Wazzup Pilipinas!
The three-day workshop is intended to give attendees introductory knowledge about the need to protect and secure personal and sensitive data or information gathered, processed, maintained, accessed and disposed of by an organization, may it be from the government or the private sector, as mandated by Republic Act 10173 otherwise known as the Data Privacy Act of 2012, which requires all to “protect the fundamental human right of privacy of communication while ensuring free flow of information to promote innovation and growth, and to ensure that personal information in information and communication systems in the government and in the private sector are secured and protected.”
“The head of each government agency, or instrumentality, is responsible for complying with the security requirements mentioned in the law, which includes all sensitive personal information maintained by his or her agency are secured, as far as practicable, with the use of the most appropriate standards recognized by the information and communication technology industry and as recommended by the National Privacy Commission.”
From the workshop, we have identified the preliminary tasks that we need to accomplish:
1. Appoint a Data Protection Officer (DPO). Notarized and registered to the National Privacy Commission (NPC)
The DPO will oversee compliance of the organization to the Data Privacy Act (DPA). He or she must see to it that there is transparency, legitimate purpose, and proportionality in the acquisition, storing, safekeeping, sharing or destruction of data or information.
The head of an organization is by default the DPO, but he or she could also assign the responsibility to someone who must be among the decision makers since it involves the creation of policies designed to secure the Programs, Projects, Processes, Measures, Systems, Technologies (PPPMST) of the organization. The DPO could form a team of Compliance Officers for Privacy (COP) to help him with this endeavour. They will supervise the Personal Information Controllers (PIC) and Personal information Processors (PIP) involved in the handling of data or information. The PIC must implement the organizational, technical and physical measures intended for the protection of personal information against any unlawful or accidental processing, destruction, alteration or disclosure.
2. Conduct a Privacy Impact Assessment (PIA)
Evaluate and manage the impact of our PPPMST on data privacy to identify and minimize the privacy risks. The PIA would ensure that potential problems could be identified at an early stage to make them simpler and less costly.
3. Register all the data processing programs, projects, processes, measures, systems, technologies (PPPMST) of the organization to NPC
The speaker advises that compliance to the DPA is not a one-shot initiative but a process so we could register our PPPMST gradually. It would also show to NTC that we are actively engaged in conceptualizing our DPA procedures.
4. Formulate and implement the organization’s Privacy Management Program (PMP)
Draft the organization’s data privacy rules, privacy manual and complaints mechanism. These include providing adequate and proper notifications on how data is acquired (like putting up visible signage of CCTV presence), practicing cyber hygiene (like creating strong passwords, locking devices, installing anti-virus, etc), securing physical locations of records (like keeping filing cabinets containing records locked and accessible only to the authorized persons), etc.,
A hard copy compliance manual and 1 year subscription to full DPMS which includes response management module is required.
5. Designate members of the Breach Response Team (BRT)
The BRT could draft the Breach Management Procedures to be followed when a data breach occurs. They will take action and investigate if ever a possible breach is suspected or detected. A breach has occurred if the confidentiality, integrity or availability of data is compromised. A corresponding incident or breach report should be submitted to the NPC within 72 hours.
DATES TO REMEMBER:
Deadline for Registration of DPO to NPC: March 8, 2018
Deadline for submission of Annual Incident Report to NPC: March 31, 2018