DATA PRIVACY POLICY

I. Background

Section 24, Article II of the 1987 Constitution states that “The State shall recognize the vital role of communication and information in nation-building.”

Section 2(b) of Executive Order (E.O.) No. 47, issued on June 23, 2011, mandates the Information and Communications Technology Office (ICT Office) to ensure the provision of efficient and effective information and communications technology infrastructure, information systems, and resources to support efficient, effective, transparent, and accountable governance and, in particular, support the speedy and efficient enforcement of rules and delivery of accessible public services to the people.

The government recognizes the need to use ICT to effectively improve services by developing policies and frameworks that shall enhance operational efficiency, promote interoperability of government agencies, implement unified ICT-enabled business processes designed to work seamlessly across public sector institutions, and establish information infrastructure that will allow the exchange, collaboration and sharing of data through the use of the Government Common Platform (GCP).

The provisions of Republic Act 10173, also known as the “Data Privacy Act of 2012”, shall be recognized as the pertinent guideline for the use of the GCP among government agencies.

This GCP Data Privacy Policy shall establish agency requirements for safeguarding the collection, access, use, dissemination and storage of personal and sensitive data that are collected from individuals through their applications in government agencies or from other sources such as those that are maintained by them. For purposes of this policy, the protection of these data shall be consistent with the provisions of the Data Privacy Act of 2012.

As the use of the GCP among government agencies makes it possible for them to share data in accordance with their respective mandates, this policy is committed to protecting the data collected from individuals to the extent permitted by law. The GCP will treat all data with fairness and respect in terms of its privacy. In addition, the GCP ensures its integrity and responsibilities for the information entrusted to it.

II. Purpose

To protect data and information that is transferred, stored, or utilized in any of the registries covered by the GCP. This policy recognizes that privacy needs to be protected to ensure confidence in the GCP while allowing fair and reasonable information sharing to secure potential benefits for citizens and government.

III. Scope

The privacy and confidentiality of the data shall be assured only to the extent of the purpose, functions and actions that are sanctioned in the GCP systems from collection, classification, transformation, storage and sharing of data among government agencies.

In addition, this Policy applies to all GCP employees, managers, contractors, and collaborating government agencies working on behalf of the GCP who handle, control, access, store, share or record data in the GCP systems that contain personal and sensitive personal data covered in the Data Privacy Act of 2012.

IV. Data

Data classification is established to prevent unauthorised disclosure of or access to data at its respective level. Personal data is the broader category: it is information that identifies a person or can be used in conjunction with other information to identify a person, regardless of whether the person would want it disclosed. This data connects to an individual. Sensitive personal data is data that an individual would prefer not to be known to the public because it is of an intimate nature.

A. Types of Data

1. Personal Data - any data that are specific to a person. These data may identify the person, such as:

  • Name;

  • Mailing address(es);

  • Phone number(s);

  • E-mail address(es);

  • Employer; and

  • Job title

2. Sensitive Personal Data - pursuant to the Data Privacy Act of 2012, sensitive personal information is:

  • race;

  • ethnic origin;

  • marital status;

  • age;

  • color;

  • religious;

  • philosophical or political affiliations;

  • health;

  • education;

  • genetic;

  • sexual life;

  • issued by government agencies peculiar to an individual, which includes, but is not limited to, social security numbers, previous and current health records, licenses or their denials, suspension or revocation, and tax returns; and

  • specifically established by an executive order or an act of Congress to be kept classified shall be collected from data subject or natural person by the specific agency which requires the same for its specific mandate.

B. Purpose of Data Collection

The data from the individual that are collected, stored and shared among government agencies in the GCP will provide government agencies a common platform for greater, efficient and fast service.

C. Privacy Principles on Data Collection

One method for preserving an individual’s privacy is by distorting the data values of the individual. The idea is that the distorted data does not reveal or link to the owner while making it safe for use and sharing among government agencies. The data collection shall adopt the following privacy principles:

  • Transparency:

    • A notice and consent letter from the respective government agency where data will be collected or available shall be released and provided to the individual, covering the purpose of the collection and use of the collected data. Information collected will not be used for any other purpose unless authorized or mandated by law, such as for scientific, statistical, or research purposes. The individual shall be granted access to the data concerning him or her and shall have the right to demand the correction of inaccurate or misleading data.

  • Anonymize the data:

    • For the purpose of data storage and protection, the GCP can either encrypt or remove personally identifiable information from data sets to prevent re-identification of the individual concerned and reduce the risk of unintended disclosure;

  • Pseudonymize data:

    • By means of a decryption key, the data will be kept private while, at the same time, the GCP allows interoperability among government agencies in data access, correction and sharing;

  • Accuracy:

    • Information collected will be maintained in a sufficiently accurate, timely, and complete manner to ensure that the interests of the individuals are protected.

  • Security:

    • Adequate physical and IT security measures will be implemented to ensure that the collection, use, and maintenance of data is properly safeguarded.

