SlideShare a Scribd company logo

Data Privacy - Security of Personal Information

JDP Consulting
JDP Consulting

Philippine Data Privacy Law (R.A. 10173) requires observance of Security of Personal Information. Summary of Presentation: 1) Security of Personal Information is mandated of Personal Information Controller and their engaged Contractors (or 3rd Parties). 2) The standards for protection measures are two-fold: reasonable and appropriate. 3) Measures should be organizational, physical, and technical. 4) Strict confidentiality is required to be observed by: PIC Employees, PIC Agents, and PIC Representatives. 5) Notification requirement is mandated upon compromise of sensitive personal information and identity-fraud enabler information.

Law
1 of 15
Download to read offline
Security of Personal Information Basics of Philippine Data Privacy Law for Non-Lawyers
Standards The law sets for a minimum standard for Security of Personal Information. Data Privacy Law requires Personal Information Controllers (PIC) to implement measures that are: reasonable and appropriate. These two-fold standards are the test by which the security of personal information shall be adjudged. Since what is “reasonable” and “appropriate” are not specific, it is expected that implementation will vary from one industry to another. Supreme Court decisions (i.e. jurisprudence) will set the precedence as to what would constitute reasonable and appropriate as the law develops. Reference: Section 20 (a) and (b), R.A. 10173
Standards Coverage: 1) Personal Information Controllers (PIC); 2) PIC-engaged Contractors (or 3rd Parties). The standards for Security of Personal Information apply to the them. Reference: Section 20 (a) and (b), R.A. 10173
Organizational, Physical, Technical The personal information controller must implement reasonable and appropriate organizational, physical and technical measures intended for the protection of personal information against any accidental or unlawful destruction, alteration and disclosure, as well as against any other unlawful processing. Measures to be implemented have to be: 1) Organizational – PIC as an organization or a company should have systems, processes, and practice in place for Data Privacy compliance. 2) Physical – A PIC should have physical technological, device, or equipment that can enforce protection for personal information. 3) Technical – A PIC should have technical knowledge on personal data protection. Reference: Section 20 (a), R.A. 10173
Standards: Security of Personal Info The personal information controller shall implement reasonable and appropriate measures to protect personal information against natural dangers such as accidental loss or destruction, and human dangers such as unlawful access, fraudulent misuse, unlawful destruction, alteration and contamination. 2 Kinds of Dangers: (1) Natural Dangers, and (2) Human Dangers Natural Dangers, by definition, are those that are non-human related such as force majeure as in fires, typhoons, calamities, and analogous thereto. Human Dangers are those that are man-made such as hacking, cybercrime, unlawful access, fraudulent misuse, and analogous thereto. Reference: Section 20 (b), R.A. 10173
Standards: Security of Personal Info The determination of the appropriate level of security under this section must take into account the nature of the personal information to be protected, the risks represented by the processing, the size of the organization and complexity of its operations, current data privacy best practices and the cost of security implementation. When designing a security measure, the above factors should be considered as a matter of compliance with the Data Privacy Law. Non-compliance of the above factors may result in liabilities. Reference: Section 20 (c), R.A. 10173
Standards: Security of Personal Info … Subject to guidelines as the Commission may issue from time to time, the measures implemented must include: (1) Safeguards to protect its computer network against accidental, unlawful or unauthorized usage or interference with or hindering of their functioning or availability; (2) A security policy with respect to the processing of personal information; (3) A process for identifying and accessing reasonably foreseeable vulnerabilities in its computer networks, and for taking preventive, corrective and mitigating action against security incidents that can lead to a security breach; and (4) Regular monitoring for security breaches and a process for taking preventive, corrective and mitigating action against security incidents that can lead to a security breach. The security measures should thus be as comprehensive as possible. Reference: Section 20 (c), R.A. 10173
Security Measures: 3rd Parties by PIC The personal information controller must further ensure that third parties processing personal information on its behalf shall implement the security measures required by this provision. If PIC contracts out processing of personal information, the PIC is required to ensure that the engaged Contractor (or 3rd party) shall comply with the security measures required by the Data Privacy Law. The PIC may be held liable for non-compliance of the contractor. Reference: Section 20 (d), R.A. 10173
Strict Confidentiality for PIC Personnel The employees, agents or representatives of a personal information controller who are involved in the processing of personal information shall operate and hold personal information under strict confidentiality if the personal information are not intended for public disclosure. This obligation shall continue even after leaving the public service, transfer to another position or upon termination of employment or contractual relations. The obligation survives (or continues) despite: lateral transfer, leaving employment, or after contractual relations. Coverage: (1) PIC Employees; (2) PIC Agents; and (3) PIC Representatives. Reference: Section 20 (e), R.A. 10173
Notification Requirement The personal information controller shall promptly notify the Commission and affected data subjects when sensitive personal information or other information that may, under the circumstances, be used to enable identity fraud are reasonably believed to have been acquired by an unauthorized person, and the personal information controller or the Commission believes that such unauthorized acquisition is likely to give rise to a real risk of serious harm to any affected data subject. The notification shall at least describe the nature of the breach, the sensitive personal information possibly involved, and the measures taken by the entity to address the breach… Prompt notice is required on the PIC who shall give such to the NPC and the affected Data Subjects. For: Sensitive Personal Information or Identity-Fraud Enabler Information Reference: Section 20 (f), R.A. 10173
Notification Requirement … Notification may be delayed only to the extent necessary to determine the scope of the breach, to prevent further disclosures, or to restore reasonable integrity to the information and communications system. General Rule: Prompt Notification to the NPC and the Data Subject When notice may be delayed: 1) To the extent necessary to determine the scope of the breach; 2) To prevent further disclosures; and 3) To restore reasonable integrity to the information and communications system. Reference: Section 20 (f), R.A. 10173
Notification Requirement When notification may be exempted or postponed: (1) In evaluating if notification is unwarranted, the Commission may take into account compliance by the personal information controller with this section and existence of good faith in the acquisition of personal information. (2) The Commission may exempt a personal information controller from notification where, in its reasonable judgment, such notification would not be in the public interest or in the interests of the affected data subjects. (3) The Commission may authorize postponement of notification where it may hinder the progress of a criminal investigation related to a serious breach. Reference: Section 20 (f), R.A. 10173
Summary 1) Security of Personal Information is mandated of Personal Information Controller and their engaged Contractors (or 3rd Parties). 2) The standards for protection measures are two-fold: reasonable and appropriate. 3) Measures should be organizational, physical, and technical. 4) Strict confidentiality is required to be observed by: PIC Employees, PIC Agents, and PIC Representatives. 5) Notification requirement is mandated upon compromise of sensitive personal information and identity-fraud enabler information.
Security of Personal Information Basics of Philippine Data Privacy Law for Non-Lawyers Atty. Jericho B. Del Puerto SME Business Lawyer For inquiries, comment, or permission to use slides, send us an email : info@jdpconsulting.ph.
Data Privacy - Security of Personal Information

