
UNDERSTANDING AND IMPLEMENTING

THE DATA PRIVACY ACT OF 2012

“How Cloud Technologies can help companies implement security
and processes to comply with The Data Privacy Act of 2012”

A White Paper Prepared by:


DataOne Asia (Philippines), Inc.
in association with:
Sycip, Salazar, Hernandez & Gatmaitan (SyCipLaw)

©2017 – DataOne Asia (Philippines), Inc. All rights reserved.


Table of Contents

The Data Privacy Act of 2012
I. Legal Overview
  a. What is the DPA all about?
  b. Additional Terms and Concepts
II. Practical Outlook
  a. How to Comply?
  b. Conducting the Privacy Impact Assessment
  c. Parameters and Requirements for Security Measures
III. Practical Steps to ensure compliance
  a. Organizational
  b. Physical
  c. Technical
What happens if there is a Breach?
Summary and Resources

Authors:
Atty. Rose Marie M. King-Dominguez (Partner – SyCipLaw)
Celerina DelaCruz
Kar Wai Wong
Matthew Edmunds

The Data Privacy Act of 2012: How does it affect my business?

You should by now be aware that the Data Privacy Act (DPA) of 2012 has finally
been implemented under the auspices of the newly formed ‘Data Privacy
Commission’ headed by commissioner Raymund Enriquez Liboro together with
deputy commissioners Ivy Patdu.

The main thrust of the legislation is to provide “…a 21st century law to address
21st century crimes and concerns”. The law:

(1) protects the privacy of individuals while ensuring free flow of
information to promote innovation and growth;

(2) regulates the collection, recording, organization, storage, updating or
modification, retrieval, consultation, use, consolidation, blocking, erasure
or destruction of personal data; and

(3) ensures that the Philippines complies with international standards set
for data protection through the National Privacy Commission (NPC).

The implementing rules and regulations (IRR) were published on August 25, 2016
and took effect on September 9, 2016, detailing the specifics of the
implementation of the legislation.

This White Paper aims to provide a primer to assist organizations to better
understand the impact of this new legislation on their businesses and to provide,
in a nutshell, guidance on the key elements of the law to assist in assessing the
risks and costs associated with becoming compliant.

This document is not intended to be a legal opinion and should not be
considered as such, but rather a starting point to help companies to get onto
the right path towards compliance.

Sidebar: The National Privacy Commission is the country’s privacy watchdog; an
independent body mandated to administer and implement the Data Privacy Act of
2012, and to monitor and ensure compliance of the country with international
standards set for data protection.

I. Legal Overview
a. What is the DPA all about?
The Philippine Data Privacy Act of 2012 (DPA) and its related issuances set down
rules for the protection and privacy of personal data, that is, personal
information and sensitive personal information. The DPA and its implementing
rules and regulations (IRR) regulate the collection and processing of that data.
The regime applies to both the private and public sector.

Personal Information

Personal information is data about individuals or natural persons (the law refers
to them as “data subjects”). It does not cover or protect any other type of data.

Personal information is defined as “any information whether recorded in a
material form or not, from which the identity of the individual is apparent or can
be reasonably and directly ascertained by the entity holding the information, or
when put together with other information would directly and certainly identify
an individual.” In other words, if the entity holding the information cannot tell
whose information that is, the activities of that entity in respect of that
information would not be subject to the DPA.

Personal data can be “personal information” (PI) or “sensitive personal
information” (SPI). The DPA lists what are SPI.[i] While PI would include the name
and address of an individual, SPI would include marital status, age, color, religion,
health records, and government issued information such as social security
numbers. Requirements for the collection and processing of SPI are more
restrictive.

Sidebar: Under RA 10173, people whose personal information is collected, stored,
and processed are called data subjects. Organizations who deal with your personal
details, whereabouts, and preferences are duty-bound to observe and respect your
data privacy rights.
How DPA Regulates; PICs vs. PIPs

The DPA regulates the collection and processing of personal data by:

 recognizing rights of data subjects, and
 imposing obligations on those who collect and process that data.

Sidebar: “If you feel that your personal data has been misused, maliciously
disclosed, or improperly disposed, or if any of the rights discussed here have
been violated, the data subject has a right to file a complaint with us.”
(Privacy Commission)

Those who collect and process data may be considered as personal information
controllers (PICs) or personal information processors (PIPs).

PICs are persons or entities that control the collection and processing of personal
data. PIPs are persons or entities to whom a PIC may outsource the processing of
personal data. An example of a PIP would be a business process outsourcing
company that processes personal data under the instructions
of its client; the PIC would be the PIP’s client. PIPs can be PICs as well, as they
would be in respect of the data of their own employees.

PICs continue to be directly responsible for personal data the processing of which
has been outsourced to a PIP.

Rights of Data Subjects

The Philippine Constitution recognizes an individual’s right to privacy. The right
springs from the right to be safe from intrusion into one’s home, papers, effects
and person.

The DPA recognizes these specific rights of a data subject:

 The right to be informed
 The right to access
 The right to object
 The right to erasure or blocking
 The right to damages
 The right to file a complaint
 The right to rectify
 The right to data portability

Sidebar: THE VISION. A world-class regulatory and enforcement agency upholding
the right to privacy and data protection while ensuring the free flow of
information, committed to excellence, driven by a workforce that is highly
competent, future-oriented, and ethical, towards a competitive, knowledge-based,
and innovative nation.

Obligations of PICs and PIPs; Security Measures

When the law creates or recognizes rights, it also creates the corresponding
obligation to respect those rights. The DPA also imposes certain specific
obligations, principally on PICs and PIPs. Broadly, these key obligations are:

(i) to collect and process personal data only on the basis of lawful
criteria;
(ii) to adhere to the privacy principles of transparency, legitimate
purpose and proportionality; and
(iii) to implement reasonable and appropriate organizational, physical and
technical security measures for the protection of personal data.

The obligation to implement security measures could be viewed as
operationalizing the more general requirements of observing data subjects’
rights and adhering to privacy principles.

These measures must include those for the monitoring of and responding to data
security breaches. Regulations require that the National Privacy Commission and
the affected data subjects be notified of a data security breach under certain
circumstances.

National Privacy Commission


The DPA has created the National Privacy Commission (NPC). The NPC is in
charge of implementing the DPA.

The NPC has monitoring, advisory, rule-making, and quasi-judicial functions. It
can impose penalties.

The NPC requires certain PICs and PIPs to register their respective data
processing systems with the NPC. The following PICs and PIPs need to comply
with this registration requirement:

(i) Those PICs and PIPs that employ more than two hundred and fifty
(250) employees;

(ii) Those PICs and PIPs, with less than 250 employees, where:

(a) the processing carried out is likely to pose a risk to the
rights and freedoms of data subjects;

(b) the processing is not occasional; or

(c) the processing includes sensitive personal information of
at least 1,000 individuals.

Sidebar: “We have never given our personal information as easily as we do today.
Technology, and the convenience it offers, has seduced us into handing over our
names, addresses, and phone numbers so willingly. Personal data is exchanged for
free online and offline services, loyalty card discounts, and personalized brand
experiences, among others”.

The stated Mission of the Commission is:

We shall continuously deliver services to:

(1) Be the authority on data privacy and protection, providing knowledge,
know-how, and relevant technology.

(2) Establish a regulatory environment that ensures accountability in the
processing of personal data and promotes global standards for data
privacy and protection.

(3) Build a culture of privacy, through people empowerment, that enables
and upholds the right to privacy and supports free flow of information.

Penalties

Certain acts are penalized by the law, and sanctions include the imposition of
fines as well as imprisonment. Where the guilty party is a company or
organization, the penalty of imprisonment can be imposed on the responsible
officers who participated in, or by their gross negligence, allowed the
commission of the crime.

b. Additional Terms and Concepts


The comments above already define or explain certain important terms such as
PI, SPI, PICs, and PIPs. The following are also important for a basic understanding
of the DPA and its rules:

1. Processing Systems -- refers to the structure and procedure by which
personal data is collected and further processed in an information and
communications system or relevant filing system, including the purpose and
intended output of the processing;

2. Criteria for lawful processing of personal information -- Processing of
personal information is allowed, unless prohibited by law. For processing to be
lawful, any of the following conditions must be complied with:

a. The data subject must have given his or her consent prior to the
collection, or as soon as practicable and reasonable;

b. The processing involves the personal information of a data subject
who is a party to a contractual agreement, in order to fulfil
obligations under the contract or to take steps at the request of
the data subject prior to entering the said agreement;

c. The processing is necessary for compliance with a legal obligation
to which the personal information controller is subject;

d. The processing is necessary to protect vitally important interests of
the data subject, including his or her life and health;

e. The processing of personal information is necessary to respond to
national emergency or to comply with the requirements of public
order and safety, as prescribed by law;

f. The processing of personal information is necessary for the
fulfilment of the constitutional or statutory mandate of a public
authority; or

g. The processing is necessary to pursue the legitimate interests of
the personal information controller, or by a third party or parties
to whom the data is disclosed, except where such interests are
overridden by fundamental rights and freedoms of the data
subject, which require protection under the Philippine
Constitution.

Sidebar: “But giving out personal data comes at a potential cost. Security
breaches happen where personal information gets destroyed, lost, altered or
disclosed, accessed, and processed without consent. Many times, these instances
lead to identity theft, fraud, duplication of credit cards, blackmail and damaged
reputation — both among individuals and organizations. These breaches are on the
rise as organizations increasingly rely on digital data, making data protection
more important than ever. This is where we, the National Privacy Commission or
NPC, come in”.

3. Data sharing -- General Principles for Data Sharing. Further Processing of
Personal Data collected from a party other than the Data Subject shall be
allowed under any of the following conditions:

(a) Data sharing shall be allowed when it is expressly authorized
by law: Provided, that there are adequate safeguards for data
privacy and security, and processing adheres to the principles of
transparency, legitimate purpose and proportionality.

(b) Data Sharing shall be allowed in the private sector if the data
subject consents to data sharing, and the following conditions are
complied with:

1. Consent for data sharing shall be required even when the data is to be
shared with an affiliate or mother company, or similar relationships;

2. Data sharing for commercial purposes, including direct marketing, shall
be covered by a data sharing agreement.

(a) The data sharing agreement shall establish adequate
safeguards for data privacy and security, and uphold rights of data
subjects.

(b) The data sharing agreement shall be subject to review by the
Commission, on its own initiative or upon complaint of data
subject;

3. The data subject shall be provided with the following information prior
to collection or before data is shared:

(a) Identity of the personal information controllers or personal
information processors that will be given access to the personal
data;
(b) Purpose of data sharing;
(c) Categories of personal data concerned;
(d) Intended recipients or categories of recipients of the personal
data;
(e) Existence of the rights of data subjects, including the right to
access and correction, and the right to object;
(f) Other information that would sufficiently notify the data
subject of the nature and extent of data sharing and the manner
of processing.

Sidebar: “You have the right to dispute and have corrected any inaccuracy or
error in the data a personal information controller (PIC) holds about you. The
PIC should act on it immediately and accordingly, unless the request is vexatious
or unreasonable. Once corrected, the PIC should ensure that your access and
receipt of both new and retracted information. PICs should also furnish third
parties with said information, should you request it.”

4. Privacy impact assessment -- a process undertaken and used to
evaluate and manage the impact on privacy of a particular project,
program, process or measure.

5. Privacy by design -- an approach to the development and
implementation of projects, programs, and processes that
integrates into the latter’s design or structure safeguards that are
necessary to protect and promote privacy, such as appropriate
organizational, technical and policy measures.

Sidebar: The right to access. This is your right to find out whether an
organization holds any personal data about you and if so, gain “reasonable
access” to them. Through this right, you may also ask them to provide you with a
written description of the kind of information they have about you as well as
their purpose/s for holding them. Under the Data Privacy Act of 2012, you have a
right to obtain from an organization a copy of any information relating to you
that they have on their computer database and/or manual filing system. It should
be provided in an easy-to-access format, accompanied with a full explanation
executed in plain language.

II. Practical Outlook

a. How to Comply?

When a PIC or PIP considers the practical aspects of complying with the DPA, a
useful approach would be to first focus on two of the law’s requirements:
registration with the NPC and implementation of adequate security measures.

If the PIC/PIP needs to register its data processing system, then it only needs to
comply with the specific procedures set out by the NPC in the relevant circulars.[i]

In respect of security measures, the law sets down parameters for what would
be considered adequate and even provides for certain minimum requirements.
But a final decision on what measures should be implemented should also
depend on the results of the PIC’s/PIP’s privacy impact assessment (PIA).

b. Conducting the Privacy Impact Assessment

A very good way to begin the process of compliance with the law is to conduct an
initial assessment of the current state of your organization in the context of Data
Privacy.

We have provided a simple worksheet to start the process of asking the
important questions that need to be answered to understand your exposure.
You may download this worksheet at this link:
http://data1asia.com/d1_website2012/wp-content/uploads/2017/11/0171110-dpo-assessment-workbook.xlsx

Sidebar: The right to be informed. Under R.A. 10173, your personal data is
treated almost literally in the same way as your own personal property. Thus, it
should never be collected, processed and stored by any organization without your
explicit consent, unless otherwise provided by law. Information controllers
usually solicit your consent through a privacy notice. Aside from protecting you
against unfair means of personal data collection, this right also requires
personal information controllers (PICs) to notify you if your data have been
compromised, in a timely manner. As a data subject, you have the right to be
informed that your personal data will be, are being, or were, collected and
processed. The Right to be Informed is a most basic right as it empowers you as a
data subject to consider other actions to protect your data privacy and assert
your other privacy rights.

c. Parameters and Requirements for Security Measures

What the law requires -- The DPA requires:

1. Three types of security measures be put into place --
 Organizational
 Physical
 Technical.

2. The measures must be adequate, that is:
- they should be “reasonable and appropriate”
- In determining what is “appropriate”, the NPC will take into account:
(1) the nature of the personal data
(2) risks posed by the processing
(3) size of organization
(4) complexity of operations
(5) current best practices
(6) cost of security implementation
- they should seek to protect personal data

3. For organizational measures, the rules specify compliance with certain
measures including the appointment of a data protection officer,
compliance officer for privacy, and data security breach response team;
issuance of a data privacy policy; and maintenance of records describing
the data processing system.

4. For physical measures, the rules look for policies and procedures for
monitoring and limiting access; policies and procedures that prevent
destruction and protection against natural disasters, power disturbances,
external access and similar threats; and an appropriate design of office
space and work stations to provide privacy for persons processing data.

5. For technical measures, the rules require safeguards to protect the
confidentiality, integrity, availability, and resilience of processing systems;
regular monitoring for security breaches and a process to identify
vulnerabilities and to take preventive, corrective and mitigating action
against security incidents; a process for regular testing, assessing, and
evaluating effectiveness; encryption of personal data during storage and
while in transit; an authentication process; and other technical measures that
control and limit access. The NPC has recommended the Advanced
Encryption Standard with a key size of 256 bits (AES-256).

A PIC’s or PIP’s system should also be set up so that the controller or processor
will be capable of responding to a data subject’s exercise of his or her rights (e.g.,
right to access, right to correct, right to erase, data portability).

Sidebar: You must register with the National Privacy Commission if: the
Personal Information Controller or Personal Information Processor employs more
than two hundred and fifty (250) persons; or Personal Information Controllers or
Personal Information Processors have less than 250 employees but: the processing
carried out is likely to pose a risk to the rights and freedoms of data subjects;
the processing is not occasional (more frequently than once a year); or the
processing includes sensitive personal information of at least one thousand
(1,000) individuals.

III. Practical Steps to ensure compliance

After completing the initial risk assessment questionnaire, you should have a
better idea of your current possible exposure in the three areas:

 Organizational
 Physical
 Technical

The next step is to categorize the data that you are storing or processing into the
two categories defined by the DPA:

 Personal Information
 Sensitive Personal Information

Personal Information is any set of data that when evaluated together could easily
point to a specific individual. This might include data fields such as:

 Name
 Address (physical or electronic)
 Workplace
 Phone Numbers
 Shopping Habits
 Social Media Accounts
 Etc.

Sensitive Personal Information can include, but is not limited to:

 Gender
 Religion
 Social Security or similar government issued identifiers
 Bank or financial account numbers or credit card numbers
 Health / Medical Information
 Etc.
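
An added example in Go (not code from the white paper, DataOne or SyCipLaw) that puts the two field lists above together with the NPC registration criteria from the Legal Overview: it classifies the populated fields of constructed sample records as PI or SPI, counts the distinct subjects holding SPI, and then applies the registration thresholds (more than 250 employees; otherwise high-risk or non-occasional processing, or SPI of at least 1,000 individuals). The field-name table, the Record and Profile types, and all sample values are assumptions made for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// Category of a data field, following the paper's PI / SPI split.
type Category int

const (
	NotPersonal Category = iota
	PI
	SPI
)

// Constructed lookup from normalised field name to category; the names are assumptions, so adapt the table to your schema.
var fieldCategory = map[string]Category{
	"name": PI, "address": PI, "email": PI, "workplace": PI, "phone": PI,
	"shopping_habits": PI, "social_media": PI,
	"gender": SPI, "religion": SPI, "sss_number": SPI, "bank_account": SPI,
	"credit_card": SPI, "diagnosis": SPI, "health_insurance": SPI,
}

// Classify returns the category of one field name; unknown fields count as not personal here and should be reviewed by hand during the PIA.
func Classify(field string) Category {
	if c, ok := fieldCategory[strings.ToLower(strings.TrimSpace(field))]; ok {
		return c
	}
	return NotPersonal
}

// Record is one row of a processing system: the subject it concerns and the fields populated for that subject.
type Record struct {
	SubjectID string
	Fields    map[string]string
}

// Inventory is what a PIA worksheet needs to know about a dataset.
type Inventory struct {
	PIFields    map[string]bool
	SPIFields   map[string]bool
	SPISubjects int // distinct individuals with at least one SPI field populated
}

// TakeInventory classifies every populated field and counts the distinct subjects whose SPI the dataset holds.
func TakeInventory(records []Record) Inventory {
	inv := Inventory{PIFields: map[string]bool{}, SPIFields: map[string]bool{}}
	withSPI := map[string]bool{}
	for _, r := range records {
		for f, v := range r.Fields {
			if v == "" {
				continue // an empty field holds nothing to protect
			}
			switch Classify(f) {
			case PI:
				inv.PIFields[f] = true
			case SPI:
				inv.SPIFields[f] = true
				withSPI[r.SubjectID] = true
			}
		}
	}
	inv.SPISubjects = len(withSPI)
	return inv
}

// Profile holds the facts the NPC registration test depends on.
type Profile struct {
	Employees   int
	HighRisk    bool // processing likely to pose a risk to data subjects' rights and freedoms
	Occasional  bool
	SPISubjects int
}

// MustRegister applies the registration criteria as the paper lists them and names the one that triggered.
func MustRegister(p Profile) (bool, string) {
	switch {
	case p.Employees > 250:
		return true, "more than 250 employees"
	case p.HighRisk:
		return true, "processing likely to pose a risk to data subjects"
	case !p.Occasional:
		return true, "processing is not occasional"
	case p.SPISubjects >= 1000:
		return true, "sensitive personal information of at least 1,000 individuals"
	}
	return false, "no registration criterion met"
}

func main() { // constructed sample: a small clinic's patient list
	inv := TakeInventory([]Record{
		{SubjectID: "p-001", Fields: map[string]string{"name": "A", "diagnosis": "flu"}},
		{SubjectID: "p-002", Fields: map[string]string{"name": "B", "sss_number": "12-3456789-0"}},
	})
	req, why := MustRegister(Profile{Employees: 12, Occasional: true, SPISubjects: inv.SPISubjects})
	fmt.Printf("%d subjects with SPI; register with NPC: %t (%s)\n", inv.SPISubjects, req, why)
}
```

Counting subjects rather than rows matters because the 1,000-individual threshold is about people, not records; a dataset with many rows per patient can still fall under the threshold, while a single SPI field populated once is enough to put a person into the count.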

It is important to remember that this regulation extends to employees of the
company; 201 files and health insurance information, for instance, are considered
‘Sensitive’. You may be outsourcing payroll or similar functions to a third party
processor, in which case a ‘processing agreement’ must be in place and the third
party must abide by the privacy rules.

Once you have a clearer picture of the types and categories of data you have,
then it is also a good idea to categorise the types of persons who should have
access to this data and what depth of access.

For instance, can your employees potentially download copies of this data and
take it off premise? Studies clearly show that as much as 80% of cyber theft is
internal. Ensuring that proper internal controls are in place is key to securing the
data that you are managing.

Typical control mechanisms, whether physical or technological, consist of
defining who can:

 Collect Data
 View
 Edit / update
 Download
 Delete

The simplest way to manage this is to create ‘user groups’. Assign one or several
of the above actions to the group and then assign users to the various groups.
Ensure that all users who have access to the data have been appropriately
trained on the importance of Privacy and Security of the data and that they also
understand the potential risks and attendant penalties for breach of protocol.

Sidebar: What should I look for in a DPO? Your DPO should have expertise in
relevant privacy or data protection policies and practices. He or she should have
sufficient understanding of the processing operations being carried out by the
PIC or PIP, including the latter’s information systems, data security and/or data
protection needs. Knowledge by the DPO of the sector or field of the PIC or PIP,
and the latter’s internal structure, policies, and processes is also useful.

Data Protection Officer

Spearheading these above activities should be your DPO or Data Protection
Officer. Each company that is required to register must also register their DPO;
this is a legal requirement. This person is ultimately responsible for the
implementation of the policy and controls. Your DPO must be appropriately
trained and should be familiar with the Data Privacy Act, the IRR, and the various
circulars and clarifications that are being promulgated by the Privacy Commission
from time to time.

If you have not yet appointed and registered your DPO, this should be done
immediately. The deadline for registration was September 11th, 2017, but the
Commission will still accept “late registrations”.

a. Organizational

What are the standards for protecting personal information?

Every person that owns or licenses personal information shall develop,
implement, and maintain a comprehensive information security program that is
written in one or more readily accessible parts and contains organizational,
technical, and physical security protocols that are appropriate to:

1. the size, scope and type of operations of the agency obligated to
secure the personal data under such comprehensive information security
program and the DPA;

2. the amount of resources available to such person;

3. the amount of stored data; and

4. the need for security and confidentiality of both client and
employee information.

Without limiting the generality of the foregoing, every comprehensive
information security program shall include, but shall not be limited to:

1. Designating a DPO to maintain the comprehensive information security
program;

2. Identifying and assessing reasonably foreseeable internal and external
risks to the security, confidentiality, and/or integrity of any electronic, paper or
other records containing personal information, and evaluating and improving,
where necessary, the effectiveness of the current security for limiting such risks,
including but not limited to:

 ongoing employee training (including temporary and contract
employees);
 employee compliance with policies and procedures; and
 means for detecting and preventing security system failures.

Sidebar: Creating a Privacy Manual. The Manual serves as a guide or handbook
for ensuring the compliance of an organization or entity with the DPA, its
Implementing Rules and Regulations (IRR), and other relevant issuances of the
National Privacy Commission (NPC). It also encapsulates the privacy and data
protection protocols that need to be observed and carried out within the
organization for specific circumstances (e.g., from collection to destruction),
directed toward the fulfillment and realization of the rights of data subjects.

Access Control Policy

What is access control policy?

Guidelines to ensure PI and SPI data can only be accessed by authorized personnel
in accordance with their roles and responsibilities:

 Access should be secured. Systems and processes must be in place.
 There should be definitive access needs and privileges.
 There should be account maintenance.
 User IDs should be controlled; no sharing of user IDs.
 Use of strong passwords and mandatory change of default or initial
password.

Sidebar: What are the security requirements for a computer system? Secure user
authentication protocols including: control of user IDs and other identifiers;
reasonably secure method of assigning and selecting passwords, or use of unique
identifier technologies, such as biometrics or token devices; control of data
security passwords to ensure that such passwords are kept in a location and/or
format that does not compromise the security of the data they protect;
restricting access to active users and active user accounts only; and blocking
access to user identification after multiple unsuccessful attempts to gain access
or the limitation placed on access for the particular system.

What does the commission say?

In a time when data privacy and security matters, personal information
controllers and personal information processors are obliged to implement
strong, reasonable, and appropriate organizational, physical, and technical
security measures for the protection of the personal information that they
process. These include access control policies for off-site and online access to
personal and sensitive information.

Unauthorised access to these kinds of information due to negligence or
intentional breach can result in fines or imprisonment.
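
The access control policy above, together with the user-group scheme from the Practical Steps section, in Go as an added example (not the white paper's or DataOne's code): groups carry the collect/view/edit/download/delete actions, users hold rights only through their groups, a user ID cannot be registered twice, an account cannot touch data until its initial password has been changed, and repeated failed logins lock the account for a period, as the computer-system requirements in the sidebar describe. The Policy, User and Group types, the three-failure threshold and the sample user are assumptions made for this example; password hashing, persistent storage and account deactivation are left out.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Action is one of the operations on personal data the paper says a control scheme should gate.
type Action string

const (
	Collect  Action = "collect"
	View     Action = "view"
	Edit     Action = "edit"
	Download Action = "download"
	Delete   Action = "delete"
)

type Group map[Action]bool // actions granted to the group's members

// User is one person with one ID; the state here lets the policy refuse initial-password or locked accounts.
type User struct {
	Groups         []string
	MustChangePass bool // still on the default or initial password
	Failures       int  // consecutive failed logins
	LockedUntil    time.Time
}

type Policy struct { // in-memory access control store for this example
	MaxFailures int // failed logins tolerated before lockout
	LockFor     time.Duration
	groups      map[string]Group
	users       map[string]*User
}

func NewPolicy(maxFailures int, lockFor time.Duration) *Policy {
	return &Policy{MaxFailures: maxFailures, LockFor: lockFor, groups: map[string]Group{}, users: map[string]*User{}}
}

func (p *Policy) AddGroup(name string, actions ...Action) {
	p.groups[name] = Group{}
	for _, a := range actions {
		p.groups[name][a] = true
	}
}

// AddUser rejects a reused ID (one person, one identifier, no sharing) and starts the account on a must-change initial password.
func (p *Policy) AddUser(id string, groups ...string) error {
	if _, dup := p.users[id]; dup {
		return fmt.Errorf("user ID %q already exists; IDs must not be shared", id)
	}
	p.users[id] = &User{Groups: groups, MustChangePass: true}
	return nil
}

// PasswordChanged clears the initial-password flag (storing the password itself, as a salted hash, is outside this example).
func (p *Policy) PasswordChanged(id string) {
	if u := p.users[id]; u != nil {
		u.MustChangePass = false
	}
}

// RecordFailedLogin counts consecutive failures and locks the account once MaxFailures is reached; a successful login would reset Failures.
func (p *Policy) RecordFailedLogin(id string, now time.Time) {
	u := p.users[id]
	if u == nil {
		return
	}
	u.Failures++
	if u.Failures >= p.MaxFailures {
		u.LockedUntil, u.Failures = now.Add(p.LockFor), 0
	}
}

// Authorize is the single decision point every operation on personal data passes through.
func (p *Policy) Authorize(id string, a Action, now time.Time) error {
	u := p.users[id]
	switch {
	case u == nil:
		return errors.New("unknown user ID")
	case now.Before(u.LockedUntil):
		return errors.New("account locked after repeated failed logins")
	case u.MustChangePass:
		return errors.New("initial password must be changed before accessing data")
	}
	for _, g := range u.Groups {
		if p.groups[g][a] { // an unknown group name simply grants nothing
			return nil
		}
	}
	return errors.New("action not granted to any of the user's groups")
}

func main() { // constructed sample usage
	p := NewPolicy(3, 15*time.Minute)
	p.AddGroup("hr-clerk", Collect, View, Edit)
	fmt.Println(p.AddUser("jdelacruz", "hr-clerk"), p.Authorize("jdelacruz", View, time.Now()))
}
```

Routing every read, export and deletion through one Authorize call is what makes the user-group idea enforceable and auditable: a denial is a single place to log, and a new role is a new group rather than a change to application code.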

b. Physical

Do I need a Data Center?

The physical environment in which data is stored is an important part of security
and privacy. For a small company, this might be something as simple as a
dedicated filing room with controlled access or just a locked filing cabinet with a
clear policy about who holds the keys and under what conditions data can be
requested.

Larger organizations may already have a data room in which their IT equipment
is housed; others may have a full data center or be outsourcing the hosting of
their IT equipment to a professionally managed data center facility provider.

What is a Data Center?

A facility housing electronic equipment used for data processing, data storage,
and communications networking. It is a centralized repository, which may be
physical or virtual, used for the storage, management, and dissemination of data
including personal data. It is where organizations house their critical processing
systems and it is vital to the continuity of daily operations.

What are the recommended best practices for data center security?

1. Security controls should be developed for each data center component
– facilities, network, servers, storage and most importantly data.

2. Develop, apply and enforce policies across physical, virtual and cloud
environments.

3. Monitor at the network level for visibility and transparency into all
assets (physical and virtual) that reside on the LAN, and even those that
are offline, and all the interconnections between them. Monitoring
should be done 24 x 7.

4. Maintain the DC equipment, UPS, generator sets, batteries, precision
air conditioners etc.

5. Manage expertise and specialist skill sets amongst your technical
support team.

Sidebar: What are my responsibilities when retaining personal data? As an
organization that retains personal data, your responsibilities include: to be
clear about how long you will retain personal data and its reason/s; to ensure
quality of the data being retained; to ensure the security of the archived
personal data; to ensure restricted access to personal data; and to give access
and inform the data subjects about their data being retained.

What are the benefits of outsourcing to a professionally managed Data Center?

There are many advantages to outsourcing to a data center provider; here are
just a few items to consider.

1. Facilities Management -- You may not have sufficient budgets to retain a
full time facilities management team. A data center has numerous
complex systems that require certified engineers to manage, including
electrical power monitoring, filtering, and management to ensure cost
efficient consumption of power. In addition, sufficient, redundant
generator power must be available on demand, and gen sets must be
regularly serviced and tested to ensure they will function on demand.

In addition, a data center also requires fire detection and suppression
systems (not water sprinklers), leak detection systems, access monitoring
systems, security cameras and related equipment, and HVAC systems.

2. Costs – In addition to the initial Capex required for the build out of the
facility, the ongoing monthly costs must be carefully considered. The
largest operational expense for most data centers is the power
consumption. This is often grossly underestimated.

In addition to the manpower costs, the regular preventative
maintenance, testing, and replacement of equipment, fuel for the
generators etc. must not be forgotten. The cost of inspection and
certification by government agencies such as the DENR (emissions testing
for generator sets) and others can also add considerable unexpected
costs.

3. Uptime, Compliance, and SLA – it is also important to consider that a professionally managed data center also complies with a number of important international standards, such as ISO and Uptime Institute for instance. The cost to implement and regularly re-certify may be beyond the reach of most enterprises.

A Tier III data center commits to a minimum uptime for power and facilities of at least 99.985%. This translates to an allowable aggregate downtime of just seven (7) minutes per month, a target that would be very difficult to reach for most self-managed data centers.

A good data center provider also provides a strong, actionable SLA that allows for rebates in cases where the SLA is breached during a specified period of time. This is far more attractive than simply reprimanding your in-house IT manager.

What are the security requirements for a computer system?

Secure user authentication protocols, including:
• Control of user IDs and other identifiers;
• Reasonably secure method of assigning and selecting passwords, or use of unique identifier technologies, such as biometrics or token devices;
• Control of data security passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the data they protect;
• Restricting access to active users and active user accounts only; and
• Blocking access to user identification after multiple unsuccessful attempts to gain access or the limitation placed on access for the particular system.

c. Technical

Striking a balance

We are now in the ‘Digital Age’, and the constant buzz around digital transformation, the Internet of Things, Artificial Intelligence, and Big Data Analytics bombards us daily.

The ubiquity of the internet and the rapid rise of social media, combined with the massive collection and analysis of data of every kind, open up limitless possibilities for exciting new developments for individuals and for society as a whole.

Equally, however, it opens up huge possibilities for the criminal misuse of this information.

Technology has a pivotal role to play in managing the entire lifecycle of the data that we collect, process, and store.

On the one hand, we want to make it as simple and efficient as possible to capture and analyse data.

On the other hand, we have a duty of care to ensure that the privacy of the individuals identified by the data is adequately protected.
When designing and managing the technical systems that we deploy to process and manage information, it is important to consider the table provided below and to evaluate at each step how technology will interplay with the data flow.

Table 1. Information Lifecycle (Personal Information)

                    < ----- SECURITY ----- >

| Collect    | Use        | Retain     | Disclose   | Dispose    |
|------------|------------|------------|------------|------------|
| by?        | by?        | by?        | by?        | by?        |
| from?      |            |            | to?        |            |
| how?       | how?       | how?       | how?       | how?       |
| when?      | when?      | how long?  | when?      | when?      |
| where?     | where?     | where?     | where?     | where?     |
| why?       | why?       | why?       | why?       | why?       |
| authority? | authority? |            | authority? |            |

                   < ----- TECHNOLOGY ----- >

What does the Data Privacy Act say about retention of personal data?

In Chapter III, Section 11.e (General Data Privacy Principles) of the Data Privacy Act of 2012, personal information must be retained only for as long as necessary for the fulfilment of the purposes for which the data was obtained. The following are the purposes stated in the Implementing Rules and Regulations (IRR):
• For the fulfilment of the declared, specified, and legitimate purpose, or when the processing relevant to the purpose has been terminated
• For the establishment, exercise or defense of legal claims
• For legitimate business purposes, which must be consistent with standards followed by the applicable industry or approved by the appropriate government agency
• And in any case provided by law
To more clearly illustrate the above, we might take the example of a ‘Dermatology Practice’. This type of company may be essentially a ‘retail’ business operating with numerous branches. When customers enter the store, it is common for the store team to request the customer to fill in a form, which may be paper or digital.

Collect:
Who is the data collected by? A qualified doctor or just a temporary agency employee engaged to welcome customers at the front desk? Has the person collecting data been properly briefed on privacy?
From, How, When, Where: from what type of customer should data be collected? One who is there to have a procedure, or perhaps one who is just inquiring about rates for services? It is important to consider various possible scenarios and what data is appropriate to collect.
Is the customer (Data Subject) filling in paper or digital forms themselves? Or simply relating data to a person who is taking down the information? Best practice is to provide access to a screen or app wherein the customer can input the data for themselves, to ensure correctness and to ensure that it remains private.
Why, Authority: Has the customer been advised of why the data is being collected? Is the type and amount of data collected proportional to the need for the specific purpose? Has the customer been advised of how long the data will be retained and of their rights with respect to correction and deletion? Has the customer specifically affirmed that they are giving ‘permission’ for the collection and processing of the data? This should not be assumed simply because the customer is filling in the form. There must be a check box and a link to the privacy policy in the form for the customer to select prior to signing.

A similar process of questioning should be undertaken for each step of the data lifecycle: USE, RETAIN, DISCLOSE, DISPOSE.

The right to rectify

You have the right to dispute and have corrected any inaccuracy or error in the data a personal information controller (PIC) holds about you. The PIC should act on it immediately and accordingly, unless the request is vexatious or unreasonable.

Once corrected, the PIC should ensure your access to and receipt of both the new and the retracted information. PICs should also furnish third parties with said information, should you request it.

Deploying Technology

An in-depth discussion of the plethora of technologies that may be deployed is far beyond the scope of this paper; however, we would like to highlight just a few salient points that may be directly impacted by this new legislation.

Data Collection -- At some level, your business will be collecting data related to data subjects. Your marketing team may be running contests, promotions or enrolments that require users to complete forms, be they paper or digital. It is not uncommon for such forms to ask questions such as ‘gender’ and/or ‘religion’. If this is the case, then this new legislation treats this information as ‘Sensitive Data’. This therefore means that how this data is collected, stored, and processed must now be handled accordingly.

Another important factor to implement is to ensure that during data collection, the company’s ‘Privacy Policy’ is clearly made available to the user. In addition, there must be a mechanism within the form that allows the user to explicitly provide ‘permission’ (often known as ‘Opt In’). If you are collecting this permission electronically, then it is best practice to log not only the permission but the date and time that it was given and, if possible, the location and IP address from which it was given.

Conversely, your systems must be enabled in such a manner that allows the data subject to withdraw that permission at any time. Once permission is withdrawn, the data related to that subject must be anonymized or obfuscated to the extent that it is no longer possible to identify that specific individual.
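As an added illustration (not code from the white paper or from DataOne), the following Go program shows one way a system could record the ‘Opt In’ described above together with its date, time and IP address, anonymize the subject’s identifying fields once permission is withdrawn, and dispose of records once the retention period stated at collection has lapsed. The record layout, field names and sample values are constructed assumptions for the example.

```go
package main

import (
	"fmt"
	"time"
)

// ConsentRecord is what a PIC might log when a data subject opts in on a digital
// form; the layout and field names are assumptions for this example.
type ConsentRecord struct {
	SubjectID   string    // internal identifier for the data subject
	Name        string    // personal information captured on the form
	Email       string    // personal information captured on the form
	Purpose     string    // declared, specified and legitimate purpose
	OptInAt     time.Time // when the subject ticked the consent box
	OptInIP     string    // IP address the permission was given from
	RetainUntil time.Time // end of the retention period shown at collection
	Withdrawn   bool      // set once the subject withdraws permission
}

// RecordOptIn logs an explicit opt-in together with the time, IP address and the
// retention period that was communicated to the subject on the form.
func RecordOptIn(id, name, email, purpose, ip string, at time.Time, retention time.Duration) ConsentRecord {
	return ConsentRecord{
		SubjectID: id, Name: name, Email: email, Purpose: purpose,
		OptInAt: at, OptInIP: ip, RetainUntil: at.Add(retention),
	}
}

// Withdraw marks the permission as withdrawn and anonymizes the identifying
// fields so the record can no longer be tied to a specific individual.
func Withdraw(r ConsentRecord) ConsentRecord {
	r.Withdrawn = true
	r.Name, r.Email, r.OptInIP = "[withdrawn]", "[withdrawn]", "[withdrawn]"
	return r
}

// Identifiable reports whether a record still identifies a person.
func Identifiable(r ConsentRecord) bool {
	return !r.Withdrawn && r.Name != "" && r.Email != ""
}

// PurgeExpired keeps only records whose declared retention period has not yet
// lapsed at the given time; everything else is due for disposal.
func PurgeExpired(records []ConsentRecord, now time.Time) []ConsentRecord {
	kept := make([]ConsentRecord, 0, len(records))
	for _, r := range records {
		if now.Before(r.RetainUntil) {
			kept = append(kept, r)
		}
	}
	return kept
}

func main() {
	// Constructed sample: a promotion entry with a 90-day retention period.
	optIn := time.Date(2017, 6, 1, 9, 0, 0, 0, time.UTC)
	r := RecordOptIn("s-001", "Sample Subject", "subject@example.com",
		"promotion entry", "203.0.113.7", optIn, 90*24*time.Hour)
	fmt.Printf("opt-in at %s from %s, retain until %s\n",
		r.OptInAt.Format(time.RFC3339), r.OptInIP, r.RetainUntil.Format("2006-01-02"))
	w := Withdraw(r) // the subject later withdraws permission
	fmt.Println("identifiable after withdrawal:", Identifiable(w))
	// Once the retention period has lapsed the record is disposed of.
	fmt.Println("records kept 91 days later:",
		len(PurgeExpired([]ConsentRecord{r}, optIn.Add(91*24*time.Hour))))
}
```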
It is also now mandated that during collection of the data, the subject is informed of how long you will keep the personally identifiable data. This may be only a few months in the case of a promotion, or several years if there is a legitimate reason to keep the data. Either way, the ‘time frame’ must be clearly indicated to the user at the time of collection.

These are just a few examples of the rules that may well impact the way your current technology is configured. Reconfiguration or customization of your systems may entail considerable cost to become compliant, so it is important to evaluate now what might be entailed.

The right to data portability

This right assures that YOU remain in full control of YOUR data. Data portability allows you to obtain and electronically move, copy or transfer your data in a secure manner, for further use. It enables the free flow of your personal information across the internet and organizations, according to your preference. This is important especially now that several organizations and services can reuse the same data.

Data portability allows you to manage your personal data in your private device, and to transmit your data from one personal information controller to another. As such, it promotes competition that fosters better services for the public.

Data at rest, Data in Transit -- it is also now mandated that data being stored and shared must be encrypted to ensure that even if your systems are breached, it would be almost impossible for the entity committing the breach to make any sense of the information.

What is encryption?

Data encryption translates data into another form, or code, so that only people with access to a secret key (called a decryption key) can read it. Encrypted data is commonly referred to as ciphertext, while unencrypted data is called plaintext.

Encryption is the process of using an algorithm to transform information to make it unreadable for unauthorized users. This cryptographic method protects sensitive data such as credit card numbers by encoding and transforming information into unreadable ciphertext. This encoded data may only be decrypted or made readable with a key.

Encryption is essential for the ensured and trusted delivery of sensitive information. The earlier Data Encryption Standard (DES) algorithm uses a 56-bit key and is no longer considered attack-proof. The Advanced Encryption Standard (AES) is considered more reliable and secure because it uses a 128-bit, 192-bit or 256-bit key.

What does the Commission state about encryption?

“Any technology used to store, transport, or access sensitive personal information for purposes of off-site access approved shall be secured by the use of the most secure encryption standard recognized by the Commission.”

Data at rest, in transit, and in use should all be treated equally in terms of preserving its
privacy and managing its security.

What should be encrypted?

Emails, portable media, URLs

What does the Commission recommend with regards to encryption?

“Organizational, physical, and technical security measures for personal data protection, encryption, and access to sensitive personal information maintained by government agencies, considering the most appropriate standard recognized by the information and communications technology industry.”

“Advanced Encryption Standard with a key size of 256 bits (AES-256) as the most appropriate encryption standard. Passwords or passphrases used to access personal data should be of sufficient strength to deter password attacks. A password policy should be issued and enforced through a system management tool.”

Annual Reports

Personal information controllers and processors are required to submit their Annual Report, where all security incidents and personal data breaches must be documented through written reports, including those not covered by the notification requirements.

In the event of a personal data breach, a report shall include:
(a) the facts surrounding the incident;
(b) the effects of such incident; and
(c) the remedial action taken by the personal information controller.

For other security incidents not involving personal data, a report containing aggregated data shall constitute sufficient documentation.

What are some of the best practices for data center security recommended by the Commission?

“Develop and enforce policies that are context, identity, and application-aware for least complexity and the most flexibility and scalability. Ensure that they can be applied consistently across physical, virtual, and cloud environments. This, along with replacing physical network with logically defined secure trust zones, will provide seamless and secure user access to applications at all times, regardless of the device used to connect to resources in the data center.”

“Choose security technologies that are virtualization-aware or enabled, with security working at the network level rather than the server. Network security should be integrated at the hypervisor level to discover existing and new virtual machines and to follow those devices as they are moved or scaled up so that policy can be dynamically applied and enforced.”
Organizations need to look closely at how they securely store, manage, and exchange data in the face of an evolving threat landscape. Network virtualization technologies such as VMware NSX would be a major boost to compliance by providing fully isolated virtual networks and granular security control.

Compliant with the Commission’s recommendations, VMware NSX provides tight integration of network security with the hypervisor and is independent of the underlying network infrastructure. VMware NSX allows businesses to protect personal data collected, processed and stored by their application systems and to control the security risk level of each workload in real time. With NSX, network security policies follow virtual machines (VMs) as they are moved around the data center and are dynamically enforced. Each VM receives precise security capabilities as defined by the corporate policies based on the VM’s role.

NSX Security Groups and Security Tags allow granular and dynamic network security control. NSX Security Groups enable application- and context-aware security policies where VMs inherit firewall rules once they are provisioned. Security groups may be defined by application tier, regulatory requirements, operating system, geo-location, security posture, etc.

NSX Security Tags, on the other hand, allow complex security policies to be defined in a concise form while allowing changes to be dynamically applied as the application or security posture changes. Third-party anti-virus and anti-malware solutions such as Trend Micro Deep Security integrate with NSX through the Security Tags to protect and quarantine compromised VMs in real time by allowing for automatic reconfiguration of the virtual network infrastructure in response to security incidents.

What happens if there is a Breach?

As much as we may try to protect our data, the truth is that breaches still do occur, whether through malicious intent or simple carelessness.

There have recently been a number of high-profile cases of serious breach involving major multinational brands and costing millions of dollars in real revenues.

But for each of these high-profile cases that are broadly reported in the press, there are potentially thousands of cases that go unreported.

In some cases companies feel that the breach is too small to worry about, or are afraid of the reputational impact on their business if their customers learn of the incident.

Not all data breaches have to be reported to the NPC. Only when all of these are present must the personal information controller (or processor, as the case may be) notify:
• There is a breach of sensitive personal information or other information that may, under the circumstances, be used to enable identity fraud;
• The data is reasonably believed to have been acquired by an unauthorized person; and
• Either the personal information controller or the NPC believes that the data breach is likely to give rise to a real risk of serious harm to the affected data subject.

The Privacy Commission deals with breach, and breach reporting, in a very carefully considered and specific manner, with the main focus being placed on ‘Transparency’.

Exercising Breach Reporting Procedures

Each PIC must prepare, as part of its Privacy Manual, Breach Reporting Procedures.

There are six basic steps to be followed:

• Assessment
• The Security Incident Management Policy
• The Security Incident Response Team
• Annual Reports
• Mandatory Notification
• The Subsequent Investigation

If a breach is detected, then an initial assessment must be carried out to understand the nature of the breach and the possible impact on privacy.

Breaches are categorized into three types:

- Availability breach -- from the accidental or unlawful loss or destruction of personal data;
- Integrity breach -- from the unauthorized alteration of personal data; and
- Confidentiality breach -- from the unauthorized disclosure of or access to personal data.

There should be in place an incident management policy and an incident management response team. Ideally, a ‘play book’ should be developed in advance to ensure that in case of breach, the teams know exactly what to do and how to do it.

The Security Incident Response Team is responsible for:
• Implementing the security incident management policy of the personal information controller or personal information processor;
• Managing security incidents and personal data breaches; and
• Compliance by the personal information controller or personal information processor with the relevant provisions of the Act, its IRR, and all related issuances by the Commission on personal data breach management.

Mandatory Notification

In line with the mandate for transparency, if there is a breach that meets certain criteria, then the PIC must notify both the data subjects affected and the Data Privacy Commission of the incident.

The DPA has outlined detailed reporting procedures, the most important of which to observe is that notification must be made within 72 hours of the incident.

Notification must be triggered if ALL three of the following are true:

- There is a breach of sensitive personal information or other information that may, under the circumstances, be used to enable identity fraud;
- The data is reasonably believed to have been acquired by an unauthorized person; and
- Either the personal information controller or the NPC believes that the data breach is likely to give rise to a real risk of serious harm to the affected data subject.
Summary

This primer is designed to set you on the right path with respect to getting started with your Data Privacy Compliance.

The resources already provided by the Privacy Commission are quite extensive and we highly recommend that you study them in detail.

If you have already identified and appointed your DPO, it is recommended that the DPO read and understand the Act itself and the accompanying IRR and Circulars to stay up to date.

Whilst the Privacy Commission has been established to specifically address the privacy issue, many of the practices and suggested technologies discussed herein are highly appropriate to all kinds of data security.

It is highly recommended that you seek your own legal counsel for interpretation of the law and technical counsel for assistance with the complexities of securing your networks and data.

The NPC will consider these factors in its investigation following the occurrence of a data breach:
• Security measures that have been implemented and applied to the personal data at the time the personal data breach was reasonably believed to have occurred, including measures that would prevent use of the personal data by any person not authorized to access it;
• Subsequent measures that have been taken by the personal information controller or personal information processor to ensure that the risk of harm or negative consequence to the data subjects will not materialize;
• Age or legal capacity of affected data subjects; provided, that in the case of minors or other individuals without legal capacity, notification may be done through their legal representatives; and
• Compliance with the law and existence of good faith in the collection of personal information.

For further information on this White Paper or general data security questions, please contact the authors of this paper at:

DataOne Asia (Philippines), Inc.
www.data1asia.com
6th Floor, IBM Plaza, Eastwood City Cyberpark
E. Rodriguez Jr. Avenue,
Quezon City,
1110 Philippines
TEL: + 63 (2) 995 8256

RESOURCES

Philippines Privacy Commission web site https://privacy.gov.ph/

The Data Privacy Act of 2012 https://privacy.gov.ph/data-privacy-act/

The Privacy Act – Implementing Rules and Regulations https://privacy.gov.ph/implementing-rules-regulations-data-privacy-act-2012/

SyCipLaw http://www.syciplaw.com/
Rose Marie M. King-Dominguez
http://www.syciplaw.com/lawyers/partners/RMMKingDominguez
