Rule VI. Security Measures for the Protection of Personal Data
Section 25. Data Privacy and Security. Personal information controllers and personal information processors shall implement reasonable and appropriate organizational, physical, and technical security measures for the protection of personal data.
The personal information controller and personal information processor shall take steps to ensure that any natural person acting under their authority and who has access to personal data, does not process them except upon their instructions, or as required by law.
The security measures shall aim to maintain the availability, integrity, and confidentiality of personal data and are intended for the protection of personal data against any accidental or unlawful destruction, alteration, and disclosure, as well as against any other unlawful processing. These measures shall be implemented to protect personal data against natural dangers such as accidental loss or destruction, and human dangers such as unlawful access, fraudulent misuse, unlawful destruction, alteration and contamination.
Section 26. Organizational Security Measures. Where appropriate, personal information controllers and personal information processors shall comply with the following guidelines for organizational security:
a. Compliance Officers. Any natural or juridical person or other body involved in the processing of personal data shall designate an individual or individuals who shall function as data protection officer, compliance officer or otherwise be accountable for ensuring compliance with applicable laws and regulations for the protection of data privacy and security.
b. Data Protection Policies. Any natural or juridical person or other body involved in the processing of personal data shall implement appropriate data protection policies that provide for organization, physical, and technical security measures, and, for such purpose, take into account the nature, scope, context and purposes of the processing, as well as the risks posed to the rights and freedoms of data subjects.
- The policies shall implement data protection principles both at the time of the determination of the means for processing and at the time of the processing itself.
- The policies shall implement appropriate security measures that, by default, ensure only personal data which is necessary for the specified purpose of the processing are processed. They shall determine the amount of personal data collected, including the extent of processing involved, the period of their storage, and their accessibility.
- The polices shall provide for documentation, regular review, evaluation, and updating of the privacy and security policies and practices.
c. Records of Processing Activities. Any natural or juridical person or other body involved in the processing of personal data shall maintain records that sufficiently describe its data processing system, and identify the duties and responsibilities of those individuals who will have access to personal data. Records should include:
- Information about the purpose of the processing of personal data, including any intended future processing or data sharing;
- A description of all categories of data subjects, personal data, and recipients of such personal data that will be involved in the processing;
- General information about the data flow within the organization, from the time of collection, processing, and retention, including the time limits for disposal or erasure of personal data;
- A general description of the organizational, physical, and technical security measures in place;
- The name and contact details of the personal information controller and, where applicable, the joint controller, the its representative, and the compliance officer or Data Protection Officer, or any other individual or individuals accountable for ensuring compliance with the applicable laws and regulations for the protection of data privacy and security.
d. Management of Human Resources. Any natural or juridical person or other entity involved in the processing of personal data shall be responsible for selecting and supervising its employees, agents, or representatives, particularly those who will have access to personal data.
The said employees, agents, or representatives shall operate and hold personal data under strict confidentiality if the personal data are not intended for public disclosure. This obligation shall continue even after leaving the public service, transferring to another position, or upon terminating their employment or contractual relations. There shall be capacity building, orientation or training programs for such employees, agents or representatives, regarding privacy or security policies.
e. Processing of Personal Data. Any natural or juridical person or other body involved in the processing of personal data shall develop, implement and review:
- A procedure for the collection of personal data, including procedures for obtaining consent, when applicable;
- Procedures that limit the processing of data, to ensure that it is only to the extent necessary for the declared, specified, and legitimate purpose;
- Policies for access management, system monitoring, and protocols to follow during security incidents or technical problems;
- Policies and procedures for data subjects to exercise their rights under the Act;
- Data retention schedule, including timeline or conditions for erasure or disposal of records.
f. Contracts with Personal Information Processors. The personal information controller, through appropriate contractual agreements, shall ensure that its personal information processors, where applicable, shall also implement the security measures required by the Act and these Rules. It shall only engage those personal information processors that provide sufficient guarantees to implement appropriate security measures specified in the Act and these Rules, and ensure the protection of the rights of the data subject.
Section 27. Physical Security Measures. Where appropriate, personal information controllers and personal information processors shall comply with the following guidelines for physical security:
a. Policies and procedures shall be implemented to monitor and limit access to and activities in the room, workstation or facility, including guidelines that specify the proper use of and access to electronic media;
b. Design of office space and work stations, including the physical arrangement of furniture and equipment, shall provide privacy to anyone processing personal data, taking into consideration the environment and accessibility to the public;
c. The duties, responsibilities and schedule of individuals involved in the processing of personal data shall be clearly defined to ensure that only the individuals actually performing official duties shall be in the room or work station, at any given time;
d. Any natural or juridical person or other body involved in the processing of personal data shall implement Policies and procedures regarding the transfer, removal, disposal, and re- use of electronic media, to ensure appropriate protection of personal data;
e. Policies and procedures that prevent the mechanical destruction of files and equipment shall be established. The room and workstation used in the processing of personal data shall, as far as practicable, be secured against natural disasters, power disturbances, external access, and other similar threats.
Section 28. Guidelines for Technical Security Measures. Where appropriate, personal information controllers and personal information processors shall adopt and establish the following technical security measures:
a. A security policy with respect to the processing of personal data;
b. Safeguards to protect their computer network against accidental, unlawful or unauthorized usage, any interference which will affect data integrity or hinder the functioning or availability of the system, and unauthorized access through an electronic network;
c. The ability to ensure and maintain the confidentiality, integrity, availability, and resilience of their processing systems and services;
d. Regular monitoring for security breaches, and a process both for identifying and accessing reasonably foreseeable vulnerabilities in their computer networks, and for taking preventive, corrective, and mitigating action against security incidents that can lead to a personal data breach;
e. The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
f. A process for regularly testing, assessing, and evaluating the effectiveness of security measures;
g. Encryption of personal data during storage and while in transit, authentication process, and other technical security measures that control and limit access.
Section 29. Appropriate Level of Security. The Commission shall monitor the compliance of natural or juridical person or other body involved in the processing of personal data, specifically their security measures, with the guidelines provided in these Rules and subsequent issuances of the Commission. In determining the level of security appropriate for a particular personal information controller or personal information processor, the Commission shall take into account the nature of the personal data that requires protection, the risks posed by the processing, the size of the organization and complexity of its operations, current data privacy best practices, and the cost of security implementation. The security measures provided herein shall be subject to regular review and evaluation, and may be updated as necessary by the Commission in separate issuances, taking into account the most appropriate standard recognized by the information and communications technology industry and data privacy best practices.
- Extension of Filing Periods and Suspension of Hearings for March 29 to April 4, 2021: SC Administrative Circular No. 14-2021 (Full Text) - March 28, 2021
- ECQ Bubble for NCR, Bulacan, Cavite, Laguna and Rizal: Resolution No. 106-A (Full Text) - March 27, 2021
- Guidelines on the Administration of COVID-19 Vaccines in the Workplaces (Labor Advisory No. 3) - March 12, 2021