Recommended

Basic Data Privacy for Non Lawyers
Basic Data Privacy for Non LawyersBasic Data Privacy for Non Lawyers
Basic Data Privacy for Non LawyersJDP Consulting
 
Data privacy act
Data privacy actData privacy act
Data privacy actansherina erika dejan
 
Data Privacy Act of 2012 implication to cooperatives
Data Privacy Act of 2012 implication to cooperativesData Privacy Act of 2012 implication to cooperatives
Data Privacy Act of 2012 implication to cooperativesjo bitonio
 
Data privacy act of 2012 presentation
Data privacy act of 2012 presentationData privacy act of 2012 presentation
Data privacy act of 2012 presentationKittelson & Carpo Consulting
 
Data Privacy Act of 2012 (R.A. 10173) Briefing 2017
Data Privacy Act of 2012 (R.A. 10173) Briefing 2017Data Privacy Act of 2012 (R.A. 10173) Briefing 2017
Data Privacy Act of 2012 (R.A. 10173) Briefing 2017Jay Castillo
 
Philippine Data Privacy Act of 2012 (RA 10173)
Philippine Data Privacy Act of 2012 (RA 10173)Philippine Data Privacy Act of 2012 (RA 10173)
Philippine Data Privacy Act of 2012 (RA 10173)Kirk Go
 
Data Privacy Act in the Philippines
Data Privacy Act in the PhilippinesData Privacy Act in the Philippines
Data Privacy Act in the PhilippinesShirley Ingles-Cruz
 
GDPR Basics - General Data Protection Regulation
GDPR Basics - General Data Protection RegulationGDPR Basics - General Data Protection Regulation
GDPR Basics - General Data Protection RegulationVicky Dallas
 

Recommended

Basic Data Privacy for Non Lawyers
Basic Data Privacy for Non LawyersBasic Data Privacy for Non Lawyers
Basic Data Privacy for Non LawyersJDP Consulting
 
Data privacy act
Data privacy actData privacy act
Data privacy actansherina erika dejan
 
Data Privacy Act of 2012 implication to cooperatives
Data Privacy Act of 2012 implication to cooperativesData Privacy Act of 2012 implication to cooperatives
Data Privacy Act of 2012 implication to cooperativesjo bitonio
 
Data privacy act of 2012 presentation
Data privacy act of 2012 presentationData privacy act of 2012 presentation
Data privacy act of 2012 presentationKittelson & Carpo Consulting
 
Data Privacy Act of 2012 (R.A. 10173) Briefing 2017
Data Privacy Act of 2012 (R.A. 10173) Briefing 2017Data Privacy Act of 2012 (R.A. 10173) Briefing 2017
Data Privacy Act of 2012 (R.A. 10173) Briefing 2017Jay Castillo
 
Philippine Data Privacy Act of 2012 (RA 10173)
Philippine Data Privacy Act of 2012 (RA 10173)Philippine Data Privacy Act of 2012 (RA 10173)
Philippine Data Privacy Act of 2012 (RA 10173)Kirk Go
 
Data Privacy Act in the Philippines
Data Privacy Act in the PhilippinesData Privacy Act in the Philippines
Data Privacy Act in the PhilippinesShirley Ingles-Cruz
 
GDPR Basics - General Data Protection Regulation
GDPR Basics - General Data Protection RegulationGDPR Basics - General Data Protection Regulation
GDPR Basics - General Data Protection RegulationVicky Dallas
 
Privacy and Data Protection Act 2014 (VIC)
Privacy and Data Protection Act 2014 (VIC)Privacy and Data Protection Act 2014 (VIC)
Privacy and Data Protection Act 2014 (VIC)Russell_Kennedy
 
Legal obligations and responsibilities of data processors and controllers und...
Legal obligations and responsibilities of data processors and controllers und...Legal obligations and responsibilities of data processors and controllers und...
Legal obligations and responsibilities of data processors and controllers und...IT Governance Ltd
 
Ethical Issues and Relevant Laws on Computing
Ethical Issues and Relevant Laws on ComputingEthical Issues and Relevant Laws on Computing
Ethical Issues and Relevant Laws on ComputingLaguna State Polytechnic University
 
CEU DPA
CEU DPACEU DPA
CEU DPABERBERGRACEMARJORIE
 
“Privacy Today” Slide Presentation
“Privacy Today” Slide Presentation “Privacy Today” Slide Presentation
“Privacy Today” Slide Presentation tomasztopa
 
Privacy in simple
Privacy in simplePrivacy in simple
Privacy in simpleAurora Computer Studies
 
The Data Protection Act
The Data Protection ActThe Data Protection Act
The Data Protection ActSaimaRafiq
 
Data protection
Data protectionData protection
Data protectionRaviPrashant5
 
Information privacy and Security
Information privacy and SecurityInformation privacy and Security
Information privacy and SecurityAnuMarySunny
 
Data Privacy Protection Competrency Guide by a Data Subject
Data Privacy Protection Competrency Guide by a Data SubjectData Privacy Protection Competrency Guide by a Data Subject
Data Privacy Protection Competrency Guide by a Data SubjectJohn Macasio
 
Overview on data privacy
Overview on data privacy Overview on data privacy
Overview on data privacy Amiit Keshav Naik
 
Data Security in Healthcare
Data Security in HealthcareData Security in Healthcare
Data Security in HealthcareQuick Heal Technologies Ltd.
 
