GUIDELINES FOR THE PREVENTION OF PERSONAL DATA BREACH

Read also: PROHIBITED ACTS UNDER THE DATA PRIVACY ACT OF 2012

• A personal information controller or personal information processor shall constitute a data breach response team, which shall have at least one (1) member with the authority to make immediate decisions regarding critical action, if necessary.

• The security measures should be directed to ensuring the availability, integrity, and confidentiality of the personal data being processed.

• A security incident management policy shall include measures intended to prevent or minimize the occurrence of a personal data breach.

The Philippine Constitution guarantees respect for the right to privacy, including information privacy. The increasing incidents of personal data breaches resulted to identity theft, crimes and other harm. And in order to afford protection of personal data, reasonable and appropriate organizational, physical and technical measures should be implemented.

National Privacy Commission issued Circular 16-03 providing for the Guidelines for The Prevention of Personal Data Breach:

A personal information controller (any other body that controls the processing of personal data, or instructs another to process personal data on its behalf) or personal information processor (any other body to whom a personal information controller may outsource or instruct the processing of personal data pertaining to a data subject) shall implement policies and procedures for the purpose of managing security incidents, including personal data breach. These policies and procedures must ensure:

1. Creation of a data breach response team, with members that have clearly defined responsibilities, to ensure timely action in the event of a security incident or personal data breach;
2. Implementation of organizational, physical and technical security measures and personal data privacy policies intended to prevent or minimize the occurrence of a personal data breach and assure the timely discovery of a security incident;
3. Implementation of an incident response procedure intended to contain a security incident or personal data breach and restore integrity to the information and communications system;
4. Mitigation of possible harm and negative consequences to a data subject in the event of a personal data breach; and
5. Compliance with the Data Privacy Act of 2012, its Implementing Rules and Regulation, and all related issuances by the National Privacy Commission pertaining to personal data breach notification.

Data Breach Response Team. 

A personal information controller or personal information processor shall constitute a data breach response team, which shall have at least one (1) member with the authority to make immediate decisions regarding critical action, if necessary. The team may include the Data Protection Officer. The team shall be responsible for the following:

1. Implementation of the security incident management policy of the personal information controller or personal information processor;
2. Management of security incidents and personal data breaches; and
3. Compliance by the personal information controller or personal information processor with the relevant provisions of the Data Privacy Act of 2012, its IRR, and all related issuances by the National Privacy Commission on personal data breach management.

The team must be ready to assess and evaluate a security incident, restore integrity to the information and communications system, mitigate and remedy any resulting damage, and comply with reporting requirements. The functions of the Data Breach Response Team may be outsourced.

The Data Protection Officer shall remain accountable for compliance with applicable laws and regulations. In cases where the Data Protection Officer is not part of the Data Breach Response Team, the Data Breach Response Team shall submit a written report addressed to the Data Protection Officer detailing the actions taken in compliance with the Rules.    

Preventive or Minimization Measures.

A security incident management policy shall include measures intended to prevent or minimize the occurrence of a personal data breach. Such safeguards may include:

1. Conduct of a privacy impact assessment to identify attendant risks in the processing of personal data. It shall take into account the size and sensitivity of the personal data being processed, and impact and likely harm of a personal data breach;
2. Data governance policy that ensures adherence to the principles of transparency, legitimate purpose, and proportionality;
3. Implementation of appropriate security measures that protect the availability, integrity and confidentiality of personal data being processed;
4. Regular monitoring for security breaches and vulnerability scanning of computer networks;
5. Capacity building of personnel to ensure knowledge of data breach management principles, and internal procedures for responding to security incidents;
6. Procedure for the regular review of policies and procedures, including the testing, assessment, and evaluation of the effectiveness of the security measures.

The security measures should be directed to ensuring the availability, integrity, and confidentiality of the personal data being processed, and may include:

1. Implementation of back-up solutions;
2. Access control and secure log files;
3. Encryption;
4. Data disposal and return of assets policy.

---

Alburo Alburo and Associates Law Offices specializes in business law and labor law consulting. For inquiries, you may reach us at info@alburolaw.com, or dial us at (02)7745-4391/0917-5772207.

All rights reserved.

---

SUBSCRIBE NOW FOR MORE LEGAL UPDATES!

[email-subscribers-form id=”4″]