NPC FAQs
FREQUENTLY ASKED QUESTIONS ON DATA PRIVACY FOR THE NON-LIFE INSURANCE SECTOR
KEY TERMS

01. Personal data refers to all personal information, sensitive personal information and privileged information.

02. Personal information refers to information about an individual from which he or she can be reasonably and directly identified.

03. Sensitive personal information refers to personal information:
a. about an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;
b. about an individual’s health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such individual, the disposal of such proceedings, or the sentence of any court in such proceedings;
c. issued by government agencies peculiar to an individual which includes, but is not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns; and
d. specifically established by an executive order or an act of Congress to be kept classified.

04. Personal information controller (PIC) refers to a natural or juridical person, or any other body who controls the processing of personal data, or instructs another to process personal data on its behalf, and is obliged to safeguard such data under penalty of law. The term excludes:
a. a natural or juridical person, or any other body, who performs such functions as instructed by another person or organization; or
b. a natural person who processes personal data in connection with his or her personal, family, or household affairs.

05. Personal information processor (PIP) refers to a natural or juridical person or any other body to whom a personal information controller may outsource or instruct the processing of personal data pertaining to a data subject, and who is also obliged to safeguard such data under penalty of law.

06. Data subject refers to an individual whose personal, sensitive personal, or privileged information is processed.

07. Personal information processing refers to any operation or set of operations performed upon personal data including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data. Processing may be performed through automated means, or through manual processing if the personal data are contained or are intended to be contained in a filing system.
NON-LIFE INSURANCE SECTOR

Q 01. Should Local Captive Insurance Call Centers be required to use “Mini Miranda” statements? (Disclosure that calls are being recorded.)

A 01. The processing of personal data should always adhere to the data privacy principles of transparency, legitimate purpose and proportionality. Transparency necessitates that the data subject must be made aware of the nature, purpose, and extent of the processing of his or her personal data, including the risks and safeguards involved, the identity of the personal information controller, his or her rights as a data subject, and how these can be exercised. Any information and communication relating to the processing of personal data should be easy to access and understand, using clear and plain language. A disclosure that calls are being recorded is one way of demonstrating transparency and upholding the right of data subjects to be informed.
Q 02. Are we in the process of creating a Philippine HIPAA Law soon?

A 02. We are not aware of the current thrust of our Congress on enacting a law similar to HIPAA. Please note that HIPAA is a US law and our Data Privacy Act of 2012 was largely based on the 1995 EU Directive.

Q 03. Should all our (internal and external) e-mail attachments be encrypted?

A 03. The Data Privacy Act of 2012 requires all personal information controllers (PICs) and personal information processors (PIPs) to implement reasonable and appropriate organizational, physical and technical measures intended for the protection of personal information against any accidental or unlawful destruction, alteration and disclosure, as well as against any other unlawful processing. The determination of the appropriate level of security must take into account the nature of the personal information to be protected, the risks represented by the processing, the size of the organization and complexity of its operations, current data privacy best practices and the cost of security implementation. Hence, it is up to the internal determination of the company whether all e-mail attachments need to be encrypted, taking into account the above parameters.
Q 04. What are the confidentiality regulations between the company and its employees concerning company-assigned tools?

A 04. Pursuant to Section 20(e) of the Data Privacy Act of 2012, the employees, agents or representatives of a personal information controller who are involved in the processing of personal information shall operate and hold personal information under strict confidentiality if the personal information are not intended for public disclosure. This obligation shall continue even after leaving the public service, transfer to another position or upon termination of employment or contractual relations. A company should have policies in place regarding the confidentiality and non-disclosure of personal data being processed. The specific terms and conditions will depend on other factors, i.e. applicable laws and regulations on confidentiality of personal data, requirements of the company, industry or sector standards, as well as international standards and best practices.
Q 05. What are your suggestions to avoid breaches on company-assigned tools (e.g., company laptops and mobile phones)?

A 05. The NPC recognizes the fact that breaches are bound to happen and that there is no 100% secure data processing system. As such, it is incumbent upon personal information controllers and processors to mitigate the risk associated with the processing of personal data through the implementation of reasonable and appropriate organizational, physical and technical measures intended for the protection of personal information. The Commission has issued NPC Circular No. 2016-03 on Personal Data Breach Management. This circular provides the framework for personal data breach management, the procedure for personal data breach notification and other requirements. Please refer to the said circular for further information.
Q 06. What is the compliant application process that will entail changes to the processes of non-life insurance companies, especially for online applications?