Cybersecurity Threats to Watch Out For in 2023.pptx
Cybersecurity Threats to Watch Out For in 2023.pptxCybersecurity Threats to Watch Out For in 2023.pptx
Cybersecurity Threats to Watch Out For in 2023.pptxCyberneticGI
 
Data Privacy - Penalties for Non-Compliance
Data Privacy - Penalties for Non-ComplianceData Privacy - Penalties for Non-Compliance
Data Privacy - Penalties for Non-ComplianceJDP Consulting
 
Security & Privacy for Health Data
Security & Privacy for Health DataSecurity & Privacy for Health Data
Security & Privacy for Health DataNawanan Theera-Ampornpunt
 
General Data Protection Regulation (GDPR)
General Data Protection Regulation (GDPR)General Data Protection Regulation (GDPR)
General Data Protection Regulation (GDPR)Extentia Information Technology
 
HealthCare Compliance - HIPAA and HITRUST
HealthCare Compliance - HIPAA and HITRUSTHealthCare Compliance - HIPAA and HITRUST
HealthCare Compliance - HIPAA and HITRUSTKimberly Simon MBA
 
238019494 rule-06-kinds-of-pleadings
238019494 rule-06-kinds-of-pleadings238019494 rule-06-kinds-of-pleadings
238019494 rule-06-kinds-of-pleadingshomeworkping3
 
Melihat RUU Pelindungan Data Pribadi
Melihat RUU Pelindungan Data PribadiMelihat RUU Pelindungan Data Pribadi
Melihat RUU Pelindungan Data PribadiICT Watch
 
Data protection
Data protectionData protection
Data protectionLewis Silkin
 
Data Protection Bill 2019 Participative Role of General Public
Data Protection Bill 2019 Participative Role of General PublicData Protection Bill 2019 Participative Role of General Public
Data Protection Bill 2019 Participative Role of General Publicijtsrd
 
Tech Connect Live 30th May 2018 ,GDPR Summit Hugh jones
Tech Connect Live 30th May 2018 ,GDPR Summit Hugh jonesTech Connect Live 30th May 2018 ,GDPR Summit Hugh jones
Tech Connect Live 30th May 2018 ,GDPR Summit Hugh jonesEvents2018
 

More Related Content

What's hot

Privacy and Data Protection Act 2014 (VIC)
Privacy and Data Protection Act 2014 (VIC)Privacy and Data Protection Act 2014 (VIC)
Privacy and Data Protection Act 2014 (VIC)Russell_Kennedy
 
Legal obligations and responsibilities of data processors and controllers und...
Legal obligations and responsibilities of data processors and controllers und...Legal obligations and responsibilities of data processors and controllers und...
Legal obligations and responsibilities of data processors and controllers und...IT Governance Ltd
 
“Privacy Today” Slide Presentation
“Privacy Today” Slide Presentation “Privacy Today” Slide Presentation
“Privacy Today” Slide Presentation tomasztopa
 
The Data Protection Act
The Data Protection ActThe Data Protection Act
The Data Protection ActSaimaRafiq
 
Information privacy and Security
Information privacy and SecurityInformation privacy and Security
Information privacy and SecurityAnuMarySunny
 
Data Privacy Protection Competrency Guide by a Data Subject
Data Privacy Protection Competrency Guide by a Data SubjectData Privacy Protection Competrency Guide by a Data Subject
Data Privacy Protection Competrency Guide by a Data SubjectJohn Macasio
 
Cybersecurity Threats to Watch Out For in 2023.pptx
Cybersecurity Threats to Watch Out For in 2023.pptxCybersecurity Threats to Watch Out For in 2023.pptx
Cybersecurity Threats to Watch Out For in 2023.pptxCyberneticGI
 
Data Privacy - Penalties for Non-Compliance
Data Privacy - Penalties for Non-ComplianceData Privacy - Penalties for Non-Compliance
Data Privacy - Penalties for Non-ComplianceJDP Consulting
 
HealthCare Compliance - HIPAA and HITRUST
HealthCare Compliance - HIPAA and HITRUSTHealthCare Compliance - HIPAA and HITRUST
HealthCare Compliance - HIPAA and HITRUSTKimberly Simon MBA
 
238019494 rule-06-kinds-of-pleadings
238019494 rule-06-kinds-of-pleadings238019494 rule-06-kinds-of-pleadings
238019494 rule-06-kinds-of-pleadingshomeworkping3
 
Melihat RUU Pelindungan Data Pribadi
Melihat RUU Pelindungan Data PribadiMelihat RUU Pelindungan Data Pribadi
Melihat RUU Pelindungan Data PribadiICT Watch
 

What's hot (20)

Privacy and Data Protection Act 2014 (VIC)
Privacy and Data Protection Act 2014 (VIC)Privacy and Data Protection Act 2014 (VIC)
Privacy and Data Protection Act 2014 (VIC)
 
Legal obligations and responsibilities of data processors and controllers und...
Legal obligations and responsibilities of data processors and controllers und...Legal obligations and responsibilities of data processors and controllers und...
Legal obligations and responsibilities of data processors and controllers und...
 
Ethical Issues and Relevant Laws on Computing
Ethical Issues and Relevant Laws on ComputingEthical Issues and Relevant Laws on Computing
Ethical Issues and Relevant Laws on Computing
 
CEU DPA
CEU DPACEU DPA
CEU DPA
 
“Privacy Today” Slide Presentation
“Privacy Today” Slide Presentation “Privacy Today” Slide Presentation
“Privacy Today” Slide Presentation
 
Privacy in simple
Privacy in simplePrivacy in simple
Privacy in simple
 
The Data Protection Act
The Data Protection ActThe Data Protection Act
The Data Protection Act
 
Data protection
Data protectionData protection
Data protection
 
Information privacy and Security
Information privacy and SecurityInformation privacy and Security
Information privacy and Security
 
Data Privacy Protection Competrency Guide by a Data Subject
Data Privacy Protection Competrency Guide by a Data SubjectData Privacy Protection Competrency Guide by a Data Subject
Data Privacy Protection Competrency Guide by a Data Subject
 
Overview on data privacy
Overview on data privacy Overview on data privacy
Overview on data privacy
 
Data Security in Healthcare
Data Security in HealthcareData Security in Healthcare
Data Security in Healthcare
 
