Data Privacy & Protection: Technical Learning Session
Knowledge Education Conference (KEC13)
April 17-18, 2018
Sison Auditorium, Lingayen, Pangasinan
Housekeeping
• About me
• What’s in this lecture
• Gadgets and other devices
About me
Francis Euston R. Acero
Chief, Complaints and Investigations Division
complaints@privacy.gov.ph
Member, Integrated Bar of the Philippines
Certified Penetration Testing Engineer
Certified Digital Forensics Examiner
Gadgets and other devices
• Just in case you don’t get a copy, mail us at info@privacy.gov.ph for one!
• No need to capture with phones
• Be careful of what you post on Facebook
• Feel free to ask questions at ANY time during the presentation
In this lecture
The law on data privacy and protection
Personal information and sensitive personal information
Data privacy principles
Conducting a Privacy Impact Assessment
Consent and the conditions for processing data
Key components of a Privacy Management Program
Protecting your own personal data
The law on data privacy
• The need to protect data privacy
• The Data Privacy Act and its Implementing Rules
• Concepts and Definitions
“The world’s most valuable
commodity is data.”
The Economist, 6 May
2017
Using data
“Like oil, those who see its
value and learn to extract
and use it will reap
rewards.”
Joris Toonders,
founder of Yonego
(Internet Marketing
Service)
writing for Wired, July 2014
Data processing (the data life cycle): collection, storage, use, sharing, archiving, deletion
Data privacy laws
•Also known as data
protection (EU) and
information privacy (US)
•Ensure the free flow of
information by:
• Building trust between the
personal information
controller and the data subject
• Ensuring that data is secure
and used only for stated
purposes
The Data Privacy Act
Data subject
An individual whose information is
processed.
The definition does not include
juridical persons.
• FCC v. AT&T, 562 U.S. 397 (2011)
• Juridical persons cannot experience
physical suffering or such sentiments
as wounded feelings, serious anxiety,
mental anguish or moral shock.
People v. Manero, Jr., 218 SCRA 85, 96-97 (1993).
Personal information
Any information:
• from which the identity of an
individual is apparent or can
be reasonably and directly
ascertained by the entity
holding the information;
• or when put together with
other information would
directly and certainly identify
an individual.
Sensitive personal
information
•Information about an
individual’s race, ethnic
origin, marital status, age,
color, and religious,
philosophical or political
affiliations
•Information about an
individual’s health,
education, genetic or sexual
life of a person, or to any
proceeding for any offense,
the disposal of such
proceedings, or the
sentence of any court in
such proceedings;
Sensitive personal
information
•Issued by government
agencies peculiar to an
individual which includes,
but not limited to, social
security numbers, previous
or current health records,
licenses or its denials,
suspension or revocation,
and tax returns
•Specifically established by an
executive order or an act of
Congress to be kept
classified
Data Privacy Principles
• Once you understand these core principles of data protection, the text of the law follows
Transparency
Legitimate Purpose
Proportionality
Transparency
• The data subject must know
• The kind of personal data collected
• How the personal data will be
collected
• Why personal data will be
collected
• The data processing policies of
the PIC must be known to the
data subject
• The information to be provided
to the data subject must be in
clear and plain language
Legitimate Purpose
• Data must be collected only for the specific, explicit,
and legitimate purposes of the PIC.
• No processing of data that is not
compatible with the purpose for
which the data was collected.
• The processing of data must respect
the law of the applicable jurisdiction,
in accordance with the International
Bill of Rights.
• Any processing of data that gives rise
to unlawful or arbitrary
discrimination is unfair.
Proportionality
• The processing of personal
data should be limited to
such processing as is
adequate, relevant, and not
excessive in relation to the
purpose of the data
processing.
• Efforts should be made to
limit the processed data to
the minimum necessary.
Consent
Where the data subject agrees to the collection and processing
of his personal data.
The agreement must inform:
(a) purpose, nature, and extent of processing;
(b) period of consent/instruction; and
(c) rights as a data subject.
Processing Personal Information
(a) The data subject has given his or
her consent;
(b) The processing of personal
information is necessary and is
related to the fulfillment of a
contract with the data subject or in
order to take steps at the request of
the data subject prior to entering
into a contract;
(c) The processing is necessary for
compliance with a legal obligation to
which the personal information
controller is subject;
Processing Personal Information
(d) The processing is necessary to
protect vitally important interests
of the data subject, including life
and health;
(e) The processing is necessary in
order to respond to national
emergency, to comply with the
requirements of public order and
safety, or to fulfill functions of
public authority which necessarily
includes the processing of personal
data for the fulfillment of its
mandate; or
Processing Personal Information
(f) The processing is necessary
for the purposes of the
legitimate interests pursued by
the personal information
controller or by a third party or
parties to whom the data is
disclosed, except where such
interests are overridden by
fundamental rights and
freedoms of the data subject
which require protection under
the Philippine Constitution.
Processing Sensitive Information
(a) The data subject has given
his or her consent, specific to
the purpose prior to the
processing, or in the case of
privileged information, all
parties to the exchange have
given their consent prior to
processing;
(b) The processing of the same is
provided for by existing laws and
regulations:
• Provided, That such regulatory
enactments guarantee the
protection of the sensitive personal
information and the privileged
information:
• Provided, further, That the consent
of the data subjects is not
required by law or regulation
permitting the processing of the
sensitive personal information or
the privileged information;
Processing Sensitive Information
(c) The processing is
necessary to protect the life
and health of the data subject
or another person, and the
data subject is not legally or
physically able to express his
or her consent prior to the
processing;
(d) The processing is necessary to
achieve the lawful and
noncommercial objectives of public
organizations and their associations:
• Provided, That such processing is only
confined and related to the bona fide
members of these organizations or
their associations:
• Provided, further, That the sensitive
personal information are not
transferred to third parties:
• Provided, finally, That consent of the
data subject was obtained prior to
processing;
Processing Sensitive Information
(e) The processing is
necessary for purposes of
medical treatment, is carried
out by a medical practitioner
or a medical treatment
institution, and an adequate
level of protection of personal
information is ensured; or
(f) The processing concerns
such personal information as
is necessary for the protection
of lawful rights and interests of
natural or legal persons in
court proceedings, or the
establishment, exercise or
defense of legal claims, or
when provided to government
or public authority.
Rights of Data Subjects
• Right to be Informed
• Right to Object
• Right to Access
• Right to Correct/Rectify
• Right to Block/Remove
• Right to Data Portability
• Right to File a Complaint
• Right to be Indemnified
1. Commit to Comply: APPOINT A DATA PROTECTION OFFICER
2. Know Your Risks: CONDUCT A PRIVACY IMPACT ASSESSMENT
3. Write Your Plan: CREATE A PRIVACY MANAGEMENT PROGRAM
4. Be Accountable: IMPLEMENT YOUR PRIVACY AND DATA PROTECTION MEASURES
5. Be Prepared for Breach: REGULARLY EXERCISE YOUR BREACH REPORTING PROCEDURE
This is what it is, okay? I
said, “Empty your mind.” Be
formless, shapeless. Like
water. Now, you put water
into a cup, it becomes the
cup. You put water into a
bottle, it becomes the
bottle. You put it in a
teapot, it becomes the
teapot. Now, water can flow
or it can crash.
Be water, my friend.
-Bruce Lee
The Privacy Impact Assessment
•Foundation for Effective Privacy Management
Privacy Impact Assessment
•Tool to help understand data life cycles within an
organization
•Identifies attendant risks in data processing
•Proposes measures to control risks through a structured
framework
Key Considerations
•One PIA for every data
processing activity
•When applicable, done
before implementation of
the processing activity
•The output report can be
used to evaluate readiness
•May cover one processing
activity between controllers
and processors
Skip the PIA step only if:
There are minimal risks to the rights and freedoms of data
subjects
DPO recommendation to forego PIA exists
Objectives
Identify, evaluate, and manage risks in data processing
Documentation for processing activities, as integral part of
privacy management program
Determines state of compliance with standards
Establish control framework
Objectives
The final report must
contain:
•Stakeholder involvement
•Measures for risk
management
• Process through which the
report will be
communicated to
stakeholders
Responsibility
Should be in controller or processor’s data privacy and
protection policies
• Triggers for activation
• Key personnel involved
• Resource allocation
• Review process
DPO should understand when to conduct a PIA
• Extent of participation to be determined
Stakeholder Involvement
Modes of involvement
•Direct participation
•Public forum roundtables
•Focus group discussions
•Surveys and feedback
forms
Stages of involvement
•Entire process
•Specific parts of the
process
•Participation in review
Distribution
Form and Structure
ISO/IEC 29134
Criteria for evaluating
methodology
• Systematic description of data flow
and processing activities
• Includes assessment of adherence to
principles, security measures, and
rights exercise mechanisms
• Identifies and evaluates risks to data
subjects
• Inclusive process
Risk evaluation
•Considers natural and
human dangers
• Considers the likelihood and
impact of adverse
events
•Includes countermeasures
to mitigate or alleviate risk
Description of data flows
Purpose of the processing
Data inventory
Sources of personal data
Collection procedure
Functional description of data
processing
• List of information repositories
• Graphic representation of
physical location
Data transfers
Storage and disposal method
Accountable persons
Existing organizational,
technical, and physical
security
Planning
Commit to the process!
•Decide on the need for a
PIA
•Assign a person
responsible
•Provide resources
•Issue clear directive for
conduct
Identify the subject
process and key persons
Plan for
•Integrating results
•Communicating with
stakeholders
Key Persons
•Process owners
•Participants
•Persons in charge
•Signatories to report
•Secretariat (if necessary)
•Internal or external
stakeholders
Preparation
•Conduct a data inventory
• Understand and document
each stage of the data life cycle
•Determine inclusions in
baseline information
• Existing policies and security
measures
• Coordinate with department
heads
•Stakeholders may be
involved
• If processing the personal data of
more than 1,000 individuals, ISO/IEC 27002 and
ISO/IEC 29151 are
recommended
Preparation
•Establish schedules and
timelines
• Completion of preparatory
activities
• Conduct of the PIA
• Reporting and publication of
results
•Obtain approval of resource
and budget allocations
•Set time for participants
•Set methods for stakeholder
involvement
•Define documentation and
review process
•Prepare any additional
documents
The Assessment
Collect and complete baseline
information
Evaluate processing activities
against the legal obligations
of the entity
Evaluate processing activities
against the control
framework
• Adheres to data privacy
principles
• Implementation of security
measures
• Procedure for exercise of
rights
• Consider privacy and data
protection measures
Baseline information
Records of processing
activities
Personal data inventory
Personal data flows
Purpose and legal basis for
the processing activity
Data sharing agreements
Persons responsible
Information repositories and
technology products used
Sources and recipients of
personal data
Persons with access to
personal data
Existing policies and
security measures
The Assessment
Evaluate for gaps to
determine risks involved,
including threats and
vulnerabilities of systems
Evaluate likelihood of risks
• Amount and nature of personal
data involved
• Impact of possible harm
A gap exists when:
• There is a violation of a data
privacy principle
• Measures are inadequate to
safeguard confidentiality,
integrity, or availability of
personal data
• There are undue restrictions
on the exercise of data subject
rights
The Assessment
Propose measures to address
identified risks
Measures may mitigate,
accept, avoid, or transfer risk.
Take into account:
• Likelihood and impact of a
breach or privacy violation
• Available resources to address
risks
• Current best practices
• Industry or sector standards
Measures to address risk include:
Risks and strategies for risk
management
Implementing activities
Controlling mechanisms to
monitor, review, and support
implementation
Time frame, completion, and
schedules
Responsible and accountable
persons
Resource allocation
The Assessment
Document stakeholder
participation
Review and assess results
before finalizing and
approving the PIA
Should include proposed
measures that serve as basis
for implementing changes
Communicate results!
The Assessment
Recipients
•Management
•Internal stakeholders
•External stakeholders
Redactions
Results may be redacted to
reduce legal or security
exposure
Documentation and Review
Results must be reduced to a written report
Entity must maintain a record of PIA reports
Reports must be made available to data subjects on request
Evaluate on an annual basis
Accountability
Demonstration of compliance with Philippine data privacy
and protection laws
Considered in evaluating if the entity exercised due diligence
Provide a copy of the system to the NPC on demand
Protecting personal data
•Technical Provisions in NPC Circular No. 16-01
Storage
• Personal data must be stored in a data center
• If digitally processed, it must be
encrypted with at least AES-256
• Passwords used to access personal data
must be strong enough to deter
guessing and cracking attacks
• Access to all data centers must be
restricted to those with
appropriate security clearance
• The data center may be audited by the NPC,
or independently verified or certified
Agency Access to Personal Data
•Only programs developed or
licensed by a government
agency may access or
modify databases containing
personal data under that
agency’s control
•Access must be strictly
regulated
Agency Access to Personal Data
•Each user must sign an
agreement explaining an
updated acceptable use
policy
•Must use multi-factor
authentication for online
access
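The circular requires multi-factor authentication for online access but does not prescribe a mechanism. The program below is an added example, not the presenter's or the NPC's code: it implements one common second factor, time-based one-time passwords (RFC 6238 TOTP over RFC 4226 HOTP, HMAC-SHA1, 30-second steps), using only the Go standard library. The shared secret shown is the RFC test key and is assumed for illustration; the `Verifier` type and its one-step skew window are design choices of this example. Two details matter on the verifying side and are easy to get wrong: the comparison is constant-time, and each time step is consumed on success so a code captured in transit cannot be replayed inside its window.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"time"
)

const (
	totpStep   = 30 // seconds per time step, the RFC 6238 default
	totpDigits = 6  // digits shown by common authenticator apps
)

// hotp implements RFC 4226 HOTP with HMAC-SHA1 and dynamic truncation.
func hotp(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf(fmt.Sprintf("%%0%dd", digits), code%mod)
}

// TOTPAt returns the RFC 6238 code for the given Unix time. The enrolling device
// computes the same thing; tests check it against the RFC test vectors.
func TOTPAt(secret []byte, unix int64, digits int) string {
	return hotp(secret, uint64(unix/totpStep), digits)
}

// Verifier holds one user's shared secret and the last time step it accepted.
// Tracking lastStep makes each code single-use: replaying a sniffed code within
// its 30-second window is refused.
type Verifier struct {
	secret   []byte
	lastStep int64
}

func NewVerifier(secret []byte) *Verifier {
	return &Verifier{secret: secret, lastStep: -1}
}

// Verify accepts the code for the current step or one step either side (clock
// skew), compares in constant time, and consumes the step on success.
func (v *Verifier) Verify(code string, now int64) bool {
	step := now / totpStep
	for _, delta := range []int64{0, -1, 1} {
		s := step + delta
		if s <= v.lastStep {
			continue // already used, or older than a step already used
		}
		want := hotp(v.secret, uint64(s), totpDigits)
		if subtle.ConstantTimeCompare([]byte(want), []byte(code)) == 1 {
			v.lastStep = s
			return true
		}
	}
	return false
}

func main() {
	// Constructed secret (the RFC 6238 test key). Real secrets are random, per
	// user, and stored encrypted at rest like any other credential.
	secret := []byte("12345678901234567890")
	now := time.Now().Unix()
	code := TOTPAt(secret, now, totpDigits)
	v := NewVerifier(secret)
	fmt.Println("first use accepted:", v.Verify(code, now))
	fmt.Println("replay accepted:   ", v.Verify(code, now))
}
```

In a real deployment `lastStep` lives in the user's record, not in memory, so the replay check survives restarts and holds across multiple front-end servers; the skew window should also be logged, since a client that is consistently one step behind is a clock problem worth fixing rather than tolerating.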
Agency Access to Personal Data
• Only known devices, properly
configured for security, can access
personal data. Only authorized media
may be used on computer equipment.
• Mobile devices owned by the agency
must be equipped with remote
disconnection or deletion technologies.
• Paper-based data systems must keep
logs showing when a file was last accessed,
where, and by whom.
Transfer of Personal Data
•If done by e-mail, must
ensure that data is
encrypted, or use a secure e-
mail facility that facilitates
the encryption of all data,
including any attachments.
•Send passwords on a
separate e-mail.
Transfer of Personal Data
•Scan outgoing emails for
attachments and keywords
that indicate personal data,
and prevent transmission
• Controls must be in place to
prevent personal data from being
printed, or copied into word
processors and spreadsheets,
where those lack security or
access controls.
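The circular describes the control (scan outgoing mail for attachments and keywords that indicate personal data, and stop the transmission) without saying how a gateway decides. The Go program below is an added example for this page, not the NPC's or the presenter's code, of the screening step such a gateway would run. The identifier patterns are assumptions (an SSS number written as 2-7-1 digits, a TIN as 3-3-3 digits with an optional branch code), the keyword list is a starting point drawn from the Act's categories of sensitive personal information, and the `OutgoingMail` and `Attachment` types are hypothetical. Two cases a practitioner wants handled are included: text attachments are scanned like the body, and bulk formats the gateway cannot inspect (spreadsheets, archives) are refused rather than waved through.

```go
package main

import (
	"fmt"
	"path"
	"regexp"
	"strings"
)

// Attachment carries the attachment name and, where the gateway could extract
// it, its text. Content is empty for formats the gateway cannot parse.
type Attachment struct {
	Name    string
	Content string
}

// OutgoingMail is the hypothetical message shape handed to the gateway.
type OutgoingMail struct {
	To, Subject, Body string
	Attachments       []Attachment
}

// Finding records what matched and where, for the bounce message and the audit log.
type Finding struct {
	Where, Rule, Match string
}

type idPattern struct {
	name string
	re   *regexp.Regexp
}

// Identifier formats are assumed for illustration; tune them to the
// identifiers listed in your own data inventory.
var idPatterns = []idPattern{
	{"sss-number", regexp.MustCompile(`\b\d{2}-\d{7}-\d\b`)},
	{"tin", regexp.MustCompile(`\b\d{3}-\d{3}-\d{3}(?:-\d{3})?\b`)},
}

// Keywords that signal sensitive personal information as the Act defines it.
var keywords = []string{"tax return", "medical record", "diagnosis", "date of birth", "religion", "criminal case"}

// Bulk formats that typically carry whole tables of personal data and cannot
// be inspected here, so they are refused outright.
var bulkExts = map[string]bool{".xls": true, ".xlsx": true, ".csv": true, ".doc": true, ".docx": true, ".zip": true}

func scanText(where, text string) []Finding {
	var out []Finding
	lower := strings.ToLower(text)
	for _, kw := range keywords {
		if strings.Contains(lower, kw) {
			out = append(out, Finding{Where: where, Rule: "keyword", Match: kw})
		}
	}
	for _, p := range idPatterns {
		for _, m := range p.re.FindAllString(text, -1) {
			out = append(out, Finding{Where: where, Rule: p.name, Match: m})
		}
	}
	return out
}

// Screen returns true when the message may leave as plain e-mail. Any finding
// means the gateway refuses it and tells the sender to use the encrypted channel.
func Screen(m OutgoingMail) (bool, []Finding) {
	findings := scanText("subject", m.Subject)
	findings = append(findings, scanText("body", m.Body)...)
	for _, a := range m.Attachments {
		where := "attachment:" + a.Name
		switch {
		case a.Content != "":
			findings = append(findings, scanText(where, a.Content)...)
		case bulkExts[strings.ToLower(path.Ext(a.Name))]:
			findings = append(findings, Finding{Where: where, Rule: "uninspected-bulk-format", Match: path.Ext(a.Name)})
		}
	}
	return len(findings) == 0, findings
}

func main() {
	// Constructed messages; the identifier below is a made-up value in the assumed SSS format.
	msgs := []OutgoingMail{
		{To: "colleague@example.gov.ph", Subject: "Lunch", Body: "See you at noon."},
		{To: "vendor@example.com", Subject: "re: clearance", Body: "SSS no. 12-3456789-0 as requested."},
		{To: "vendor@example.com", Subject: "payroll", Body: "attached", Attachments: []Attachment{{Name: "payroll.xlsx"}}},
	}
	for _, m := range msgs {
		ok, findings := Screen(m)
		fmt.Printf("%-16q allow=%v findings=%v\n", m.Subject, ok, findings)
	}
}
```

Pattern and keyword scanning catches the careless case, not the determined one; an encrypted archive passes every regex, which is why the example refuses formats it cannot read rather than assuming they are clean, and why the circular pairs this control with the encrypted-channel requirement on the previous slide.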
Transfer of Personal Data
• Data stored in portable
media, like discs or USB
storage, must be encrypted
• Laptops must utilize full disk
encryption
• Manual transfer of personal
data is prohibited where
possible; where it cannot be
avoided, authentication
technology must be in place.
Transfer of Personal Data
•NO FAX TRANSMISSIONS
•Use registered mail or,
where appropriate,
guaranteed parcel post
service.
•Safeguards apply to internal
transfers!
Disposal of Personal Data
• Comply with National Archives of
the Philippines Act (RA 9470) if
archiving records
• Procedures must be established
over
• Disposal of files that contain
personal data, regardless of storage
medium
• Disposal of computer equipment at
end-of-life, including storage media.
Includes the use of degaussers,
erasers, physical destruction devices
• Offsite disposal
End.
https://privacy.gov.ph
facebook.com/privacy.gov.ph
twitter.com/PrivacyPH