Security of sensitive personal information in Government

1. Responsibility of Heads of Agencies

All sensitive personal information maintained by the government, its agencies, and instrumentalities shall be secured, as far as practicable, with the use of the most appropriate standard recognized by the information and communications technology industry, subject to these Rules and other issuances of the Commission. The head of each government agency or instrumentality shall be responsible for complying with the security requirements mentioned herein. The Commission shall monitor government agency compliance and may recommend the necessary action in order to satisfy the minimum standards. (Section 30, Rule VII, IRR of the Data Privacy Act)

2. Requirements Relating to Access by Agency Personnel to Sensitive Personal Information.

a. On-site and Online Access

1. No employee of the government shall have access to sensitive personal information on government property or through online facilities unless he or she the employee has received a security clearance from the head of the source agency. The source agency is the government agency who originally collected the personal data.

2. A source agency shall strictly regulate access to sensitive personal information under its custody or control, particularly when it allows online access. An employee of the government shall only be granted a security clearance when the performance of his or her official functions or the provision of a public service directly depends on and cannot otherwise be performed unless access to the personal data is allowed.

3. Where allowed under the next preceding sections, online access to sensitive personal information shall be subject to the following conditions:

(a) An information technology governance framework has been designed and implemented;

(b) Sufficient organizational, physical and technical security measures have been established;

(c) The agency is capable of protecting sensitive personal information in accordance with data privacy practices and standards recognized by the information and communication technology industry;

(d) The employee of the government is only given online access to sensitive personal information necessary for the performance of official functions or the provision of a public service.

b. Off-site access

1. Sensitive personal information maintained by an agency may not be transported or accessed from a location off or outside of government property, whether by its agent or employee, unless the head of agency has ensured the implementation of privacy policies and appropriate security measures. A request for such transportation or access shall be submitted to and approved by the head of agency. The request must include proper accountability mechanisms in the processing of data.

2. The head of agency shall approve requests for off-site access in accordance with the following guidelines:

(a) Deadline for Approval or Disapproval. The head of agency shall approve or disapprove the request within two (2) business days after the date of submission of the request. Where no action is taken by the head of agency, the request is considered disapproved;

(b) Limitation to One thousand (1,000) Records. Where a request is approved, the head of agency shall limit the access to not more than one thousand (1,000) records at a time, subject to the next succeeding paragraph.

(c) Encryption. Any technology used to store, transport or access sensitive personal information for purposes of off-site access approved under this subsection shall be secured by the use of the most secure encryption standard recognized by the Commission. (Section 31, Rule VII, IRR of the Data Privacy Act)

3. Implementation of Security Requirements

Notwithstanding the effective date of these Rules, the requirements in the preceding sections shall be implemented before any off-site or online access request is approved. Any data sharing agreement between a source agency and another government agency shall be subject to review of the Commission on its own initiative or upon complaint of data subject. (Section 32, Rule VII, IRR of the Data Privacy Act)

4. Applicability to Government Contractors

In entering into any contract with a private service provider that may involve accessing or requiring sensitive personal information from one thousand (1,000) or more individuals, a government agency shall require such service provider and its employees to register their personal data processing system with the Commission in accordance with the Act and these Rules. The service provider, as personal information processor, shall comply with the other provisions of the Act and these Rules, particularly the immediately preceding sections, similar to a government agency and its employees. (Section 33, Rule VII, IRR of the Data Privacy Act)


Republic Act No. 10173, Data Privacy Act of 2012

2016 IRR of the Data Privacy Act

Disclaimer: All information is for educational and general information only. These should not be taken as professional legal advice or opinion. Please consult a competent lawyer to address your specific concerns. Any statements or opinions of the author are solely his own and do not reflect that of any organization he may be connected.

Table of Contents

Read more

Law Articles

Sales – Nature and Form

By the contract of sale one of the contracting parties obligates himself to transfer the ownership and to deliver a determinate thing, and the other