The Congress of the Philippines passed Republic Act No. 10173 known as the Data Privacy Act (DPA) of 2012. The DPA’s implementing rules and regulations (IRR) was issued effective September 9, 2016, thus requiring all companies to comply.
Overview of the DPA
The DPA was enacted to ensure that companies processing personal data establish policies and implement measures and procedures that guarantee the safety and security of personal data under the control and custody of the company, thereby upholding an individual’s data privacy rights. A personal information controller and personal information processor is obligated to implement reasonable and appropriate measures to protect personal data against natural dangers such as accidental loss or destruction, and human dangers such as unlawful access, fraudulent misuse, unlawful destruction, alteration and contamination, and other dangers. STAR PARKS CORPORATION is committed to safeguard the fundamental human right of every individual to privacy by adopting generally accepted principles and standards for personal data protection. This Privacy Manual is hereby adopted as a guide for ensuring compliance with the DPA, its IRR, and other relevant policies and issuances of the National Privacy Commission. It encapsulates the privacy and data protection protocols that need to be observed and carried out within the organization for specific circumstances (e.g., from collection to destruction), directed toward the fulfilment and realization of the rights of data subjects.
DEFINITION OF TERMS
The following terms shall have the respective meanings hereafter set forth in this Manual:
Company refers to Star Parks Corporation.
Data subject refers to an individual whose personal information and/or sensitive personal information is processed.
Direct marketing refers to communication by whatever means of any advertising or marketing material which is directed to particular individuals.
Employees refers to all persons engaged in a contract of service with the Company (whether on a part-time, temporary or full-time basis) and interns and trainees working at or attached to the Company (collectively referred to as “employees”) as well as persons who have applied for any such position with the Company (“job applicants”).
Filing system refers to a structured record-keeping system whereby information is stored either by reference to individuals or by reference to a criteria relating to individuals, in such a way that specific information relating to a particular person is readily accessible.
Information and Communications System refers to a system for generating, sending, receiving, storing or otherwise processing electronic data messages or electronic documents and includes the computer system or other similar device by which data is recorded, transmitted or stored and any procedure related to the recording, transmission or storage of electronic data, electronic message, or electronic document.
Informed Consent of the data subject refers to any freely given, specific, informed indication of will, whereby the data subject agrees to the collection and processing of personal information about and/or relating to him or her. Consent shall be evidenced by written, electronic or recorded means. It may also be given on behalf of the data subject by an agent specifically authorized by the data subject to do so.
Manual – refers to the Data Privacy Manual of Star Parks Corporation
Personal information refers to any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.
Personal information controller (PIC) refers to a person who controls the collection, holding, processing, uses personal information or instructs another to process personal data. He decides on what information is collected, or the purpose or extent of its processing.
Personal Information processor (PIP) refers to a person who is authorized by a personal information controller to process personal data pertaining to a data subject.
Processing refers to any operation or any set of operations performed upon personal information including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data.
Privileged information refers to any and all forms of data which under the Rules of Court and other pertinent laws constitute privileged communication.
Security Incident is an event that affects or tends to affect or may compromise data protection
Sensitive personal information refers to personal information:
a. About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;
b. About an individual’s health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings;
c. Issued by government agencies peculiar to an individual which includes, but not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns;
SCOPE OF DATA PRIVACY MANUAL
The Manual shall also apply to lessees and other persons contracting with the company who may be required to submit their own Personal Data and the Personal Data of their employees as a matter of policy or security
DATA PRIVACY PRINCIPLES
The processing of personal data shall be performed subject to adherence to the principles of transparency, legitimate purpose, and proportionality.
a. Transparency. The Data Subject shall be informed of the nature, purpose, and extent of the processing of his or her Personal Data by the Company, including the risks and safeguards involved, the identity of personal information controller involved in the processing his or her Personal Data, his or her rights as a Data Subject, and how these can be exercised. Any information and communication relating to the processing of Personal Data should be easy to access and understand, using clear and plain language.
b. Legitimate purpose. The processing of Personal Data by the Company shall be compatible with a declared and specified purpose which must not be contrary to law, morals, or public policy.
c. Proportionality. The processing of Personal Data shall be adequate, relevant, suitable, necessary, and not excessive in relation to a declared and specified purpose. Personal Data shall be processed by the Company only if the purpose of the processing could not reasonably be fulfilled by other means.
