- Privacy Notice
- Retention of Personal Data
- Disposal of Personal Data
Tips in Crafting Your Privacy Notice
A privacy notice aims to empower the public. It is meant to
tell individuals what, how and why personal data is being collected
from them. As such, privacy notices should be highly readable to be
usable and effective. However, recent researches reveal that only a few
actually read privacy notices.
With the average privacy notice taking ten minutes to read (at
most 42 minutes), it is no surprise that only 16% of internet users
take the time to read them, based on the Internet Society’s Global
Internet User Survey. The figure may even be lower in the Philippines
where the concept of data privacy is just emerging.
This prompted the NPC to compile the following tips on how to
effectively craft your privacy notice.
Privacy notices should be concise and written in plain
language as you write for a diverse audience. A segment of your
audience may not be familiar with data privacy. Thus, it is important
to communicate the content clearly.
To keep notices brief, you may use a layered approach. The
privacy notice should be the first, shortest and simplest layer that is
intended for consumers. The next layer should be the full privacy
policy or the privacy management manual that use standard legalese and
has all the details including the technical information. Hyperlink the
term in the notice to a definition. Maximize the second layer to fully
explain technical terms mentioned in the privacy notice.
The notice should be simple, straightforward, direct,
affirmative and respectful. Use short sentences, in active voice, which
are easier to understand. If you are enumerating several items, use
bullet points. Each section of the notice should have an informative
heading to accurately describe what follows.
To reduce legal risks, privacy commitments in your notices
should be aligned with your actual privacy practices. Various resources
reveal that while notices should try to avoid using bold statements,
they should not also be too generic. Notices should cover both current
and prospective privacy practices, which necessitates strategic
planning involving everyone in the organization.
The key is to conduct factual and legal due diligence.
According to the International Association of Privacy Professional,
factual due diligence allows you to determine what information your
organization uses. The legal due diligence allows you to determine what
laws govern the use of that information. Conducting a privacy impact
assessment may help you achieve due diligence.
Gaining public trust has been considered a barrier to
continued growth among public and private organizations offering
products and services. Online, consumer spending only accounts for
about 1.7% of overall retail revenues due to this barrier, among
others. Thus, it is important to maximize the use of privacy notice to
increase your trustworthiness among your clients.
To make a privacy notice compelling, it should instantly show
what is in it for your clients. At the minimum, it should highlight the
types of personal information you collect, how you use it, how you
protect it, how your clients can access and correct their personal
information and how they can contact you. You may use this template to
map out and analyze your personal data collection and processing.
Lastly, note that studies reveal that “legally mandated or
unlikely to significantly reduce consumer reluctance to provide
personal information”. The type of information and privacy statement
determines consumer willingness to submit information to a greater
degree. Hence, it is important to provide a feedback mechanism through
which your clients can suggest and comment on your privacy notices.
Back To Top
What does Data Privacy Act say about retention of personal
In Chapter III, Section 11.e: General Data Privacy Principles
of Data Privacy Act of 2012, Personal Information must be retained only
for as long as necessary for the fulfillment of the purposes for which
data was obtained. The following are the purposes stated in the
Implementing Rules and Regulations (IRR):
Back To Top
- For the fulfillment of the declared, specified, and
legitimate purpose, or when the processing relevant to the purpose has
- For the establishment, exercise or defense of legal claims
- For legitimate business purposes, which must be consistent
with standards followed by the applicable industry or approved by
appropriate government agency
- And in any case provided by law
What are my responsibilities when retaining personal data?
As an organization that retains personal data, your
Back To Top
- To be clear about how long you will retain personal data
- To ensure quality of the data being retained
- To ensure the security of the archived personal data
- To ensure restricted access to personal data
- To give access and inform the data subjects about their
What does Data Privacy Act say about disposal of personal
Rule IV, Section 19.d: General principles in collection,
processing and retention of the Implementing Rules and Regulations
(IRR) states that personal data shall be disposed or discarded in a
secure manner that would prevent further processing, unauthorized
access, or disclosure to any other party or public, or prejudice the
interests of the data subjects.
As mentioned in the National Privacy Commission (NPC) Circular
16-01: Security of Personal Data in government agencies, procedures
must be established regarding the following:
- Disposal of files that contain personal data, whether such
files are stored on paper, film, optical or magnetic media
- Secure disposal of computer equipment, such as disk
servers, desktop computers and mobile phones at end-of-life (especially
storage media) provided that the procedure shall include the use of
degaussers, erasers, and physical destruction devices
- Disposal of personal data stored offsite
Organization/s can engage third-party service providers to
carry out the disposal of personal data under its control or custody
provided that the service provider shall contractually agree to the
agency’s data protection procedures and ensure that the confidentiality
of personal data is protected.
Back To Top
What are my responsibilities when disposing personal data?
It is the organization’s duty to make sure that data will be
disposed properly in a way that the data should be unreadable (for
paper) or irretrievable (for digital records). The organization should
categorize whether the data they have are high-risk or low-risk. It is
recommended that the appropriate data disposal method be used.
Back To Top