Cybersecurity Threats to Watch Out For in 2023.pptx
Cybersecurity Threats to Watch Out For in 2023.pptxCybersecurity Threats to Watch Out For in 2023.pptx
Cybersecurity Threats to Watch Out For in 2023.pptx
 
Data Privacy - Penalties for Non-Compliance
Data Privacy - Penalties for Non-ComplianceData Privacy - Penalties for Non-Compliance
Data Privacy - Penalties for Non-Compliance
 
Security & Privacy for Health Data
Security & Privacy for Health DataSecurity & Privacy for Health Data
Security & Privacy for Health Data
 
General Data Protection Regulation (GDPR)
General Data Protection Regulation (GDPR)General Data Protection Regulation (GDPR)
General Data Protection Regulation (GDPR)
 
HealthCare Compliance - HIPAA and HITRUST
HealthCare Compliance - HIPAA and HITRUSTHealthCare Compliance - HIPAA and HITRUST
HealthCare Compliance - HIPAA and HITRUST
 
238019494 rule-06-kinds-of-pleadings
238019494 rule-06-kinds-of-pleadings238019494 rule-06-kinds-of-pleadings
238019494 rule-06-kinds-of-pleadings
 
Melihat RUU Pelindungan Data Pribadi
Melihat RUU Pelindungan Data PribadiMelihat RUU Pelindungan Data Pribadi
Melihat RUU Pelindungan Data Pribadi
 
Data protection
Data protectionData protection
Data protection
 

Similar to Data Privacy - Security of Personal Information

Data Protection Bill 2019 Participative Role of General Public
Data Protection Bill 2019 Participative Role of General PublicData Protection Bill 2019 Participative Role of General Public
Data Protection Bill 2019 Participative Role of General Publicijtsrd
 
Tech Connect Live 30th May 2018 ,GDPR Summit Hugh jones
Tech Connect Live 30th May 2018 ,GDPR Summit Hugh jonesTech Connect Live 30th May 2018 ,GDPR Summit Hugh jones
Tech Connect Live 30th May 2018 ,GDPR Summit Hugh jonesEvents2018
 
All_you_need_to Know_About_the_Data_Privacy_Act.pdf
All_you_need_to Know_About_the_Data_Privacy_Act.pdfAll_you_need_to Know_About_the_Data_Privacy_Act.pdf
All_you_need_to Know_About_the_Data_Privacy_Act.pdfJakeAldrinDegala1
 
Legal Issues in Data Privacy and Security: Response Readiness Before the Breach
Legal Issues in Data Privacy and Security: Response Readiness Before the BreachLegal Issues in Data Privacy and Security: Response Readiness Before the Breach
Legal Issues in Data Privacy and Security: Response Readiness Before the BreachDawn Yankeelov
 
IIAC Young Agents - Protecting Your Insureds\' Private Information
IIAC Young Agents - Protecting Your Insureds\' Private InformationIIAC Young Agents - Protecting Your Insureds\' Private Information
IIAC Young Agents - Protecting Your Insureds\' Private InformationJason Hoeppner
 
Group 5 Banking Laws Semi Finals.pptx
Group 5 Banking Laws Semi Finals.pptxGroup 5 Banking Laws Semi Finals.pptx
Group 5 Banking Laws Semi Finals.pptxStephenQuijano3
 
Legal aspects of IT Security-at ISACA conference 2011
Legal aspects of IT Security-at ISACA conference 2011Legal aspects of IT Security-at ISACA conference 2011
Legal aspects of IT Security-at ISACA conference 2011Adv Prashant Mali
 
The new massachusetts privacy rules v5.35.1
The new massachusetts privacy rules v5.35.1The new massachusetts privacy rules v5.35.1
The new massachusetts privacy rules v5.35.1stevemeltzer
 
The New Massachusetts Privacy Rules V4
The New Massachusetts Privacy Rules V4The New Massachusetts Privacy Rules V4
The New Massachusetts Privacy Rules V4stevemeltzer
 
The New Massachusetts Privacy Rules V4
The New Massachusetts Privacy Rules V4The New Massachusetts Privacy Rules V4
The New Massachusetts Privacy Rules V4stevemeltzer
 
The New Massachusetts Privacy Rules V4
The New Massachusetts Privacy Rules V4The New Massachusetts Privacy Rules V4
The New Massachusetts Privacy Rules V4stevemeltzer
 
Data protection in_india
Data protection in_indiaData protection in_india
Data protection in_indiaAltacit Global
 
The New Massachusetts Privacy Rules (February 2, 2010)
The New Massachusetts Privacy Rules (February 2, 2010)The New Massachusetts Privacy Rules (February 2, 2010)
The New Massachusetts Privacy Rules (February 2, 2010)stevemeltzer
 
28 CFR Part 23-CRIMINAL INTELLIGENCE SYSTEMS OPERATING POLICIES.pdf
28 CFR Part 23-CRIMINAL INTELLIGENCE SYSTEMS OPERATING POLICIES.pdf28 CFR Part 23-CRIMINAL INTELLIGENCE SYSTEMS OPERATING POLICIES.pdf
28 CFR Part 23-CRIMINAL INTELLIGENCE SYSTEMS OPERATING POLICIES.pdfxstokes825
 
Chapter 3 legal framework of cybercrime and law enforcement tools
Chapter 3 legal framework of cybercrime and law enforcement toolsChapter 3 legal framework of cybercrime and law enforcement tools
Chapter 3 legal framework of cybercrime and law enforcement toolsMarkDennielMontiano
 
Principles of mobile privacy
Principles of mobile privacyPrinciples of mobile privacy
Principles of mobile privacyEuphodia Maluleke
 
Information Security
Information SecurityInformation Security
Information Securityikonick
 

Similar to Data Privacy - Security of Personal Information (20)

Data Protection Bill 2019 Participative Role of General Public
Data Protection Bill 2019 Participative Role of General PublicData Protection Bill 2019 Participative Role of General Public
Data Protection Bill 2019 Participative Role of General Public
 
Tech Connect Live 30th May 2018 ,GDPR Summit Hugh jones
Tech Connect Live 30th May 2018 ,GDPR Summit Hugh jonesTech Connect Live 30th May 2018 ,GDPR Summit Hugh jones
Tech Connect Live 30th May 2018 ,GDPR Summit Hugh jones
 