D. Access of Data

While data being collected for the GCP system shall be treated with privacy and confidentiality, the following types of access shall also govern in consonance with this Privacy Policy:

  • Open Access

    • Access to data generated from public funding should be easy, timely, user-friendly and web-based without any process of registration or authorization.

  • Registered Access

    • Data which are accessible only through a prescribed process of registration or authorization by respective government agencies or organizations will be available to the recognized institutions or organizations or public users, through defined procedures.

  • Restricted Access

    • Data declared as restricted, by laws and policies, will be accessible only through and under authorization.

V. Rights of Individual

The GCP guarantees several rights to the individual whose data is processed or recorded. The following rights shall be observed:

a. Information and notification right

The individual is informed of the information and processing of his data in the government agency and then in the GCP, unless exempted by law. Such exemptions are:

  • processing of data obtained with his or her consent

  • data processing is imposed by an act or law

  • data processing performed for statistical, historical or scientific purposes

  • data processing carried out for national security reasons

  • data is lawfully published

b. Access right

The access right available to the individual shall be through online access or by personally appearing at the government agency, which is the proper holder of the data, to correct or amend the data. An individual may personally request access to, or amendment of, his/her data records maintained by the GCP system and shall submit his/her request in writing, together with other requirements as will be requested, to the concerned government agency, as prescribed in the agency’s rules and regulations, for perusal. Requests should contain a reasonable description of the records sought, the system or systems in which such record may be contained, and any additional identifying information. Sensitive information data shall be disclosed on request to the individuals to whom they pertain. Requests by individuals for the amendment of records will be acknowledged by the government agency, and referred to the Steering Committee of the collaborative groups in which the new data will be recorded and processed. If the system manager denies a request to amend a record, the notification of such denial shall contain the reason for the denial.

The individual shall have access to the following information:

  • confirmation that some data concerning him/her are or are not processed

  • processed data

  • available purpose of the use of data

  • recipients of the data

The GCP will maintain all records it uses in making any determination about any individual with accuracy, relevance, timeliness and completeness as is reasonably necessary. An individual may request that the corresponding agency holding specific data amend the data it maintains in a designated system of records. Such a request should be submitted in writing and should contain the individual’s reason for requesting the amendment and a description of the record sufficient to enable the agency to identify the particular record or portion thereof with respect to which amendment is sought.

c. Right to object

The right to object shall be provided when the individual has serious and legitimate reasons to object to the processing of his/her data. Objections to processing shall be addressed to the government agency that is the holder of the data being processed.

VI. Responsibilities and Accountabilities

A. The GCP Office:

For privacy and confidentiality of the data being stored and shared in the GCP system, the GCP Office also applies privacy requirements to system administrators. The GCP Office shall also continue to comply with existing requirements for computer security in administering the common platform and provide to the individuals as well as to government agencies the following:

  • in clear language, information about management, operational and technical controls ensuring the security and confidentiality of data (e.g., access controls, data storage procedures, periodic testing of safeguards, etc.),

  • in general terms, information about any additional safeguards used to identify and prevent unauthorized attempts to access or cause harm to information and systems.

  • authorize the individual to access at a level of public that their information is being protected while not compromising security

  • assure that new information technologies sustain, and do not erode, the protections provided in all laws and regulations relating to agency use, collection, and disclosure of data;

  • develop IT privacy policy and guidance and ensure their dissemination and implementation throughout the government agencies

  • Provide overall Privacy management and policy guidance

  • Ensure that government agencies conduct review of the data inventory to identify deficiencies, weaknesses or risks

  • Review and update the provisions protecting privacy contained in this policy annually and will make appropriate changes in response to changes in applicable law, technology, the purpose and use of the information systems, and public expectations.

  • Should document, to individual applicant and to the general public, that they will process data in a lawful and transparent manner;

  • The GCP will maintain an audit trail of accessed, requested, or disseminated information

  • The GCP will adopt and follow procedures and practices by which it can ensure and evaluate the compliance of users with system requirements and with the provisions of this policy and applicable laws. This will include logging access to its systems and periodic auditing of these systems, so as to not establish a pattern of the audits

  • Restrict the access within and between departments

  • Establish safeguards to ensure confidentiality, integrity and availability controls;

  • Terminate systems when no longer needed in accordance with proper destruction or transfer in GCP system;

  • Approve initial determinations on access to information

  • Account for access, amendments and disclosures to GCP systems

  • Be accountable in activities in response to technical breaches of data

  • Include supervisor-approved access technical controls such as (insert programs) to strictly restrict access to GCP system

  • Ensure that only approved and trained system administrators can access information stored in the GCP

  • Create daily audit logs after each activity in the GCP (e.g., data transfer, update, storage, amendment or cancellation)

  • Allow database administrators to review the audit logs daily to ensure that the data is not unlawfully transferred, leaked or breached

  • Ensure that program systems are protected by security safeguards

  • Ensure that program systems, hardware, software and network resources are only accessed and used in GCP application

  • Provide clarity over government agencies responsibilities in handling data

B. Government Agencies

The government agencies must comply with the Data Protection Act of 2012 and must also include the following tasks and responsibilities:

  • Secure consent to data collection and sharing;

  • Inform individuals of the use of the data collected for GCP purposes and other statutory-mandated uses or other authorized activities under the Data Protection Act

  • Inform and educate employees and contractors of their responsibility for protecting collected and shared data;

  • Identify those individuals in the respective agency who have day-to-day responsibility for implementing privacy laws and policies.

