dpa compliance infrastructure
TRANSCRIPT
OPERATIONALIZINGDATA PRIVACY COMPLIANCE in the PUBLIC SECTOR: Going from WHAT to HOW
RACHEL P. FOLLOSCO, CPA, LL.B., CIPMManaging Partner
NPC opens passport data probeJanuary 16, 2019
Background (https://www.rappler.com/nation/220808-teddyboy-locsin-says-passport-data-taken-away-ex-contractor):
Ex-DFA contractor 'took off' with passport data, says Locsin(UPDATED) Foreign Secretary Teodoro Locsin Jr says his agency is 'rebuilding files from scratch' because of the incident and assures the public that 'it won't happen again’MANILA, Philippines – (UPDATED) Foreign Secretary Teodoro "Teddyboy" Locsin Jr said that a former contractor for Philippine passports "took off" with personal data after the end of its contract with the Department of Foreign Affairs (DFA).
xxx"But we are rebuilding our files from scratch because previous outsourced passport maker took all the data when contract terminated," said Locsin.
xxx
Taguig City University; the Department of Education offices in Bacoor City and Calamba City; the Province of Bulacan; Philippine Carabao Center; Republic Central Colleges in Angeles City; and Laguna State Polytechnic University
data subjects, whose personal data were made available for download via links posted on Facebook
Did not notify regarding breach
the right of an individual not to have private information about himself
disclosed, and to live free from surveillance and intrusion
Data Privacy Act of 2012 (DPA, RA No. 10173) A comprehensive and strict privacy legislation
“To protect the fundamental human right of privacy, of communication while ensuring free flow of information to promote innovation and growth.” (Republic Act No. 10173, Chapter 1, Section 2)
Created the National Privacy Commission as the implementing agency
Right to Be Informed
Right to Access
Right to Object
Right to Erasure or Blocking
Right to Damages
Right to File a Complaint
Right to Data Portability
Uphold the rights of data
subjects
Personal information refers to any information whether
recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.
Apparent, can be reasonably ascertained, when put together…
Full name, birthdate, and address, information is unique that it cannot be anyone else
Fingerprint (NBI?) together with other information
• Ana • 18 Sampaloc St., Manila• 4424647
Sensitive Personal Information (SPI)
Race, ethnic origin, marital status, age, color, religious, philosophical or political affiliation;
SPI
Health, education, genetic or sexual life, or to any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings;
SPI Government issued number such as social
security numbers, previous or current health records, licenses or denials, suspension or revocation, and tax returns; and
Specifically established by executive order or an act of Congress to be kept classified.
SEC. 4. Scope
This Act does not apply to the following:(a) an officer or employee of a government institution that relates to the position or functions of the individual, including: (1) The fact that the individual is or was an officer or
employee of the government institution; (2) The title, business address and office telephone
number of the individual; (3) The classification, salary range and responsibilities of
the position held by the individual; and (4) The name of the individual on a document prepared
by the individual in the course of employment with the government;
b) Information about an individual with contract in a government institution that relates to the services performed: terms of the contract, and name of the individual;
(c) Information relating to any discretionary benefit given by the government to an individual: the name, exact nature of the benefit;
(d) Personal information processed for journalistic, artistic, literary or research purposes;
(e) Information necessary to carry out the functions of public authority : i.e. independent, central monetary authority and law enforcement and regulatory agencies of their constitutionally and statutorily mandated functions.
Who are required to register
NPC Circular No. 17-01 dated 31 July 2017Subject to mandatory registration requirement:
1. Government branches, bodies or entities, including National Government Agencies, Bureaus or Offices, Constitutional Commissions, Local Government Units, Government-Owned and –Controlled Corporations;
2. Banks and Non-Bank Financial Institutions, including Pawnshops, Non-Stock Savings and Loan Associations (NSSLAS);
3. Telecommunications Networks, ISPs, and providers of similar services;
4. BPOs
5. Schools and Training Institutions;
Who are required to register
6. Hospitals including Primary Care Facilities, Multi-Specialty Clinics, Custodial Care Facilities, Diagnostic or Therapeutic Facilities, Specialized Out Patient Facilities, and Other Organizations processing genetic data; 7. Providers of Insurance Undertakings, including Life and Nonlife Companies, Pre-Need Companies and Insurance Brokers; 8. Business involved mainly in Direct Marketing, Networking and Companies providing Reward Cards and Loyalty Programs; 9. Pharmaceutical Companies engaged in Research; and 10. PIPs processing Personal Data for a PIC included in the preceding items, and Data Processing Systems involving Automated Decision-Making.
