
Associated Marine Officers’ and Seamen’s Union of the Philippines

Data Protection and Privacy / Quality Assurance
Background: History

Milestones shown on the timeline, in the order they appear on the slide:
• Data Privacy Act (RA 10173)
• Privacy Commissioner & Deputy Privacy Commissioners
• Implementing Rules & Regulations (IRR)
• Mandatory Compliance
• Mandatory Registration**
• Gov’t Agencies & Private Companies
• National Privacy Commission (NPC)
• DICT Act of 2015 (RA 10844)
• DICT*

Dates shown on the timeline, in the order they appear on the slide: March 2012, June 2015, March 2016, May 2016, August 2016, Sept 2017 – March 2018.

*DICT – Department of Information and Communications Technology

** Deadline of Registration:
Phase I: Registration of DPO – until September 9, 2017
Phase II: Registration of personal data processing systems – until March 8, 2018

Page 2 SH-DPA p1 Rev01/10292018


Privacy encompasses the rights and obligations of individuals and organizations with respect to the collection, use, disclosure, and retention of personal information.

Personal Information (PI)
• Information directly attributable to an individual.
• Examples: name, home address, phone number.

Sensitive Personal Information (Sensitive PI)
• Personal information whose leakage could impact the material well-being of an individual is considered Sensitive PI.
• Specifically defined by the IRR.
• Examples: race, ethnic origin, marital status, age, color, religious, philosophical or political affiliations; health, education, genetic or sexual life, offenses committed or alleged, sentences; information issued by any government agency peculiar to an individual (licenses, denials, tax returns).


Background: Data flow

• The Data Subject provides personal data (PI, SPI, PrI) to the Personal Information Controller (PIC) through Collection.
• Outsourcing: the PIC passes personal data to a Personal Information Processor (PIP).
• Data Sharing: the PIC shares personal data with a Third Party PIC.


Background: Rights and Duties

Rights of Data Subject
• Informed consent
• Object
• Access to own data
• Corrections
• Forgotten
• Data Portability
• Damages

Duties of Data Controller
• Basis for processing
• Protection
• Transparency
• Data Integrity


Background: Rights of the Data Subject

Rights of Data Subject: Consent, Object, Access, Correction / Erasure, Damages, Portability.


Rights of the Data Subject: Consent

The data subject must be informed whether personal information pertaining to him or her shall be, are being or have been processed. The following information must be provided before the entry of the personal information into the processing system, or at the next practical opportunity:
1. Description of the personal information to be entered into the system;
2. Purposes for which they are being or are to be processed;
3. Scope and method of the personal information processing;
4. The recipients or classes of recipients to whom they are or may be disclosed;
5. Methods utilized for automated access;
6. The identity and contact details of the personal information controller or its representative;
7. The period for which the information will be stored; and
8. The existence of their rights.


Rights of the Data Subject: Consent (continued)

Consent from data subjects must be explicit, specific and time-bound.

Where relying on consent as the basis for lawful processing, it must be additionally ensured that:
► Consent is a freely given, specific, informed indication of will;
► Consent is given by written, electronic or recorded means;
► Consent is active, i.e. does not rely on silence, inactivity or pre-ticked boxes;
► Consent may also be given on behalf of a data subject by a lawful representative or an agent specifically authorized by the data subject to do so;
► Data subjects are informed of the right to withdraw consent at any time (through simple methods);
► Separate consents are obtained for distinct processing operations.

Note: If dealing with aliens, know that there are also applicable foreign privacy laws, especially for cross-border transfers of personal data.


Rights of the Data Subject: Object

The data subject shall have the right to object to the processing of his or her personal data, including processing for direct marketing, automated processing or profiling.

The data subject shall also be notified and given an opportunity to withhold consent to the processing in case of changes or any amendment to the information supplied or declared to the data subject in the preceding paragraph.


Rights of the Data Subject: Access

The data subject has reasonable access to, upon demand, the following:
1. Contents of his or her personal information that were processed;
2. Sources from which personal information were obtained;
3. Names and addresses of recipients of the personal information;
4. Manner by which such data were processed;
5. Reasons for the disclosure of the personal information to recipients;
6. Information on automated processes where the data will be, or are likely to be, made the sole basis for any decision that significantly affects or will affect the data subject;
7. Date when his or her personal information concerning the data subject were last accessed and modified; and
8. The designation, or name or identity and address of the personal information controller.


Rights of the Data Subject: Correction / Erasure

Correction
The right to correction involves the right of the data subject to dispute inaccuracies or errors in the personal information and have the same corrected immediately.

Erasure
The data subject shall have the right to suspend, withdraw or order the blocking, removal or destruction of his or her personal data from the personal information controller’s filing system.


Rights of the Data Subject: Damages

The data subject is entitled to be indemnified for any damages sustained due to such inaccurate, incomplete, outdated, false, unlawfully obtained, or unauthorized use of personal information.

