ALBURO ALBURO AND ASSOCIATES LAW OFFICES


June 1, 2022

PROCEDURE FOR HANDLING DATA PRIVACY BREACH

Read also: GUIDELINES FOR THE PREVENTION OF PERSONAL DATA BREACH

  • The personal information controller or personal information processor shall implement policies and procedures for guidance of its data breach response team and other personnel in the event of a security incident.

  • All actions taken by a personal information controller or personal information processor shall be properly documented.

  • The incident response policy and procedure shall be subject to regular revision and review, at least annually.

Data breaches have been a concern since the birth of the internet, and the problem grows as time goes by. To guide personal information controllers and personal information processors in handling a personal data breach, the National Privacy Commission issued NPC Circular 16-03, or the circular on Personal Data Breach Management.

NPC Circular 16-03 provides:

The personal information controller (anybody who controls the processing of personal data, or instructs another to process personal data on his behalf) or personal information processor (anybody to whom a personal information controller may outsource or instruct the processing of personal data pertaining to a data subject) shall implement policies and procedures for the guidance of its data breach response team and other personnel in the event of a security incident. These may include:

  1. A procedure for the timely discovery of security incidents, including the identification of person or persons responsible for regular monitoring and evaluation of security incidents;
  2. Clear reporting lines in the event of a possible personal data breach, including the identification of a person responsible for setting in motion the incident response procedure, and who shall be immediately contacted in the event of a possible or confirmed personal data breach;
  3. Conduct of a preliminary assessment for purpose of:
    1. Assessing, as far as practicable, the nature and scope of the personal data breach and the immediate damage
    2. Determining the need for notification of law enforcement or external expertise; and
    3. Implementing immediate measures necessary to secure any evidence, contain the security incident and restore integrity to the information and communications system;
  4. Evaluation of the security incident or personal data breach as to its nature, extent and cause, the adequacy of safeguards in place, immediate and long-term damage, impact of the breach, and its potential harm and negative consequences to affected data subjects;
  5. Procedures for contacting law enforcement in case the security incident or personal data breach involves possible commission of criminal acts;
  6. Conduct of investigations that will evaluate fully the security incident or personal data breach;
  7. Procedures for notifying the Commission and data subjects when the breach is subject to notification requirements, in the case of personal information controllers, and procedures for notifying personal information controllers in accordance with a contract or agreement, in the case of personal information processors; and
  8. Policies and procedures for mitigating the possible harm and negative consequences to a data subject in the event of a personal data breach. The personal information controller must be ready to provide assistance to data subjects whose personal data may have been compromised.

  • Documentation

All actions taken by a personal information controller or personal information processor shall be properly documented. Reports should include:

  1. Description of the personal data breach, its root cause and circumstances regarding its discovery;
  2. Actions and decisions of the incident response team;
  3. Outcome of the breach management, and difficulties encountered; and
  4. Compliance with notification requirements and assistance provided to affected data subjects.

A procedure for post-breach review must be established for the purpose of improving the personal data breach management policies and procedures of the personal information controller or personal information processor.

  • Regular Review

The incident response policy and procedure shall be subject to regular revision and review, at least annually, by the Data Protection Officer or any other person designated by the Chief Executive Officer or the Head of Agency, as the case may be. The date of the last review and the schedule for the next succeeding review must always be indicated in the documentation of the incident response policy and procedure.


Alburo Alburo and Associates Law Offices specializes in business law and labor law consulting. For inquiries, you may reach us at info@alburolaw.com, or dial us at (02)7745-4391/0917-5772207.

All rights reserved.
