Data Privacy Module 2

DATA PRIVACY
PRINCIPLES
Data Privacy Fundamentals
Module 2
DPO Development Program

Data Subject
Transparency
Rights
Legitimate Security
Purpose Safeguards Accountability
Proportionality Data Quality

Module 2, DP Fundamentals
Transparency
Data Subject Rights Fairness
Notice Access Openness

Transparency
• The data subject must be aware of the nature, purpose, and
extent of the processing of his or her personal data, including
the risks and safeguards involved, the identity of personal
information controller, his or her rights as a data subject, and
how these can be exercised.
• Any information and communication relating to the processing

of personal data should be easy to access and understand,
using clear and plain language.

TRANSPARENCY AND RIGHTS OF
DATA SUBJECTS
• The data subject should be informed whether personal
information pertaining to him or her shall be, are being or have
been processed
• The data subject must be furnished information relevant to the
processing of his or her personal data, provided reasonable
access upon demand, and given a copy of his or her personal
data undergoing processing in an electronic or structured format
to allow further use (data portability)

RIGHT TO INFORMATION
• Description of • Classes of recipients
WHAT personal data WHOM of personal data
• Purposes of Processing, • Identity and contact

including Direct marketing, details of PIC
WHY automated decision-making, WHO • Contact details of Data
profiling; Basis of Processing Protection Officer
• Scope and Method of Processing • Data Subjects’ Rights,

including right to file a
HOW • Methods utilized for automated
access RIGHTS complaint before the
• Storage Period Privacy Commission

A Privacy notice is a statement on the data processing
activities of an agency or organization, providing
information about the categories of personal data
processed, purpose and extent of processing, and
safeguards in place for data protection. It demonstrates
transparency and fairness in processing, and provides
one of the means to uphold rights of data subjects. To
be effective, the privacy notice should be accessible,
engaging and easy to understand.

Contents of Privacy Notice
I. Service description
II. Personal Information that are collected
III. Collection method
IV. Timing of collection
V. Purpose of collected personal information
VI. Storage and transmission of personal information
VII. Method of use
VIII. Location of personal information
IX. Third party transfer
X. Retention period
XI. Participation of data subject
XII. Inquiry
Please refer to NPC Toolkit (3rd edition) for further information

ROLE OF DPO IN TRANSPARENCY
• The DPO serves as the contact person of the PIC or
PIP vis-à-vis data subjects, and the NPC
• Contact details of the DPO and COP should be
published in the website, privacy notice, and manual.
Their names need not be published but should be
made available upon request of data subject. (NPC
Advisory 17-01)
• Notification of data subjects may be required in cases
of personal data breach(NPC Circular 16-03)
RIGHT TO ACCESS
Reasonable access to, upon demand:
1. Contents of personal information processed
2. Sources from which personal information were obtained;
3. Names and addresses of recipients of the personal information;
4. Manner by which such data were processed;
5. Reasons for the disclosure to recipients;
6. Information on automated processes where the data will or likely to be made as the
sole basis for any decision significantly affecting or will affect the data subject;
7. Date when personal information were last accessed and modified; and
8. The designation, or name or identity and address of the personal information
controller;

REMEMBER
• The Data Subject can be provided information through a clear privacy
notice that is accessible and easy to understand.
• While a privacy notice may not include specific details of contents of

personal data being processed or recipients, the data subject may obtain
such information through the right to access.
• A Privacy Notice is different from Consent. (AdOp No. 2018-013)

COMPLIANCE FRAMEWORK
❑ Designate a DPO
❑ Have privacy notices
❑ Establish mechanisms for exercise of data
subject rights
❑ Where appropriate, data subjects should be
notified in case of a personal data breach

Legitimate Purpose
Notice and Choice Lawfulness
Purpose Purpose
Use Limitation
Specification Limitation

Legitimate Purpose
The processing of information shall be compatible with a
declared and specified purpose which must not be
contrary to law, morals, or public policy.

