What is access control policy?

Having all the latest software security tools does not mean that your system is safe from any attacks. Continuous improvement in security of information and data processing systems is a fundamental management responsibility. All applications and processing systems that deal with personal and sensitive information should include some form of authorization which is also known as access control policy. As systems grow in size and complexity, access control is a special concern for systems and applications that are distributed across multiple computers.

Access Control Policy sets requirements of credentials and identification that specify how access to computers, systems, or applications is managed and who may access the information in most circumstances. Authentication, authorization, audit, and access approval are the common aspects of access control policy.

Back To Top

What are the best practices in implementing access control policy?

As a personal information controller or processor, it is a diligent responsibility to take great efforts and be accountable in protecting the personal data that you process by managing the areas, distribution, and life-cycle of authentication and authorization of your organization's processes. Access to any confidential, personal, and sensitive data must always be protected, controlled, and managed with sufficient security policies. Preventing unauthorized access and data breach is the primary objective of a controller and processor. Physical and systematic approach in creating and managing access control should also be established by the management. Also, the small to large scale applications of the personal information controllers and personal information processors should be taken into consideration in the design and implementation of the policy.

Back To Top

What does the commission say about implementing access control policy?

In a time when data privacy and security matters, personal information controller and personal information processors are obliged to implement strong, reasonable, and appropriate organizational, physical, and technical security measures for the protection of the personal information that they process. These include access control policies to off-site and online access to personal and sensitive information. Accessing these kinds of information due to negligence or intentional breach will result to fines and imprisonment.

Back To Top

What is a Data Center?

A data center is a facility housing electronic equipment used for data processing, data storage, and communications networking. It is a centralized repository, which may be physical or virtual, may be analog or digital, used for the storage, management, and dissemination of data including personal data.

The National Privacy Commission imposes personal information controllers and personal information processors should implement reasonable and appropriate organizational, physical, and technical security measures for the protection of personal data, especially in this critical infrastructure in Information and Communications Technology.

Back To Top

What are the recommended best practices for data center security?

    1. Include security and compliance objectives as part of the data center design and ensure the security team is involved from day one. Security controls should be developed for each modular component of the data center—servers, storage, data and network—united by a common policy environment.
    2. Ensure that approach taken will not limit availability and scalability of resources.
    3. Develop and enforce policies that are context, identity and application-aware for least complexity, and the most flexibility and scalability. Ensure that they can be applied consistently across physical, virtual and cloud environments. This, along with replacing physical with secure trust zones, will provide seamless and secure user access to applications at all times, regardless of the device used to connect to resources in the data center.
    4. Choose security technologies that are virtualization-aware or enabled, with security working at the network level rather than the server. Network security should be integrated at the hypervisor level to discover existing and new virtual machines and to follow those devices as they are moved or scaled up so that policy can be dynamically applied and enforced.
    5. Monitor everything continuously at the network level to be able to look at all assets (physical and virtual) that reside on the local area network (even those that are offline) and all inter-connections between them. This monitoring should be done on a continuous basis and should be capable of tracking dynamic network fabrics. Monitor for missing patches, application, or configuration changes that can introduce vulnerabilities which can be exploited.
    6. Look for integrated families of products with centralized management that are integrated with or aware of the network infrastructure, or common monitoring capabilities for unified management of risk, policy controls, and network security. This will also give detailed reports across all controls that provide the audit trail necessary for risk management, governance, and compliance objectives. Integrated families of products need not necessarily be procured from just one vendor. Look for those that leverage the needed capabilities of a strong ecosystem of partnerships to provide a consolidated solution across all data center assets.
  1. Consider future as well as current needs and objectives at the design stage such as whether access to public cloud environments is required.
  2. Define policies and profiles that can be segmented and monitored in multi-tenant environments. Consider security technologies that provide secure gateway connections to public cloud resources.

Back To Top

What are the security requirements for a computer system?