A. Right to Lodge a Complaint before the Commission:
This right can be inferred from the duty of the National Privacy Commission to receive complaints, institute investigations, facilitate or enable settlement of complaints through the use of alternative dispute resolution processes, adjudicate, and award indemnity on matters affecting any personal information.

B. Right to Know the Identity of Accountable Individuals:
The data subject has a right to be informed of the identities of individuals who are accountable for the organization’s compliance with the DPA, as designated by the personal information controller.


Rights of the Data Subject: Data Portability

The data subject shall have the right, where personal information is processed by electronic means and in a structured and commonly used format, to obtain from the personal information controller a copy of the data undergoing processing in an electronic or structured format which is commonly used and allows for further use by the data subject.


Background: Duties of Data Controller

Lawful Processing
As a general rule, processing of personal information is allowed, unless prohibited by law. By default, the processing of sensitive and privileged information is prohibited.

Protection
The PIC and PIP shall place reasonable governance, technical control and physical control over the personal data being collected, processed and stored.

Data Integrity
The PIC and PIP shall ensure that all personal data collected from the data subject is true, accurate and updated. The PIC shall also have a reasonable procedure to correct erroneous personal data once requested by the data subject.

Transparency
The PIC and PIP must inform the Data Subject of the contents, sources, name and address of the recipient, manner of processing and disclosure to third parties of personal data.


Background: Duties of PIC or PIP

Lawful Processing Criteria: Personal information

1. The data subject must have given his or her consent prior to the collection, or as soon as practicable and reasonable.
2. The processing involves the personal information of a data subject who is a party to a contractual agreement.
3. The processing is necessary for compliance with a legal obligation to which the personal information controller is subject.
4. The processing is necessary to protect vitally important interests of the data subject, including his or her life and health.
5. The processing of personal information is necessary to respond to a national emergency or, as prescribed by law, to comply with the requirements of public order and safety.
6. The processing of personal information is necessary for the fulfillment of the constitutional or statutory mandate of a public authority.
7. The processing is necessary to pursue the legitimate interest of the PIC, or of a third party or parties to whom the data is disclosed.


Background: Duties of PIC or PIP

Lawful Processing Criteria: Sensitive and privileged information

1. Consent is given by the data subject, or by the parties to the exchange of privileged information, prior to the processing of the sensitive personal information or privileged information.
2. The processing of the sensitive personal information or privileged information is provided for by existing laws and regulations.
3. The processing is necessary to protect the life and health of the data subject or another person, and the data subject is not legally or physically able to express his or her consent prior to the processing.
4. The processing is necessary to achieve the lawful and noncommercial objectives of public organizations and their associations.
5. The processing is necessary for the purpose of medical treatment.
6. The processing is necessary for the protection of lawful rights and interests of natural or legal persons in court proceedings.


Background: Penalties

Violation: Fine / Jail Time

Unauthorized Processing of:
  a. Personal Information: Php 500,000 to 2,000,000 / One (1) to three (3) years
  b. Sensitive Personal Information: Php 500,000 to 4,000,000 / Three (3) to six (6) years
Accessing due to negligence of:
  a. Personal Information: Php 500,000 to 2,000,000 / One (1) to three (3) years
  b. Sensitive Personal Information: Php 500,000 to 4,000,000 / Three (3) to six (6) years
Improper Disposal of:
  a. Personal Information: Php 100,000 to 500,000 / Six (6) months to two (2) years
  b. Sensitive Personal Information: Php 100,000 to 1,000,000 / One (1) to three (3) years
Processing for Unauthorized Purposes:
  a. Personal Information: Php 500,000 to 1,000,000 / One (1) year and six (6) months to five (5) years
  b. Sensitive Personal Information: Php 500,000 to 2,000,000 / Two (2) years to seven (7) years
Unauthorized Access or Intentional Breach: Php 500,000 to 2,000,000 / One (1) year to three (3) years
Concealment of Security Breaches Involving Sensitive Personal Information: Php 500,000 to 1,000,000 / One (1) year and six (6) months to five (5) years
Malicious Disclosure: Php 500,000 to 1,000,000 / One (1) year and six (6) months to five (5) years
Unauthorized Disclosure of:
  a. Personal Information: Php 500,000 to 1,000,000 / One (1) year to three (3) years
  b. Sensitive Personal Information: Php 500,000 to 2,000,000 / Three (3) to five (5) years
Combination or Series of Acts: Php 1,000,000 to 5,000,000 / Three (3) to six (6) years
Background: Common Issues

1. We’ve collected sensitive personal information from individuals; do we remove the information or obtain their consent?
2. We are outsourcing a portion of our service to an affiliate; do we give notice to all our users or just stop the outsourcing service?


Quality Assurance Department Forms
• CPAR forms
• DPCR forms
• DRR form
• Quality Objectives form
• Minutes of the Meeting form
• Audit Checklist form
• Internal Audit Plan form
• Internal Audit Findings Report form

Questions?
