_____ Refers to the mechanism of MAKING COPIES OF YOUR DATA to restore in the event of a loss or corruption.
_____ Refers to the mechanism of KEEPING YOUR DATA SAFE from unauthorized access and distribution.
Data Protection
- Should your data security strategy fail, data protection facilitates the recovery of clean data copies.
Data Security.
- Data security protects your data from unauthorized access that could result in compromised data, corruption, or deletion.
A law that SEEKS TO PROTECT ALL FORMS OR INFORMATION, be it private, personal, or sensitive. It is meant to cover both natural and juridical persons involved in the processing of personal information.
Purpose: Comprehensive and strict privacy legislation “to protect the fundamental human right of privacy, of communication while ensuring free flow of information to promote innovation and growth.”
Data Privacy Act of 2012 (Republic Act No. 10173)
_____: Collectively refers to PERSONAL INFORMATION , sensitive personal information, and privileged information.
_____: Refers to ANY INFORMATION whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and CERTAINLY IDENTIFY AN INDIVIDUAL.
_____: Refers to an INDIVIDUAL whose PERSONAL, SENSITIVE personal, or PRIVILEGED information is processed.
Personal Data
Personal Information
Data Subject
_____ refers to Republic Act No. 10173 or the Data Privacy Act of 2012 and its implementing rules and regulations.
____ refers to an individual whose personal, sensitive personal, or privileged information is processed.
_____ refers to the Manila Medical Services, Inc. (Manila Doctors Hospital).
_____ collectively refers to personal information, sensitive personal information, and privileged information.
_____ refers to any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.
Data Privacy Act
Data Subject
Office
Personal Data
Personal Information
_____ refers to any OPERATIONS or SET OF OPERATIONS PERFORMED upon personal data including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data. Processing may be performed through automated means, or manual processing, if the personal data are contained or are intended to be contained in a filing system;
_____ refers to ANY AND ALL FORMS OF PERSONAL DATA, which, under the Rules of Court and other pertinent laws constitute privileged communication.
Privileged information
Security incident
_____ refers to personal data:
- About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations.
- About an individual’s health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such individual, the disposal of such proceedings, or the sentence of any court in such proceedings.
- Issued by government agencies peculiar to an individual which includes, but is not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns; and
- Specifically established by an executive order or an act of Congress to be kept classified.
Sensitive Personal Information
A DPO shall be appointed by the Office. The DPO shall be chosen from one of the officers of the Quality and Risk Management Office.
The DPO is responsible for:
1. Monitoring the Office’s personal data processing activities in order to ensure compliance with applicable personal data privacy laws and regulations, including the conduct of periodic internal audits and review.
2. Acting as a liaison between the Office and the regulatory and accrediting bodies, and is in charge of the applicable registration, notification, and reportorial requirements.
3. Developing, establishing, and reviewing policies and procedures for the exercise by data subjects of their rights.
4. Acting as the primary point of contact whom data subject may coordinate and consult with for all concerns relating to their personal data.
5. Formulating capacity building, orientation, and training programs for employees, agents or representatives.
6. Preparing and filing the annual report of the summary of documented security incidents and personal data breaches.
Data Privacy Officer (DPO)
Data Privacy Principles
All processing of personal data within the Office should be conducted in compliance with the following principles:
_____. The data subject must be aware of the NATURE, PURPOSE, and EXTENT of the processing. Any information and communication relating to the processing should be easy to access and understand, using clear and plain language.
_____ The processing shall be COMPATIBLE with a DECLARED and SPECIFIED purpose which must not be contrary to law, morals, or public policy.
_____ The processing shall be ADEQUATE, RELEVANT, SUITABLE, NECESSARY, and not excessive in relation to a declared and specified purpose. Personal data shall be processed only if the purpose could not reasonably be fulfilled other means.
Transparency
Legitimate purpose
Proportionality
Adequate records of the Office’s personal data processing activities shall be maintained at all times. The DPO, with the cooperation and assistance of the _____, shall be responsible for ensuring these records are KEPT UP TO DATE.