DATA PROCESSING POLICIES AND PROCEDURES
Data Processing Records
Adequate records of the Company’s Personal Data processing activities shall be maintained at all times. The DPO, with the cooperation and assistance of all the concerned departments involved in the processing of Personal Data, shall be responsible for ensuring that these records are kept up-to-date. These records shall include, at the minimum:
1. Information about the purpose of the processing of Personal Data, including any intended future processing or data sharing;
2. A description of all categories of Data Subjects, Personal Data, and recipients of such Personal Data that will be involved in the processing;
3. General information about the data flow within the Company, from the time of collection and retention, including the time limits for disposal or erasure of Personal Data;
4. A general description of the organizational, physical, and technical security measures in place including the filing systems within the Company; and
5. The name and contact details of the DPO, Personal Data processors, as well as any other staff members accountable for ensuring compliance with the applicable laws and regulations for the protection of data privacy and security.
Human Resources & Administration Services (HRAS)
The DPO, with the cooperation of the Company’s HRAS, shall develop and implement measures to ensure that all the Company’s staff who have access to Personal Data will strictly process such data in compliance with the requirements of the Data Privacy Act and other applicable laws and regulations. These measures may include drafting new or updated relevant policies of the Company and conducting training programs to educate employees and agents on data privacy related concerns. The DPO, with the assistance of HRAS, shall ensure that the Company shall obtain the employee’s informed consent, evidenced by written, electronic or recorded means, to:
1. The processing of his or her Personal Data, for purposes of maintaining the Company’s records; and,
2. A continuing obligation of confidentiality on the employee’s part in connection with the Personal Data that he or she may encounter during the period of employment with the Company. This obligation shall apply even after the employee has left the Company for whatever reasons.
The DPO, with the assistance of HRAS and any other departments of the Company responsible for the processing of Personal Data, shall document the Company’s Personal Data processing procedures. The DPO shall ensure that such procedures are updated and that the consent of the Data Subjects (when required by the DPA or other applicable laws or regulations) is properly obtained and evidenced by written, electronic or recorded means. Such procedures shall also be regularly monitored, modified, and updated to ensure that the rights of the Data Subjects are respected, and that processing thereof is done fully in accordance with the DPA and other applicable laws and regulations.
General Data Collection Policies and Procedures
a. Only authorized personal information controllers and/or personal information processors shall be allowed to collect the personal data of employees, lessees, suppliers/contractors, tour agents and clients/customers using the prescribed forms attached as Annex A, B1, B2, & F. The data collected may include but is not limited to the full name, residential address, email address, contact telephones or cellphone numbers of the Data Subject.
b. Before requiring the Data Subject to fill-up the prescribed forms, the PIC or PIP shall introduce him/herself, then request the Data Subject to read the Data Privacy Manual of the Company or explain the salient and applicable provisions of the Manual.
c. After reading the Manual or hearing the explanation of the salient and applicable provisions, the Data Subject shall be required to fill-up the prescribed form and sign the consent clause statement. (See Annex A, B1, B2 page 2, C, E to I).
d. Upon submission of the duly filled-up and signed prescribed form, the PIC or PIP shall provide the Data Subject his/her contact information (company issued cellphone or phone number and email address) for follow-up inquiries.
e. All prescribed forms unsigned by the Data Subjects shall be considered invalid and, if the same cannot be rectified within thirty (30) days from date of prescribed form, shall be disposed of immediately (thru shredding or other applicable means).
f. The concerned department head shall be required to sign the prescribed forms to signify that all of the above procedures were strictly observed.
Data Retention Schedule
Subject to applicable requirements of the DPA and other relevant laws and regulations, Personal Data shall not be retained by the Company for a period longer than necessary and/or proportionate to the purposes for which such data was collected.
As a general policy, records of the Company shall be retained in storage for a period of ten (10) years in accordance with the existing rules of the Bureau of Internal Revenue (BIR). In the case of the following records, the retention policy is as follows:
a. Employment records shall be retained indefinitely as these will be necessary as reference information after separation/retirement or when a former employee requests for information or Certificate of Employment.
b. Records of job applicants (who were not hired) shall be stored for one (1) year. After the said period, resumes/application forms and supports shall be destroyed (using a shredder machine). Her/his name and the fact of her/his having applied shall however be retained for Company reference only.
c. Lessees’ and other persons contracting with the Company for other reasons records (for approved contracts) shall be maintained for ten (10) years in accordance with BIR rules. All disapproved applications for lease/contract shall be stored for two (2) years from disapproval date for future reference purposes only. The applicant’s name and the fact of applicant’s having applied shall however be retained for Company reference only.
d. The personal data of On-line guests or customers visiting the Company’s website to buy electronic tickets shall be stored as follows:
- For completed transactions (paid), the information shall be stored for a period of ten (10) years in accordance with BIR rules.
