Security measures

1. Data Privacy and Security

Personal information controllers and personal information processors shall implement reasonable and appropriate organizational, physical, and technical security measures for the protection of personal data. (Section 25, Rule VI, IRR of the Data Privacy Act)

The personal information controller and personal information processor shall take steps to ensure that any natural person acting under their authority and who has access to personal data, does not process them except upon their instructions, or as required by law. (Paragraph 2, Section 25, Rule VI, Ibid.)

The security measures shall aim to maintain the availability, integrity, and confidentiality of personal data and are intended for the protection of personal data against any accidental or unlawful destruction, alteration, and disclosure, as well as against any other unlawful processing. These measures shall be implemented to protect personal data against natural dangers such as accidental loss or destruction, and human dangers such as unlawful access, fraudulent misuse, unlawful destruction, alteration and contamination. (Paragraph 3, Section 25, Rule VI, Ibid.)

2. Organizational Security Measures

Where appropriate, personal information controllers and personal information processors shall comply with the following guidelines for organizational security:

a. Compliance Officers

Any natural or juridical person or other body involved in the processing of personal data shall...