- Data Protection Officers shall be accountable for ensuring the compliance by the Personal Information Controllers (PIC) or Personal Information Processors (PIP) with the Data Privacy Act (DPA), its Implementing Rules and Regulations (IRR), issuances by the National Privacy Commission (NPC), and other applicable laws and regulations relating to privacy and data protection.
- The Data Protection Officer should be a full-time or organic employee of the Personal Information Controller or Personal Information Processor.
- A Data Protection Officer must be independent in the performance of his or her functions, and should be accorded a significant degree of autonomy by the Personal Information Controller or Personal Information Processor.
Pursuant to the Implementing Rules and Regulations (IRR) of the Data Privacy Act (DPA), any natural or juridical person or other body involved in the processing of personal data shall designate an individual or individuals who shall function as data protection officer (DPO) or compliance officer, or who shall otherwise be accountable for ensuring compliance with applicable laws and regulations for the protection of data privacy and security.
National Privacy Commission Advisory No. 2017-01 or “Designation of Data Protection Officers” provides that:
A Personal Information Controller (PIC) or Personal Information Processor (PIP) shall designate an individual or individuals who shall function as Data Protection Officer (DPO). The DPO shall be accountable for ensuring the compliance by the PIC or PIP with the Data Privacy Act (DPA), its Implementing Rules and Regulations (IRR), issuances by the National Privacy Commission (NPC), and other applicable laws and regulations relating to privacy and data protection.
- General Qualifications
The Data Protection Officer should possess the specialized knowledge and demonstrate the reliability necessary for the performance of his or her duties and responsibilities. As such, the DPO should have expertise in relevant privacy or data protection policies and practices. He or she should have sufficient understanding of the processing operations being carried out by the PIC or PIP, including the latter’s information systems, data security and/or data protection needs.
- Position of the Data Protection Officers (DPO) or Compliance Officer for Privacy (COP)
The DPO or COP should be a full-time or organic employee of the PIC or PIP.
In the private sector, the DPO or COP should ideally be a regular or permanent position. Where the employment of the DPO or COP is based on a contract, the term or duration thereof should at least be two (2) years to ensure stability.
In the event the position of DPO or COP is left vacant, the PIC or PIP should provide for the appointment, reappointment, or hiring of his or her replacement within a reasonable period of time. The PIC or PIP may also require the incumbent DPO or COP to occupy such position in a holdover capacity until the appointment or hiring of a new DPO or COP, in accordance with the PIC or PIP’s internal policies or the provisions of the appropriate contract.
- Independence, Autonomy and Conflict of Interest
A DPO or COP must be independent in the performance of his or her functions, and should be accorded a significant degree of autonomy by the PIC or PIP.
In his or her capacity as DPO or COP, an individual may perform (or be assigned to perform) other tasks or assume other functions that do not give rise to any conflict of interest.
- Duties and Responsibilities of the DPO
A DPO shall, inter alia:
- monitor the PIC’s or PIP’s compliance with the Data Privacy Act (DPA), its Implementing Rules and Regulations (IRR), issuances by the National Privacy Commission (NPC) and other applicable laws and policies. For this purpose, he or she may:
  - collect information to identify the processing operations, activities, measures, projects, programs, or systems of the PIC or PIP, and maintain a record thereof;
  - analyze and check the compliance of processing activities, including the issuance of security clearances to and compliance by third-party service providers;
  - inform, advise, and issue recommendations to the PIC or PIP;
  - ascertain renewal of accreditations or certifications necessary to maintain the required standards in personal data processing; and
  - advise the PIC or PIP as regards the necessity of executing a Data Sharing Agreement with third parties, and ensure its compliance with the law;
- ensure the conduct of Privacy Impact Assessments relative to activities, measures, projects, programs, or systems of the PIC or PIP;
- advise the PIC or PIP regarding complaints and/or the exercise by data subjects of their rights (e.g., requests for information, clarifications, rectification or deletion of personal data);
- ensure proper data breach and security incident management by the PIC or PIP, including the latter’s preparation and submission to the NPC of reports and other documentation concerning security incidents or data breaches within the prescribed period;
- inform and cultivate awareness on privacy and data protection within the organization of the PIC or PIP, including all relevant laws, rules and regulations and issuances of the NPC;
- advocate for the development, review and/or revision of policies, guidelines, projects and/or programs of the PIC or PIP relating to privacy and data protection, by adopting a privacy by design approach;
- serve as the contact person of the PIC or PIP vis-à-vis data subjects, the NPC and other authorities in all matters concerning data privacy or security issues or concerns and the PIC or PIP;
- cooperate, coordinate and seek advice of the NPC regarding matters concerning data privacy and security; and
- perform other duties and tasks that may be assigned by the PIC or PIP that will further the interest of data privacy and security and uphold the rights of the data subjects.
- Protections
To strengthen the autonomy of the DPO or COP and ensure the independent nature of his or her role in the organization, a PIC or PIP should not directly or indirectly penalize or dismiss the DPO or COP for performing his or her tasks. It is not necessary that the penalty is actually imposed or meted out. A mere threat is sufficient if it has the effect of impeding or preventing the DPO or COP from performing his or her tasks. However, nothing shall preclude the legitimate application of labor, administrative, civil or criminal laws against the DPO or COP, based on just or authorized grounds.
Alburo Alburo and Associates Law Offices specializes in business law and labor law consulting. For inquiries, you may reach us at info@alburolaw.com, or dial us at (02)7745-4391/0917-5772207.