
MARITIME INDUSTRY
STEPS TOWARDS APPROPRIATE DATA PROTECTION
THE NATIONAL PRIVACY COMMISSION
Raymund Enriquez Liboro
Privacy Commissioner and Chairman
12 July 2018
What the law is all about
How it will affect you
https://timeline.com/how-the-first-mass-market-camera-led-to-the-right-to-privacy-and-roe-v-wade-4fb4cd87df7a

RIGHT TO PRIVACY
“the right to be let alone - the most comprehensive of rights and the right most valued by civilized men”
[Brandeis J, dissenting in Olmstead v. United States, 277 U.S. 438 (1928)].
1995

Picture from http://www.rappler.com/specials/pope-francis-ph/80492-pope-john-paul-assassination-plot
2015

Picture from http://dzrhnews.com.ph/pope-silent-upon-hearing-stories-yolanda-victims/



https://images.dazeinfo.com/wp-content/uploads/2017/06/worlds-most-valuable-brands-2017-vs-2012-forbes.jpg
Which of the following will you share with a stranger?
• Diary
• Credit Card
• Browsing History
• Billing Statement
• Facebook Password
• Home Address
• Phone Messages
DISRUPTION
the displacement of established technology by being replaced with a new one
https://www.npr.org/2017/09/26/553799200/equifax-ceo-richard-smith-resigns-after-backlash-over-massive-data-breach

https://www.esecurityplanet.com/network-security/avid-life-media-ceo-resigns-following-data-breach.html
DISCRIMINATION
People are discriminated against because of their race, color or ethnic origin
Stigmatization
Identity Theft
Access to personal information such as name, date of birth, address, or email address can result in fraudsters victimizing individuals.
Loss of Reputation
People have experienced stalking or harassment online, trouble with family members, lost a job or educational opportunity because of something posted online, and even as grave as physical danger.
https://www.philstar.com/nation/2008/09/06/398622/canister-scandal-90-day-suspension-2-docs-nurse-ends
Unfair Decision-Making Based on Profiling
Personal information such as marital status, religious or political affiliations affects the decision-making of companies in various cases.
In employment, some experience difficulties in getting hired while others are unfairly dismissed.
Loss of Autonomy

http://news.abs-cbn.com/trending/07/27/16/top-gear-sorry-for-identifying-wrong-suspect-in-road-rage
RESILIENCE AND THE FILIPINO SPIRIT

21st Century Hazards and Risks
Philippine Constitution
Article 3, Bill of Rights

• Section 2. Right to be secure in their persons, houses, papers, and effects against unreasonable searches
• Section 3. Privacy of communication and correspondence
• Section 5. Free exercise and enjoyment of religious profession and worship
• Section 6. Liberty of abode and the right to travel
• Section 8. Right to information, and access to official records
What is private then was what was found within the four corners of your home and within the confidentiality of communication.
• 1992 – RA 7610, Special Protection of Children against Abuse Act
• 1998 – RA 8484, Access Devices Regulation Act
• 2000 – RA 8792, Electronic Commerce Act
• 2003 – RA 9208, Anti-Trafficking Act
• 2004 – RA 9262, Anti-Violence against Women and Children Act
• 2009 – RA 9775, Anti-Child Pornography Act
• 2009 – RA 9995, Anti-Photo and Video Voyeurism
• 2012 – RA 10173, Data Privacy Act
• 2012 – RA 10175, Cybercrime Prevention Act
The Data Privacy Act (“DPA”) of 2012
Data privacy - acknowledging the rights of Data Subjects over their data and enforcing the responsibilities of entities who process them
Transparency, Legitimate Purpose and Proportionality
a. Transparency – The data subject must be aware of the nature, purpose, and extent of the processing of his or her personal data, including the risks and safeguards involved, the identity of personal information controller, his or her rights as data subjects, and how these can be exercised. Any information and communication relating to the processing of personal data should be easy to access and understand, using clear and plain language.

b. Legitimate Purpose – The processing of information shall be compatible with a declared and specific purpose which must not be contrary to law, morals, or public policy.

c. Proportionality – The processing of information shall be adequate, relevant, suitable, necessary, and not excessive in relation to a declared and specified purpose. Personal data shall be processed only if the purpose of the processing could not reasonably be fulfilled by other means.
ROOT CAUSES OF BREACH

[Pie chart: root causes of breach. Labels: Malicious or criminal attack, System Glitch, Human Error. Values: 24%, 47%, 29%.]

Ponemon Institute LLC, 2015 Cost of Data Breach Study: Global Analysis, May 2015, p. 10.
HOW DO PRIVACY BREACHES OCCUR?

• lost or stolen laptops, removable storage devices, or paper records containing personal information
• hard disk drives and other digital storage media (integrated in other devices, for example, multifunction printers, or otherwise) being disposed of or returned to equipment lessors without the contents first being erased
• databases containing personal information being ‘hacked’ into or otherwise illegally accessed by individuals outside of the agency or organization

Office of the Australian Information Commissioner, Data breach notification guide: A guide to handling personal
information security breaches, August 2014, p. 5.
HOW DO PRIVACY BREACHES OCCUR?

• employees accessing or disclosing personal information outside the requirements or authorization of their employment
• paper records stolen from insecure recycling or garbage bins
• an agency or organization mistakenly providing personal information to the wrong person, for example by sending details out to the wrong address, and
• an individual deceiving an agency or organization into improperly releasing the personal information of another person.

Office of the Australian Information Commissioner, Data breach notification guide: A guide to handling personal
information security breaches, August 2014, p. 5.
HOW DO PRIVACY BREACHES OCCUR

Databases containing personal information being ‘hacked’ into or otherwise illegally accessed by individuals outside of the agency or organization

https://www.enterpriseinnovation.net/article/worst-government-data-breaches-2015-2016-1273457573
Data Resilience
Building a Culture of Privacy
1. Privacy management is a top to bottom approach;
2. You should appoint a data protection officer and be sure to listen to them;
3. Conduct a privacy impact assessment on your organization;
4. Develop privacy policies within your organization and construct your privacy management program to guide your organization;
5. Start building a culture of privacy within your organizations by implementing organizational, technical and physical measures to protect personal data;
6. Build capacity among your staff.
7. Be prepared for breach.
Beyond Compliance
Data Protection and Regulation is aiming for a digital world where people flourish with dignity as autonomous individuals

Compliance as part of corporate responsibility and sustainability

Hunton & Williams, “Centre for Information Policy Leadership: Regulating for Results, Strategies and Priorities: Discussion Paper”
2018 Road to Data Privacy Resilience
• DPO Registration: The DPO as NPC’s conduit
• Privacy Management Program: Risk-based Compliance; Privacy Policies; Corporate code of Conduct
• Certification And Seals: 5 Star ★★★★★ Privacy
• Global Certification: CBPR; GDPR adequacy; Binding Corporate Rules
• Sectoral Code of Conduct: BPO code of conduct
Thank you for listening!
facebook.com/privacy.gov.ph
twitter.com/privacyPH
info@privacy.gov.ph
Raymund Enriquez Liboro
Privacy Commissioner and Chairman
Photo from http://makambaonline.com/index.php/2017/09/20/bring-african-countries-digital-economy/
12 July 2018