CONSENT
▪ The data subject agrees to the collection and
processing of personal information
✔ Freely given
✔ Specific
✔ Informed indication of will
▪ Evidenced by written, electronic or recorded
means:
✔ signature
✔ opt-in box/clicking an icon
✔ sending a confirmation email
✔ oral confirmation(recorded)
▪ Opt-in; silence, pre-ticked boxes or inactivity
does not constitute consent

CONSENT
• “Implied, implicit or negative consent is not recognized under
the law. Thus, a company policy that merely stipulates that the
inputting of requested personal information amounts to consent
or a waiver by a data subject of his or her data privacy rights
shall not be considered as valid consent, as required under the
DPA”. (AdOp No. 2017-007)

FREELY GIVEN, SPECIFIC, AND INFORMED
▪ Consent means giving data subjects genuine choice and
control over how a PIC uses their data. This means data
subjects must be able to refuse consent, and must be able
to withdraw consent easily at any time.
▪ It also means consent should be unbundled from other
terms and conditions (including giving granular consent
options for different types of processing) wherever
possible.
Source: https://ico.org.uk/media/about-the-ico/consultations/2013551/draft-gdpr-consent-guidance-for-consultation-201703.pdf

PROCESSING OF PERSONAL INFORMATION
IS ALLOWED IF:
a) Consent
b) Contract
c) Compliance with a legal obligation
d) Protect vitally important interests of the data subject, including life and
health
e) Fulfill functions of public authority (national emergency, public order and
safety)
f) Legitimate interests
Sec. 12, DPA

PROCESSING OF SENSITIVE PERSONAL INFORMATION IS
PROHIBITED PROVIDED THAT:
a) Consent
b) Existing laws and regulations
c) Protect the life and health of a data subject or another person
(Emergency cases)
d) Medical treatment (Medical Practitioner)
e) Court proceedings, legal mandate of government authorities

EXAMPLES OF PROCESSING WHICH MAY
NOT NEED CONSENT:

ILLUSTRATION
“Under Republic Act No. 9406, it is our understanding that the mandate of PAO is to extend free
legal assistance to indigent persons in criminal, civil, labor, administrative and other quasi-judicial
cases. Should PAO then be authorized as legal representatives of the minor data subjects, they may
then be provided information regarding the particular data subject they are representing, subject to
the presentation of proof of such authorization”.
“Lastly, as to the request of the media and other private organizations, the disclosure of statistical
or aggregated information without involving any personal or sensitive personal information
should suffice. The release of a copy of the master list of students and individuals who were
vaccinated with Dengvaxia®, which contains sensitive personal information to the Requesting, to
any requesting public, could constitute an unwarranted invasion of personal privacy”.

ILLUSTRATION
INFORMATION SOUGHT
1. Name
2. Birthday
3. Home address Request was:
4. Name of parents
5. Consent form
a. Not provided by existing laws and regulations;
6. Vaccination card b. Made without the consent of the data subjects or their
7. Name of vaccinator authorized representatives; and
8. Position of the vaccinator c. Not done pursuant to PAO’s constitutional or statutory
9. Health educator
mandate.
See Section 13 – instances when processing of

sensitive personal information is considered
lawful

❑ Have Records of Processing Activities and document basis of
processing
❑ Policies and procedures for every stage of the data life cycle
(Procedures for obtaining consent)
❑ Manage third party risks (Outsourcing contracts, Data Sharing,
Disclosures to any third party and Reporting Requirements)
❑ Regular Assessment and Review (Review consent forms, contracts,
notices)

Proportionality
Data Minimization Necessity
Collection
Storage Limitation Deidentification*
Limitation

Proportionality
The processing of information shall be adequate, relevant,
suitable, necessary, and not excessive in relation to a
declared and specified purpose.
Personal data shall be processed only if the purpose of the

processing could not reasonably be fulfilled by other means.

