Module 1 - Introduction


How to comply with the Data Privacy Act of 2012 Module 1 - Introduction

Republic Act No. 10173, August 15, 2012

SECTION 1. Short Title. This Act shall be known as the Data Privacy Act of 2012.

SEC. 2. Declaration of Policy. It is the policy of the State to protect the fundamental human right of privacy, of communication while ensuring free flow of information to promote innovation and growth. The State recognizes the vital role of information and communications technology in nation-building and its inherent obligation to ensure that personal information in information and communication systems in the government and in the private sector are secured and protected.

Which is more valuable? Data, or money?


Republic Act No. 10173, August 15, 2012

SEC. 26. (b) Accessing sensitive personal information due to negligence shall be penalized by imprisonment ranging from three (3) years to six (6) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than Four million pesos (Php4,000,000.00) shall be imposed on persons who, due to negligence, provided access to personal information without being authorized under this Act or any existing law.

SEC. 35. Large-Scale. The maximum penalty in the scale of penalties respectively provided for the preceding offenses shall be imposed when the personal information of at least one hundred (100) persons is harmed, affected or involved as the result of the above mentioned actions.

Agenda for Workshop
- Introduction
- Data Protection Officer (DPO)
- Privacy Impact Assessment (PIA)
- Privacy Management Program (PMP)
- Privacy and Data Protection (PDP)
- Breach Management Framework (BMF)

Structure of RA 10173, the Data Privacy Act
- Sections 1-6. Definitions and General Provisions
- Sections 7-10. National Privacy Commission
- Sections 11-21. Rights of Data Subjects, and Obligations of Personal Information Controllers and Processors
- Sections 22-24. Provisions Specific to Government
- Sections 25-37. Penalties

Definitions: Personal Information

Personal information refers to any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual. (RA 10173, Section 3.g)

"When put together with other information"?
Separately: #4 Pili? Lily Ang? 10/24/55?
Together: #4 Pili, Lily Ang, 10/24/55

Definitions: Personal Information, Sensitive Personal Information

Sensitive personal information refers to personal information:
(1) About an individual's race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;
(2) About an individual's health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings;
(3) Issued by government agencies peculiar to an individual which includes, but not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns; and
(4) Specifically established by an executive order or an act of Congress to be kept classified.
(RA 10173, Section 3.l)

Key Definitions: PIC and PIP
- Personal Information Controllers (PIC): those who decide what data is collected and how it is processed (example: Bank X, Hospital Y).
- Personal Information Processors (PIP): those who process data as instructed by the controllers (example: shared services, IT vendor, external lab).


Penalties under the DPA (the higher jail-term range applies when sensitive personal information is involved):

Punishable Act           | Jail Term (personal information) | Jail Term (sensitive personal information) | Fine (Pesos)
Access due to negligence | 1y to 3y                         | 3y to 6y                                   | 500k to 4m
Unauthorized processing  | 1y to 3y                         | 3y to 6y                                   | 500k to 4m
Improper disposal        | 6m to 2y                         | 3y to 6y                                   | 100k to 1m
Unauthorized purposes    | 18m to 5y                        | 2y to 7y                                   | 500k to 2m
Intentional breach       | 1y to 3y                         | -                                          | 500k to 2m
Concealing breach        | 18m to 5y                        | -                                          | 500k to 1m
Malicious disclosure     | 18m to 5y                        | -                                          | 500k to 1m
Unauthorized disclosure  | 1y to 3y                         | 3y to 5y                                   | 500k to 2m
Combination of acts      | 3y to 6y                         | -                                          | 1m to 5m

Who is liable?

Sec. 22. The head of each government agency or instrumentality shall be responsible for complying with the security requirements mentioned herein.

Sec. 34. Extent of Liability. If the offender is a corporation, partnership or any juridical person, the penalty shall be imposed upon the responsible officers, as the case may be, who participated in, or by their gross negligence, allowed the commission of the crime.

The obligations which must be complied with by PICs and PIPs:
- Data Privacy Act of 2012
- IRRs (promulgated 2016)
- 2016 Series (issued): Circular 16-01 Gov't Agencies; Circular 16-02 Data Sharing; Circular 16-03 Breach Mgmt; Circular 16-04 Rules of Procedure
- 2017 Series: Advisory 17-01 DPO Guidelines; Advisory 17-02 PDS Guidelines; Advisory 17-03 PIA Guidelines; Circular 17-01 Registration

Pillar 1: Commit to Comply: Appoint a Data Protection Officer (DPO)
Legal Basis: Sec. 21 of the DPA, Section 50 of the IRR, Circular 16-01, and Advisory 17-01

Sec. 21 (b) The personal information controller shall designate an individual or individuals who are accountable for the organization's compliance with this Act.


Pillar 2: Know Your Risks: Conduct a Privacy Impact Assessment (PIA)
Legal Basis: Sec. 20(c) of the DPA, Section 29 of the IRR, Advisory 17-03

Sec. 20 (c) The determination of the appropriate level of security under this section must take into account the nature of the personal information to be protected, the risks represented by the processing, the size of the organization and complexity of its operations, current data privacy best practices and the cost of security implementation.

How will you know what the risks represented by the processing are?

