ALANO, JULIUS N.    TM 298 Data Privacy & Info. Security
2018 – 20700    Atty. Elson Manahan
Requirement 2: INDIVIDUAL PAPER
Implementation of Data Privacy Rules and Information Security Standards
Introduction
Implementing a rule of law or a standard set by a government or a private institution is a meticulous process, because it affects the public good. Rules and standards in general are set to provide guidance and protection, and they must be followed and complied with. They are also established to exercise control and to govern, depending on the purpose of the rule or standard. Data privacy rules and information security standards, which government institutions and the private sector alike must observe and comply with, are one model of such rules and standards.
The implementing rules and regulations (IRR) of the Data Privacy Act of 2012 in the Philippines are an example of data privacy rules, modeled on data protection laws already in force in many other countries. Their main purpose is to protect the fundamental human right to privacy and to prevent the disclosure of private information without consent. The rules also apply to the act of processing personal information, with some exceptions. Processing must follow the principles of transparency, legitimate purpose, and proportionality. The law also established the National Privacy Commission, which enforces and administers its implementation.
ISO/IEC 27002, published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), sets out information security standards by giving controls for the management and implementation of information security management systems. It follows the CIA triad of confidentiality, integrity, and availability, which are deemed essential in information security. The standard sets objectives and controls to be implemented to meet specific requirements, which are usually identified through a risk assessment. Organizations are expected to follow such standards in information security management in order to protect vital data and information.
Despite the established rules and standards, there are still provisions under them that in theory must be implemented but are not usually observed. In essence, the rule or standard exists but is neglected, often unintentionally, by authorities or organizations. This paper discusses some rules and standards identified as commonly unobserved or overlooked by law enforcers and standards implementers; these lapses may be called transgressions, since the actions go against the rule.
Data Privacy Rules
In the Philippines, the Data Privacy Act of 2012 is the act protecting individual personal information in information and communications systems in the government and the private sector. It is also known as Republic Act No. 10173, which was approved on August 15, 2012. On August 24, 2016, the implementing rules and regulations of the Data Privacy Act were promulgated, to be enforced by the newly established National Privacy Commission. Under the implementing rules and regulations, processing must observe the three principles of the act: transparency, legitimate purpose, and proportionality. The rules are also strict about the collection and processing of an individual's data and about the individual's consent. The methods and practices by which personal data is collected and processed, and by which consent is obtained from the individual, must be observed. This is where the National Privacy Commission comes in: to check whether these rules are observed and complied with by government institutions and the private sector, and to enforce them.
Even with the act in force, many processes in government institutions and in the private sector do not really observe the data privacy rules: their employees, who usually act as the personal information processor or personal information controller, deliberately expose data to others without the consent of the data subject. This exposure usually happens during processing, especially in manual filing procedures. The data subject typically fills out a paper data form, which can be seen by others, and then submits the form to the personal information processor. These documents are filed manually, often in bulk, and can be accessible to others.
These practices persist because organizations may be unaware of the rules and regulations of the Data Privacy Act. It may also mean that an organization is not investing in improving its systems or processes, which may relate to its financial capacity. The National Privacy Commission must be aware of these practices, especially in government institutions, which should be role models in implementing data privacy rules. If the concern is the budget for improving their systems, they must at least implement better processes or practices to avoid such transgressions within the organization.
Information Security Standard
ISO/IEC 27002, established by ISO together with IEC, gives organizations, whether government institutions or private organizations, recommended practices for implementing their information security management systems (ISMS). Information security revolves around the CIA triad of confidentiality, integrity, and availability. Confidentiality means ensuring that only those authorized have access to specific data or information, and preventing anyone from obtaining information through unauthorized access. Integrity means ensuring that data has not been tampered with or modified, so that it can be trusted. Availability means that networks, systems, and applications are running and that authorized users have access whenever they need it. Organizations are trusted to comply with these principles, which also support the data privacy rules they must comply with.
Data privacy rules are integrated into the information security systems of organizations, yet some practices or processes may be neglected, resulting in transgressions of the Data Privacy Act. Within an organization, for instance, the personal information of an individual may be processed by a different entity without the individual's consent, or personal information in the organization's information system may be accessed by someone without the consent of the data subject. Filling out forms, especially data privacy consent forms (waivers), gives the organization the right to process personal data in its systems; unauthorized distribution of that data is a clear transgression of the standard as well as of the data privacy rules.
System processes may take different approaches to data and information processing. Organizations control the methodologies and the data processing, which gives them the opportunity to comply with the data privacy rules and standards. They must also be clear about who is authorized to access data, especially personal information uploaded to their information systems.
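As an added illustration for this paper (not the paper's own code, and not a tool of the National Privacy Commission), the following Python snippet turns the authorized-access requirement and the three IRR principles into enforceable checks in a small personal-data store: every access decision is logged (transparency), access is refused unless the data subject consented to the purpose the requester declares (legitimate purpose), and only the fields that purpose needs are returned (proportionality). The roles, purposes, policy table and sample records are assumptions constructed for the example.

```python
"""Consent-, purpose- and role-gated access to personal data.

Added illustration for this paper, not the paper's own code and not an
NPC tool. Roles, purposes, the policy table and the sample records are
constructed assumptions. The three IRR principles become checks:
transparency (every decision is logged), legitimate purpose (access is
refused unless the data subject consented to the declared purpose) and
proportionality (only the fields that purpose needs are returned).
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed policy: which roles may process data for which purpose,
# and the minimum set of fields that purpose needs.
PURPOSE_POLICY = {
    "payroll":   {"roles": {"hr_officer"},               "fields": {"name", "tin", "bank_account"}},
    "marketing": {"roles": {"marketing_staff"},          "fields": {"name", "email"}},
    "helpdesk":  {"roles": {"it_support", "hr_officer"}, "fields": {"name", "email"}},
}

@dataclass
class PersonalRecord:
    subject_id: str
    data: dict                 # field name -> value
    consented_purposes: set    # purposes the data subject agreed to

@dataclass
class AuditEntry:
    timestamp: str
    requester: str
    role: str
    subject_id: str
    purpose: str
    outcome: str               # "granted" or "denied: <reason>"
    fields: tuple              # field names actually disclosed

class PersonalDataStore:
    def __init__(self, records):
        self._records = {r.subject_id: r for r in records}
        self.audit_log = []

    def decide(self, requester, role, subject_id, purpose):
        """Return (True, disclosed_fields) or (False, reason); log either way."""
        policy = PURPOSE_POLICY.get(purpose)
        record = self._records.get(subject_id)
        if policy is None:
            reason = "unknown purpose"
        elif role not in policy["roles"]:
            reason = "role not authorised for this purpose"
        elif record is None:
            reason = "no such data subject"
        elif purpose not in record.consented_purposes:
            reason = "data subject has not consented to this purpose"
        else:
            reason = None
        if reason is not None:
            self._log(requester, role, subject_id, purpose, "denied: " + reason, ())
            return False, reason
        # Proportionality: disclose only what the declared purpose needs.
        disclosed = {k: v for k, v in record.data.items() if k in policy["fields"]}
        self._log(requester, role, subject_id, purpose, "granted", disclosed)
        return True, disclosed

    def access(self, requester, role, subject_id, purpose):
        """Same check, raising PermissionError on denial."""
        granted, result = self.decide(requester, role, subject_id, purpose)
        if not granted:
            raise PermissionError(result)
        return result

    def _log(self, requester, role, subject_id, purpose, outcome, fields):
        self.audit_log.append(AuditEntry(
            datetime.now(timezone.utc).isoformat(), requester, role,
            subject_id, purpose, outcome, tuple(sorted(fields))))

def build_sample_store():
    """Constructed sample records (fictitious persons and values)."""
    return PersonalDataStore([
        PersonalRecord("DS-001",
                       {"name": "Juan Dela Cruz", "email": "juan@example.com",
                        "tin": "000-000-000", "bank_account": "0000000000"},
                       {"payroll", "helpdesk"}),
        PersonalRecord("DS-002",
                       {"name": "Maria Santos", "email": "maria@example.com",
                        "tin": "111-111-111", "bank_account": "1111111111"},
                       {"marketing"}),
    ])

if __name__ == "__main__":
    store = build_sample_store()
    print(store.decide("alice", "hr_officer", "DS-001", "payroll"))       # granted, no email
    print(store.decide("bob", "marketing_staff", "DS-001", "marketing"))  # denied: no consent
    print(store.decide("carol", "it_support", "DS-001", "payroll"))       # denied: wrong role
    for entry in store.audit_log:
        print(entry)
```

Two points a practitioner would add in a real system: the audit log is what lets the controller demonstrate transparency to the data subject and to the Commission, so it needs the integrity protection discussed above (append-only storage, not a list in memory); and the denial reasons here are deliberately terse, since a verbose reason such as "no such data subject" can itself disclose whether a person is in the system.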
Conclusion
Data privacy rules and information security standards are broad concepts that organizations must be aware of. Enforcers of these rules and standards, on the other hand, must also be rigorous in administering them, to avoid neglect and indifference from organizations in complying. An individual's personal data is a critical provision of the act, since the law revolves around its collection and processing and around the consent that must be observed. The National Privacy Commission must be vigilant in its enforcement activities to monitor and control data processors and controllers across different entities and organizations.

References:

Implementing Rules and Regulations of the Data Privacy Act of 2012. (2018, September 10). Retrieved June 16, 2020, from https://www.privacy.gov.ph/implementing-rules-and-regulations-of-republic-act-no-10173-known-as-the-data-privacy-act-of-2012/

Walkowski, D. (2019, July 09). What Is The CIA Triad? Retrieved June 16, 2020, from https://www.f5.com/labs/articles/education/what-is-the-cia-triad

Wall, A. (2020, May 06). Summary: Philippines Data Privacy Act and implementing regulations. Retrieved June 16, 2020, from https://iapp.org/news/a/summary-philippines-data-protection-act-and-implementing-regulations/
