dpa compliance infrastructure


Upload: khangminh22

Post on 24-Apr-2023


OPERATIONALIZING DATA PRIVACY COMPLIANCE in the PUBLIC SECTOR: Going from WHAT to HOW

RACHEL P. FOLLOSCO, CPA, LL.B., CIPM, Managing Partner

NPC opens passport data probe (January 16, 2019)

Background (https://www.rappler.com/nation/220808-teddyboy-locsin-says-passport-data-taken-away-ex-contractor):

Ex-DFA contractor 'took off' with passport data, says Locsin (UPDATED)

Foreign Secretary Teodoro Locsin Jr says his agency is 'rebuilding files from scratch' because of the incident and assures the public that 'it won't happen again'

MANILA, Philippines – (UPDATED) Foreign Secretary Teodoro "Teddyboy" Locsin Jr said that a former contractor for Philippine passports "took off" with personal data after the end of its contract with the Department of Foreign Affairs (DFA).

xxx "But we are rebuilding our files from scratch because previous outsourced passport maker took all the data when contract terminated," said Locsin.

xxx

Taguig City University; the Department of Education offices in Bacoor City and Calamba City; the Province of Bulacan; Philippine Carabao Center; Republic Central Colleges in Angeles City; and Laguna State Polytechnic University: data subjects whose personal data were made available for download via links posted on Facebook.

Did not notify regarding breach

Privacy: the right of an individual not to have private information about himself disclosed, and to live free from surveillance and intrusion.

Data Privacy Act of 2012 (DPA, RA No. 10173): a comprehensive and strict privacy legislation

“To protect the fundamental human right of privacy, of communication while ensuring free flow of information to promote innovation and growth.” (Republic Act No. 10173, Chapter 1, Section 2)

Created the National Privacy Commission as the implementing agency

Right to Be Informed

Right to Access

Right to Object

Right to Erasure or Blocking

Right to Damages

Right to File a Complaint

Right to Data Portability

Uphold the rights of data subjects

Personal information refers to any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.

Apparent, can be reasonably ascertained, when put together…

Full name, birthdate, and address: the combined information is unique, so it cannot be anyone else.

Fingerprint (NBI?) together with other information

• Ana • 18 Sampaloc St., Manila • 4424647

Sensitive Personal Information (SPI)

Race, ethnic origin, marital status, age, color, religious, philosophical or political affiliation;

SPI: Health, education, genetic or sexual life, or any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings;

SPI: Government-issued number such as social security numbers, previous or current health records, licenses or denials, suspension or revocation, and tax returns; and

Specifically established by executive order or an act of Congress to be kept classified.

SEC. 4. Scope

This Act does not apply to the following:

(a) an officer or employee of a government institution that relates to the position or functions of the individual, including: (1) the fact that the individual is or was an officer or employee of the government institution; (2) the title, business address and office telephone number of the individual; (3) the classification, salary range and responsibilities of the position held by the individual; and (4) the name of the individual on a document prepared by the individual in the course of employment with the government;

(b) Information about an individual with a contract in a government institution that relates to the services performed: terms of the contract, and name of the individual;

(c) Information relating to any discretionary benefit given by the government to an individual: the name, exact nature of the benefit;

(d) Personal information processed for journalistic, artistic, literary or research purposes;

(e) Information necessary to carry out the functions of public authority, i.e. independent, central monetary authority and law enforcement and regulatory agencies of their constitutionally and statutorily mandated functions.

