12.1 Processing
Any operation or any set of operations performed upon personal information including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure, or destruction of data.
12.1.1 Standards for protecting personal information
Every person that owns or licenses personal information shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains organizational, technical, and physical security measures.
12.1.2 Organizational Security Measures
Every personal information controller and personal information processor must also consider the human aspect of data protection.
- Data Protection Officer (DPO) and Compliance Officer for Privacy (COP);
- Conduct of trainings or seminars;
- Conduct of Privacy Impact Assessment (PIA);
- Recording and documentation of activities;
- Compliance with the duty of confidentiality; and
- Creation and review of Privacy Manual.
12.1.3 Physical Security Measures
Pertains to monitoring and limiting access to the facility containing the personal data, including the activities therein.
- Storage type and location;
- Access procedure of agency personnel;
- Design of office space/workstation;
- Persons involved in processing, and their duties and responsibilities;
- Modes of transfer of personal data within the organization, or to third parties; and
- Retention and disposal procedure.
12.1.4 Technical Security Measures
Measures to ensure that there are appropriate and sufficient safeguards to secure the processing of personal data, particularly the computer network in place, including encryption and authentication processes that control and limit access. They include the following, among others:
- Monitoring for security breaches;
- Security features of the software and applications used;
- Process for regular testing, assessment and evaluation of the effectiveness of security measures; and
- Encryption, authentication process, and other technical security measures that control and limit access to personal data.
12.2 Security Requirements for a Computer System
- Secure user authentication protocols;
- Secure access control measures;
- Encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly;
- Encryption of all personal information stored on laptops or other portable devices;
- For files containing personal information on a system that is connected to the internet, there must be reasonably up-to-date firewall protection and operating system security patches, reasonably designed to maintain the integrity of the personal information; and
- Education and training of employees on the proper use of the computer security system and the importance of personal information security.
12.3 NPC CID Case No.: 17-002
FACTS: COMELEC reported that on 11 January 2017, a desktop computer of the Office of the Election Officer in Wao, Lanao Del Sur was stolen by unidentified persons. The desktop computer contained, among other applications, the Voter Registration System (“VRS”) and the Voter Search (“VS”) program that utilize the data stored in the National List of Registered Voters. From the submissions, this Commission found out that the VRS contained a total of 58,364 registration records for the Municipality of Wao. An EMPLOYEE was criminally charged for Accessing Personal Information and Sensitive Personal Information Due to Negligence.
RULING: In this case, the Employee cannot be said to have been negligent in implementing reasonable and appropriate security measures to prevent the taking of the desktop computer containing voter personal data. Just like what a reasonable and prudent man would have done to secure the computers inside the office, the employee placed padlocks and gave instructions to make sure that all doors and windows are locked at the end of the working day. He also installed a strong password to said desktop computer and only he and his casual employee knew the said password. The robbery was committed with force upon things, implying that the perpetrator had to break the locks and force his way through the back window into the office of the Election Officer. Further, COMELEC, in their personal data breach report to this Commission, maintains that technical security measures are in place to limit access to the VRS program in the desktop computer and that the VRS and the NLRV data are encrypted in AES 256.
12.4 Transfer of Personal Data
Emails. A government agency that transfers personal data by email must either ensure that the data is encrypted or use a secure email facility that facilitates the encryption of the data, including any attachments. Passwords should be sent on a separate email. It is also recommended that agencies utilize systems that scan outgoing emails and attachments for keywords that would indicate the presence of personal data and, if appropriate, prevent its transmission.
Removable Physical Media. Where possible, the manual transfer of personal data, such as through the use of removable physical media like compact discs, shall not be allowed: Provided, that if such mode of transfer is unavoidable or necessary, authentication technology, such as one-time PINs, shall be implemented.
Portable Media. A government agency that uses portable media, such as disks or USB drives, to store or transfer personal data must ensure that the data is encrypted. Agencies that use laptops to store personal data must utilize full disk encryption.
Fax Machines. Facsimile technology shall not be used for transmitting documents containing personal data.
Transmittal. A government agency that transmits documents or media containing personal data by mail or post shall make use of registered mail or, where appropriate, guaranteed parcel post service. It shall establish procedures that ensure that such documents or media are delivered only to the person to whom they are addressed, or his or her authorized representative: Provided, that similar safeguards shall be adopted relative to documents or media transmitted between offices or personnel within the agency.
12.5 Disposal of Personal Data
Personal data shall be disposed of or discarded in a secure manner that would prevent further processing, unauthorized access, or disclosure to any other party or the public, or prejudice the interests of the data subjects.
Procedures must be established regarding:
- disposal of files that contain personal data, whether such files are stored on paper, film, optical or magnetic media;
- secure disposal of computer equipment, such as disk servers, desktop computers and mobile phones at end-of-life, especially storage media: Provided, that the procedure shall include the use of degaussers, erasers, and physical destruction devices; and
- disposal of personal data stored offsite.
Third-Party Service Providers. A government agency may engage a service provider: Provided, that the service provider shall contractually agree to the agency's data protection procedures and ensure that the confidentiality of all personal data is protected.
12.6 Final Note
The DPA is not meant to prevent government agencies from processing personal data when necessary to fulfill their mandates. Rather, the law aims to protect the right to data privacy while ensuring free flow of information. It promotes fair, secure, and lawful processing of such information.
Refrain from sharing online videos and photos of instructions on how to process 2022 CBMS data and map data files. These data and map data files contain highly sensitive personal information which should always be protected. Any personnel who mishandles such data will be liable to the authorities pursuant to the Data Privacy Act of 2012.
All tablet files in temporary storage devices such as Google Drive, external hard disk drives or USB drives must be deleted as soon as these are saved and backed up in the server PC. Passwords should be set on all folders/files in temporary storage devices before transmission to the intended authorized users in the PSA.