These records shall include, at the minimum:
1. Information about the purpose of the processing, including any intended future processing or data sharing;
2. A description of all categories of data subjects, personal data, and recipients of such personal data that will be involved in the processing;
3. General information about the data flow within the Office, from the time of collection, processing, and retention, including the time limits for disposal or erasure of personal data;
4. A general description of the organizational, physical, and technical security measures in place within the Office; and
5. The name and contact details of the DPO as well as any other staff members accountable.
Management Information Systems Department (MISD)
- Data Processing Records
The DPO, with the cooperation of the _____, shall DEVELOP and IMPLEMENT MEASURES to ensure that all staff who have access to personal data will strictly process such data in compliance with the requirements of the Data Privacy Act.
These measures may include drafting new or updated relevant policies and conducting training programs.
Human Resources Department (HRD)
- Management of Human Resources
The DPO shall ensure that all employment agreements reflect appropriate clauses indicating the employee’s informed consent to:
- The processing of his or her personal data, for purposes of maintaining the Office’s records;
- A continuing obligation of confidentiality on the employee’s part in connection with the personal data that he or she may encounter during the period of employment with the Office. This obligation shall apply even after the employee has left the Office for whatever reasons.
Employment Agreements
The DPO, with the assistance of relevant directorates/divisions, shall document the Office’s personal data collection and processing procedures.
The DPO shall ensure that such procedures are updated and that the consent of the data subjects (when required) is properly obtained.
Such procedures shall also be regularly monitored, modified, and updated to ensure that the rights of the data subjects are respected, and that processing thereof is done fully in accordance with the DPA.
Data Collection Procedures
Subject to applicable requirements of the DPA, personal data shall not be retained by the Office for a period longer than necessary and/or proportionate to the purposes for which such data was collected.
The DPO shall be responsible for developing measures to determine the applicable data retention schedules, as well as to safeguard the destruction and disposal of such personal data.
Data Retention Schedules
The DPO shall develop and implement policies and procedures for the Office to monitor and limit access to, and activities in, the offices/workstations where personal data is processed, including guidelines that specify the proper use of, and access to, electronic media.
The design and layout of the office spaces and work stations shall be periodically evaluated and readjusted in order to provide privacy.
The duties, responsibilities, and schedules of individuals involved shall be clearly defined to ensure that only the individuals actually performing official duties shall be in the room or work station.
The rooms and workstations used in the processing of personal data shall, as far as practicable, be secured against natural disasters, power disturbances, external access, and other similar threats.
Physical Security Measures
The DPO, with the cooperation and assistance of Administrative Directorate, shall continuously develop and evaluate the Office’s security policy.
The security policy should include the following minimum requirements:
- Safeguards to protect the Office’s computer network and systems against accidental, unlawful, or unauthorized usage, any interference which will affect data integrity or hinder the functioning or availability of the system, and unauthorized access;
- The ability to ensure and maintain the confidentiality, integrity, availability, and resilience of the Office’s data processing systems and services;
- Regular monitoring for security breaches, and a process for identifying and accessing reasonably foreseeable vulnerabilities and for taking preventive, corrective, and mitigating actions;
- The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
- A process for regularly testing, assessing, and evaluating the effectiveness of security measures; and
- Encryption of personal data during storage and while in transit, authentication process, and other technical security measures that control and limit access thereto.
Technical Security Measures
Rights of the Data Subject
As provided under the DPA, data subjects have the following rights:
IOARED
1. Right to be informed – You have the right to know why and how your personal data is being collected, used, stored, or shared. 2. Right to object – You can say no to the processing of your personal data, especially if it’s not necessary or if it goes beyond what you agreed to. 3. Right to access – You have the right to see or request a copy of the personal data that an organization has about you. 4. Right to rectification – You can ask for corrections if the information about you is wrong, outdated, or incomplete. 5. Right to erasure or blocking – You can ask for your data to be deleted or blocked from use if it’s no longer needed, was collected unfairly, or used without your consent. 6. Right to damages – If your personal data was misused, leaked, or handled improperly, you can ask for compensation for any harm or damage caused.
