I. BACKGROUND
Republic Act No. 10173, also known as the Data Privacy Act of 2012 (DPA), aims to protect personal data in information and communications systems both in the government and the private sector.
It ensures that entities or organizations processing personal data establish policies, and implement measures and procedures that guarantee the safety and security of personal data under their control or custody, thereby upholding an individual’s data privacy rights. A personal information controller or personal information processor is instructed to implement reasonable and appropriate measures to protect personal data against natural dangers such as accidental loss or destruction, and human dangers such as unlawful access, fraudulent misuse, unlawful destruction, alteration and contamination.
To inform its personnel of such measures, each personal information controller or personal information processor is expected to produce a Privacy Manual. The Manual serves as a guide or handbook for ensuring the compliance of an organization or entity with the DPA, its Implementing Rules and Regulations (IRR), and other relevant issuances of the National Privacy Commission (NPC). It also encapsulates the privacy and data protection protocols that need to be observed and carried out within the organization for specific circumstances (e.g., from collection to destruction), directed toward the fulfillment and realization of the rights of data subjects.
II. INTRODUCTION
This Privacy Manual is hereby adopted in compliance with Republic Act No. 10173 or the Data Privacy Act of 2012 (DPA), its Implementing Rules and Regulations, and other relevant policies, including issuances of the National Privacy Commission (NPC). This organization respects and values your data privacy rights, and makes sure that all personal data collected from you, our clients and customers, are processed in adherence to the general principles of transparency, legitimate purpose, and proportionality.
TRIGOLD SECURITY & INVESTIGATION AGENCY, INC. (Trigold) needs to gather and use certain information about individuals. These include applicants, customers, suppliers, business contacts, employees and other people the organization has a relationship with or may need to contact.
This policy describes how this personal data must be collected, handled and stored to meet the agency’s data protection standards and to comply with the law.
In compliance with the law, Trigold shall designate the following persons with special functions:
a) DPO – Data Protection Officer/s
b) PIP – Personal Information Processor
c) PIC – Personal Information Controller
III. OBJECTIVES
- The manual aims to safeguard individual clients’ personal data against misuse, by regulating the proper management of personal data/information.
- To control the way information is handled and to give legal rights to people who have information stored about them.
IV. SCOPE AND LIMITATIONS
- The manual shall cover the Data Privacy request addressed to the Trigold Security & Investigation Agency, Inc. and all its offices.
- It applies to all data that the agency holds relating to identifiable individuals, regardless of the type of employment, stakeholders and other clients. This includes:
a) TRIGOLD PERSONNEL
The type of personal information or sensitive personal information which the Company may collect, either directly or indirectly, in relation to a job application for a position (e.g., Security Personnel, Head Office Staff) shall include, among others, the following personal and sensitive personal information:
- Complete Name
- Present, Permanent or Provincial Address
- Land line and Mobile No.
- Email Address
- Date of Birth/ Age/ Place of Birth
- Weight/ Height
- Blood Type
- Nationality
- Distinguishing Marks
- Civil Status
- Gender
- Religion
- TIN / SSS/ PhilHealth and Pag-IBIG No.
- School Credentials and Educational Attainment
- NBI & Police Clearance
- Employment Medical Clearance
- Past Employment Details
- Character References
- Spouse Name
- Children’s Name/Age
- Spouse Religion
- Spouse Contact Number
- ID Picture/ LESP
b) TRIGOLD STAKEHOLDERS/CLIENTS
- Last Name, First Name, Middle Name and Extension Name
- Address
- Age
- Sex
- Marital Status
- Contact Numbers
- Email Address
- Land Ownership
- Real Property
- Government ID/ Numbers
- Contracts/ Cost Distribution
V. PROCESSING OF PERSONAL DATA
This refers to the stages of the data life cycle: collection of personal data, its actual use, storage or retention, and destruction.
A. Collection – This refers to the type of data collected, mode of collection, person collecting information with the consent (see Annex A – Consent Form) of the subject.
a.1 The PIP/PIC is responsible for collecting information; collection of data depends on the type of information and can be collected once, monthly, quarterly, or annually.
a.2 Data to be collected may be in the form of hard copy or e-copy and shall be consolidated by the PIP/PIC.
B. Use – Data collected shall be used by the agency for references and/or documentation purposes.
C. Storage, Retention and Destruction – Means of storage, security measures, form of information stored, retention period, disposal procedure.
c.1 E-copies shall be stored on the server. If stored on a USB device, only authorized personnel are allowed to carry, open and transfer the said documents.
c.2 Hard copies shall be filed in the filing cabinet in the restricted area. Hard copies shall be retained for five (5) years, or for a period depending on the importance of such data.
c.3 E-copy storage must be protected with a strong password, and hard-copy storage must be kept locked with keys.
c.4 Hard copies shall be disposed of through shredding, and e-copies shall be destroyed.
D. Access – Personnel authorized to access (see Annex B – Access Request Form) personal data, purpose of access, mode of access, requests for amendment of personal data.
d.1 Only authorized personnel, as designated in this policy, may access and pull out the data.
d.2 Individuals can access others’ data as long as they are given the authorization/consent.
E. Disclosure – Individuals to whom personal data is shared, disclosure of policy and processes, outsourcing and subcontracting.
e.1 All employees (regular, contractual, Job Order) of the agency shall maintain the confidentiality and secrecy of all personal data.
e.2 Personal data under the custody of the agency shall be disclosed only pursuant to a lawful purpose, and to authorized recipients of such data.
