PRINCIPLES OF PROCESSING DATA SUBJECT INFORMATION

To provide a clear guide regarding the processing of data subject information in accordance with RA 10173, the Data Privacy Act of 2012. It is the policy of the State to protect the fundamental human right of privacy of communication while ensuring free flow of information to promote innovation and growth. The State recognizes the vital role of information and communications technology in nation-building and its inherent obligation to ensure that personal information in information and communications systems in the government and in the private sector is secured and protected.

This applies to all the procedures of St Dominic College of Asia (SDCA) where processing of the data subject information is involved.

Consent of the data subject refers to any freely given, specific, informed indication of will, whereby the data subject agrees to the collection and processing of personal information about and/or relating to him or her. Consent shall be evidenced by written, electronic or recorded means. It may also be given on behalf of the data subject by an agent specifically authorized by the data subject to do so.

Data subject refers to an individual whose personal information is processed.

Direct marketing refers to communication by whatever means of any advertising or marketing material which is directed to particular individuals.

Filing system refers to any set of information relating to natural or juridical persons to the extent that, although the information is not processed by equipment operating automatically in response to instructions given for that purpose, the set is structured, either by reference to individuals or by reference to criteria relating to individuals, in such a way that specific information relating to a particular person is readily accessible.

Information and Communications System refers to a system for generating, sending, receiving, storing or otherwise processing electronic data messages or electronic documents and includes the computer system or other similar device by or in which data is recorded, transmitted or stored and any procedure related to the recording, transmission or storage of electronic data, electronic message, or electronic document.

Personal information refers to any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.

Personal information controller (PIC) refers to a person or organization who controls the collection, holding, processing or use of personal information, including a person or organization who instructs another person or organization to collect, hold, process, use, transfer or disclose personal information on his or her behalf. The term excludes:

  1. A person or organization who performs such functions as instructed by another person or organization; and
  2. An individual who collects, holds, processes or uses personal information in connection with the individual’s personal, family or household affairs.

Personal information processor (PIP) refers to any natural or juridical person qualified to act as such under this Act to whom a personal information controller may outsource the processing of personal data pertaining to a data subject.

Processing refers to any operation or any set of operations performed upon personal information including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data.

Privileged information refers to any and all forms of data which under the Rules of Court and other pertinent laws constitute privileged communication.

Sensitive personal information refers to personal information:

  1. About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;
  2. About an individual’s health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings;
  3. Issued by government agencies peculiar to an individual which includes, but not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns; and
  4. Specifically established by an executive order or an act of Congress to be kept classified.

Consent is required prior to the collection and processing of personal data, subject to exemptions provided by the Act and other applicable laws and regulations.

When consent is required, it must be time-bound in relation to the declared, specified and legitimate purpose. Consent given may be withdrawn.

The data subject must provide specific information regarding the purpose and extent of processing, including, where applicable, the automated processing of his or her personal data for profiling, or processing for direct marketing and data sharing.

Purpose should be determined and declared before, or as soon as reasonable and practicable after collection.

Only personal data that is necessary and compatible with declared, specified, and legitimate purpose shall be collected.

The data subject must be aware of the nature, purpose, and extent of the processing of his or her personal data, including the risks and safeguards involved, the rights as data subject and how these rights can be exercised.

The data subject must be informed or aware whether personal information pertaining to him or her shall be, are being, or have been processed.

The processing of data subject information should be compatible with a declared and specified purpose which was not contrary to law, morals or public policy.

The data subject has the right to refuse consent and can withdraw the consent anytime.

Waiver of the data subject of his or her data privacy rights shall not be considered as valid consent as required under the DPA (AdOp No. 2017-007).

The data subject has a genuine choice and control over how the PIC uses their data or information.

The processing of the data subject information shall be adequate, relevant, suitable, necessary, and not excessive in relation to the declared and specific purpose.

Personal data shall be processed only if the purpose of the processing of information could not reasonably be fulfilled by other means.

The free flow of the data subject information across the organization is allowed where the information is necessary, valid and legal.

Implement a data protection policy that will maintain the availability, integrity and confidentiality of personal information against accidental or unlawful processing.

Provide limitations on access to workstations or facilities, including proper guidelines that specify the use of and access to electronic media (e.g. locks, back-up protection, and others related thereto).

Provide monitoring guidelines for access to workstations or facilities and electronic media (e.g. locks, back-up protection, and others related thereto).

The data subject is aware of his/her rights and understands how these rights can be exercised. The data subject rights are the following:

  1. Right to be informed
  2. Right to object
  3. Right to access
  4. Right to correct
  5. Right to erasure or blocking
  6. Right to damages
  7. Right to data portability

Ensure that the data subject information is accurate, complete and up-to-date.

