
The Importance of Protecting Personal Data

In 2017, 2.7 million data records were compromised by data breaches globally, and more than two-thirds of those incidents involved identity theft, with financial breaches the next most common type. In the digital age, bank accounts are no longer the most attractive thing to steal; it is data. More and more organizations and companies worldwide are realizing this growing threat and the need to set up appropriate safeguards.

A company’s human resource department, for example, produces and gathers gigabytes of confidential data about the organization and its employees every day. It is the responsibility of the company, and of every other Personal Information Controller (PIC) that collects, holds, processes, or uses personal information, to protect all of that data. With the enactment of Republic Act No. 10173, the Data Privacy Act (DPA), in 2012, that responsibility has become a matter of following the law.

The DPA requires Personal Information Controllers to observe the data privacy of their clients and follow the principles of the law. It protects two classes of data: personal information (any information from which a person’s identity is apparent or can be reasonably and directly ascertained, so that the person is readily identifiable) and sensitive personal information (race, ethnic origin, age, marital status, religious or political affiliation, health records, education, government-issued identifiers such as social security details, and similar data).

There are several aspects of the DPA in which HR practitioners and other PICs are particularly affected.

Consent

Under the DPA, companies and PICs must obtain the data subject’s consent before collecting and processing his or her personal information, and that consent must be evidenced by written, electronic, or recorded means. Consent is one of several lawful bases the DPA recognizes (others include processing necessary for a contract with the data subject or for compliance with a legal obligation), but where a PIC relies on consent it must be able to show it.

While companies typically gain consent when employees sign their employment contract, the DPA tightens this requirement and makes it clearer. Employees must be aware that they are consenting to the collection and processing of their information, not merely agreeing to employment clauses. Consent must be freely given, specific, and informed; implied consent is not considered valid.

Right to be Forgotten

The DPA also gives data subjects the right to suspend, withdraw, or order the blocking, removal, or destruction of their data from a PIC’s filing system. Companies and PICs must comply if any of the following are present:

  • The information is incomplete, false, outdated, or unlawfully obtained.
  • The information is being used for unauthorized purposes.
  • The information is no longer necessary for the purpose for which it was collected in the first place.
  • The individual withdraws his or her consent.
  • The information is considered to be prejudicial to the individual.
  • The information was unlawfully processed or the company violated the rights of the individual.

DPO Appointment

Under the DPA, it is not enough for companies to leave its implementation to the HR Department. All organizations are required to designate a Data Protection Officer (DPO), whose primary responsibility is to be accountable for ensuring the company’s compliance with all data protection laws and regulations. This can be an individual or several people within the company.

Data Breach Notification

In the event of a data breach, companies are required to notify the National Privacy Commission within 72 hours of discovering the breach, or of having reasonable grounds to believe it occurred, for proper escalation and guidance. Under the DPA and its implementing rules, this obligation applies when sensitive personal information, or other information that could be used to enable identity fraud, has been or is reasonably believed to have been acquired by an unauthorized person, and the PIC believes the breach is likely to cause serious harm to the affected individuals. Companies also need to notify the individuals whose data were put at risk and inform them of the steps the company is taking to address the situation.

Breach notification is just one of the rights of data subjects, which also include, but are not limited to, the right to be informed about how their data is processed, the right to reasonable access to their personal information, the right to rectify errors in their personal information, and the right to object to the processing of their personal data.

Compliance and Cooperation

In light of the growing threat of cyber attacks across various industries around the world, and the subsequent rise of data privacy laws in the European Union and the rest of Asia, it would be prudent for companies to realize the task ahead of them in securing the data of their clients and customers.

While compliance poses some organizational challenges, the benefits far outweigh them. In the eyes of consumers and clients, data privacy compliance builds trust as it shows them that their data is safe and protected in your company’s hands and, therefore, their business will be as well.

Learn how your company can comply and avoid fines and criminal liability by attending Higher Heights Training and Events’ seminar, Data Privacy Act: A Step by Step Compliance, on September 8, 8:00AM – 5:00AM at the Technopark Hotel, Sta Rosa City. For more details on the seminar and other business tips, visit HigherHeights.ph or https://www.facebook.com/higherheights.ph/

SOURCES: 
http://www.officialgazette.gov.ph/2012/08/15/republic-act-no-10173/


Our Privacy Statement

Higher Heights Training and Events respects your right to privacy. This privacy statement summarizes what personal information we may collect, how we may use this information, and other important topics relating to your privacy and data protection.

It is our policy to comply with all applicable privacy and data protection laws. This commitment reflects the value we place on earning and keeping the trust of our clients, business partners, and others who share their personal information with us.

Why we collect your personal information

We protect your personal information

Higher Heights maintains reasonable safeguards to protect the confidentiality, security, and integrity of your personal information, which will generally be stored in Higher Heights’ database. In addition to technical security, we also implement organizational and physical security measures that are designed to protect your information from unauthorized or fraudulent access, alteration, disclosure, misuse, and other unlawful activities. Although we cannot guarantee absolute protection, we will employ all legal and permissible means to protect your data.

Retention

We keep your information only for as long as necessary for us to: (a) provide the products and services that you avail of from us, (b) pursue our legitimate business purposes, (c) comply with pertinent laws, and (d) handle special cases that require the exercise or defense of legal claims.

What are your Rights as Data Subject

You should be provided with the following information before your personal information is added to a processing system, or at the next practical opportunity: (i) a description of the personal information to be entered into the system; (ii) the purposes of processing; (iii) the scope and method of the personal information processing; (iv) the recipients; (v) the automated means used to access the personal information; (vi) the identity and contact details of the personal information controller or its representative; (vii) the period for which the information will be stored; (viii) the existence of your rights; and (ix) the basis of processing.

Rights to access information

As a data subject, you are entitled to reasonable access to: (i) the contents of the personal information that was processed; (ii) the sources of the personal information; (iii) the names and addresses of recipients; (iv) the manner by which the personal information was processed; (v) the reasons for the disclosure of the personal information to recipients; (vi) information on automated decision processes; (vii) the date when your personal information was last accessed and modified; and (viii) the designation, name or identity, and address of the personal information controller.

Rights to data portability

Where your personal information is processed by electronic means and in a structured and commonly used format, you have the right to obtain the personal information in that format.

Right to be forgotten

Under the Data Privacy Act and its Implementing Rules and Regulations (IRR), data subjects have the right to erasure and blocking. You therefore have the right to suspend, withdraw, or order the blocking, removal, or destruction of your personal information from our filing system as Personal Information Controller.

Objection to direct marketing and profiling

The Data Privacy Act defines direct marketing as communication, by whatever means, of any advertising or marketing material which is directed to particular individuals. The IRR explicitly states that the data subject has the right to object to the processing of his or her personal data, including processing for direct marketing, automated processing, or profiling. The data subject shall be notified and given an opportunity to withhold consent to the processing in case of changes or any amendment to the information supplied or declared.

Other rights

The data subject is also entitled to object to unauthorized use of his or her personal information and, in some cases, to have inaccurate or incorrect personal information corrected.

The rights of the data subject are transmissible to his or her heirs and assigns at any time after the death of the data subject, or when the data subject is incapacitated or incapable of exercising his or her rights.
