NPC FAQs

FREQUENTLY ASKED QUESTIONS ON DATA PRIVACY FOR THE RETAIL INDUSTRY SECTOR


KEY TERMS

01. Personal data refers to all personal information, sensitive personal information and privileged information.

02. Personal information refers to information about an individual, and from which he or she can be reasonably and directly identified.

03. Sensitive personal information refers to personal information:
a. about an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;
b. about an individual’s health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such individual, the disposal of such proceedings, or the sentence of any court in such proceedings;
c. issued by government agencies peculiar to an individual which includes, but is not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns; and
d. specifically established by an executive order or an act of Congress to be kept classified.

04. Personal information controller (PIC) refers to a natural or juridical person, or any other body who controls the processing of personal data, or instructs another to process personal data on its behalf, and is obliged to safeguard such data under penalty of law. The term excludes:
a. a natural or juridical person, or any other body, who performs such functions as instructed by another person or organization; or
b. a natural person who processes personal data in connection with his or her personal, family, or household affairs.

05. Personal information processor (PIP) refers to a natural or juridical person or any other body to whom a personal information controller may outsource or instruct the processing of personal data pertaining to a data subject, and who is also obliged to safeguard such data under penalty of law.

06. Data subject refers to an individual whose personal, sensitive personal, or privileged information is processed.

07. Personal information processing refers to any operation or set of operations performed upon personal data including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data. Processing may be performed through automated means, or manual processing, if the personal data are contained or are intended to be contained in a filing system.


RETAIL SECTOR

Q 01
Does the Data Privacy Act of 2012 (DPA) apply to my company?

A
If your company collects, stores, uses, shares, or discloses any information about a person, you are a personal information controller and the DPA applies to you. If a PIC has outsourced processing to you or instructed you to process personal data, then you are a personal information processor or PIP, and the DPA also applies to you. This holds regardless of whether the personal information you hold or process in the Philippines is that of a Filipino citizen or not.

Retail stores may be collecting personal data during purchase transactions (in-store or online), when processing loyalty or membership cards, when carrying out market research, and when taking contact details for marketing and promotions.


Q 02
Do we need to always seek consent from our customers / clients?

A
For processing to be considered lawful, PICs and PIPs should generally seek the data subject’s consent. Consent is not required when the processing of personal information:
a. involves the personal information of a data subject who is a party to a contractual agreement, in order to fulfill obligations under the contract or to take steps at the request of the data subject prior to entering the said agreement;
b. is necessary to comply with a legal obligation to which the personal information controller is subject;
c. is necessary to protect vitally important interests of the data subject, including his or her life and health;
d. is necessary to respond to a national emergency or to comply with the requirements of public order and safety, as prescribed by law;
e. is necessary for the fulfillment of the constitutional or statutory mandate of a public authority; or
f. is necessary to pursue the legitimate interests of the personal information controller, or of a third party or parties to whom the data is disclosed, except where such interests are overridden by fundamental rights and freedoms of the data subject, which require protection under the Philippine Constitution.

For processing that involves sensitive personal information, consent is not required when:
a. The processing of the sensitive personal information is provided for by existing laws and regulations: Provided, That such regulatory enactments guarantee the protection of the sensitive personal information and the privileged information: Provided, further, That the consent of the data subjects is not required by the law or regulation permitting the processing of the sensitive personal information or the privileged information;
b. The processing is necessary to protect the life and health of the data subject or another person, and the data subject is not legally or physically able to express his or her consent prior to the processing;
c. The processing is necessary to achieve the lawful and noncommercial objectives of public organizations and their associations: Provided, That such processing is only confined and related to the bona fide members of these organizations or their associations: Provided, further, That the sensitive personal information are not transferred to third parties: Provided, finally, That consent of the data subject was obtained prior to processing;
d. The processing is necessary for purposes of medical treatment, is carried out by a medical practitioner or a medical treatment institution, and an adequate level of protection of personal information is ensured; or
e. The processing concerns such personal information as is necessary for the protection of lawful rights and interests of natural or legal persons in court proceedings, or the establishment, exercise or defense of legal claims, or when provided to government or public authority.


Q 03
Do online merchants have the right to save the credit card details of their customers?