All_you_need_to Know_About_the_Data_Privacy_Act.pdf
All_you_need_to Know_About_the_Data_Privacy_Act.pdfAll_you_need_to Know_About_the_Data_Privacy_Act.pdf
All_you_need_to Know_About_the_Data_Privacy_Act.pdf
 
Legal Issues in Data Privacy and Security: Response Readiness Before the Breach
Legal Issues in Data Privacy and Security: Response Readiness Before the BreachLegal Issues in Data Privacy and Security: Response Readiness Before the Breach
Legal Issues in Data Privacy and Security: Response Readiness Before the Breach
 
IIAC Young Agents - Protecting Your Insureds\' Private Information
IIAC Young Agents - Protecting Your Insureds\' Private InformationIIAC Young Agents - Protecting Your Insureds\' Private Information
IIAC Young Agents - Protecting Your Insureds\' Private Information
 
Group 5 Banking Laws Semi Finals.pptx
Group 5 Banking Laws Semi Finals.pptxGroup 5 Banking Laws Semi Finals.pptx
Group 5 Banking Laws Semi Finals.pptx
 
Legal aspects of IT Security-at ISACA conference 2011
Legal aspects of IT Security-at ISACA conference 2011Legal aspects of IT Security-at ISACA conference 2011
Legal aspects of IT Security-at ISACA conference 2011
 
The new massachusetts privacy rules v5.35.1
The new massachusetts privacy rules v5.35.1The new massachusetts privacy rules v5.35.1
The new massachusetts privacy rules v5.35.1
 
The New Massachusetts Privacy Rules V4
The New Massachusetts Privacy Rules V4The New Massachusetts Privacy Rules V4
The New Massachusetts Privacy Rules V4
 
The New Massachusetts Privacy Rules V4
The New Massachusetts Privacy Rules V4The New Massachusetts Privacy Rules V4
The New Massachusetts Privacy Rules V4
 
The New Massachusetts Privacy Rules V4
The New Massachusetts Privacy Rules V4The New Massachusetts Privacy Rules V4
The New Massachusetts Privacy Rules V4
 
Data protection in_india
Data protection in_indiaData protection in_india
Data protection in_india
 
The New Massachusetts Privacy Rules (February 2, 2010)
The New Massachusetts Privacy Rules (February 2, 2010)The New Massachusetts Privacy Rules (February 2, 2010)
The New Massachusetts Privacy Rules (February 2, 2010)
 
GDPR, Data Privacy.
GDPR, Data Privacy.GDPR, Data Privacy.
GDPR, Data Privacy.
 
28 CFR Part 23-CRIMINAL INTELLIGENCE SYSTEMS OPERATING POLICIES.pdf
28 CFR Part 23-CRIMINAL INTELLIGENCE SYSTEMS OPERATING POLICIES.pdf28 CFR Part 23-CRIMINAL INTELLIGENCE SYSTEMS OPERATING POLICIES.pdf
28 CFR Part 23-CRIMINAL INTELLIGENCE SYSTEMS OPERATING POLICIES.pdf
 
Chapter 3 legal framework of cybercrime and law enforcement tools
Chapter 3 legal framework of cybercrime and law enforcement toolsChapter 3 legal framework of cybercrime and law enforcement tools
Chapter 3 legal framework of cybercrime and law enforcement tools
 
Advisory April Showers 02.19.2009
Advisory April Showers 02.19.2009Advisory April Showers 02.19.2009
Advisory April Showers 02.19.2009
 
Principles of mobile privacy
Principles of mobile privacyPrinciples of mobile privacy
Principles of mobile privacy
 
Box 10
Box 10Box 10
Box 10
 
Information Security
Information SecurityInformation Security
Information Security
 

More from JDP Consulting

Data Privacy- Security of Sensitive Personal Information
Data Privacy- Security of Sensitive Personal InformationData Privacy- Security of Sensitive Personal Information
Data Privacy- Security of Sensitive Personal InformationJDP Consulting
 
Data Privacy - Rights of the Data Subject
Data Privacy - Rights of the Data SubjectData Privacy - Rights of the Data Subject
Data Privacy - Rights of the Data SubjectJDP Consulting
 
Philippine Franchising Law
Philippine Franchising LawPhilippine Franchising Law
Philippine Franchising LawJDP Consulting
 
What is Control in Contracting and Subcontracting?
What is Control in Contracting and Subcontracting?What is Control in Contracting and Subcontracting?
What is Control in Contracting and Subcontracting?JDP Consulting
 
DOLE D.O. 174-17 vs. DOLE D.O. 18-A-11
DOLE D.O. 174-17 vs. DOLE D.O. 18-A-11DOLE D.O. 174-17 vs. DOLE D.O. 18-A-11
DOLE D.O. 174-17 vs. DOLE D.O. 18-A-11JDP Consulting
 
Special Leave for Women
Special Leave for WomenSpecial Leave for Women
Special Leave for WomenJDP Consulting
 
Service Incentive Leave
Service Incentive LeaveService Incentive Leave
Service Incentive LeaveJDP Consulting
 

More from JDP Consulting (20)

Data Privacy- Security of Sensitive Personal Information
Data Privacy- Security of Sensitive Personal InformationData Privacy- Security of Sensitive Personal Information
Data Privacy- Security of Sensitive Personal Information
 
Data Privacy - Rights of the Data Subject
Data Privacy - Rights of the Data SubjectData Privacy - Rights of the Data Subject
Data Privacy - Rights of the Data Subject
 
Philippine Franchising Law
Philippine Franchising LawPhilippine Franchising Law
Philippine Franchising Law
 
Unfair Labor Practice
Unfair Labor PracticeUnfair Labor Practice
Unfair Labor Practice
 
DOLE D.O. 147-15
DOLE D.O. 147-15DOLE D.O. 147-15
DOLE D.O. 147-15
 
What is Control in Contracting and Subcontracting?
What is Control in Contracting and Subcontracting?What is Control in Contracting and Subcontracting?
What is Control in Contracting and Subcontracting?
 