PROCESSING OF PERSONAL INFORMATION
MUST BE:
Adequate
Not
Relevant
excessive
Necessary Suitable

EXAMPLE OF EXCESSIVE COLLECTION OF PERSONAL
INFORMATION

OAKES PROPORTIONALITY TEST
1. Examines whether the measure is necessary to meet the
objective—that is, whether there are less intrusive ways of
achieving the same objective.
2. Examines whether the measure chosen for the collection of
information is effective in achieving the objective—that is, whether
it is rationally connected to it.
3. Weighs the proportional benefits of collecting information
against the harm to the employee’s/data subject’s privacy.
R vs. Oakes, S.C.R. 103, Supreme Court of Canada, 1986

ILLUSTRATION
“It is proper for the CAAC and the Board to judiciously evaluate and determine whether the
publication of the decisions on the website is indispensable in achieving its purpose. The Board can
consider redaction of sensitive personal information, such as the identity of patients and their
health information, which may not be necessary for purposes of posting in the website”.

❑ Have Records of Processing Activities,
including data inventory and data flow
❑ Conduct Privacy Impact Assessment
❑ Policies and procedures for every stage of the
data life cycle (Use, Records retention policy,
disposal)
❑ Regular Assessment and Review (Review
consent forms, contracts, data collection forms)

Data Quality
Access and
Integrity
Correction
Adequate Relevant Accurate

DATA QUALITY MEANS:
That the data must be accurate, relevant and, where necessary for
purposes for which it is to be used the processing of personal
information, kept up to date; inaccurate or incomplete data must
be rectified, supplemented, destroyed or their further processing
restricted;
Section 11, par. c, Chapter III, Data Privacy Act of 2012

DATA QUALITY ALSO MEANS:
1. Ensuring that the Personal Information is accurate, complete, up-to-date;
2. Ensuring the reliability of the Personal Information from a source other than from
the data subject before it is processed;
3. Establishing personal information collection procedures to help ensure accuracy
and quality; and
4. Establishing control mechanism to periodically check the accuracy and quality of
collected and stored personal information.
ISO/IEC 29100:2011 – Information Technology – Security Techniques – Privacy Framework

DATA QUALITY
• Obligation to implement security measures to maintain integrity of personal
data
• There must be safeguards against accidental, unlawful, or unauthorized
alteration or contamination of Personal data.
• Data subjects have a right to be indemnified for any damages sustained
due to inaccurate, incomplete, outdated or false personal information.

❑ Policies and procedures for every stage of the
data life cycle (Access control, Updating of Records)
❑ Implement Organizational, Physical and Technical
Security Measures (Maintain integrity of personal data)
❑ Regular Assessment and Review (Internal audit)

Security Safeguards
Preventing Harm Resilience
Confidentiality Integrity Availability

Organizational • Management Buy-In
Commitment • DPO
• Reporting Mechanisms
•
•
Records of Processing Activities
Risk Assessment
PREVENT
Program Controls
•
•
•
Registration
Policies and Procedures
Data Security
HARM TO
•
•
•
Capacity Building
Breach Management DATA
Notification
Continuing
•
•
Third-Party Management
Communication SUBJECTS
Assessment and • Continuity and Review
Development

❑ Implement Privacy Management Program
❑ Develop Privacy Manual
❑ Implement Organizational, Physical and Technical
Security Measures

Data Subject Rights
Individual
Notice
Participation
Access and
Choice Remedies
Correction

RIGHTS OF THE DATA SUBJECT

Right to OBJECT
• When does the right to object apply?
X
▪ processing is based on consent (including processing
for direct marketing, automated processing, or profiling)
▪ processing is based on legitimate interests of the PIC
• If you process personal data for direct marketing

purposes:
• You must stop processing as soon as you receive an
objection. There are no exemptions or grounds to refuse.

Right to OBJECT
• When a data subject objects or withholds consent, the PIC
shall no longer process the personal data, unless:
1. Personal data is needed pursuant to a subpoena;

2. Processing are for obvious purposes, i.e. necessary for the
performance of a contract, or when necessary or desirable in
the context of an employer-employee relationship between
collector and data subject; or
3. Information is being collected and processed as a result of a
legal obligation.

