Data Privacy Laws

How to train employees on Data Protection Act, Philippines?

A cyber-security researcher named Jeremiah Fowlerhis brought it to everyone’s attention. According to him, the breach exposed a database containing over 1.2 million police records and 800 GB of data related to individuals who were either employed in law enforcement or had applied for such positions. Shockingly, this sensitive data was available for public access for at least six weeks!

“That is a serious national security issue.”

The Senate is investigating a data breach, and how much data was leaked remains uncertain.

However, one thing is sure:

The documents were stored in an unsecured and unprotected database, likely the reason for the breach.

The reported data breach highlights the importance of strictly adhering to data laws.

What is the data privacy act enacted by the Senate and House of Representatives of the Philippines? 

Let me get it straight.

The Data Privacy Act of 2012 aims to protect personal data in government and private sector information and communication systems.

The National Privacy Commission is responsible for enforcing the act’s provisions and ensuring that all personal data complies with the country’s international standards. The law applies to business offices and equipment used for processing as long as they are within the country’s jurisdiction.

Even though there are penalties for unauthorised processing, accessing, and improper disposal of data under the law, educating and informing individuals about the significance of data protection and privacy is essential.

Let’s dive right in and closely examine where the law applies.

The Scope of Application 

Personal Scope 

The Act covers processing all kinds of personal information and applies to both individuals and organisations involved in this processing.

Territorial scope 

The Data Privacy Act covers acts or practices, whether done inside or outside of the Philippines, by an entity if:

  • It involves personal information about a Philippine citizen or resident.
  • There is an entity connected to the Philippines that processes personal information in the country, has a branch, office, or subsidiary there, or has a contract or central management and control there.
  • The entity operates in the Philippines, or the personal information was collected or stored by an entity in the Philippines.

Material Scope

The Data Privacy Act applies to processing all types of personal information, except for specific cases. There are certain exceptions to the information that can be processed, such as personal data used for public access, journalistic or artistic purposes, research that benefits the public, the information needed for public authorities’ functions, information required by financial institutions under specific laws, and personal information collected from foreign residents that is processed in the Philippines.

How to design and deliver an effective DPA Philippines awareness program?

1. Conduct privacy awareness assessments 

Assess your employees’ knowledge of data privacy. It will allow us to determine the level of expertise required for the courses. By doing this, the organisation will also be able to identify its current level of risk when protecting its data.

2. Identifying employee roles and responsibilities 

A thorough understanding of employees’ job roles and responsibilities is essential to protecting their data. This will increase their awareness of the data they handle and emphasise its significance.

3. Incorporate engaging visuals and interactive quizzes

Provide real-life examples or demonstrate best practices by creating short videos or animations. Adding visual elements to the training can enhance its engagement and memorable quality. Use multiple-choice, true/false, or fill-in-the-blank questions to reinforce learning and provide immediate feedback.

4. Conduct DPA awareness campaigns

Organise a week-long or month-long campaign and distribute deliverables that explain key concepts.

Deliverables may include:

  • Infographics
  • Short videos
  • Crossword Puzzles
  • Posters
  • Comic Strips

To make the campaign more enticing, consider offering rewards to the top performer.

5. Develop a customised training program 

Adapt content to each department’s needs in an organisation. Provide a comprehensive overview of all topics covered under the DPA Phippines, including consent requirements, principles, data subject rights, security measures, breach management, and penalties for not following the DPA measures.

Not only does the training helps protect the company’s data, but it also gives the employees an awareness of what personal data they are sharing with the public and whether there is a need to consent to share the data.

A sample syllabus for DPA Philippines awareness training is provided below.  

1. Introduction to Data Privacy and Protection

1.1 Defining key terms

  • Data
  • Personal Data
  • Sensitive Data
  • Privacy
  • Data privacy
  • Data protection
  • Differentiate between what is privacy and data protection.
  • Data controller
  • Data processor
  • Global data privacy laws

2. Overview of the Data Privacy Act Philippines

  • Introduction to DPA Act
  • Introduction to DPA Law – Republic Act No – 10173

3. Key Provisions of the Data Privacy Act

  • Explanation of the main provisions and scope of the DPA
  • Understanding the rights and obligations of data subjects, data controllers, and data processors

4. DPA Act principles explained

5. Rights and Responsibilities under the DPA

5.1 Data Subject Rights: An Overview

  • Right to be informed
  • Right to access
  • Right to rectification
  • Right to erasure
  • Right to object/opt-out
  • Right to data portability
  • Right not to be subject to automated decision-making

5.2 Responsibilities of data controllers and Processors in protecting personal information

5.3 Informed Consent and Consent Requirements

6. Understanding Penalties

7. Data Privacy Best Practices

To have an overview of data privacy and protection, check out Why is Data Protection and Privacy Awareness Training Important?

Wrapping Up

In conclusion, organisations dealing with data related to the Philippines must comply with the Data Privacy Act (DPA) of the Philippines. This is crucial for protecting an organisation’s data and reputation. Major incidents like the breach at Cebuana – a Philippine-based Pawnshop (2019), highlight the importance of staying vigilant and ensuring employees are well-informed about data privacy. By adhering to the DPA and implementing robust security measures, organisations can mitigate the risk of breaches and maintain the trust of their stakeholders.

Time constraints make it hard for employees to take hour-long courses. There are also cases where the attention span is low while taking long e-learning courses. So that might be a waste of time.