Data Privacy Manual
Republic Act No. 10173, also known as the Data Privacy Act of 2012 (DPA), aims to protect personal data in information and communications systems both in the government and the private sector.
It ensures that entities or organizations processing personal data establish policies, and implement measures and procedures that guarantee the safety and security of personal data under their control or custody, thereby upholding an individual’s data privacy rights. A personal information controller or personal information processor is instructed to implement reasonable and appropriate measures to protect personal data against natural dangers such as accidental loss or destruction, and human dangers such as unlawful access, fraudulent misuse, unlawful destruction, alteration and contamination.
This Privacy Manual is hereby adopted in compliance with Republic Act No. 10173 or the Data Privacy Act of 2012 (DPA), its Implementing Rules and Regulations, and other relevant policies, including issuances of the National Privacy Commission. This organization respects and values your data privacy rights, and makes sure that all personal data collected from you, our clients and customers, are processed in adherence to the general principles of transparency, legitimate purpose, and proportionality.
This Manual shall inform you of our data protection and security measures, and may serve as your guide in exercising your rights under the DPA.
Definition of Terms
- Data Subject — refers to an individual whose personal, sensitive personal or privileged information is processed by the organization. It may refer to officers, employees, consultants, and clients of this organization.
- Personal Information — refers to any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.
- Processing — refers to any operation or any set of operations performed upon personal information including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure, or destruction of data.
Scope and Limitations
All personnel of this organization, including the leadership team, associates, apprentices, and volunteers, must comply with the terms set out in this Privacy Manual.
Processing of Personal Data
OTTD collects the basic contact information of clients and customers, including their full name, nickname, home address, email address, contact number, date of birth, age, gender, civil status, faith/religious affiliation, Facebook account, educational background, employment history, community/church/ministry involvement, family background, relationship background, personal calling, spiritual experiences, and prayer life, together with the programs or services they want to avail of. All information will be collected through printed or online registration, application, or pre-retreat survey forms.
OTTD will not know your name, e-mail address, or any other personally identifiable information just because you browse our website or our Facebook page unless you:
- Access the website from a link in an e-mail sent by OTTD
- Request printed or e-mail materials
- Contact OTTD with a direct inquiry
- Subscribe to receive e-mail communications offered on the website or social media platforms.
Personal data collected shall be used by OTTD to personalize your experience, improve our website, improve our customer service, process transactions, and send periodic e-mails.
Your personal data shall help the ministry in providing relevant and appropriate care and guidance in the conduct of spiritual formation and spiritual accompaniment. Further, personal data will be used in the development of formation programs and retreats. Lastly, data collected shall be used by the ministry for documentation, and communications purposes.
Specifically, OTTD may send service-related announcements whenever it is necessary to do so such as promotion of future activities and updates on ongoing programs.
C. Storage, Retention, and Destruction
OTTD will ensure that personal data under its custody are protected against any accidental or unlawful destruction, alteration, and disclosure as well as against any other unlawful processing. OTTD will implement appropriate security measures in storing collected personal information, depending on the nature of the information.
All information gathered shall not be retained for a period longer than three (3) years for spiritual formation and one (1) year for other short-term or one-day retreats or recollections. After such term, all hard and soft copies of personal information shall be disposed and destroyed, through secured means, unless the data subject decides to update and give permission to further retain and store such information.
If you no longer wish to receive communications, you may click unsubscribe in our e-mail promotions or send us a message requesting for the discontinuation of sending you such communications.
Due to the sensitive and confidential nature of the personal data under the custody of OTTD, only the Executive Director and Program Coordinator have full access to such information. Personal data, in part or in whole, found in your registration, application, and/or pre-retreat survey form will be shared to your retreat guide, spiritual director, small group facilitator, or administrative personnel on a strict need-to-know basis.
E. Disclosure and Sharing
All personnel of this organization, including the leadership team, associates, apprentices, and volunteers shall maintain the confidentiality and secrecy of all personal data that come to their possession, even after resignation, termination of contract, or other contractual relations. Personal data under the custody of OTTD shall be disclosed only pursuant to a lawful purpose, and to authorized recipients of such data.
A. Organization Security Measures
1. Data Protection Officer (DPO) or Compliance Officer for Privacy (COP)
The designated Data Protection Officer )DPO) or Compliance Officer for Privacy (COP) is Mr. Jo-ed C. Tome who is concurrently serving as the Program Coordinator of OTTD.
2. Functions of the DPO, COP and/or any other responsible personnel with similar functions
The DPO/COP shall oversee the compliance of OTTD with the DPA, its IRR, and other related policies, including the conduct of a Privacy Impact Assessment (PIA), implementation of security measures, security incident and data breach protocol, and the inquiry and complaints procedure.
