Privacy Policy

Section IV of the National Privacy Commission’s (NPC) Circular 16-03, on Personal Data Breach Management, requires the complying organization to implement a breach management policy for the purpose of preventing or minimizing the occurrence of a personal data breach and ensuring the timely discovery of any security incident. This breach management policy may be incorporated into the organization’s privacy policy and privacy management programs, which should be set up and properly cascaded among the organization’s employees. One good example of a privacy policy, discussed in the context of establishing a data privacy accountability framework, is stated in the study published by Henry Chang, listed in The study included the application of the proposed data privacy accountability framework under Philippine law, as well as under the laws of other Asian countries that have enacted data privacy and protection laws. For the benefit of personal information controllers and personal information processors, the National Privacy Commission is currently developing a template that may be used as a basis for drafting a new privacy policy or revising an existing one.

There is currently no certification process for an organization’s (level of) compliance with the Data Privacy Act. Nonetheless, the Commission does recommend that organizations obtain certifications or accreditations vis-à-vis existing international standards, such as those prescribed by the International Organization for Standardization (ISO), including the following:

  • ISO 27000 Family or Information Security Management Systems (ISMS). A systematic approach to managing sensitive company information that ensures its security. It includes people, processes and IT systems by applying a risk management process. It can help businesses of any size keep their information assets secure.
  • ISO/IEC 27001:2013. Applicable mainly to organizations that maintain data centers, this specifies the requirements for establishing, implementing, maintaining, and continually improving an information security management system within the context of an organization. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of an organization. The requirements set out are generic and are intended to be applicable to all organizations, regardless of type, size, or nature.
  • ISO/IEC 27018:2014. This establishes commonly-accepted control objectives, controls, and guidelines for implementing measures to protect personal information in accordance with the privacy principles in ISO/IEC 29100, which, in turn, concerns public cloud computing environments. It also specifies guidelines based on ISO/IEC 27002, taking into account the regulatory requirements for the protection of personal information that might be applicable within the context of the information security risk environment(s) of a (public) cloud service provider. It may be used by organizations of any type and size, including public and private companies, government entities, and non-profit organizations, which provide information processing services as Personal Information Processors (PIP) via cloud computing under contract to other organizations.

The Commission also does not require certifications for key personnel of personal information controllers or personal information processors, such as the Data Protection Officer or Compliance Officer for Privacy. However, it is considered best practice across jurisdictions for organizations to properly equip their personnel with appropriate training that enables them to fulfill their specific roles and functions. Some international certifications or training programs commonly considered for this purpose include:

  • Certified Information Systems Auditor (CISA). CISA is a globally recognized certification for IS audit control, assurance, and security professionals. A person’s CISA certification attests to his or her audit experience, skills, and knowledge. It demonstrates one’s ability to assess vulnerabilities, report on compliance, and institute controls within a particular enterprise.
  • Certified Information Security Manager (CISM). A management-focused certification that promotes international security practices and recognizes the individual who manages, designs, oversees, and assesses an enterprise’s information security.
  • Certified in the Governance of Enterprise IT (CGEIT). This certification recognizes a wide range of professionals for their knowledge and application of enterprise IT governance principles and practices. A CGEIT-certified professional has demonstrated his or her ability to bring IT governance into an organization, as well as his or her complete grasp of this complex subject, and is thus able to enhance the value of an enterprise.
  • Certified Information Systems Security Professional (CISSP). The ideal credential for those with proven deep technical and managerial competence, skills, experience, and credibility to design, engineer, implement, and manage the overall information security program of their organization, thereby protecting it from the growing number of sophisticated attacks.
  • GIAC Security Essentials (GSEC). Designed for professionals seeking to demonstrate their understanding of information security terminology and concepts, and their possession of the skills and technical expertise necessary for "hands-on" security roles. GSEC credential holders are presumed to have knowledge and technical skills in various areas (e.g., identifying and preventing common and wireless attacks, access controls, authentication, password management, DNS, cryptography fundamentals, ICMP, IPv6, public key infrastructure, Linux, network mapping, and network protocols).
  • Project Management Professional (PMP). This certification is touted as the most important industry-recognized certification for project managers. It signifies that the holder speaks and understands the global language of project management. It connects him or her to a community of professionals, organizations and experts worldwide. Indeed, unlike other certifications that focus on a particular geography or domain, the PMP is truly global and enables its holder to work in virtually any industry, with any methodology, and in any location.

While not explicitly required, certifications and/or accreditations allow for a more efficient verification and monitoring process on the part of the Commission.