DEFINITION OF TERMS
- Data Subject – refers to an individual whose personal, sensitive personal or privileged information is processed by the organization.
- Personal Information – refers to any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.
- Sensitive Personal Information – Sensitive personal information refers to personal information:
- About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;
- About an individual’s health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such individual, the disposal of such proceedings, or the sentence of any court in such proceedings;
- Issued by government agencies peculiar to an individual which includes, but is not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns; and
- Processing – refers to any operation or any set of operations performed upon personal information including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data.
- Full name
- Date of Birth
- Present Home address
- Permanent Home address
- Email address
- Employment Information
- Face/photo, fingerprints (can’t sign) or handwriting
- Contact numbers
- Civil Status
- Educational Background
- Social Media Account
- Family Members Information
- Government ID
- Other information necessary to achieve the purposes of the Foundation
SCOPE AND LIMITATIONS
PROCESSING OF PERSONAL DATA
This Foundation collects the basic contact information of data subjects (i.e. Muntinlupa Care Card Applicants/Cardholders, including their full name, address, email address, contact number, together with other information regarding their basic information and social background, such as the following:
Personal data collected shall be used by the Foundation for documentation purposes, to do the following:
- determine the social and economic services that are suitable to the MCC holder.
- determine eligibility for availing of social services, programs and activities rendered by LMF, the City Government of Muntinlupa and other non-profit organizations.
- providing specific, diverse and special intervention for assisting MCC holders in their economic, social, health and educational welfare and development.
- using, collating, researching and studying collective information of data subjects for determination of social concerns or problems arising within the City of Muntinlupa.
- providing other innovative services to MCC holders or other reasonable purposes which are related to the services we provide or improvements or upgrades in our systems and processes, such as, data analytics and automated processing.
C. STORAGE, RETENTION AND DESTRUCTION This Foundation will ensure that personal data under its custody are protected against any accidental or unlawful destruction, alteration and disclosure as well as against any other unlawful processing. The Foundation will implement appropriate security measures in storing collected personal information, depending on the nature of the information. All information gathered shall be retained for data subjects who are cardholders of an MCC. After two (2) years from cessation of membership, all hard and soft copies of personal information shall be archived in a secured storage place, through secured means and accessible only by authorized personnel. The hard and soft copies will be destroyed at the end of ten (10) years.
Due to the sensitive and confidential nature of the personal data under the custody of the Foundation, only the authorized representatives of the Foundation shall be allowed to access such personal data, for any purpose, except for those contrary to law, public policy, public order or morals. Such authorized personnel shall not be allowed to copy the records in any form unless it is necessary for the operations or to bring hard copies out of the office for whatever legitimate reason.
E. DISCLOSURE AND SHARING All employees of the Foundation shall maintain the confidentiality and secrecy of all personal data that come to their knowledge and possession, even after resignation, termination of contract, or other contractual relations. Personal data under the custody of the Foundation shall be disclosed only pursuant to a lawful purpose, and to authorized recipients of such data.
The collected personal information or sensitive personal information is shared to:
- Any member of the LMF, its trustees, officers, employees, duly authorized representatives, related companies, affiliates, and partner entities, persons or non-government organizations providing similar services;
- Third party service providers and vendors including credit card processors, data analytics and customer support providers, and IT service providers who are bound by an obligation of confidentiality. They will have access to your personal data only as necessary to perform their requested function on your behalf, and if they have adequate security and privacy standards acceptable to LMF;
- City Government of Muntinlupa and its departments, offices and related agencies;
- National Government Agencies but only when necessary to achieve a social, educational, health and livelihood purpose for the MCC holders.
- Anyone we consider necessary for purposes of providing you services and other purposes mentioned above.
