privacy Act of 2012, as well any other applicable 12.4 the ability to restore the availability and access to Personal Data
data privacy laws and regulations; in a timely manner in the event of a physical or technical incident;
5.1.2.3 developing, establishing, and reviewing policies and pro- 12.5 a process for regularly testing, assessing, and evaluating the ef-
cedures for the exercise by Data Subjects of their rights under fectiveness of security measures; and
the Data Privacy Act and other applicable laws and regulations
on Personal Data privacy; 12.6 encryption of Personal Data during storage and while in transit,
authentication process, and other technical security measures that
5.1.2.4 acting as the primary point of contact whom Data Sub- control and limit access thereto.
jects may coordinate and consult with for all concerns relating to
their Personal Data; 13. Rights of Data Subjects
5.1.2.5 formulating capacity building, orientation, and training 13.1 As provided under the Data Privacy Act of 2012, Data Subjects
programs for employees, agents or representatives of the Muse- have the following rights in connection with the Processing of their
um regarding Personal Data privacy and security policies; Personal Data: right to be informed, right to object, right to access,
12 17
sonal Data, shall be responsible for developing measures to deter- 5.1.2.6 preparing and filing the annual report of the summary of
mine the applicable data retention schedules, and procedures to allow documented security incidents and Personal Data breaches, if
for the withdrawal of previously given consent of the Data Subject, as any, as required under the Data Privacy Act of 2012, and of
well as to safeguard the destruction and disposal of such Personal compliance with other requirements that may be provided in oth-
Data in accordance with the Data Privacy Act of 2012 and other appli- er issuances of the National Privacy Commission.
cable laws and regulations.
6. Data Privacy Principles
11. Physical Security Measures
All Processing of Personal Data within the Museum should be con-
11.1 The DPPO, with the assistance of the AO/s, and any other sec- ducted in compliance with the following data privacy principles as es-
tions and units of the Museum, and the Information and Technology poused in the Data Privacy Act of 2012:
Officer-in-charge (“ITMO”), shall develop and implement policies and
procedures for the Museum to monitor and limit access to, and activi- 6.1 Transparency. The Data Subject must be aware of the nature,
ties in, the offices of AO/s, as well as any other sections or units and/ purpose, and extent of the Processing of his or her Personal Data by
or workstations in the Museum where Personal Data is processed or the Museum, including the risks and safeguards involved, the identity
stored, including guidelines that specify the proper use of, and access of persons and entities involved in Processing his/her Personal Data,
to, electronic media. his or her rights as a Data Subject, and how these can be exercised.
Any information and communication relating to the Processing of Per-
11.2 The design and layout of the office spaces and work stations of sonal Data should be easy to access and understand, using clear and
the abovementioned sections and units, including the physical ar- plain language.
rangement of furniture and equipment, shall be periodically evaluated
and adjusted in order to provide privacy to anyone Processing Per- 6.2 Legitimate purpose. The Processing of Personal Data by the
sonal Data, taking into consideration the environment and accessibil- Museum shall be compatible with a declared and specified purpose
ity to unauthorized persons. which must not be contrary to law, morals, or public policy.
11.3 The duties, responsibilities, and schedules of individuals in- 6.3 Proportionality. The Processing of Personal Data shall be ad-
volved in the Processing of Personal Data shall be clearly defined to equate, relevant, suitable, necessary, and not excessive in relation to
ensure that only the individuals actually performing official duties shall a declared and specified purpose. Personal Data shall be processed
be in the office or work station, at any given time. by the Museum only if the purpose of the Processing could not rea-
sonably be fulfilled by other means.
11.4 Furthermore, the offices and workstations used in the Pro-
cessing of Personal Data shall, as far as practicable, be secured 7. Data Processing Records
against natural disasters, power disturbances, external access, and
other similar threats that may lead to loss or unauthorized access to 7.1 Adequate records of the Museum’s Personal Data Processing ac-
Personal Data. tivities shall be maintained at all times. The DPPO, with the coopera-
tion and assistance of all the concerned sections and units involved in
11.5 A review of these Physical Security Measures are to be done on the Processing of Personal Data, shall be responsible for ensuring
a periodic basis.
16 13
that these records are kept up-to-date. These records shall include, at 8.2.1 The Processing of his/ her Personal Data, for purposes of
the minimum: maintaining Museum records; and
7.1.1 information about the purpose of the Processing of Personal 8.2.2 A continuing obligation of confidentiality on the employee’s
Data, including any intended future Processing or data sharing; part in connection with the Personal Data that he or she may en-
counter during the period of engagement or employment with the
7.1.2 a description of all categories of Data Subjects, Personal Museum.
Data, and recipients of such Personal Data that will be involved in
the Processing; 8.2.3 This obligation shall apply even after or employee has left
the Museum for whatever reasons.
7.1.3 general information about the data flow within the Museum ,
from the time of collection and retention, including the time limits 9. Data Collection Procedures
for disposal or erasure of Personal Data;
9.1 The DPPO, with the assistance of the AO/s and any other sec-
7.1.4 a general description of the organizational, physical, and tions and/or units of the Museum responsible for the Processing of
technical security measures in place within the Museum; and Personal Data, shall document the Museum’s Personal Data Pro-
cessing procedures.
7.1.5 the name and contact details of the DPPO, Personal Data
processors, as well as any other staff members accountable for 9.2 The DPPO shall ensure that such procedures are updated and
ensuring compliance with the applicable laws and regulations for that the consent of the Data Subjects (when required by the Data Pri-
the protection of data privacy and security. vacy Act of 2012 or other applicable laws or regulations) is properly
obtained and evidenced by written, electronic, or recorded means.
8. Management of Human Resources
9.3 Such procedures shall also be regularly monitored, modified, and
8.1 The DPPO, with the cooperation of the Museum’s Administrative updated to ensure that the rights of the Data Subjects are respected,
Officer (AO), shall develop and implement measures to ensure that all and that Processing thereof is done fully in accordance with the Data
staff who have access to Personal Data will strictly process such data Privacy Act of 2012 and other applicable laws and regulations.
in compliance with the requirements of the Data Privacy Act and other
applicable laws and regulations. These measures may include draft- 10. Data Retention Schedule
ing new or updated relevant policies of the Museum and conducting
training programs to educate volunteers, employees and agents on 10.1 Subject to applicable requirements of the Data Privacy Act of
data privacy related concerns. 2012 and other relevant laws and regulations, Personal Data shall not
be retained by the Museum for a period longer than necessary and/or
8.2 The DPPO, with the assistance of the AO, shall ensure that the proportionate to the purposes for which such data was collected.
Museum shall obtain all employee’s informed consent, evidenced by
written, electronic or recorded means, to: 10.2 The DPPO, with the assistance of the AO/s, and any other sec-
tions and units of the Museum responsible for the Processing of Per-
14 15