Implementing Privacy and Data Protection Measures
Moving on with our series on the National Privacy Commission’s “limang utos”—a distillation of the government’s data privacy and security imperatives into clear and accessible language—we now talk about the fourth imperative: Implementing privacy and data protection measures, by going through every item in a Data Privacy Accountability Framework.
As I have often said, we are not after perfunctory applications of our guidelines. Measures laid out in a data handling organization’s privacy and data protection policies should not remain in the realm of theory; they must continuously be assessed, reviewed, and revised as necessary, and training of essential staff as regards these policies must be conducted regularly.
As such, to refine and give even more clarity to it, we have articulated the particular steps that have to be taken under the fourth imperative. We refer to this as the 10-point Data Privacy Accountability Framework:
• Data Privacy Governance. This primarily consists of choosing a Data Protection Officer.
• Knowing your risks and establishing a baseline. This is done by conducting a Privacy Impact Assessment and registering the organization's data processing systems with the NPC.
• Organization. A data handling entity should be able to craft its internal privacy rules and prepare its control framework.
• Nurturing information protection throughout the information life cycle and day-to-day operations. Organizations should provide a privacy notice whenever they collect data; know and respect the rights of data subjects; do everything within reason to protect those rights while the data is in their possession; and have a proper means of disposing of information to complete the data life cycle.
• Management. This means regular training of staff in proper data handling and in the disposal of data.
• Data security. Data handlers must have appropriate security for the data centers that serve as repositories of the information they collect. Data must be encrypted, an access policy should clearly state which people have access to the data, and safeguards must be in place during data transfer.
• For third parties who handle data: compliance, agreements, due diligence, notifications, and their own access policy must be clearly defined.
• In case of breaches: a process of assessment, monitoring, a steady team at the helm, continuity of security efforts, review of existing protocols, and notification of data subjects must be in place.
• Projects. Privacy impact assessments must be done not only once institution-wide, but also for new individual projects that concern the handling of data.
• Managing legal requirements. Data handlers should monitor circulars and other releases from the NPC and the government. They must keep an eye on the contracts they enter into, conduct due diligence, and advise top leadership on the legal privacy implications of their projects and initiatives.
Suffice it to say that, as the Commission does its utmost to communicate our efforts to data handlers, so too is it incumbent upon data handlers to, as the law states, “implement reasonable and appropriate organizational, physical, and technical measures” to protect the personal information that they process.
At the bottom line, personal information controllers are expected to be thorough and to conduct due diligence in handling our data—this is, after all, part of the social contract that they forge with the public. For certain, the NPC will remain an empowering force in the continuum of trust that makes our nation stable and modernizing, building consensus, advocating, and enforcing the law both to create an environment conducive for honest and sustainable business, and to protect the rights of the individual.
For news and updates, please like the National Privacy Commission’s page on Facebook (Facebook.com/PRIVACY.GOV.PH). Email info@privacy.gov.ph for comments and questions.