CPP-Infinit-O_IO Privacy Manual

Privacy Manual
BACKGROUND

The surge in technological advancement and the growing concerns about individual privacy in the online world of computer networks, including the internet, paved the way for Republic Act No. 10173, otherwise known as the Data Privacy Act of 2012.

The law seeks to prevent the malicious use, collection, retention, destruction and disclosure of personal data shared between and among individuals and in cyberspace. It addresses the legal concerns surrounding the privacy of a person.

The Data Privacy Act of 2012 ensures that the personal information of individuals, whether in the government or private sector, is secured and protected. It provides that no access to any personal information shall be granted unless permitted by the individual or person who owns such information.

Any entity involved in processing an individual’s personal information or personal data shall create and implement privacy policies that are in line with the National Privacy Commission’s mandate of securing personal information and sensitive personal information under the principles of transparency, legitimate purpose and proportionality.

This Privacy Manual serves as a guideline for all employees and officers of Infinit-O Manila in compliance with the Data Privacy Act of 2012.

INTRODUCTION

Compliance with the Data Privacy Act of 2012 is essential for every company or organization, so that its employees and clients are aware of how the information they provide is being used and protected. This document is the Privacy Manual that serves as the guide for Infinit-O Manila in dealing with the data it gathers.

Infinit-O Manila ensures that it complies with the Data Privacy Act of 2012, protects the rights of its employees, customers and partners, and protects the company itself from the risks of a data breach.

This Privacy Manual explains how Infinit-O Manila collects, uses, stores, destroys, and discloses information on the website, www.Infinit-o.com and its subdomains, “Outsourcing Insider” (www.blog.Infinit-o.com) and “Outsourcing Information” (www.outsourcing-information.com), collectively “the Site”, and information from its clients, applicants, and vendors. It likewise collects, uses, stores, destroys, and discloses information collected from applicants, employees, and vendors and stored on the company’s server and in hard copies retained in its various departments.

DEFINITION OF TERMS

The definitions of the terms used herein are based on the Implementing Rules and Regulations of Republic Act No. 10173, also known as the Data Privacy Act of 2012.

Ø  Commission – shall refer to the National Privacy Commission.

Ø  Consent of the data subject – refers to any freely given, specific, informed indication of will, whereby the data subject agrees to the collection and processing of his or her personal, sensitive personal, or privileged information. Consent shall be evidenced by written, electronic or recorded means. It may also be given on behalf of a data subject by a lawful representative or an agent specifically authorized by the data subject to do so.

Ø  Data subject – refers to an individual whose personal, sensitive personal, or privileged information is processed.

Ø  Filing system – refers to any set of information relating to natural or juridical persons to the extent that, although the information is not processed by equipment operating automatically in response to instructions given for that purpose, the set is structured, either by reference to individuals or by reference to criteria relating to individuals, in such a way that specific information relating to a particular person is readily accessible.

Ø  Information and Communications System – refers to a system for generating, sending, receiving, storing or otherwise processing electronic data messages or electronic documents, and includes the computer system or other similar device by which data is recorded, transmitted or stored, and any procedure related to the recording, transmission, or storage of electronic data, electronic message, or electronic document.

Ø  Personal information – refers to any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or which, when put together with other information, would directly and certainly identify an individual.

Ø  Personal information controller – refers to a natural or juridical person, or any other body, who controls the processing of personal data, or instructs another to process personal data on its behalf. The term excludes:

1.       A natural or juridical person, or any other body, who performs such functions as instructed by another person or organization; or

2.       A natural person who processes personal data in connection with his or her personal, family or household affairs.

There is control if the natural or juridical person or any other body decides on what information is collected, or the purpose or extent of its processing.

Ø  Personal information processor – refers to any natural or juridical person or any other body to whom a personal information controller may outsource or instruct the processing of personal data pertaining to a data subject.

Ø  Processing – refers to any operation or any set of operations performed upon personal data including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data. Processing may be performed through automated means, or manual processing, if the personal data are contained or are intended to be contained in a filing system.

Ø  Privileged information – refers to any and all forms of data which, under the Rules of Court and other pertinent laws, constitute privileged communication.

Ø  Sensitive personal information – refers to personal information:

1.       About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;

2.       About an individual’s health, education, genetic or sexual life, or about any proceeding for any offense committed or alleged to have been committed by such individual, the disposal of such proceedings, or the sentence of any court in such proceedings;

3.       Issued by government agencies and peculiar to an individual, which includes, but is not limited to, social security numbers, previous or current health records, licenses or their denial, suspension or revocation, and tax returns; and

4.       Specifically established by an executive order or an act of Congress to be kept classified.

SCOPE AND LIMITATIONS

This Privacy Manual shall apply to all employees, clients, third party providers, vendors, applicants and other business associates of Infinit-O Manila. It gives paramount importance to keeping all personal information in confidence and to ensuring that each person authorized to access the information complies with the provisions stated and required in the Data Privacy Act of 2012.