ALL OTHER PICs OR PIPs SHOULD REGISTER IF (a) IT EMPLOYS AT LEAST 250 PERSONS OR (b) IS PROCESSING AT LEAST 1,000 RECORDS INVOLVING SENSITIVE PERSONAL INFORMATION.
Processingrefers to any operation or any set of operations performed upon personal information including, but not limited to:
Collection Recording Organizing Storing Using Updating or
modifying
RetrievingConsolidating Blocking Erasing Destroying
Registration requirement
PHASE 1: DPO RegistrationSeptember 9, 2017
PHASE 2: Data Privacy System Registration
March 8, 2018
Data Protection Officer Primarily accountable for
organization’s compliance with the DPA
Liaise between the organization and NPC
Must be organic/full time employee If bound by contract, period must be
at least 2 years
Appoint a DPO
What are PICs and PIPs?
those who decide what personal data is collected and how it
is processed (e.g. Insurance Company,
Hospital, Bank)
Personal Information Controller
(PIC)
those who process data upon the instructions of a PIC (e.g. service
provider, external lab, IT vendor)
Personal Information Processor
(PIP)
PICs and PIPs are required to have a privacy program
Privacy Program should include: Organizational Security Measures Physical Security Measures Technical Security Measures
DATA PRIVACY PRINCIPLES
TRANSPARENCY Data subject must be aware of the nature,
purpose and extent of the processing: Risk and safeguards Identity of PIC Rights of the data subject
DATA PRIVACY PRINCIPLES
TRANSPARENCYLEGITIMATE PURPOSEPROPORTIONALITY
DATA PRIVACY PRINCIPLES
Legitimate Purpose Compatible with the declared purpose NOT against law, morals, public policy
DATA PRIVACY PRINCIPLES
PROPORTIONALITY Adequate Relevant Suitable Necessary and NOT excessive in relation to the declared
purpose
Criteria for Legitimate Processing
ConsentContractCompliance with legal obligationVital Interest Legitimate interestPublic Interest (order, safety,
fundamental rights & freedom)
Requirement of Technical, Administrative and Physical Security in Government
Special Sections in RA 10173 and emphasized in the IRR further specified in NPC Circular No. 16-01
Sections 22 and 23 of the DPA are further explained by the NPC in its Circular No. 16-01 pursuant to its functions to develop, promulgate, review or amend rules and regulations for the effective implementation of the Act.Circular No. 16-01 governs the security of personal data in government agencies
SECTION 4. General Obligations (NPC Circ. No. 16-01)
1. Commit to Comply2. Know Your Risks3. Be Accountable:
Create your Privacy Management Program and Privacy Manual
4. Demonstrate your Compliance: Implementation
5. Be prepared for Breach
conduct a Privacy Impact Assessment (Sec.5)
create privacy and data protection policies (Sec. 6)
conduct a mandatory, agency-wide training on privacy and data protection policies once a year:
register its data processing systems with the Commission
cooperate with the Commission when the agency’s privacy and data protection policies are subjected to review and assessment
Covered by the five pillars
RULE II.STORAGE OF PERSONAL DATA (NPC Circ. 16-01)
Personal data being processed by a government agency shall be stored in a data center, which may or may not be owned and controlled by such agency (Sec. 7)
Encryption of Personal Data. All personal data that are digitally processed must be encrypted, whether at rest or in transit. (Sec. 8) Advanced Encryption Standard with a key size of 256 bits
(AES-256) – NPC recommended A password policy should be issued and enforced through
a system management tool.
Service Provider, Audit, (NPC Circ. 16-01). Service provider shall function as a personal information Processor
(Section 10).