  • Designate an appropriate senior official or officials to serve as the agency’s member for Steering Committee in Collaborative Group

  • Adhere to privacy rules of conduct and may be subject to all applicable penalties under the Data Protection Act of 2012

  • Comply with the provisions of the Act at par with regulations and policies pertaining to collecting, accessing, using, disseminating and storing data

  • Ensure that data contained in a system of records, to which they have access in the performance of their duties, is protected so that the security and confidentiality of the information are preserved before transferring to GCP system

  • Coordinate with the GCP to ensure that its organic Privacy Policy is consistent with the law and the GCP Data Privacy Policy

  • The GCP’s personnel or other authorized users shall report errors and suspected or confirmed violations relating to protected information to the Steering Committee in the GCP

  • Offer adequate data security training and education to staff members for effective security precautions.

  • Ensure that authorizations to access personal data have been assigned by the competent person and require proper documentation;

  • Ensure careful documentation of other forms of disclosure and automated access to data, in order that no illegal data transmissions take place;

  • Monitor and promote data protection at agency level;

  • Investigate data processing operations and intervene accordingly;

  • Ensure that individuals are informed about the use of their data;

  • Adopt interoperable standards in its databases in accordance with the GCP system

  • Execute a process agreement on how to act on information to be exchanged for lawful purposes while upholding its integrity and confidentiality

  • Ensure that data shared to the GCP system are processed according to the levels of their internal privacy policies, the GCP Data Privacy Policy and the Data Privacy Act of 2012

C. Steering Committee in Collaborative Groups

  • Protect the availability of data and ensure that appropriate process in the collaborating groups is observed

  • Participate in assessing the impact of GCP on the privacy of personal information

  • Support the GCP office and collaborating government agencies in providing input, consultation and recommendations for information technology and information management and processes related privacy policies and procedures

  • Monitor and perform oversight on processing and integrating data into collaborative groups to ensure that they are properly executed

  • Intervene if necessary by warning, admonishing or even fining controllers and processors, ordering data to be rectified, blocked or deleted, imposing a ban on processing;

VII. Policies

It is the policy of the GCP to safeguard an individual’s privacy in a manner consistent with the Data Protection Act of 2013 and other statutory grounds concerning privacy.

  • The GCP will safeguard all data in its possession

  • The GCP will limit the collection of data to only that which is necessary to accomplish its mission, administrative functions, regulatory or statutory requirements or to comply with it concerning privacy

  • The GCP, together with government agencies, will provide waiver or consent letter to be signed by the individual whose data is being collected when required by applicable law

  • The GCP will ensure that the collection, use and storage of data is authorized by law, such as, but not limited to, scientific, statistical and research purposes

  • The GCP will not disseminate or publish data without the prior consent of the individual or unless provided for by law

  • The GCP will ensure prompt notification to individuals affected by a breach of data with risk of harm to the individuals

  • The GCP will approve in writing all requests to access data from an offsite location or to transport or transmit sensitive data offsite

  • The GCP shall ensure that its employees, managers, collaborating government agencies working on behalf of GCP will adhere to its policies on data privacy

VIII. Penalties for Non-compliance

The GCP Office reserves the right to restrict the qualifications and number of personnel having access to center information and to suspend or withhold service and deny access to any individual, participating agency or participating agency personnel violating the center’s privacy policy. In addition, the following shall also be considered as penalties:

  • Employees may be subject to disciplinary action for failure to take appropriate action upon discovering a breach or for failure to take required steps to prevent a breach from occurring or re-occurring

  • Consequences will be commensurate with the level of responsibility, type of data involved and severity of the violation. Any action taken must be consistent with laws and regulations.

  • Suspension of access privileges, reprimand, suspension, demotion, removal and criminal and civil penalties shall be the consequences for the breach to data privacy

  • Apply administrative actions or sanctions as provided by agency’s respective rules and regulations or as provided in agency personnel policies.

  • The Penalties provided in Chapter VIII of Data Privacy Act of 2012 shall also be applied

The individual shall also be punished in cases where he/she submits fraudulent data pertaining to him/her, or wishes it to pertain to another person, or deliberately submits wrongful data.

IX. Monitoring

The ICT Office, Collaborative Group and government agencies are responsible for monitoring the policy.

X. Limitations

Internal privacy policies or rules of the above-mentioned entities shall remain enforceable and be reconciled with this Policy.

XI. Amendments

This Data Privacy Policy may be amended from time to time, consistent and conforming with the requirements and changes on privacy issues. Any amendments will be posted on the iGov website.

Download the GCP Data Privacy Policy draft here.