Data Protection and Privacy Session
Background
History
[Timeline figure. Milestones shown: Data Privacy Act (RA 10173), March 2012; Privacy Commissioner & Deputy Privacy Commissioners; DICT; Implementing Rules & Regulations (IRR); Gov't Agencies & Private Companies: Mandatory Compliance and Mandatory Registration, Sept 2017 – March 2018. Other dates on the timeline: June 2015, March 2016, May 2016, August 2016.]
Personal Information
Information directly attributable to an individual. Examples: name, home address, phone number.

Sensitive PI
Personal information whose leakage could impact the material well-being of an individual is considered Sensitive PI. It is specifically defined by the IRR. Examples:
- Race, ethnic origin, marital status, age, color, religious, philosophical or political affiliations;
- Health, education, genetic or sexual life, offenses committed or alleged, sentences;
- Information issued by any government agency peculiar to an individual, licenses, denials, tax returns.
[Figure: the Personal Information Controller (PIC) and the Personal Information Processor (PIP), linked by Outsourcing and Data Sharing, surrounded by the data subject's rights: access to own data, object, informed consent, basis for processing, protection, transparency, data integrity, data portability, damages, corrections, forgotten / erasure.]
Rights of Data Subject
[Figure: rights shown as icons: Consent, Object, Access, Correction / Erasure, Portability, Damages.]

Consent
The data subject must be informed whether personal information pertaining to him or her shall be, are being or have been processed. The following information must be provided before the entry of the personal information into the processing system, or at the next practical opportunity:
1. Description of the personal information to be entered into the system;
2. Purposes for which they are being or are to be processed;
3. Scope and method of the personal information processing;
4. The recipients or classes of recipients to whom they are or may be disclosed;
5. Methods utilized for automated access;
6. The identity and contact details of the personal information controller or its representative;
7. The period for which the information will be stored; and
8. The existence of their rights.
Data Integrity
The PIC and PIP shall ensure that all personal data collected from the data subject is true, accurate and updated. The PIC shall also have a reasonable procedure to correct erroneous personal data once requested by the data subject.

Transparency
The PIC and PIP must inform the data subject of the contents, sources, name and address of the recipient, manner of processing and disclosure to third parties of personal data.
Basis for processing personal information
1. The data subject must have given his or her consent prior to the collection, or as soon as practicable and reasonable.
2. The processing involves the personal information of a data subject who is a party to a contractual agreement.
3. The processing is necessary for compliance with a legal obligation to which the personal information controller is subject.
4. The processing is necessary to protect vitally important interests of the data subject, including his or her life and health.
5. The processing of personal information is necessary to respond to a national emergency or, as prescribed by law, to comply with the requirements of public order and safety.
6. The processing of personal information is necessary for the fulfillment of the constitutional or statutory mandate of a public authority.
7. The processing is necessary to pursue the legitimate interest of the PIC, or of a third party or parties to whom the data is disclosed.
Basis for processing sensitive personal information and privileged information
1. Consent is given by the data subject, or by the parties to the exchange of privileged information, prior to the processing of the sensitive personal information or privileged information.
2. The processing of the sensitive personal information or privileged information is provided for by existing laws and regulations.
3. The processing is necessary to protect the life and health of the data subject or another person, and the data subject is not legally or physically able to express his or her consent prior to the processing.
4. The processing is necessary to achieve the lawful and noncommercial objectives of public organizations and their associations.
5. The processing is necessary for the purpose of medical treatment.
6. The processing is necessary for the protection of lawful rights and interests of natural or legal persons in court proceedings.
Offense | Fine | Imprisonment
Unauthorized Access or Intentional Breach | Php 500,000 to 2,000,000 | One (1) year to three (3) years
Concealment of Security Breaches Involving Sensitive Personal Information | Php 500,000 to 1,000,000 | One (1) year and six (6) months to five (5) years
Malicious Disclosure | Php 500,000 to 1,000,000 | One (1) year and six (6) months to five (5) years
Unauthorized Disclosure of Personal Information | Php 500,000 to 1,000,000 | One (1) year to three (3) years
Unauthorized Disclosure of Sensitive Personal Information | Php 500,000 to 2,000,000 | Three (3) to five (5) years
Combination or Series of Acts | Php 1,000,000 to 5,000,000 | Three (3) to six (6) years
Common Issues
SH-DPA p1 Rev01/10292018
CPAR forms
DPCR forms
DRR form
Quality Objectives form
Minutes of the Meeting form
Audit Checklist form
Internal Audit Plan form
Internal Audit Findings Report form
Questions?