Personal Data Controller refers to a person or organization who controls the collection, holding, processing or use of personal data, including a person or organization who instructs another person or organization to collect, hold, process, use, transfer or disclose personal data on his or her behalf. The term excludes:
A person or organization who performs such functions as instructed by another person or organization; and
An individual who collects, holds, processes or uses personal data in connection with the individual’s personal, family or household affairs.
Consent of the data subject refers to any freely given, specific, informed indication of will, whereby the data subject agrees to the collection and processing of his or her personal, sensitive personal, or privileged data. Consent shall be evidenced by written, electronic or recorded means. It may also be given on behalf of a data subject by a lawful representative or an agent specifically authorized by the data subject to do so;
Data subject refers to an individual whose personal, sensitive personal, or privileged data is processed;
Data processing systems refers to the structure and procedure by which personal data is collected and further processed in an data and communications system or relevant filing system, including the purpose and intended output of the processing;
Data sharing is the disclosure or transfer to a third party of personal data under the custody of a personal data controller or personal data processor. In the case of the latter, such disclosure or transfer must have been upon the instructions of the personal data controller concerned. The term excludes outsourcing, or the disclosure or transfer of personal data by a personal data controller to a personal data processor;
Direct marketing refers to communication by whatever means of any advertising or marketing material which is directed to particular individuals;
Personal data breach refers to a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed;
Personal data refers to any data, whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the data, or when put together with other data would directly and certainly identify an individual;
Processing refers to any operation or any set of operations performed upon personal data including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data. Processing may be performed through automated means, or manual processing, if the personal data are contained or are intended to be contained in a filing system;
Security incident is an event or occurrence that affects or tends to affect data protection, or may compromise the availability, integrity and confidentiality of personal data. It includes incidents that would result to a personal data breach, if not for safeguards that have been put in place;
Sensitive personal data refers to personal data:
About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;
About an individual’s health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such individual, the disposal of such proceedings, or the sentence of any court in such proceedings;
Issued by government agencies peculiar to an individual which includes, but is not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns; and
Specifically established by an executive order or an act of Congress to be kept classified.
The processing of personal data within AMAes should only be done pursuant to the following principles, as provided by the Implementing Rules and Regulations of Data Privacy Act:
Transparency. The data subject must be aware of the nature, purpose, and extent of the processing of his or her personal data, including the risks and safeguards involved, the identity of personal data controller, his or her rights as a data subject, and how these can be exercised. Any data and communication relating to the processing of personal data should be easy to access and understand, using clear and plain language.
Legitimate purpose. The processing of data shall be compatible with a declared and specified purpose which must not be contrary to law, morals, or public policy.
Proportionality. The processing of data shall be adequate, relevant, suitable, necessary, and not excessive in relation to a declared and specified purpose. Personal data shall be processed only if the purpose of the processing could not reasonably be fulfilled by other means.
Consent or authorization from applicants, students, alumni, employees, clients, and customers of AMAes will be secured first prior to any collection, process, storage, access, use, and sharing or transfer of personal data by AMAes. Consent will be secured through paper-based or electronic form. The consent form for processing of data of students is attached as Annex A, while the consent form for processing data of employees is attached as Annex B.
A. Data Privacy Officer (DPO)
AMAes shall have a Data Privacy Officer (“DPO”) who shall be mainly responsible for managing the compliance of the Company with R.A. 10173 also known as Data Privacy Act, its IRR, any circulars issued by NPC, and other laws that may be pertinent to the protection of Data. The functions and responsibilities of the DPO shall be the ff:
Draft, study, review and assess the established policies and procedures of AMAes in connection with Data Privacy as well as the way the Data Subject exercises their rights under the Data Privacy and other laws and regulations pertinent to Data Privacy,
Acts as the contact person of the Data Subject when the latter inquires, or has complaints regarding his or her data privacy rights,
Initiate Privacy Impact Assessment.
Acts as a representative of AMAes before the National Privacy Commission and other government agencies which is also engaged in Data Privacy.
B. Compliance Officer for Privacy (COP)
Since AMA Education System is a private education conglomerate composed of the following member schools: AMA Colleges, AMA Computer College, AMA Computer University, Inc., ABE International College of Business and Accountancy, ABE International College of Business and Economics, AMA Computer Learning Center, ACLC College, St. Augustine International School, St. Augustine School of Nursing, St. Augustine College, AMA Schools of Medicine, Southern Luzon College of Business, Maritime, Science and Technology, Inc. and Sta. Veronica College, we have assigned a Compliance Officer for Privacy in all member schools who will coordinate with the Data Privacy Officer regarding Data Privacy.