DOLE D.O. 174-17 vs. DOLE D.O. 18-A-11
DOLE D.O. 174-17 vs. DOLE D.O. 18-A-11DOLE D.O. 174-17 vs. DOLE D.O. 18-A-11
DOLE D.O. 174-17 vs. DOLE D.O. 18-A-11
 
Pag-IBIG Benefits
Pag-IBIG BenefitsPag-IBIG Benefits
Pag-IBIG Benefits
 
SSS Benefits
SSS BenefitsSSS Benefits
SSS Benefits
 
PhilHealth Benefits
PhilHealth BenefitsPhilHealth Benefits
PhilHealth Benefits
 
ECC Benefits
ECC BenefitsECC Benefits
ECC Benefits
 
Retirement Pay
Retirement PayRetirement Pay
Retirement Pay
 
Separation Pay
Separation PaySeparation Pay
Separation Pay
 
13th Month Pay
13th Month Pay13th Month Pay
13th Month Pay
 
Special Leave for Women
Special Leave for WomenSpecial Leave for Women
Special Leave for Women
 
VAWC Leave
VAWC LeaveVAWC Leave
VAWC Leave
 
Solo Parental Leave
Solo Parental LeaveSolo Parental Leave
Solo Parental Leave
 
Paternity Leave
Paternity LeavePaternity Leave
Paternity Leave
 
Service Incentive Leave
Service Incentive LeaveService Incentive Leave
Service Incentive Leave
 
Service Charges
Service ChargesService Charges
Service Charges
 

Recently uploaded

Transferable and Non-Transferable Property.pptx
Transferable and Non-Transferable Property.pptxTransferable and Non-Transferable Property.pptx
Transferable and Non-Transferable Property.pptx2020000445musaib
 
如何办理(Lincoln文凭证书)林肯大学毕业证学位证书
如何办理(Lincoln文凭证书)林肯大学毕业证学位证书如何办理(Lincoln文凭证书)林肯大学毕业证学位证书
如何办理(Lincoln文凭证书)林肯大学毕业证学位证书Fs Las
 
如何办理(USF文凭证书)美国旧金山大学毕业证学位证书
如何办理(USF文凭证书)美国旧金山大学毕业证学位证书如何办理(USF文凭证书)美国旧金山大学毕业证学位证书
如何办理(USF文凭证书)美国旧金山大学毕业证学位证书Fs Las
 
如何办理(SFSta文凭证书)美国旧金山州立大学毕业证学位证书
如何办理(SFSta文凭证书)美国旧金山州立大学毕业证学位证书如何办理(SFSta文凭证书)美国旧金山州立大学毕业证学位证书
如何办理(SFSta文凭证书)美国旧金山州立大学毕业证学位证书Fs Las
 
如何办理佛蒙特大学毕业证学位证书
如何办理佛蒙特大学毕业证学位证书 如何办理佛蒙特大学毕业证学位证书
如何办理佛蒙特大学毕业证学位证书Fir sss
 
The Active Management Value Ratio: The New Science of Benchmarking Investment...
The Active Management Value Ratio: The New Science of Benchmarking Investment...The Active Management Value Ratio: The New Science of Benchmarking Investment...
The Active Management Value Ratio: The New Science of Benchmarking Investment...James Watkins, III JD CFP®
 
如何办理新西兰奥克兰商学院毕业证(本硕)AIS学位证书
如何办理新西兰奥克兰商学院毕业证(本硕)AIS学位证书如何办理新西兰奥克兰商学院毕业证(本硕)AIS学位证书
如何办理新西兰奥克兰商学院毕业证(本硕)AIS学位证书Fir L
 
如何办理密德萨斯大学毕业证(本硕)Middlesex学位证书
如何办理密德萨斯大学毕业证(本硕)Middlesex学位证书如何办理密德萨斯大学毕业证(本硕)Middlesex学位证书
如何办理密德萨斯大学毕业证(本硕)Middlesex学位证书FS LS
 
Why Every Business Should Invest in a Social Media Fraud Analyst.pdf
Why Every Business Should Invest in a Social Media Fraud Analyst.pdfWhy Every Business Should Invest in a Social Media Fraud Analyst.pdf
Why Every Business Should Invest in a Social Media Fraud Analyst.pdfMilind Agarwal
 
Indemnity Guarantee Section 124 125 and 126
Indemnity Guarantee Section 124 125 and 126Indemnity Guarantee Section 124 125 and 126
Indemnity Guarantee Section 124 125 and 126Oishi8
 
如何办理(MSU文凭证书)密歇根州立大学毕业证学位证书
如何办理(MSU文凭证书)密歇根州立大学毕业证学位证书 如何办理(MSU文凭证书)密歇根州立大学毕业证学位证书
如何办理(MSU文凭证书)密歇根州立大学毕业证学位证书Sir Lt
 
Offences against property (TRESPASS, BREAKING
Offences against property (TRESPASS, BREAKINGOffences against property (TRESPASS, BREAKING
Offences against property (TRESPASS, BREAKINGPRAKHARGUPTA419620
 
Essentials of a Valid Transfer.pptxmmmmmm
Essentials of a Valid Transfer.pptxmmmmmmEssentials of a Valid Transfer.pptxmmmmmm
Essentials of a Valid Transfer.pptxmmmmmm2020000445musaib
 
如何办理普利茅斯大学毕业证(本硕)Plymouth学位证书
如何办理普利茅斯大学毕业证(本硕)Plymouth学位证书如何办理普利茅斯大学毕业证(本硕)Plymouth学位证书
如何办理普利茅斯大学毕业证(本硕)Plymouth学位证书Fir L
 
Andrea Hill Featured in Canadian Lawyer as SkyLaw Recognized as a Top Boutique
Andrea Hill Featured in Canadian Lawyer as SkyLaw Recognized as a Top BoutiqueAndrea Hill Featured in Canadian Lawyer as SkyLaw Recognized as a Top Boutique
Andrea Hill Featured in Canadian Lawyer as SkyLaw Recognized as a Top BoutiqueSkyLaw Professional Corporation
 
如何办理(UoM毕业证书)曼彻斯特大学毕业证学位证书
如何办理(UoM毕业证书)曼彻斯特大学毕业证学位证书如何办理(UoM毕业证书)曼彻斯特大学毕业证学位证书
如何办理(UoM毕业证书)曼彻斯特大学毕业证学位证书srst S
 