A 06. The processing of personal data should always adhere to the data privacy principles of transparency, legitimate purpose and proportionality, and be grounded upon any of the criteria for lawful processing of personal and sensitive personal information under Sections 12 and 13 of the Data Privacy Act of 2012 (DPA). We cannot declare a particular application process to be compliant with the DPA unless and until the Commission conducts and concludes a compliance check. However, for guidance, we have the Data Privacy Accountability and Compliance Framework, which we prescribe to all personal information controllers and processors. This details the steps towards compliance with the DPA.

Q 07. What kind/level of information is acceptable to share with external partners?

A 07. The Data Privacy Act of 2012 has the twin task of protecting the fundamental human right of privacy while ensuring the free flow of information to promote innovation and growth. The law does not operate to limit the sharing of information so long as the sharing adheres to the data privacy principles of transparency, legitimate purpose and proportionality, and is grounded upon any of the criteria for lawful processing of personal and sensitive personal information under Sections 12 and 13 of the DPA. Thus, the kind/level of information sharing will largely depend on the underlying purpose for the said sharing.
Q 08. What are the general rules on company data (hard copy/soft copy) retention and purging?

A 08. Under Section 11 of the Data Privacy Act of 2012, personal information must be retained only for as long as necessary for the fulfillment of the purposes for which the data was obtained, or for the establishment, exercise or defense of legal claims, or for legitimate business purposes, or as provided by law. For specific rules on retention and disposal of data, these would be based on any applicable law on the matter, i.e. if there are provisions in the Insurance Code or a regulation or issuance of the Insurance Commission on retention and disposal, these will be controlling.

Q 09. Can a company ask for an extension of the submission of a report to the Commission?

A 09. It is possible for PICs to be granted additional time by the Commission to comply with the submission of the full report required within five (5) days from knowledge of, or reasonable belief of, the occurrence of a personal data breach.
Q 10. For publicly-listed companies, where does one draw the line on personal data required by law (directors’ passports, details in affidavits) vs. personal data protected by law?

A 10. Information necessary in order to carry out the functions of public authority, which includes the processing of personal data for the performance by law enforcement and regulatory agencies of their constitutionally and statutorily mandated functions, is outside the scope of the law, but only to the minimum extent of collection, access, use, disclosure or other processing necessary to the purpose, function, or activity concerned. This is interpreted to the effect that there is a presumption that personal data may be lawfully processed by a personal information controller or processor, but the processing shall be limited to achieving the specific purpose, function or activity, and the personal information controller or processor remains subject to the requirement of implementing measures to secure and protect personal data. For instance, a government agency having a constitutional or statutory mandate to collect and process personal data may do so even without the consent of the data subject. But this is with the concomitant responsibility of ensuring that organizational, physical and technical security measures are in place to protect the personal data it is processing.
Q 11. Can PIRA provide a template of a Data Privacy Manual or Privacy Policy that shall be adopted by all PIRA Members for uniformity of the Non-Life Insurance Industry?

A 11. It is possible for PIRA to come up with a template for a privacy manual, policy or code to be adopted by the industry or sector, as it is in the best position to know the nuances and needs of the sector vis-à-vis data privacy and data protection requirements and standards. The NPC may review such privacy codes and require changes thereto for purposes of complying with the DPA.

Q 12. Why should the PICs be bound by the Data Privacy practices of the PIPs? (That should be the lookout and responsibility of the PIPs since it is their own practices/policies. PICs are not for the internal matters or internal management of PIPs.)

A 12. Under Section 21 of the DPA, it is stated that each personal information controller (PIC) is responsible for personal information under its control or custody, including information that has been transferred to a third party for processing. It further states that PICs are accountable for complying with the requirements of the law and shall use contractual or other reasonable means to provide a comparable level of protection while the information is being processed by a third party. We relate this to Section 14 of the law, which states as follows:

“SECTION 14. Subcontract of Personal Information. — A personal information controller may subcontract the processing of personal information: Provided, That the personal information controller shall be responsible for ensuring that proper safeguards are in place to ensure the confidentiality of the personal information processed, prevent its use for unauthorized purposes, and generally, comply with the requirements of this Act and other laws for processing of personal information. The personal information processor shall comply with all the requirements of this Act and other applicable laws.”

