Data Privacy & Protection for the Data Privacy Act

isulanfc 115 views 67 slides Sep 23, 2024

About This Presentation

data privacy


Slide Content

Data Privacy & Protection Technical Learning Session KNOWLEDGE EDUCATION CONFERENCE April 17-18, 2018 Sison Auditorium Lingayen, Pangasinan KEC 13

Housekeeping About me What’s in this lecture Gadgets and other devices

About me Francis Euston R. Acero Chief, Complaints and Investigations Division [email protected] Member Integrated Bar of the Philippines Certified Penetration Testing Engineer Certified Digital Forensics Examiner

Gadgets and other devices Just in case you don’t get a copy, mail us at [email protected] for one! No need to capture with phones Be careful of what you post on Facebook Feel free to ask questions at ANY time during the presentation

In this lecture The law on data privacy and protection Personal information and sensitive personal information Data privacy principles Conducting a Privacy Impact Assessment Consent and the conditions for processing data Key components of a Privacy Management Program Protecting your own personal data

The law on data privacy The need to protect data privacy The Data Privacy Act and its Implementing Rules Concepts and Definitions

“The world’s most valuable commodity is data.” The Economist, 6 May 2017

Using data “Like oil, those who see its value and learn to extract and use it will reap rewards.” Joris Toonders, founder of Yonego (Internet Marketing Service), writing for Wired, July 2014

Data processing

Data privacy laws Also known as data protection (EU) and information privacy (US) Ensure the free flow of information by: Building trust between the personal information controller and the data subject Ensuring that data is secure and used only for stated purposes

The Data Privacy Act

Data subject An individual whose information is processed. The definition does not include juridical persons. FCC v. AT&T, 562 U.S. 397 (2011). Juridical persons cannot experience physical suffering or such sentiments as wounded feelings, serious anxiety, mental anguish or moral shock. People v. Manero, Jr., 218 SCRA 85, 96-97 (1993).

Personal information Any information: from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information; or when put together with other information would directly and certainly identify an individual.

Sensitive personal information Information about an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations Information about an individual’s health, education, genetic or sexual life of a person, or to any proceeding for any offense, the disposal of such proceedings, or the sentence of any court in such proceedings;

Sensitive personal information Issued by government agencies peculiar to an individual which includes, but not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns Specifically established by an executive order or an act of Congress to be kept classified

Data Privacy Principles Once you understand these core principles to data protection, the text of the law follows

Transparency Legitimate Purpose Proportionality

Transparency The data subject must know The kind of personal data collected How the personal data will be collected Why personal data will be collected The data processing policies of the PIC must be known to the data subject The information to be provided to the data subject must be in clear and plain language

Legitimate Purpose Data must always be collected only for the specific, explicit, and legitimate purposes of the PIC. No processing of data that is not compatible with the purpose for which the data was collected. The processing of data must respect the law of the applicable jurisdiction, in accordance with the International Bill of Rights. Any processing of data that gives rise to unlawful or arbitrary discrimination is unfair.

Proportionality The processing of personal data should be limited to such processing as is adequate, relevant, and not excessive in relation to the purpose of the data processing. Efforts should be made to limit the processed data to the minimum necessary.

Consent Where the data subject agrees to the collection and processing of his personal data. The agreement must inform: (a) purpose, nature, and extent of processing; (b) period of consent/instruction; and (c) rights as a data subject.

Processing Personal Information (a) The data subject has given his or her consent; (b) The processing of personal information is necessary and is related to the fulfillment of a contract with the data subject or in order to take steps at the request of the data subject prior to entering into a contract; (c) The processing is necessary for compliance with a legal obligation to which the personal information controller is subject;

Processing Personal Information (d) The processing is necessary to protect vitally important interests of the data subject, including life and health; (e) The processing is necessary in order to respond to national emergency, to comply with the requirements of public order and safety, or to fulfill functions of public authority which necessarily includes the processing of personal data for the fulfillment of its mandate; or

Processing Personal Information (f) The processing is necessary for the purposes of the legitimate interests pursued by the personal information controller or by a third party or parties to whom the data is disclosed, except where such interests are overridden by fundamental rights and freedoms of the data subject which require protection under the Philippine Constitution.