Ensure the reliability of the data subject information before processing.

Establish a proper information collection procedure to ensure accuracy and quality of data collected.

Provide a control mechanism to periodically check the accuracy and quality of the collected and stored information from the data subject.

Regularly test, assess, and evaluate the effectiveness of the security measure or security system.

Ensure that reasonable steps are taken to protect all data subject information from misuse and loss and from unauthorized access, modification or disclosure.

All data subject information processing is encrypted prior to transmittal or while at rest.

The employee who handles the processing of the data subject information is considered the personal information processor (PIP).

The assigned PIPs are accountable for compliance with the Data Privacy Act.

The Personal Information Controller (PIC) is accountable for compliance with the Data Privacy Act requirements.

The PIC should provide a comparable level of protection while the information is being processed by a third party.


DATA SUBJECTS RIGHTS

The data subject has the right to be informed whether his/her personal information shall be, is being, or has been processed.

The right to be informed is a basic right of the data subject.

The right to be informed empowers the data subject to consider other action in order to protect and assert the data privacy rights.

Aside from the right to be informed, the data subject also has the reasonable right to access his/her personal information, if:

  1. Contents of the data subject information were processed;
  2. Sources from which the information was obtained;
  3. Name and address of the recipient is from the data subject;
  4. Manner by which the information of the data subject was processed;
  5. Reason for disclosure of the data subject information;
  6. Information or automated processes where the data will be, or is likely to be, made the sole basis for any decision that would significantly affect the data subject;
  7. Name and address of the personal information controller.

The data subject has the right to dispute any inaccuracy or error in his/her personal data.

The data subject has the right to immediately request correction of the information, unless the request is vexatious or unreasonable.

The PIC should provide receipt of the corrected information and the retracted information by the intended recipient thereof.

The data subject has the right to suspend, withdraw or order the blocking, removal or destruction of the information, on the following conditions:

  1. Personal data is incomplete, outdated, false or unlawfully obtained;
  2. Personal data is being used for a purpose that is not authorized;
  3. Personal data is no longer necessary for the purpose for which the information was collected;
  4. The data subject has decided to withdraw the consent, or object to the processing, and there are no overriding legal grounds for processing;
  5. The processing of the data subject information is unlawful;
  6. The PIP and PIC violated the rights of the data subject.

The data subject has the right to be indemnified for any damages sustained due to such inaccurate, incomplete, outdated, false, or unlawfully obtained personal information, considering any violation of the rights and freedom of the data subject.

Where data subject information is processed electronically, the data subject has the right to obtain from the PIC a copy of such information in an electronic or structured format that is commonly used and allows for further use.

The data subject has control over his/her information based on the consent and contract, for commercial purpose or through automated means.

If the information of the data subject has been misused, maliciously disclosed or improperly disposed, or if any of the data privacy rights have been violated, the data subject has a right to file a complaint with the DPO of the institution/NPC.


SECURITY MEASURES

The Institution should appoint a Data Protection Officer (DPO), who should be a full-time organic employee.

Monitor the compliance of the PIC and PIP with the Data Privacy Act of 2012, IRR, issuances by the NPC and other applicable laws and policies. The DPO may:

  1. Collect information to identify the processing operations, activities, measures, projects, programs or system of the PIC or PIP, and maintain a record thereof;
  2. Analyze and check the compliance of the processing activities, including the issuance of security clearance to and compliance by third-party service providers;
  3. Inform, advise and issue recommendations to the PIC and PIP;
  4. Ascertain renewal of accreditation or certifications necessary to maintain the required standards in personal data processing; and
  5. Advise the PIC or PIP as regards the necessity of executing a Data Sharing Agreement with third parties and to ensure its compliance with the law.

Ensure the conduct of Privacy Impact Assessments relative to the activities, measures, projects, programs or system of the PIC or PIP;

Advise the PIC or PIP regarding complaints and/or the exercise by the data subject of their rights;

Ensure proper data breach and security incident management by the PIC or PIP, including the latter’s preparation and submission to the NPC of reports and other documentation concerning security incidents or data breaches within the prescribed period;

Inform and cultivate awareness on privacy and data protection within the organization of the PIP or PIC, including all relevant laws, rules and regulations and issuances of the NPC;

Advocate for the development, review and/or revision of policies, guidelines, projects and/or programs of the PIC or PIP relating to privacy and data protection, adopting a privacy by design approach;

Serve as the contact person of the PIC and PIP vis-à-vis data subjects, the NPC and other authorities in all matters concerning data privacy or security issues or concerns and the PIC or PIP;

Cooperate, coordinate and seek advice of the NPC regarding matters concerning data privacy and security; and

Perform other duties and tasks that may be assigned by the PIC that will further the interest of data privacy and security and uphold the rights of the data subjects.

