Tips in Crafting Your Privacy Notice

A privacy notice aims to empower the public. It is meant to tell individuals what personal data is being collected from them, how and why. As such, privacy notices should be highly readable to be usable and effective. However, recent research reveals that only a few people actually read privacy notices. With the average privacy notice taking ten minutes to read (at most 42 minutes), it is no surprise that only 16% of internet users take the time to read them, based on the Internet Society’s Global Internet User Survey. The figure may even be lower in the Philippines, where the concept of data privacy is just emerging. This prompted the NPC to compile the following tips on how to effectively craft your privacy notice.


Privacy notices should be concise and written in plain language, as you are writing for a diverse audience. A segment of your audience may not be familiar with data privacy. Thus, it is important to communicate the content clearly. To keep notices brief, you may use a layered approach. The privacy notice should be the first, shortest and simplest layer, intended for consumers. The next layer should be the full privacy policy or the privacy management manual, which uses standard legalese and has all the details, including the technical information. Hyperlink the term in the notice to a definition. Maximize the second layer to fully explain technical terms mentioned in the privacy notice. The notice should be simple, straightforward, direct, affirmative and respectful. Use short sentences in the active voice, which are easier to understand. If you are enumerating several items, use bullet points. Each section of the notice should have an informative heading that accurately describes what follows.


To reduce legal risks, privacy commitments in your notices should be aligned with your actual privacy practices. Various resources reveal that while notices should try to avoid using bold statements, they should also not be too generic. Notices should cover both current and prospective privacy practices, which necessitates strategic planning involving everyone in the organization. The key is to conduct factual and legal due diligence. According to the International Association of Privacy Professionals, factual due diligence allows you to determine what information your organization uses. Legal due diligence allows you to determine what laws govern the use of that information. Conducting a privacy impact assessment may help you achieve due diligence.


Gaining public trust has been considered a barrier to continued growth among public and private organizations offering products and services. Online, consumer spending only accounts for about 1.7% of overall retail revenues due to this barrier, among others. Thus, it is important to maximize the use of your privacy notice to increase your trustworthiness among your clients. To make a privacy notice compelling, it should instantly show what is in it for your clients. At the minimum, it should highlight the types of personal information you collect, how you use it, how you protect it, how your clients can access and correct their personal information and how they can contact you. You may use this template to map out and analyze your personal data collection and processing. Lastly, note that studies reveal that “legally mandated or imposed privacy policy statements resulting from regulation are unlikely to significantly reduce consumer reluctance to provide personal information”. The type of information and privacy statement determines consumer willingness to submit information to a greater degree. Hence, it is important to provide a feedback mechanism through which your clients can suggest and comment on your privacy notices.



What does Data Privacy Act say about retention of personal

Under Chapter III, Section 11.e: General Data Privacy Principles of the Data Privacy Act of 2012, personal information must be retained only for as long as necessary for the fulfillment of the purposes for which the data was obtained. The following are the purposes stated in the Implementing Rules and Regulations (IRR):

  • For the fulfillment of the declared, specified, and legitimate purpose, or when the processing relevant to the purpose has been terminated
  • For the establishment, exercise or defense of legal claims
  • For legitimate business purposes, which must be consistent with standards followed by the applicable industry or approved by appropriate government agency
  • And in any case provided by law


What are my responsibilities when retaining personal data?

As an organization that retains personal data, your responsibilities include:

  • To be clear about how long you will retain personal data and the reason/s for retaining it
  • To ensure the quality of the data being retained
  • To ensure the security of the archived personal data
  • To ensure restricted access to personal data
  • To give access to and inform the data subjects about their data being retained


What does Data Privacy Act say about disposal of personal

Rule IV, Section 19.d: General principles in collection, processing and retention of the Implementing Rules and Regulations (IRR) states that personal data shall be disposed or discarded in a secure manner that would prevent further processing, unauthorized access, or disclosure to any other party or public, or prejudice the interests of the data subjects. As mentioned in the National Privacy Commission (NPC) Circular 16-01: Security of Personal Data in government agencies, procedures must be established regarding the following:

  • Disposal of files that contain personal data, whether such files are stored on paper, film, optical or magnetic media
  • Secure disposal of computer equipment, such as disk servers, desktop computers and mobile phones at end-of-life (especially storage media) provided that the procedure shall include the use of degaussers, erasers, and physical destruction devices
  • Disposal of personal data stored offsite

Organizations can engage third-party service providers to carry out the disposal of personal data under their control or custody, provided that the service provider contractually agrees to the agency’s data protection procedures and ensures that the confidentiality of personal data is protected.


What are my responsibilities when disposing of personal data?

It is the organization’s duty to make sure that data is disposed of properly, in a way that leaves it unreadable (for paper) or irretrievable (for digital records). The organization should categorize the data it holds as high-risk or low-risk. It is recommended that the appropriate data disposal method be used.
