SlideShare uma empresa Scribd logo

Data Privacy - Security of Personal Information

JDP Consulting
JDP Consulting

Philippine Data Privacy Law (R.A. 10173) requires observance of Security of Personal Information. Summary of Presentation: 1) Security of Personal Information is mandated of Personal Information Controller and their engaged Contractors (or 3rd Parties). 2) The standards for protection measures are two-fold: reasonable and appropriate. 3) Measures should be organizational, physical, and technical. 4) Strict confidentiality is required to be observed by: PIC Employees, PIC Agents, and PIC Representatives. 5) Notification requirement is mandated upon compromise of sensitive personal information and identity-fraud enabler information.

Direito
1 de 15
Baixar para ler offline
Security of Personal Information Basics of Philippine Data Privacy Law for Non-Lawyers
Standards The law sets for a minimum standard for Security of Personal Information. Data Privacy Law requires Personal Information Controllers (PIC) to implement measures that are: reasonable and appropriate. These two-fold standards are the test by which the security of personal information shall be adjudged. Since what is “reasonable” and “appropriate” are not specific, it is expected that implementation will vary from one industry to another. Supreme Court decisions (i.e. jurisprudence) will set the precedence as to what would constitute reasonable and appropriate as the law develops. Reference: Section 20 (a) and (b), R.A. 10173
Standards Coverage: 1) Personal Information Controllers (PIC); 2) PIC-engaged Contractors (or 3rd Parties). The standards for Security of Personal Information apply to the them. Reference: Section 20 (a) and (b), R.A. 10173
Organizational, Physical, Technical The personal information controller must implement reasonable and appropriate organizational, physical and technical measures intended for the protection of personal information against any accidental or unlawful destruction, alteration and disclosure, as well as against any other unlawful processing. Measures to be implemented have to be: 1) Organizational – PIC as an organization or a company should have systems, processes, and practice in place for Data Privacy compliance. 2) Physical – A PIC should have physical technological, device, or equipment that can enforce protection for personal information. 3) Technical – A PIC should have technical knowledge on personal data protection. Reference: Section 20 (a), R.A. 10173
Standards: Security of Personal Info The personal information controller shall implement reasonable and appropriate measures to protect personal information against natural dangers such as accidental loss or destruction, and human dangers such as unlawful access, fraudulent misuse, unlawful destruction, alteration and contamination. 2 Kinds of Dangers: (1) Natural Dangers, and (2) Human Dangers Natural Dangers, by definition, are those that are non-human related such as force majeure as in fires, typhoons, calamities, and analogous thereto. Human Dangers are those that are man-made such as hacking, cybercrime, unlawful access, fraudulent misuse, and analogous thereto. Reference: Section 20 (b), R.A. 10173
Standards: Security of Personal Info The determination of the appropriate level of security under this section must take into account the nature of the personal information to be protected, the risks represented by the processing, the size of the organization and complexity of its operations, current data privacy best practices and the cost of security implementation. When designing a security measure, the above factors should be considered as a matter of compliance with the Data Privacy Law. Non-compliance of the above factors may result in liabilities. Reference: Section 20 (c), R.A. 10173
Standards: Security of Personal Info … Subject to guidelines as the Commission may issue from time to time, the measures implemented must include: (1) Safeguards to protect its computer network against accidental, unlawful or unauthorized usage or interference with or hindering of their functioning or availability; (2) A security policy with respect to the processing of personal information; (3) A process for identifying and accessing reasonably foreseeable vulnerabilities in its computer networks, and for taking preventive, corrective and mitigating action against security incidents that can lead to a security breach; and (4) Regular monitoring for security breaches and a process for taking preventive, corrective and mitigating action against security incidents that can lead to a security breach. The security measures should thus be as comprehensive as possible. Reference: Section 20 (c), R.A. 10173
Security Measures: 3rd Parties by PIC The personal information controller must further ensure that third parties processing personal information on its behalf shall implement the security measures required by this provision. If PIC contracts out processing of personal information, the PIC is required to ensure that the engaged Contractor (or 3rd party) shall comply with the security measures required by the Data Privacy Law. The PIC may be held liable for non-compliance of the contractor. Reference: Section 20 (d), R.A. 10173
Strict Confidentiality for PIC Personnel The employees, agents or representatives of a personal information controller who are involved in the processing of personal information shall operate and hold personal information under strict confidentiality if the personal information are not intended for public disclosure. This obligation shall continue even after leaving the public service, transfer to another position or upon termination of employment or contractual relations. The obligation survives (or continues) despite: lateral transfer, leaving employment, or after contractual relations. Coverage: (1) PIC Employees; (2) PIC Agents; and (3) PIC Representatives. Reference: Section 20 (e), R.A. 10173
Notification Requirement The personal information controller shall promptly notify the Commission and affected data subjects when sensitive personal information or other information that may, under the circumstances, be used to enable identity fraud are reasonably believed to have been acquired by an unauthorized person, and the personal information controller or the Commission believes that such unauthorized acquisition is likely to give rise to a real risk of serious harm to any affected data subject. The notification shall at least describe the nature of the breach, the sensitive personal information possibly involved, and the measures taken by the entity to address the breach… Prompt notice is required on the PIC who shall give such to the NPC and the affected Data Subjects. For: Sensitive Personal Information or Identity-Fraud Enabler Information Reference: Section 20 (f), R.A. 10173
Notification Requirement … Notification may be delayed only to the extent necessary to determine the scope of the breach, to prevent further disclosures, or to restore reasonable integrity to the information and communications system. General Rule: Prompt Notification to the NPC and the Data Subject When notice may be delayed: 1) To the extent necessary to determine the scope of the breach; 2) To prevent further disclosures; and 3) To restore reasonable integrity to the information and communications system. Reference: Section 20 (f), R.A. 10173
Notification Requirement When notification may be exempted or postponed: (1) In evaluating if notification is unwarranted, the Commission may take into account compliance by the personal information controller with this section and existence of good faith in the acquisition of personal information. (2) The Commission may exempt a personal information controller from notification where, in its reasonable judgment, such notification would not be in the public interest or in the interests of the affected data subjects. (3) The Commission may authorize postponement of notification where it may hinder the progress of a criminal investigation related to a serious breach. Reference: Section 20 (f), R.A. 10173
Summary 1) Security of Personal Information is mandated of Personal Information Controller and their engaged Contractors (or 3rd Parties). 2) The standards for protection measures are two-fold: reasonable and appropriate. 3) Measures should be organizational, physical, and technical. 4) Strict confidentiality is required to be observed by: PIC Employees, PIC Agents, and PIC Representatives. 5) Notification requirement is mandated upon compromise of sensitive personal information and identity-fraud enabler information.
Security of Personal Information Basics of Philippine Data Privacy Law for Non-Lawyers Atty. Jericho B. Del Puerto SME Business Lawyer For inquiries, comment, or permission to use slides, send us an email : info@jdpconsulting.ph.
Data Privacy - Security of Personal Information