VI. SECURITY MEASURES
TRIGOLD security measures aim to maintain the availability, integrity and confidentiality of personal data and protect it against natural dangers such as accidental loss or destruction, and human dangers such as unlawful access, fraudulent misuse, unlawful destruction, alteration and contamination. Access to personal information is restricted to qualified and authorized personnel, who hold the information in strict confidence and update it securely to keep the records accurate.
A. Organization Security Measures
a.1 Data Protection Officer (DPO)
- Conduct of trainings or seminars to keep personnel updated on developments in data privacy and security.
- Conduct of Privacy Impact Assessment (PIA)
- Recording and documentation of activities carried out by the DPO
- Duty of Confidentiality.
- Review of Privacy Manual. It shall be reviewed and evaluated annually.
a.2 Physical Security Measures
- Format of data to be collected. It may be in Word, Excel or PDF format.
- Storage type and location
- Access procedure of agency personnel
- Monitoring and limitation of access to room or facility
- Design of office space/work station
- Persons involved in processing, and their duties and responsibilities
- Modes of transfer of personal data within the organization, or to third parties
- Retention and disposal procedure
a.3 Technical Security Measures
- Monitoring for security breaches
- Security features of the software/s and application/s used
- Process for regular testing, assessment and evaluation of the effectiveness of security measures.
- Encryption, authentication process, and other technical security measures that control and limit access to personal data
VII. DUTIES AND RESPONSIBILITIES
Everyone who works with the Agency has some responsibility for ensuring data is collected, stored and handled appropriately.
Personnel handling personal data must ensure that it is handled and processed in line with this policy and data protection principles.
However, these people have key areas of responsibility:
The President & CEO, acting as the Overall Data Protection Officer (ODPO), and all Department Managers, designated as Data Protection Officers (DPOs), shall be responsible to:
1. Monitor the PIC’s or PIP’s compliance with the DPA, its IRR, issuances by the NPC and other applicable laws and policies. For this purpose, he or she may:
a. collect information to identify the processing operations, activities, measures, projects, programs, or systems of the PIC or PIP, and maintain a record thereof;
b. analyze and check the compliance of processing activities, including the issuance of security clearances to and compliance by third-party service providers;
c. inform, advise, and issue recommendations to the PIC or PIP;
d. ascertain renewal of accreditations or certifications necessary to maintain the required standards in personal data processing; and
e. advise the PIC or PIP as regards the necessity of executing a Data Sharing Agreement with third parties, and ensure its compliance with the law;
- Ensure the conduct of Privacy Impact Assessments relative to activities, measures, projects, programs, or systems of the PIC or PIP;
- Advise the PIC or PIP regarding complaints and/or the exercise by data subjects of their rights (e.g., requests for information, clarifications, rectification or deletion of personal data);
- Ensure proper data breach and security incident management by the PIC or PIP, including the latter’s preparation and submission to the NPC of reports and other documentation concerning security incidents or data breaches within the prescribed period;
- Inform and cultivate awareness on privacy and data protection within the organization of the PIC or PIP, including all relevant laws, rules and regulations and issuances of the NPC;
- Advocate for the development, review and/or revision of policies, guidelines, projects and/or programs of the PIC or PIP relating to privacy and data protection, by adopting a privacy by design approach;
- Serve as the contact person of the PIC or PIP vis-à-vis data subjects, the NPC and other authorities in all matters concerning data privacy or security issues or concerns and the PIC or PIP;
- Cooperate, coordinate and seek advice of the NPC regarding matters concerning data privacy and security; and
- Perform other duties and tasks that may be assigned by the PIC or PIP that will further the interest of data privacy and security and uphold the rights of the data subjects.
The Human Resource Management Manager/ Officer is the designated Personal Information Processor (PIP) and Personal Information Controller (PIC), responsible to:
- Effectively communicate to its personnel the designation of the DPO or COP and his or her functions;
- Allow the DPO or COP to be involved from the earliest stage possible in all issues relating to privacy and data protection;
- Provide sufficient time and resources (financial, infrastructure, equipment, training, and staff) necessary for the DPO or COP to keep himself or herself updated with the developments in data privacy and security and to carry out his or her tasks effectively and efficiently;
- Grant the DPO or COP appropriate access to the personal data it is processing, including the processing systems;
- Where applicable, invite the DPO or COP to participate in meetings of senior and middle management to represent the interest of privacy and data protection;
- Promptly consult the DPO or COP in the event of a personal data breach or security incident; and
- Ensure that the DPO or COP is made a part of all relevant working groups that deal with personal data processing activities conducted inside the organization, or with other organizations.
VIII. INQUIRIES AND COMPLAINTS
- Each data subject has the right to a reasonable access to his or her personal data being processed by the personal information controller or personal information processor.
- He/She shall write to the Head of the Agency, briefly describing the inquiry and providing his/her contact details for reference.
- Complaints shall be filed in three (3) printed copies. The concerned department or units shall confirm with the complainant its receipt of the complaint.
IX. ADMINISTRATIVE LIABILITIES
Failure to comply with the provisions of this Data Privacy Policy shall be a ground for the following administrative penalties:
1st Offense – Reprimand;
2nd Offense – Suspension of one (1) to thirty (30) days;
3rd Offense – Dismissal from the service.
X. ANNEXES
11.1. Annex A – Consent Form
11.2. Annex B – Access Request Form
11.3. Annex C – Job Application Form