A comprehensive overview of the five pillars of compliance within the Philippine Data Privacy Act. By Rachelle M Diaz of PJS Law
The author observes that there is increased attention on data privacy in the new landscape that the pandemic has drawn for us. Clients are raising questions on compliance requirements brought about by changes in the way they conduct their business and engage clients. Businesses are implementing work-from-home arrangements for their staff, employing measures to manage social distancing requirements and contact tracing protocols, or transitioning to online platforms.
Coping with the changes brought by the pandemic is enough of a challenge, and ensuring that arrangements implemented to mitigate the impact of the pandemic comply with regulatory requirements can be a daunting task. What is reassuring is that data privacy regulations in the Philippines are fairly consistent, in terms of what is expected of personal information controllers (PICs) and personal information processors (PIPs).
Compliance revolves around the general data privacy principles of transparency, proportionality and legitimate purpose. In addition, the National Privacy Commission (NPC) has crafted the five pillars of compliance, which condense the requirements that PICs and PIPs need to observe under the Philippine Data Privacy Act of 2012 (DPA).
The five pillars are: (1) appoint a data protection officer (DPO); (2) conduct a privacy impact assessment (PIA) to assess capabilities, threats and risks; (3) prepare a privacy management programme; (4) implement data privacy governance to carry out identified security measures; and (5) prepare data breach protocols.
With the pandemic redefining behaviours and compelling everyone to embrace a so-called new normal, it is imperative for businesses to revisit these pillars of compliance and adapt them to current circumstances.
(1) Appointment of a DPO. The DPO is the key officer accountable for ensuring PIC and PIP compliance with data privacy regulations, including the DPA, its implementing rules and regulations, and issuances by the NPC. Specific duties and responsibilities of a DPO include: analysing the PIC or PIP’s processing activities involving personal information; checking security clearances granted to, and compliance by, third-party service providers engaged by the company; informing, advising and recommending compliance measures to the PIC or PIP; and advocating the development, review and/or revision of policies, guidelines, projects and/or programmes of the PIC or PIP relating to privacy and data protection.
For some companies, the DPO function is delegated to employees or officers engaged in other roles. With increased attention on privacy concerns at this time, organizations should re-assess whether the DPO requires additional support to carry out his or her functions. In certain instances, it may become necessary to constitute a team, even temporarily, to assist the DPO in managing the data privacy concerns of the organization. This allows the company to remain faithful to its obligation of ensuring that the personal data it controls or processes remains secure and safe.
Employers should also be mindful of engaging their DPOs at the earliest stages of crafting new processes or policies involving personal information, especially at this time, when implementation of new measures involves tight schedules. The DPO requires adequate time and resources to make sure that privacy concerns are addressed, including sufficient opportunity to communicate the necessary compliance requirements effectively to the relevant data process owners.
(2) Conduct a privacy impact assessment. A PIA involves a review and evaluation of programmes, projects, processes, measures, systems or technology products of a PIC or PIP that involve personal information, to assess and manage risks that may affect the integrity or security of the data. Each PIA is unique to the PIC or PIP, since it takes into account the nature of the personal data processed, the personal data flow, the risks to privacy and security posed by the processing, current data privacy best practices, the costs, available resources and even the size of the organization and the scale of its operations. The PIC or PIP is primarily accountable for the conduct of a PIA. This responsibility remains even when it elects to outsource or subcontract the actual conduct of the activity.
Most companies had previously conducted PIAs soon after the implementation of the DPA. Companies, however, should not overlook the need to conduct a PIA to review any updates, adjustments or changes to existing data processes, to assess risks and identify measures to address such risks.
Changes to the manner by which a company operates during the lockdown, or community quarantine, should involve a PIA, even if such measures are temporary, and more so if the adjustments will be permanent. For some processes, there may be a need to update a PIA, due to adjustments of scale.
For instance, work-from-home arrangements are not a new concept, and some companies had implemented them in some form even prior to the community quarantine. The imposition of a lockdown, however, has pushed some employers to scale up work-from-home arrangements to the majority of the workforce. It then becomes necessary to assess whether available infrastructure in place prior to the lockdown remains capable of supporting the increase in remote users.
Conducting a PIA simply breaks down the processes and identifies material considerations relevant to ensuring compliance. The earlier the assessment is made, the sooner security gaps can be addressed. The scale of the PIA will vary depending on the nature of the processes involved. For instance, the PIA involved in collecting health questionnaire forms to be physically filled out by guests and employees will be different from the PIA involved where the company uses an online platform for the same purpose. The risks also vary, taking into account the access of third parties to the information.
Putting on paper the identified risks allows management and the organization to better appreciate the magnitude of risks, and to properly allocate resources to address them.
(3) Preparing a privacy management programme. Most companies would already have a privacy management programme codified into a privacy manual. The privacy manual is meant to inform and serve as a guide to the company’s personnel on measures being taken by the PIC to guarantee the safety and security of personal data under their custody.
The new arrangements for the pandemic require the PIC and PIP to revisit the company’s privacy manuals to record new processing systems or changes to existing ones, as well as to highlight heightened risks brought about by the times. Updating manuals and policies should remain a priority to ensure that PICs or PIPs, and their employees, remain informed and aware of developments in processes.
(4) Implementing data privacy governance to carry out identified security measures. Complying with the above-mentioned requirements is insufficient if the PIC or PIP is unable to carry out the identified security measures effectively. Regularly engaging and training employees on these privacy programmes is necessary to avoid breaches brought about by lapses due to negligence or inattention. Even this exercise poses a challenge at this time, since training and implementation of security measures need to be conducted remotely.
It is, however, necessary to ensure that policies are disseminated and communicated properly to the employees. Employees should be aware of the importance of such policies, and organizations need their employees to buy into their privacy programmes.
(5) Data breach protocols. Data breaches are a constant and real risk, and the likelihood of their occurrence may increase with remote arrangements and increased reliance on digital and electronic platforms. The author cannot overemphasize the need to create a well-defined and robust data breach response plan.
In addition, there should be training and simulations, not just with the technical team but also with the data process owners. Delays usually occur when an organization has not tried out its plans, and there are questions about who needs to be informed in case of a breach. The manner in which an organization reacts after a data breach occurs is often as important as the measures taken to avoid one.
While we are unable to identify all possible risks and threats to data privacy, preparedness remains key to compliance with privacy regulations. Awareness of the basic principles espoused in regulations also allows businesses to be adaptable and flexible in maintaining compliance.