The protection of personal information

(Second of two parts)

By Carlo Kristle G. Dimarucut

Business World (1/28/2013)

In last week’s article, we discussed the salient features of Republic Act 10173, or the Data Privacy Act of 2012. This article now focuses on how the law affects companies that have access to personal information, and how they can comply with the provisions of the law.

Several groups, spearheaded by the Business Processing Association of the Philippines (BPAP), welcomed the approval of RA 10173 in August 2012. BPAP, the umbrella organization of the information technology and business process outsourcing industry in the country, described the law as an “important step to increasing confidence among foreign investors” that brought the Philippines up to “international standards of privacy protection.” According to the BPAP, the law is based on the standards set by the European Parliament and is consistent with the Information Privacy Framework of the Asia-Pacific Economic Cooperation.
While the law has its upside, particularly in its expected long-term positive effects on the economy, the responsibility it places on entities handling any type of personal information is enormous. From the execution of service contracts to seemingly harmless telephone inquiries from third parties, organizations must now carefully consider the effects of any form of data sharing, and act to reduce the risk of penalties and, worse, a damaged reputation.

Implementing changes for compliance with new laws has never been a clear-cut process. A large number of Philippine companies process Personally Identifiable Information (PII) and Sensitive Personally Identifiable Information (SPII). Given the technical nature of its requirements and the absence of the accompanying implementing rules and regulations (IRR), implementation of the Data Privacy Act may be a challenging exercise. There are, however, steps that a company can take to prepare for compliance while waiting for the release of the IRR.

Inventory all information
The first step is to do an inventory of all PII and SPII. Knowing what information you are processing, where it is stored, and where it comes from is necessary. Knowledge about these data will help a company identify its specific compliance requirements.

For example, information gathered directly from data subjects can require the company to secure waivers from its customers, while information passed on from other entities may require it to implement additional controls or modify contractual agreements so that they reflect the data protection required by the new law.

This activity will also allow companies to identify data that are being stored without any particular reason. For example, a small retail shop that still keeps information about its customers from a previous promotional event, with no current use for it, exposes itself to data privacy issues for as long as it continues to retain that information.

Assess existing controls
The second step is to answer the question “How are we protecting this information?” Companies need to assess their existing data control infrastructure to identify any gaps.

There are three areas, applicable to both large and small organizations, which should be considered:
Governance of data
This deals with the company’s policies on using and classifying the data. A company, for example, may choose to stratify data based on whether it is regular confidential data, PII, SPII, or non-confidential. It will then base its controls on the data’s classification, such as determining policies on who can access particular levels of data.

Controls imposed upon the data
Data can be in different states: at rest, in motion, or in use. Different controls govern the data in each state. The controls over information on a hard disk stored in a warehouse are different from those required while the same information is being transported or processed. Controls for data at rest focus on endpoint systems and physical security; controls for data in use focus on anonymization, redaction, and masking of data; controls for data in motion focus on messaging, email, collection, and exchange.
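The two ideas above, a classification scheme for each field and masking or redaction of data in use driven by that classification, are easier to see in code. The following is an added example, not code from the original article or from SGV & Co.; the classification levels, field names, roles, clearances, masking rules and the sample customer record are all assumptions constructed for illustration. It also shows the inventory check from the first step: a field that is held but has never been classified is reported as a finding rather than silently passed through.

```python
"""Classification-driven masking and pseudonymisation of a customer record.

Added example, not from the original article. The classification scheme,
field names, roles, clearances and the sample record are assumptions.
"""
import hashlib
import hmac
import re
from typing import Any

# Classification levels from least to most sensitive (assumed scheme, after
# the stratification the article suggests: non-confidential, confidential,
# PII, SPII).
LEVELS = ["public", "confidential", "pii", "spii"]
RANK = {name: i for i, name in enumerate(LEVELS)}

# Inventory: the classification of every field the system is allowed to hold.
# A field missing from this map is unclassified and is reported, never leaked.
FIELD_CLASS = {
    "customer_id": "confidential",
    "loyalty_tier": "public",
    "full_name": "pii",
    "email": "pii",
    "mobile": "pii",
    "national_id": "spii",
    "health_condition": "spii",
}

# Highest classification each role may see in clear (assumed).
ROLE_CLEARANCE = {
    "marketing_analyst": "confidential",
    "customer_support": "pii",
    "claims_officer": "spii",
}

# Constructed sample record; not real data.
SAMPLE_RECORD = {
    "customer_id": "C-104233",
    "loyalty_tier": "gold",
    "full_name": "Juan dela Cruz",
    "email": "juan.delacruz@example.com",
    "mobile": "+63 917 555 0142",
    "national_id": "1234-5678-9012",
    "health_condition": "asthma",
}

REDACTED = "[REDACTED]"


def unclassified_fields(record: dict[str, Any]) -> list[str]:
    """Fields present in the record but absent from the inventory."""
    return sorted(f for f in record if f not in FIELD_CLASS)


def partial_mask(field: str, value: Any) -> str:
    """Mask a PII value while keeping enough shape to be operationally useful."""
    text = str(value)
    if field == "email":
        local, sep, domain = text.partition("@")
        return f"{local[:1]}***{sep}{domain}" if sep else "***"
    if field == "mobile":
        digits = re.sub(r"\D", "", text)
        return "*" * max(len(digits) - 4, 0) + digits[-4:]
    # Default: keep the first character of each word, mask the rest.
    return " ".join(w[:1] + "*" * (len(w) - 1) for w in text.split(" "))


def view_for_role(record: dict[str, Any], role: str) -> dict[str, Any]:
    """Copy of `record` with every field above the role's clearance masked.

    PII above clearance is partially masked; confidential and SPII above
    clearance are fully redacted. Unclassified fields are a hard error.
    """
    missing = unclassified_fields(record)
    if missing:
        raise ValueError(f"unclassified fields, classify before use: {missing}")
    clearance = RANK[ROLE_CLEARANCE[role]]
    view: dict[str, Any] = {}
    for field, value in record.items():
        level = FIELD_CLASS[field]
        if RANK[level] <= clearance:
            view[field] = value
        elif level == "pii":
            view[field] = partial_mask(field, value)
        else:
            view[field] = REDACTED
    return view


def pseudonym(value: Any, key: bytes) -> str:
    """Keyed, deterministic token: records can still be joined on it, but the
    clear value cannot be recovered without the key (HMAC-SHA256, truncated)."""
    return hmac.new(key, str(value).encode(), hashlib.sha256).hexdigest()[:16]


def analytics_extract(record: dict[str, Any], key: bytes) -> dict[str, Any]:
    """Dataset for analysts: SPII dropped entirely, PII replaced by pseudonyms."""
    if unclassified_fields(record):
        raise ValueError("classify all fields before extracting")
    out = {}
    for field, value in record.items():
        level = FIELD_CLASS[field]
        if level == "spii":
            continue
        out[field] = pseudonym(value, key) if level == "pii" else value
    return out


if __name__ == "__main__":
    for role in ROLE_CLEARANCE:
        print(role, view_for_role(SAMPLE_RECORD, role))
    print(analytics_extract(SAMPLE_RECORD, key=b"demo-key-rotate-me"))
```

The design choice worth noting is that the masking logic never consults the field names directly to decide what to hide; it consults the inventory. Adding a new field to the database without adding it to `FIELD_CLASS` therefore fails closed, which is the practical form of the "data stored without any particular reason" problem described earlier. The HMAC key used for pseudonyms is itself sensitive: whoever holds it can re-identify the extract, so it belongs with the access-review process rather than with the analysts.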

Supporting processes
This deals with how the company executes the policies that keep its data controls functioning, such as compliance management, business continuity, and configuration management. For example, strong encryption is of little use if the list of users who hold access to the encrypted data is never reviewed.

Personal Information Controller

As part of its preparation for the implementation of RA 10173, a company should also decide who will be accountable for its compliance. Under the Act, the Personal Information Controller (PIC) is the person or organization that controls the collection, holding, processing or use of personal information, which for most businesses means the company itself; the Act in turn requires the PIC to designate one or more individuals who are accountable for the organization's compliance. Companies may therefore need to scout for qualified individuals, within or outside the organization, to take on that role. Among other things, this person will be tasked to craft the data privacy policy, adjust the information systems, and inculcate a culture of confidentiality within the organization.

Implementing Rules and Regulations
The National Privacy Commission is tasked to draw up the implementing rules and regulations (IRR) within 90 days from the passage of the Act. Although its release has been delayed, the IRR is expected to provide clear guidelines on dealing with data breaches, the establishment of data breach policies and response plans, and the establishment of safety standards, including the execution of confidentiality agreements. In the meantime, companies are advised to begin evaluating their information management processes and controls.

With the fast-paced advances in information technology, RA 10173 will hopefully serve as a deterrent to data breaches arising from malicious actions. Moreover, it must serve as a constant reminder to personal information handlers that, where personal information is concerned, there should be no room for any kind of error – intentional or otherwise. Every mistake should be treated as one that may pose a serious harm to affected individuals.

Carlo Kristle G. Dimarucut is an Associate Director of SGV & Co.

This article is for general information only and is not a substitute for professional advice where the facts and circumstances warrant. The views and opinion expressed above are those of the author and do not necessarily represent the views of SGV & Co.