- For incomplete transactions (not paid), the information provided by the Data Subject will be deleted from the system within thirty (30) days.
Organizational Security Measures
A. Data Protection Officer or Compliance Officer
A Data Protection Officer (“DPO”) shall be appointed by the Company. He shall be accountable for ensuring the Company’s compliance with applicable laws and regulations for the protection of data privacy and security.
The DPO’s functions and responsibilities shall particularly include, among others:
1. Monitoring the Company’s Personal Data Processing activities in order to ensure compliance with applicable Personal Data privacy laws and regulations, including the conduct of periodic internal audits and review to ensure that all the Company’s data privacy policies are adequately implemented by its employees and authorized agents;
2. Acting as a liaison between the Company and the regulatory and accrediting bodies, and is in charge of the applicable registration, notification, and reportorial requirements mandated by the Data Privacy Act, as well any other applicable data privacy laws and regulations;
3. Developing, establishing, and reviewing policies and procedures for the exercise by Data Subjects of their rights under the Data Privacy Act and other applicable laws and regulations on Personal Data privacy;
4. Acting as the primary point of contact whom Data Subjects may coordinate and consult with for all concerns relating to their Personal Data;
5. Formulating capacity building, orientation, and training programs for employees, agents or representatives of the Company regarding Personal Data privacy and security policies;
6. Preparing and filing the annual report of the summary of documented security incidents and Personal Data breaches, if any, as required under the Data Privacy Act, and of compliance with other requirements that may be provided in other issuances of the National Privacy Commission.
B. Trainings or Seminars
The Company shall sponsor a mandatory training on data privacy and security, at least once a year, especially the DPO, in order to be updated on developments in data privacy and security. For personnel directly involved in the processing of personal data, management shall ensure their attendance and participation in relevant trainings and orientations, as often as necessary.
C. Conduct of Privacy Impact Assessment (PIA)
The Company, on its own or thru outsourced third party, shall conduct a Privacy Impact Assessment relative to all activities, projects and systems involving the processing of personal data at least once a year.
D. Review of Privacy Manual
This privacy manual shall be reviewed and evaluated annually. Privacy and security policies and practices within the Company shall be updated to remain consistent with current data privacy best practices.
Physical Security Measures
The DPO, with the assistance of HRAS Engineering and Maintenance Department (EMD) and Information and Technology Department (“ITD”), shall develop and implement policies and procedures for the Company to monitor and limit access to the Company’s information and communication system, and activities in the offices of HRAS, as well as any other departments and/or workstations in the Company where Personal Data is processed, including guidelines that specify the proper use of, and access to, electronic media. The design and layout of the office spaces and work stations of the above-mentioned departments, including the physical arrangement of furniture and equipment, shall be periodically evaluated and readjusted in order to provide privacy to anyone processing Personal Data, taking into consideration the environment and accessibility to unauthorized persons. The duties, responsibilities, and schedules of individuals involved in the processing of Personal Data shall be clearly defined to ensure that only the individuals actually performing official duties shall be in the room or work station, at any given time. Further, the rooms and workstations used in the processing of Personal Data shall, as far as practicable, be secured against natural disasters, power disturbances, external access, and other similar threats.
The following security measures shall be observed at all times.
a. All desktop computers used by the Company shall be password protected.
b. Filing cabinets shall also be locked at all times.
c. Only authorized personnel shall be provided duplicate keys to access offices where sensitive and confidential data are stored.
d. The guard on duty shall also be provided emergency access keys and shall only open the room or facility if requested by a duly authorized regular employee of the company.
e. The guard on duty shall record the date, time duration and name of personnel who accessed the room or facility in a guard’s logbook provided for the said purpose.
f. Transfer of personal data within the organization shall always be approved in writing by the department manager. Transfers to third parties shall be approved by the President, Chief Finance Officer or Executive Vice President upon endorsement by the DPO.