    1. Secure user authentication protocols including:
      1. Control of user IDs and other identifiers;
      2. Reasonably secure method of assigning and selecting passwords, or use of unique identifier technologies, such as biometrics or token devices;
      3. Control of data security passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the data they protect;
      4. Restricting access to active users and active user accounts only; and
      5. Blocking access to user identification after multiple unsuccessful attempts to gain access or the limitation placed on access for the particular system;
    2. Secure access control measures that:
      1. Restrict access to records and files containing personal information to those who need such information to perform their job duties; and
      2. Assign unique identifications plus passwords, which are not vendor supplied default passwords, to each person with computer access, that are reasonably designed to maintain the integrity of the security of the access controls;
    3. Encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly;
    4. Reasonable monitoring of systems, for unauthorized use of or access to personal information;
    5. Encryption of all personal information stored on laptops or other portable devices;
  1. For files containing personal information on a system that is connected to the Internet, there must be reasonably up-to-date firewall protection and operating system security patches, reasonably designed to maintain the integrity of the personal information;
  2. Reasonably up-to-date versions of system security agent software which must include malware protection and reasonably up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and is set to receive the most current security updates on a regular basis;
  3. Education and training of employees on the proper use of the computer security system and the importance of personal information security.

Back To Top

What is encryption?

Encryption protects emails, bank accounts, transactions, and messages. In general, it protects data by encoding the information in such a way that it is only accessible to authorized parties or individuals. It is a way of safeguarding data, documents, or information from this generation's threats such as malicious hackers, spies, and criminals. It is one of the best tools to protect privacy especially for individuals. It is considered to be a necessity in keeping data privacy.

Back To Top

What does the commission state about encryption?

"Any technology used to store, transport, or access sensitive personal information for purposes of off-site access approved shall be secured by the use of the most secure encryption standard recognized by the Commission."

Data at rest, in transit, and in use should all be treated equally in terms of preserving its privacy and managing its security.

Back To Top

What should be encrypted?


Most corporations, organizations, agencies, and firms use emails to communicate, send files, and exchange data. This way of communication has been the standard of electronic messaging for many years. It has also been one of the major cases of privacy breaches throughout those years. These kinds of incidents exposed the privacy of several individuals so they should be managed, guarded, and most importantly, prevented. Organizations that transfer personal data via email should either make sure that the data is encrypted or use a secure email facility that facilitates the encryption.

Portable Media

Attack on privacy can happen anytime, anywhere, any place and sometimes even with portable storage devices. It can infiltrate an organization’s system and expose all of its confidential and sensitive information. Devices such as USB flash drives and internal or external disk that store, collect or transfer personal data must be encrypted, especially the data in it. Organizations that use laptops to process personal data must use a full disk encryption.

Links (URL)

Agencies and organizations that utilize online access to process personal data should employ an identity authentication method that uses a secured encrypted link.

Back To Top

What does the commission recommend with regards to encryption?

"Organizational, physical, and technical security measures for personal data protection, encryption, and access to sensitive personal information maintained by government agencies, considering the most appropriate standard recognized by the information and communications technology industry."

"Advanced Encryption Standard with a key size of 256 bits (AES-256) as the most appropriate encryption standard. Passwords or passphrases used to access personal data should be of sufficient strength to deter password attacks. A password policy should be issued and enforced through a system management tool."

Back To Top

What are the standards for protecting personal information?

Every person that owns or licenses personal information shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains organizational, technical, and physical security that are appropriate to:

  1. the size, scope and type of operations of the agency obligated to secure the personal data under such comprehensive information of the DPA;
  2. the amount of resources available to such person;
  3. the amount of stored data; and
  4. the need for security and confidentiality of both client and employee information. The safeguards contained in such program must be consistent with the safeguards for protection of personal information and information of a similar character set forth in the Data Privacy Act of 2012 by which the person who owns or licenses such information may be regulated.

