Data Privacy Module 3


DATA PROTECTION OFFICER
Data Privacy Fundamentals
Module 3

DPO Development Program


DATA PROTECTION OFFICER
DPA, Section 21(b)
DPA IRR, Section 26(a), 50(b)
National Privacy Commission Advisory 17-01

Module 3, DP Fundamentals
ALL PICs AND PIPs should designate a Data Protection Officer
• The personal information controller shall designate an individual or individuals who are accountable for the organization’s compliance with this Act. The identity of the individual(s) so designated shall be made known to any data subject upon request. (Sec. 21[b])
• xxx The personal information processor shall comply with all the requirements of this Act and other applicable laws. (Sec. 14)

[Diagram] The PIC or PIP designates a Data Protection Officer (DPO/COP).
PIC/PIP: Compliance and Accountability. Must comply with the DPA.
DPO/COP: Must ensure that the PIC or PIP complies with the DPA.
GENERAL QUALIFICATIONS
• Specialized knowledge and demonstrated reliability
• Expertise in relevant privacy or data protection policies and practices
• Sufficient understanding of the processing operations being carried out by the PIC or PIP
• Knowledge by the DPO of the sector or field of the PIC or PIP

WHAT IS A COP?
• In certain cases, a PIC or PIP is allowed to designate a compliance officer for privacy (COP).
• COP refers to an individual or individuals who shall perform some of the functions of a DPO.
• The DPO generally oversees the operations of the COP to ensure the performance of his/her functions, efficiently and economically, but without interference with day-to-day activities.
• The COP should actively coordinate and consult with the supervising DPO, and should take instructions from the same.

LOCAL GOVERNMENT UNITS (LGUS)
• Aside from having a DPO, a component city, municipality, or barangay can designate a COP, as long as the COP shall be under the supervision of the DPO.

Example:
A DPO in an HUC (Highly Urbanized City) and a COP in each barangay under its jurisdiction

GOVERNMENT AGENCIES
• Aside from having a DPO, a government agency that has regional, provincial, district, city, municipal offices, or any other similar sub-units, may designate or appoint a COP for each sub-unit. The COPs shall be under the supervision of the DPO.

Example:
A DPO in the COMELEC central office and a COP in each field office

PRIVATE SECTOR
• Where a private entity has branches, sub-offices, or any other component units, it may also appoint or designate a COP for each component unit.

Example:
A DPO in an insurance company’s central office and a COP in each branch office

GROUP OF COMPANIES
• Subject to the approval of the NPC, a group of related companies may appoint or designate the DPO of one of its members to be primarily accountable for ensuring the compliance of the entire group with all data protection policies. Where such a common DPO is allowed by the NPC, the other members of the group must still have a COP, as defined in the Advisory.

Example:
A DPO in the holding company and a COP in each of its subsidiaries

OTHER ANALOGOUS CASES
• PICs or PIPs that are under similar or analogous circumstances may also seek the approval of the NPC for the appointment or designation of a COP, in lieu of a DPO.

Example:
A DPO in a national club and a COP in each chapter

REMEMBER
• It is important for the agency or company to make a determination of the privacy risks represented by its data processing operation. This should be considered when deciding on whether to have one DPO for multiple companies, or to have COPs in addition to the DPO.
• Ideally, there should be one DPO for every entity.
• An individual PIC or PIP shall be a de facto DPO.
• A PIC or PIP may not be subject to NPC registration requirements, but is always required to designate a DPO.

POSITION OF A DPO OR COP

Position of a DPO or a COP
• Full-time or organic employee
• In the government, may be career or appointive.
• In the private sector, may be regular or permanent. May also be contractual, but the term or duration should not be less than 2 years.

CONFLICT OF INTEREST
• In his or her capacity as DPO or COP, an individual may perform (or be assigned to perform) other tasks or assume other functions that do not give rise to any conflict of interest.
• The designated DPO may also occupy some other position in the organization (e.g., legal counsel, risk management officer, etc.).

INDEPENDENCE AND AUTONOMY
• The DPO or COP shall act independently in the performance of his or her functions, and shall enjoy a sufficient degree of autonomy.
• A PIC or PIP should not instruct the DPO or COP on how to interpret the law nor influence his or her position relative to a specific data protection issue.
• A PIC or PIP should not directly or indirectly penalize or dismiss the DPO or COP for performing his or her tasks, but nothing shall preclude the legitimate application of labor, administrative, civil or criminal laws against the DPO or COP, based on just or authorized grounds.

CONFIDENTIALITY
• The DPO or COP is bound by secrecy or confidentiality concerning the performance of his or her tasks.
• The DPO or COP should not use any information obtained in the course of performing his or her duties for any purpose outside his or her scope of work.

WEIGHT OF OPINION
• The opinion of the DPO or COP must be given due weight. In case of disagreement, and should the PIC or PIP choose not to follow the advice of the DPO or COP, it is recommended, as good practice, to document the reasons therefor.

SUBCONTRACTING FUNCTIONS
• Outsourcing or subcontracting is allowed.
• The DPO or COP must oversee the performance of the third-party service provider.
• The DPO or COP shall remain the contact person.

DUTIES & RESPONSIBILITIES

MONITOR COMPLIANCE
1. Monitor the PIC’s or PIP’s compliance with the DPA, its IRR, issuances by the NPC and other applicable laws and policies.