Processing Sensitive Information (a) The data subject has given his or her consent, specific to the purpose prior to the processing, or in the case of privileged information, all parties to the exchange have given their consent prior to processing; (b) The processing of the same is provided for by existing laws and regulations: Provided, That such regulatory enactments guarantee the protection of the sensitive personal information and the privileged information: Provided, further, That the consent of the data subjects are not required by law or regulation permitting the processing of the sensitive personal information or the privileged information;

Processing Sensitive Information (c) The processing is necessary to protect the life and health of the data subject or another person, and the data subject is not legally or physically able to express his or her consent prior to the processing; (d) The processing is necessary to achieve the lawful and noncommercial objectives of public organizations and their associations: Provided, That such processing is only confined and related to the bona fide members of these organizations or their associations: Provided, further, That the sensitive personal information are not transferred to third parties: Provided, finally, That consent of the data subject was obtained prior to processing;

Processing Sensitive Information (e) The processing is necessary for purposes of medical treatment, is carried out by a medical practitioner or a medical treatment institution, and an adequate level of protection of personal information is ensured; or (f) The processing concerns such personal information as is necessary for the protection of lawful rights and interests of natural or legal persons in court proceedings, or the establishment, exercise or defense of legal claims, or when provided to government or public authority.

Rights of Data Subjects Right to be Informed Right to Object Right to Access Right to Correct/Rectify

Rights of Data Subjects Right to Block/Remove Right to Data Portability Right to File a Complaint Right to be Indemnified

1. Commit to Comply: APPOINT A DATA PROTECTION OFFICER
2. Know Your Risks: CONDUCT A PRIVACY IMPACT ASSESSMENT
3. Write Your Plan: CREATE A PRIVACY MANAGEMENT PROGRAM
4. Be Accountable: IMPLEMENT YOUR PRIVACY AND DATA PROTECTION MEASURES
5. Be Prepared for Breach: REGULARLY EXERCISE YOUR BREACH REPORTING PROCEDURE

This is what it is, okay? I said, “Empty your mind.” Be formless, shapeless. Like water. Now, you put water into a cup, it becomes the cup. You put water into a bottle, it becomes the bottle. You put it in a teapot, it becomes the teapot. Now, water can flow or it can crash. Be water, my friend. -Bruce Lee

The Privacy Impact Assessment Foundation for Effective Privacy Management

Privacy Impact Assessment Tool to help understand data life cycles within an organization Identifies attendant risks in data processing Proposes measures to control risks through a structured framework

Key Considerations One PIA for every data processing activity When applicable, done before implementation of the processing activity The output report can be used to evaluate readiness May cover one processing activity between controllers and processors

Skip the PIA step only if: There are minimal risks to the rights and freedoms of data subjects DPO recommendation to forego PIA exists

Objectives Identify, evaluate, and manage risks in data processing Documentation for processing activities, as integral part of privacy management program Determines state of compliance with standards Establish control framework

Objectives The final report must contain: Stakeholder involvement Measures for risk management The process through which the report will be communicated to stakeholders

Responsibility Should be in controller or processor’s data privacy and protection policies Triggers for activation Key personnel involved Resource allocation Review process DPO should understand when to conduct a PIA Extent of participation to be determined

Stakeholder Involvement Modes of involvement Direct participation Public forum roundtables Focus group discussions Surveys and feedback forms Stages of involvement Entire process Specific parts of the process Participation in review Distribution

Form and Structure ISO/IEC 29134 Criteria for evaluating methodology Systematic description of data flow and processing activities Includes assessment of adherence to principles, security measures, and rights exercise mechanisms Identifies and evaluates risks to data subjects Inclusive process Risk evaluation Considers natural and human dangers Considers impact or likelihood of adverse events Includes countermeasures to mitigate or alleviate risk

Description of data flows Purpose of the processing Data inventory Sources of personal data Collection procedure Functional description of data processing List of information repositories Graphic representation of physical location Data transfers Storage and disposal method Accountable persons Existing organizational, technical, and physical security

Planning Commit to the process! Decide on the need for a PIA Assign a person responsible Provide resources Issue clear directive for conduct Identify the subject process and key persons Plan for Integrating results Communicating with stakeholders

Key Persons Process owners Participants Persons in charge Signatories to report Secretariat (if necessary) Internal or external stakeholders