如何办理美国加州大学欧文分校毕业证(本硕)UCI学位证书
如何办理美国加州大学欧文分校毕业证(本硕)UCI学位证书如何办理美国加州大学欧文分校毕业证(本硕)UCI学位证书
如何办理美国加州大学欧文分校毕业证(本硕)UCI学位证书Fir L
 

Recently uploaded (20)

Transferable and Non-Transferable Property.pptx
Transferable and Non-Transferable Property.pptxTransferable and Non-Transferable Property.pptx
Transferable and Non-Transferable Property.pptx
 
如何办理(Lincoln文凭证书)林肯大学毕业证学位证书
如何办理(Lincoln文凭证书)林肯大学毕业证学位证书如何办理(Lincoln文凭证书)林肯大学毕业证学位证书
如何办理(Lincoln文凭证书)林肯大学毕业证学位证书
 
Russian Call Girls Rohini Sector 6 💓 Delhi 9999965857 @Sabina Modi VVIP MODEL...
Russian Call Girls Rohini Sector 6 💓 Delhi 9999965857 @Sabina Modi VVIP MODEL...Russian Call Girls Rohini Sector 6 💓 Delhi 9999965857 @Sabina Modi VVIP MODEL...
Russian Call Girls Rohini Sector 6 💓 Delhi 9999965857 @Sabina Modi VVIP MODEL...
 
如何办理(USF文凭证书)美国旧金山大学毕业证学位证书
如何办理(USF文凭证书)美国旧金山大学毕业证学位证书如何办理(USF文凭证书)美国旧金山大学毕业证学位证书
如何办理(USF文凭证书)美国旧金山大学毕业证学位证书
 
如何办理(SFSta文凭证书)美国旧金山州立大学毕业证学位证书
如何办理(SFSta文凭证书)美国旧金山州立大学毕业证学位证书如何办理(SFSta文凭证书)美国旧金山州立大学毕业证学位证书
如何办理(SFSta文凭证书)美国旧金山州立大学毕业证学位证书
 
如何办理佛蒙特大学毕业证学位证书
如何办理佛蒙特大学毕业证学位证书 如何办理佛蒙特大学毕业证学位证书
如何办理佛蒙特大学毕业证学位证书
 
Old Income Tax Regime Vs New Income Tax Regime
Old Income Tax Regime Vs New Income Tax RegimeOld Income Tax Regime Vs New Income Tax Regime
Old Income Tax Regime Vs New Income Tax Regime
 
Vip Call Girls Greater Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Greater Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS LiveVip Call Girls Greater Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Greater Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
 
The Active Management Value Ratio: The New Science of Benchmarking Investment...
The Active Management Value Ratio: The New Science of Benchmarking Investment...The Active Management Value Ratio: The New Science of Benchmarking Investment...
The Active Management Value Ratio: The New Science of Benchmarking Investment...
 
如何办理新西兰奥克兰商学院毕业证(本硕)AIS学位证书
如何办理新西兰奥克兰商学院毕业证(本硕)AIS学位证书如何办理新西兰奥克兰商学院毕业证(本硕)AIS学位证书
如何办理新西兰奥克兰商学院毕业证(本硕)AIS学位证书
 
如何办理密德萨斯大学毕业证(本硕)Middlesex学位证书
如何办理密德萨斯大学毕业证(本硕)Middlesex学位证书如何办理密德萨斯大学毕业证(本硕)Middlesex学位证书
如何办理密德萨斯大学毕业证(本硕)Middlesex学位证书
 
Why Every Business Should Invest in a Social Media Fraud Analyst.pdf
Why Every Business Should Invest in a Social Media Fraud Analyst.pdfWhy Every Business Should Invest in a Social Media Fraud Analyst.pdf
Why Every Business Should Invest in a Social Media Fraud Analyst.pdf
 
Indemnity Guarantee Section 124 125 and 126
Indemnity Guarantee Section 124 125 and 126Indemnity Guarantee Section 124 125 and 126
Indemnity Guarantee Section 124 125 and 126
 
如何办理(MSU文凭证书)密歇根州立大学毕业证学位证书
如何办理(MSU文凭证书)密歇根州立大学毕业证学位证书 如何办理(MSU文凭证书)密歇根州立大学毕业证学位证书
如何办理(MSU文凭证书)密歇根州立大学毕业证学位证书
 
Offences against property (TRESPASS, BREAKING
Offences against property (TRESPASS, BREAKINGOffences against property (TRESPASS, BREAKING
Offences against property (TRESPASS, BREAKING
 
Essentials of a Valid Transfer.pptxmmmmmm
Essentials of a Valid Transfer.pptxmmmmmmEssentials of a Valid Transfer.pptxmmmmmm
Essentials of a Valid Transfer.pptxmmmmmm
 
如何办理普利茅斯大学毕业证(本硕)Plymouth学位证书
如何办理普利茅斯大学毕业证(本硕)Plymouth学位证书如何办理普利茅斯大学毕业证(本硕)Plymouth学位证书
如何办理普利茅斯大学毕业证(本硕)Plymouth学位证书
 
Andrea Hill Featured in Canadian Lawyer as SkyLaw Recognized as a Top Boutique
Andrea Hill Featured in Canadian Lawyer as SkyLaw Recognized as a Top BoutiqueAndrea Hill Featured in Canadian Lawyer as SkyLaw Recognized as a Top Boutique
Andrea Hill Featured in Canadian Lawyer as SkyLaw Recognized as a Top Boutique
 
如何办理(UoM毕业证书)曼彻斯特大学毕业证学位证书
如何办理(UoM毕业证书)曼彻斯特大学毕业证学位证书如何办理(UoM毕业证书)曼彻斯特大学毕业证学位证书
如何办理(UoM毕业证书)曼彻斯特大学毕业证学位证书
 
如何办理美国加州大学欧文分校毕业证(本硕)UCI学位证书
如何办理美国加州大学欧文分校毕业证(本硕)UCI学位证书如何办理美国加州大学欧文分校毕业证(本硕)UCI学位证书
如何办理美国加州大学欧文分校毕业证(本硕)UCI学位证书
 