Technical Security Measures
The DPO, with the cooperation and assistance of ITD, shall continuously develop and evaluate the Company’s security policy with respect to the processing of Personal Data. The security policy should include the following minimum requirements:
a. Safeguards to protect the Company’s computer network and systems against accidental, unlawful, or unauthorized usage, any interference which will affect data integrity or hinder the functioning or availability of the system, and unauthorized access;
b. The ability to ensure and maintain the confidentiality, integrity, availability, and resilience of the Company’s data processing systems and services;
c. Regular monitoring for security breaches, and installation of a process both for identifying and accessing reasonably foreseeable vulnerabilities in the Company’s computer network and system and for taking preventive, corrective, and mitigating actions against security incidents that can lead to a Personal Data breach;
d. The ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident affecting availability and access;
e. A process for regularly testing, assessing, and evaluating the effectiveness of security measures.
RIGHTS OF THE DATA SUBJECT
As provided under the DPA, Data Subjects have the following rights in connection with the Processing of their Personal Data: a) right to be informed, b) right to object, c) right to access, d) right to rectification, e) right to erasure or blocking, and f) right to damages. Employees and personnel of the Company are required to strictly respect and obey the rights of the Data Subjects. The DPO, with the assistance of HRAS shall be responsible for monitoring such compliance and developing the appropriate disciplinary measures and mechanism.
Right to be Informed
The Data Subject has the right to be informed whether Personal Data pertaining to him or her shall be, are being, or have been processed. The Data Subject shall be notified and furnished with information indicated hereunder before the entry of his or her Personal Data into the records of the Company, or at the next practical opportunity:
a. Description of the Personal Data to be entered into the system;
b. Purposes for which they are being or will be processed, including Processing for direct marketing, profiling or historical, statistical or scientific purpose;
c. Basis of processing, when Processing is not based on the consent of the Data Subject;
d. Scope and method of the Personal Data Processing;
e. The recipients or classes of recipients to whom the Personal Data are or may be disclosed or shared;
f. Methods utilized for automated access, if the same is allowed by the Data Subject, and the extent to which such access is authorized, including meaningful information about the logic involved, as well as the significance and the envisaged consequences of such Processing for the Data Subject;
g. The identity and contact details of the DPO;
h. The period for which the Personal Data will be stored; and
i. The existence of their rights as Data Subjects, including the right to access, correction, and to object to the Processing, as well as the right to lodge a complaint before the National Privacy Commission.
Right to Object
The Data Subject shall have the right to object to the Processing of his or her Personal Data, including Processing for direct marketing, automated Processing or profiling. The Data subject shall also be notified and given an opportunity to withhold consent to the Processing in case of changes or any amendment to the information supplied or declared to the Data Subject in the preceding paragraph. When a Data Subject objects or withholds consent, the Company shall no longer process the Personal Data, unless:
1. The Personal Data is needed pursuant to a subpoena;
2. The Processing is for obvious purposes, including, when it is necessary for the performance of or in relation to a contract or service to which the Data Subject is a party, or when necessary or desirable in the context of an employer-employee relationship between the Company and the Data Subject; or
3. The Personal Data is being collected and processed to comply with a legal obligation.
Right to Access
The Data Subject has the right to reasonable access to, upon demand, the following:
1. Contents of his or her Personal Data that were processed;
2. Sources from which Personal Data were obtained;
3. Names and addresses of recipients of the Personal Data;
4. Manner by which his or her Personal Data were processed;
5. Reasons for the disclosure of the Personal Data to recipients, if any;
6. Information on automated processes where the Personal Data will, or is likely to, be made as the sole basis for any decision that significantly affects or will affect the Data Subject;
7. Date when Personal Data concerning the Data Subject were last accessed and modified; and
8. The designation, name or identity, and address of the DPO.
Right to Rectification
The Data Subject has the right to dispute the inaccuracy or rectify the error in his or her Personal Data, and the Company shall correct it immediately and accordingly, unless the request is vexatious or otherwise unreasonable. If the Personal Data has been corrected, the Company shall ensure the accessibility of both the new and the retracted Personal Data and the simultaneous receipt of the new and the retracted Personal Data by the intended recipients thereof; Provided, that recipients or third parties who have previously received such processed Personal Data shall be informed of its inaccuracy and its rectification, upon reasonable request of the Data Subject.
Right to Erasure or Blocking
The Data Subject shall have the right to suspend, withdraw, or order the blocking, removal, or destruction of his or her Personal Data from the Company’s filing system.