Recomendados

Data Privacy Act in the Philippines
Data Privacy Act in the PhilippinesData Privacy Act in the Philippines
Data Privacy Act in the Philippines
Shirley Ingles-Cruz
 
Basic Data Privacy for Non Lawyers
Basic Data Privacy for Non LawyersBasic Data Privacy for Non Lawyers
Basic Data Privacy for Non Lawyers
JDP Consulting
 
Data Privacy Act of 2012 implication to cooperatives
Data Privacy Act of 2012 implication to cooperativesData Privacy Act of 2012 implication to cooperatives
Data Privacy Act of 2012 implication to cooperatives
jo bitonio
 
Philippine Data Privacy Act of 2012 (RA 10173)
Philippine Data Privacy Act of 2012 (RA 10173)Philippine Data Privacy Act of 2012 (RA 10173)
Philippine Data Privacy Act of 2012 (RA 10173)
Kirk Go
 
Data privacy act
Data privacy actData privacy act
Data privacy act
ansherina erika dejan
 
Data Protection and Privacy
Data Protection and PrivacyData Protection and Privacy
Data Protection and Privacy
Vertex Holdings
 
Digital law
Digital lawDigital law
Digital law
Alieyn_
 
On the cybercrime act
On the cybercrime actOn the cybercrime act
On the cybercrime act
CP-Union
 

Recomendados

Data Privacy Act in the Philippines
Data Privacy Act in the PhilippinesData Privacy Act in the Philippines
Data Privacy Act in the Philippines
Shirley Ingles-Cruz
 
Basic Data Privacy for Non Lawyers
Basic Data Privacy for Non LawyersBasic Data Privacy for Non Lawyers
Basic Data Privacy for Non Lawyers
JDP Consulting
 
Data Privacy Act of 2012 implication to cooperatives
Data Privacy Act of 2012 implication to cooperativesData Privacy Act of 2012 implication to cooperatives
Data Privacy Act of 2012 implication to cooperatives
jo bitonio
 
Philippine Data Privacy Act of 2012 (RA 10173)
Philippine Data Privacy Act of 2012 (RA 10173)Philippine Data Privacy Act of 2012 (RA 10173)
Philippine Data Privacy Act of 2012 (RA 10173)
Kirk Go
 
Data privacy act
Data privacy actData privacy act
Data privacy act
ansherina erika dejan
 
Data Protection and Privacy
Data Protection and PrivacyData Protection and Privacy
Data Protection and Privacy
Vertex Holdings
 
Digital law
Digital lawDigital law
Digital law
Alieyn_
 
On the cybercrime act
On the cybercrime actOn the cybercrime act
On the cybercrime act
CP-Union
 
Anti-voyeurism in the Philippines presentation
Anti-voyeurism in the Philippines presentationAnti-voyeurism in the Philippines presentation
Anti-voyeurism in the Philippines presentation
Trix Rodriguez
 
Data Privacy Act of 2012 (R.A. 10173) Briefing 2017
Data Privacy Act of 2012 (R.A. 10173) Briefing 2017Data Privacy Act of 2012 (R.A. 10173) Briefing 2017
Data Privacy Act of 2012 (R.A. 10173) Briefing 2017
Jay Castillo
 
Unit 6 Privacy and Data Protection 8 hr
Unit 6 Privacy and Data Protection 8 hrUnit 6 Privacy and Data Protection 8 hr
Unit 6 Privacy and Data Protection 8 hr
Tushar Rajput
 
