By Imee Charlee C. Delavin, Senior Reporter

Personal-data handling rules for government agencies take shape

Posted on October 10, 2016

GOVERNMENT agencies engaged in processing personal data were told to implement stricter rules on data sharing, according to a draft copy of the circular set to be released by the National Privacy Commission (NPC) this week.

NPC Deputy Commissioner Ivy D. Patdu said Circular 16-001, dated Sept. 30, is “currently still being reviewed for any final changes” but the newly created commission intends to publish it this week along with other guidelines meant to police data privacy rights.

The first issuance directed government agencies -- including national government agencies, bureaus or offices, constitutional commissions, local government units, government-owned and -controlled corporations, state colleges and universities -- that are engaged in the processing of personal data to designate a data protection officer; conduct a privacy impact assessment within the agency; create privacy and data protection policies; and register their data processing systems with NPC.

“Personal data being processed by a government agency shall be stored in a data center... a service provider is engaged, the Commission may require the agency to submit its contract with its service provider for review.”

All data that is digitally processed must be encrypted, whether at rest or in transit, it added, noting that access to all data centers owned by the agency should be restricted to the agency and that NPC has the right to audit the systems in place for the data centers.

After the publication of the implementing rules and regulations (IRR) of the Data Privacy Act, or RA 10173, the commission earlier said its next action will involve an information campaign on data privacy rights as well as the creation of a data privacy council composed of various public and private stakeholders. It will also seek to build a registry giving consumers a chance to opt out from being contacted by telemarketers.

Circular 16-001 is part of a series of guidelines that NPC is looking to release.

“A government agency shall strictly regulate access to personal data under its custody or control and shall grant to agency personnel a security clearance only when the performance of official functions or the provisions of a public service directly depends on and cannot otherwise be performed unless access is allowed to such agency personnel,” the draft circular read.

NPC said access to personal data by independent contractors, consultants and service providers engaged by a government agency “shall be governed by strict procedures contained in formal contracts, provisions of [RA 10173], its IRR, these circular and other issuances of the Commission.”

For paper-based filing systems, the Commission said, the government unit shall maintain a log from which it can be ascertained which file was accessed, when, and by whom. The log will also detail whether a copy of the file was made.

Access by other parties to personal data held by a government agency shall be governed by personal sharing agreements, it added, which will be covered by a separate issuance.

Meanwhile, NPC said procedures should be put in place on the disposal of files that contain personal data. For the purpose of managing data breaches, the appropriate guidelines will also be the subject of a separate issuance.

“Violations of these rules, shall, upon notice and hearing, be subject to compliance and enforcement of orders, cease and desist orders, temporary or permanent ban on the processing of personal data, or payment of fines,” the circular further said.

NPC said government agencies shall be given a one-year transitory period to comply with the circular. It will take effect 15 days after its publication in the Official Gazette.

Ms. Patdu earlier said that the Commission is also looking to implement a “do not call” register for direct marketers and the Commission will work together with the telcos. Fines, she added, will be imposed on violators.

The NPC, which was created in March -- nearly four years after the measure became law -- is tasked with implementing the Data Privacy Act, providing necessary protections for sensitive information in both public and private IT systems.

The Official Gazette published on June 20 the first draft of the proposed IRR.