Data Privacy - Security of Personal Information

  • 1. Security of Personal Information Basics of Philippine Data Privacy Law for Non-Lawyers
  • 2. Standards The law sets for a minimum standard for Security of Personal Information. Data Privacy Law requires Personal Information Controllers (PIC) to implement measures that are: reasonable and appropriate. These two-fold standards are the test by which the security of personal information shall be adjudged. Since what is “reasonable” and “appropriate” are not specific, it is expected that implementation will vary from one industry to another. Supreme Court decisions (i.e. jurisprudence) will set the precedence as to what would constitute reasonable and appropriate as the law develops. Reference: Section 20 (a) and (b), R.A. 10173
  • 3. Standards Coverage: 1) Personal Information Controllers (PIC); 2) PIC-engaged Contractors (or 3rd Parties). The standards for Security of Personal Information apply to the them. Reference: Section 20 (a) and (b), R.A. 10173
  • 4. Organizational, Physical, Technical The personal information controller must implement reasonable and appropriate organizational, physical and technical measures intended for the protection of personal information against any accidental or unlawful destruction, alteration and disclosure, as well as against any other unlawful processing. Measures to be implemented have to be: 1) Organizational – PIC as an organization or a company should have systems, processes, and practice in place for Data Privacy compliance. 2) Physical – A PIC should have physical technological, device, or equipment that can enforce protection for personal information. 3) Technical – A PIC should have technical knowledge on personal data protection. Reference: Section 20 (a), R.A. 10173
  • 5. Standards: Security of Personal Info The personal information controller shall implement reasonable and appropriate measures to protect personal information against natural dangers such as accidental loss or destruction, and human dangers such as unlawful access, fraudulent misuse, unlawful destruction, alteration and contamination. 2 Kinds of Dangers: (1) Natural Dangers, and (2) Human Dangers Natural Dangers, by definition, are those that are non-human related such as force majeure as in fires, typhoons, calamities, and analogous thereto. Human Dangers are those that are man-made such as hacking, cybercrime, unlawful access, fraudulent misuse, and analogous thereto. Reference: Section 20 (b), R.A. 10173
  • 6. Standards: Security of Personal Info The determination of the appropriate level of security under this section must take into account the nature of the personal information to be protected, the risks represented by the processing, the size of the organization and complexity of its operations, current data privacy best practices and the cost of security implementation. When designing a security measure, the above factors should be considered as a matter of compliance with the Data Privacy Law. Non-compliance of the above factors may result in liabilities. Reference: Section 20 (c), R.A. 10173
  • 7. Standards: Security of Personal Info … Subject to guidelines as the Commission may issue from time to time, the measures implemented must include: (1) Safeguards to protect its computer network against accidental, unlawful or unauthorized usage or interference with or hindering of their functioning or availability; (2) A security policy with respect to the processing of personal information; (3) A process for identifying and accessing reasonably foreseeable vulnerabilities in its computer networks, and for taking preventive, corrective and mitigating action against security incidents that can lead to a security breach; and (4) Regular monitoring for security breaches and a process for taking preventive, corrective and mitigating action against security incidents that can lead to a security breach. The security measures should thus be as comprehensive as possible. Reference: Section 20 (c), R.A. 10173
  • 8. Security Measures: 3rd Parties by PIC The personal information controller must further ensure that third parties processing personal information on its behalf shall implement the security measures required by this provision. If PIC contracts out processing of personal information, the PIC is required to ensure that the engaged Contractor (or 3rd party) shall comply with the security measures required by the Data Privacy Law. The PIC may be held liable for non-compliance of the contractor. Reference: Section 20 (d), R.A. 10173
  • 9. Strict Confidentiality for PIC Personnel The employees, agents or representatives of a personal information controller who are involved in the processing of personal information shall operate and hold personal information under strict confidentiality if the personal information are not intended for public disclosure. This obligation shall continue even after leaving the public service, transfer to another position or upon termination of employment or contractual relations. The obligation survives (or continues) despite: lateral transfer, leaving employment, or after contractual relations. Coverage: (1) PIC Employees; (2) PIC Agents; and (3) PIC Representatives. Reference: Section 20 (e), R.A. 10173
  • 10. Notification Requirement The personal information controller shall promptly notify the Commission and affected data subjects when sensitive personal information or other information that may, under the circumstances, be used to enable identity fraud are reasonably believed to have been acquired by an unauthorized person, and the personal information controller or the Commission believes that such unauthorized acquisition is likely to give rise to a real risk of serious harm to any affected data subject. The notification shall at least describe the nature of the breach, the sensitive personal information possibly involved, and the measures taken by the entity to address the breach… Prompt notice is required on the PIC who shall give such to the NPC and the affected Data Subjects. For: Sensitive Personal Information or Identity-Fraud Enabler Information Reference: Section 20 (f), R.A. 10173
  • 11. Notification Requirement … Notification may be delayed only to the extent necessary to determine the scope of the breach, to prevent further disclosures, or to restore reasonable integrity to the information and communications system. General Rule: Prompt Notification to the NPC and the Data Subject When notice may be delayed: 1) To the extent necessary to determine the scope of the breach; 2) To prevent further disclosures; and 3) To restore reasonable integrity to the information and communications system. Reference: Section 20 (f), R.A. 10173
  • 12. Notification Requirement When notification may be exempted or postponed: (1) In evaluating if notification is unwarranted, the Commission may take into account compliance by the personal information controller with this section and existence of good faith in the acquisition of personal information. (2) The Commission may exempt a personal information controller from notification where, in its reasonable judgment, such notification would not be in the public interest or in the interests of the affected data subjects. (3) The Commission may authorize postponement of notification where it may hinder the progress of a criminal investigation related to a serious breach. Reference: Section 20 (f), R.A. 10173
  • 13. Summary 1) Security of Personal Information is mandated of Personal Information Controller and their engaged Contractors (or 3rd Parties). 2) The standards for protection measures are two-fold: reasonable and appropriate. 3) Measures should be organizational, physical, and technical. 4) Strict confidentiality is required to be observed by: PIC Employees, PIC Agents, and PIC Representatives. 5) Notification requirement is mandated upon compromise of sensitive personal information and identity-fraud enabler information.
  • 14. Security of Personal Information Basics of Philippine Data Privacy Law for Non-Lawyers Atty. Jericho B. Del Puerto SME Business Lawyer For inquiries, comment, or permission to use slides, send us an email : info@jdpconsulting.ph.