Cybercrime law in the philippines
Cybercrime law in the philippinesCybercrime law in the philippines
Cybercrime law in the philippines
ian_oguis
 
INTEGRATIVE PROGRAMMING ch1.pptx
INTEGRATIVE PROGRAMMING ch1.pptxINTEGRATIVE PROGRAMMING ch1.pptx
INTEGRATIVE PROGRAMMING ch1.pptx
StephenStanleyAndres1
 
Data Privacy & Security
Data Privacy & SecurityData Privacy & Security
Data Privacy & Security
Eryk Budi Pratama
 
Chapter2 the need to security
Chapter2 the need to securityChapter2 the need to security
Chapter2 the need to security
Dhani Ahmad
 
Ethical Issues and Relevant Laws on Computing
Ethical Issues and Relevant Laws on ComputingEthical Issues and Relevant Laws on Computing
Ethical Issues and Relevant Laws on Computing
Laguna State Polytechnic University
 
Privacy and Data Protection
Privacy and Data ProtectionPrivacy and Data Protection
Privacy and Data Protection
Directorate of Information Security | Ditjen Aptika
 
Information Assurance And Security - Chapter 2 - Lesson 1
Information Assurance And Security - Chapter 2 - Lesson 1Information Assurance And Security - Chapter 2 - Lesson 1
Information Assurance And Security - Chapter 2 - Lesson 1
MLG College of Learning, Inc
 
Republic Act 10175: Cybercrime Prevention Act of 2012
Republic Act 10175: Cybercrime Prevention Act of 2012Republic Act 10175: Cybercrime Prevention Act of 2012
Republic Act 10175: Cybercrime Prevention Act of 2012
Michael Roa
 
Computer, E-mail and Internet Usage Policy and Procedure
Computer, E-mail and Internet Usage Policy and ProcedureComputer, E-mail and Internet Usage Policy and Procedure
Computer, E-mail and Internet Usage Policy and Procedure
The Pathway Group
 
“Privacy Today” Slide Presentation
“Privacy Today” Slide Presentation “Privacy Today” Slide Presentation
“Privacy Today” Slide Presentation
tomasztopa
 
The Philippine Bill of Rights: Political and Legal Rights
The Philippine Bill of Rights: Political and Legal RightsThe Philippine Bill of Rights: Political and Legal Rights
The Philippine Bill of Rights: Political and Legal Rights
brianbelen
 
Data Privacy Compliance
Data Privacy ComplianceData Privacy Compliance
Data Privacy Compliance
Financial Poise
 
Privacy , Security and Ethics Presentation
Privacy , Security and Ethics PresentationPrivacy , Security and Ethics Presentation
Privacy , Security and Ethics Presentation
Hajarul Cikyen
 
[Webinar Slides] Developing a Successful Data Retention Policy
[Webinar Slides] Developing a Successful Data Retention Policy [Webinar Slides] Developing a Successful Data Retention Policy
[Webinar Slides] Developing a Successful Data Retention Policy
AIIM International
 
Confidentiality training
Confidentiality trainingConfidentiality training
Confidentiality training
Sherin_26
 
Privacy in simple
Privacy in simplePrivacy in simple
Privacy in simple
Aurora Computer Studies
 
Security v. Privacy: the great debate
Security v. Privacy: the great debateSecurity v. Privacy: the great debate
Security v. Privacy: the great debate
David Strom
 
Data Protection Bill 2019 Participative Role of General Public
Data Protection Bill 2019 Participative Role of General PublicData Protection Bill 2019 Participative Role of General Public
Data Protection Bill 2019 Participative Role of General Public
ijtsrd
 
Tech Connect Live 30th May 2018 ,GDPR Summit Hugh jones
Tech Connect Live 30th May 2018 ,GDPR Summit Hugh jonesTech Connect Live 30th May 2018 ,GDPR Summit Hugh jones
Tech Connect Live 30th May 2018 ,GDPR Summit Hugh jones
Events2018
 

Mais conteúdo relacionado

Mais procurados

Cybercrime law in the philippines
Cybercrime law in the philippinesCybercrime law in the philippines
Cybercrime law in the philippines
ian_oguis
 
Data Privacy Compliance
Data Privacy ComplianceData Privacy Compliance
Data Privacy Compliance
Financial Poise
 
Privacy , Security and Ethics Presentation
Privacy , Security and Ethics PresentationPrivacy , Security and Ethics Presentation
Privacy , Security and Ethics Presentation
Hajarul Cikyen
 

Mais procurados (20)

Anti-voyeurism in the Philippines presentation
Anti-voyeurism in the Philippines presentationAnti-voyeurism in the Philippines presentation
Anti-voyeurism in the Philippines presentation
 
Data Privacy Act of 2012 (R.A. 10173) Briefing 2017
Data Privacy Act of 2012 (R.A. 10173) Briefing 2017Data Privacy Act of 2012 (R.A. 10173) Briefing 2017
Data Privacy Act of 2012 (R.A. 10173) Briefing 2017
 
Unit 6 Privacy and Data Protection 8 hr
Unit 6 Privacy and Data Protection 8 hrUnit 6 Privacy and Data Protection 8 hr
Unit 6 Privacy and Data Protection 8 hr
 
Cybercrime law in the philippines
Cybercrime law in the philippinesCybercrime law in the philippines
Cybercrime law in the philippines
 
