Summary

This document covers data security, privacy, industrial revolutions, and the Data Privacy Act of 2012 in the Philippines. It details the roles of a data protection officer and discusses different types of information. It also outlines the various industrial revolution stages.

Full Transcript

**Jonathan M. Santiago**

- Certified as a Data Protection Officer and Cybersecurity Professional.
- Active membership in the National Privacy Commission and Philippine Institute of Cyber Security Professionals.
- Pursuing a Master in Information Technology; holds an MBA from 1999.
- Current roles include being President of the Organization of Data Privacy Professionals and Deputy Data Protection Officer at Baliuag University.
- Involved in leadership positions at various organizations, including the Bulacan Samaritan Supreme Eagles Club.

**Industrial Revolution:**

- Industry 1.0: Mechanization, steam power, weaving loom (started in 1784).
- Industry 2.0: Mass production, assembly line, electrical energy (began around 1870).
- Industry 3.0: Automation, computers, and electronics (started in 1969).
- Industry 4.0: Cyber-Physical Systems, Internet of Things, networks (current era).

**New Normal:**

- Remote learning, virtual events, work-from-home setups, and telehealth.

**RA 10173 or Data Privacy Act of 2012**

- It is the policy of the state to protect the fundamental human right of privacy of communication while ensuring free flow of information to promote innovation and growth.

**Privacy:** The right to be let alone.

**Data Privacy:** An individual's right to the protection of his/her data.

**Monetization Paths:**

- Define, Create, or Analyze Efficiencies or Output
- Create New Services and Products
- Create New Markets

**Data Privacy Act of 2012 in the Philippines.**

- **August 15, 2012**: President Benigno S. Aquino III signed RA No. 10173, the Data Privacy Act of 2012.
- **March 7, 2016**: The National Privacy Commission (NPC) was inaugurated and promulgated, with Commissioner Raymund Liboro leading the commission.
- **August 24, 2016**: The Implementing Rules and Regulations (IRR) of the Data Privacy Act were signed after consultations with various stakeholders.
- **September 9, 2016**: The IRR took effect.
- **May 2016**: The NPC formally investigated the Commission on Elections (COMELEC) for a data breach involving voter information.
- **February 21, 2017**: The NPC announced another investigation into the COMELEC for a suspected data breach involving voter information.
- **December 5, 2019** to present: New commissioners were appointed to the NPC, with Atty. John Henry D. Naga as Privacy Commissioner and Chairman.

**Four key areas related to data privacy**

- Protecting individual personal data
- Information and communications systems
- Government and the private sector
- National Privacy Commission

**Penalty** - Fines and imprisonment.

**Liable** - Any person; any responsible employee or officers of the company.

**Social Engineering Attack:** Smishing Attack, Phishing Attack, Hacking, Scammer.

**Data Subject**

- Refers to an individual whose personal, sensitive personal, or privileged information is processed.

**PERSONAL INFORMATION**

- Refers to any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.

**SENSITIVE PERSONAL INFORMATION**

- About an individual's race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;
- About an individual's health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings;
- Government-issued ID.

**Privileged Personal Information (PPI)**

- Refers to data that is accorded a higher level of protection due to its sensitive nature.

PPI includes:

- Communications: Such as privileged attorney-client communications or doctor-patient confidentiality;
- Trade Secrets: Proprietary information critical to a company's competitive advantage;
- Journalistic Sources: Information that identifies sources of journalistic, literary, or artistic work.

**Processing**

- Refers to any operation or any set of operations performed upon personal data including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data.
- Processing may be performed through automated means, or manual processing, if the personal data are contained or are intended to be contained in a filing system.

**PIC (PERSONAL INFORMATION CONTROLLER)**

- Person or organization who controls or processes the data.

**PIP (PERSONAL INFORMATION PROCESSOR)**

- A natural or juridical person to whom a personal information controller (PIC) may outsource the processing of personal data pertaining to a data subject.

**DATA PROCESSING SYSTEMS**

- Refers to the structure and procedure by which personal data is collected and further processed in an information and communications system or relevant filing system, including the purpose and intended output of the processing.

**INFORMATION & COMMUNICATIONS SYSTEM**

- "Information and communications system" refers to a system for generating, sending, receiving, storing, or otherwise processing electronic data messages or electronic documents, and includes the computer system or other similar device by which data is recorded, transmitted, or stored, and any procedure related to the recording, transmission, or storage of electronic data, electronic message, or electronic document.

**BEFORE COLLECTION OF DATA**

**3 Data Privacy Principles must be observed**

**TRANSPARENCY**

- Data Subjects must be aware of the nature, purpose, and extent of processing.

**LEGITIMATE PURPOSE**

- The processing of information shall be compatible with a declared and specified purpose.

**PROPORTIONALITY**

- Collect only what is needed and commensurate to the benefits.

**Rights of a Data Subject**

- People whose personal information is collected, stored and processed are called data subjects.
- Under RA 10173, they are accorded certain rights which they may invoke and enforce against personal information controllers or processors, and which the latter are duty-bound to observe and respect.

**8 rights of the data subject**

**1. The right to be informed**

- The data subject has a right to be informed whether personal data pertaining to him or her will be, are being, or were processed.
- The data subject should be notified and furnished with the following information before the entry of his or her personal data into the processing system, or at the next practical opportunity:
  - a. Basis
  - b. Description
  - c. Purpose
  - d. Scope/method
  - e. Storage
  - f. Identity of PIC
  - g. Recipients
  - h. Rights

**2. The right to access**

The data subject has the right to reasonable access to, upon demand, the following:

- a. Contents of his or her personal data that were processed;
- b. Sources from which personal data were obtained;
- c. Names and addresses of recipients of the personal data;
- d. to recipients, if any;
- e. Date when his or her personal data concerning the data subject were last accessed and modified; and
- f. The designation, name or identity, and address of the personal information controller.

**3. The right to object**

- The data subject has the right to object to the processing of his or her personal data, including processing for direct marketing, automated processing or profiling. He or she should be given an opportunity to withhold consent in case of any amendment to the information supplied to the data subject under the right to be informed.

The personal information controller should not process the personal data without consent unless:

- a. The personal data is needed pursuant to a subpoena;
- b. The collection and processing are for obvious purposes, including when it is necessary for the performance of or in relation to a contract or service to which the data subject is a party, or when necessary or desirable in the context of an employer-employee relationship between the collector and the data subject; or
- c. The information is being collected and processed because of a legal obligation.

**4. The right to erasure or blocking**

The data subject has the right to suspend, withdraw or order the blocking, removal or destruction of his or her personal data from the personal information controller's filing system.

- a. The personal data is incomplete, outdated, false, or unlawfully obtained;

**5. The right to data portability**

The data subject has the right to obtain from the personal information controller a copy of such data in an electronic or structured format that is commonly used and allows further use. The exercise of this right should consider the right of data subject to have control over his or her personal data being processed based on consent or contract, for commercial purpose, or through automated means.

**6. The right to rectify**

The data subject has the right to dispute and have corrected any inaccuracy or error in the data a personal information controller (PIC) holds about them. Once corrected, the PIC should ensure that the access and receipt of both new and retracted information. PICs should also furnish third parties with said information, should the data subject request it.

**7. The right to damages**

The data subject should be indemnified for any damages sustained due to such false, incomplete, outdated, unlawfully obtained or unauthorized use of personal data, considering any violation of his or her rights and freedoms as a data subject.

**8. The right to file a complaint**

If you feel that your personal information has been misused, maliciously disclosed, or improperly disposed, or that any of your data privacy rights have been violated, you have a right to file a complaint with the NPC.
