- Privacy Notice
- Retention of Personal Data
- Disposal of Personal Data
Tips in Crafting Your Privacy Notice
A privacy notice aims to empower the public. It is meant to tell individuals what personal data is being collected from them, how, and why. As such, privacy notices should be highly readable in order to be usable and effective. However, recent research reveals that only a few people actually read privacy notices. With the average privacy notice taking ten minutes to read (and up to 42 minutes), it is no surprise that only 16% of internet users take the time to read them, based on the Internet Society’s Global Internet User Survey. The figure may be even lower in the Philippines, where the concept of data privacy is just emerging. This prompted the NPC to compile the following tips on how to craft your privacy notice effectively.
To reduce legal risk, the privacy commitments in your notices should be aligned with your actual privacy practices. Various resources point out that while notices should avoid bold statements, they should also not be too generic. Notices should cover both current and prospective privacy practices, which calls for strategic planning involving everyone in the organization. The key is to conduct factual and legal due diligence. According to the International Association of Privacy Professionals, factual due diligence allows you to determine what information your organization uses, while legal due diligence allows you to determine what laws govern the use of that information. Conducting a privacy impact assessment may help you achieve this due diligence.
What does the Data Privacy Act say about retention of personal
Under Chapter III, Section 11.e (General Data Privacy Principles) of the Data Privacy Act of 2012, personal information must be retained only for as long as necessary for the fulfillment of the purposes for which the data was obtained. The Implementing Rules and Regulations (IRR) state the following purposes:
- For the fulfillment of the declared, specified, and legitimate purpose, or when the processing relevant to the purpose has been terminated
- For the establishment, exercise or defense of legal claims
- For legitimate business purposes, which must be consistent with standards followed by the applicable industry or approved by appropriate government agency
- And in any case provided by law
What are my responsibilities when retaining personal data?
As an organization that retains personal data, your responsibilities include:
- To be clear about how long you will retain personal data and the reason(s) for doing so
- To ensure quality of the data being retained
- To ensure the security of the archived personal data
- To ensure restricted access to personal data
- To inform data subjects that their data is being retained and to give them access to it
What does the Data Privacy Act say about disposal of personal
Rule IV, Section 19.d (General principles in collection, processing and retention) of the Implementing Rules and Regulations (IRR) states that personal data shall be disposed of or discarded in a secure manner that prevents further processing, unauthorized access, or disclosure to any other party or to the public, and that does not prejudice the interests of the data subjects. As set out in National Privacy Commission (NPC) Circular 16-01 (Security of Personal Data in Government Agencies), procedures must be established for the following:
- Disposal of files that contain personal data, whether such files are stored on paper, film, optical or magnetic media
- Secure disposal of computer equipment, such as disk servers, desktop computers and mobile phones at end-of-life (especially storage media) provided that the procedure shall include the use of degaussers, erasers, and physical destruction devices
- Disposal of personal data stored offsite
Organizations can engage third-party service providers to carry out the disposal of personal data under their control or custody, provided that the service provider contractually agrees to the agency’s data protection procedures and ensures that the confidentiality of the personal data is protected.
What are my responsibilities when disposing of personal data?
It is the organization’s duty to make sure that data is disposed of properly, so that it becomes unreadable (for paper records) or irretrievable (for digital records). The organization should categorize the data it holds as high-risk or low-risk and use the disposal method appropriate to that category.