INTEGRATIVE PROGRAMMING ch1.pptx
INTEGRATIVE PROGRAMMING ch1.pptxINTEGRATIVE PROGRAMMING ch1.pptx
INTEGRATIVE PROGRAMMING ch1.pptx
 
Data Privacy & Security
Data Privacy & SecurityData Privacy & Security
Data Privacy & Security
 
Chapter2 the need to security
Chapter2 the need to securityChapter2 the need to security
Chapter2 the need to security
 
Ethical Issues and Relevant Laws on Computing
Ethical Issues and Relevant Laws on ComputingEthical Issues and Relevant Laws on Computing
Ethical Issues and Relevant Laws on Computing
 
Privacy and Data Protection
Privacy and Data ProtectionPrivacy and Data Protection
Privacy and Data Protection
 
Information Assurance And Security - Chapter 2 - Lesson 1
Information Assurance And Security - Chapter 2 - Lesson 1Information Assurance And Security - Chapter 2 - Lesson 1
Information Assurance And Security - Chapter 2 - Lesson 1
 
Republic Act 10175: Cybercrime Prevention Act of 2012
Republic Act 10175: Cybercrime Prevention Act of 2012Republic Act 10175: Cybercrime Prevention Act of 2012
Republic Act 10175: Cybercrime Prevention Act of 2012
 
Computer, E-mail and Internet Usage Policy and Procedure
Computer, E-mail and Internet Usage Policy and ProcedureComputer, E-mail and Internet Usage Policy and Procedure
Computer, E-mail and Internet Usage Policy and Procedure
 
“Privacy Today” Slide Presentation
“Privacy Today” Slide Presentation “Privacy Today” Slide Presentation
“Privacy Today” Slide Presentation
 
The Philippine Bill of Rights: Political and Legal Rights
The Philippine Bill of Rights: Political and Legal RightsThe Philippine Bill of Rights: Political and Legal Rights
The Philippine Bill of Rights: Political and Legal Rights
 
Data Privacy Compliance
Data Privacy ComplianceData Privacy Compliance
Data Privacy Compliance
 
Privacy , Security and Ethics Presentation
Privacy , Security and Ethics PresentationPrivacy , Security and Ethics Presentation
Privacy , Security and Ethics Presentation
 
[Webinar Slides] Developing a Successful Data Retention Policy
[Webinar Slides] Developing a Successful Data Retention Policy [Webinar Slides] Developing a Successful Data Retention Policy
[Webinar Slides] Developing a Successful Data Retention Policy
 
Confidentiality training
Confidentiality trainingConfidentiality training
Confidentiality training
 
Privacy in simple
Privacy in simplePrivacy in simple
Privacy in simple
 
Security v. Privacy: the great debate
Security v. Privacy: the great debateSecurity v. Privacy: the great debate
Security v. Privacy: the great debate
 

Semelhante a Data Privacy - Security of Personal Information

Data Protection Bill 2019 Participative Role of General Public
Data Protection Bill 2019 Participative Role of General PublicData Protection Bill 2019 Participative Role of General Public
Data Protection Bill 2019 Participative Role of General Public
ijtsrd
 
The new massachusetts privacy rules v5.35.1
The new massachusetts privacy rules v5.35.1The new massachusetts privacy rules v5.35.1
The new massachusetts privacy rules v5.35.1
stevemeltzer
 
The New Massachusetts Privacy Rules V4
The New Massachusetts Privacy Rules V4The New Massachusetts Privacy Rules V4
The New Massachusetts Privacy Rules V4
stevemeltzer
 
The New Massachusetts Privacy Rules V4
The New Massachusetts Privacy Rules V4The New Massachusetts Privacy Rules V4
The New Massachusetts Privacy Rules V4
stevemeltzer
 
The New Massachusetts Privacy Rules V4
The New Massachusetts Privacy Rules V4The New Massachusetts Privacy Rules V4
The New Massachusetts Privacy Rules V4
stevemeltzer
 
Data protection in_india
Data protection in_indiaData protection in_india
Data protection in_india
Altacit Global
 
Information Security
Information SecurityInformation Security
Information Security
ikonick
 

Semelhante a Data Privacy - Security of Personal Information (20)

Data Protection Bill 2019 Participative Role of General Public
Data Protection Bill 2019 Participative Role of General PublicData Protection Bill 2019 Participative Role of General Public
Data Protection Bill 2019 Participative Role of General Public
 
Tech Connect Live 30th May 2018 ,GDPR Summit Hugh jones
Tech Connect Live 30th May 2018 ,GDPR Summit Hugh jonesTech Connect Live 30th May 2018 ,GDPR Summit Hugh jones
Tech Connect Live 30th May 2018 ,GDPR Summit Hugh jones
 
All_you_need_to Know_About_the_Data_Privacy_Act.pdf
All_you_need_to Know_About_the_Data_Privacy_Act.pdfAll_you_need_to Know_About_the_Data_Privacy_Act.pdf
All_you_need_to Know_About_the_Data_Privacy_Act.pdf
 
Legal Issues in Data Privacy and Security: Response Readiness Before the Breach
Legal Issues in Data Privacy and Security: Response Readiness Before the BreachLegal Issues in Data Privacy and Security: Response Readiness Before the Breach
Legal Issues in Data Privacy and Security: Response Readiness Before the Breach
 
