In a move to help organizations implement appropriate security and privacy practices, legal, governance and technology experts, as well as officials of the National Privacy Commission (NPC), discussed the compliance aspects of the Data Privacy Act (DPA) and its recently released implementing rules and regulations (IRR) in a one-day event organized by the Disini & Disini Law Office. The “Data Privacy Act Compliance for the Private Sector and Government” seminar was held last November 3, 2016 at Dusit Thani Manila.
In his keynote, NPC Commissioner Raymund E. Liboro said, “In the face of twenty-first century crimes, we need a twenty-first century law that upholds data privacy.” He stressed the need for rigorous compliance while recognizing the demands of the private sector and government for a free flow of information.
Other speakers included NPC Deputy Commissioner Dondi Mapa, NPC Director of Policy Atty. Jamael Jacob, Presidential Communications Office Assistant Secretary Kristian Ablan, ECC International Director for Delivery and Project Management Kamesh Ganeson, Ateneo Graduate School of Business professor Atty. Vincent Edward Festin and Disini & Disini Managing Partner Atty. JJ Disini.
Greater control over personal information
To start off the event, Atty. Jacob, in his talk “The Data Privacy Act and the IRR,” emphasized that data privacy is the right to control one’s personal information. He explained that the law gives the data subject the right to control what information is collected, how it is collected, why it is collected and for how long said information will be stored or processed, giving subjects greater control over the processing of their personal information.
The DPA protects personal information, or any data that can be used to identify an individual. Processing, on the other hand, according to Atty. Jacob, refers to any operation or any set of operations performed upon personal data including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data.
Atty. Jacob also explained that any processing of personal data must comply with the data privacy principles of transparency, legitimate purpose and proportionality.
The Role of the NPC
The second speaker, Commissioner Liboro, in his talk “The National Privacy Commission,” discussed the role that the NPC plays in protecting the rights of data subjects and holding violators accountable.
He noted that it is important to differentiate data privacy from data security. While data privacy involves the rights of the data subject and the responsibilities of processors and controllers to the data subject, data security refers to the responsibility of processors and controllers for the protection of data. This includes safeguards, internal policy, regular monitoring and confidentiality measures.
In implementing the DPA, Commissioner Liboro said that all stages of “data processing” must be covered and the NPC shall hold processors and controllers liable for any violation of the DPA.
Legal Compliance Roadmap for the DPA
To help organizations initiate the Data Privacy Act compliance process, the speakers discussed some frameworks for data privacy policies. The speakers agreed that privacy management is a top-to-bottom approach which requires attention from decision makers down to the rank and file.
To begin the process, Atty. Disini, in his talk “Legal Compliance Roadmap for the DPA,” suggested that data controllers start with a gap analysis. According to Atty. Disini, the controller is the person who decides what data to collect and what to do with that information. They have the responsibility to enact measures for data security.
First, a personal information life cycle, which includes IT infrastructure, current management policies, the extent of reviewed data, and proposed security measures, should be drawn up. Next, companies must build a data privacy roadmap based upon a proper assessment of the risks. Finally, a full and consistent implementation should follow, with periodic review and revision of the relevant policies and programs.
It must be noted, however, that the data controller should approach the need for security from three standpoints. In terms of technical security, the controller should ensure that his physical, electronic, or technological systems are safe and up to date. From the perspective of governance, the controller should implement data privacy training, protocols, and procedures, with regular review and revision. Finally, legally, the controller should assess what kind of consent is needed from the data subjects, as well as develop the appropriate privacy codes, data sharing agreements, and data processing agreements.
Corporate Governance and Data Privacy
Meanwhile, Atty. Festin discussed the interrelation of corporate governance and data privacy. He explained that corporate governance is a framework of rules, systems and processes in the corporation that governs the performance by the Board of Directors (BOD) and management of their respective duties and responsibilities to the stockholders and other stakeholders.
With the DPA in place, a new stakeholder emerges – the data subject. This becomes a challenge for both private and public institutions. Atty. Festin then suggested adopting a “framework of responsibility.” He said that CEOs and BODs should enhance and take the lead in accountability, policy-making, management, and oversight functions, as well as strategy formulation pertaining to data privacy.
According to him, to provide an enabling environment for achieving compliance with the DPA, an institution must assess its risks, competencies and protocols, establish processes, and reassess.
Best practices in data privacy
To further guide participants in formulating their data policies, Director Ganeson outlined some of the best practices of companies relating to data privacy. These include access control policies and profiles, assessing risks, using cryptographic software and private networks, maintaining in-house software, protecting physical avenues such as internet and USB ports, monitoring databases regularly, evaluating the importance and sensitivity of the data, and putting up firewalls.
Meanwhile, Liboro assured the participants that the NPC shall be in the driver’s seat to inculcate principles of privacy across different sectors. He said that the NPC will release a Data Privacy Management Guide in a couple of weeks.
More proactive approach on data management
As threats to data privacy are more real than imagined, NPC Deputy Commissioner Mapa challenged data controllers to not just comply with the DPA but to be more proactive in their approach to data privacy management. Calling for accountability, he said, “data controllers are thus expected to implement dynamic programs and initiatives to answer the ever evolving threats to data privacy.”
In its efforts to build a culture of accountability, the NPC has created four memorandum circulars on data privacy: Security of Personal Data in Government Agencies (16-01), Data Sharing Agreements Involving Government Agencies (16-02), Personal Data Breach Management (16-03), and the Rules of Procedure of the National Privacy Commission (16-04).
Mapa focused on the first circular, which outlines the obligation to (1) designate a Data Protection Officer; (2) conduct a Privacy Impact Assessment for each program involving data privacy; (3) create privacy and data protection policies; (4) conduct a mandatory, agency-wide training on privacy and data protection policies once a year; (5) register data processing systems with the Commission if the data of at least 1,000 individuals are involved; and (6) cooperate with the Commission when the agency’s privacy and data protection policies are subjected to review and assessment.
Balancing the right to privacy and the need for information
As a final point, the speakers noted that the DPA also seeks to balance an individual’s right to privacy and the need for information in nation building. This is especially important in light of the recently signed Freedom of Information Executive Order (FOI-EO).
Pursuant to the EO, all agencies of the government are encouraged to engage in proactive disclosure. According to Assistant Secretary Ablan, this is meant to lessen the number of FOI requests and to increase transparency and accountability. The disclosure, he said, should take into account the rights of data subjects as stipulated in the Data Privacy Act and the IRR.
Assistant Secretary Ablan also reminded the participants that covered entities are encouraged to publish an accessible directory of information which states what they will publish, how often it will be published, and when it will be published. Aside from that, these entities are required to create a mechanism or inventory for tracking FOI requests.
The issues that surround data privacy principles are not simple. But in an era of data sharing, assuring citizens that their personal information is not compromised becomes more material than ever.