Who are required to register

NPC Circular No. 17-01 dated 31 July 2017. Subject to mandatory registration requirement:

1. Government branches, bodies or entities, including National Government Agencies, Bureaus or Offices, Constitutional Commissions, Local Government Units, Government-Owned and –Controlled Corporations;

2. Banks and Non-Bank Financial Institutions, including Pawnshops, Non-Stock Savings and Loan Associations (NSSLAS);

3. Telecommunications Networks, ISPs, and providers of similar services;

4. BPOs;

5. Schools and Training Institutions;

6. Hospitals including Primary Care Facilities, Multi-Specialty Clinics, Custodial Care Facilities, Diagnostic or Therapeutic Facilities, Specialized Out Patient Facilities, and Other Organizations processing genetic data;

7. Providers of Insurance Undertakings, including Life and Nonlife Companies, Pre-Need Companies and Insurance Brokers;

8. Business involved mainly in Direct Marketing, Networking and Companies providing Reward Cards and Loyalty Programs;

9. Pharmaceutical Companies engaged in Research; and

10. PIPs processing Personal Data for a PIC included in the preceding items, and Data Processing Systems involving Automated Decision-Making.

ALL OTHER PICs OR PIPs SHOULD REGISTER IF (a) IT EMPLOYS AT LEAST 250 PERSONS OR (b) IS PROCESSING AT LEAST 1,000 RECORDS INVOLVING SENSITIVE PERSONAL INFORMATION.

Processing refers to any operation or any set of operations performed upon personal information including, but not limited to: collection, recording, organizing, storing, using, updating or modifying, retrieving, consolidating, blocking, erasing, destroying.

Registration requirement

PHASE 1: DPO Registration, September 9, 2017

PHASE 2: Data Privacy System Registration, March 8, 2018

Data Protection Officer: primarily accountable for the organization’s compliance with the DPA; liaises between the organization and the NPC; must be an organic/full-time employee; if bound by contract, the period must be at least 2 years.

Appoint a DPO

What are PICs and PIPs?

Personal Information Controller (PIC): those who decide what personal data is collected and how it is processed (e.g. insurance company, hospital, bank)

Personal Information Processor (PIP): those who process data upon the instructions of a PIC (e.g. service provider, external lab, IT vendor)

PICs and PIPs are required to have a privacy program

Privacy Program should include: organizational security measures, physical security measures, technical security measures

DATA PRIVACY PRINCIPLES: TRANSPARENCY, LEGITIMATE PURPOSE, PROPORTIONALITY

TRANSPARENCY: Data subject must be aware of the nature, purpose and extent of the processing: risks and safeguards, identity of PIC, rights of the data subject

LEGITIMATE PURPOSE: Compatible with the declared purpose; NOT against law, morals, public policy

PROPORTIONALITY: Adequate, relevant, suitable, necessary and NOT excessive in relation to the declared purpose

Criteria for Legitimate Processing

Consent; Contract; Compliance with legal obligation; Vital interest; Legitimate interest; Public interest (order, safety, fundamental rights & freedom)

Requirement of Technical, Administrative and Physical Security in Government

Special Sections in RA 10173 and emphasized in the IRR further specified in NPC Circular No. 16-01

Sections 22 and 23 of the DPA are further explained by the NPC in its Circular No. 16-01 pursuant to its functions to develop, promulgate, review or amend rules and regulations for the effective implementation of the Act. Circular No. 16-01 governs the security of personal data in government agencies.

SECTION 4. General Obligations (NPC Circ. No. 16-01)

1. Commit to Comply
2. Know Your Risks
3. Be Accountable:

Create your Privacy Management Program and Privacy Manual

4. Demonstrate your Compliance: Implementation

5. Be prepared for Breach

conduct a Privacy Impact Assessment (Sec. 5);

create privacy and data protection policies (Sec. 6);

conduct a mandatory, agency-wide training on privacy and data protection policies once a year;

register its data processing systems with the Commission;

cooperate with the Commission when the agency’s privacy and data protection policies are subjected to review and assessment.

Covered by the five pillars

RULE II.STORAGE OF PERSONAL DATA (NPC Circ. 16-01)

Personal data being processed by a government agency shall be stored in a data center, which may or may not be owned and controlled by such agency (Sec. 7)

Encryption of Personal Data. All personal data that are digitally processed must be encrypted, whether at rest or in transit (Sec. 8). NPC recommended: Advanced Encryption Standard with a key size of 256 bits (AES-256). A password policy should be issued and enforced through a system management tool.