Based on NPC Advisory No. 2017-01, a Compliance Officer for Privacy refers to an individual or individuals who shall perform some of the functions of a DPO, as provided in this Advisory. In our setting however, functions of COP would revolve around the following:
Knowing the flow of data of students and employees concerning his/her branch, from the collection of the data, to its use, to its storage, and its archiving/disposal/deletion. And document this flow, and coordinate said flow with the DPO.
Knowing the Department or specific personnel/s involved in the stages of processing of data.
Assist the DPO in conducting Privacy Impact Assessment as to their school.
Be the immediate contact person of Data Subjects transacting in your school as to any Data Privacy concerns.
Be the primary person to be coordinated by the DPO concerning any Data Privacy concerns of your school.
In case of any security or incident breach, the one to be notified immediately by the school and the one to notify the DPO of such. Also, to assist the DPO, in resolving or mitigating the security or breach incident.
In case of No.8, to work together with the DPO in making the annual report, to be submitted to the NPC, as provided by Data Privacy Act.
Other tasks that would be necessary to comply with Data Privacy Act.
C. Management of all persons who collect, process, store, use, share or transfer and dispose
Before the personal data is to be collected, processed, stored, used, shared or transferred, and archived/ disposed, AMAes assures that the consent of the relative Data Subject is obtained whether it be in an electronic or paper-based form.
The DPO and the COP concerned, with the assistance of all the representative of all the Departments within AMAes shall create, review, and implement organizational, physical, and technical measures to ensure that all the AMAes employees who deal with personal data will strictly process it for legitimate and lawful purpose only. These measures may include drafting new pertinent policies and guidelines and constant review of said policies and guidelines. Said measure may also include conducting of seminars or trainings of employees who deal with personal data. Lastly, employees who deal with personal data are bound by a non-disclosure agreement regarding any data they handle.
In case of any suspicious activity that may result to an actual or potential breach or incident of Privacy rights of any Data Subjects of AMAes, the COP concerned shall coordinate said breach or incident with the DPO, and the latter will coordinate with the Data Breach Response Team.
Regardless of the weight of any Data Privacy issue, the COP concerned and/or DPO will always coordinate with the NPC for a more comprehensive resolution regarding said Privacy issue.
D. Processing of Personal Data
It is to be stressed that consent of the Data Subject is secured first whether it be in an electronic or paper-based form, before the authorized representative of AMAes collects the necessary data.
AMAes collects data from its applicants, students, alumni, clients, and customers for identification purposes and record-making in the system of AMAes. Their identification is connected to the program, service, or product they have applied with AMAes and surely will be collected only for legitimate and lawful purpose.
The personal data used by AMAes shall be for documentation purposes, for tracking of their status as an applicant, student, client, or customer of AMAes and whether the services or products availed from AMAes had already been terminated, completed, or rescinded by said student, applicant, client, or customer.
3. Shares or Transfers
Sharing or transfer of data processed by AMAes will always be in connection with and only to advance the product or service availed by the Data Subject from AMAes.
AMAes may disclose and share the data of its Data Subjects:
With various units within AMAes or to any of its branches or subsidiaries to fully create their respective record whether it be for physical documentation(i.e. in portals or legitimate domains of AMAes), or for any investigation conducted by AMAes to prevent any unlawful or suspicious activity;
To any of its affiliates or third-parties for legitimate purposes and only in connection with the services and products of AMAes.
To any service providers who may need access to the data for the purpose of carrying out work on behalf of AMAes
To any Government agencies pursuant to law, regulations, or investigations conducted by them and to Philippines Court, if accordance to their order/s.
To a third person if it is pursuant to a Court order, and
To the Data Subject if it is with respect to their own record under the custody of AMAes when requested.
4. Retention and Disposal of Data
It is to be emphasized that AMAes does not store the personal data of the Data Subject unless it is necessary and for the interest of its Data Subjects.
Once it is not necessary anymore, or upon the request of the Data Subject based on justified reason/s, the personal data will be deleted.
Aside from the fact that AMAes employees signed a non-disclosure agreement with respect to the personal data processed by them, the following are also implemented in the workstations of said employees within AMAes:
The HRO, COP or other concerned Departments shall ensure that the consent of all the Data Subjects, having a connection or transaction with AMAes have been secured first before his or her personal data is processed.
All personal data, in the System of AMAes have corresponding backup files (both in paper-based and electronic form).
The consent forms of all applicants, students, alumni, clients, guests, and all employees shall be placed in the folder where the record of the latter can also be found.
The cabinets which are used for storing the personal data of all Data Subjects of AMAes should have locks or padlocks. The keys to these locks should be held by a trusted employee/s and said trusted employee/s should always be identified.
The position, job responsibilities, and name of the employees who are involved, directly or indirectly, in the processing of personal data, shall be clearly identified and documented to prevent unauthorized persons to process personal data.
The employee who process personal data, shall also document the Data Subject he or she is processing so that accountability can be easily established in case the privacy rights of said Data Subject is breached.
