Republic Act No. 10173, also known as the Data Privacy Act of 2012 (DPA), aims to protect personal data in information and communications systems both in the government and the private sector.
It ensures that entities or organizations processing personal data establish policies, and implement measures and procedures, that guarantee the safety and security of personal data under their control or custody, thereby upholding an individual's data privacy rights. A personal information controller or personal information processor is required to implement reasonable and appropriate measures to protect personal data against natural dangers such as accidental loss or destruction, and human dangers such as unlawful access, fraudulent misuse, unlawful destruction, alteration and contamination.
To inform its personnel of such measures, each personal information controller or personal information processor is expected to produce a Privacy Manual. The Manual serves as a guide or handbook for ensuring the compliance of an organization or entity with the DPA, its Implementing Rules and Regulations (IRR), and other relevant issuances of the National Privacy Commission (NPC). It also encapsulates the privacy and data protection protocols that need to be observed and carried out within the organization for specific circumstances (e.g., from collection to destruction), directed toward the fulfillment and realization of the rights of data subjects.
This section lays down the basis of the Manual. Hence, it should provide an overview of the DPA, its IRR and other policies that relate to data protection and which are relevant issuances to the industry or sector of the organization, as well as the transactions it regularly carries out.
In brief, it should discuss how the organization complies with the data privacy principles, and upholds the rights of the data subjects, both of which are laid out in the DPA.
It is important that this portion impresses upon the user or reader why it is necessary for the organization to have a Privacy Manual.
Example:
This Privacy Manual is hereby adopted in compliance with Republic Act No. 10173 or the Data Privacy Act of 2012 (DPA), its Implementing Rules and Regulations, and other relevant policies, including issuances of the National Privacy Commission. This organization respects and values your data privacy rights, and makes sure that all personal data collected from you, our clients and customers, are processed in adherence to the general principles of transparency, legitimate purpose, and proportionality.
This Manual shall inform you of our data protection and security measures, and may serve as your guide in exercising your rights under the DPA.
Terms used in the Manual must be defined for consistency and uniformity in usage. This portion will make sure of that, and allow users of the Manual to understand the words, statements, and concepts used in the document.
Examples:
This section defines the coverage of the Manual. Given that the document is essentially an internal issuance and is meant for the use and application of the organization’s staff or personnel, that fact should be emphasized here.
Note that it would be useful to develop a separate Privacy Manual meant for external use or for persons who deal with the organization. Certain information may be omitted from that version, particularly those that relate to internal policies or processes that are relevant only to personnel of the organization.
Examples:
All personnel of this organization, regardless of the type of employment or contractual arrangement, must comply with the terms set out in this Privacy Manual.
This section lays out the various data life cycles (or processing systems) in existence within the organization—from the collection of personal data, to their actual use, storage or retention, and destruction.
A. Collection (e.g. type of data collected, mode of collection, person collecting information, etc.)
Example:
This company collects the basic contact information of clients and customers, including their full name, address, email address, contact number, together with the products that they would like to purchase. The sales representative attending to customers will collect such information through accomplished order forms.
B. Use
Example:
Personal data collected shall be used by the company for documentation purposes, for warranty tracking vis-à-vis purchased items, and for the inventory of products.
C. Storage, Retention and Destruction (e.g. means of storage, security measures, form of information stored, retention period, disposal procedure, etc.)
Example:
This company will ensure that personal data under its custody are protected against any accidental or unlawful destruction, alteration and disclosure, as well as against any other unlawful processing. The company will implement appropriate security measures in storing collected personal information, depending on the nature of the information. All information gathered shall not be retained for a period longer than one (1) year. After one (1) year, all hard and soft copies of personal information shall be disposed of and destroyed through secure means.
D. Access (e.g. personnel authorized to access personal data, purpose of access, mode of access, request for amendment of personal data, etc.)
Example:
Due to the sensitive and confidential nature of the personal data under the custody of the company, only the client and the authorized representative of the company shall be allowed to access such personal data, for any purpose, except for those contrary to law, public policy, public order or morals.
E. Disclosure and Sharing (e.g. individuals to whom personal data is shared, disclosure of policy and processes, outsourcing and subcontracting, etc.)