MONITOR COMPLIANCE
Monitoring task | Compliance and accountability framework element
Collect information and maintain records of processing activities | Records of Processing Activities
Analyze and check the compliance | Privacy Compliance and Progress Report; Privacy Impact Assessment
Inform, advise, and issue recommendations to the PIC or PIP | Be aware of the privacy ecosystem; Privacy Management Program
Ascertain renewal of accreditations or certifications | Continuing Assessment and Development
Advise the PIC or PIP as regards the necessity of executing a Data Sharing Agreement | Manage third parties

2. Ensure the conduct of Privacy Impact Assessments relative to activities, measures, projects, programs, or systems of the PIC or PIP;

• The extent of the involvement of the DPO in the PIA is left to the discretion of the PIC or PIP. The DPO may actively take part in the PIA, or may simply be consulted on the PIA results. (NPC Advisory 17-03)

3. Advise the PIC or PIP regarding complaints and/or the exercise by data subjects of their rights

4. Ensure proper data breach and security incident management by the PIC or PIP, including the latter’s preparation and submission to the NPC of reports and other documentation concerning security incidents or data breaches within the prescribed period;

• Data Breach Response Team. A personal information controller or personal information processor shall constitute a data breach response team, which shall have at least one (1) member with the authority to make immediate decisions regarding critical action, if necessary. The team may include the Data Protection Officer. (NPC Circular 17-03, Section 5)

5. Inform and cultivate awareness on privacy and data protection within the organization of the PIC or PIP, including all relevant laws, rules and regulations and issuances of the NPC;

6. Advocate for the development, review and/or revision of policies, guidelines, projects and/or programs of the PIC or PIP relating to privacy and data protection, by adopting a privacy by design approach;

7. Serve as the contact person of the PIC or PIP vis-à-vis data subjects, the NPC and other authorities in all matters concerning data privacy or security issues or concerns and the PIC or PIP;

8. Cooperate, coordinate and seek advice of the NPC regarding matters concerning data privacy and security; and

SECTION 2. Advisory Opinion. – An advisory opinion refers to a determination of the NPC on matters relating to data privacy or data protection, at the request of any party, or on a complaint endorsed by the Complaints and Investigations Division (CID) under Sections 4 and 10 of Rule II of NPC Circular No. 2016-04 (NPC Circular No. 18-01 – Rules of procedure on requests for Advisory Opinions)

Advisory Opinion
NPC Circular No. 18-01 – Rules of procedure on requests for Advisory Opinions

How do you request an Advisory Opinion?

a. File your request for an advisory opinion in the same manner as a complaint.
b. Your request should include all facts necessary for the Commission to evaluate your concern and render an opinion.
c. Provide the National Privacy Commission a way to contact you.
d. Remember that if your request is for an advisory opinion, the National Privacy Commission will not award damages.

9. Perform other duties and tasks that may be assigned by the PIC or PIP that will further the interest of data privacy and security and uphold the rights of the data subjects

• Except for items (1) to (3), a COP shall perform all other functions of a DPO.
• Where appropriate, he or she shall also assist the supervising DPO in the performance of the latter’s functions.

SUPPORTING THE DPO

[Diagram] The Data Protection Officer sits at the centre of a Data Privacy Network made up of the Privacy Champion, the Compliance Officer for Privacy, the Information Security Officer, IT, Legal, and the Compliance Officer, supported by clear reporting lines and by resources and support.

OBLIGATIONS OF PIC OR PIP
• Communicate to its personnel and data subjects the designation of the DPO or COP, and his or her functions;

WHERE                              WHAT
Website                            Title or designation
Privacy notice                     Postal address
Privacy policy                     Dedicated telephone number
Privacy manual or privacy guide    Dedicated email address
Other means

The name of the DPO or COP should be made available upon request of the NPC or a data subject.

OBLIGATIONS OF PIC OR PIP
• Allow the DPO or COP to be involved from the earliest stage possible in all issues relating to privacy and data protection;
• Provide sufficient time and resources (financial, infrastructure, equipment, training, and staff) necessary to keep updated with the developments in data privacy and security and to carry out his or her tasks effectively and efficiently;
• Grant appropriate access to the personal data it is processing;

OBLIGATIONS OF PIC OR PIP
• Where applicable, invite the DPO or COP to participate in meetings of senior and middle management to represent the interest of privacy and data protection;
• Promptly consult the DPO or COP in the event of a personal data breach or security incident; and
• Ensure that the DPO or COP is made a part of all relevant working groups that deal with personal data processing activities conducted inside the organization, or with other organizations.
TOP MANAGEMENT
• Budget support for security controls (technical, organizational, physical)
• Incorporating compliance into the performance bonus parameters of those concerned, especially for those handling personal data
• Drive the message throughout the organization
• Drive the urgency (e.g. like the SARS epidemic, when everyone started installing hand sanitizers)

PROCESS OWNERS
• Own/maintain their respective privacy impact assessments
• Consult on strategic projects involving the use of personal data (“privacy by design”)
• Conduct breach drills regularly – test each privacy impact at least once a year

HUMAN RESOURCE
• Roll-out training on privacy and data protection
• Issue security clearances to staff processing personal data (such clearance to be made contingent on passing the privacy training). DPOs must have access to all security clearances issued.
• Implement the recommended organizational controls

LEGAL DIVISION
• Ensure that all PIP/service provider contracts, job orders, etc. are compliant. For example, all PIPs must also have their own DPO.
• Ensure that all external sharing of data meets the required guidelines of the NPC.

OTHERS
• IT to implement the recommended technical controls
• Security to implement the recommended physical controls
• Internal audit to test internally for compliance

While the responsibility of complying with the DPA
remains with the PIC or PIP, malfeasance, misfeasance,
or nonfeasance on the part of the DPO or COP relative
to his designated functions may still be a ground for
administrative, civil, or criminal liability, in accordance
with all applicable laws.

Thank you!

privacy.gov.ph

0939 963 8715


0945 1534 299
