Are You Prepared? How the Data Protection Act (DPA) Will Affect You As An Employer
Recall the passport data breach scare that happened just recently, and imagine the magnitude of that scenario if the same thing were to happen to your business, even more so if it is a conglomerate or a multinational corporation.
Since the implementing rules and regulations (IRR) of the Data Privacy Act (DPA) took effect in September 2016, to what extent has the DPA changed how both the public and private sectors operate?
The National Privacy Commission (NPC) classifies organizations operating in the Philippines that process personal data as personal information controllers (PICs) and personal information processors (PIPs).
Registration of personal data processing system
The DPA applies to all PICs and PIPs established in the Philippines, to institutions with a branch office or subsidiary in the country, to those carrying out data processing in the country, to those whose data subjects are Philippine residents, and to those whose contracts are entered into within the country.
Under any of the following conditions, PICs and PIPs must register their personal data processing systems with the NPC in accordance with its rules and regulations:
- The sensitive personal information of at least 1,000 individuals is being processed
- The PIC or PIP has at least 250 personnel
- The PIC or PIP employs fewer than 250 personnel but processes personal data on a regular basis
- The PIC or PIP employs fewer than 250 personnel but the processing is likely to pose a risk to the rights of the data subjects
Appointing a data protection officer or a compliance officer
Part of the required security measures for data protection is the appointment of a data protection officer (DPO) or a compliance officer who should have the following qualifications:
- Significant proficiency in privacy and data protection policies and practices
- Sufficient understanding of the processing operations carried out by the PIP/PIC, as well as of its information systems, data protection needs and data security
- Knowledge of the PIP/PIC’s industry sector including internal structure, policies and processes
The DPO is the person in charge of ensuring compliance with all applicable laws and regulations on data security, including the following tasks:
- Executing data protection policies
- Maintaining records that describe the data processing system, including the duties of individuals with access to personal data
- Selecting, training and supervising the employees who will be granted access to personal data
- Developing, evaluating and implementing policies and procedures on the collection and processing of data, so that data subjects can exercise their rights under the DPA
- Complying with physical security guidelines
- Adopting and establishing technical security measures (e.g. protection of the computer network, periodic evaluation of the effectiveness of security measures, encryption of personal data, and a security policy for personal data processing)
In the event of a data breach, the PIP or PIC must inform the NPC and all data subjects within 72 hours from the time the data breach took place.
Recruitment, employment and data sharing
It is common for employers to collect, store and update the personal information of applicants during recruitment, throughout employment and until the employee leaves the company. Doing so makes any employer either a PIP or a PIC, which means that it is compulsory for them to abide by the DPA rules and regulations and to respect the rights of employees as data subjects.
While the general rule is that consent is always necessary, the rules indicate that consent may be waived if “the collection and processing is meant for obvious purposes—including when necessary for the performance of or in relation to a contract or service in which the data subject is involved in or within the context of an employer-employee relationship.”
- Identity of the PIP/PIC that will have access to the said data
- Purpose of data sharing
- Categories of personal data concerned
- Intended recipients of the personal data
- Existence of data subjects’ right to access, correct and object
Archive One is document management software designed to help companies easily classify, store, secure and retrieve the essential company documents that must be retained for audits. With the help of our partners, we provide an end-to-end document management solution, from scanning to document storage, at a highly competitive price.