3. Conduct of trainings or seminars to keep personnel, especially the DPO updated vis-a-vis developments in data privacy and security
OTTD shall sponsor a mandatory training on data privacy and security at least once a year. For personnel directly involved in the processing of personal data, management shall ensure their attendance and participation in relevant trainings and orientations, as often as necessary.
4. Conduct of Privacy Impact Assessment (PIA)
OTTD shall conduct a PIA relative to all activities, projects, and systems involving the processing of personal data. It may choose to outsource the conduct a PIA to a third party.
5. Duty of Confidentiality
All personnel of this organization, including the leadership team, associates, apprentices, and volunteers will be asked to sign a Non-Disclosure Agreement. All those with access to protect data shall operate and hold personal data under strict confidentiality if the same is not intended for public disclosure.
6. Review of Privacy Manual
This Manual shall be reviewed and evaluated annually. Privacy and security policies and practices within the organization shall be updated to remain consistent with current data privacy best practices.
B. Physical Security Measures
1. Format of data to be collected
Personal data in the custody of OTTD may be in digital/electronic format and paper-based/physical format.
2. Storage type and location
All paper-based documents being processed by OTTD shall be stored in secure filing shelves or cabinets while the digital/electronic files are stored in computers provided and installed by OTTD.
3. Access procedure of agency personnel
Only authorized personnel shall be allowed access paper-based and/or digital/electronic documents. Other personnel may be granted access to the storage upon approval of such request by the DPO.
4. Design of office/work station
The computers are positioned with considerable spaces between them to maintain privacy and protect the processing of personal data.
5. Persons involved in processing, and their duties and responsibilities
Persons involved in processing shall always maintain confidentiality and integrity of personal data. They are not allowed to bring their own gadgets or storage device of any form when entering the data storage room unless otherwise requested and approved by the DPO.
6. Modes of transfer of personal data within the organization, or to third parties
C. Physical Security Measures
1. Monitoring for security breaches
OTTD shall use an intrusion detection system to monitor security breaches and alert the organization of any attempt to interrupt or disturb the system.
2. Security features of the software/s and application/s used
OTTD shall first review and evaluate software applications before the installation thereof in computers and devices of the organization to ensure the compatibility of security features with overall operations.
3. Process for regularly testing, assessment, and evaluation of effectiveness of security measures
OTTD shall review security policies, conduct vulnerability assessments, and perform penetration testing within the company on regular schedule to be prescribed the appropriate department or unit.
4. Encryption, authentication process, and other technical security measures that control and limit access to personal data
Each personnel with access to personal data shall verify his or her identity using a secure encrypted link and multi-level authentication. Important codes are changed when there are possible threats to security such as turnover of staff, technical malfunctions, and the like. The codes are kept in a secure and encrypted location.
Breach and Security Incidents
1. Creation of a Data Breach Response Team
A data breach response team shall be responsible for ensuring immediate action in the event of a security or personal data breach. The team shall conduct an initial assessment of the incident or breach in order to ascertain the nature and extent thereof. It shall also execute measures to mitigate the adverse effects of the incident or breach.
2. Measures to prevent and minimize occurrence of breach and security incidents
OTTD shall regularly conduct a PIA to identify risks in the processing system and monitor for security breaches and vulnerability scanning of computer networks. Personnel directly involved in the processing personal data must attend trainings and seminars for capacity building. Any personnel who has issues with confidentiality will be dealth with accordingly. There must also be a periodic review of policies and procedures being implemented in the organization.
3. Procedure for recovery and restoration of personal data
OTTD shall always maintain a backup file for all personal data under its custody. In the event of a security incident or data breach, it shall always compare the backup with the affected file to determine the presence of any inconsistencies or alterations resulting from the incident or breach.
4. Notification protocol
The head of the data breach response team shall inform the management of the need to notify the NPC and the data subjects affected by the incident or breach within the period prescribed by law. Management may decide to delegate the actual notification to the head of the data breach response team.
5. Documentation and reporting procedure of security incidents or a personal data breach
The data breach response team shall prepare a detailed documentation of every incident or breach encountered, as well as an annual report, to be submitted to management and the NPC, within the prescribed period.
Inquiries and Complaints
Data subjects may inquire or request for information regarding any matter relating to the processing of their personal data under the custody of the organization, including the data privacy and security policies implemented to ensure the protection of their personal data. They may write to the organization at email@example.com and briefly discuss the inquiry, together with their contact details for reference.
Complaints shall be filed in three (3) printed copies, or sent to firstname.lastname@example.org. The concerned department or unit shall confirm with the complainant its receipt of the complaint.
The provisions of this Manual are effective this 21st day of April, 2020, until revoked or amended by this company, through a meeting by the management.