Republic Act No. 10173, also known as the Data Privacy Act of 2012, requires the government and the private sector to comply with its provisions in fulfillment of its objective to protect personal data in information and communications systems. This ensures that entities of the City Government of Cagayan de Oro implement measures and procedures that guarantee the safety and security of personal data under their control or custody, thereby upholding an individual’s data privacy rights; it also applies the principles of Transparency, Legitimate Purpose, and Proportionality in the processing of personal data submitted and stored in the information and communication system. This Manual serves as a guide or handbook for ensuring the compliance of the City Government with the Data Privacy Act and its Implementing Rules and Regulations (IRR). It also encapsulates the privacy and data protection protocols that are observed and carried out within this entity for specific circumstances (e.g., from collection to destruction), directed toward the fulfillment and realization of the rights of data subjects.
We, the City Government of Cagayan de Oro, respect and value your data privacy rights. It is our duty to give you assurance and confidence by notifying you how the data you submit, most specifically your personal information, is collected, processed, and kept. This is also to inform you of your rights in accordance with the laws and regulations stated and specified in Republic Act No. 10173, also known as the “Data Privacy Act of 2012 (DPA)”.
Definition of Terms:
- Data Privacy Act – refers to the Republic Act No. 10173 or the Data Privacy Act of 2012 and its implementing rules and regulations (https://www.privacy.gov.ph/implementing-rules-regulations-data-privacy-act-2012/);
- Processing – refers to any operation or set of operations performed upon personal data including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data. Processing may be performed through automated means, or manual processing, if the personal data are contained or are intended to be contained in a filing system;
- Personal data – collectively refers to personal information, sensitive personal information, and privileged information;
- Personal Information – refers to any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual;
- Sensitive Personal Information refers to personal data:
  - About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;
  - About an individual’s health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such individual, the disposal of such proceedings, or the sentence of any court in such proceedings;
- Privileged information - refers to any and all forms of personal data, which, under the Rules of Court and other pertinent laws constitute privileged communication;
- Data Subject / Clients - refers to an individual whose personal, sensitive personal, or privileged information is processed; who gives consent to the processors to process the stated data; [Include specific Data Subjects depending on the IS]
- Information System - an application or online application that serves as a tool for the automated processing of personal data by the assigned processor; it contains the data privacy consent of the client [define IS purpose here];
- Processing office - [main personal information controller and processor] given the authority to process the personal, sensitive personal, or privileged information;
- Processor - Staff, personnel, processing office, City Government of Cagayan de Oro employee or individual who processes the personal data using the information system with utmost confidentiality, integrity and authenticity;
- National Privacy Commission (NPC) - refers to the body at the forefront of not only implementing but also complying with the Data Privacy Act of 2012;
- Data Protection Officer - Any natural or juridical person or other body involved in the processing of personal data or otherwise be accountable for ensuring compliance with applicable laws and regulations for the protection of data privacy and security.
- Third Party Sharing and Processing - refers to cases where information, including personal information, of the Data Subjects is shared and processed outside the entity, subject to cross-border arrangement and cooperation.
- Data Sharing Agreement - an agreement needed when third party sharing and processing of data is carried out for the relevant processing or use of the data of the data subjects.
SCOPE AND LIMITATIONS
All personnel of the City Government of Cagayan de Oro especially the office processing the data, regardless of the type of employment or contractual arrangement, must comply with the terms set out in this Data Privacy Manual. This Data Privacy Manual is publicly posted for the information and transparency of the data being processed through the information systems with the data processors identified in the next section of this manual.
[Can also include here the purpose of the IS on highlighting the scope of the data being processed within the IS]
PROCESSING OF PERSONAL DATA: WHAT WE PROCESS, HOW WE PROCESS, WHO WILL PROCESS, WHY WE PROCESS
- Collection (What Information Do We Collect):
The processing office, together with the processor, collects the information required in the [information system]. This is the information provided and submitted by the clients, including their [full name, address, email address, contact number, birthday and other personal data together with their attached documents and the kind of request or process selected]. The information system stores the personal data in the database system assigned to it, and the data is protected through the security protocol set out by the server where the database system is located, to give assurance that the data will be protected and secured.
- Use (How We Process Your Information):
Personal data collected shall be used based on the data subject’s request, as well as for the records of the processing office and the City Government, as follows:
- Data Subject’s request:
- Processing for the service availed
- Third Party Processing [if there’s any]
- Profiling: [fill in]
- Research: [fill in]
- Others: [fill in]
- Storage, Retention and Destruction
The processor as well as the information system will ensure that personal data under its custody are protected against any other unlawful processing (misuse, modification, interference, loss or disclosure to unauthorized processors without the Data Sharing Agreement).