A. Organization Security Measures:
- Data Protection Officer The designated Data Protection Officer is Ms. Marnelie Ramos, who is concurrently serving as the
- Functions of the DPO The Data Protection Officer shall oversee the compliance of the organization with the DPA, its IRR, and other related policies, including the conduct of a Privacy Impact Assessment, implementation of security measures, security incident and data breach protocol, and the inquiry and complaints procedure.
- The organization shall sponsor a mandatory training on data privacy and security at least once a year. For personnel directly involved in the processing of personal data, management shall ensure their attendance and participation in relevant trainings and orientations, as often as necessary.
- Conduct of Privacy Impact Assessment (PIA) The organization shall conduct a Privacy Impact Assessment (PIA) relative to all activities, projects and systems involving the processing of personal data through the designed Data Protection Officer. If necessary, it may choose to outsource the conduct a PIA to a third party.
- Duty of Confidentiality All employees will be asked to sign a Non-Disclosure Agreement. All employees with access to personal data shall operate and hold personal data under strict confidentiality if the same is not intended for public disclosure.
B. Physical Security Measures:
- Format of Data to be Collected Personal data in the custody of the organization may be in digital/electronic format and paper-based/physical format which shall be kept only by authorized personnel.
- Storage Type and Location All personal data being processed by the organization shall be stored in a data room, where paper-based documents are kept in locked filing cabinets while the digital/electronic files are stored in computers provided and installed by the Foundation.
- Access Procedure of Agency Personnel Only authorized personnel shall be allowed inside the data room. For this purpose, they shall each be given a duplicate of the key to the room. Other personnel may be granted access to the room upon filing of an access request form with the Data Protection Officer and after obtaining the approval from the Board of Trustees.
- Monitoring and Limitation of Access to Room or Facility All personnel authorized to enter and access the data room or facility must fill out and register with the registration form of the organization before access and sign on the logbook placed at the entrance of the room. They shall indicate the date, time, duration and purpose of each access.
- Design of Office Space/Work Station The computers are positioned with considerable spaces between them to maintain privacy and protect the processing of personal data. They shall be equipped with passcodes to prevent access by unauthorized persons. Persons in charge of the computers must change their passcodes every month.
- Persons Involved in Processing, and their Duties and Responsibilities Persons involved in processing shall always maintain confidentiality and integrity of personal data. They are not allowed to bring their own gadgets or storage device of any form when entering the data storage room.
- Modes of Transfer of Personal Data within the Organization, or to Third Parties Transfers of personal data via electronic mail shall use a secure email facility with encryption of the data, including any or all attachments. Facsimile technology shall not be used for transmitting documents containing personal data. Every email account must contain a privacy statement regarding the authorized recipients of the email and advice if ever the email is sent to the wrong address.
- Retention and Disposal Procedure The organization shall retain the personal data of data subjects for two (2) years from the expiration of MCC. Upon expiration of such period, all physical and electronic copies of the personal data shall be archived in a protected data storage room. Destruction of data shall be done after ten (10) years.
C. Technical Security Measures
- Monitoring for Security Breaches The Foundation shall use an intrusion detection system to monitor security breaches and alert the organization of any attempt to interrupt or disturb the system.
- Security Features of the Software/s and Application/s Used The Foundation shall first review and evaluate software applications before the installation thereof in computers and devices of the organization to ensure the compatibility of security features with overall operations.
- Process for Regularly Testing, Assessment and Evaluation of Effectiveness of Security Measures The Foundation shall review security policies, conduct vulnerability assessments and perform penetration testing within the company on regular schedule to be prescribed by the appropriate department or unit.
- Encryption, Authentication Process, and other Technical Security Measures that Control and Limit Access to Personal Data Each personnel with access to personal data shall verify his or her identity using a secure encrypted link and multi-level authentication.
BREACH AND SECURITY INCIDENTS
Every personal information controller or personal information processor shall develop and implement policies and procedures for the management of a personal data breach, including security incidents.