Service Provider, Audit (NPC Circ. 16-01). A service provider shall function as a personal information processor (Section 10).

The Commission reserves the right to audit a government agency’s data center, or, where applicable, that of its service provider (Section 11).

Independent verification or certification by a reputable third party may also be accepted by the Commission.

ISO/IEC 27018: the NPC’s recommendation as the most appropriate certification for the service or function provided by a service provider (Sec. 12)

Archives are covered by the requirements under the DPA

SEC. 23 DPA and Section 31 IRR. Requirements Relating to Access by Agency Personnel to Sensitive Personal Information

(a) On-site and Online Access

1) The employee has received a security clearance from the head of the source agency (the agency which originally collected the personal data). Security clearance shall only be granted when the performance of official functions or provision of a public service directly depends on and cannot otherwise be performed unless access to the personal data is allowed.

2) The source agency strictly regulates access to sensitive personal information under its custody or control.

NPC Circ. 16-01, SECTION 9. Restricted Access: should be enforced by an access control system that records when, where, and by whom the data centers are accessed. Access records and procedures shall be reviewed by agency management regularly.

Online access to sensitive personal information shall be subject to the following conditions (DPA):

(a) an information technology governance framework;

(b) sufficient organizational, physical and technical security measures;

(c) the agency protects sensitive personal information in accordance with recognized data privacy practices and standards;

(d) online access to sensitive personal information is necessary for the performance of official functions or the provision of a public service.

NPC Circ. No. 16-01

Only programs developed or licensed by a government agency shall be allowed (Section 14)

A government agency shall strictly regulate access to personal data under its control or custody.

A copy of each security clearance must be filed with the agency’s Data Protection Officer (Sec. 15).

(b) Off-site Access (DPA):

Sensitive personal information maintained by an agency may not be transported or accessed from a location off government property except where the request for such transportation or access is approved by the head of the agency in accordance with the following guidelines:

(1) must be approved within 2 days from request, otherwise deemed DENIED;

(2) limit is one thousand (1,000) records at a time; and

(3) Encryption: any technology shall be secured by the use of the most secure encryption standard recognized by the Commission.

The requirements of this subsection shall be implemented not later than six (6) months after the date of the enactment of this Act (2012).

SEC. 24. Applicability to Government Contractors

Contract involving SPI of at least 1,000 individuals:

contractor and its employees with registered personal information processing system

Compliant with the DPA

Data Sharing Agreement

Access to personal data by independent contractors, consultants, and service providers engaged by a government agency shall be governed by strict procedures contained in formal contracts (Section 16)

Each government agency shall have an up-to-date Acceptable Use Policy regarding the use by agency personnel of information and communications technology; this policy may also contain the other requirements set forth in the other sections of the Circular.

Data Sharing Agreement

Access by other parties to personal data under the control or custody of a government agency shall be governed by data sharing agreements (Sec. 23)

NPC Circular No. 16-02. DATA SHARING AGREEMENTS INVOLVING GOVERNMENT AGENCIES


Scope:

1) personal data under the control or custody of a government agency that is being shared with or transferred to a third party for the purpose of performing a public function, or providing a public service;

2) personal data under the control or custody of a private entity that is being shared with or transferred to a government agency;

3) custody by a PIP is only allowed under the instructions of the PIC.

REQUIREMENTS FOR DATA SHARING:

Consent (prior to collection and processing, Sec. 4); adhere to DPA principles (Sec. 5); the agreement must contain the following (Sec. 6):

1. Specify purpose
2. Specify all PICs
3. Specify terms of agreement
4. Overview of the operational details of the sharing
5. General description of security measures
6. Data subject access
7. Specify rules for online access
8. Specify PIC responsible for information requests
9. Identify method for the secure return, destruction or disposal of data and timeline
10. Specify other terms and conditions

Prior Consultation (Sec. 11)

Prior to execution, consult:

1. the Commission;

2. any person or organization recognized as representing the interests of the classes of data subjects whose personal data will be shared; and

3. any other person or organization the parties to the proposed data sharing agreement deem necessary.

