Data Privacy Act (Philippines)

What is the Data Privacy Act?

During the last few years, the IT sector in the Philippines has grown extensively, and new laws needed to be passed to ensure the protection of the population’s sensitive information. The Data Privacy Act came into force in 2012 and provides a framework for regulating the processing and storage of personal and sensitive personal data, given the new ways of exchanging information that have opened up and continue to open up in this era.

Thousands of companies from the banking, retail, and IT sectors that have branches or use equipment located in the Philippines are now required to comply with the new law and protect customers’ sensitive information. According to the legislation, the Philippine regulatory body will now be able to fine entities that did not respect the regulation up to $100,000, depending on the type of infraction. Offenders also risk up to 5 years of imprisonment.


Requirements

Right to Access:

Any entity possessing any personal information must provide the data subject with a description of such data in its possession, as well as the purposes for which they are to be or are being processed. Furthermore, other details regarding the processing of the data may be obtained, such as the period for which the data will be stored, and the recipients to whom the data may be disclosed.

How SecuPi Helps:

To enforce the right to object, for any purpose, SecuPi can use any condition to block processing by application processes, including a parameter indicating that a data subject has requested not to be processed, thus preventing any access to or manipulation of the subject’s data. SecuPi enables companies to cease processing part or all of the data about a data subject, without specialist development or specialist configuration, on any system where SecuPi is installed. Furthermore, SecuPi dramatically simplifies rollback of changes, or further tweaks to processing restrictions (e.g. preventing customer service processing, but permitting the DPO, subject rights management team, or legal team access to resolve a complaint, legal case, or subject request).


Right to Erasure or Blocking:

Data subjects can suspend, withdraw, or order the blocking or removal of their personal information from the data controller’s filing system upon discovery and substantial proof that the personal information is incomplete, outdated, false, unlawfully obtained, used for unauthorized purposes, or no longer necessary for the purposes for which it was collected.

How SecuPi Helps:

On the application level, SecuPi redacts the information of customers who have requested to be forgotten (referred to as “logical deletion”). On the database level, SecuPi applies Format Preserving Randomization (FPR) anonymization, which both anonymizes the personal data and randomizes it differently on each database, so that the same anonymized value cannot be correlated between different data sets.
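The cross-database point above is worth seeing concretely: a surrogate that keeps the column’s format is useful only if it is stable within one database (joins still work) and different in every other database (no correlation). The following is an added illustration of that property, written for this page; it is not SecuPi’s algorithm or data model. It assumes one secret key per deployment and a dataset label mixed into an HMAC-derived stream, and it uses a constructed sample phone number and e-mail address.

```python
import hashlib
import hmac
import string

# Added illustration of per-dataset format-preserving randomization.
# Assumptions (not SecuPi's algorithm): one secret key per deployment, and a
# dataset label mixed into the derivation so that the same source value
# yields a different surrogate in each database.


def _stream(key: bytes, dataset: str, value: str, length: int) -> bytes:
    """Derive `length` pseudo-random bytes bound to (key, dataset, value)."""
    out = b""
    counter = 0
    while len(out) < length:
        msg = f"{dataset}\x00{value}\x00{counter}".encode()
        out += hmac.new(key, msg, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def fpr(value: str, key: bytes, dataset: str) -> str:
    """Replace each digit/letter with a pseudo-random one of the same class.

    Separators (spaces, dashes, '@', '.') are kept, so the surrogate keeps the
    shape of the original and still passes the column's format checks.
    Deterministic within a dataset, different across datasets.
    """
    stream = _stream(key, dataset, value, len(value))
    out = []
    for ch, b in zip(value, stream):
        if ch.isdigit():
            alphabet = string.digits
        elif ch.isupper():
            alphabet = string.ascii_uppercase
        elif ch.islower():
            alphabet = string.ascii_lowercase
        else:
            out.append(ch)  # keep separators unchanged
            continue
        # b % len(alphabet) carries a small modulo bias; acceptable for
        # anonymization, not for a cryptographic permutation.
        out.append(alphabet[b % len(alphabet)])
    return "".join(out)


def same_shape(original: str, surrogate: str) -> bool:
    """Check that the surrogate keeps length, character classes and separators."""
    if len(original) != len(surrogate):
        return False
    for a, b in zip(original, surrogate):
        if a.isdigit() != b.isdigit() or a.isalpha() != b.isalpha():
            return False
        if not a.isalnum() and a != b:
            return False
    return True


if __name__ == "__main__":
    KEY = b"constructed-demo-key-not-for-production"
    phone = "0917-123-4567"  # constructed sample value
    crm = fpr(phone, KEY, "crm")
    billing = fpr(phone, KEY, "billing")
    print(phone, "->", crm, "(crm)", billing, "(billing)")
    print("same shape:", same_shape(phone, crm), "correlatable:", crm == billing)
```

The check a practitioner wants is the last line: the two surrogates keep the original’s shape, the CRM copy is the same on every run, and the billing copy does not match it, so an attacker holding both exports cannot line the records up by surrogate value.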


Right to Object:

The consent of the data subjects must be secured for the collection and processing of their personal information. The Act grants data subjects the choice to refuse consent, as well as the opportunity to withdraw it, with regard to collection and processing. As stated earlier, any activity involving a data subject’s personal information without their consent is considered illegal.

How SecuPi Helps:

To enforce the right to object, for any purpose, SecuPi can use any condition to block processing by application processes, including a parameter indicating that a data subject has requested not to be processed, thus preventing any access to or manipulation of the subject’s data. SecuPi enables companies to cease processing part or all of the data about a data subject, without specialist development or specialist configuration, on any system where SecuPi is installed. Furthermore, SecuPi dramatically simplifies rollback of changes, or further tweaks to processing restrictions (e.g. preventing customer service processing, but permitting the DPO, subject rights management team, or legal team access to resolve a complaint, legal case, or subject request).


Right to be Informed:

Collection and processing of information without the data subject’s knowledge and explicit consent is unlawful, and entities possessing personal information are obligated to inform data subjects of any breach or compromise of their data. Data subjects have the right to know when their personal information will be, is being, or has been processed.

How SecuPi Helps:

Using Dynamic Masking and redaction, SecuPi can disable access to a data subject’s personal data where consent was not given or where the customer has requested that processing of their personal data be restricted.


Records of Processing:

Entities must maintain records that explicitly describe their data processing system and identify the duties and responsibilities of the individuals who will have access to data subjects’ personal information.

How SecuPi Helps:

SecuPi’s audit logs are clear and factual and can show which processor accessed which data, as well as providing a full transcript of the processing activities performed through the application. Since the SecuPi agent is deployed on the application server, it has access to all relevant information, including which user account was used to process the information, the timestamp, the URI, etc. SecuPi makes it possible to map data flows and to audit and control them granularly, maintaining access on a “need to know” basis and using data in line with its purpose.
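The consent-driven masking described under “Right to be Informed” and the audit record described here are two halves of one control: every access is decided against the subject’s consent state and purpose, personal fields are masked when the decision is negative, and an entry naming the user, role, purpose, URI, subject and the fields actually masked is written regardless of the outcome. The block below is an added example of that pattern, written for this page; it is not SecuPi’s data model, policy language or log format. The consent registry, the role names, the field list and the two customer records are all constructed for the illustration.

```python
from datetime import datetime, timezone

# Added illustration (not SecuPi's data model): consent/restriction registry,
# purpose- and role-based decision, dynamic masking, and one audit entry per
# access naming the user, role, purpose, URI, subject and masked fields.

PERSONAL_FIELDS = {"name", "phone", "address"}

# Roles the page singles out as still needing access to resolve a complaint,
# legal case or subject request (role names are constructed).
PRIVILEGED_ROLES = {"dpo", "subject_rights", "legal"}

# Constructed consent state per data subject.
RESTRICTIONS = {
    "subj-1001": {"consent": True, "restricted_purposes": set()},
    "subj-1002": {"consent": False, "restricted_purposes": set()},
    "subj-1003": {"consent": True, "restricted_purposes": {"marketing"}},
}


def processing_allowed(subject_id: str, purpose: str, role: str) -> bool:
    """Deny by default: unknown subjects, withheld consent and restricted
    purposes all fail, unless the caller holds a privileged role."""
    if role in PRIVILEGED_ROLES:
        return True
    state = RESTRICTIONS.get(subject_id)
    if state is None or not state["consent"]:
        return False
    return purpose not in state["restricted_purposes"]


def mask(value: str) -> str:
    """Redact a value while keeping its length."""
    return "*" * len(value)


def serve_record(record: dict, user: str, role: str, purpose: str,
                 uri: str, audit_log: list) -> dict:
    """Return the record with personal fields masked when processing is not
    permitted, and append an audit entry describing exactly what was served."""
    permitted = processing_allowed(record["subject_id"], purpose, role)
    served = {}
    masked = []
    for field, value in record.items():
        if field in PERSONAL_FIELDS and not permitted:
            served[field] = mask(value)
            masked.append(field)
        else:
            served[field] = value
    audit_log.append({
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "user": user,
        "role": role,
        "purpose": purpose,
        "uri": uri,
        "subject_id": record["subject_id"],
        "decision": "allow" if permitted else "mask",
        "masked_fields": sorted(masked),
    })
    return served


def demo() -> tuple:
    """Three accesses against constructed records; returns results and the log."""
    audit_log = []
    rec_1002 = {"subject_id": "subj-1002", "name": "Juan Dela Cruz",
                "phone": "09171234567", "plan": "basic"}
    rec_1003 = {"subject_id": "subj-1003", "name": "Maria Santos",
                "phone": "09181234567", "plan": "pro"}
    # customer service, subject never consented -> masked
    a = serve_record(rec_1002, "agent7", "customer_service", "support",
                     "/customers/subj-1002", audit_log)
    # customer service, subject objected to marketing -> masked for that purpose
    b = serve_record(rec_1003, "agent7", "customer_service", "marketing",
                     "/customers/subj-1003", audit_log)
    # DPO resolving a subject request -> clear, but still logged
    c = serve_record(rec_1002, "dpo1", "dpo", "subject_request",
                     "/customers/subj-1002", audit_log)
    return a, b, c, audit_log


if __name__ == "__main__":
    for entry in demo()[3]:
        print(entry)
```

Non-personal fields such as the plan name are served in all three cases, which is what the “need to know” point amounts to in practice: the restriction is on the personal data, not on the whole record, and the log shows a reviewer which fields left the application for whom.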


Breach Notification:

The data controller is required to notify the National Privacy Commission as well as the affected data subjects when it has reasonable belief that sensitive personal information or other information has been acquired by an unauthorized person, and that:

  1. such personal information may, under the circumstances, be used to enable identity fraud, or
  2. the data controller or the National Privacy Commission believes that such unauthorized acquisition is likely to give rise to a real risk of serious harm to any affected data subject.

How SecuPi Helps:

In the unfortunate case of a breach, SecuPi’s audit logs and behavior analytics can pinpoint exactly which data was exposed, significantly shortening the reporting time while providing accurate and accountable information.