1. Creation of a Data Breach Response Team A Data Breach Response Team comprising of three (3) officers shall be responsible for ensuring immediate action in the event of a security incident or personal data breach. The team shall conduct an initial assessment of the incident or breach in order to ascertain the nature and extent thereof. It shall also execute measures to mitigate the adverse effects of the incident or breach.
2. Measures to Prevent and Minimize Occurrence of Breach and Security Incidents The Foundation shall regularly conduct a Privacy Impact Assessment to identify risks in the processing system and monitor for security breaches and vulnerability scanning of computer networks. Personnel directly involved in the processing of personal data must attend trainings and seminars for capacity building. There must also be a periodic review of policies and procedures being implemented in the organization.
3. Procedure for Recovery and Restoration of Personal Data The Foundation shall always maintain a backup file for all personal data under its custody. In the event of a security incident or data breach, it shall always compare the backup with the affected file to determine the presence of any inconsistencies or alterations resulting from the incident or breach.
4. Notification Protocol The Head of the Data Breach Response Team shall inform the management of the need to notify the NPC and the data subjects affected by the incident or breach within the period prescribed by law. The Foundation may decide to delegate the actual notification to the head of the Data Breach Response Team.
5. Documentation and Reporting Procedure of Security Incidents or a Personal Data Breach The Data Breach Response Team shall prepare a detailed documentation of every incident or breach encountered, as well as an annual report, to be submitted to management and the NPC, within the prescribed period.
RIGHTS OF DATA SUBJECTS
The data subjects can exercise any of the following rights:
1. The right to be notified and informed of the use of the personal data which he has given. The data shall be used for processing and sharing for the main purpose provided under Article IV (B).
2. The right to object. The data subject shall have the right to object to the processing of his or her personal data, including processing for direct marketing, automated processing or profiling. The data subject shall also be notified and given an opportunity to withhold consent to the processing in case of changes or any amendment to the information supplied or declared to the data subject in the preceding paragraph.
3. The right to access. The data subject has the right to reasonable access to, upon demand, the following:
- Contents of his or her personal data that were processed;
- Sources from which personal data were obtained;
- Names and addresses of recipients of the personal data;
- Manner by which such data were processed;
- Reasons for the disclosure of the personal data to recipients, if any;
- Information on automated processes where the data will, or is likely to, be made as the sole basis for any decision that significantly affects or will affect the data subject;
- Date when his or her personal data concerning the data subject were last accessed and modified; and
- The designation, name or identity, and address of the personal information controller.
4. The right to rectification. The data subject has the right to dispute the inaccuracy or error in the personal data and have the personal information controller correct it immediately and accordingly, unless the request is vexatious or otherwise unreasonable.
5. The right to erasure or blocking. The data subject shall have the right to suspend, withdraw or order the blocking, removal or destruction of his or her personal data from the personal information controller’s filing system.
6. The right to data portability. The data subject shall have the right to obtain from the personal information controller a copy of his personal data as processed and structured in its commonly used format.
INQUIRIES AND COMPLAINTS
Data subjects may inquire or request for information regarding any matter relating to the processing of their personal data under the custody of the organization, including the data privacy and security policies implemented to ensure the protection of their personal data. They may write to the organization at firstname.lastname@example.org and briefly discuss the inquiry, together with their contact details for reference. They may also call the Foundation at (02) 555-0479.
Data subjects have the right to ask for a copy of any personal information that the Foundation holds about them. They can also ask for any correction if you think it is wrong.
Complaints shall be filed in three (3) printed copies, or sent to Lingkod Muntinlupa Foundation, 3rd Floor, No. 52, Joval, Bldg. Putatan, Muntinlupa City. The concerned department or unit shall confirm with the complainant its receipt of the complaint.
Management shall assign a team to investigate the complaint and give a recommendation on the proper course of action relevant to the complaint filed.
- Authorization and Consent Form
- Inquiry Summary Form
- Access Request Form
- Privacy Notice
- Request for Correction or Erasure
- Data Sharing Agreement