WHAT IS PRIVACY?

- The right of an individual to be let alone
- The state or condition of being free from being observed or disturbed by other people.

TWO MAIN FORMS OF PRIVACY

- PHYSICAL
- INFORMATIONAL

PHYSICAL PRIVACY

- Could be defined as preventing "intrusions into one's physical space or solitude (state of
being alone)"

INFORMATIONAL PRIVACY

- Is the right to have some control over how your personal information is collected and used

REPUBLIC ACT NO. 10173 (DATA PRIVACY ACT OF 2012)

- An Act Protecting Individual Personal Information in Information and Communications
Systems in the Government and the Private Sector.
- Is the first law in the Philippines which acknowledges the rights of individuals over their
personal data and enforces the responsibilities of entities who process them.
- (Signed August 15, 2012)

NATIONAL PRIVACY COMMISSION

- Is an independent body created under Republic Act No. 10173 or the Data Privacy Act of
2012, mandated to administer and implement the provisions of the Act, and to monitor and
ensure compliance of the country with international standards set for data protection. It is
attached to the Philippines' Department of Information and Communications Technology
(DICT) for purposes of policy coordination, but remains independent in the performance of
its functions. The Commission safeguards the fundamental human right of every individual
to privacy, particularly Information privacy while ensuring free flow of information for
innovation, growth, and national development.

(Formed March 7, 2016)

(IRR of DPA was signed on August 24, 2016. It took effect on September 9, 2016)

WHAT IS THE SCOPE OF THE LAW?

- Processing of all types of personal data
- Natural and juridical persons involved in the processing of personal information
- Privileged communication (interaction between two parties in which the law recognizes a
private, protected relationship. Whatever is communicated between these pairs of parties
shall remain confidential, and the law cannot force disclosure of these communications)

WHO IS REQUIRED

- Employs at least two hundred fifty (250) employees
- Processes sensitive personal information of at least one thousand (1,000) individuals
- The processing poses a risk to the rights and freedoms of data subjects
- The processing is not occasional

WHO ELSE ARE REQUIRED?

- Government branches, bodies or entities, including national government agencies, bureaus
or offices, constitutional commissions, local government units, and government-owned and
controlled corporations (GOCCs);
- Banks and non-bank financial institutions, including pawnshops, non-stock savings and loan
associations (NSSLAS);
- Telecommunications networks, internet service providers and other entities or organizations
providing similar services;
- Business process outsourcing companies;
- Universities, colleges and other institutions of higher learning, all other schools and training
institutions;
- Hospitals including primary care facilities, multi-specialty clinics, custodial care facilities,
diagnostic or therapeutic facilities, specialized out-patient facilities and other organizations
processing genetic data;
- Providers of insurance undertakings, including life and non-life companies, pre-need
companies and insurance brokers;
- Business involved mainly in direct marketing, networking, and companies providing reward
cards and loyalty programs;
- Pharmaceutical companies engaged in research; and
- Personal information processors (PIPs) processing personal data for a personal information
controller (PIC) included in the preceding items, and data processing systems involving
automated decision-making.

DATA PRIVACY VS. FREEDOM OF INFORMATION

FREEDOM OF INFORMATION

Requires all executive departments, agencies, bureaus, and offices to disclose public records,
contracts, transactions, and any information requested by a member of the public, except
for matters affecting national security and other information that falls under the inventory
of exceptions (issued by Executive Secretary Salvador Medialdea).

DOLE FOI MANUAL SECTION IV. While providing for access to information, the DOLE offices
shall afford full protection to a person’s right to privacy, as follows:

a. Ensure that personal information, particularly sensitive personal information, in
its custody or under its control is disclosed only as permitted by existing laws;
b. Protect personal information in its custody or under its control by establishing
reasonable document security protocols against unauthorized access, leaks or
premature disclosure;
c. The FOI Receiving Officer, FOI Decision Maker, or any employee or official of the
DOLE offices who has access, whether authorized or unauthorized, to personal
information shall not disclose that information except as authorized by existing
laws.

