The European Innovation, Technology and Science Center (EITSC) has partnered with the National Privacy Commission (NPC) to bring Data Privacy Workshops to the general public in Manila.

The high turnout in the workshops is a clear indication that we in business are highly interested to know more about the Data Privacy Act, its implementation and how it will affect our organizations and us as managers.

The business community has advocated for the data privacy legislation for a long time and was happy when it was finally signed into law by President Aquino in 2012. Why were we in business interested in such legislation?

  • we wanted to be at par with other countries and regions in the world that were legislating the use of private data, and
  • as a country that is already using huge amounts of data in Business Process Management and Knowledge Process Management, we wanted to be at par with competing countries and protect the data processing industry and its enormous potential with Big Data hitting all of us.

But what has happened since the law was passed and since the National Privacy Commission has started the implementation process four years later?

We are getting different messages – let me quote a few newspaper headlines:

  • Obeying data-privacy rules seen giving Philippine firms a competitive edge (sounds good)
  • Is your company using employee data ethically? (raises some issues)
  • Data Privacy Law increases job openings for IT graduates (sounds good again)
  • NPC wants select companies to submit info on security officers by Sept. 9 (starts putting pressure on us; where do we find trained Data Protection Officers (DPOs)?)
  • Criminal disclosure – the column by Atty. Alex B. Cabrera on August 6 must have started scaring a few of us!! Criminal charges are hitting us if we fail in data privacy protection!!

Republic Act No. 10173, also known as the Data Privacy Act of 2012 (DPA), aims to protect personal data in information and communications systems both in the government and the private sector.

It ensures that entities or organizations processing personal data establish policies, and implement measures and procedures that guarantee the safety and security of personal data under their control or custody, thereby upholding an individual’s data privacy rights. A personal information controller or personal information processor is instructed to implement reasonable and appropriate measures to protect personal data against natural dangers such as accidental loss or destruction, and human dangers such as unlawful access, fraudulent misuse, unlawful destruction, alteration and contamination.

To inform its personnel of such measures, each personal information controller or personal information processor is expected to produce a Privacy Manual. The Manual serves as a guide or handbook for ensuring the compliance of an organization or entity with the DPA, its Implementing Rules and Regulations (IRR), and other relevant issuances of the National Privacy Commission (NPC). It also encapsulates the privacy and data protection protocols that need to be observed and carried out within the organization for specific circumstances (e.g., from collection to destruction), directed toward the fulfillment and realization of the rights of data subjects.

Companies / organizations have to employ Data Protection Officers; every personal information controller or personal information processor must develop and implement policies and procedures for the management of a personal data breach, including security incidents.

Every data subject (your employees) has the right to reasonable access to his or her personal data being processed by the personal information controller or personal information processor. Other available rights include: (1) right to dispute the inaccuracy or error in the personal data; (2) right to request the suspension, withdrawal, blocking, removal or destruction of personal data; and (3) right to complain and be indemnified for any damages sustained due to inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of personal data. There is no doubt that private data handlers and Human Resource Managers become endangered species.

The workshop EITSC is running in Manila has five Modules, taking a whole day. Each of our workshops is oversubscribed. Managers are realizing that data privacy is difficult to implement.

Where do we go from here? How can we cooperate? How can we assist each other in the process to avoid data breaches and the severe implications that come with data breaches… I am referring to criminal charges…

Maybe, it is time to bring a workshop to Cebu! If you are interested contact me –

by:  Henry J. Schumacher
