I. Legal Overview
a. How to Comply?
b. Conducting the Privacy Impact Assessment
c. Parameters and Requirements for Security Measures
a. Organizational
b. Physical
c. Technical
Authors:
Atty. Rose Marie M. King-Dominguez (Partner – SyCipLaw)
Celerina DelaCruz
Kar Wai Wong
Matthew Edmunds
The Data Privacy Act of 2012,
How does it affect my business?
You should by now be aware that the Data Privacy Act (DPA) of 2012 has finally been implemented under the auspices of the newly formed ‘Data Privacy Commission’ headed by commissioner Raymund Enriquez Liboro together with deputy commissioners Ivy Patdu.
The main thrust of the legislation is to provide “…a 21st century law to address
21st century crimes and concerns”.
(3) ensures that the Philippines complies with international standards set
for data protection through National Privacy Commission (NPC).
The implementing rules and regulations (IRR) were published on August 25, 2016 and took effect on September 9, 2016, detailing the specifics of the implementation of the legislation.
This White Paper aims to provide a primer to assist organizations to better understand the impact of this new legislation on their businesses and to provide, in a nutshell, guidance on the key elements of the law to assist in assessing the risks and costs associated with becoming compliant.

This document is not intended to be a legal opinion and should not be considered as such, but rather a starting point to help companies to get onto the right path towards compliance.

The National Privacy Commission is the country’s privacy watchdog; an independent body mandated to administer and implement the Data Privacy Act of 2012, and to monitor and ensure compliance of the country with international standards set for data protection.
I. Legal Overview
a. What is the DPA all about?
The Philippine Data Privacy Act of 2012 (DPA) and its related issuances set down rules for the protection and privacy of personal data, that is, personal information and sensitive personal information. The DPA and its implementing rules and regulations (IRR) regulate the collection and processing of that data. The regime applies to both the private and public sector.
Personal Information
Personal information is data about individuals or natural persons (the law refers
to them as “data subjects”). It does not cover or protect any other type of data.
Those who collect and process data may be considered as personal information
controllers (PICs) or personal information processors (PIPs).
PICs are persons or entities that control the collection and processing of personal data. PIPs are persons or entities to whom a PIC may outsource the processing of personal data. An example of a PIP would be a business process outsourcing company that processes personal data under the instructions of its client; the PIC would be the PIP’s client. PIPs can be PICs as well, as they would be in respect of the data of their own employees.
PICs continue to be directly responsible for personal data the processing of which
has been outsourced to a PIP.
These measures must include those for the monitoring of and responding to data
security breaches. Regulations require that the National Privacy Commission and
the affected data subjects be notified of a data security breach under certain
circumstances.
The NPC requires certain PICs and PIPs to register their respective data processing systems with the NPC. The following PICs and PIPs need to comply with this registration requirement:
(i) Those PICs and PIPs that employ more than two hundred and fifty (250) employees;
(ii) Those PICs and PIPs, with less than 250 employees, where:
(a) the processing carried out is likely to pose a risk to the rights and freedoms of data subjects;
(b) the processing is not occasional; or
(c) the processing includes sensitive personal information of at least 1,000 individuals.

1. Processing Systems -- refers to the structure and procedure by which personal data is collected and further or relevant filing system, including the purpose and intended output of the processing;

2. Criteria for lawful processing of personal information -- Processing of personal information is allowed, unless prohibited by law. For processing to be lawful, any of the following conditions must be complied with:
a. The data subject must have given his or her consent prior to the collection, or as soon as practicable and reasonable;
b. The processing involves the personal information of a data subject who is a party to a contractual agreement, in order to fulfil obligations under the contract or to take steps at the request of the data subject prior to entering the said agreement;
c. The processing is necessary for compliance with a legal obligation to which the personal information controller is subject;
d. The processing is necessary to protect vitally important interests of the data subject, including his or her life and health;

“We have never given our personal information as easily as we do today. Technology, and the convenience it offers, has seduced us into handing over our names, addresses, and phone numbers so willingly. Personal data is exchanged for free online and offline services, loyalty card discounts, and personalized brand experiences, among others”.

“But giving out personal data comes at a potential cost. Security breaches happen where personal information gets destroyed, lost, altered or disclosed, accessed, and processed without consent. Many times, these instances lead to identity theft, fraud, duplication of credit cards, blackmail and damaged reputation — both among individuals and organizations. These breaches are on the rise as organizations increasingly rely on digital data, making data protection more important than ever. This is where we, the National Privacy Commission or NPC, come in”.
3. The data subject shall be provided with the following information prior
to collection or before data is shared:
We have provided a simple worksheet to start the process of asking the important questions that need to be answered to understand your exposure. You may download this worksheet at this link:
http://data1asia.com/d1_website2012/wp-content/uploads/2017/11/0171110-dpo-assessment-workbook.xlsx

b. Parameters and Requirements for Security Measures

What the law requires -- The DPA requires:
1. Three types of security measures be put into place --
Organizational
Physical
Technical.
2. The measures must be adequate, that is:
- they should be “reasonable and appropriate”
- In determining what is “appropriate”, the NPC will take into account:

The right to be informed
Under R.A. 10173, your personal data is treated almost literally in the same way as your own personal property. Thus, it should never be collected, processed and stored by any organization without your explicit consent, unless otherwise provided by law. Information controllers usually solicit your consent through a privacy notice. Aside from protecting you against unfair means of personal data collection, this right also requires personal information controllers (PICs) to notify you if your data have been compromised, in a timely manner.
4. For physical measures, the rules look for policies and procedures for
monitoring and limiting access; policies and procedures that prevent
destruction and protection against natural disasters, power disturbances,
external access and similar threats; and an appropriate design of office
space and work stations to provide privacy for persons processing data.
Gender
Religion
Social Security or Similar government issued Identifiers
Bank or financial account numbers or Credit Card numbers
Health / Medical Information
Etc.
Once you have a clearer picture of the types and categories of data you have, then it is also a good idea to categorise the types of persons who should have access to this data and what depth of access.

For instance, can your employees potentially download copies of this data and take it off premise? Studies clearly show that as much as 80% of cyber theft is internal. Ensuring that proper internal controls are in place is key to securing the data that you are managing.

Typical control mechanisms, whether physical or technological, consist of defining who can:
Collect Data
View
Edit / update
Download
Delete

The simplest way to manage this is to create ‘user groups’. Assign one or several of the above actions to the group and then assign users to the various groups. Ensure that all users who have access to the data have been appropriately trained on the importance of Privacy and Security of the data and that they also understand the potential risks and attendant penalties for breach of protocol.

What should I look for in a DPO?
Your DPO should have expertise in relevant privacy or data protection policies and practices. He or she should have sufficient understanding of the processing operations being carried out by the PIC or PIP, including the latter’s information systems, data security and/or data protection needs. Knowledge by the DPO of the sector or field of the PIC or PIP, and the latter’s internal structure, policies, and processes is also useful.
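The user-group model described above, worked through as an added example (not code from the white paper or from DataOne Asia): a small Go program maps groups to the five actions, assigns users to groups, answers "may this user perform this action?" and records every decision so the DPO can review denied attempts. The group names, user names and the split of actions between groups are this example's own assumptions.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Action is one of the data-handling operations the white paper lists.
type Action string

const (
	Collect  Action = "collect"
	View     Action = "view"
	Edit     Action = "edit"
	Download Action = "download"
	Delete   Action = "delete"
)

// AccessPolicy maps user groups to the actions they may perform and users to
// the groups they belong to. Group and user names here are hypothetical.
type AccessPolicy struct {
	groupActions map[string]map[Action]bool
	userGroups   map[string][]string
	audit        []string // one line per access decision, for DPO review
}

func NewAccessPolicy() *AccessPolicy {
	return &AccessPolicy{
		groupActions: map[string]map[Action]bool{},
		userGroups:   map[string][]string{},
	}
}

// Grant assigns one or more actions to a group.
func (p *AccessPolicy) Grant(group string, actions ...Action) {
	if p.groupActions[group] == nil {
		p.groupActions[group] = map[Action]bool{}
	}
	for _, a := range actions {
		p.groupActions[group][a] = true
	}
}

// Assign puts a user into a group; a user may belong to several groups.
func (p *AccessPolicy) Assign(user, group string) {
	p.userGroups[user] = append(p.userGroups[user], group)
}

// Allowed reports whether any of the user's groups permits the action and
// records the decision. Users in no group are denied everything.
func (p *AccessPolicy) Allowed(user string, action Action) bool {
	allowed := false
	for _, g := range p.userGroups[user] {
		if p.groupActions[g][action] {
			allowed = true
			break
		}
	}
	verdict := "DENY"
	if allowed {
		verdict = "ALLOW"
	}
	p.audit = append(p.audit, fmt.Sprintf("%s user=%s action=%s", verdict, user, action))
	return allowed
}

// Actions lists every action a user may perform, sorted for stable output.
func (p *AccessPolicy) Actions(user string) []string {
	seen := map[string]bool{}
	for _, g := range p.userGroups[user] {
		for a := range p.groupActions[g] {
			seen[string(a)] = true
		}
	}
	out := make([]string, 0, len(seen))
	for a := range seen {
		out = append(out, a)
	}
	sort.Strings(out)
	return out
}

// Audit returns the recorded decisions in order.
func (p *AccessPolicy) Audit() []string { return p.audit }

// ExamplePolicy builds a constructed policy: front-desk staff collect and view,
// records clerks view and edit, and only the DPO group may download or delete.
func ExamplePolicy() *AccessPolicy {
	p := NewAccessPolicy()
	p.Grant("front-desk", Collect, View)
	p.Grant("records", View, Edit)
	p.Grant("dpo", View, Download, Delete)
	p.Assign("alice", "front-desk")
	p.Assign("bob", "records")
	p.Assign("bob", "front-desk")
	p.Assign("dana", "dpo")
	return p
}

func main() {
	p := ExamplePolicy()
	for _, u := range []string{"alice", "bob", "dana"} {
		fmt.Printf("%s may: %s\n", u, strings.Join(p.Actions(u), ", "))
	}
	p.Allowed("alice", Download) // a front-desk user trying to take a copy off premise
	fmt.Println(strings.Join(p.Audit(), "\n"))
}
```

The point of the audit slice is that a denied download attempt by a front-desk user is not silently dropped: it is the kind of event the internal-controls paragraph above is about, and it should reach whoever reviews access.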
If you have not yet appointed and registered your DPO, this should be done immediately. The deadline for registration was September 11th, 2017, but the Commission will still accept “late registrations”.
a. Organizational
What are the standards for protecting personal information?
Every person that owns or licenses personal information shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains organizational, technical, and physical security protocols that are appropriate to:
1. the size, scope and type of operations of the agency obligated to secure the personal data under such comprehensive information of the DPA;
2. the amount of resources available to such person;
3. the amount of stored data; and
4. the need for security and confidentiality of both client and employee information.

Without limiting the generality of the foregoing, every comprehensive information security program shall include, but shall not be limited to:
1. Designating a DPO to maintain the comprehensive information security program;
2. Identifying and assessing reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing personal information, and evaluating and improving, where necessary, the effectiveness of the current security for limiting such risks, including but not limited to:

Creating a Privacy Manual
The Manual serves as a guide or handbook for ensuring the compliance of an organization or entity with the DPA, its Implementing Rules and Regulations (IRR), and other relevant issuances of the National Privacy Commission (NPC). It also encapsulates the privacy and data protection protocols that need to be observed and carried out within the organization for specific circumstances (e.g., from collection to destruction), directed toward the fulfillment and realization of the rights of data subjects.
Larger organizations may already have a data room in which their IT equipment
is housed; others may have a full data center or be outsourcing the hosting of
their IT equipment to a professionally managed data center facility provider.
What is a Data Center?
A facility housing electronic equipment used for data processing, data storage,
and communications networking. It is a centralized repository, which may be
physical or virtual, used for the storage, management, and dissemination of data
including personal data. It is where organizations house their critical processing
systems and it is vital to the continuity of daily operations.
What are the recommended best practices for data center security?
1. Security controls should be developed for each data center component
– facilities, network, servers, storage and most importantly data.
2. Develop, apply and enforce policies across physical, virtual and cloud
environments
3. Monitor at the network level for visibility and transparency into all assets (physical and virtual) that reside on the LAN, and even those that are offline, and all the interconnections between them. Monitoring should be done 24 x 7.
4. Maintain the DC equipment, UPS, generator sets, batteries, precision

There are many advantages to outsourcing to a data center provider; here are just a few items to consider.
1. Facilities Management -- You may not have sufficient budgets to retain a full time facilities management team. A data center has numerous complex systems that require certified engineers to manage, including electrical power monitoring, filtering, and management to ensure cost efficient consumption of power. In addition, sufficient, redundant generator power must be available on demand, and gen sets must be regularly serviced and tested to ensure they will function on demand.

A good data center provider also provides a strong, actionable SLA that allows for rebates in a case where the SLA is breached during a specified period of time. This is far more attractive than simply reprimanding your in-house IT manager.

What are my responsibilities when retaining personal data?
As an organization that retains personal data, your responsibilities include:
To give access and inform the data subjects about their data being retained;
Control of data security passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the data they protect;
Equally however, it opens up huge possibilities for the criminal misuse of this
information.
Technology has a pivotal role to play in managing the entire lifecycle of the data that we
collect, process, and store.
On the one hand we want to make it as simple and efficient as possible to capture and
analyse data.
On the other hand, we have a duty of care to ensure that the privacy of the individuals
identified by the data is adequately protected.
When designing and managing the technical systems that we deploy to process and manage information, it is important to consider the table provided below and to evaluate at each step how technology will interplay with the data flow.

What does the Data Privacy Act say about retention of personal data?
Collect:
Who is the data collected by? A qualified doctor or just a temporary agency
employee engaged to welcome customers at the front desk? Has the person
collecting data been properly briefed on privacy?
From, How, When, Where; from what type of customer should data be
collected? One who is there to have a procedure or perhaps one who is just
inquiring about rates for services? It is important to consider various possible
scenarios and what data is appropriate to collect.
Is the customer (Data Subject) filling paper or digital forms themselves? Or
simply relating data to a person who is taking down the information? Best
practice is to provide access to a screen or app wherein the customer can input
the data for themselves to ensure correctness and to ensure that it remains
private.
Why, Authority; Has the customer been advised of why the data is being collected? Is the type and amount of data collected proportional to the need for the specific purpose? Has the customer been advised of how long the data will be retained and of their rights with respect to correction and deletion? Has the customer specifically affirmed that they are giving ‘permission’ for the collection and processing of the data? This should not be assumed simply because the customer is filling the form. There must be a check box and a link to the privacy policy in the form for the customer to select prior to signing.

A similar process of questioning should be undertaken for each step of the data lifecycle: USE, RETAIN, DISCLOSE, DISPOSE.

The right to rectify
You have the right to dispute and have corrected any inaccuracy or error in the data a personal information controller (PIC) holds about you. The PIC should act on it immediately and accordingly, unless the request is vexatious or unreasonable.
Another important factor to implement is to ensure that during data collection, the company’s ‘Privacy Policy’ is clearly made available to the user. In addition, there must be a mechanism within the form that allows the user to explicitly provide ‘permission’ (often known as ‘Opt In’). If you are collecting this permission electronically, then it is best practice to log not only the permission but the date and time that it was given and, if possible, the location and IP address from which it was given.

Conversely, your systems must be enabled in such a manner that allows the data subject to withdraw that permission at any time. Once permission is withdrawn, then data related to that subject must be anonymized or obfuscated to the extent that it is no longer possible to identify that specific individual.
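The opt-in logging and withdrawal handling just described, as an added Go example (not the white paper's own code): each consent record carries the purpose, the retention period the subject was told, the date and time, the source IP and an optional location; a record without an explicit opt-in is refused, processing is permitted only while consent stands and retention has not run out, and a withdrawal blanks the identifying fields while keeping the fact and time of withdrawal. Field names, the subject identifier, the sample addresses and the 90-day retention period are assumptions of this example.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// ConsentRecord is one explicit opt-in captured from a collection form.
// The field names are this example's own, not from any NPC issuance.
type ConsentRecord struct {
	SubjectID   string        // internal identifier for the data subject
	Name        string
	Email       string
	Purpose     string        // what the subject agreed to, e.g. "promo-2017"
	OptIn       bool          // the opt-in box was actually ticked
	GivenAt     time.Time     // date and time the permission was given
	IP          string        // address the form was submitted from
	Location    string        // optional, e.g. city known at submission time
	Retention   time.Duration // period the subject was told the data is kept
	Withdrawn   bool
	WithdrawnAt time.Time
}

// ConsentLog keeps one current record per subject.
type ConsentLog struct{ records map[string]*ConsentRecord }

func NewConsentLog() *ConsentLog {
	return &ConsentLog{records: map[string]*ConsentRecord{}}
}

// Record stores an opt-in. Consent is never assumed from a filled form: the
// box must be ticked, and purpose, retention, time and source address must
// all be present so the permission can later be demonstrated.
func (l *ConsentLog) Record(r ConsentRecord) error {
	if !r.OptIn {
		return errors.New("consent not explicitly given: opt-in box not ticked")
	}
	if r.Purpose == "" || r.Retention <= 0 {
		return errors.New("purpose and retention period must be stated at collection")
	}
	if r.GivenAt.IsZero() || r.IP == "" {
		return errors.New("date/time and source IP of the opt-in must be logged")
	}
	rec := r
	l.records[r.SubjectID] = &rec
	return nil
}

// Withdraw honours a withdrawal: identifying fields are blanked so the record
// can no longer be tied to a person, while the fact and time of withdrawal are
// kept. If SubjectID links to other systems, those copies need the same
// treatment; this log only covers its own.
func (l *ConsentLog) Withdraw(subjectID string, at time.Time) error {
	rec, ok := l.records[subjectID]
	if !ok {
		return fmt.Errorf("no consent record for %q", subjectID)
	}
	rec.Name, rec.Email, rec.IP, rec.Location = "", "", "", ""
	rec.Withdrawn, rec.WithdrawnAt = true, at
	return nil
}

// MayProcess reports whether the subject's data may still be processed for a
// purpose: consent exists for that purpose, was not withdrawn, and the stated
// retention period has not run out.
func (l *ConsentLog) MayProcess(subjectID, purpose string, now time.Time) bool {
	rec, ok := l.records[subjectID]
	if !ok || rec.Withdrawn || rec.Purpose != purpose {
		return false
	}
	return now.Before(rec.GivenAt.Add(rec.Retention))
}

// Get returns a copy of the stored record.
func (l *ConsentLog) Get(subjectID string) (ConsentRecord, bool) {
	rec, ok := l.records[subjectID]
	if !ok {
		return ConsentRecord{}, false
	}
	return *rec, true
}

func main() {
	// Constructed sample: a promotion opt-in the subject was told is kept 90 days.
	cl := NewConsentLog()
	given := time.Date(2017, 11, 10, 9, 30, 0, 0, time.UTC)
	err := cl.Record(ConsentRecord{
		SubjectID: "subj-0001", Name: "J. dela Cruz", Email: "jdc@example.invalid",
		Purpose: "promo-2017", OptIn: true, GivenAt: given, IP: "203.0.113.7",
		Location: "Quezon City", Retention: 90 * 24 * time.Hour,
	})
	fmt.Println("recorded:", err == nil)
	fmt.Println("may process next day:", cl.MayProcess("subj-0001", "promo-2017", given.Add(24*time.Hour)))
	cl.Withdraw("subj-0001", given.Add(48*time.Hour))
	rec, _ := cl.Get("subj-0001")
	fmt.Printf("after withdrawal: name=%q ip=%q withdrawn=%v\n", rec.Name, rec.IP, rec.Withdrawn)
	fmt.Println("may process after withdrawal:", cl.MayProcess("subj-0001", "promo-2017", given.Add(72*time.Hour)))
}
```

Two design choices worth noting: the retention check is enforced at the same place as the consent check, so an expired promotion list cannot be reused by accident, and the withdrawal keeps a non-identifying stub so the organisation can still show that a withdrawal was received and when.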
It is also now mandated that during collection of the data, the subject is informed of how long you will keep the personally identifiable data. This may be only a few months in the case of a promotion or several years if there is a legitimate reason to keep the data. Either way, the ‘time frame’ must be clearly indicated to the user at the time of collection.

These are just a few examples of the rules that may well impact the way your current technology is configured. Reconfiguration or customization of your systems may entail considerable cost to become compliant, so it is important to evaluate now what might be entailed.

Data at rest, Data in Transit -- it is also now mandated that data being stored and shared must be encrypted to ensure that even if your systems are breached, it would be almost impossible for the entity committing the breach to make any sense of the information.

What is encryption?

Data encryption translates data into another form, or code, so that only people with access to a secret key (called a decryption key) can read it. Encrypted data is commonly referred to as ciphertext, while unencrypted data is called plaintext.

Encryption is the process of using an algorithm to transform information to make it unreadable for unauthorized users. This cryptographic method protects sensitive data such as credit card numbers by encoding and transforming information into unreadable cipher text. This encoded data may only be decrypted or made readable with a key.

Encryption is essential for ensured and trusted delivery of sensitive information. The earlier Data Encryption Standard (DES) encryption algorithm, which uses a 56-bit key, is no longer considered attack-proof. The Advanced Encryption Standard (AES) is considered more reliable and secure because it uses a 128-bit, 192-bit or 256-bit key.

The right to data portability
This right assures that YOU remain in full control of YOUR data. Data portability allows you to obtain and electronically move, copy or transfer your data in a secure manner, for further use. It enables the free flow of your personal information across the internet and organizations, according to your preference. This is important especially now that several organizations and services can reuse the same data. Data portability allows you to manage your personal data in your private device, and to transmit your data from one personal information controller to another. As such, it promotes competition that fosters better services for the public.
What does the commission state about encryption?
“Any technology used to store, transport, or access sensitive personal information for
purposes of off-site access approved shall be secured by the use of the most secure
encryption standard recognized by the Commission.”
Data at rest, in transit, and in use should all be treated equally in terms of preserving its
privacy and managing its security.
What does the commission recommend with regards to encryption?

“Organizational, physical, and technical security measures for personal data protection, encryption, and access to sensitive personal information maintained by government agencies, considering the most appropriate standard recognized by the information and communications technology industry.”

“Advanced Encryption Standard with a key size of 256 bits (AES-256) as the most appropriate encryption standard. Passwords or passphrases used to access personal data should be of sufficient strength to deter password attacks. A password policy should be issued and enforced through a system management tool.”

What are some of the best practices for data center security recommended by the Commission?

“Develop and enforce policies that are context, identity, and application-aware for least complexity and the most flexibility and scalability. Ensure that they can be applied consistently across physical, virtual, and cloud environments. This, along with replacing physical network with logically defined secure trust zones, will provide seamless and secure user access to applications at all times, regardless of the device used to connect to resources in the data center.”

“Choose security technologies that are virtualization-aware or enabled, with security working at the network level rather than the server. Network security should be integrated at the hypervisor level to discover existing and new virtual machines and to follow those devices as they are moved or scaled up so that policy can be dynamically applied and enforced.”

Personal information controllers and processors are required to submit their Annual Report, where all security incidents and personal data breaches must be documented through written reports, including those not covered by the notification requirements.
In the event of a personal data breach, a report shall include:
(a) the facts surrounding the incident;
(b) the effects of such incident; and
(c) the remedial action taken by the personal information controller.
For other security incidents not involving personal data, a report containing aggregated data shall constitute sufficient documentation.
Organizations need to look closely at how they securely store, manage, exchange data in
the face of an evolving threat landscape. Network virtualization technologies such as
VMware NSX would be a major boost in compliance by providing fully isolated virtual
networks and granular security control.
NSX Security Groups and Security Tags allow granular and dynamic network security control. NSX Security Groups enable application and context aware security policies where VMs inherit firewall rules once they are provisioned. Security groups may be defined by application tier, regulatory requirements, operating system, geo-location, security posture, etc.

NSX Security Tags, on the other hand, allow complex security policies to be defined in a concise form while allowing changes to be dynamically applied as application or security posture changes. Third-party anti-virus & anti-malware solutions such as Trend Micro Deep Security integrate with NSX through the Security Tags to protect and quarantine compromised VMs in real-time by allowing for automatic reconfiguration of the virtual network infrastructure in response to security incidents.

What happens if there is a Breach!

As much as we may try to protect our data, the truth is that breaches still do occur, whether through malicious intent or simple carelessness.

There have recently been a number of high profile cases of serious breach involving major multinational brands and costing millions of dollars in real revenues.

But for each of these high profile cases that are broadly reported in the press, there are potentially thousands of cases that go unreported.

In some cases companies feel that the breach is too small to worry about or are afraid of the reputational impact on their business if their customers learn of the incident.

The privacy commission deals with breach, and breach reporting, in a very carefully considered and specific manner, with the main focus being placed on ‘Transparency’.

Not all data breaches have to be reported to the NPC. Only when all of the following are present must the personal information controller (or processor, as the case may be) report:
There is a breach of sensitive personal information or other information that may, under the circumstances, be used to enable identity fraud;
The data is reasonably believed to have been acquired by an unauthorized person; and
Either the personal information controller or the NPC believes that the data breach is likely to give rise to a real risk of serious harm to the affected data subject.
Exercising Breach Reporting Procedures
Each PIC must prepare as part of its Privacy Manual, Breach Reporting Procedures.
• Assessment
• The Security Incident Management Policy
• The Security Incident Response Team
• Annual Reports
• Mandatory Notification
• The Subsequent Investigation
If a breach is detected then an initial assessment must be carried out to understand the nature of the breach and the possible impact on privacy.

Breaches are categorized in three types:
- Availability breach -- from the loss, accidental or unlawful destruction of personal data;
- Integrity breach -- from the unauthorized alteration of personal data; and
- Confidentiality breach -- from the unauthorized disclosure of or access to personal data.

There should be in place an incident management policy and an incident management response team. Ideally, a ‘play book’ should be developed in advance to ensure that in a case of breach, the teams know exactly what to do and how to do it.

Mandatory Notification

In line with the mandate for transparency, if there is a breach that meets certain criteria then the PIC must notify both the data subjects affected and the Data Privacy Commission of the incident.

The DPA has outlined detailed reporting procedures; the most important of which to observe is that notification must be made within 72 hours of the incident.

The Security Incident Response Team is responsible for:
Implementing security incident management policy of the personal information controller or personal information processor;
Managing security incidents and personal data breaches; and
Compliance by the personal information controller or personal information processor with the relevant provisions of the Act, its IRR, and all related issuances by the Commission on personal data breach management.
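The assessment, classification and notification steps above, as an added Go example (not the white paper's procedure or code): an incident is classified into the three breach types, the three conditions the NPC sets for mandatory notification are checked together, the 72-hour deadline is computed from the time the breach was detected (this example's reading of "72 hours of the incident"), and a report skeleton is checked for the facts, effects and remedial action that the Annual Report requires. Field and type names, the incident identifier and the timestamps are this example's assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// BreachType follows the three categories in the white paper.
type BreachType string

const (
	Availability    BreachType = "availability"    // loss or destruction of personal data
	Integrity       BreachType = "integrity"       // unauthorized alteration
	Confidentiality BreachType = "confidentiality" // unauthorized disclosure or access
)

// NotificationWindow is the 72-hour period cited for notifying the NPC and
// the affected data subjects.
const NotificationWindow = 72 * time.Hour

// Incident is the initial assessment record. Field names are this example's own.
type Incident struct {
	ID                 string
	DetectedAt         time.Time
	Types              []BreachType
	SensitiveData      bool // sensitive personal information, or data usable for identity fraud
	AcquiredByOutsider bool // reasonably believed acquired by an unauthorized person
	SeriousHarmLikely  bool // PIC or NPC believes a real risk of serious harm exists
}

// Classify maps what happened onto the three breach types; an incident can be
// more than one (a stolen laptop is both an availability and a confidentiality breach).
func Classify(lost, altered, disclosed bool) []BreachType {
	var types []BreachType
	if lost {
		types = append(types, Availability)
	}
	if altered {
		types = append(types, Integrity)
	}
	if disclosed {
		types = append(types, Confidentiality)
	}
	return types
}

// NotificationRequired applies the NPC's three conditions; all must hold.
func NotificationRequired(inc Incident) bool {
	return inc.SensitiveData && inc.AcquiredByOutsider && inc.SeriousHarmLikely
}

// NotificationDeadline is 72 hours from detection.
func NotificationDeadline(inc Incident) time.Time {
	return inc.DetectedAt.Add(NotificationWindow)
}

// Remaining is the time left before the deadline; negative means overdue.
func Remaining(inc Incident, now time.Time) time.Duration {
	return NotificationDeadline(inc).Sub(now)
}

// Report carries the three elements a breach report must document.
type Report struct {
	IncidentID string
	Facts      string // (a) the facts surrounding the incident
	Effects    string // (b) the effects of such incident
	Remedy     string // (c) the remedial action taken
}

// Validate refuses a report that leaves any of the three elements empty.
func (r Report) Validate() error {
	if r.Facts == "" || r.Effects == "" || r.Remedy == "" {
		return errors.New("report must state the facts, the effects and the remedial action taken")
	}
	return nil
}

func main() {
	// Constructed incident: an unencrypted laptop with patient records is stolen.
	inc := Incident{
		ID:         "INC-EXAMPLE-0001",
		DetectedAt: time.Date(2017, 11, 10, 14, 0, 0, 0, time.UTC),
		Types:      Classify(true, false, true),
		SensitiveData: true, AcquiredByOutsider: true, SeriousHarmLikely: true,
	}
	fmt.Println("types:", inc.Types)
	fmt.Println("notification required:", NotificationRequired(inc))
	fmt.Println("notify by:", NotificationDeadline(inc).Format(time.RFC3339))
	now := inc.DetectedAt.Add(70 * time.Hour)
	fmt.Println("time remaining:", Remaining(inc, now))
	r := Report{IncidentID: inc.ID, Facts: "laptop stolen from vehicle", Effects: "records of ~40 patients exposed"}
	fmt.Println("report complete:", r.Validate() == nil) // false: remedial action missing
}
```

The three-condition test is deliberately a conjunction: an integrity-only incident with no outsider acquisition does not trigger mandatory notification, but it still goes into the Annual Report, which is why the report type is separate from the notification decision.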
The resources already provided by the Privacy Commission are quite extensive and we highly recommend that you study them in detail.
If you have already identified and appointed your DPO, it is recommended that the DPO
read and understand the act itself and the accompanying IRR and Circulars to stay up to
date.
Whilst the privacy commission has been established to specifically address the privacy issue, many of the practices and suggested technologies herein discussed are highly appropriate to all kinds of data security.

It is highly recommended that you seek your own legal counsel for interpretation of the law and technical counsel for assistance with the complexities of securing your networks and data.

For further information on this White Paper or general data security questions, please contact the authors of this paper at:
DataOne Asia (Philippines), Inc.
www.data1asia.com
6th Floor, IBM Plaza, Eastwood City Cyberpark
E. Rodriguez Jr. Avenue,
Quezon City,
1110 Philippines
TEL: + 63 (2) 995 8256

The NPC will consider these factors in its investigation following the occurrence of a data breach:
Security measures that have been implemented and applied to the personal data at the time the personal data breach was reasonably believed to have occurred, including measures that would prevent use of the personal data by any person not authorized to access it;
Subsequent measures that have been taken by the personal information controller or personal information processor to ensure that the risk of harm or negative consequence to the data subjects will not materialize;