Personal Information Controller (PIC) or Personal Information Processor (PIP) General Obligations

Effectively communicate to its personnel the designation of the DPO or COP and his or her functions;

Allow the DPO or COP to be involved from the earliest stage possible in all issues relating to privacy and data protection;

Provide sufficient time and resources necessary for the DPO or COP to keep himself/herself updated with the developments in data privacy and security and to carry out his or her tasks effectively and efficiently;

Grant the DPO or COP appropriate access to the personal data it is processing, including the processing system;

Where applicable, invite the DPO or COP to participate in meetings of senior and middle management to represent the interest of privacy and data protection;

Ensure that the DPO or COP is made a part of all relevant working groups that deal with personal data processing activities conducted inside the organization or with other organizations.

Management of Human Resources

The DPO, in collaboration with the Human Resource Office (HRO), shall implement measures to ensure that all the SDCA employees who have access to personal data of the data subject will strictly process such information in compliance with the requirements of the Data Privacy Act and other applicable laws and regulations. These measures may include developing new or updating relevant policies of SDCA and conducting orientation programs to educate employees on data privacy related concerns.

The Human Resource Office shall obtain the employee’s consent, evidenced by written, electronic or recorded means, to:

  1. The processing of his or her Personal Data/Information, for the purpose of gathering and maintaining the institution’s records; and
  2. A continuing agreement of confidentiality on the employee’s part in relation with the Personal Data during the period of contract with the institution. Further, the above agreement shall also be considered even after the employment for whatever reason.

Data Privacy Principles

All processing of personal data within the institution should be conducted in compliance with the Data Privacy Act with transparency, legitimate purpose, proportionality, data quality, security measures and rights of the data subject.

Data Collection Procedures

The assigned PIPs in all departments may collect personal information from the data subject if the collection is relevant to the process of the department or unit. The DPO shall ensure that the procedure for collecting personal information is updated and that the consent of the data subject is properly obtained and evidenced by written, electronic or recorded means. Such procedure shall be regularly monitored, modified (if needed), and updated (when necessary) to ensure that the rights of the data subject are respected and that processing is fully in accordance with the Data Privacy Act and other applicable laws and regulations.

Data Processing of Records

Records of the institution should be effectively and efficiently maintained, ensuring that these records are kept updated. The institution's records should:

  1. Inform the purpose of processing the data subject information, including the intention for future processing or data sharing;
  2. A clear entity of the data subject that will be involved in the processing;
  3. Provide general information about the data flow of information within the Institution, from the time of collection, retention, and the process of disposal or erasure of the data subject information;
  4. Clearly state the name and contact details of the DPO, PIP, and PIC to ensure compliance with the applicable laws and regulations for protection of data privacy and security.

Data Retention Procedure

Retention of data subject information should comply with the requirements of the DPA and other relevant laws and regulations. The data subject information should be retained for a period longer than necessary and/or appropriate to the purposes for which the data was collected. The PIC or PIP in each office should be responsible for developing measures to determine the applicable data retention schedules and procedures to allow for the withdrawal of previously given consent of the data subject as well as to safeguard the destruction and disposal of such personal data.

Physical Security Measures

The DPO, with the assistance and cooperation of the Information Communication Technology (ICT), Human Resource Office (HRO), Transport and General Services (TAGS), and Building Administration Office (BAO), shall develop and implement policies and procedures for the institute to monitor and limit access to, and activities in, the offices, including guidelines that specify the proper use of, and access to, electronic media. The design and layout of the offices that process personal information of the data subject shall be evaluated and readjusted in order to provide privacy to anyone processing personal data, taking into consideration the environment and accessibility to unauthorized persons.

Technical Security Measures

The institution should regularly evaluate the security policy with respect to the processing of personal information of the data subject. The security policy should consider the following requirements:

  1. Safeguard the institution's system and database networks against accidental, unlawful or unauthorized usage, any interference which will affect the integrity or hinder the functionality or availability of the system, and unauthorized access.
  2. Ensure and maintain the confidentiality, integrity, and availability of data processed electronically.
  3. Regularly monitor for security breaches and vulnerabilities of the Institution’s network and system, and take preventive, corrective and mitigating action against security incidents that may lead to a data breach.
  4. Ensure quick restoration of access to and availability of personal data in the event of a physical or technical incident.
  5. Develop a process for regularly testing, assessing, and evaluating the effectiveness of security measures.
  6. Encrypt personal data to support the security measures and limit access during storage and transfer of data.

OUTSOURCING DATA SUBJECT INFORMATION

The disclosure and transfer to a third party of personal information is under the control or custody of a Personal Information Controller (PIC).

