Technology and Outsourcing 2025

PHILIPPINES Law and Practice Contributed by: Kerwin K. Tan, Veronica S. Balbin and Jose Maria B. Buenagua, Tan Hassani and Counsels

data processed, prevent its use for unauthorised purposes, and comply with the requirements of the DPA, its Implementing Rules and Regulations (IRR), other applicable laws for processing of personal data, and other issuances of the NPC. The IRR of the DPA further provides for certain provisions that must be stipulated in such contract or any legal act entered into by the parties.

On the other hand, if one party is sharing personal information with another party for a completely different purpose, the NPC suggests that a data sharing agreement be entered into by the parties involved. A data sharing agreement is an agreement that sets out the obligations, responsibilities, and liabilities of the personal information controllers involved in the transfer of personal data. While the execution of a data sharing agreement is not mandatory, it is still best practice to execute one when sharing personal data from one personal information controller to another.

The NPC issued a guide for the creation of a data sharing agreement. It details what the NPC expects to find in such agreement. The guide also states that if the disclosure or public access is facilitated by an online platform, the program, middleware, and encryption method that will be used should also be identified.

More recently, the NPC issued a circular clarifying that a data sharing agreement is not a legal requirement for data sharing to be considered lawful. Nevertheless, the NPC continues to recommend the use of such agreements, as they promote accountability and demonstrate stronger compliance with data privacy regulations. In all instances, parties engaged in data sharing must adhere to the fundamental principles of transparency, legitimate purpose, proportionality, and consent.
Both outsourcing and data sharing agreements require that the organisational, physical, and technical security measures to be adopted by the parties for the protection of personal information be included in the outsourcing contract or data sharing agreement. In both instances, the NPC emphasises the exercise of rights by data subjects. Both documents must include provisions informing data subjects how they can exercise their rights, including how the data subjects can communicate with the data protection officer of each contracting party for the exercise of such rights.

In addition to this, it is not unusual for any contracting party to require the other party to sign a non-disclosure agreement or a confidentiality agreement. Agreements like these serve to protect not just the personal information that is being shared by one party with the other, but other confidential business matters, trade secrets, and intellectual properties that are being shared.

As regards business continuity, a circular by the NPC requires a PIC or PIP to prepare a business continuity plan in order to mitigate potential disruptive events. The PIC or the PIP should consider the following:

• personal data back-up restoration, and remedial time;
• periodic review and testing of the business continuity plan, taking into account disaster recovery, privacy, business impact assessment, crisis communications plan, and telecommuting policy, among others; and
• contact information and other business-critical matters – eg, electrical supply, building facilities, information and communications technology (ICT) assets.

With a lot of companies in the Philippines practising a hybrid work set-up, the NPC also provides some security measures that may be taken by PICs or PIPs:

• training on the limitations on use of company-issued computing devices with secure configuration of the PIC’s ICT assets to protect against security risks and cyberthreats such as unauthorised access, malware, data loss, and theft;
• best password management and secured practices in managing online accounts, computers, mobile phones, and network appliances; and
• periodic training on data privacy, cybersecurity, and online productivity, among others.
