On Dec. 1, PHI DP issued circular regarding security of personal data.
PHI DP issued circular on security of personal data in government and private sector.
Aims to provide updated requirements for the security of personal data processed by personal information controllers (PIC) or personal information processors (PIP).
Follows PHI DP's Dec. 2022 consultation on a circular re security of personal data, #156625.
Document dated Dec. 1, 2023, was added on Mar. 26, 2024 due to editorial backfill.
General Obligations
PIC/PIP must designate and register its Data Protection Officer (DPO) with PHI DP.
Register its data processing systems with PHI DP according to the provisions of the DPA.
Create inventory of all data processing systems and activities; conduct a privacy impact assessment (PIA) on the processing of personal data and ensure it is updated.
A PIA should be undertaken for every processing system that involves personal data.
The risks identified in the PIA must be addressed by a control framework.
Both previously assessed controls and those newly identified via PIAs are to be monitored, evaluated, updated, and incorporated as per the PIC's privacy management program.
Set a privacy management program, taking into account certain factors.
Train employees, agents, personnel, or representatives on privacy and data protection.
Other Rules
A PIC or PIP shall consider privacy-by-design principles in its processing activities and enable privacy-by-default in data processing systems without requiring any action by data subjects.
Must store personal information in a way that permits identification of data subjects for only as long as necessary for the specific purpose for which it was initially processed.
When a PIC engages a service provider for the purpose of storing personal data under the PIC's control or custody, the service provider acts as a PIP.
Personal data that are processed must be adequately protected through best practices.
Personal data stored in databases under the control of the PIC may only be accessed or modified using authorized software programs either by the PIC or by its PIP.
A PIC/PIP must have a business continuity plan to mitigate potential disruptive events.
A PIC or PIP that transfers personal data by email must ensure that the data is adequately protected and that email messages are transmitted and received securely.
PIC/PIP must adhere to guidelines for disposal and destruction of personal data.
Includes miscellaneous provisions on threat monitoring, breach management, and audit.
Effectiveness
Rules shall take effect 15 days after publication in a newspaper of general circulation.
A PIC shall be given a transitory period of 12 months from the effectivity of this circular to comply with the requirements provided within it.
Regulators
PHI DP
Entity Types
CNSM; Corp
Reference
Cir 2023-06, 12/01/2023; Rpl 16-01
Functions
Audit; BCS; Compliance; Outsourcing; Privacy; Product Administration; Product Design; Record Retention; Technology; Training