Not compulsory but may help in case of breach

Review of the Agreement

By the Commission’s own initiative or upon complaint (Sec 13)

Mandatory periodic review by the parties:

At the end of the term and after subsequent extensions; must be recorded (Sec 14)

Termination (Sec. 16)

A. upon the expiration of its term, or any valid extension thereof;
B. upon the agreement by all parties;
C. upon a breach of its provisions by any of the parties; or
D. where there is disagreement, upon a finding by the Commission that its continued operation is no longer necessary, or is contrary to public interest or public policy

The Commission may motu proprio terminate: breach of provisions; violation of the DPA and its rules

Return, Destruction, or Disposal of Transferred Personal Data (Sec. 17)

Upon termination of the agreement.

Penalties: compliance and enforcement orders; cease and desist orders; temporary or permanent ban on the processing of personal data; payment of fines; ground for administrative and disciplinary sanctions against any erring public officer

OPERATIONAL COMPLIANCE FRAMEWORK

STRATEGIC MANAGEMENT ==> CUDS (Collection, Use, Disclose, Store) ==> APSR (Assess, Protect, Sustain, Respond)

STRATEGIC MANAGEMENT

Establish a privacy program; develop the mission & vision statement; develop the privacy strategy; structure the privacy team (privacy governance model); appoint the DPO; identify who needs to get involved: Head of Office/Agency, DPO & COP, Usec./Asec./Department Heads, HR, Accounting…

C=>U=>D=>S

THE INFORMATION LIFE CYCLE: Collection => Use => Disclose/Transfer => Store/Dispose

Transparency, Proportionality, Legitimacy

C=>U=>D=>S

Collection: collection limitation, purpose specification, lawful processing

Use: purpose & use limitation, accuracy

Disclose/Share/Transfer: data is being transferred to another office, or to a local or overseas service provider/PIP; contracts, vendor audit

Store/Retain/Dispose: retention limitation, information security (confidentiality, integrity, availability)

A=>P=>S=>R

PRIVACY MANAGEMENT OPERATIONAL LIFECYCLE: ASSESS => PROTECT => SUSTAIN => RESPOND

A=>P=>S=>R

ASSESS (data, systems, processes): to identify/determine the gaps; determine maturity level (ad hoc, repeatable, defined, managed, optimized); personal data inventory; identify privacy players; data mapping (CUDS); risk assessment.

Assess against: laws, regulations, privacy group standards, industry frameworks

A=>P=>S=>R

PROTECT: HOW: policies, processes & actions. TOOLS: Privacy by Design (PbD), Data Lifecycle Management (DLM), Privacy Impact Assessment (PIA), Info Sec: technical, administrative/organizational, physical

A=>P=>S=>R

SUSTAIN: Monitor: compliance, changes to regulations, risks (internal and external attacks/threats), conditions, breaches, complaints, etc.

Audit: systematic and independent examination/evaluation

Communicate: create awareness, cascade policies, training

Update: identify areas for improvement; adjust policies to reflect changes and new developments (reflect in privacy policy and privacy notice)

A=>P=>S=>R

RESPOND: managing information requests; meeting legal compliance; planning for incident response; handling privacy incidents

A=>P=>S=>R

Stages: discovery/report/complaint => investigate; contain and analyze; notify: determine when to notify (NPC 72-hour requirement; nature of breach: nature of data breached, number of individuals affected, gravity of consequence of the breach, organization’s ability to mitigate the risk); eradicate or prevent.

A=>P=>S=>R

Incident Planning / Incident Response Plan [People + Process + Resources]

Key Roles and Responsibilities – of each key department and officers of the entity

Execution timeline Progress Reporting Response evaluation and modification


Additional penalty for a public officer

SEC. 36. Offense Committed by Public Officer. – An accessory penalty consisting in the disqualification to occupy public office for a term double the term of the criminal penalty imposed shall be applied.

Thank you!