IIAC Young Agents - Protecting Your Insureds\' Private Information
IIAC Young Agents - Protecting Your Insureds\' Private InformationIIAC Young Agents - Protecting Your Insureds\' Private Information
IIAC Young Agents - Protecting Your Insureds\' Private Information
 
Group 5 Banking Laws Semi Finals.pptx
Group 5 Banking Laws Semi Finals.pptxGroup 5 Banking Laws Semi Finals.pptx
Group 5 Banking Laws Semi Finals.pptx
 
Legal aspects of IT Security-at ISACA conference 2011
Legal aspects of IT Security-at ISACA conference 2011Legal aspects of IT Security-at ISACA conference 2011
Legal aspects of IT Security-at ISACA conference 2011
 
The new massachusetts privacy rules v5.35.1
The new massachusetts privacy rules v5.35.1The new massachusetts privacy rules v5.35.1
The new massachusetts privacy rules v5.35.1
 
The New Massachusetts Privacy Rules V4
The New Massachusetts Privacy Rules V4The New Massachusetts Privacy Rules V4
The New Massachusetts Privacy Rules V4
 
The New Massachusetts Privacy Rules V4
The New Massachusetts Privacy Rules V4The New Massachusetts Privacy Rules V4
The New Massachusetts Privacy Rules V4
 
The New Massachusetts Privacy Rules V4
The New Massachusetts Privacy Rules V4The New Massachusetts Privacy Rules V4
The New Massachusetts Privacy Rules V4
 
Data protection in_india
Data protection in_indiaData protection in_india
Data protection in_india
 
The New Massachusetts Privacy Rules (February 2, 2010)
The New Massachusetts Privacy Rules (February 2, 2010)The New Massachusetts Privacy Rules (February 2, 2010)
The New Massachusetts Privacy Rules (February 2, 2010)
 
GDPR, Data Privacy.
GDPR, Data Privacy.GDPR, Data Privacy.
GDPR, Data Privacy.
 
28 CFR Part 23-CRIMINAL INTELLIGENCE SYSTEMS OPERATING POLICIES.pdf
28 CFR Part 23-CRIMINAL INTELLIGENCE SYSTEMS OPERATING POLICIES.pdf28 CFR Part 23-CRIMINAL INTELLIGENCE SYSTEMS OPERATING POLICIES.pdf
28 CFR Part 23-CRIMINAL INTELLIGENCE SYSTEMS OPERATING POLICIES.pdf
 
Chapter 3 legal framework of cybercrime and law enforcement tools
Chapter 3 legal framework of cybercrime and law enforcement toolsChapter 3 legal framework of cybercrime and law enforcement tools
Chapter 3 legal framework of cybercrime and law enforcement tools
 
Advisory April Showers 02.19.2009
Advisory April Showers 02.19.2009Advisory April Showers 02.19.2009
Advisory April Showers 02.19.2009
 
Principles of mobile privacy
Principles of mobile privacyPrinciples of mobile privacy
Principles of mobile privacy
 
Box 10
Box 10Box 10
Box 10
 
Information Security
Information SecurityInformation Security
Information Security
 

Mais de JDP Consulting

Mais de JDP Consulting (20)

Data Privacy - Penalties for Non-Compliance
Data Privacy - Penalties for Non-ComplianceData Privacy - Penalties for Non-Compliance
Data Privacy - Penalties for Non-Compliance
 
Data Privacy- Security of Sensitive Personal Information
Data Privacy- Security of Sensitive Personal InformationData Privacy- Security of Sensitive Personal Information
Data Privacy- Security of Sensitive Personal Information
 
Data Privacy - Rights of the Data Subject
Data Privacy - Rights of the Data SubjectData Privacy - Rights of the Data Subject
Data Privacy - Rights of the Data Subject
 
Philippine Franchising Law
Philippine Franchising LawPhilippine Franchising Law
Philippine Franchising Law
 
Unfair Labor Practice
Unfair Labor PracticeUnfair Labor Practice
Unfair Labor Practice
 
DOLE D.O. 147-15
DOLE D.O. 147-15DOLE D.O. 147-15
DOLE D.O. 147-15
 
What is Control in Contracting and Subcontracting?
What is Control in Contracting and Subcontracting?What is Control in Contracting and Subcontracting?
What is Control in Contracting and Subcontracting?
 
DOLE D.O. 174-17 vs. DOLE D.O. 18-A-11
DOLE D.O. 174-17 vs. DOLE D.O. 18-A-11DOLE D.O. 174-17 vs. DOLE D.O. 18-A-11
DOLE D.O. 174-17 vs. DOLE D.O. 18-A-11
 
Pag-IBIG Benefits
Pag-IBIG BenefitsPag-IBIG Benefits
Pag-IBIG Benefits
 
SSS Benefits
SSS BenefitsSSS Benefits
SSS Benefits
 
PhilHealth Benefits
PhilHealth BenefitsPhilHealth Benefits
PhilHealth Benefits
 
ECC Benefits
ECC BenefitsECC Benefits
ECC Benefits
 
Retirement Pay
Retirement PayRetirement Pay
Retirement Pay
 
Separation Pay
Separation PaySeparation Pay
Separation Pay
 
13th Month Pay
13th Month Pay13th Month Pay
13th Month Pay
 
Special Leave for Women
Special Leave for WomenSpecial Leave for Women
Special Leave for Women
 