The Commission reserves the right to audit a government agency’s data center, or, where applicable, that of its service provider (Section 11).
Independent verification or certification by a reputable third party may also be accepted by the Commission.
ISO/IEC 27018 NPC’s recommendation as the most appropriate certification for the service or function provided by a service provider (Sec. 12)
Archives are covered by the requirements under the DPA
SEC. 23 DPA and Section 31 IRR. Requirements Relating to Access by Agency Personnel to Sensitive Personal Information
a) On-site and Online Access1) employee has received a security clearance from the head of the source agency (agency which originally collected the personal data).
Security clearance shall only be granted when:
performance of official functions/ provision of a public service directly depends on and cannot otherwise be performed unless access to the personal data is allowed
2) Source agency strictly regulate access to sensitive personal information under its custody or control
NPC Circ. 16-01SECTION 9. Restricted Access
should be enforced by an access control system that records when, where, and by whom the data centers are accessed.
Access records and procedures shall be reviewed by agency management regularly
Online access to sensitive personal information shall be subject to the following conditions (DPA):
(a) information technology governance framework; (b) Sufficient organizational, physical and technical
security measures; (c) The agency protects sensitive personal
information in accordance with recognized data privacy practices and standards;
(d) online access to sensitive personal information necessary for the performance of official functions or the provision of a public service.
NPC Circ. No. 16-01
Only programs developed or licensed by a government agency shall be allowed (Section 14)
A government agency shall strictly regulate access to personal data under its control or custody.
A copy of each security clearance must be filed with the agency’s Data Protection Officer (Sec. 15).
(b) Off-site Access (DPA):
sensitive personal information maintained by an agency may not be transported or accessed from a location off government property except: request for such transportation or access approved
by the head of the agency in accordance with the following guidelines:(1) must be approved within 2 days from request otherwise, deemed DENIED
(b) Off-site Access (DPA):
(2) Limit is One thousand (1,000) records at a time; and(3) Encryption – Any technology shall be secured by the use of the most secure encryption standard recognized by the Commission.
The requirements of this subsection shall be implemented not later than six (6) months after the date of the enactment of this Act (2012).
SEC. 24. Applicability to Government Contractors
Contract involving SPI of =>1000 individuals
contractor and its employees with registered personal information processing system
Compliant with the DPA
Data Sharing Agreement
Access to personal data by independent contractors, consultants, and service providers engaged by a government agency shall be governed by strict procedures contained in formal contracts (Section 16)
Each government agency shall have an up-to-date Acceptable Use Policy regarding the use by agency personnel of information and communications technology- this policy may also contain the other requirements
set forth in the other sections of the Circular.
Data Sharing Agreement
Access by other parties to personal data under the control or custody of a government agency shall be governed by data sharing agreements (Sec. 23)
NPC Circular No. 16-02. DATA SHARING AGREEMENTS INVOLVING GOVERNMENT AGENCIES
NPC Circular No. 16-02. DATA SHARING AGREEMENTS INVOLVING GOVERNMENT AGENCIES
Scope: 1) personal data under the control or custody of a
government agency that is being shared with or transferred to a third party for the purpose of performing a public function, or providing of a public service
2) personal data under the control or custody of a private entity that is being shared with or transferred to a government agency
3) custody of a PIP only allowed under instructions of PIC
REQUIREMENTS FOR DATA SHARING:
consent (prior to collection and processing, Sec. 4) adhere to DPA principles (Sec. 5) Must contain the following (Sec 6):
1. Specify Purpose2. Specify all PICs:3. Specify terms of agreement4. Overview of the operational details of the sharing5. General description of security measures6. Data subject access7. Specify rules for online access8. Specify PIC responsible for information request9. Identify method for the secure return, destruction or disposal of data and timeline10. Specify other terms and conditions
Prior Consultation (Sec. 11)
Prior to execution:1. the Commission;2. any person or organization (recognized as
representing the interests of the classes of data subjects whose personal data will be shared; and
3. any other person or organization the parties to the proposed data sharing agreement deem necessary.