A
Online merchants, as personal information controllers under the Data Privacy Act of 2012 (DPA), may save the credit card details and other personal information of their customers pursuant to the various criteria for lawful processing of personal as well as sensitive personal information under Sections 12 and 13 of the DPA. Online merchants may save the credit card details of their customers for as long as necessary for the fulfillment of the purposes for which the data was obtained. Credit card details should be saved primarily for the purpose of completing the particular transaction for which they were given.

Online merchants may process the personal data of their customers, including retaining their credit card details, taking into account the following:
1. Retention of personal data should be only to the extent required for the fulfillment of the purposes for which the data was obtained, unless data subjects consent to allow longer retention periods;
2. Data subjects or the clients should be adequately informed of the nature and extent of the processing of their personal data; and
3. Security measures for the protection of personal data should be implemented.


Q 04
What is considered a valid consent?

A
A consent is valid if it is:
a. Freely given
b. Specific
c. Informed
d. Evidenced by written, electronic or recorded means

Implied, implicit, or negative consent is not recognized under the DPA and its IRR.


Q 05
Data Retention

A
The DPA provides that personal data shall only be retained for as long as necessary for the fulfillment of the purposes for which the data was obtained or for the establishment, exercise or defense of legal claims, or for legitimate business purposes, or as provided by law.¹ The IRR further provides that personal data shall not be retained in perpetuity in contemplation of a possible future use yet to be determined.²

It is recommended that the company develop and maintain its own record management policy which provides for retention periods and procedures for disposal of records containing personal data. Factors that may be considered by a company in determining retention periods of employment records would include:
a. Legal requirements to which the company may be subject;
b. Applicable prescription periods in existing law (i.e. money claims);
c. Department of Labor and Employment Rules;
d. Bureau of Internal Revenue regulations for bookkeeping requirements;
e. Industry standards; and
f. Other laws and regulations that apply to the sector.

Thus, for as long as your company can determine a legitimate business purpose for the retention of personal data, which is consistent with standards followed in the industry you are in, or if there exist any legal claims being pursued by the company, or when retention is allowed as provided for by law, then retention of personal data is permitted. However, such retention must not be in perpetuity in consideration of some future use which has not yet been determined.

¹ Republic Act No. 10173, § 11(e).
² Implementing Rules and Regulations of Republic Act No. 10173, § 19(e)(3).


Q 06
Do we need a Data Sharing Agreement if we share personal data with our partner companies? If the purpose is for the conduct of research, do we still have to enter into a DSA?

A
Data sharing is the disclosure or transfer to a third party of personal data under the custody of a personal information controller or personal information processor.³ Data sharing is allowed when it is expressly authorized by law and adequate safeguards are in place, including adherence by the parties thereto to the general principles of transparency, legitimate purpose, and proportionality.⁴ In the private sector, it is permitted if the consent of the data subject is obtained, and certain conditions provided in the Implementing Rules and Regulations (IRR) of the DPA are complied with.⁵ One such condition requires the execution of a DSA if sharing is carried out for commercial purposes.⁶ The term “commercial purpose” is read in its ordinary meaning and refers to any activity with the ultimate purpose of gain or profit.

Data sharing between private sector entities is generally presumed to be in pursuit of some commercial objective or purpose, as is the compliance by such entities with the DSA requirement prior to any data sharing arrangement. This view is consistent with Section 38 of the DPA, which calls for an interpretation of the law that is mindful of the rights and interests of data subjects. Accordingly, it is incumbent upon a private sector entity seeking to exempt itself from the DSA requirement to overcome the aforesaid presumptions.

With reference to personal information processed for journalistic, artistic, literary or research purposes, such processing is outside the scope of the DPA, but only to the minimum extent of collection, access, use, disclosure or other processing necessary to the purpose, function, or activity concerned. That is, there may be instances where the consent requirement under the DPA may not be applicable in certain research activities, but the non-applicability of the DPA does not extend to personal information controllers or personal information processors, who remain subject to the requirement of implementing security measures for personal data protection. Thus, sharing of personal data with other companies for the purpose of research is still covered by the DPA and therefore requires a DSA.

³ IRR, § 3(f)
⁴ IRR, § 20(a)
⁵ id., § 20(b)
⁶ id., § 20(b)(2)


Q 07
Are employees’ information covered by the DPA? Do we need to ask for consent when disclosing employees’ information to other companies?