Preparation Conduct a data inventory Understand and document each stage of the data life cycle Determine inclusions in baseline information Existing policies and security measures Coordinate with department heads Stakeholders may be involved If processing more than 1000, ISO/IEC 27002 and ISO/IEC 29151 recommended

Preparation Establish schedules and timelines Completion of preparatory activities Conduct of the PIA Reporting and publication of results Obtain approval of resource and budget allocations Set time for participants Set methods for stakeholder involvement Define documentation and review process Prepare any additional documents

The Assessment Collect and complete baseline information Evaluate processing activities against the legal obligations of the entity Evaluate processing activities against the control framework Adheres to data privacy principles Implementation of security measures Procedure for exercise of rights Consider privacy and data protection measures

Baseline information Records of processing activities Personal data inventory Personal data flows Purpose and legal basis for the processing activity Data sharing agreements Persons responsible Information repositories and technology products used Sources and recipients of personal data Persons with access to personal data Existing policies and security measures

The Assessment Evaluate for gaps to determine the risks involved, including threats and vulnerabilities of systems Evaluate likelihood of risks Amount and nature of personal data involved Impact of possible harm A gap exists when: There is a violation of a data privacy principle Measures are inadequate to safeguard confidentiality, integrity, or availability of personal data There are undue restrictions on the exercise of data subject rights

The Assessment Propose measures to address identified risks Measures may mitigate, accept, avoid, or transfer risk. Take into account: Likelihood and impact of a breach or privacy violation Available resources to address risks Current best practices Industry or sector standards

Measures to address risk include: Risks and strategies for risk management Implementing activities Controlling mechanisms to monitor, review, and support implementation Time frame, completion, and schedules Responsible and accountable persons Resource allocation

The Assessment Document stakeholder participation Review and assess results before finalizing and approving the PIA Should include proposed measures that serve as basis for implementing changes Communicate results!

The Assessment Recipients Management Internal stakeholders External stakeholders Redactions Results may be redacted to reduce legal or security exposure

Documentation and Review Results must be reduced into a report Entity must maintain a record of PIA reports Reports must be made available to data subjects on request Evaluate on an annual basis

Accountability Demonstration of compliance with Philippine data privacy and protection laws Considered in evaluating if the entity exercised due diligence Provide a copy of the system to the NPC on demand

Protecting personal data Technical Provisions in NPC Circular No. 16-01

Storage Must be stored in a data center If digitally processed, must be encrypted with at least AES-256 encryption Passwords must be strong enough Access to all data centers must be restricted to those with appropriate security clearance NPC may audit, or may be independently verified or certified

Agency Access to Personal Data Only programs developed or licensed by a government agency may access or modify databases containing personal data under that agency’s control Access must be strictly regulated

Agency Access to Personal Data Each user must sign an agreement explaining an updated acceptable use policy Must use multi-factor authentication for online access

Agency Access to Personal Data Only known devices, properly configured for security, can access personal data. Only authorized media may be used on computer equipment. Mobile devices owned by the agency must be equipped with remote disconnection or deletion technologies. Paper-based data systems must keep logs showing when each file was last accessed, where, and by whom.

Transfer of Personal Data If done by e-mail, must ensure that data is encrypted, or use a secure e-mail facility that facilitates the encryption of all data, including any attachments. Send passwords on a separate e-mail.

Transfer of Personal Data Scan outgoing emails for attachments and keywords that indicate personal data, and prevent transmission Controls must be in place to prevent printing or copying to word processors and spreadsheets without security or access controls in place.

Transfer of Personal Data Data stored in portable media, like discs or USB storage, must be encrypted Laptops must utilize full disk encryption Manual transfer of personal data, where possible, is prohibited. If impossible, authentication technology must be in place.

Transfer of Personal Data NO FAX TRANSMISSIONS Use registered mail or, where appropriate, guaranteed parcel post service. Safeguards apply to internal transfers!

Disposal of Personal Data Comply with National Archives of the Philippines Act (RA 9470) if archiving records Procedures must be established over Disposal of files that contain personal data, regardless of storage medium Disposal of computer equipment at end-of-life, including storage media. Includes the use of degaussers, erasers, physical destruction devices Offsite disposal

End. https://privacy.gov.ph facebook.com/privacy.gov.ph twitter.com/PrivacyPH