Employers’ compliance with security measures under the IRR of the Data Privacy Act of 2012
With the promulgation of the Implementing Rules and Regulations (IRR) of the Data Privacy Act, employers should be aware of their obligations under the IRR and comply with them within one (1) year from the effectivity of the IRR.
Republic Act No. 10173, also known as the Data Privacy Act, was enacted on Aug. 15, 2012. Subsequently, the National Privacy Commission promulgated the Implementing Rules and Regulations (IRR) on Aug. 24, 2016 to take effect fifteen (15) days after publication in the Official Gazette. The IRR requires personal information controllers and personal information processors to implement reasonable and appropriate organizational, physical, and technical security measures for the protection of personal data.
A “personal information controller” refers to a natural or juridical person, or any other body who controls the processing of personal data, or instructs another to process personal data on its behalf. On the other hand, a “personal information processor” refers to any natural or juridical person or any other body to whom a personal information controller may outsource or instruct the processing of personal data pertaining to a data subject.
Under the IRR, personal data pertain to any personal information from which the identity of the individual is readily apparent. Personal information is said to be sensitive when it is about an individual’s race, ethnic origin, marital status, age, color, health, education, genetic or sexual life, social security number, or tax returns, among others.
For an employer, it is necessary to collect and update the personal information, especially the sensitive personal information, of its employees in relation to human resources management. From the application of prospective employees until their severance from employment, employers collect and update personal information to process employee benefits, payment of salaries, filing of tax returns, remittance of contributions to the Social Security, Home Development Mutual Fund (Pag-IBIG), and National Health Insurance (PHILHEALTH), etc.
Such collection and updating of personal information is within the scope of “processing,” which is defined by the IRR as any operation performed upon personal data. Hence, employers are personal information controllers. Consequently, employers are mandated to comply with the applicable guidelines on the adoption of organizational, physical, and technical security measures as required under the IRR.
For organizational security measures, employers must (1) have compliance officers; (2) adopt and implement data protection policies; (3) maintain records of processing activities; (4) be responsible for selecting and supervising employees who will have access to personal data; (5) develop, implement and review procedures for processing personal data; and (6) for outsourced data processing, ensure that contracts with personal information processors comply with the Data Privacy Act and its IRR.
With regard to physical security measures, the IRR requires employers to adopt policies and procedures on monitoring and restricting access to workstations, including guidelines on the proper use of and access to electronic media. Employers must also design their work space in such a way that affords privacy to individuals processing personal data. In addition, employers must clearly define the duties, responsibilities, and schedules of such individuals. Furthermore, policies and procedures on preventing the physical destruction of files and equipment must be established.
As to technical security measures, employers should (1) adopt a security policy with respect to the processing of personal data; (2) establish safeguards that will protect the computer network against any act that will affect data integrity and the functioning of the system; (3) ensure and maintain the confidentiality, integrity, availability, and resilience of the processing systems and services; (4) monitor and adopt procedures in cases of security breach; (5) have the ability to timely restore the availability of and access to personal data in the event of a physical or technical incident; (6) regularly assess the effectivity of the security measures; and (7) encrypt personal data and adopt other technical security measures that control and limit access.
In addition to the abovementioned security measures, the IRR requires registration of personal data processing systems, which refer to the procedures by which personal data are collected and further processed in an information system, for employers with at least two hundred fifty (250) employees, or if there is risk to the rights and freedoms of data subjects, or the processing is not occasional, or the processing includes sensitive personal information of at least one thousand (1,000) individuals.
The Data Privacy Act mandates industries, businesses and offices to comply with the requirements within one (1) year from the effectivity of the IRR. If personal information controllers or personal information processors are unable to comply within the one (1) year period, they may apply for an extension with the National Privacy Commission.
This article is for general informational and educational purposes only and not offered as and does not constitute legal advice or legal opinion.