A
Employees’ personal data is covered by the DPA. Thus, disclosure of personal data of employees to third parties should have the employee’s consent, or the disclosure should have some other basis in law. In this regard, an express, informed and freely given consent under the DPA shall be obtained from the data subject, informing the latter of the purpose/s for collecting his/her personal data.


Q 08
If the DPA applies to our company, what do we need to do?

A
You have three general obligations under the DPA:
a. Adhere to data privacy principles (transparency, legitimate purpose and proportionality)
b. Implement security measures
c. Uphold data subject rights (right to information, right to object, right to access, right to correct, right to erase, right to damages, right to data portability, right to file a complaint)

To initially kick off your compliance with these general obligations, the NPC directs PICs and PIPs to have the Five Pillars of Data Accountability and Compliance in place:
1. Commit to comply: Appoint a Data Protection Officer (DPO)
2. Know your risks: Conduct a Privacy Impact Assessment (PIA)
3. Be accountable: Write your Privacy Management Program (PMP) and Privacy Manual
4. Demonstrate your compliance: Implement Privacy and Data Protection (PDP) measures
5. Be prepared for breach: Regularly exercise your Breach Reporting Procedure (BRP)


Q 09
Do we need to register with the NPC?

A
If you are a PIC or PIP that has data processing systems that involve automated decision making, you are required to register with the NPC. You are likewise required to register if you are a PIC or PIP:
a. that employs at least 250 staff;
b. whose personal data processing includes sensitive personal information of at least 1,000 individuals; or
c. whose company is included in the list of sectors or institutions that are considered involved in the processing of personal data that is likely to pose a risk to the rights and freedoms of data subjects (see NPC Circular No. 2017-01, Appendix 1, for the list).

If you are covered by mandatory registration based on the above conditions, please take note of these key dates:
a. Phase I registration – 9 September 2017
b. Phase II registration – 8 March 2018


Q 10
When is personal data processing considered to likely pose a risk to the rights and freedoms of data subjects?

A
Your processing is likely to pose a risk to the rights and freedoms of data subjects if it involves:
a. information that would likely affect national security, public safety, public order, or public health;
b. information required by applicable laws or rules to be confidential;
c. vulnerable data subjects like minors, the mentally ill, asylum seekers, the elderly, patients, those involving criminal offenses, or in any other case where an imbalance exists in the relationship between a data subject and a PIC or PIP;
d. automated decision-making; or
e. profiling.

Q 11
When is personal data processing considered to be occasional?

A
Processing is considered occasional if it is only incidental to the mandate or function of the PIC or PIP, or it only occurs under specific circumstances and is not regularly performed. Processing that constitutes a core activity of a PIC or PIP, or is integral thereto, will not be considered occasional.

For more information about registration, please refer to NPC Circular No. 2017-01, posted on our website.


Q 12
Our company employs less than 250 staff and collects personal information from less than 1,000 individuals. Are we required to have a Data Protection Officer or DPO?

A
Yes, you are required to have a Data Protection Officer or DPO if you are a PIC or PIP. Sub-units in government and private organizations are allowed to have just a Compliance Officer for Privacy or COP (who performs fewer functions), as long as the COP is still supervised by the mother organization’s DPO.

For a group of related companies, a DPO of one of its members may be designated to be primarily responsible and accountable for ensuring the compliance of the entire group with all data protection policies, subject to the NPC’s approval.


Q 13
Who should we designate as a DPO?

A
There are no specific positions recommended for the DPO designation. Instead, the NPC recommends that the DPO should have these general qualifications:
a. possess specialized knowledge and demonstrate reliability necessary for the performance of his or her duties and responsibilities;
b. have expertise in relevant privacy or data protection policies and practices;
c. have sufficient understanding of the processing operations being carried out by the PIC or PIP, including the latter’s information systems, data security and/or data protection needs; and
d. be knowledgeable of the sector or field of the PIC or PIP, and the latter’s internal structure, policies, and processes.

The DPO should also be someone in a position that can seamlessly communicate data privacy concerns to the top management. You should also ensure that your DPO does not simultaneously hold a position where a conflict of interest may arise. These questions may help you determine whether there is a conflict of interest:
a. If appointed, will the DPO be required to monitor him or herself? [i.e. it will not be in the best interest of data subjects if an IT manager (acting as DPO) will have to monitor whether his or her own activities as the IT manager comply with the DPA]
b. Is the DPO candidate a head of a unit that is heavily involved in the processing of personal data? [e.g. HR, legal, marketing]

If your answer to either of these two questions is yes, then there may be a conflict of interest.

