It also aims to provide all stakeholders within the company a complete understanding of the way personal information is collected, stored, accessed and shared and thereby ensure the strict compliance of Business Unit Heads, Heads of Corporate Divisions and Departments and their respective Managers, Team Leads and employees who are given the task to process personal information.
This information security policy is adopted to address corporate compliance with the Republic Act No. 10173 or the Data Privacy Act of 2012, its Implementing Rules and Regulations, and other relevant policies, including issuances of the National Privacy Commission. It also encapsulates the privacy and data protection protocols that need to be observed and carried out within the Company for specific circumstances (e.g., from collection to destruction), directed toward the fulfillment of the rights of data subjects/employees/customers/business partners.
This policy manual informs all employees of data protection measures in place, and to serve as guide in the exercise of rights under RA 10173.
Definition of Terms
Refers to any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information (e.g. name, address, contact numbers), or when put together with other information would directly identify an individual. This includes “sensitive personal information” and “privileged information”.
Sensitive Personal Information pertains to one’s:
Privileged Information refers to any and all forms of data, which, under the Rules of Court and other pertinent laws constitute “privileged communication”.
Refers to any operation or any set of operations performed upon personal information including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data.
Refers to an individual whose personal, sensitive personal or privileged information is processed by the organization. It may refer to officers, employees, consultants, and clients of this organization.
|"Personal Information Controller”||
Refers to those who decide what data is collected and how it is processed. This refers to the Head of business units and Corporate Divisions and Departments.
|“Personal Information Processor”||
Refers to those who process data as instructed by the Controllers. This refers to employees or third party service providers to whom a personal information controller may instruct or outsource the processing of personal data.
Scope and Limitations
Data Privacy Accountability
All Department Heads and Business Unit Heads of the Company are fully accountable in ensuring that ‘private information’ as defined in this policy which are handled by their respective departments and business units are processed in a secure manner as defined in this policy document.
Department Heads and Business Unit Heads are responsible for the privacy risk assessment of all business processes under their respective units that process any personal data of their employees, suppliers, partners and customers.
Lastly, Department Heads and Business Unit Heads are expected to report without delay any form of data privacy breach to the Company President or to the Data Protection Officer in the soonest possible time for proper disposition and reporting to concerned government agencies.
Processing of Personal Data
Personal data regardless of source and/or method of acquisition is protected by law. All employees must exercise due diligence in the handling of personal information as everyone may be held accountable in its improper use. When in doubt, employees should consult the Data Protection Officer or relevant process owners/ private information controllers.
Private information controllers and process owners must ensure that all personal information collected in the course of a process/ procedure that they control are to a minimum, necessary and with specific purpose relative to the process involved.
Collection of private and sensitive private information (see definition of terms) e.g. addresses, contact numbers, birthdays, etc., must include process provisions to safeguard those information where sharing and access to said information is restricted only to those who are authorized to use those information.
|Storage, Retention and Destruction||
Process Owners or PICs must ensure that personal data under their custody are protected against accidental or unlawful destruction, alteration and disclosure as well as against any other unlawful processing. PICs will implement appropriate administrative and procedural security measures at a minimum, using appropriate information technology tools whenever possible, in storing collected personal information, depending on the nature of those information.
All information gathered shall not be retained for a period longer than necessary or as determined by other government regulatory requirements. In the absence of any specific retention requirement, personal information will only be retained for a period of one (1) year. After the required retention period, all hard and soft copies of personal information shall be disposed and destroyed through secured means.
Data subject e.g. employees, customers, partners, etc., persons authorized by the data subjects/employees/customers/business partners and authorized representatives of the company (e.g. PICs and PIPs) shall be allowed to access personal data, for any legitimate purpose, except for those contrary to law, public policy, public order or morals.
|Disclosure and Sharing||All employees shall maintain the confidentiality and secrecy of all personal data that come to their knowledge and possession by any means, even after resignation, termination of contract, or other contractual relations. Personal data under the custody of the company shall not be disclosed, except for those pursuant to a lawful purpose, and to authorize recipients of such data.|
Data Privacy Response and Reporting
Personal information controllers and processors (PIPs and PICs) will primarily be responsible in detecting and reporting a breach in data privacy policies and procedures that concerns the processes that they directly oversee.
Concerned PICs and PIPs together with the DPOs and COPs are automatically members of a Data Security Response Team that will in the event of a personal data breach conduct an initial assessment of the incident and the formal incident report.
The DPO together with the corporate legal office will determine the need to file and escalate a report to the National Privacy Commission.
If an employee suspects any breach in private information whether it is their own data or for a fellow employee, customer or business partner, he or she may directly report such incidents to the company’s Data Protection Officer at [email protected]. All reports will be treated in utmost confidence or as “privileged information”.
Violations and Penalties
Breach of this policy whether intentional or due to negligence is subject to administrative penalties that may include documented counseling, suspension or outright dismissal as determined by the company depending on the gravity of the policy violation.
Any incident of breach of privacy of private, sensitive private and privileged information will be reported to the National Privacy Commission as mandated by law and may be subject to criminal investigation and charges as deemed appropriate by the NPC.