The HRO and/or COP shall ensure that employees who process personal data had signed the non-disclosure agreement to be provided by the DPO.
The IT Department will always maintain and update the security of the System or Database that AMAes uses in collecting, processing, and storing of Personal Data.
The IT Department will regularly look for any vulnerabilities or loopholes in the security measures they implement to protect the personal data stored in all the websites and in database of AMACC Inc., and
The COP will always be notified whenever there is an inquiry, complaint, or issue regarding any Data Privacy of their school.
The DPO will always coordinate with COP as to any Data Privacy concerns of their school.
The following security measures do not guarantee absolute protection of the Data processed by AMAes from violators of the law (i.e. hackers) since technology is always evolving. The security measures however, are implemented to manifest the intention of AMAes to fully protect its Data as to the maximum extent as possible.
A. The DPO and the COP concerned, with the assistance of IT Department shall always oversee the implementation of security policy established by AMAes for the protection of the data, which is in the System or Database or Network of AMAes. Also, they shall:
Monitor the system or database against security breaches (i.e. any unlawful collection, use, access, process, and share or disposal of personal data) and alert the organization or the department concerned of any attempt to interrupt or disturb the system of AMAes,
Implement guidelines to identify the person/s or software that caused any security breach affecting the personal data of the Data subjects,
Implement guidelines to mitigate or finally resolve the security breach that happened or could potentially happen.
Always make sure, especially the IT Department, that Personal Data are encrypted during storage and while in transit, authentication process, and other technical security measures that control and limit access thereto. The data in the System of AMAes are encrypted so as to secure the data being encrypted, from being illegally accessed.
Review and evaluate software applications before installation in computers or devices of the organization to ensure the compatibility of security features with overall operations. The IT Department and/ or other concerned Department are tasked to ascertain that security of the System of AMAes are not prejudiced or compromised by reason of installation of any new software or applications.
Regularly assessed the security policy implemented in AMAes and the IT Department and/or other concerned Department shall also regularly test or evaluate the software applications used by AMAes, for the protection of the data in their System or Database or Network.
B. Breach and Security Incidents
In general, all employees who are tasked to process personal data are under an obligation to prevent any possible breach or security incident. In the event that there is a possible breach or security incident affecting the personal data of any Data subjects, he or she is tasked to report it to his or her immediate head and the COP of the branch/office, and the COP shall notify the DPO, who shall notify the Data Subject concerned as well as the National Privacy Commission.
The following are the guidelines that will be undertaken with regard to any actual or potential breach or security incident affecting the personal data of any Data Subjects:
The Data Breach Response Team will coordinate and immediately conduct a meeting.
The Data Breach Response Team comprising of five (5) officers namely: the Data Privacy Officer, Compliance Officer for Privacy of the concerned School, the IT Manager, the head HRO of the concerned school, and a representative from department connected with the data involved; and the employee/s involved, directly or indirectly with the personal data concerned, shall be responsible for ensuring immediate action in the event of a potential or actual security incident or personal data breach. Said team shall conduct an initial assessment of the incident or breach to establish the facts of the incident or breach. The Team shall effect measures that will mitigate and resolve said incident or breach immediately.
Identify the measures to prevent and minimize occurrence of breach and security incidents.
The measures that will be applied in case of any breach or incident would be affirmed by majority of the Data Breach Response Team and in case of a tie, the Data Privacy Officer will be the one to break the tie.
The ultimate goal of the measure to be effected in case of an incident or breach is to protect the identity of the Data Subject whose personal data is involved, and to know to what extent the Data Subject is going to be prejudiced from what happened.
The DPO shall regularly conduct a Privacy Impact Assessment to identify possible risks in the processing of data of all schools, and will always coordinate with the IT Department in monitoring the security of our System.
Procedure for recovery and restoration of personal data
AMAes shall always maintain an updated backup file for all personal data under its custody. The backup file will always be compared with the affected file to determine the presence of any inconsistencies or alterations resulting from the incident or breach.
The recovery and restoration of the personal data in the system, database, or network of AMAes will depend whether the system, database, or network of AMAes can operate again without risk from any potential or actual data privacy breach or incident.
The Data Breach Response Team will notify NPC in case there is security breach or incident.
Documentation and reporting procedure of security incidents or a personal data breach
The COP of the school involved should prepare within 24 hours from the incident or breach a detailed documentation of said incident or breach.
The Data Breach Response Team, after the meeting held, shall also prepare a detailed documentation of every incident or breach encountered by AMAes. It is the DPO, with the help of COP, who will prepare an annual report to be submitted to management and the NPC within seventy-two (72) hours from the date of breach or incident.
The DPO has provided forms to fill out for the exercise of the following rights so that AMAes and the Data Subjects would have an orderly and convenient communication:
RIGHT TO BE INFORMED.
