Having all the latest software security tools does not mean that your system is safe from attack. Continuous improvement in the security of information and data processing systems is a fundamental management responsibility. All applications and processing systems that deal with personal and sensitive information should include some form of authorization, governed by what is known as an access control policy. As systems grow in size and complexity, access control becomes a special concern for systems and applications that are distributed across multiple computers.
An access control policy sets requirements for credentials and identification that specify how access to computers, systems, or applications is managed and who may access the information under which circumstances. Authentication, authorization, audit, and access approval are the common aspects of an access control policy.
As a personal information controller or processor, you have a duty to make diligent efforts, and to be accountable, in protecting the personal data that you process by managing the scope, distribution, and life-cycle of authentication and authorization across your organization's processes. Access to any confidential, personal, and sensitive data must always be protected, controlled, and managed under sufficient security policies. Preventing unauthorized access and data breaches is the primary objective of a controller and processor. Management should also establish a physical and systematic approach to creating and managing access control. The scale of the applications run by personal information controllers and personal information processors, from small to large, should be taken into consideration in the design and implementation of the policy.
In a time when data privacy and security matter, personal information controllers and personal information processors are obliged to implement strong, reasonable, and appropriate organizational, physical, and technical security measures for the protection of the personal information that they process. These include access control policies for off-site and online access to personal and sensitive information. Exposure of such information through negligence or intentional breach will result in fines and imprisonment.
A data center is a facility housing electronic equipment used for data processing, data storage, and communications networking. It is a centralized repository, which may be physical or virtual, analog or digital, used for the storage, management, and dissemination of data, including personal data.
The National Privacy Commission requires that personal information controllers and personal information processors implement reasonable and appropriate organizational, physical, and technical security measures for the protection of personal data, especially in this critical piece of Information and Communications Technology infrastructure.
Encryption protects emails, bank accounts, transactions, and messages. In general, it protects data by encoding the information in such a way that it is only accessible to authorized parties or individuals. It is a way of safeguarding data, documents, or information from this generation's threats such as malicious hackers, spies, and criminals. It is one of the best tools for protecting privacy, especially for individuals, and is considered a necessity in keeping data private.
"Any technology used to store, transport, or access sensitive personal information for purposes of off-site access approved shall be secured by the use of the most secure encryption standard recognized by the Commission."
Data at rest, in transit, and in use should all be treated equally in terms of preserving its privacy and managing its security.
Emails
Most corporations, organizations, agencies, and firms use email to communicate, send files, and exchange data. This way of communicating has been the standard of electronic messaging for many years. It has also been one of the major sources of privacy breaches throughout those years. Incidents of this kind have exposed the privacy of many individuals, so they should be managed, guarded against, and, most importantly, prevented. Organizations that transfer personal data via email should either make sure that the data is encrypted or use a secure email facility that provides the encryption.
Portable Media
Attacks on privacy can happen anytime and anywhere, sometimes even through portable storage devices. Such an attack can infiltrate an organization's system and expose all of its confidential and sensitive information. Devices such as USB flash drives and internal or external disks that store, collect, or transfer personal data must be encrypted, and especially the data on them. Organizations that use laptops to process personal data must use full disk encryption.
Links (URL)
Agencies and organizations that use online access to process personal data should employ an identity authentication method that uses a secure, encrypted link.
"Organizational, physical, and technical security measures for personal data protection, encryption, and access to sensitive personal information maintained by government agencies, considering the most appropriate standard recognized by the information and communications technology industry."
"Advanced Encryption Standard with a key size of 256 bits (AES-256) as the most appropriate encryption standard. Passwords or passphrases used to access personal data should be of sufficient strength to deter password attacks. A password policy should be issued and enforced through a system management tool."
Every person that owns or licenses personal information shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains organizational, technical, and physical security measures that are appropriate to:
Without limiting the generality of the foregoing, every comprehensive information security program shall include, but shall not be limited to:
Data sharing is the disclosure or transfer to a third party of personal data under the custody of a personal information controller or personal information processor. When the processing of personal information is outsourced to a personal information processor, such disclosure or transfer must have been made upon the instructions of the personal information controller concerned. The term excludes outsourcing, that is, the disclosure or transfer of personal data by a personal information controller to a personal information processor.
Personal Information Controllers (PIC) are those who decide what types of data are collected and how they are processed (e.g., Ayala Land). On the other hand, Personal Information Processors (PIP) are those who process data as instructed by the controllers (e.g., HR Mall).
For transfers abroad, a personal information controller shall be responsible for any personal data under its custody, including information that has been outsourced or transferred to a personal information processor or a third party for processing, whether domestically or internationally, subject to cross-border arrangements and cooperation.
Processing of personal data collected from a party other than the data subject shall be allowed under any of the following conditions:
A data sharing agreement refers to a contract, joint issuance, or any similar document that contains the terms and conditions of a data sharing arrangement between two or more parties provided that only personal information controllers shall be made parties to a data sharing agreement. Where a data sharing agreement involves the actual transfer of personal data or a copy from one party to another, such transfer shall comply with the security requirements imposed by the Philippine Data Privacy Act, its IRR, and all applicable issuances of the National Privacy Commission.