- For the protection of personal data, any person processing personal data must designate an individual who shall function as data protection officer.
- Any person or other body involved in the processing of personal data shall implement appropriate data protection policies that provide for organization, physical, and technical security measures.
- Any person involved in the processing of personal data shall maintain records that sufficiently describe its data processing system, and identify the duties and responsibilities of those individuals who will have access to personal data.
In a time when data privacy and security matter, personal information controllers and personal information processors are obliged to implement strong, reasonable, and appropriate organizational, physical, and technical security measures for the protection of the personal information that they process.
The Implementing Rules and Regulations of Republic Act No. 10173, known as the “Data Privacy Act of 2012”, set the guidelines for organizational security with which personal information controllers and personal information processors shall comply.
Implementing Rules and Regulations of Republic Act No. 10173 provides:
Where appropriate, personal information controllers and personal information processors shall comply with the following guidelines for organizational security:
a. Compliance Officers.
Any natural or juridical person or other body involved in the processing of personal data shall designate an individual or individuals who shall function as data protection officer, compliance officer or otherwise be accountable for ensuring compliance with applicable laws and regulations for the protection of data privacy and security.
b. Data Protection Policies.
Any natural or juridical person or other body involved in the processing of personal data shall implement appropriate data protection policies that provide for organization, physical, and technical security measures, and, for such purpose, take into account the nature, scope, context and purposes of the processing, as well as the risks posed to the rights and freedoms of data subjects.
- The policies shall implement data protection principles both at the time of the determination of the means for processing and at the time of the processing itself.
- The policies shall implement appropriate security measures that, by default, ensure only personal data which is necessary for the specified purpose of the processing are processed. They shall determine the amount of personal data collected, including the extent of processing involved, the period of their storage, and their accessibility.
- The policies shall provide for documentation, regular review, evaluation, and updating of the privacy and security policies and practices.
c. Records of Processing Activities.
Any natural or juridical person or other body involved in the processing of personal data shall maintain records that sufficiently describe its data processing system, and identify the duties and responsibilities of those individuals who will have access to personal data. Records should include:
- Information about the purpose of the processing of personal data, including any intended future processing or data sharing;
- A description of all categories of data subjects, personal data, and recipients of such personal data that will be involved in the processing;
- General information about the data flow within the organization, from the time of collection, processing, and retention, including the time limits for disposal or erasure of personal data;
- A general description of the organizational, physical, and technical security measures in place;
- The name and contact details of the personal information controller and, where applicable, the joint controller, its representative, and the compliance officer or Data Protection Officer, or any other individual or individuals accountable for ensuring compliance with the applicable laws and regulations for the protection of data privacy and security.
d. Management of Human Resources.
Any natural or juridical person or other entity involved in the processing of personal data shall be responsible for selecting and supervising its employees, agents, or representatives, particularly those who will have access to personal data.
The said employees, agents, or representatives shall operate and hold personal data under strict confidentiality if the personal data are not intended for public disclosure. This obligation shall continue even after leaving the public service, transferring to another position, or upon terminating their employment or contractual relations. There shall be capacity building, orientation or training programs for such employees, agents or representatives, regarding privacy or security policies.
e. Processing of Personal Data.
Any natural or juridical person or other body involved in the processing of personal data shall develop, implement and review:
- A procedure for the collection of personal data, including procedures for obtaining consent, when applicable;
- Procedures that limit the processing of data, to ensure that it is only to the extent necessary for the declared, specified, and legitimate purpose;
- Policies for access management, system monitoring, and protocols to follow during security incidents or technical problems;
- Policies and procedures for data subjects to exercise their rights under the Data Privacy Act;
- Data retention schedule, including timeline or conditions for erasure or disposal of records.
f. Contracts with Personal Information Processors.
The personal information controller, through appropriate contractual agreements, shall ensure that its personal information processors, where applicable, shall also implement the security measures required by the Data Privacy Act and Implementing Rules and Regulations. It shall only engage those personal information processors that provide sufficient guarantees to implement appropriate security measures specified in the Act and these Rules, and ensure the protection of the rights of the data subject.
Alburo Alburo and Associates Law Offices specializes in business law and labor law consulting. For inquiries, you may reach us at info@alburolaw.com, or dial us at (02)7745-4391/0917-5772207.