As the processing by a PIP is upon the instruction of a PIC, the latter has the prerogative to ensure that the PIP is complying with the DPA.
Q 13. What are the responsibilities of a company in terms of data privacy protection in the area of social media? Are we liable for clients who willingly share sensitive and personal information on public online/social media platforms? What is the best way to obtain consent from clients on social media?

A 13. The same data privacy principles, obligations and responsibilities apply to the processing of personal data online, including on social media platforms. PICs must endeavor to inform and educate data subjects on the dangers and risks of sharing sensitive personal information online. Obtaining consent online may be through an opt-in box, clicking an icon, sending a confirmation e-mail or some other pertinent format. We wish to emphasize that consent as a criterion for processing personal data must be a freely given, specific and informed indication of will, whereby the data subject agrees to the collection and processing of personal information.

Q 14. What is the implication of the Data Privacy Law in cases wherein a company has to send out or publish a “Notice to the Public”, e.g., in the case of sales agents or ex-employees who commit fraud?

A 14. There is a need to determine the basis of the processing, i.e. legitimate interest of the PIC (Section 12(f)), exercise or defense of legal claims (Section 13(f)), or some other criterion for processing. Likewise, it is essential that the personal data is accurate, relevant and, where necessary for the purposes for which it is to be used, kept up to date. The data subject must be given the opportunity to dispute any inaccuracy or error in the personal information and have the personal information controller correct it immediately and accordingly.
Q 15. What is the implication of the Data Privacy Law in coming up with identification cards for employees? What should and should not appear on the ID card (e.g., some ID cards show government ID numbers, addresses, etc.)?

A 15. The decision on what information to include in a company ID should take into consideration the data privacy principles of transparency, legitimate purpose and proportionality. Specifically on proportionality, one may consider limiting the personal information on the face of the ID to the following: the name and facial image of the employee, where the only purpose of the ID is to prove, for instance, that Employee A is employed by Company X. Additional information or details may be included for as long as there is a legitimate purpose under existing laws, rules, and policies.

Q 16. What is the implication of the Data Privacy Law in terms of security measures implemented for building or office security? Are we still allowed to obtain or view identification cards of visitors (e.g., in exchange for a visitor’s pass)?

A 16. There is no prohibition on this practice. One just has to make sure that the security personnel are trained and aware of existing security policies, that the collection of ID cards is limited to the purpose of issuing visitors’ passes and ensuring the security of the premises, that they cannot take pictures or make copies of such IDs for their own personal use, etc.
Q 17. What is the implication of the Data Privacy Law in terms of CCTV footage, video footage, or photos? Take for example the following cases:

● A client feels disrespected by a company employee (e.g., a sales frontliner). In order to “document” the erring employee, the client takes video footage or photos of the employee. Even if the employee did commit a mistake in the way he treated the client, we assume the employee still has a right to privacy and can complain that his privacy rights have been violated?

A: It is possible for the employee to invoke his rights under the DPA, in the same manner that the client may likewise invoke a criterion for lawful processing of personal data. These incidents will be treated on a case-to-case basis.

● CCTV footage captures a person in the act of committing a crime (e.g., theft). Are companies allowed to share such footage with the public or with the media? Does a person committing a crime retain his right to privacy?

A: CCTV footage of crimes should be made available to law enforcement agencies, following standard operating procedures.

● How is the NPC working to balance data privacy protection with AMLA/KYC requirements, wherein it becomes necessary to obtain identifying information of clients?

A: Information necessary for banks and other financial institutions under the jurisdiction of the independent central monetary authority, or Bangko Sentral ng Pilipinas, to comply with the Anti-Money Laundering Act and other applicable laws is outside the scope of the DPA, but only to the minimum extent of collection, access, use, disclosure or other processing necessary to the purpose, function, or activity concerned. The DPA should not be used as an excuse for non-compliance with existing laws and regulations. It has the twin task of protecting the fundamental human right of privacy while ensuring the free flow of information to promote innovation and growth. For instance, a bank collecting information for KYC purposes may do so, but with the concomitant responsibility of securing such personal data. Where a bank reports a covered or suspicious transaction for AMLA purposes, this is sanctioned and the bank need not obtain consent from the depositor concerned.
Q 18. What should a company’s first response be to a client who is complaining about a data privacy violation?

A 18. Refer the situation to the company’s data protection officer (DPO) and inform the data subject of such action, including information on the DPO’s contact details.

● Compliance and Implementation of the Privacy Act of 2012
● Steep and onerous penalties on the DPOs
● Penalize the cybercrime perpetrators and focus on them rather than the victim companies and DPOs.