[Table of Contents] [Glossary]
Rule VII. Security of Sensitive Personal Information in Government
Section 30. Responsibility of Heads of Agencies. All sensitive personal information maintained by the government, its agencies, and instrumentalities shall be secured, as far as practicable, with the use of the most appropriate standard recognized by the information and communications technology industry, subject to these Rules and other issuances of the Commission. The head of each government agency or instrumentality shall be responsible for complying with the security requirements mentioned herein. The Commission shall monitor government agency compliance and may recommend the necessary action in order to satisfy the minimum standards.
Section 31. Requirements Relating to Access by Agency Personnel to Sensitive Personal Information.
a. On-site and Online Access.
- No employee of the government shall have access to sensitive personal information on government property or through online facilities unless he or she the employee has received a security clearance from the head of the source agency. The source agency is the government agency who originally collected the personal data.
- A source agency shall strictly regulate access to sensitive personal information under its custody or control, particularly when it allows online access. An employee of the government shall only be granted a security clearance when the performance of his or her official functions or the provision of a public service directly depends on and cannot otherwise be performed unless access to the personal data is allowed.
- Where allowed under the next preceding sections, online access to sensitive personal information shall be subject to the following conditions:
- (a) An information technology governance framework has been designed and implemented;
- (b) Sufficient organizational, physical and technical security measures have been established;
- (c) The agency is capable of protecting sensitive personal information in accordance with data privacy practices and standards recognized by the information and communication technology industry;
- (d) The employee of the government is only given online access to sensitive personal information necessary for the performance of official functions or the provision of a public service.
b. Off-site access.
- Sensitive personal information maintained by an agency may not be transported or accessed from a location off or outside of government property, whether by its agent or employee, unless the head of agency has ensured the implementation of privacy policies and appropriate security measures. A request for such transportation or access shall be submitted to and approved by the head of agency. The request must include proper accountability mechanisms in the processing of data.
- The head of agency shall approve requests for off-site access in accordance with the following guidelines:
- (a) Deadline for Approval or Disapproval. The head of agency shall approve or disapprove the request within two (2) business days after the date of submission of the request. Where no action is taken by the head of agency, the request is considered disapproved;
- (b) Limitation to One thousand (1,000) Records. Where a request is approved, the head of agency shall limit the access to not more than one thousand (1,000) records at a time, subject to the next succeeding paragraph.
- (c) Encryption. Any technology used to store, transport or access sensitive personal information for purposes of off-site access approved under this subsection shall be secured by the use of the most secure encryption standard recognized by the Commission.
Section 32. Implementation of Security Requirements. Notwithstanding the effective date of these Rules, the requirements in the preceding sections shall be implemented before any off-site or online access request is approved. Any data sharing agreement between a source agency and another government agency shall be subject to review of the Commission on its own initiative or upon complaint of data subject.
Section 33. Applicability to Government Contractors. In entering into any contract with a private service provider that may involve accessing or requiring sensitive personal information from one thousand (1,000) or more individuals, a government agency shall require such service provider and its employees to register their personal data processing system with the Commission in accordance with the Act and these Rules. The service provider, as personal information processor, shall comply with the other provisions of the Act and these Rules, particularly the immediately preceding sections, similar to a government agency and its employees.
- Extension of Filing Periods and Suspension of Hearings for March 29 to April 4, 2021: SC Administrative Circular No. 14-2021 (Full Text) - March 28, 2021
- ECQ Bubble for NCR, Bulacan, Cavite, Laguna and Rizal: Resolution No. 106-A (Full Text) - March 27, 2021
- Guidelines on the Administration of COVID-19 Vaccines in the Workplaces (Labor Advisory No. 3) - March 12, 2021