The data subject has the right to be informed whether personal data pertaining to him or her shall be, are being, or have been processed.
The data subject shall be notified of:
- Description of the personal data to be entered into the system;
- Purposes for which they are being or will be processed;
- Basis of processing;
- Scope and method of the personal data processing;
- The recipients or classes of recipients;
- Methods utilized for automated access, and the extent to which such access is authorized;
- The identity and contact details of the DPO;
- The period for which the information will be stored; and
- The existence of their rights as data subjects.
Right to be Informed
- The data subject shall have the right to object to the processing of his or her personal data, including processing for direct marketing, automated processing or profiling.
- The Office shall no longer process the personal data if the data subject objects or withholds consent, unless:
1. The personal data is needed pursuant to a SUBPOENA ((a legal order requiring the release of information.)
2. The collection and processing are for OBVIOUS PURPOSES (e.g., necessary for performance of a contract or employer-employee relationship); or
3. The personal data is being collected and processed as a result of a LEGAL OBLIGATION ((something the law requires the office to do).
Right to Object
The data subject has the right to reasonable access to, upon demand, the following:
- Contents of his or her personal data that were processed;
- Sources from which personal data were obtained;
- Names and addresses of recipients of the personal data;
- Manner by which such data were processed;
Reasons for the disclosure of the personal data to recipients, if any;
- Information on automated processes where the data will, or is likely to, be made as the sole basis for any decision;
- Date when his or her personal data concerning the data subject were last accessed and modified; and
- The designation, name or identity, and address of the DPO.
Right to Access
_____
- The data subject has the right to dispute the INACCURACY or ERROR in the personal data, and the Office shall correct it immediately and accordingly, unless the request is vexatious or otherwise unreasonable.
- If corrected, the Office shall ensure the accessibility of both the new and the retracted personal data and inform previous recipients upon reasonable request.
Right to Rectification
_____
The data subject shall have the right to suspend, withdraw, or order the blocking, removal, or destruction of his or her personal data.
This right may be exercised upon discovery and substantial proof of any of the following:
- The personal data is incomplete, outdated, false, or unlawfully obtained;
- The personal data is being used for purpose not authorized;
- The personal data is no longer necessary for the purposes for which they were collected;
- The data subject withdraws consent or objects to the processing, and there is no other legal ground;
- The personal data concerns private information that is prejudicial to data subject, unless justified;
- The processing is unlawful; or
- The data subject’s rights have been violated.
Right to Erasure or Blocking
_____
The LAWFUL HEIRS AND ASSIGNS of the data subject may invoke the rights of the data subject after death or when incapacitated.
Transmissibility of Rights of Data Subjects
_____
The data subject shall have the right to OBTAIN A COPY of such data in an electronic or structured format that is commonly used and allows for further use, where their personal data is processed by the Office through electronic means.
Data Portability
_____
- Employees and agents are tasked with regularly monitoring for signs of a possible data breach or security incident.
- Any such sign must be immediately reported to the DPO within twenty-four (24) hours.
- The DPO shall notify the National Privacy Commission (NPC) and the affected data subjects.
- The notification shall at least describe the nature of the breach, the personal data possibly involved, and the measures taken to address and reduce harm.
_____
- All security incidents and personal data breaches shall be documented through written reports.
- A general summary of the reports shall be submitted by the DPO to the NPC annually.
Data Breach Notification
Breach Reports
-
Chapter 126
-
Chapter 2: Lesson 1 (ETHICAL THEORIES, OTHER RELATED THEORIES AND VIRTUE ETHICS)18
-
Chapter 2: Lesson 2 ( BASIC ETHICAL PRINCIPLES AND OTHER RELEVANT ETHICAL PRINCIPLES)16
-
Chapter 2: Lessons 2.213
-
Chapter 2: Lesson 313
-
Chapter 417
-
Chapter 518
-
Chapter 6 (Lesson 1)15
-
Chapter 6 (Lesson 2)6
-
Chapter 6 (Lesson 3)3
-
Chapter 728