Right to ERASURE or BLOCKING
• When does the right apply?

a. The personal data is incomplete, outdated, false, or unlawfully obtained;
b. Being used for unauthorized purpose;
c. No longer necessary for the purposes for which they were collected;
d. The data subject withdraws consent or objects to the processing, and there is no
other legal ground or overriding legitimate interest for the processing;
e. The personal data concerns private information that is prejudicial to data subject,
unless justified by freedom of speech, of expression, or of the press or otherwise
authorized;
f. The processing is unlawful;
g. The PIC or PIP violated the rights of the data subject.

Right to RECTIFICATION
▪ Right to dispute the inaccuracy or error in the personal data and have the
PIC correct it immediately, unless the request is vexatious or otherwise
unreasonable.
▪ PIC shall ensure the accessibility of both the new and the retracted
information and the simultaneous receipt of the new and the retracted
information by the intended recipients.
▪ If you have disclosed the personal data in question to third parties, you must
inform them of the rectification upon reasonable request of the data subject.

Right to DAMAGES
• The data subject shall be indemnified for any damages

sustained due to such inaccurate, incomplete, outdated,
false, unlawfully obtained or unauthorized use of personal
data, taking into account any violation of his or her rights
✔
and freedoms as data subject.
See: NPC Circular No. 16-04 – Rules of Procedure

Right to DATA PORTABILITY
When does the right to data portability apply?
• If personal data is processed electronically, the data

subject shall have the right to obtain from the PIC a copy
of such data in an electronic/structured format that is
commonly used and allows for further use by the data
subject.
What is the purpose of this right?
• In order for the data subject to have control over his or

her personal data being processed based on consent or
contract, for commercial purpose, or through automated
means.

Accountability
Demonstrate
DPO
Compliance
Risk
Responsibility
Assessment and Certifications
for third party
Privacy
transfers of Privacy Codes
Management
personal data
Program
❑ Designate a DPO
❑ Have Records of Processing Activities
❑ Conduct Privacy Impact Assessment
❑ Implement a Privacy Management Program
❑ Regular Assessment and Review (Review of
Policies, Internal Audit, Certifications)

❑ Establish Procedures for Data Subjects to
Exercise their rights, including right to complain

ETHICAL USE
OF PERSONAL
Benefits
DATA
ACCOUNTABILITY
Harms

Thank you!
info@privacy.gov.ph
privacy.gov.ph
0939 963 8715

0945 1534 299

Data Privacy Module 2

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Data Privacy Module 2

Uploaded by

Copyright:

Available Formats

DATA PRIVACY

DPO Development Program

Proportionality Data Quality

DPO Development Program

Data Subject Rights Fairness

Notice Access Openness

DPO Development Program

• Any information and communication relating to the processing

DPO Development Program

DPO Development Program

• Purposes of Processing, • Identity and contact

• Scope and Method of Processing • Data Subjects’ Rights,

DPO Development Program

DPO Development Program

DPO Development Program

DPO Development Program

• While a privacy notice may not include specific details of contents of

• A Privacy Notice is different from Consent. (AdOp No. 2018-013)

DPO Development Program

DPO Development Program

Notice and Choice Lawfulness

DPO Development Program

DPO Development Program

DPO Development Program

DPO Development Program

DPO Development Program

DPO Development Program

DPO Development Program

DPO Development Program

DPO Development Program

See Section 13 – instances when processing of

DPO Development Program

DPO Development Program

Data Minimization Necessity

DPO Development Program

Personal data shall be processed only if the purpose of the

DPO Development Program

DPO Development Program

DPO Development Program

R vs. Oakes, S.C.R. 103, Supreme Court of Canada, 1986

DPO Development Program

DPO Development Program

DPO Development Program

Adequate Relevant Accurate

DPO Development Program

Section 11, par. c, Chapter III, Data Privacy Act of 2012

DPO Development Program

ISO/IEC 29100:2011 – Information Technology – Security Techniques – Privacy Framework

DPO Development Program

DPO Development Program

DPO Development Program

Preventing Harm Resilience

Confidentiality Integrity Availability

DPO Development Program

DPO Development Program

DPO Development Program

DPO Development Program

DPO Development Program

• If you process personal data for direct marketing

DPO Development Program

1. Personal data is needed pursuant to a subpoena;

DPO Development Program

• When does the right apply?

DPO Development Program