PIA worksheet (columns: Program, Process, or Measure | Privacy Risk | Benefit | Controls | Impact Assessment)
X.1: High | Low | Unacceptable
X.2: Medium | Medium | High | Unreasonable
X.3: Low | High | Low | Acceptable
X.25: High | High | ?? | Medium | High | Medium | Acceptable

Privacy risk is the probability that the activity involving data will result in harm, or a loss of the rights and freedoms of an individual. Controls may be applied in order to reduce the severity, likelihood, and magnitude of the privacy risk.

WHO should participate in the PIA? Those involved in the Information Life Cycle: Collection, Use, Storage, Sharing, Disposal.

Privacy Risk Map (chart): vertical axis IMPACT (Extreme, Major, Stressful, Slight, Nil); horizontal axis PROBABILITY (Low, Med, High).


Pillar 3: Write Your Plan: Create Your Privacy Management Program (PMP)
Legal Basis: Sec. 11-15 of the DPA, Sections 21-23 and 43-45 of the IRR, Circulars 16-01 and 16-02

Principles
- Transparency: no surprises in how the data collected is being processed
- Legitimate purpose: required by law and not contrary to public morals
- Proportionality: collect only what's needed and commensurate to the benefits


THE NPC DATA PRIVACY ACCOUNTABILITY AND COMPLIANCE FRAMEWORK

I. GOVERNANCE
  A. Choose a DPO
II. RISK ASSESSMENT
  B. Register
  C. Records of processing activities
  D. Conduct PIA
III. ORGANIZATION
  E. Privacy Management Program
  F. Privacy Manual
IV. DAY TO DAY
  G. Privacy Notice
  H-O. Data Subject Rights
  P. Data Life Cycle
V. DATA SECURITY
  Q. Organizational
  R. Physical
  S. Technical: Data Center, Encryption, Access Control Policy
VI. BREACHES
  T. Data Breach Management: Security Policy, Data Breach Response Team, Incident Response Procedure, Document, Breach Notification
VII. THIRD PARTIES
  U. Third Parties: Legal Basis for Disclosure, Data Sharing Agreements, Cross Border
VIII. MANAGE HR
  V. Trainings and Certifications
  W. Security Clearance
IX. CONTINUITY
  X. Continuing Assessment and Development: Regular PIA, Review Contracts, Internal Assessments, Review PMP, Accreditations
X. PRIVACY ECOSYSTEM
  Y. New technologies and standards
  Z. New legal requirements

Pillar 4: Be Accountable: Implement your Privacy & Data Protection (PDP) Measures
Legal Basis: Sec. 16-18 and 38 of the DPA, Sections 17-24 and 34-37 of the IRR, and Circular 16-04

Sections 16-18. Rights of Data Subjects
- Right to be informed
- Right to object
- Right to access
- Right to correct/rectify
- Right to block/remove
- Right to data portability
- Right to file a complaint
- Right to be indemnified

Pillar 4: Be Accountable: Implement your Privacy & Data Protection (PDP) Measures
Legal Basis: Sec. 20.a-e, 22 and 24 of the DPA, Sections 25-29 of the IRR, Circular 16-01

Pillar 5: Be Prepared: Regularly exercise your Breach Reporting Procedures
Legal Basis: Sec. 20.f and 30 of the DPA, Sections 38-42 and 57 of the IRR, Circular 16-03

IRR Sec. 38 (a) The Commission and affected data subjects shall be notified by the PIC within seventy-two (72) hours upon knowledge of, or when there is reasonable belief by the PIC or PIP that, a personal data breach requiring notification has occurred.


Pillar 6: Registration

Who should register? Personal Information Controllers and Personal Information Processors who:
- employ more than 250 persons
- process sensitive personal information of at least 1,000 individuals
- belong to sectors identified by the NPC where the processing carried out is likely to pose a risk to the rights and freedoms of data subjects, and the processing is not occasional
- are service providers to government


Designating a DPO is the first essential step towards compliance. You cannot register your systems with the NPC unless you have a DPO. You cannot report your compliance activities unless you go through your DPO.

What happens if you don't comply?

Sec. 7. Functions of the National Privacy Commission
(b) Receive complaints, institute investigations, facilitate or enable settlement of complaints through the use of alternative dispute resolution processes, adjudicate, award indemnity on matters affecting any personal information, prepare reports on disposition of complaints and resolution of any investigation it initiates, and, in cases it deems appropriate, publicize any such report;
(c) Issue cease and desist orders, impose a temporary or permanent ban on the processing of personal information, upon finding that the processing will be detrimental to national security and public interest;
(d) Compel or petition any entity, government agency or instrumentality to abide by its orders or take action on a matter affecting data privacy;
(i) Recommend to the Department of Justice (DOJ) the prosecution and imposition of penalties specified in Sections 25 to 29 of this Act.

When should you comply? Yesterday.
- Obligations in the DPA and the IRR.
- September 2017: Additional requirements in the IRR: Registration of Data Processing Systems and Automated Processing, 72-hour Breach Notification, Annual Incident Reporting.
- October 2017 (for Government Agencies only): Additional security requirements in Circular 16-01.

Compliance: Commitment to Comply + Capacity to Comply

In Closing: How the NPC can help
- Workshops to deliver the message and build capacity
- Updates on new standards and/or circulars (www.privacy.gov.ph)
- Generic guidance and frameworks (facebook.com/privacy.gov.ph)
- When requested, advice on specific matters (info@privacy.gov.ph)

End of Module 1. Any questions?