VAWC Leave
VAWC LeaveVAWC Leave
VAWC Leave
 
Solo Parental Leave
Solo Parental LeaveSolo Parental Leave
Solo Parental Leave
 
Paternity Leave
Paternity LeavePaternity Leave
Paternity Leave
 
Service Incentive Leave
Service Incentive LeaveService Incentive Leave
Service Incentive Leave
 

Último

一比一原版(UC毕业证书)堪培拉大学毕业证如何办理
一比一原版(UC毕业证书)堪培拉大学毕业证如何办理一比一原版(UC毕业证书)堪培拉大学毕业证如何办理
一比一原版(UC毕业证书)堪培拉大学毕业证如何办理
bd2c5966a56d
 
6th sem cpc notes for 6th semester students samjhe. Padhlo bhai
6th sem cpc notes for 6th semester students samjhe. Padhlo bhai6th sem cpc notes for 6th semester students samjhe. Padhlo bhai
6th sem cpc notes for 6th semester students samjhe. Padhlo bhai
ShashankKumar441258
 
一比一原版牛津布鲁克斯大学毕业证学位证书
一比一原版牛津布鲁克斯大学毕业证学位证书一比一原版牛津布鲁克斯大学毕业证学位证书
一比一原版牛津布鲁克斯大学毕业证学位证书
E LSS
 
Appeal and Revision in Income Tax Act.pdf
Appeal and Revision in Income Tax Act.pdfAppeal and Revision in Income Tax Act.pdf
Appeal and Revision in Income Tax Act.pdf
PoojaGadiya1
 
一比一原版旧金山州立大学毕业证学位证书
一比一原版旧金山州立大学毕业证学位证书 一比一原版旧金山州立大学毕业证学位证书
一比一原版旧金山州立大学毕业证学位证书
SS A
 
Independent Call Girls Pune | 8005736733 Independent Escorts & Dating Escorts...
Independent Call Girls Pune | 8005736733 Independent Escorts & Dating Escorts...Independent Call Girls Pune | 8005736733 Independent Escorts & Dating Escorts...
Independent Call Girls Pune | 8005736733 Independent Escorts & Dating Escorts...
SUHANI PANDEY
 
一比一原版西澳大学毕业证学位证书
一比一原版西澳大学毕业证学位证书 一比一原版西澳大学毕业证学位证书
一比一原版西澳大学毕业证学位证书
SS A
 
一比一原版(QUT毕业证书)昆士兰科技大学毕业证如何办理
一比一原版(QUT毕业证书)昆士兰科技大学毕业证如何办理一比一原版(QUT毕业证书)昆士兰科技大学毕业证如何办理
一比一原版(QUT毕业证书)昆士兰科技大学毕业证如何办理
bd2c5966a56d
 
Audience profile - SF.pptxxxxxxxxxxxxxxxxxxxxxxxxxxx
Audience profile - SF.pptxxxxxxxxxxxxxxxxxxxxxxxxxxxAudience profile - SF.pptxxxxxxxxxxxxxxxxxxxxxxxxxxx
Audience profile - SF.pptxxxxxxxxxxxxxxxxxxxxxxxxxxx
MollyBrown86
 

Último (20)

Transferable and Non-Transferable Property.pptx
Transferable and Non-Transferable Property.pptxTransferable and Non-Transferable Property.pptx
Transferable and Non-Transferable Property.pptx
 
How do cyber crime lawyers in Mumbai collaborate with law enforcement agencie...
How do cyber crime lawyers in Mumbai collaborate with law enforcement agencie...How do cyber crime lawyers in Mumbai collaborate with law enforcement agencie...
How do cyber crime lawyers in Mumbai collaborate with law enforcement agencie...
 
一比一原版(UC毕业证书)堪培拉大学毕业证如何办理
一比一原版(UC毕业证书)堪培拉大学毕业证如何办理一比一原版(UC毕业证书)堪培拉大学毕业证如何办理
一比一原版(UC毕业证书)堪培拉大学毕业证如何办理
 
LITERAL RULE OF INTERPRETATION - PRIMARY RULE
LITERAL RULE OF INTERPRETATION - PRIMARY RULELITERAL RULE OF INTERPRETATION - PRIMARY RULE
LITERAL RULE OF INTERPRETATION - PRIMARY RULE
 
6th sem cpc notes for 6th semester students samjhe. Padhlo bhai
6th sem cpc notes for 6th semester students samjhe. Padhlo bhai6th sem cpc notes for 6th semester students samjhe. Padhlo bhai
6th sem cpc notes for 6th semester students samjhe. Padhlo bhai
 
Smarp Snapshot 210 -- Google's Social Media Ad Fraud & Disinformation Strategy
Smarp Snapshot 210 -- Google's Social Media Ad Fraud & Disinformation StrategySmarp Snapshot 210 -- Google's Social Media Ad Fraud & Disinformation Strategy
Smarp Snapshot 210 -- Google's Social Media Ad Fraud & Disinformation Strategy
 