PERSONAL INFORMATION

- Refers to any information whether recorded in a material form or not, from which the
identity of an individual is apparent (obvious) or can be reasonably and directly ascertained
(made certain, sure) by the entity holding the information, or when put together with other
information would directly and certainly identify an individual.

ARE THESE PERSONAL INFORMATION?

A.
B. Philippine Hero Born on November 30, 1863
C. Andres De Castro Bonifacio
D. Man born on November 30, 1863

SENSITIVE PERSONAL INFORMATION

- Race, ethnic origin, marital status, age, color, and religious, philosophical or political
affiliations;
- Health, education, genetic or sexual life of a person, or any proceeding for any offense
committed or alleged to have been committed by such person, the disposal of such
proceedings, or the sentence of any court in such proceedings;
- Issued by government agencies peculiar to an individual;
- Specifically established by an executive order or an act of Congress to be kept classified.

PRIVILEGED INFORMATION

- Any and all forms of data which under the Rules of Court and other pertinent laws
constitute privileged communication. One such example would be any information given by
a client to his lawyer. Such information would fall under attorney-client privilege and would,
therefore, be considered privileged information.

PRIVACY NOTICE

A privacy policy is a statement or a legal document (in privacy law) that discloses some or all
of the ways a party gathers, uses, discloses, and manages a customer or client's data. It fulfills a legal
requirement to protect a customer or client's privacy.

EX:

YISRAEL SOLUTIONS AND CONSULTING INC.

PRIVACY NOTICE

YISRAEL SOLUTIONS AND CONSULTING INC. respects your right to privacy. We collect, acquire, or
generate your personal information, including but not limited to name, profession, employer or
organization you are representing, email address, mobile number, which you provide us upon
confirming to attend to this event through YISCON’s representatives.

We shall only use your personal information exclusively for this event: “DATA PRIVACY AWARENESS
AND COMPLIANCE WORKSHOP” which would include exchange of business cards and contact
information for legitimate business interests and accomplishment of feedback forms.

For inquiries, concerns and complaints, you may reach the YISCON Data Protection Officer at
ramil.madriaga@yisrael-dataprivacy.com

CRITERIA FOR LAWFUL PROCESSING

PERSONAL INFORMATION (permitted only if not otherwise prohibited by law)

- Consent
- Necessary and is related to the fulfillment of a contract
- For compliance with a legal obligation
- Processing is necessary to protect vitally important interests of the data subject,
including life and health
- National emergency, public order and safety and functions of public authority
- Legitimate interests

SENSITIVE PERSONAL INFORMATION (prohibited except)

- Consent
- Provided for by existing laws and regulations
- For compliance with legal obligation
- Necessary to protect the life and health of the data subject, and the data subject is not legally
or physically able to express his or her consent
- Necessary to achieve the lawful and noncommercial objectives
- Necessary for purposes of medical treatment, provided an adequate level of protection of
personal information is ensured
- For the protection of lawful rights and interests

CIVIL, ADMINISTRATIVE AND CRIMINAL LIABILITIES

PUNISHABLE ACTS

PREVENTING PERSONAL DATA BREACH

NPC Circular 16-03 – Personal Data Breach Management (RULE III).

Preventive or Minimization Measures. A security incident management policy shall include
measures intended to prevent or minimize the occurrence of a personal data breach. Such
safeguards may include:

a. Conduct of a privacy impact assessment to identify attendant risks in the processing of
personal data. It shall take into account the size and sensitivity of the personal data being
processed, and impact and likely harm of a personal data breach;
b. Data governance policy that ensures adherence to the principles of transparency, legitimate
purpose, and proportionality;
c. Implementation of appropriate security measures that protect the availability, integrity and
confidentiality of personal data being processed;
d. Regular monitoring for security breaches and vulnerability scanning of computer networks;
e. Capacity building of personnel to ensure knowledge of data breach management principles,
and internal procedures for responding to security incidents;
f. Procedure for the regular review of policies and procedures, including the testing,
assessment, and evaluation of the effectiveness of the security measures.