Without limiting the generality of the foregoing, every comprehensive information security program shall include, but shall not be limited to:

    1. Designating a DPO to maintain the comprehensive information security program;
    2. Identifying and assessing reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing personal information, and evaluating and improving, where necessary, the effectiveness of the current security for limiting such risks, including but not limited to:
      • ongoing employee (including temporary and contract employee) training;
      • employee compliance with policies and procedures; and
      • means for detecting and preventing security system failures.
    3. Developing security policies for employees relating to the storage, access and transportation of records containing personal information outside of business premises.
    4. Imposing disciplinary measures for violations of the comprehensive information security program rules.
    5. Preventing terminated employees from accessing records containing personal information.
    6. Reasonable restrictions upon physical access to records containing personal information, and storage of such records and data in locked facilities, storage areas or cloud hosting.
    7. Regular monitoring to ensure that the comprehensive information security program is operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of personal information; and upgrading information security as necessary to limit risks.
  1. Reviewing the scope of the security measures at least annually or whenever there is a material change in business practices that may reasonably implicate the security or integrity of records containing personal information.
  2. Documenting responsive actions taken in connection with any incident involving a breach of security, and mandatory post-incident review of events and actions taken, if any, to make changes in business practices relating to protection of personal information.

Back To Top

What is data sharing?

Data sharing is the disclosure or transfer to a third party of personal data under the custody of a personal information controller or personal information processor. When processing of personal information is outsourced (Personal Information Processor), such disclosure or transfer must have been upon the instructions of the personal information controller concerned. The term excludes outsourcing, or the disclosure or transfer of personal data by a personal information controller to a personal information processor.

Personal Information Controllers (PIC) are those who decide what types of data are collected and how they are processed (i.e. Ayala Land). On the other hand, Personal Information Processors (PIP) are those who process data as instructed by the controllers (i.e. HR Mall).

For transfers abroad, a personal information controller shall be responsible for any personal data under its custody, including information that have been outsourced or transferred to a personal information processor or a third party for processing, whether domestically or internationally, subject to cross-border arrangement and cooperation.

Back To Top

Am I allowed to process personal data?

Processing of personal data collected from a party other than the data subject shall be allowed under any of the following conditions:

  • Authorized by law
  • Consent for Data Sharing
  • Covered by a data sharing agreement for commercial purposes
  • Provided the following to data subjects before sharing:
      1. Identity of PIC and PIP
      2. Purpose of data sharing
      3. Categories of personal data
      4. Intended recipients of personal data
      5. Broadcasted the rights of data subjects
      6. Other information about the nature and extent of data sharing and manner of processing
    1. Sharing between government agencies for the purpose of a public function or provision of a public service should be covered by a data sharing agreement.

Back To Top

What is a Data Sharing Agreement?

A data sharing agreement refers to a contract, joint issuance, or any similar document that contains the terms and conditions of a data sharing arrangement between two or more parties provided that only personal information controllers shall be made parties to a data sharing agreement. Where a data sharing agreement involves the actual transfer of personal data or a copy from one party to another, such transfer shall comply with the security requirements imposed by the Philippine Data Privacy Act, its IRR, and all applicable issuances of the National Privacy Commission.

Back To Top

What are the things I should see on a Data Sharing Agreement?

  • Purpose of Data Sharing
  • Participating personal information controller and processor:
    1. Types of personal data
    2. Personal information processor that will process personal data
    3. Manners of how PIC and PIP are processing personal data
    4. The remedies available to a data subject in case the processing of personal data violates his or her rights and how these rights may be exercised;
    5. Designated data protection officer or compliance officer.
  • Duration of the agreement
  • General description of the security measures that will ensure the protection of personal data of the data subjects, including the policy for retention or disposal of records.
  • Inform how a data subject can obtain a copy of the data sharing agreement.
  • If a personal information controller shall grant online access to personal data under its control or custody, it shall specify the following information:
    1. Justification for allowing online access;
    2. Parties that shall be granted online access;
    3. Types of personal data that shall be made accessible online;
    4. Estimated frequency and volume of the proposed access; and
    5. Program, middleware and encryption method that will be used.
  • It shall specify the PIC responsible for addressing any information request, or any complaint filed by a data subject, and/or any investigation by the Commission
  • It shall identify the method that shall be adopted for the secure return, destruction, or disposal of the shared data.
  • It shall specify other terms and conditions that the parties may agree on.

Back To Top