Example:
All employees and personnel of the company shall maintain the confidentiality and secrecy of all personal data that come to their knowledge and possession, even after resignation, termination of contract, or other contractual relations. Personal data under the custody of the company shall be disclosed only pursuant to a lawful purpose, and to authorized recipients of such data.
As a personal information controller or personal information processor, an organization must implement reasonable and appropriate physical, technical and organizational measures for the protection of personal data. Security measures aim to maintain the availability, integrity and confidentiality of personal data and protect them against natural dangers such as accidental loss or destruction, and human dangers such as unlawful access, fraudulent misuse, unlawful destruction, alteration and contamination. In this section, you give a general description of those measures.
A. Organizational Security Measures
Every personal information controller and personal information processor must also consider the human aspect of data protection. The provisions under this section shall include the following:
1. Data Protection Officer (DPO), or Compliance Officer for Privacy (COP)
Example:
2. Functions of the DPO, COP and/or any other responsible personnel with similar functions
Example:
3. Conduct of trainings or seminars to keep personnel, especially the Data Protection Officer updated vis-à-vis developments in data privacy and security
Example:
4. Conduct of Privacy Impact Assessment (PIA)
Example:
5. Recording and documentation of activities carried out by the DPO, or the organization itself, to ensure compliance with the DPA, its IRR and other relevant policies.
Example:
6. Duty of Confidentiality
Example:
7. Review of Privacy Manual
Example:
B. Physical Security Measures
This portion shall feature the procedures intended to monitor and limit access to the facility containing the personal data, including the activities carried out therein. It shall provide for the actual design of the facility, the physical arrangement of equipment and furniture, the permissible modes of transfer, and the schedule and means of retention and disposal of data, among others. To ensure that personal data under the custody of the organization are protected against mechanical destruction, tampering and alteration, as well as against man-made disasters, power disturbances, external access, and other similar threats, provisions like the following must be included in the Manual:
1. Format of data to be collected
Example:
2. Storage type and location (e.g. filing cabinets, electronic storage system, personal data room/separate room or part of an existing room)
Example:
3. Access procedure for the organization's personnel
Example:
4. Monitoring and limitation of access to room or facility
Example:
5. Design of office space/work station
Example:
6. Persons involved in processing, and their duties and responsibilities
Example:
7. Modes of transfer of personal data within the organization, or to third parties
Example:
8. Retention and disposal procedure
Example:
C. Technical Security Measures
Each personal information controller and personal information processor must implement technical security measures to make sure that there are appropriate and sufficient safeguards to secure the processing of personal data, particularly the computer network in place, including encryption and authentication processes that control and limit access. They include the following, among others:
1. Monitoring for security breaches
Example:
2. Security features of the software/s and application/s used
Example:
3. Process for regularly testing, assessment and evaluation of effectiveness of security measures
Example:
4. Encryption, authentication process, and other technical security measures that control and limit access to personal data
Example:
Every personal information controller or personal information processor must develop and implement policies and procedures for the management of a personal data breach, including security incidents. This section must adequately describe or outline such policies and procedures, including the following:
1. Creation of a Data Breach Response Team
Example:
2. Measures to prevent and minimize occurrence of breach and security incidents
Example:
3. Procedure for recovery and restoration of personal data
Example:
4. Notification protocol
Example:
5. Documentation and reporting procedure of security incidents or a personal data breach
Example:
Every data subject has the right to reasonable access to his or her personal data being processed by the personal information controller or personal information processor. Other available rights include: (1) right to dispute the inaccuracy or error in the personal data; (2) right to request the suspension, withdrawal, blocking, removal or destruction of personal data; and (3) right to complain and be indemnified for any damages sustained due to inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of personal data. Accordingly, there must be a procedure for inquiries and complaints that will specify the means through which concerns, documents, or forms submitted to the organization shall be received and acted upon. This section shall feature such procedure.
Example:
This section indicates the period of effectivity of the Manual, as well as any other document that the organization may issue, and which has the effect of amending the provisions of the Manual.
Example:
All content is in the public domain unless otherwise stated.