The Data Privacy Protection Competency Guide is built on the belief that a valid, verifiable and actionable demonstration of respect for the data privacy rights of a data subject, and of protection of the privacy and security of personal information, comes from open guidance that presents shareable practice standards: standards that direct the understanding, decisions and work of data privacy law compliance.
The workplace view of data privacy risks, policy, organization, process and documentation has to be easily and consistently created and improved using freely available knowledge of the rules and standards of practice.
Those directly accountable and responsible for personal data collection, retention, use, sharing and disposal have to be engaged so that they experience how data privacy rules and standards apply to their filing systems, automation programs and technology services.
Data Privacy Protection Competency Guide by a Data Subject
1. Data Privacy Protection Competency Guide
“The data subject guidance on how to determine, describe, document and demonstrate accountability, responsibility, risks, policy, control, and operation of a managed data privacy and information security in an enterprise or agency of personal data processing.”
2. Data Privacy Protection Competency Guide
Resource Person: John Macasio
He is an ICT project management consultant who advocates rule- and standard-based data privacy and security compliance of information systems that respect the data privacy rights of a “Data Subject” and secure the privacy of personal data.
In 2014, he was tasked to provide standard-based technical training support to enterprises and agencies challenged by information security issues in their ICT service projects and operations.
In 2018 he created the Data Privacy Protection Guide by a Data Subject to support whole-of-enterprise data privacy and information security
3. Notification
Personal Data Privacy: The names and email addresses collected, retained and used in the seminar registration form are used to recognize the participants and to send learning materials and training information. During the online live seminar a participant may opt to turn off his or her camera and simply use the microphone or chat for questions and comments. The online live seminar is not streamed on Facebook or YouTube.
Copyright Notice: The cited and annotated content of the referenced standards is owned by the respective research organizations or publishers. The information provided about the rules and standards is for educational purposes. The guide is free to use.
4. Being Competent in Data Privacy Protection
“A competent person has the definitive understanding, skills and character needed to perform, at a given level of performance standard, the decisions and work associated with the mandated function and outcome.”
5. Being Competent in Data Privacy Protection
It is indicated by the person’s ability to transfer and apply knowledge, skills and attitude to new situations, and to the requirement of collaborative results.
6. Competency Model on Data Privacy Protection
A competency model is a shareable body of knowledge believed to define and differentiate the essential indicators of the required understanding, action and attitude behind the successful delivery of the performance
7. NPC Circular 16-01 and NPC Advisory 2017-01 have to be recognized and implemented by any business enterprise or government agency that claims to be data privacy compliant.
The competency guidance enables the personal information controller and processor, and the head of a government agency, to accomplish the obligation to:
1. Create privacy and data protection policies, taking into account the privacy impact assessments, as well as Sections 25 to 29 of the implementing rules and regulations.
2. Inform and cultivate awareness on privacy and data protection within the organization of the Personal Information Controller or Processor, including all relevant laws, rules and regulations and issuances of the National Privacy Commission.
3. Conduct a mandatory, agency-wide training on privacy and data protection policies once a year: Provided, that a similar training shall be provided
8. Privacy Rule Context of Competency Re
NPC Circular 16-01 – Security of Personal Data in Government Agencies
NPC Advisory 2017-01 – Designation of Data Protection Officers
9. R.A. 10173 – Data Privacy Act of 2012
Data Privacy Protection Competency Guide: Data Subject view of Rules and Standards
Accountability and Responsibility
Privacy and Security Risks
Privacy Impact Assessment Process
Privacy and Security Controls
Privacy and Security Policy Making
Privacy and Security Management (Outcome-Process-Procedure-Enable)
Security Incident Management
Breach and Complaint Handling
10. R.A. 10173 – Data Privacy Act of 2012
The Accountable and Responsible
Goals of the Data Privacy Law
Concern of Data Privacy Law
Key Result Areas of Privacy Compliance
Roles, Accountability and Responsibility
11. Statutory Goals (R.A. 10173 Chapter 1 Section 2)
1. Protect the fundamental human right of privacy, of communication, while ensuring free flow of information to promote innovation and growth.
2. Ensure that personal information in information and communications systems in the government and in the private sector are secured and protected.
Sources: R.A. 10173; Implementing Rules and Regulations; National Privacy Commission Advisory and Circular Issuances, and Case Resolutions
12. Whose Interest and Benefit is the Data Privacy Act of 2012 (R.A. 10173)? Data Privacy Stakeholders: Participation, Accountability and Responsibility
1. Data Subject – Represents the exercise of data privacy rights and is the main party whose personal data is to be protected with privacy and security
2. National Privacy Commission – Creates regulation; monitors compliance; educates the public; enforces rules; and resolves cases on data privacy
3. Personal Information Controller – Directs and rules the processing of personal
13. Whose Interest and Benefit is the Data Privacy Act of 2012 (R.A. 10173)? Data Privacy Protection Stakeholders: Participation, Accountability and Responsibility
5. Data Protection Officer – Performs the oversight function for the Personal Information Controller to achieve the mandated accountability and responsibility on data privacy
6. Compliance Officer for Privacy – Assists in the oversight function to direct compliance, to monitor breach events, and to resolve and report privacy and security incidents
7. IT and – Provision of the technical measures to secure personal information protection in the location, hardware, software,
14. Implementation Concerns of R.A. 10173 – Data Privacy Act of 2012
1. Compliance Governance
2. Personal Data of a Data Subject
3. Data Privacy Rights of a Data Subject
4. Privacy by Design and Privacy by Default of Personal Data Processing – Filing System and Automated System
5. Data Privacy and Information Security Risk Assessment of the Data Processing System
6. Security Measures of Personal Data Protection
7. Privacy and Security Violations and Penalties
8. Privacy Management Program
9. Privacy Breach and Security Incident Response
15. Rules of Data Privacy Implementation (Implementing Rules and Regulations of R.A. 10173)
Rule 1 – Policy and Definitions
Rule 2 – Scope of Application
Rule 3 – National Privacy Commission
Rule 4 – Data Privacy Principles
Rule 5 – Lawful Processing of Personal Data
Rule 6 – Security Measures for the Protection of Personal Data
Rule 7 – Security of Sensitive Personal Information in Government
Rule 8 – Rights of the Data Subject
Rule 9 – Data Breach Notification
Rule 10 – Outsourcing and Subcontracting
Rule 11 – Registration and Compliance Requirements
Rule 12 – Rules on Accountability
16. Some Exception Considerations
1. Stated scope limitation of the law in the application of data privacy rules and regulations
2. Legal basis that limits the exercise by the data subject of his or her data privacy rights
3. Necessary and mandated lawful requirements to process personal data of a data subject
4. Legal basis for the “legitimate interest” of the personal information controller to process personal data gathered from a data subject
5. Legal basis that permits the requirements for data sharing or exchange between controller and 3rd
17. Relevant NPC Circulars and Advisories for the Implementation Concerns
1. Designate a compliance officer – NPC Advisory 2017-01
2. Security of personal data in the government agency – NPC Circular 16-01
3. Data sharing agreements involving government agencies – NPC Circular 16-02
4. Registry of the data processing system – NPC Circular 17-01
5. Privacy impact assessment – NPC Advisory 2017-03
6. Privacy management manual – NPC Privacy Toolkit
18. Relevant Rules, Circulars and Advisories for the Implementation Concerns
7. Personal data breach management – NPC Circular 16-03
8. Guidelines on security incident and personal data breach reportorial requirements – NPC Advisory No. 2018-01
9. Rules of procedure to exercise the right to complain – NPC Circular 16-04
10. Rules of procedure on requests for advisory opinions – NPC Circular 18-01
11. Rules on mediation before the National Privacy Commission – NPC Circular 18-03
12. Guidelines on compliance checks – NPC Circular 18-02
19. Privacy and Security Standards: Normative References of Practice
1. ISO 29100 – Privacy Framework
2. ISO 27001 Annex A – Security Framework
3. ISO 27701 – Information Security Extended to Privacy
4. ISO 29134 – Privacy Impact Assessment
5. ISO 29190 – Privacy Management Capability Assessment
6. ISO 27035 – Security Incident Management
7. ISO 27036 – Supplier Relationship Security and Privacy
8. ISO 27550 – Privacy in the System Development Lifecycle
20. Privacy and Security Risks: Privacy Impact Assessment Process
Basic Risk Management Methodology
Risk Criteria and Control Requirements
Identify, Analyze, Evaluate and Remedy
Privacy Impact Assessment Report
22. What reasons cause a privacy impact assessment? (ISO 29134)
1. The developed, acquired or operated data processing system collects personal data
2. A change in applicable privacy-related laws and regulations, internal policy and standards, information system operation, purposes and means of processing data, or new or changed data flows
3. A new or prospective technology, service or other initiative where personal information is, or is to be, processed
4. A decision that sensitive personal information is going to be processed
5. A data privacy violation complaint is made against a
24. Privacy Threat Incidents
Privacy Law – R.A. 10173 (penalized acts):
1. Unauthorized processing
2. Negligence in access
3. Improper disposal
4. Unauthorized purpose
5. Unauthorized access
6. Intentional breach
7. Concealed breach
8. Malicious disclosure
9. Unauthorized disclosure
10. Combination of unwanted acts
Privacy Breach Threats to Personal Data (SANS Threat Survey):
1. Ransomware
2. Elevation of privilege into sensitive systems
3. Breaches in cloud-based, multitenant architectures
4. Denial of service
5. Data tampering
6. Identity theft
7. Insider threat
8. Questionable transactions
9. Corporate or foreign government espionage
10. Information disclosure
11. Compromise of DNS infrastructure enabling stealing and exfiltration of data
12. Anti-malware/Antivirus
Security Controls (R.A. 10173 and GDPR):
1. Security Policy
2. Network Protection
3. Confidentiality, Integrity, Availability, and Resilience Assurance of the Processing System
4. Intrusion Detection and Prevention
5. Network Security Monitoring
6. Vulnerability Assessment and Penetration Testing
7. Backup and Data Recovery
8. Identity, Access and Privilege Management
9. Security Incident Management System
10. Data Loss Prevention
11. Encryption and Pseudonymization, Host-based Encryption
12. Insider Threat Control
13. Third-Party Risk Management
25. Security Threat Incidents
Cybercrime Prevention Act of 2012 – R.A. 10175 (offenses):
1. Illegal access
2. Illegal interception
3. Data interference
4. System interference
5. Misuse of devices
6. Fraud
7. Forgery
8. Identity theft
9. Cyber-squatting
10. Unsolicited commercial communications
Violation/Threat and Vulnerability/Exploitation (ETSI ISG ISI):
1. Website forgery
2. Spam
3. Phishing
4. Intrusion
5. Website defacement
6. Misappropriation of resources
7. Denial of service
8. Malware
9. Physical intrusion
10. Malfunction
11. Loss or theft of mobile device
12. Trace malfunction
13. Internal deviant behavior
14. Rights or privileges usurpation or abuse
15. Unauthorized access to servers through remote access points
16. Illicit access to the Internet
17. Deactivation of log recording
18. Non-patched or poorly patched vulnerability exploitation
19. Configuration vulnerability exploitation
20. Security incidents on non-inventoried and/or not
Control Measures (CIS Security Controls):
1. Inventory and Control of Hardware Assets
2. Inventory and Control of Software Assets
3. Continuous Vulnerability Management
4. Controlled Use of Administrative Privileges
5. Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
6. Maintenance, Monitoring and Analysis of Audit Logs
7. Email and Web Browser Protections
8. Malware Defenses
9. Limitation and Control of Network Ports, Protocols and Services
10. Data Recovery Capabilities
11. Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
12. Boundary Defense
13. Data Protection
14. Controlled Access Based on the Need to Know
15. Wireless Access Control
16. Account Monitoring and Control
17. Implement a Security Awareness and Training Program
26. Data Processing Privacy and Security Impact Assessment
Name of Data Processing System: / Controller: / Processor: / [ ] Outsourced [ ] Insourced
Personal Database Name: / Location of Data Processing and Storage: / Legal Basis of Data Processing: / Data Share:
Vulnerabilities (privacy rule gaps):
1. Privacy rights not respected
2. Privacy principles undermined
3. Lawful criteria to process personal information not applied
4. Conditions to process sensitive personal information not applied
5. Data sharing condition not applied
Security incident considered a threat to privacy and a penalized violation:
1. Unauthorized processing
2. Negligence in access
3. Improper disposal
4. Unauthorized purpose
5. Unauthorized access or intentional breach
27. Data Processing Privacy and Security Impact Assessment
Name of Data Processing System: / Controller: / Processor: / [ ] Outsourced [ ] Insourced
Personal Database Name: / Location of Data Processing and Storage: / Legal Basis of Data Processing: / Data Share:
Vulnerabilities (security measure gaps):
1. Organizational security measures not instituted
2. Physical security measures not implemented
3. Technical security measures not installed
4. CIS Security Controls not applied
5. OWASP web application security risks not remedied
Security incident considered a threat to privacy and a penalized violation:
1. Unauthorized processing
2. Negligence in access
3. Improper disposal
4. Unauthorized purpose
5. Unauthorized access or intentional breach
28. Data Processing Privacy and Security Impact Assessment
Name of Data Processing System: / Controller: / Processor: / [ ] Outsourced [ ] Insourced
Personal Database Name: / Location of Data Processing and Storage: / Legal Basis of Data Processing: / Data Share:
Risk register (Violation; Source of security threat; Exploited vulnerabilities; Impact; Probability; Remedy/Treatment):
1. Unauthorized processing – Source: Organizational; Vulnerability: No policy; Impact: Negligible; Probability: Unlikely; Remedy: Vulnerability test
2. Negligence in access – Source: Physical; Vulnerability: Poor office design; Impact: Limited; Probability: Possible; Remedy: Policy review
3. Improper disposal – Source: Technical; Vulnerability: Lack of procedures; Impact: Significant; Probability: Likely; Remedy: Acquire tools
4. Unauthorized purpose – Source: Organizational; Vulnerability: Weak monitoring; Impact: Maximum; Probability: Almost certain; Remedy: Organize team
5. Unauthorized access or intentional breach – Source: Technical; Vulnerability: Not segmented network; Impact: (not rated); Probability: (not rated); Remedy: Training people
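The Identify, Analyze, Evaluate and Remedy cycle behind the register above can be made mechanical once the impact and probability ratings are fixed. The following is an added worked example, not code from the guide or any NPC issuance: the four-point scales, the score thresholds, the rule that a “Maximum” impact is never treated below “high”, and the register rows (constructed to mirror the sample table) are all assumptions chosen for illustration. It scores each rated row, ranks them for treatment, and sends back any row the assessor left unrated instead of silently scoring it as zero.

```python
"""Score and rank a privacy impact assessment (PIA) risk register.

Added example: the scales, thresholds and sample rows are assumptions
for illustration, not taken from R.A. 10173 or any NPC issuance.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed ordinal scales, matching the labels used in the sample register.
IMPACT_SCALE = {"negligible": 1, "limited": 2, "significant": 3, "maximum": 4}
PROBABILITY_SCALE = {"unlikely": 1, "possible": 2, "likely": 3, "almost certain": 4}


@dataclass
class RiskEntry:
    violation: str              # penalized act the incident would amount to
    source: str                 # organizational / physical / technical
    vulnerability: str          # weakness the threat would exploit
    impact: Optional[str]       # label from IMPACT_SCALE, or None if not yet rated
    probability: Optional[str]  # label from PROBABILITY_SCALE, or None if not yet rated
    remedy: str                 # planned treatment


def risk_score(entry: RiskEntry) -> int:
    """Impact x probability on the assumed 1-4 scales (range 1..16)."""
    if entry.impact is None or entry.probability is None:
        raise ValueError(f"{entry.violation}: impact and probability must both be rated")
    try:
        return IMPACT_SCALE[entry.impact.lower()] * PROBABILITY_SCALE[entry.probability.lower()]
    except KeyError as exc:
        raise ValueError(f"{entry.violation}: unknown rating {exc}") from None


def risk_level(entry: RiskEntry) -> str:
    """Map the score to a treatment priority (thresholds are an assumption).

    A 'maximum' impact is floored at 'high' even when unlikely: a breach of
    sensitive personal data is a penalized act regardless of its odds.
    """
    score = risk_score(entry)
    if score >= 12:
        level = "critical"
    elif score >= 6:
        level = "high"
    elif score >= 3:
        level = "medium"
    else:
        level = "low"
    if entry.impact.lower() == "maximum" and level in ("low", "medium"):
        level = "high"
    return level


def evaluate_register(entries: List[RiskEntry]) -> Tuple[list, List[str]]:
    """Return (ranked, incomplete).

    ranked: (violation, score, level, remedy) for rated rows, highest score first.
    incomplete: violations whose rows lack a rating and must go back to the assessor.
    """
    ranked, incomplete = [], []
    for e in entries:
        if e.impact is None or e.probability is None:
            incomplete.append(e.violation)
            continue
        ranked.append((e.violation, risk_score(e), risk_level(e), e.remedy))
    ranked.sort(key=lambda r: r[1], reverse=True)
    return ranked, incomplete


# Constructed sample register (rows follow the assessment table in the guide).
SAMPLE_REGISTER = [
    RiskEntry("Unauthorized processing", "Organizational", "No policy",
              "Negligible", "Unlikely", "Vulnerability test"),
    RiskEntry("Negligence in access", "Physical", "Poor office design",
              "Limited", "Possible", "Policy review"),
    RiskEntry("Improper disposal", "Technical", "Lack of procedures",
              "Significant", "Likely", "Acquire tools"),
    RiskEntry("Unauthorized purpose", "Organizational", "Weak monitoring",
              "Maximum", "Almost certain", "Organize team"),
    RiskEntry("Unauthorized access or intentional breach", "Technical",
              "Not segmented network", None, None, "Training people"),
]

if __name__ == "__main__":
    ranked, incomplete = evaluate_register(SAMPLE_REGISTER)
    for violation, score, level, remedy in ranked:
        print(f"{level:8} {score:2}  {violation}: {remedy}")
    print("Not yet rated:", incomplete)
```

Run as a script it lists the four rated rows from critical down to low and reports the unrated fifth row separately; the point of the separate list is that an unrated row in a PIA is a gap in the assessment, not a low risk.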
29. What to Achieve, Maintain, Prevent and Eliminate: Privacy and Security Policy Making
Data Privacy and Security Governance
Data Privacy Protection Policy
Information Security Policy
Privacy and Security Controls
30. What is to be achieved with R.A. 10173? 1. PRIVACY RIGHTS (R.A. 10173 Chapter IV)
The rights to be exercised by an individual in the processing of personal data:
“Right to be informed”
“Right to access”
“Right to object”
“Right to complain”
“Right to rectify”
“Right to block”
“Right to erase”
“Right to data portability”
“Right to damages”
31. Privacy Rights on Personal Data
Privacy Rights of the Data Subject – Respect Indicators
5. The right to erasure or blocking – Permission to withdraw and delete personal data
6. The right to rectify – Permission to check accuracy and to correct
7. The right to data portability – Ability to request and download personal data
8. The right to complain – Rules of procedure to file
32. Privacy Rights on Personal Data
Privacy Rights of the Data Subject – Respect Indicators
1. The right to be informed – Notification and consent
2. The right to give consent – Written or recorded agreement to process personal data
3. The right to access – Permission to view and participate
33. What is to be achieved with R.A. 10173? 2. PRIVACY PRINCIPLES (R.A. 10173 Chapter III)
The foundation of a data processing system that is privacy by design:
Consent and choice
Proportionality
Transparency
Legitimate purpose
Fairness
Lawfulness
Accuracy
Minimization
Participation
Anonymity
Accountability
34. Privacy Principles of Personal Data Processing: Principles of Transparency, Legitimate Purpose and Proportionality
1. Transparency – The data subject must be aware of the nature, purpose, and extent of the processing of his or her personal data, including the risks and safeguards involved, the identity of the personal information controller, his or her rights as a data subject, and how these can be exercised. Any information and communication relating to the processing of personal data should be easy to access and understand, using clear and plain language.
2. Legitimate purpose – The processing of information shall be compatible with a declared and specified purpose which must not be contrary to law, morals, or public policy.
35. Privacy Principles of Personal Data Processing: General principles in collection, processing and retention
1. Collection must be for a declared, specified, and legitimate purpose
Consent is required prior to the collection and processing of personal data, subject to exemptions provided by the Act and other applicable laws and regulations. When consent is required, it must be time-bound in relation to the declared, specified and legitimate purpose. Consent given may be withdrawn.
The data subject must be provided specific information regarding the purpose and extent of processing, including, where applicable, the automated processing of his or her personal data for profiling, processing for direct marketing, and data sharing.
Purpose should be determined and declared before, or as soon as reasonably practicable after, collection.
36. Privacy Principles of Personal Data Processing
2. Personal data shall be processed fairly and lawfully
Processing shall uphold the rights of the data subject, including the right to refuse, withdraw consent, or object. It shall likewise be transparent, and allow the data subject sufficient information to know the nature and extent of processing.
Information provided to a data subject must always be in clear and plain language to ensure that it is easy to understand and access.
Processing must be in a manner compatible with the declared, specified, and legitimate purpose.
Processed personal data should be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.
Processing shall be undertaken in a manner that ensures appropriate privacy and security safeguards.
3. Processing should ensure data quality
Personal data should be accurate and, where necessary for the declared, specified and legitimate purpose, kept up to date.
37. Privacy Principles of Personal Data Processing
4. Personal data shall not be retained longer than necessary
Retention of personal data shall be only for as long as necessary:
(a) for the fulfillment of the declared, specified, and legitimate purpose, or when the processing relevant to the purpose has been terminated;
(b) for the establishment, exercise or defense of legal claims; or
(c) for legitimate business purposes, which must be consistent with standards followed by the applicable industry or approved by the appropriate government agency.
Retention of personal data shall be allowed in cases provided by law.
Personal data shall be disposed of or discarded in a secure manner that would prevent further processing, unauthorized access, or disclosure to any
38. Privacy Principles of Personal Data Processing
5. Any authorized further processing shall have adequate safeguards
Personal data originally collected for a declared, specified, or legitimate purpose may be processed further for historical, statistical, or scientific purposes, and, in cases laid down in law, may be stored for longer periods, subject to implementation of the appropriate organizational, physical, and technical security measures required by the Act in order to safeguard the rights and freedoms of the data subject.
Personal data which is aggregated or kept in a form which does not permit identification of data subjects may be kept longer than necessary for the declared, specified, and legitimate purpose.
Personal data shall not be retained in perpetuity in contemplation of a possible future use yet to be determined.
39. Privacy Principles of Personal Data Processing: General Principles for Data Sharing
1. Data sharing shall be allowed when it is expressly authorized by law: Provided, that there are adequate safeguards for data privacy and security, and processing adheres to the principles of transparency, legitimate purpose and proportionality.
2. Data sharing shall be allowed in the private sector if the data subject consents to data sharing, and the following conditions are complied with:
1. Consent for data sharing shall be required even when the data is to be shared with an affiliate or mother company, or similar relationships.
2. Data sharing for commercial purposes, including direct marketing, shall be covered by a data sharing agreement.
(a) The data sharing agreement shall establish adequate safeguards for data privacy and security, and uphold the rights of data subjects.
(b) The data sharing agreement shall be subject to review by the Commission on its own initiative or upon complaint of a data subject.
3. The data subject shall be provided with the following information prior to collection or before data is shared:
(a) Identity of the personal information controllers or personal information processors that will be given access to the personal data;
(b) Purpose of data sharing;
(c) Categories of personal data concerned;
(d) Intended recipients or categories of recipients of the personal data;
(e) Existence of the rights of data subjects, including the right to access and correction, and the right to object.
40. Privacy Principles of Personal Data Processing
Data collected from parties other than the data subject for the purpose of research shall be allowed when the personal data is publicly available, or has the consent of the data subject for the purpose of research: Provided, that adequate safeguards are in place, and no decision directly affecting the data subject shall be made on the basis of the data collected or processed. The rights of the data subject shall be upheld without compromising research integrity.
Data sharing between government agencies for the purpose of a public function or provision of a
1. Any or all government agencies party to the agreement shall comply with the Act, these Rules, and all other issuances of the Commission, including putting in place adequate safeguards for data privacy and security.
2. The data sharing agreement shall be subject to review by the Commission, on its own initiative or upon complaint of a data subject.
41. What is to be achieved with R.A. 10173? INFORMATION SECURITY
The preservation of the confidentiality, integrity, and availability of information
CONFIDENTIALITY – Authority is enforced to keep the secrecy and privacy of personal data
INTEGRITY – Trust is assured in the accuracy, completeness, immediacy, usefulness, and reliability of personal data
AVAILABILITY – Accessibility is guaranteed in the connectivity, uptime, reachability, location, protection, and speed of personal information exchange
42. What is to be achieved with R.A. 10173? 3. SECURITY MEASURES (R.A. 10173 Chapter V)
Organizational Security:
1. Compliance Officers
2. Data Protection Policies
3. Records of Processing Activities
4. Processing of Personal Data
5. Personal Information Processor Contracts
Physical Security:
1. Policies and Procedures on Limited Physical Access
2. Security Design of Office Space and Room
3. Person Duties, Responsibility and Schedule Information
4. Policies on transfer, removal, disposal, and re-use of electronic media
5. Prevention policies against mechanical destruction of files and equipment
Technical Security:
1. Security policy in processing personal data
2. Safeguards to protect the computer network against unlawful, illegitimate, and destructive activities
3. Confidentiality, integrity, availability, and resilience of the processing systems and services
4. Vulnerability assessment and regular monitoring for security breaches
5. Ability to restore the availability of and access to personal data
43. What is to be prevented or eliminated with R.A. 10173? 4. PRIVACY VIOLATION (R.A. 10173 Chapter VIII)
A data privacy violation is an illegal or unwanted act that endangers the privacy rights of a person. A data privacy violation is a penalized act that may be complained of through the NPC Complaint-Assisted Form.
Section 25 Unauthorized processing
Section 26 Negligence in access
Section 27 Improper disposal
Section 28 Unauthorized purpose
Section 30 Concealment of breach
Section 31 Malicious disclosure
Section 32 Unauthorized disclosure
Section 33 Combination of unwanted acts
44. Data Privacy Rights Violation
1. Unauthorized processing – It is when personal information is processed without the consent of the data subject, or without being authorized under the lawful criteria.
2. Negligence in access – It is when personal information is made accessible due to negligence and without being authorized by any existing law.
45. Data Privacy Rights Violation
3. Improper disposal – It is when personal information is knowingly or negligently disposed of, discarded, or abandoned in an area accessible to the public, or has otherwise been placed in any container for trash collection.
4. Unauthorized purpose – It is when personal information is
46. Data Privacy Rights Violation
5. Unauthorized access or intentional breach – It is when an individual handling personal information knowingly and unlawfully, or in violation of data confidentiality and security of data systems, breaks in any way into any system where personal and sensitive personal information are stored.
6. Concealed breach – It is when an individual or entity who has knowledge of a security breach and of the obligation to notify the Commission pursuant to Section 20(f) of the Act,
47. Data Privacy Rights Violation
7. Malicious disclosure – It is when an individual or entity, with malice or in bad faith, discloses unwarranted or false information relative to any personal information or sensitive personal information obtained by him or her.
8. Unauthorized disclosure – It is when an individual or entity discloses to a third party personal
48. Personal Information Processing Responsibility Flow (diagram)
Actors: DATA SUBJECT; PI CONTROLLER; PI PROCESSOR; THIRD-PARTY
Data Subject: Maintain Personal Information Inventory; Access, Block, Erase, Change, Complain, Transfer, Claim Personal Information
PI Controller: Instruct Processing of Personal Data; Receive, Accept and Provide Request for Personal Information; Collect, Retain, Use, Disclose, Dispose Personal Information
PI Controller and PI Processor: Execute Personal Data Processing Privacy Agreement
PI Controller and Third-Party: Share Retained or Receive Collected Personal Information under a Data Disclosure or Sharing Agreement
Governing instruments: Privacy Regulations, Policies, Controls, Agreements
49. DATA PRIVACY RIGHTS AND PROCESSING POLICY
Data Privacy Rights:
1. To be informed
2. To give consent
3. To have access
4. To correct
5. To block or erase
6. To complain
7. To claim damages
8. To transfer rights
9. To claim data
Personal Data Privacy Processing Policy, by processing stage:
Collection (Get), Processing (Use), Retention (Store) and Disposal (Delete):
1. Lawful criteria
2. Transparency
3. Legitimate purpose
4. Proportionality
5. Declared, specified, and legitimate purpose
6. Fair and lawful
7. Data quality
8. Not retained longer than necessary
9. Adequate safeguards
Sharing (Disclose):
1. Authorized by law
2. Data subject consent
3. Adequate safeguards
4. For research using publicly available data
5. Data sharing agreement
50. SECURITY MEASURES POLICY
Organizational Security:
1. Compliance Officers
2. Data Protection Policies
3. Records of Processing Activities
4. Processing of Personal Data
5. Personal Information Processor Contracts
Physical Security:
1. Policies and Procedures on Limited Physical Access
2. Security Design of Office Space and Room
3. Person Duties, Responsibility and Schedule Information
4. Policies on transfer, removal, disposal, and re-use of electronic media
5. Prevention policies against mechanical destruction of files and equipment
Technical Security:
1. Security policy in processing personal data
2. Safeguards to protect the computer network against unlawful, illegitimate, and destructive activities
3. Confidentiality, integrity, availability, and resilience of the processing systems and services
4. Vulnerability assessment and regular monitoring for security breaches
5. Ability to restore the availability of and access to personal data
6. Regularly testing, assessing, and evaluating the effectiveness of
51. DATA PRIVACY AGREEMENT POLICY
Privacy agreement with the Personal Information Controller, by counterparty:
Data Subject – Notification and Consent Form:
1. The purpose
2. The personal data
3. The data processing activities
4. The data processor and 3rd party
5. The exercise of privacy rights
6. The privacy compliance procedures
Data Processor – Data Processing Agreement:
1. Data privacy rights
2. Data processing privacy principles
3. Personal data security measures
4. Accountability
3rd Party – Data Sharing Agreement:
1. Data sharing principles
DPO – Appointment Contract:
1. Authority
2. Accountability
3. Tasks
4. Deliverables
53. Who are the stakeholders of data privacy management?
1. Data Subject – personal data; privacy rights; complainant
2. National Privacy Commission – rule making; compliance monitoring; complaint and investigation; enforcement
3. Personal Information Controller – legitimate interest; data processing instruction; privacy law accountability
4. Personal Information Processor – data processing system; data processing agreement and execution; privacy law accountability
5. Data Protection Officer – privacy compliance oversight; privacy single point of contact; privacy awareness and training
54. What are the stakeholders’ privacy agreements?
1. Assets of data privacy to be secured
2. Privacy and security risks to be controlled
3. Privacy protection policies and measures to be maintained
4. Privacy and security contracts to be enforced
5. Business systems and processes to be ruled with data privacy and security controls
6. Privacy and security management methodology and technology to be acquired
7. Privacy capability building of personnel to be regularly conducted
8. Data privacy and information security ecosystem relationships to be maintained
55. What is to be managed?
1. PRIVACY is freedom from intrusion into the private life or affairs of an individual or person, when that intrusion results from undue or illegal gathering and use of data about that individual. (ISO 2382 – IT Vocabulary)
56. What is to be managed?
2. PRIVACY PROTECTION represents the definitive act of respecting the person's rights of privacy and the security of personal data that are being collected, processed, retained, shared, and disposed by the personal information controller and processor of business or government.
57. What is to be managed?
3. PERSONAL DATA represents a set of information that identifies an individual or person: 1. Personal Information; 2. Sensitive Personal Information; 3. Privileged Information. The identifiable person has a human right called PRIVACY.
58. Personal Data Category
1. Name: Given name, middle name, surname, alias
2. Identification number: License number, tax number
3. Location data: Address, GPS location
4. Online identifier: e-mail, IP address
5. Digital identifier: Biometric, CCTV data
6. Genetic Data: DNA test result
7. Health Data: Diagnostic report
8. Research Data: Research question, enumerator interview logs
9. Physical factor: Height, weight, sex
10. Physiological factor: Body chemistry
11. Mental factor: Intellectual aptitude test results
12. Economic factor: Salary, debts, property
13. Cultural factor: Nationality, tribe
14. Social identity: Club membership, titles, legal record
59. Sensitive Personal Information (RA 10173 sec 3i)
1. Health, education, genetic or sexual life of a person
2. Proceeding for any offense committed or alleged to have been
committed by such individual, the disposal of such proceedings, or the
sentence of any court in such proceedings
3. Individual’s race, ethnic origin, marital status, age, color, and religious,
philosophical or political affiliations
4. Identification document issued by government agencies peculiar to an
individual which includes, but is not limited to, social security numbers,
previous or current health records, licenses or its denials, suspension or
revocation, and tax returns
60. Personal Data Processing Privacy Protection
Privacy Protection Requirements – Management Results
1. Personal data and processing system visibility – Registry of personal data, filing system, automation program
2. Respect data privacy rights – Data privacy rights policy, process, notification, consent
3. Regulated personal data processing lifecycle of personal information and sensitive personal information – Inventory of process, system and technology and risks assessment
4. Data privacy principles in personal – Data processing privacy
61. Personal Data Processing Privacy Protection
Privacy Protection Requirements – Management Results
6. Conditions to process sensitive personal information – Privacy policy and system conformity test
7. Accountability in personal data sharing – Data sharing agreement, and security measures
8. Security measures in personal information protection – Organization, physical and technical measures: policy, role, activities, product, services and technology
9. Breach and privacy violation and corresponding penalties – Breach reporting and case management
62. Data Processing Activities (diagram: PERSONAL DATA FLOW of PI between the actors)
Activities: Collection, Retention, Processing, Share, Dispose
Data Subject: Consent
Information Controller: Register; Instruct Collection; Instruct Storage; Instruct Processing; Instruct Transfer; Instruct Deletion
Information Processor: Collect, Store, Use, Disclose, Delete (each step Secure)
Third Party / Data Share: Consume; Provide, Receive (PI)
63. Personal Data Collection and Retention Process (flowchart: DATA SUBJECT, PI CONTROLLER, PI PROCESSOR)
Data Subject: Input Personal Data or Change Request; Read Notification; Give Consent (Yes/No); Request to View, Block, Correct, Delete, Copy
PI Controller: Instruct Collection and Retention of Personal Data, based on the Personal Information Requirement, the Data Processing Agreement, and the Data Privacy Regulation, Policy and Controls (Privacy Rights, Principles, Capture & Store Rules)
PI Processor: Execute Personal Data Collection and Retention into the Personal Data Store; data Ready for use and disclosure
64. Personal Data Use and Disclosure Process (flowchart: DATA SUBJECT, PI CONTROLLER, PI PROCESSOR, 3rd PARTY)
Data Subject: Input Personal Data or Request Access; Read Notification; Give Consent (Yes/No); View, Block, Correct, Delete, Copy, Complain
PI Controller: Instruct Utilization and Sharing of Personal Data, based on the Personal Information Requirement, the Data Utilization and Sharing Agreement, and the Data Privacy Regulation, Policy and Controls (Legitimate Use Criteria, Lawful Processing, Privacy Control)
PI Processor: Execute the Use and Sharing of Data; Display Processing and Results; Personal Data Sharing Store
65. Personal Data Disposal Process (flowchart: DATA SUBJECT, PI CONTROLLER, PI PROCESSOR, 3rd PARTY)
Data Subject: Input Request Access; Read Notification; Give Consent (Yes/No); View, Copy, Complain
PI Controller: Instruct Disposal of Stored Personal Information, based on the Personal Information Requirement, the Data Retention and Disposal Agreement, and the Data Privacy Regulation, Policy and Controls (Disposal Condition, Retention Rule, Responsible)
PI Processor: Execute the Disposal or Destruction of Personal Data and Media; File Shredded; Media Destroyed
66. Develop Privacy Management Program
A privacy management program or system is a definitive and shared understanding, decision and work about the data privacy protection capability and protocols of the business units that are responsible in personal data processing.
1. Organized compliance governance
2. Subscribed data privacy and security policies
3. Remediation action based on privacy impact assessment report
4. Continual education on data privacy protection
67. Data Privacy Management Capability – ISO 29190
1. Inventory: Enterprise and agency understand what composes their processing of personal data. They are able to make visible and account for the processes, systems, databases, and third parties involved with processing personal information and sensitive personal information.
2. Policy: Enterprise and agency have adopted and agreed on their corporate and business unit policies over privacy rights assurance and the security of personal information protection in their collection, retention, transmission, use, disclosure and disposal of personal data.
68. Data Privacy Management Capability – ISO 29190
3. Governance: Enterprise and agency have an accepted matrix of roles, accountability, responsibilities and competencies to manage data privacy and security of personal information at the corporate and business unit levels.
4. Risk Management: Enterprise and agency have adopted an approach or methodology for managing privacy risk and business compliance across the organization, addressing the use of technologies, and dealing with the trans-border and multi-jurisdictional challenges.
69. Data Privacy Management Capability – ISO 29190
5. Procedures & Controls: Enterprise and agency have written and communicated procedures and controls to actively enforce policy and other compliance obligations, and monitor those procedures and controls to ensure they remain intact and effective.
6. Information Security: Enterprise and agency have set up the information security management system that ensures the confidentiality, integrity, and availability of personal information and the related information technology used to collect, store, transfer, use, share, archive, and destroy the personal data.
70. Data Privacy Management Capability – ISO 29190
7. Third Party Management: Enterprise and agency have 3rd party risk management processes that account for privacy, including performing due diligence during the selection process, putting controls in place (both contractually and for the secure transfer of the information) and building a solid basis of confidence that the third parties using the personal information can protect it and govern its use.
8. Compliance: Enterprise and government have the program to manage compliance with policy, regulations, and other obligations around data privacy assurance and security of personal information protection.
71. Data Privacy Management Capability – ISO 29190
9. Incident Management: Enterprise and government have a standard process, documented in a comprehensive plan, which provides an effective and orderly response to security incidents and potential breach incidents involving personal information.
10. Training & Awareness: Enterprise and government have general and tailored training related to the organization’s use and protection of personal information, supported by an ongoing awareness program and related guidance.
72. Rule and Standard Based Management of Data Privacy
R.A. 10173 Implementing Rules:
Rule 1 – Policy and Definitions
Rule 2 – Scope of Application
Rule 3 – National Privacy Commission
Rule 4 – Data Privacy Principles
Rule 5 – Lawful Processing of Personal Data
Rule 6 – Security Measures for Protection of Personal Data
Rule 7 – Security of Sensitive Personal Information in Government
Rule 8 – Rights of Data Subject
Rule 9 – Data Breach Notification
Rule 10 – Outsourcing and Subcontracting
Rule 11 – Registration and Compliance Requirements
Rule 12 – Rules on Accountability
Rule 13 – Penalties
Rule 14 – Miscellaneous Provisions
Data Privacy Policy – ISO 29100:
5.2 Consent and choice
5.3 Purpose legitimacy and specification
5.4 Collection limitation
5.5 Data minimization
5.6 Use, retention and disclosure limitation
5.7 Accuracy and quality
5.8 Openness, transparency and notice
5.9 Individual participation and access
5.10 Accountability
5.11 Information security
5.12 Privacy compliance
Information Security Policy – ISO 27001 Annex A:
A5 Information security policies
A6 Organization of information security
A7 Human resource security
A8 Asset management
A9 Access control
A10 Cryptography
A11 Physical and environmental security
A12 Operations security
A13 Communications security
A14 System acquisition, development and maintenance
A15 Supplier relationship
A16 Information security incident management
A17 Information security aspects of business continuity management
73. Rule and Standard Based Management of Data Privacy
Policy: R.A. 10173 – 2016 Implementing Rules and Regulation; NPC Advisories and Circulars; NYMITY Accountability Framework; ISO 29100 – Data Privacy Framework; ISO 27001 – Information Security Framework; ISO 29190 – Privacy Management Capability
Inventory: ISO 10007 – Configuration Management; NPC Circular 17-01 Registration of Data Processing System and Automated System
Risks: ISO 31000 – Risks Management; ISO 27005 – Security Risks Management; ISO 29134 – Privacy Impact Assessment; ISO 22307 – Finance Sector Privacy Impact Assessment; NPC Advisory No. 2017-03 PIA Guidelines
Controls: R.A. 10173 Security Measures; ISO 29151 – Privacy Controls; ISO 27036 – Security Supplier Relationship; ISO 27002 – Security Controls; CSI Security CONTROL; ISO 27017 – Cloud Security; ISO 27018 – Cloud Privacy; ISO 27045 – Big; ISO 27701 – Privacy Information Management System; ISO 27550 – Privacy Engineering For
Operation: NPC Circular 16-03 Personal Data Breach Management; ISO 27035 – Security Incident Management; ISO 27032 – Cyber Security Guidelines; ETSI Security Indicators
74. Security Operation Center Configuration
Security Incident Protocol and Breach
Rules on Procedures for Complaints
Change Management
Security Incident Management
Breach and Complaint Handling
75. DATA PROCESSING PRIVACY COMPLIANCE (diagram; Republic Act 10173 – DPA 2012)
Data lifecycle: DATA COLLECT → DATA RETAIN → DATA PROCESS / TRANSMIT → DATA SHARE → DATA DISPOSE (illustrative figures on the diagram: 1,000 Record, 250 Personnel)
Actors: DATA SUBJECT; PERSONAL INFORMATION CONTROLLER; PROCESSOR; SECURITY OPERATION CENTER; data classes PI, SPI, PVI
PRIVACY RIGHTS: 1. Inform; 2. Access; 3. Block; 4. Change; 5. Transfer; 6. Complain; 7. Damage; 8. Portability; 9. Correct; 10. Erase
DATA PROCESSING PRIVACY COMPLIANCE: 1. Compliance Organization; 2. Privacy Rights Process; 3. Data Processing Privacy Principles; 4. Lawful Criteria PI Processing; 5. Condition SPI Processing; 6. Accountability in Data Share; 7. Data Protection Security Measures; 8. Breach and Complaint Management
BUSINESS PROCESS, SYSTEM & TECHNOLOGY CONT: Customer Relationship System; Enterprise Resource System; Performance Control System
TECHNOLOGY INFRASTRUCTURE: Apps Platform; On-Premise Data Center; Network; Database; On-cloud; Sensors
76. PRIVACY VIOLATION and SECURITY VIOLATION (diagram; same data lifecycle, actors, data classes and technology infrastructure as slide 75)
Security measures: Organizational Security Measure; Physical Security Measures; Technical Security Measures
DATA SHARE: Access, Record, Use
PRIVACY VIOLATION: 1. Unauthorized processing; 2. Negligence in access; 3. Improper disposal; 4. Unauthorized purpose; 5. Unauthorized access; 6. Intentional breach; 7. Concealed breach; 8. Malicious disclosure; 9. Unauthorized disclosure
SECURITY VIOLATION: 1. Illegal Access; 2. Illegal Interception; 3. Data Interference; 4. System Interference; 5. Misuse of Devices; 6. Cyber Squatting; 7. Computer Forgery; 8. Computer Fraud; 9. Identity Theft
johnmacasio@gmail.com
77. Information Security Layer of Data Privacy Protection (diagram)
COMPLIANCE LAYER: Governance, Risks, and Compliance System
PERIMETER LAYER: Next Gen Firewall, VPN, IDP, SSO, MFA
NETWORK LAYER: SIEM, IPS, Email, NAC, Wireless Security
HOST LAYER: VA, AV/Malware, PAM, CMDB, MDM, Host based F
APPLICATION LAYER: RBAC, Encryption, Source Code Test and Secur
DATA LAYER: Encryption, DLP, Data Backup, DDoS
PHYSICAL LAYER: Data Center Building Power, Security
Are cyber security and data privacy built-in or add-on in the STRATEGY, SOURCING, DESIGN, BUILD, TEST, INSTALLATION and OPERATION of the digital business process, information system and technology platform as required by the implementation regulations of R.A. 10173, R.A. 10175 and DICT National Cyber Security Plan 2022?
78. CYBER SECURITY AND PRIVACY THREAT SCENARIO (diagram) – vulnerabilities when exploited violate R.A. 10173, R.A. 10175, and GDPR
USERS (DATA SUBJECT, ANONYMOUS, REGULATOR) → CONNECTIVITY (Intranet/Internet – Wired/Wireless) → FIREWALL SYSTEM; ACCESS/IDENTITY CONTROL SYSTEM; FILE ENCRYPTION SYSTEM; INTRUSION DETECTION
SECURED AREAS OF BUSINESS PERFORMANCE: Data and Storage; Identity and Privilege; Process and Application; Connectivity and Access; Interoperation Middleware; Service Support
Event LOG and Context LOG → SECURITY INFORMATION and EVENT MANAGEMENT (SIEM) → SOC
SOC tooling: ANTIVIRUS MALWARE; INTRUSION PROTECTION; EXPLOITATION ANALYTIC; USER BEHAVIOR ANALYTIC; Governance, Risk, Compliance System; CMDB (HARDWARE, SOFTWARE, NETWORK, SERVICES); PATCH MANAGEMENT; APPS CODE TEST; LOGS MANAGEMENT; VULNERABILITY AND PENETRATION TEST
Phases: 1. IDENTIFY-PROTECT; 2. DETECT-RESPOND; 3. RECOVER-CONTINUE
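An added example, not code from the deck or its author, of the event log / context log correlation the diagram routes into the SIEM: a small Python detector joins constructed access events with a constructed registry context (PI/SPI/PVI class, authorized roles, declared purpose) and raises the deck's "unauthorized access" and "unauthorized purpose" privacy violations, plus a visibility finding for records the registry does not know. Record ids, roles, purposes and log lines are all constructed sample values.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Context log: what the personal data registry and the data processing
# agreement say about each record (class, declared purpose, authorized roles).
# Constructed sample values, not from the deck.
CONTEXT: Dict[str, dict] = {
    "rec-001": {"class": "PI",  "purpose": "billing",    "roles": {"billing-clerk"}},
    "rec-002": {"class": "SPI", "purpose": "healthcare", "roles": {"clinic-nurse"}},
    "rec-003": {"class": "PVI", "purpose": "legal",      "roles": {"legal-counsel"}},
}

# Event log: access records as an application or database would emit them.
# Constructed sample lines.
EVENTS: List[dict] = [
    {"ts": "2018-06-01T08:01Z", "user": "ana",  "role": "billing-clerk", "record": "rec-001", "purpose": "billing"},
    {"ts": "2018-06-01T08:02Z", "user": "ben",  "role": "billing-clerk", "record": "rec-002", "purpose": "billing"},
    {"ts": "2018-06-01T08:03Z", "user": "cora", "role": "clinic-nurse",  "record": "rec-002", "purpose": "marketing"},
    {"ts": "2018-06-01T08:04Z", "user": "dan",  "role": "legal-counsel", "record": "rec-999", "purpose": "legal"},
]


@dataclass(frozen=True)
class Finding:
    ts: str
    user: str
    record: str
    violation: str  # wording taken from the deck's privacy violation list
    severity: str   # "high" for SPI/PVI, "medium" for PI, "low" for registry gaps


def classify_event(event: dict, context: Dict[str, dict]) -> Optional[Finding]:
    """Return a Finding when the event contradicts the registry/agreement, else None."""
    ctx = context.get(event["record"])
    if ctx is None:
        # Visibility gap: the registry does not know this record at all.
        return Finding(event["ts"], event["user"], event["record"], "unregistered record", "low")
    severity = "high" if ctx["class"] in ("SPI", "PVI") else "medium"
    if event["role"] not in ctx["roles"]:
        # Role is not one the processing instruction authorizes for this record.
        return Finding(event["ts"], event["user"], event["record"], "unauthorized access", severity)
    if event["purpose"] != ctx["purpose"]:
        # Authorized role, but the stated purpose differs from the declared one.
        return Finding(event["ts"], event["user"], event["record"], "unauthorized purpose", severity)
    return None


def detect(events: List[dict], context: Dict[str, dict]) -> List[Finding]:
    """Run every event through the rule and keep only the findings."""
    return [f for f in (classify_event(e, context) for e in events) if f is not None]


if __name__ == "__main__":
    for f in detect(EVENTS, CONTEXT):
        print(f"{f.ts} {f.severity.upper():6} {f.user} {f.record}: {f.violation}")
```

The context lookup is what turns a plain access record into a privacy finding; without the registry the SIEM can only report that a row was read.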
79. CYBER SECURITY & DATA PRIVACY PROTECTION TECHNICAL MEASURES vs. 8 Cyber Threats & 10 Privacy Breaches (network diagram)
ON-LINE users: 1. Customer; 2. Providers; 3. Employees; 4. Anonymous; 5. Mobile Social Network; 6. Data Subject and Processors
Internet Provider / Cloud Services (1. DNS; 2. Web Services) → Border Router → Perimeter Firewall → Content Filter (WAF) → 3. Intrusion Detection System; 4. Intrusion Protection System → 1. Access Management; 2. Identity Management
NETWORK ROUTER & SWITCHES → NETWORK SEGMENT OF USER: 1. Employee Network; 2. Management Network; 3. Business unit Network; 4. Guest Mobile Network; 5. Quarantined Network
DATA CENTRE OPERATION: 3. Storage; 4. Database; 5. Application; 6. Middleware; 7. Agreements; Configuration: 1. Control; 2. Monitor; 3. Security
SECURITY OPERATION CENTRE (SIEM System, GRC System): 1. Security Tools; 2. Security Data: Collection, Analysis, Reporting; 3. Security: Protection, Response, Recovery
Phases: IDENTIFY-PROTECT; DETECT-RESPONSE
80. Behind the Wall of Cyber Privacy Assurance (diagram)
Phases: IDENTIFICATION; DETECTION; PROTECTION; RESPONSE; RECOVER; CONTINUE
DATA PRIVACY STANDARDS: ISO 29100; ISO 29101; ISO 29190; ISO 29134; ISO 27018; ISO 29151; ISO 31000
CYBER SECURITY STANDARDS: ISO 27001; ISO 27002; ISO 27005; ISO 27017; ISO 27004; ISO 27035; ISO 22301; ISO 27032; ISO 19600
THREAT INTELLIGENCE: CVE; CISA ALERT; CMU SEI CERT
81. 1. Configuration Management Database (CMDB)
2. Governance, Risks, and Compliance System (GRC)
3. Security Information and Event Management (SIEM)
4. File and Data Encryption Management (PKI)
5. Access, Identity and Privileges Management (IAM, PAM)
6. Anti-Virus and Malware Management
7. Log Management System (LMS)
8. Patch Management System
9. Vulnerability Scanners and Penetration Testing Tools (VP)
10. Intrusion Prevention and
11. Firewalls and Next-Generation Firewalls (NGFW)
12. Cyber Threat Intelligence Feeds and Vulnerability Measurement Databases
13. User Behavior Analytics
14. Application Code Security Test
15. End-Point Protection
16. E-mail Gateway Protection
17. Insider Threat Protection Data Vault
18. File and Storage Eraser
19. Data Backup and Recovery
20. CCTV and Control System
82. End-to-End Security and Privacy Service Portfolio
CMDB
SIEM
INTRUSION DETECT/PROTECT
VULNERABILITY ASSESSMENT
LOGS MANAGEMENT
EVENT & CONTEXT LOGS
PATCH MANAGEMENT
DATA LOSS PREVENTION
THREAT INTELLIGENCE
PKI & DATA/HOST ENCRYPTION
APPS CODE SECURITY TEST
END-POINT PROTECTION
ANTI VIRUS MALWARE
FIREWALL WAF & MONITORING
IDENTITY MANAGEMENT
EMAIL SECURITY GATEWAY
DATA BACKUP & RECOVERY
INSIDER THREAT CONTROL