Data Privacy Manual

BACKGROUND

Republic Act No. 10173 entitled, “An Act Protecting Individual Personal Information in Information and Communications Systems in the Government and the Private Sector, Creating for this Purpose a National Privacy Commission, and for Other Purposes”, or simply, the Data Privacy Act of 2012 (DPA), is the law that gives form to the declared policy of the State to protect the fundamental human right of privacy and communication. While the State recognizes the vital role of information and communications technology in nation-building, it also acknowledges its inherent obligation to ensure that personal information in information and communications systems in the government and in the private sector is secured and protected.

The Manual will serve as a guide in order to ensure compliance of the organization with the Data Privacy Act and its Implementing Rules and Regulations. This document will apply to everyone at Credit Solutions and Business Alliances, Inc. – all employees, managers, directors, executive officers and members of the board of directors. In addition to the general guidelines, detailed requirements in local data protection laws must be followed by employees who are responsible for activities involving processing of personal data.

INTRODUCTION

Credit Solutions and Business Alliances, Inc., in its commitment to uphold, respect, and value data privacy rights, hereby adopts this Data Privacy Manual in compliance with the DPA, its Implementing Rules and Regulations, and other relevant policies. All personal data collected from all its officials, personnel, and clients shall be processed in adherence to the general principles of transparency, legitimate purpose, and proportionality.

The Manual outlines our data protection and security measures and may guide you in exercising your rights under the DPA.

DEFINITION OF TERMS

For purposes of this Manual the following terms are defined as follows:

  1. Data Subject – refers to an individual whose personal, sensitive personal or privileged information is processed by Credit Solutions and Business Alliances, Inc. It may refer to its officials, employees, partners, and clients.
  2. Personal Data – refers to personal information, or a collection of personal information, from which the identity of an individual is apparent or can be reasonably and directly ascertained.
  3. Processing – refers to any operation performed on items of data to produce meaningful information. It includes, but is not limited to, collection, validation, sorting, summarization, aggregation, analysis, reporting, classification, storage, transportation, erasure and destruction of data.
  4. Personal Information Processor (PIP) – refers to any natural or juridical person or any other body to whom a personal information controller may outsource or instruct the processing of personal data pertaining to a data subject.
  5. Personal Information Controller (PIC) – refers to a natural or juridical person, or any other body, who controls the processing of personal data, or instructs another to process personal data on his behalf.
  6. Sensitive Personal Information – refers to the following personal information:
    • Age, marital status, color, religion, race, ethnic origin, philosophical or political affiliation
    • Education, health, genetic or sexual life, criminal history
    • Government-issued identifiers
    • Information established by an executive order or law as classified

SCOPE AND LIMITATIONS

This Privacy Manual applies to all Credit Solutions and Business Alliances, Inc. officials and employees including all project and agency-based employees. All entities in the organization must comply with the terms specified in this document.

PROCESSING OF PERSONAL DATA

  1. Collection – The collection of both personal information and sensitive personal information is done by lawful means and for a lawful purpose and is directly related and necessary to the achievement of the organization's vision and mission. Information is obtained openly and straightforwardly, without any hidden motive, through the clients' completion of official forms. These forms are essential in the provision of service to clients.

    Similarly, personal data of the organization's officials and employees (including project and/or agency-based employees), and applicants to vacant positions are obtained through the requisite Corporate Personal Data Sheet and by accomplishing forms essential in training and other developmental interventions.

  2. Use – Personal data collected shall be used by Credit Solutions and Business Alliances, Inc. solely for reportage and documentation purposes. Where data is reported, it shall be presented in aggregated statistical form so that no individual is identified. The organization shall ensure that personal data is not manipulated and is not used against any individual.
  3. Storage, Retention and Destruction – Credit Solutions and Business Alliances, Inc. shall ensure that it will strictly implement reasonable and appropriate organizational, physical, and technical security measures to protect the data against any accidental or unlawful destruction, alteration and disclosure as well as against any other unlawful processing.

    Credit Solutions and Business Alliances, Inc. will retain the personal data for the duration it deems necessary for its reasonable business needs to ensure full delivery and performance of the services, including for the purposes of satisfying any legal, accounting, or reporting requirements, or for complying with any applicable law, regulation, legal process or governmental requests.

    After said period, all hard and soft copies of personal information shall be disposed of and destroyed through secure means.

  4. Access – Access to personal data of officials and employees of Credit Solutions and Business Alliances, Inc. and of applicants to vacancies shall be limited to the DPO, the Director and authorized staff of Corporate Human Capital Management, and authorized administrative staff of Credit Solutions and Business Alliances, Inc. At no time should anyone be given access to the personal files of other employees for any purpose, except as required by law, public policy, public order or morals.

    For personal data of clients, only the DPO, Director of the Managed Services Department and the heads and authorized staff of Credit Solutions and Business Alliances, Inc. shall have access to the same.

  5. Disclosure and Sharing – All employees and personnel of Credit Solutions and Business Alliances, Inc. shall maintain the confidentiality and secrecy of all personal data that come to their knowledge and possession, even after resignation, termination of contract, or other contractual relations. Personal data under the custody of Credit Solutions and Business Alliances, Inc. shall be disclosed only pursuant to a lawful purpose, and to authorized recipients of such data.


SECURITY MEASURES

Credit Solutions and Business Alliances, Inc. shall implement reasonable and appropriate physical, technical, and organizational measures for the protection of personal data. These security measures aim to maintain the availability, integrity, and confidentiality of personal data and protect them against natural dangers such as accidental loss or destruction, and human dangers such as unlawful access, fraudulent misuse, unlawful destruction, alteration and contamination.

A. Organization Security Measures

  1. Data Protection Officer
    Credit Solutions and Business Alliances, Inc. shall designate a Data Protection Officer (DPO) who shall be accountable for ensuring compliance with the DPA, its Implementing Rules and Regulations, and the issuances of the National Privacy Commission (NPC). The DPO may be reached at dpo@csba.ph.
  2. Functions of the DPO
    Listed hereunder are the functions and responsibilities of the DPO:

    1. Ensures compliance of the PIC or PIP with applicable laws and regulations under the Data Privacy Act (Republic Act 10173). As such he/she may:
      1. Collect information to identify the processing operations, activities, measures, projects, programs, or systems of the PIC or PIP, and maintain a record thereof;
      2. Analyze and check the compliance of processing activities, including the issuance of security clearances to and compliance by third-party service providers;
      3. Inform, advise, and issue recommendations to the PIC or PIP;
      4. Ascertain renewal of accreditations or certifications necessary to maintain the required standards in personal data processing; and
      5. Advise the PIC or PIP as regards the necessity of executing a Data Sharing Agreement with third parties, and ensure its compliance with the law.
    2. Ensure the conduct of Privacy Impact Assessments relative to activities, measures, projects, programs, or systems of the PIC or PIP;
    3. Advise the PIC or PIP regarding complaints and/or the exercise by data subjects of their rights (e.g., requests for information, clarifications, rectification or deletion of personal data);
    4. Ensure proper data breach and security incident management by the PIC or PIP, including the latter’s preparation and submission to the NPC of reports and other documentation concerning security incidents or data breaches within the prescribed period;
    5. Inform and cultivate awareness on privacy and data protection within the organization, including all relevant laws, rules and regulations and issuances of the NPC;
    6. Advocate for the development, review and/or revision of policies, guidelines, projects and/or programs of the PIC or PIP relating to privacy and data protection, by adopting a privacy by design approach;
    7. Serve as the contact person of the PIC or PIP vis-à-vis data subjects, the NPC and other authorities in all matters concerning data privacy or security issues or concerns and the PIC or PIP;
    8. Cooperate, coordinate and seek advice of the NPC regarding matters concerning data privacy and security; and
    9. Perform other duties and tasks that may be assigned by the PIC or PIP that will further the interest of data privacy and security and uphold the rights of the data subjects.
  3. Conduct of Trainings and Recording and Documentation of Activities Carried out by the DPO or by the Board

    Credit Solutions and Business Alliances, Inc. shall sponsor a mandatory training on data privacy and security at least once a year. For personnel directly involved in the processing of personal data, their attendance and participation in relevant trainings and orientations shall be ensured as often as necessary.

  4. Conduct of Privacy Impact Assessment (PIA)
    Credit Solutions and Business Alliances, Inc. shall conduct a Privacy Impact Assessment (PIA) relative to all activities, projects and systems involving the processing of personal data.
  5. Duty of Confidentiality
    All employees shall be asked to sign a Non-Disclosure Agreement. All employees with access to personal data shall operate and hold personal data under strict confidentiality if the same is not intended for public disclosure.
  6. Review of Privacy Manual
    This Manual shall be reviewed and evaluated annually. Privacy and security policies and practices within Credit Solutions and Business Alliances, Inc. shall be updated to remain consistent with current data privacy best practices.

B. Physical Security Measures

  1. Format of Data to be Collected
    Personal data in the custody of Credit Solutions and Business Alliances, Inc. may be in digital/electronic format and paper-based/physical format.
  2. Storage Type and Location
    All personal data of Credit Solutions and Business Alliances, Inc.’s officials and staff, including those of its project and agency-based employees, in paper-based documents shall be stored in a locked filing cabinet located at the Corporate Human Resources Records offices.
    Papers or documents bearing personal information of clients shall be kept in locked filing cabinets at Credit Solutions and Business Alliances, Inc.’s office.
    Digital/electronic files shall be stored in computers protected by passwords and servers located in a secured location which is protected by firewalls and other network security protocols. These files can only be accessed by authorized personnel.
  3. Access Procedure of Company Personnel
    Only the DPO, executive officers, and authorized staff shall have access to the stored personal information of current and former Credit Solutions and Business Alliances, Inc. officials and staff and of applicants to vacant positions.
    An official/employee who wishes to see documents in his/her personal file (201 File) should obtain the proper authorization from the DPO or the Head of Corporate Human Resources.
    To protect against inappropriate disclosure of confidential information, certain records including those containing confidential information about more than one individual and medical records shall not be allowed to be accessed.
    An employee cannot invoke his/her right to access his/her 201 File under the law when the personal information is being processed for the purpose of investigation in relation to any criminal, administrative, or tax liabilities against him/her.
    Executive officers of other companies under the corporate group, other than those expressly mentioned in the preceding paragraphs, may have access to personal file information on a need-to-know basis.
    As for the stored personal data of clients, only the DPO, executive officers and authorized staff shall have access to the same.
  4. Monitoring and Limitation of Access
    All personnel authorized to enter and access the data room or facility must fill out a logbook. They shall indicate the date, time, duration and purpose of each access.
  5. Design of Office Space/Workstation
    The computers are positioned with considerable space between them to maintain privacy and protect the processing of personal data.
  6. Maintenance of Confidentiality
    Persons involved in processing shall always maintain the confidentiality and integrity of personal data.
  7. Modes of Transfer of Personal Data within Credit Solutions and Business Alliances, Inc. and to Other Parties
    Transfer of personal data via electronic means/devices shall be protected through encryption in transit, such as Transport Layer Security (TLS), the successor to the Secure Socket Layer (SSL) protocol (SSL itself is deprecated and shall not be enabled), together with other appropriate encryption tools for files and removable media.
  8. Retention and Disposal Procedure
    Credit Solutions and Business Alliances, Inc. shall retain personal data in its custody following the schedule identified in the item Storage, Retention, and Destruction under Processing of Personal Data in this Manual. Upon expiration of such period, all physical and electronic copies of the personal data shall be destroyed and disposed of using secure technology.

C. Technical Security Measures

  1. Monitoring for Security Breaches
    Credit Solutions and Business Alliances, Inc. uses commercially reasonable methods, technology and tools to secure personal data from unauthorized access, use or disclosure.

    The Information Security Officer shall regularly review the firewall logs to detect security breaches and shall alert Credit Solutions and Business Alliances, Inc. of any unauthorized attempt to access the network.

  2. Security Features of the Software/s and Application/s Used
    The organization shall first review and evaluate software applications before their installation on the computers and devices of the organization, to ensure that their security features are compatible with the data privacy policies.
  3. Process for Regularly Testing, Assessing and Evaluating the Effectiveness of Security Measures
    The Network Facilities group of Credit Solutions and Business Alliances, Inc. shall conduct regular penetration testing and vulnerability assessment of the firewall appliance, both from outside Credit Solutions and Business Alliances, Inc. premises and from within the network.
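    The log review in item 1 above, as an added worked example that is not part of the Manual or of any Credit Solutions and Business Alliances, Inc. system: a small Python script that parses firewall DROP events and flags a source that accumulates repeated denied attempts against several hosts or ports within a short window, which is the kind of unauthorized access attempt the Information Security Officer is expected to escalate. The log format, the FW-DROP/FW-ACCEPT tags, the field names and every sample line are constructed assumptions modelled on netfilter-style syslog output, not lines from any real device.

```python
"""Added example (not part of the Manual or any CSBA system): detect repeated
denied connection attempts in firewall logs.

Assumptions: the firewall writes netfilter-style syslog lines tagged
[FW-DROP] / [FW-ACCEPT]; the sample lines below are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumed format). One source, 203.0.113.45, is denied
# five times in eight seconds against three hosts and four ports; the others
# are isolated events and should not be reported.
SAMPLE_LOG = """\
Jan 14 02:10:01 fw01 kernel: [FW-DROP] IN=eth0 OUT= SRC=203.0.113.45 DST=192.0.2.10 PROTO=TCP SPT=51200 DPT=22
Jan 14 02:10:03 fw01 kernel: [FW-DROP] IN=eth0 OUT= SRC=203.0.113.45 DST=192.0.2.10 PROTO=TCP SPT=51201 DPT=22
Jan 14 02:10:04 fw01 kernel: [FW-DROP] IN=eth0 OUT= SRC=203.0.113.45 DST=192.0.2.10 PROTO=TCP SPT=51202 DPT=3389
Jan 14 02:10:06 fw01 kernel: [FW-DROP] IN=eth0 OUT= SRC=203.0.113.45 DST=192.0.2.11 PROTO=TCP SPT=51203 DPT=445
Jan 14 02:10:09 fw01 kernel: [FW-DROP] IN=eth0 OUT= SRC=203.0.113.45 DST=192.0.2.12 PROTO=TCP SPT=51204 DPT=1433
Jan 14 02:15:30 fw01 kernel: [FW-DROP] IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40000 DPT=443
Jan 14 02:40:00 fw01 kernel: [FW-ACCEPT] IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=443
this line is not a firewall event and must be skipped, not crash the parser
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: "
    r"\[(?P<action>FW-[A-Z]+)\] .*?SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) "
    r"PROTO=(?P<proto>\w+)(?: SPT=\d+)? DPT=(?P<dport>\d+)"
)


def parse_line(line, year=2020):
    """Parse one syslog line into a dict, or return None for lines that are not
    firewall events. Syslog omits the year, so the caller supplies it."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "action": m["action"], "src": m["src"],
            "dst": m["dst"], "proto": m["proto"], "dport": int(m["dport"])}


def find_suspicious_sources(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return {src: summary} for every source that accumulates at least
    `threshold` DROP events inside any sliding window of length `window`."""
    drops = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["action"] == "FW-DROP":
            drops[ev["src"]].append(ev)

    alerts = {}
    for src, events in drops.items():
        events.sort(key=lambda e: e["ts"])
        start = 0
        for end, ev in enumerate(events):
            # Slide the window start forward until it spans at most `window`.
            while ev["ts"] - events[start]["ts"] > window:
                start += 1
            hit = events[start:end + 1]
            if len(hit) >= threshold:
                alerts[src] = {
                    "count": len(hit),
                    "first": hit[0]["ts"].isoformat(),
                    "last": hit[-1]["ts"].isoformat(),
                    "targets": sorted({e["dst"] for e in hit}),
                    "ports": sorted({e["dport"] for e in hit}),
                }
                break  # one alert per source is enough for the report
    return alerts


def format_report(alerts):
    """Render alerts as the one-line-per-source summary the ISO would escalate."""
    return [
        f"{src}: {a['count']} denied attempts between {a['first']} and {a['last']} "
        f"against {len(a['targets'])} host(s), ports {a['ports']}"
        for src, a in sorted(alerts.items())
    ]


if __name__ == "__main__":
    for line in format_report(find_suspicious_sources(SAMPLE_LOG)):
        print(line)
```

    The threshold and window are deliberately parameters: a single denied packet is noise on any Internet-facing firewall, whereas the same source hitting several hosts and administrative ports within seconds is the pattern worth logging as an unauthorized access attempt. Lines that do not parse are skipped rather than aborting the run, so one malformed entry cannot silence the review.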

BREACH AND SECURITY INCIDENTS

  1. Creation of a Data Breach Response Team
    A Data Breach Response Team composed of the DPO, the Network Facilities Head, the Data Center Operations Head, the Information Security Officer, and all network personnel of Credit Solutions and Business Alliances, Inc., under the direct supervision of the Managed Services Director, is responsible for ensuring immediate action in the event of a security incident or personal data breach. The team shall conduct an initial assessment of the incident or breach in order to ascertain its nature and extent. It shall also execute measures to mitigate the adverse effects of the incident or breach.
  2. Measures to Prevent and Minimize Occurrence of Breaches and Security Incidents
    The Data Breach Response Team shall regularly conduct a Privacy Impact Assessment to identify risks in the processing system, monitor for security breaches, and perform vulnerability scanning of computer networks. Personnel directly involved in the processing of personal data shall attend trainings and seminars for capacity building. A periodic review of the policies and procedures being implemented in Credit Solutions and Business Alliances, Inc. shall be undertaken.
  3. Procedure for Recovery and Restoration of Personal Data
    Credit Solutions and Business Alliances, Inc. shall always maintain a backup of all personal data under its custody. In the event of a security incident or data breach, it shall compare the backup with the affected file to determine the presence of any inconsistencies or alterations resulting from the incident or breach.
  4. Notification Protocol
    The Head of the Data Breach Response Team shall inform the President of the need to notify the National Privacy Commission (NPC) and the data subjects affected by the incident or breach within 72 hours from knowledge thereof.
  5. Documentation and Reporting Procedure for Security Incidents or a Personal Data Breach
    The Data Breach Response Team shall prepare detailed documentation of every incident or breach encountered, as well as an annual report, to be submitted to the Executive Director and the NPC within the prescribed period. The report shall contain the following:
    1. Description of the nature of the breach;
    2. Personal data possibly involved;
    3. Measures undertaken by the team to address the breach and reduce the harm or its negative consequences; and
    4. Name and contact details of the personal information controller, from whom the data subject can obtain additional information about the breach and any assistance to be provided to the affected data subjects.
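  The backup comparison in item 3 above, as an added worked example that is not part of the Manual or of any Credit Solutions and Business Alliances, Inc. system: a Python script that hashes each record of the backup and of the affected file and reports which records were altered, deleted or added, instead of relying on a by-eye comparison. The CSV layout, the `record_id` key and both data sets are constructed assumptions for illustration.

```python
"""Added example (not part of the Manual or any CSBA system): compare a backup
of a personal-data file with the affected copy after an incident and list the
records that were altered, removed or added.

Assumptions: records are CSV rows keyed by `record_id`; the two data sets
below are constructed for illustration.
"""
import csv
import hashlib
import io

# Constructed backup taken before the incident (assumed layout).
BACKUP_CSV = """\
record_id,name,email,balance
1001,Maria Santos,maria.santos@example.com,15000.00
1002,Jose Reyes,jose.reyes@example.com,2300.50
1003,Ana Cruz,ana.cruz@example.com,980.00
"""

# Constructed affected file: 1002's email was changed, 1003 was deleted, and a
# record 1004 that never existed in the backup appeared.
AFFECTED_CSV = """\
record_id,name,email,balance
1001,Maria Santos,maria.santos@example.com,15000.00
1002,Jose Reyes,attacker@example.net,2300.50
1004,Pedro Lim,pedro.lim@example.com,0.00
"""


def record_digests(csv_text, key="record_id"):
    """Map each record key to the SHA-256 of its canonical form (fields sorted by
    name), so two copies of a record compare equal regardless of column order."""
    digests = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        canonical = "\n".join(f"{field}={row[field]}" for field in sorted(row))
        digests[row[key]] = hashlib.sha256(canonical.encode("utf-8")).hexdigest()
    return digests


def manifest_digest(digests):
    """Single digest over the whole record set. Record it when the backup is
    taken and keep it apart from the backup, so the backup itself can be
    verified before it is trusted as the reference copy."""
    lines = "\n".join(f"{k}:{v}" for k, v in sorted(digests.items()))
    return hashlib.sha256(lines.encode("utf-8")).hexdigest()


def compare_with_backup(backup_csv, affected_csv, expected_backup_manifest=None):
    """Classify every record as unchanged, altered, missing (in backup only) or
    added (in affected file only). If the manifest digest recorded at backup
    time is supplied, refuse to compare against a backup that does not match it."""
    backup = record_digests(backup_csv)
    if expected_backup_manifest is not None and manifest_digest(backup) != expected_backup_manifest:
        raise ValueError("backup manifest mismatch: backup copy is not trustworthy")
    affected = record_digests(affected_csv)
    common = backup.keys() & affected.keys()
    return {
        "unchanged": sorted(k for k in common if backup[k] == affected[k]),
        "altered": sorted(k for k in common if backup[k] != affected[k]),
        "missing": sorted(backup.keys() - affected.keys()),
        "added": sorted(affected.keys() - backup.keys()),
    }


if __name__ == "__main__":
    manifest = manifest_digest(record_digests(BACKUP_CSV))  # stored at backup time
    for kind, ids in compare_with_backup(BACKUP_CSV, AFFECTED_CSV, manifest).items():
        print(f"{kind}: {ids}")
```

  The comparison is only as good as the backup it trusts, which is why the manifest digest is checked first: an attacker who can alter the live file may also be able to alter an online backup, and a backup whose manifest no longer matches must not be used as the reference for restoration.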

INQUIRIES AND COMPLAINTS

Every data subject has the right to:

  1. Be notified and furnished with his or her information before its entry into the processing system, within 48 hours, when such data shall be used for direct marketing, profiling or historical or scientific purposes. Notification shall be made through an office memorandum and/or email.
  2. View and recommend corrections to his or her data being processed. The data subject may also write or email Credit Solutions and Business Alliances, Inc. through its DPO at dpo@csba.ph with a brief description of the inquiry and/or correction(s), together with his/her contact details for reference.
  3. Complain and be indemnified for any damages sustained when the data subject’s recommended corrections to his or her data were not acted upon, resulting in damages due to inaccurate, incomplete, outdated or false information, or to unlawfully obtained or unauthorized use of personal data. Complaints shall be filed in three printed copies, or sent to dpo@csba.ph. The department or division concerned shall confirm to the complainant its receipt of the complaint.

EFFECTIVITY

This Manual takes effect on 01 January 2020 until revoked or amended.