The implementation and the management of the information system shall have security practices and processes such as but not limited to the following:
- Document storage security policies;
- Security measures to control access to our systems and premises;
- Limitations on access to personal data;
- Strict selection of third-party data processors and partners; and
- Electronic security systems, such as firewalls, data encryption and transmission of data through a secured file transfer protocol.
The personal data shall be kept and maintained up to a certain period or as long as necessary for the purpose for which they were collected or as required by laws and regulations.
[Add retention period here.]
Due to the sensitive and confidential nature of the personal data under the custody of the City Government, only the client/data subject and the authorized processor shall be allowed to access such personal data, for any purpose, except for those contrary to law, public policy, public order or morals. The authorized processors of this information system are as follows:
- Processing office: Process your request [please edit if necessary]
- City Management Information System Office: ICT system in-charge for the City Government. This office’s access to data is limited to the structure of the database, for development purposes only. This shared access is protected by a data sharing agreement between the processing office and the developer, CMISO.
- Third Party Offices: [if there’s any, please enumerate]
- Disclosure and Sharing
All processors shall maintain the confidentiality and secrecy of all personal data that come to their knowledge and possession, even after resignation, termination of contract, or other contractual relations. Personal data under the custody of the City Government shall be disclosed only pursuant to a lawful purpose, and to authorized recipients of such data.
SECURITY MEASURES: HOW WE PROTECT YOUR DATA
The Data Privacy of the City Government is managed by the registered Data Protection Officer, Atty. Reymond Q. Villablanca (currently the Asst. City Legal Officer). The Data Protection Officer, who is assisted by the Compliance Officer for Privacy of each City Government Office/Department, shall oversee the compliance of the organization with the DPA, its IRR, and other related policies, including the conduct of a Privacy Impact Assessment, implementation of security measures, security incident and data breach protocol, and the inquiry and complaints procedure. All employees will be asked to sign a Non-Disclosure Agreement. All employees with access to personal data shall operate and hold personal data under strict confidentiality if the same is not intended for public disclosure.
Personal data in the custody of the organization may be in digital/electronic format and paper-based/physical format. All personal data being processed by the organization shall be stored in a data room, where paper-based documents are kept in locked filing cabinets while the digital/electronic files are stored in a secured server managed by the [who manages the server of this IS]. Only authorized personnel have access to the server, according to their level of access permission.
BREACH AND SECURITY INCIDENTS: RISKS INVOLVED IN PROCESSING
The [server manager/CMISO] shall always maintain a backup file for all personal data under its custody. In the event of a security incident or data breach, it shall always compare the backup with the affected file to determine the presence of any inconsistencies or alterations resulting from the incident or breach.
In case of a breach incident, the [server manager/CMISO] will report to the Data Protection Officer, together with the responsible Compliance Officer for Privacy of the City Government Office concerned, for the notification protocol. The [server manager/CMISO]’s detailed documentation of the incident or breach encountered will be forwarded to the management and to the NPC, depending on the City Government DPO’s advice.
HOW YOU MAY CONTACT US FOR INQUIRIES AND COMPLAINTS
You as our Data Subjects have the following rights (RIGHTS OF DATA SUBJECTS):
Personal information will be made available to the clients and authorized processors anytime in case there are requests for correction, modification or deletion. It is the right of the individual owning the personal data to inquire or obtain a copy of the personal information provided to us.
- The right to be informed; thus this Data Privacy Manual explains how the personal information collected from you is processed through this Information System.
- The right to access; thus you have access to your personal details and account.
- The right to object; thus you have the right not to submit the data so that the data will not be processed.
- The right to erasure or blocking. [if there’s a privilege for client to wipe out his/her data]
- The right to damages; thus you can request from our Data Privacy Officer an assessment of your data that might be mishandled.
- The right to file a complaint; thus you can file a complaint with our Data Privacy Officer regarding any misuse, malicious disclosure, or improper disposition of your data.
- The right to rectify; thus you have the right to correct your submitted data through [the system or through the data information processor].
For further inquiries or complaints, you may report or coordinate with our City Government’s Data Privacy Officer:
Atty. Reymond Q. Villablanca
Asst. City Legal Officer
City Legal Office
Ground Floor, Executive Building, City Hall, Cagayan de Oro City
Contact Number: (088) 857-2260
EFFECTIVITY OF THIS DATA PRIVACY MANUAL:
The provisions of this Manual are effective this __ day of _______, 2021, until revoked or amended by this entity, the City Government of Cagayan de Oro.
DPM Version 1.0 as of June 29, 2021