1. This right may be exercised upon discovery and substantial proof of any of the following:
(a) The Personal Data is incomplete, outdated, false, or unlawfully obtained;
(b) The Personal Data is being used for purpose not authorized by the Data Subject;
(c) The Personal Data is no longer necessary for the purposes for which they were collected;
(d) The Data Subject withdraws consent or objects to the Processing, and there is no other legal ground or overriding legitimate interest for the Processing by the Company;
(e) The Personal Data concerns private information that is prejudicial to Data Subject, unless justified by freedom of speech, of expression, or of the press or otherwise authorized;
(f) The Processing is unlawful; or
(g) The Data Subject’s rights have been violated.
2. The DPO may notify third parties who have previously received such processed personal Data that the Data Subject has withdrawn his or her consent to the Processing thereof upon reasonable request by the Data Subject.
Transmissibility of Rights of Data Subjects
The lawful heirs and assigns of the Data Subject may invoke the rights of the Data Subject to which he or she is an heir or an assignee, at any time after the death of the Data Subject, or when the Data Subject is incapacitated or incapable of exercising his/her rights.
Where his or her Personal Data is processed by the Company through electronic means and in a structured and commonly used format, the Data Subject shall have the right to obtain a copy of such data in an electronic or structured format that is commonly used and allows for further use by the Data Subject. The exercise of this right shall primarily take into account the right of Data Subject to have control over his or her Personal Data being processed based on consent or contract, for commercial purposes, or through automated means. The DPO shall regularly monitor and implement the National Privacy Commission’s issuances specifying the electronic format referred to above, as well as the technical standards, modalities, procedures and other rules for their transfer.
The Company recognizes the right of the data subject to complain and be indemnified for any damages sustained due to inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of personal data. Accordingly, all complaints shall be addressed thru the DPO filed in three (3) printed copies or sent to complaints @starcity.com.ph. The DPO shall confirm the receipt of such complaint by affixing his signature on all copies duly dated or in the case of a complaint sent thru the email, shall acknowledge the receipt thereof by replying to the said email. The DPO shall evaluate the veracity and basis of and officially act on all complaints within thirty (30) days from receipt of the complaint form duly accomplished or email message.
SENSITIVE PERSONAL AND PRIVILEGED INFORMATION
The Company shall not process sensitive personal and privileged information except when there is consent given by the data subject or allowed by existing laws and regulations or is necessary to protect the life and health of the data subject or another person, and the data subject is not legally or physically able to express his or her consent prior to the processing.
DATA BREACHES & SECURITY INCIDENTS
Data Breach Notification
All employees and personnel of the Company involved in the Processing of Personal Data are tasked with regularly monitoring for signs of a possible data breach or Security Incident. In the event that such signs are discovered, the employee or agent shall immediately report the facts and circumstances to the DPO within twenty-four (24) hours from his or her discovery for verification as to whether or not a breach requiring notification under the Data Privacy Act has occurred as well as for the determination of the relevant circumstances surrounding the reported breach and/or Security Incident. The DPO shall notify the National Privacy Commission and the affected Data Subjects pursuant to requirements and procedures prescribed by the DPA. The notification to the National Privacy Commission and the affected Data Subjects shall at least describe the nature of the breach, the Personal Data possibly involved, and the measures taken by the Company to address the breach. The notification shall also include measures taken to reduce the harm or negative consequences of the breach and the name and contact details of the DPO. The form and procedure for notification shall conform to the regulations and circulars issued by the National Privacy Commission, as may be updated from time to time.
All Security Incidents and Personal Data breaches shall be documented through written reports by the DPO including those not covered by the notification requirements. In the case of Personal Data breaches, a report shall include the facts surrounding an incident, the effects of such incident, and the remedial actions taken by the Company and submitted to the executive committee. In other security incidents not involving Personal Data, a report containing aggregated data shall constitute sufficient documentation. These reports shall be made available when requested by the National Privacy Commission. A general summary of the reports shall be submitted by the DPO to the National Privacy Commission annually.
This policy shall be effective this ______ day of ___________________ 2018, until revoked or amended by STAR PARKS CORPORATION, through a Board Resolution.
ANNEX A – Job Application Form
ANNEX B1 – Application Form for Lease (of Space at Star City)
ANNEX B2 – Application for Party Package Booking (at Star City)
ANNEX C – E-Ticket with Consent Clause (electronic)
ANNEX D – Data Privacy Request (Inquiry/Complaint) Form
ANNEX E – Consent Clause for Employees (to be filed in the 201 file of each employee)
ANNEX F - Application Form for Tour Agency Accreditation
ANNEX G – Data Privacy Consent - Suppliers/Contractors
ANNEX H – Data Privacy Consent – Security Incident
ANNEX I – Data Privacy Consent – Lost & Found