Not compulsory but may help in case of breach
Review of the Agreement
By the Commission’s own initiative or upon complaint (Sec 13)
Mandatory periodic review by the parties:
End of term and after subsequent extensions- Must be recorded (Sec 14)
Termination (Sec. 16)
A. upon the expiration of its term, or any valid extension thereof;B. upon the agreement by all parties;C. upon a breach of its provisions by any of the parties; orD. where there is disagreement, upon a finding by the
Commission that its continued operation is no longer necessary, or is contrary to public interest or public policy
The Commission may motu proprio terminate: Breach of provisions Violation of PDA and its rules
Return, Destruction, or Disposal of Transferred Personal Data (Sec. 17)
Upon termination of agreement Penalties: compliance and enforcement orders, cease
and desist orders, temporary or permanent ban on the processing of personal data
payment of fines ground for administrative and disciplinary
sanctions against any erring public officer
OPERATIONAL COMPLIANCE FRAMEWORK
STRATEGIC MANAGEMENT==>
CUDS
A
P
S
R
STRATEGIC MANAGEMENT
Establish a privacy program Develop the mission & vision statement Develop the privacy strategy Structure the privacy team –privacy governance
modelAppoint the DPO Identify who needs to get involved
Head of Office/Agency DPO & COP Usec./ Asec/Department Heads HR, Accounting…..
C=>U=>D=>S
THE INFORMATION LIFE CYCLE:Collection=>Use=>Disclose/Transfer=>
Store/Dispose
Transparency, Proportionality, Legitimacy
C=>U=>D=>S
CollectionCollection Limitation Purpose SpecificationLawful Processing
C=>U=>D=>S
Use Purpose & Use limitationAccuracy
C=>U=>D=>S
Disclose/Share/Transfer Data is being transferred to another
office, local or overseas service provider/PIP
ContractsVendor Audit
C=>U=>D=>SStore/Retain/Dispose
- retention limitation- information security
Confidentiality IntegrityAvailability
A=>P=>S=>R
PRIVACY MANAGEMENT OPERATIONAL LIFECYCLE
ASSESS =>PROTECT =>SUSTAIN=>RESPOND
A=>P=>S=>RASSESS (data, systems, processes): To identify/determine the gaps Determine maturity level (ad hoc, repeatable, defined, managed,
optimized) Personal data inventory Identify privacy players Data mapping (CUDS)
Risk Assessment
Assess against: Laws, regulations, privacy groups standards, industry frameworks
A=>P=>S=>RPROTECT: HOW: POLICIES, PROCESSES & ACTIONSTOOLS: Privacy by Design (PbD) Data Lifecyle Management (DLM) Privacy Impact Assessment (PIA) Info Sec: technical, administrative/organizational,
physical
A=>P=>S=>RSUSTAIN: Monitor: compliance, changes to regulations, risks
(internal and externals attacks/threats), conditions, breaches, complaints, etc.
Audit: systematic and independent examination/evaluation
Communicate: create awareness, cascade policies, training
Update: identify areas for improvement; adjust policies to reflect changes and new developments (reflect in privacy policy and privacy notice)
A=>P=>S=>RRESPOND:
Managing information requestsMeeting legal compliancePlanning for incident responseHandling privacy incidents
A=>P=>S=>RStages—
Discovery/report/complaint => investigate Contain and analyze Notify: Determine when to notify
NPC 72- hour requirement
Nature of breach: nature of data breached, number of individuals affected, gravity of consequence of the breach, organization’s ability to mitigate the risk
Eradicate or prevent
A=>P=>S=>R
Incident Planning/Incident Response Plan[People + Process + Resources]
Key Roles and Responsibilities – of each key department and officers of the entity
Execution timeline Progress Reporting Response evaluation and modification
The image cannot be displayed. Your computer may not have enough memory to open the image, or the image may have been corrupted. Restart your computer, and then open the file again. If the red x still appears, you may have to delete the image and then insert it again.
Additional penalty for a public officer
SEC. 36. Offense Committed by Public Officer. – accessory penalty consisting in the
disqualification to occupy public office for a term double the term of criminal penalty imposed shall he applied.
Thank you!