Availability, Integrity and Confidentiality of Personal Data. The implementation of security
measures shall be in accordance with the Act, its IRR, and other issuances of the Commission. The
security measures should be directed to ensuring the availability, integrity, and confidentiality of the
personal data being processed, and may include:

a. Implementation of back-up solutions;
b. Access control and secure log files;
c. Encryption;
d. Data disposal and return of assets policy.

GUIDELINES FOR INCIDENT RESPONSE POLICY AND PROCEDURE

NPC Circular 16-03 – Personal Data Breach Management (RULE IV).

Policies and Procedures. The personal information controller or personal information processor
shall implement policies and procedures for guidance of its data breach response team and other
personnel in the event of a security incident. These may include:

a. A procedure for the timely discovery of security incidents, including the identification of
person or persons responsible for regular monitoring and evaluation of security incidents;
b. Clear reporting lines in the event of a possible personal data breach, including the
identification of a person responsible for setting in motion the incident response procedure,
and who shall be immediately contacted in the event of a possible or confirmed personal
data breach;
c. Conduct of a preliminary assessment for the purpose of:
   1. Assessing, as far as practicable, the nature and scope of the personal data breach and the
   immediate damage;
   2. Determining the need for notification of law enforcement or external expertise; and
   3. Implementing immediate measures necessary to secure any evidence, contain the security
   incident and restore integrity to the information and communications system;
d. Evaluation of the security incident or personal data breach as to its nature, extent and cause,
the adequacy of safeguards in place, immediate and long-term damage, impact of the
breach, and its potential harm and negative consequences to affected data subjects;
e. Procedures for contacting law enforcement in case the security incident or personal data
breach involves possible commission of criminal acts;
f. Conduct of investigations that will evaluate fully the security incident or personal data
breach;
g. Procedures for notifying the Commission and data subjects when the breach is subject to
notification requirements, in the case of personal information controllers, and procedures
for notifying personal information controllers in accordance with a contract or agreement, in
the case of personal information processors; and
h. Policies and procedures for mitigating the possible harm and negative consequences to a
data subject in the event of a personal data breach. The personal information controller
must be ready to provide assistance to data subjects whose personal data may have been
compromised.

Documentation. All actions taken by a personal information controller or personal information
processor shall be properly documented. Reports should include:

a. Description of the personal data breach, its root cause and circumstances regarding its
discovery;
b. Actions and decisions of the incident response team;
c. Outcome of the breach management, and difficulties encountered; and
d. Compliance with notification requirements and assistance provided to affected data
subjects.

A procedure for post-breach review must be established for the purpose of improving the
personal data breach management policies and procedures of the personal information
controller or personal information processor.

Regular Review. The incident response policy and procedure shall be subject to regular revision and
review, at least annually, by the Data Protection Officer, or any other person designated by the Chief
Executive Officer or the Head of Agency, as the case may be. The date of the last review and the
schedule for the next succeeding review must always be indicated in the documentation of the
incident response policy and procedure.

BREACH NOTIFICATION

SIX (6) PILLARS OF COMPLIANCE

1. Appoint a Data Protection Officer (an individual designated by the head of agency or
organization to be accountable for its compliance)
2. Conduct a Privacy Impact Assessment (process undertaken to evaluate and manage the impact of a
program, process and/or measure on data privacy: Systems and Process Inventory, Threshold
Analysis, Risk Identification, Risk Management, PIA Report)
3. Create the Privacy Management Program and Privacy Manual
4. Implement Privacy and Protection Measures
5. Regularly Exercise Breach Reporting Procedures
6. Registration

DOLE-NCR COMPLIANCE

Data Protection Officer – May 24, 2018 (Online), July 6, 2018 (Hardcopy to NPC)

Compliance Officers for Privacy – May 25, 2018

Inventory of Systems, Processes – May 25, 2018

Data Privacy Impact Assessment – July 4, 2018

Data Privacy Technical Committee – August 30, 2018