For more information about the DPO, please refer to NPC Advisory No. 2017-01, posted on our website.


Q 14
Are we required to conduct a Privacy Impact Assessment or PIA?

A
Yes, you are required to conduct a PIA, under the DPA and various NPC issuances. A PIA is a security measure for the protection of personal data, which PICs and PIPs are mandated to implement under Rule VI of the DPA’s IRR. It is a general obligation for government agencies under NPC Circular 2016-01, and a recommended measure for private companies’ security incident management policy under NPC Circular 2016-03.

In general, a PIA should be undertaken for every processing system of a PIC or PIP that involves personal data. It may also be carried out vis-à-vis the entire organization of the PIC or PIP with the involvement or participation of the different process owners and stakeholders. A PIA should be conducted for both new and existing systems, programs, projects, procedures, measures, or technology products that involve or impact the processing of personal data. For new processing systems, it should be undertaken prior to their adoption, use, or implementation. Changes in the governing law or regulations, or those adopted within the organization or its industry, may likewise require the conduct of a PIA, particularly if such changes affect personal data processing.


Q 15
Can we outsource the conduct of the PIA?

A
Yes, you may outsource the conduct of the PIA to a PIP or a service or product provider. But the PIC or PIP remains primarily accountable for the conduct of the PIA. In this case, the PIC or PIP may lay down a policy which establishes the circumstances under which a PIA shall be carried out, including the personnel involved, the resources available, and the review process that will be undertaken.

Q 16
Do we need to regularly submit our PIA report to the NPC?

A
No, you do not need to regularly submit your PIA report to the NPC. But when the NPC determines that your data processing system poses a significant risk to the rights and freedoms of data subjects, it may request a copy of the PIA report regarding such system.

For more information about the PIA, please refer to NPC Advisory No. 17-03, posted on our website.


Q 17
Do we need to submit our Privacy Management Program to the NPC?

A
No. You are not required to submit your PMP to the NPC. The PMP is your organization’s self-determined set of standards and protocols in pursuit of your responsibility to protect the privacy rights of individuals whose personal data you were entrusted to handle. As such, the NPC’s imprimatur would be irrelevant, if not in fact inappropriate.

In case of a compliance check, however, your PMP would be among the things the NPC shall look for and look into. In such an instance, the Commission shall ascertain whether your PMP adequately covers your organization’s unique needs, and whether you conscientiously adhered to it.


Q 18
What data privacy and protection measures should we implement?

A
Generally, an organization should aim to establish its data privacy and protection regime at three levels. They involve instituting measures that are organizational, physical and technical in nature.

Organizational measures involve implementing policies and programs explicitly intended to ingrain the culture of privacy into an organization’s psyche, thus making it impervious to hackers who resort to social engineering ploys. Depending on the nature of your business, this may include revising your device management and data handling policies, upgrading your project management standards, and conducting privacy awareness campaigns for your employees and customers.

Physical measures refer to practical protective schemes such as the provision of security guards, padlocks, lockers and secluded archives to physically protect paper records and databases against data thieves who may resort to brute force. They should also include commonsense solutions to prevent even seemingly insignificant incidents like “visual hacking”, where unauthorized persons gain visual access to personal data.

Technical measures cover all proactive and defensive IT solutions an organization could employ in securing its data assets against all types of breaches. This may include the use of robust firewall and encryption systems, rigorous data access protocols, as well as anti-virus and anti-spyware solutions.


Q 19
Are we always required to notify the NPC whenever a personal data breach happens?

A
No. Notification is only required when:
a. the personal data involves sensitive personal information or any other information that may be used to enable identity fraud;
b. there is reason to believe that the information may have been acquired by an unauthorized person; and
c. the unauthorized acquisition is likely to give rise to a real risk of serious harm to any affected data subject.

However, all personal data breaches and security incidents should be documented through written reports to be annually submitted to the NPC, starting 2017.

For more information about personal data breach management, please refer to NPC Circular No. 2016-03, posted on our website.