The disclosure or transfer of personal information may be done by a Personal Information Processor (PIP) upon the instruction of the PIC.

Contract, joint issuance or any similar document that contains the terms and conditions of an outsourcing or subcontracting should be arranged between two parties.

Only the Personal Information Controller (PIC) shall be made parties to an outsourcing or subcontracting agreement.

Under the outsourcing or subcontracting agreement, the following should be present:

  1. Purpose of outsourcing/subcontracting
  2. Personal data to be shared
  3. Consent of the data subject
  4. Procedure for use or process of personal data
  5. Operational details of the data sharing or transfer of personal data.
  6. Security measures
  7. Online access to personal data
  8. Mutual representations
  9. Return, destruction, or disposal of transferred personal data
  10. Use of name
  11. Terms
  12. Remedies of the data subject
  13. Indemnification
  14. Authorized Personal Information Processor (PIP)
  15. Data Protection Officer or Compliance Officer
  16. Personal Information Controller (PIC) responsible for information request, or any complaint
  17. General provisions
  18. Responsibilities of the parties
  19. Confidentiality obligations
  20. Accountability for cross-border transfer of personal data
  21. Assignment
  22. Governing law
  23. Mandatory periodic review
  24. Review and modification
  25. Mandatory periodic review
  26. Severability
  27. Alternative dispute resolution
  28. Venue of action

DATA SHARING

The disclosure and transfer to a third party of personal information is under the control or custody of a Personal Information Controller (PIC).

The disclosure or transfer of personal information may be done by a Personal Information Processor (PIP) upon the instruction of the PIC.

Contract, joint issuance or any similar document that contains the terms and conditions of a data sharing should be arranged between two or more parties.

Only the Personal Information Controller (PIC) shall be made parties to a data sharing agreement.

Under the data sharing agreement, the following should be present:

  1. Purpose of data sharing
  2. Personal data to be shared
  3. Consent of the data subject
  4. Procedure for use or process of personal data
  5. Operational details of the data sharing or transfer of personal data
  6. Security measures
  7. Online access to personal data
  8. Mutual representations
  9. Return, destruction, or disposal of transferred personal data
  10. Use of name
  11. Terms
  12. Remedies of the data subject
  13. Indemnification
  14. Authorized personal information processor (PIP)
  15. Data Protection Officer or Compliance Officer
  16. General provisions
  17. Responsibilities of the parties
  18. Confidentiality obligations
  19. Accountability for cross-border transfer of personal data
  20. Assignment
  21. Governing law
  22. Mandatory periodic review
  23. Review and modification
  24. Severability
  25. Alternative dispute resolution
  26. Venue of action

PROCESSING OF CONFIDENTIAL INFORMATION

Upon employment with St Dominic College of Asia, each employee should strictly observe and protect the following confidential information:

  1. Any confidential information employees have access to should be discussed with others only on a need-to-know basis;
  2. Confidential information may not be disclosed to any outside persons, outsource, industry partners without the appropriate confidential information disclosure agreement from legal counsel; and
  3. Sensitive and confidential information should not be discussed, even with fellow employees, in public places.

Employees are advised to maintain the confidentiality of information in their specific workplace, depending on the type of job and access to information. Further, all employees of St. Dominic College of Asia should:

  1. Secure the confidential information at all times;
  2. Shred confidential documents that are no longer needed;
  3. Make sure that confidential information is viewed on secure devices and in a secure place;
  4. Disclose information to employees when necessary, authorized and with legal advice; and
  5. Keep all confidential information inside the company premises with proper security.

Confidential information may be disclosed for a legitimate purpose should any regulatory body request it for the purpose of audit or investigation. Thus, disclosure is subject to approval from the Personal Information Controller (PIC).


DATA BREACH AND SECURITY INCIDENTS

In the event that a sign of a security or data breach is discovered or encountered, such incidents shall be immediately reported to the DPO within 24 hours.

All data or security breaches should be sufficiently documented through written reports. All data breach reports should include the facts, the effects of such incident and the remedial action taken by the Institution.

The discovery or encounter of the data breach should be verified to determine the relevant circumstances surrounding the reported data or security breach.

The HR Office will convene a meeting of every personnel involved in the data or security breach for investigation and clarification. Concrete documentation should be gathered for proper reporting.

Upon identifying the degree of the relevant circumstance surrounding the reported data or security breach, the DPO should notify the National Privacy Commission (NPC) and the affected data subject pursuant to the requirements and procedures prescribed by the Data Privacy Act (DPA).

The report to the NPC should present the measures used to reduce the harm or negative consequences of the breach, and the name and contact details of the DPO.

COPYRIGHT © 2017 ST DOMINIC COLLEGE OF ASIA | ALL RIGHTS RESERVED.