The data subject has a right to be informed whether personal data pertaining to him or her shall be, are being, or have been processed, including the existence of automated decision-making and profiling.
The data subject shall be notified and furnished with data indicated hereunder before the entry of his or her personal data into the processing system of the personal data controller, or at the next practical opportunity:
Description of the personal data to be entered into the system;
Purposes for which they are being or will be processed, including processing for direct marketing, profiling or historical, statistical or scientific purpose;
Basis of processing, when processing is not based on the consent of the data subject;
Scope and method of the personal data processing;
The recipients or classes of recipients to whom the personal data are or may be disclosed;
Methods utilized for automated access, if the same is allowed by the data subject, and the extent to which such access is authorized, including meaningful data about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject;
The identity and contact details of the personal data controller or its representative;
The period for which the data will be stored; and
The existence of their rights as data subjects, including the right to access, correction, and object to the processing, as well as the right to lodge a complaint before the Commission.
RIGHT TO OBJECT.
The data subject shall have the right to object to the processing of his or her personal data, including processing for direct marketing, automated processing or profiling. The data subject shall also be notified and given an opportunity to withhold consent to the processing in case of changes or any amendment to the data supplied or declared to the data subject in the preceding paragraph.
When a data subject objects or withholds consent, the personal data controller shall no longer process the personal data, unless:
The personal data is needed pursuant to a subpoena;
The collection and processing are for obvious purposes, including, when it is necessary for the performance of or in relation to a contract or service to which the data subject is a party, or when necessary or desirable in the context of an employer-employee relationship between the collector and the data subject; or
The data is being collected and processed as a result of a legal obligation.
RIGHT TO ACCESS.
The data subject has the right to reasonable access to, upon demand, the following:
Contents of his or her personal data that were processed;
Sources from which personal data were obtained;
Names and addresses of recipients of the personal data;
Manner by which such data were processed;
Reasons for the disclosure of the personal data to recipients, if any;
Data on automated processes where the data will, or is likely to, be made as the sole basis for any decision that significantly affects or will affect the data subject;
Date when his or her personal data concerning the data subject were last accessed and modified; and
The designation, name or identity, and address of the personal data controller.
RIGHT TO RECTIFICATION.
The data subject has the right to dispute the accuracy or request for rectification of the error in his/her personal data and have the personal data controller correct it immediately and accordingly, unless the request is vexatious or otherwise unreasonable. If the personal data has been corrected, the personal data controller shall ensure the accessibility of both the new and the retracted data and the simultaneous receipt of the new and the retracted data by the intended recipients thereof: Provided, That recipients or third parties who have previously received such processed personal data shall be informed of its inaccuracy and its rectification, upon reasonable request of the data subject.
RIGHT TO ERASURE OR BLOCKING.
The data subject shall have the right to suspend, withdraw or order the blocking, removal or destruction of his or her personal data from the personal data controller’s filing system.
This right may be exercised upon discovery and substantial proof of any of the following:
The personal data is incomplete, outdated, false, or unlawfully obtained;
The personal data is being used for purpose not authorized by the data subject;
The personal data is no longer necessary for the purposes for which they were collected;
The data subject withdraws consent or objects to the processing, and there is no other legal ground or overriding legitimate interest for the processing;
The personal data concerns private data that is prejudicial to data subject, unless justified by freedom of speech, of expression, or of the press or otherwise authorized;
The processing is unlawful
The personal data controller or personal data processor violated the rights of the data subject.
The personal data controller may notify third parties who have previously received such processed personal data.
RIGHT TO DAMAGES.
The data subject shall be indemnified for any damages sustained due to such inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of personal data, taking into account any violation of his or her rights and freedoms as data subject.
RIGHT TO DATA PORTABILITY.
Where his or her personal data is processed by electronic means and in a structured and commonly used format, the data subject shall have the right to obtain from the personal data controller a copy of such data in an electronic or structured format that is commonly used and allows for further use by the data subject. The exercise of this right shall primarily take into account the right of data subject to have control over his or her personal data being processed based on consent or contract, for commercial purpose, or through automated means. The Commission may specify the electronic format referred to above, as well as the technical standards, modalities, procedures and other rules for their transfer.
The immediately preceding sections shall not be applicable if the processed personal data are used only for the needs of scientific and statistical research and, on the basis of such, no activities are carried out and no decisions are taken regarding the data subject: Provided, that the personal data shall be held under strict confidentiality and shall be used only for the declared purpose. The said sections are also not applicable to the processing of personal data gathered for the purpose of investigations in relation to any criminal, administrative or tax liabilities of a data subject. Any limitations on the rights of the data subject shall only be to the minimum extent necessary to achieve the purpose of said research or investigation.