MOCK GENERAL MEETINGS (SS-2)- PPT- Part 2.pptx
MOCK GENERAL MEETINGS (SS-2)- PPT- Part 2.pptxMOCK GENERAL MEETINGS (SS-2)- PPT- Part 2.pptx
MOCK GENERAL MEETINGS (SS-2)- PPT- Part 2.pptx
 
Relationship Between International Law and Municipal Law MIR.pdf
Relationship Between International Law and Municipal Law MIR.pdfRelationship Between International Law and Municipal Law MIR.pdf
Relationship Between International Law and Municipal Law MIR.pdf
 
Andrea Hill Featured in Canadian Lawyer as SkyLaw Recognized as a Top Boutique
Andrea Hill Featured in Canadian Lawyer as SkyLaw Recognized as a Top BoutiqueAndrea Hill Featured in Canadian Lawyer as SkyLaw Recognized as a Top Boutique
Andrea Hill Featured in Canadian Lawyer as SkyLaw Recognized as a Top Boutique
 
一比一原版牛津布鲁克斯大学毕业证学位证书
一比一原版牛津布鲁克斯大学毕业证学位证书一比一原版牛津布鲁克斯大学毕业证学位证书
一比一原版牛津布鲁克斯大学毕业证学位证书
 
Appeal and Revision in Income Tax Act.pdf
Appeal and Revision in Income Tax Act.pdfAppeal and Revision in Income Tax Act.pdf
Appeal and Revision in Income Tax Act.pdf
 
一比一原版旧金山州立大学毕业证学位证书
一比一原版旧金山州立大学毕业证学位证书 一比一原版旧金山州立大学毕业证学位证书
一比一原版旧金山州立大学毕业证学位证书
 
Independent Call Girls Pune | 8005736733 Independent Escorts & Dating Escorts...
Independent Call Girls Pune | 8005736733 Independent Escorts & Dating Escorts...Independent Call Girls Pune | 8005736733 Independent Escorts & Dating Escorts...
Independent Call Girls Pune | 8005736733 Independent Escorts & Dating Escorts...
 
一比一原版西澳大学毕业证学位证书
一比一原版西澳大学毕业证学位证书 一比一原版西澳大学毕业证学位证书
一比一原版西澳大学毕业证学位证书
 
Presentation on Corporate SOCIAL RESPONSIBILITY- PPT.pptx
Presentation on Corporate SOCIAL RESPONSIBILITY- PPT.pptxPresentation on Corporate SOCIAL RESPONSIBILITY- PPT.pptx
Presentation on Corporate SOCIAL RESPONSIBILITY- PPT.pptx
 
Chp 1- Contract and its kinds-business law .ppt
Chp 1- Contract and its kinds-business law .pptChp 1- Contract and its kinds-business law .ppt
Chp 1- Contract and its kinds-business law .ppt
 
一比一原版(QUT毕业证书)昆士兰科技大学毕业证如何办理
一比一原版(QUT毕业证书)昆士兰科技大学毕业证如何办理一比一原版(QUT毕业证书)昆士兰科技大学毕业证如何办理
一比一原版(QUT毕业证书)昆士兰科技大学毕业证如何办理
 
Doctrine of Part-Performance.ddddddddddppt
Doctrine of Part-Performance.ddddddddddpptDoctrine of Part-Performance.ddddddddddppt
Doctrine of Part-Performance.ddddddddddppt
 
BPA GROUP 7 - DARIO VS. MISON REPORTING.pdf
BPA GROUP 7 - DARIO VS. MISON REPORTING.pdfBPA GROUP 7 - DARIO VS. MISON REPORTING.pdf
BPA GROUP 7 - DARIO VS. MISON REPORTING.pdf
 
Audience profile - SF.pptxxxxxxxxxxxxxxxxxxxxxxxxxxx
Audience profile - SF.pptxxxxxxxxxxxxxxxxxxxxxxxxxxxAudience profile - SF.pptxxxxxxxxxxxxxxxxxxxxxxxxxxx
Audience profile - SF.pptxxxxxxxxxxxxxxxxxxxxxxxxxxx
 

Data Privacy - Security of Personal Information

  • 1. Security of Personal Information Basics of Philippine Data Privacy Law for Non-Lawyers
  • 2. Standards The law sets for a minimum standard for Security of Personal Information. Data Privacy Law requires Personal Information Controllers (PIC) to implement measures that are: reasonable and appropriate. These two-fold standards are the test by which the security of personal information shall be adjudged. Since what is “reasonable” and “appropriate” are not specific, it is expected that implementation will vary from one industry to another. Supreme Court decisions (i.e. jurisprudence) will set the precedence as to what would constitute reasonable and appropriate as the law develops. Reference: Section 20 (a) and (b), R.A. 10173
  • 3. Standards Coverage: 1) Personal Information Controllers (PIC); 2) PIC-engaged Contractors (or 3rd Parties). The standards for Security of Personal Information apply to the them. Reference: Section 20 (a) and (b), R.A. 10173
  • 4. Organizational, Physical, Technical The personal information controller must implement reasonable and appropriate organizational, physical and technical measures intended for the protection of personal information against any accidental or unlawful destruction, alteration and disclosure, as well as against any other unlawful processing. Measures to be implemented have to be: 1) Organizational – PIC as an organization or a company should have systems, processes, and practice in place for Data Privacy compliance. 2) Physical – A PIC should have physical technological, device, or equipment that can enforce protection for personal information. 3) Technical – A PIC should have technical knowledge on personal data protection. Reference: Section 20 (a), R.A. 10173
  • 5. Standards: Security of Personal Info The personal information controller shall implement reasonable and appropriate measures to protect personal information against natural dangers such as accidental loss or destruction, and human dangers such as unlawful access, fraudulent misuse, unlawful destruction, alteration and contamination. 2 Kinds of Dangers: (1) Natural Dangers, and (2) Human Dangers Natural Dangers, by definition, are those that are non-human related such as force majeure as in fires, typhoons, calamities, and analogous thereto. Human Dangers are those that are man-made such as hacking, cybercrime, unlawful access, fraudulent misuse, and analogous thereto. Reference: Section 20 (b), R.A. 10173
  • 6. Standards: Security of Personal Info The determination of the appropriate level of security under this section must take into account the nature of the personal information to be protected, the risks represented by the processing, the size of the organization and complexity of its operations, current data privacy best practices and the cost of security implementation. When designing a security measure, the above factors should be considered as a matter of compliance with the Data Privacy Law. Non-compliance of the above factors may result in liabilities. Reference: Section 20 (c), R.A. 10173
  • 7. Standards: Security of Personal Info … Subject to guidelines as the Commission may issue from time to time, the measures implemented must include: (1) Safeguards to protect its computer network against accidental, unlawful or unauthorized usage or interference with or hindering of their functioning or availability; (2) A security policy with respect to the processing of personal information; (3) A process for identifying and accessing reasonably foreseeable vulnerabilities in its computer networks, and for taking preventive, corrective and mitigating action against security incidents that can lead to a security breach; and (4) Regular monitoring for security breaches and a process for taking preventive, corrective and mitigating action against security incidents that can lead to a security breach. The security measures should thus be as comprehensive as possible. Reference: Section 20 (c), R.A. 10173
  • 8. Security Measures: 3rd Parties by PIC The personal information controller must further ensure that third parties processing personal information on its behalf shall implement the security measures required by this provision. If PIC contracts out processing of personal information, the PIC is required to ensure that the engaged Contractor (or 3rd party) shall comply with the security measures required by the Data Privacy Law. The PIC may be held liable for non-compliance of the contractor. Reference: Section 20 (d), R.A. 10173
  • 9. Strict Confidentiality for PIC Personnel The employees, agents or representatives of a personal information controller who are involved in the processing of personal information shall operate and hold personal information under strict confidentiality if the personal information are not intended for public disclosure. This obligation shall continue even after leaving the public service, transfer to another position or upon termination of employment or contractual relations. The obligation survives (or continues) despite: lateral transfer, leaving employment, or after contractual relations. Coverage: (1) PIC Employees; (2) PIC Agents; and (3) PIC Representatives. Reference: Section 20 (e), R.A. 10173
  • 10. Notification Requirement The personal information controller shall promptly notify the Commission and affected data subjects when sensitive personal information or other information that may, under the circumstances, be used to enable identity fraud are reasonably believed to have been acquired by an unauthorized person, and the personal information controller or the Commission believes that such unauthorized acquisition is likely to give rise to a real risk of serious harm to any affected data subject. The notification shall at least describe the nature of the breach, the sensitive personal information possibly involved, and the measures taken by the entity to address the breach… Prompt notice is required on the PIC who shall give such to the NPC and the affected Data Subjects. For: Sensitive Personal Information or Identity-Fraud Enabler Information Reference: Section 20 (f), R.A. 10173
  • 11. Notification Requirement … Notification may be delayed only to the extent necessary to determine the scope of the breach, to prevent further disclosures, or to restore reasonable integrity to the information and communications system. General Rule: Prompt Notification to the NPC and the Data Subject When notice may be delayed: 1) To the extent necessary to determine the scope of the breach; 2) To prevent further disclosures; and 3) To restore reasonable integrity to the information and communications system. Reference: Section 20 (f), R.A. 10173
  • 12. Notification Requirement When notification may be exempted or postponed: (1) In evaluating if notification is unwarranted, the Commission may take into account compliance by the personal information controller with this section and existence of good faith in the acquisition of personal information. (2) The Commission may exempt a personal information controller from notification where, in its reasonable judgment, such notification would not be in the public interest or in the interests of the affected data subjects. (3) The Commission may authorize postponement of notification where it may hinder the progress of a criminal investigation related to a serious breach. Reference: Section 20 (f), R.A. 10173
  • 13. Summary 1) Security of Personal Information is mandated of Personal Information Controller and their engaged Contractors (or 3rd Parties). 2) The standards for protection measures are two-fold: reasonable and appropriate. 3) Measures should be organizational, physical, and technical. 4) Strict confidentiality is required to be observed by: PIC Employees, PIC Agents, and PIC Representatives. 5) Notification requirement is mandated upon compromise of sensitive personal information and identity-fraud enabler information.
  • 14. Security of Personal Information Basics of Philippine Data Privacy Law for Non-Lawyers Atty. Jericho B. Del Puerto SME Business Lawyer For inquiries, comment, or permission to use slides, send us an email : info@jdpconsulting.ph.