PROCESSING OF PERSONAL DATA

Processing of personal data shall comply with Sections 12 and 13 of the Data Privacy Act of 2012:

SEC. 12. Criteria for Lawful Processing of Personal Information. – The processing of personal information shall be permitted only if not otherwise prohibited by law, and when at least one of the following conditions exists:

(a)    The data subject has given his or her consent;

(b)    The processing of personal information is necessary and is related to the fulfillment of a contract with the data subject or in order to take steps at the request of the data subject prior to entering into a contract;

(c)     The processing is necessary for compliance with a legal obligation to which the personal information controller is subject;

(d)    The processing is necessary to protect vitally important interests of the data subject, including life and health;

(e)    The processing is necessary in order to respond to national emergency, to comply with the requirements of public order and safety, or to fulfill functions of public authority which necessarily includes the processing of personal data for the fulfillment of its mandate; or

(f)      The processing is necessary for the purposes of the legitimate interests pursued by the personal information controller or by a third party or parties to whom the data is disclosed, except where such interests are overridden by fundamental rights and freedoms of the data subject which require protection under the Philippine Constitution.

SEC. 13. Sensitive Personal Information and Privileged Information. – The processing of sensitive personal information and privileged information shall be prohibited, except in the following cases:

(a)    The data subject has given his or her consent, specific to the purpose prior to the processing, or in the case of privileged information, all parties to the exchange have given their consent prior to processing;

(b)    The processing of the same is provided for by existing laws and regulations: Provided, That such regulatory enactments guarantee the protection of the sensitive personal information and the privileged information: Provided, further, That the consent of the data subjects are not required by law or regulation permitting the processing of the sensitive personal information or the privileged information;

(c)     The processing is necessary to protect the life and health of the data subject or another person, and the data subject is not legally or physically able to express his or her consent prior to the processing;

(d)    The processing is necessary to achieve the lawful and noncommercial objectives of public organizations and their associations: Provided, That such processing is only confined and related to the bona fide members of these organizations or their associations: Provided, further, That the sensitive personal information are not transferred to third parties: Provided, finally, That consent of the data subject was obtained prior to processing;

(e)    The processing is necessary for purposes of medical treatment, is carried out by a medical practitioner or a medical treatment institution, and an adequate level of protection of personal information is ensured; or

(f)      The processing concerns such personal information as is necessary for the protection of lawful rights and interests of natural or legal persons in court proceedings, or the establishment, exercise or defense of legal claims, or when provided to government or public authority.

A.      Collection (e.g. type of data collected, mode of collection, person collecting information, etc.)

In gathering personal information from the employees, clients, third party providers, vendors, applicants and other business associates of Infinit-O Manila, the company predominantly makes use of the MyHR tool handled by the Human Resources Department. For other departments, e-mail and telephone are the primary tools.

Prior to the collection of data containing personal information, employees, clients, third party providers, vendors, applicants and other business associates of Infinit-O Manila are required to give consent to such data processing. All persons accessing information online are made to give consent by agreeing to the use of cookies before proceeding to access the web page; the contents of the notice are as follows:

Privacy Statement – Cookies

We use cookies to ensure you get the best experience on www.outsourcing-information.com.

By continuing to browse on our site, you are agreeing to our use of cookies.

Find out more here: Privacy Statement.

We use cookies to ensure you get the best experience on www.Infinit-o.com.

By continuing to browse on our site, you are agreeing to our use of cookies.

Find out more here: Privacy Statement.

Privacy Statement - Policy

Your privacy is important to us.

We are committed to protecting your personal information. This Privacy Statement explains how Infinit-O Global Limited and its affiliates (“Infinit-O”) collect and use information on the website, www.infinit-o.com and its subdomain, “Resource Center” (https://resourcecenter.infinit-o.com), collectively “infinit-o.com” or “the Site”, and some of the ways it uses that information.

Infinit-O Manila, Inc. is an ISO 27001:2013 certified organization. Our compliance with the said standard demonstrates that we actively manage our data in line with international best practice.

What does Infinit-O’s Privacy Statement cover?

This privacy policy covers all information you provide when visiting our site. We will let you know about the ways we collect and use your information so you can make an informed choice about making your information available to us.

What types of information does Infinit-O collect?

When providing your information on our site, as applicable, you may be asked to enter your name, contact number, email address, or other details to help you with your inquiry or application.

The following terms shall have the respective meanings based on the Implementing Rules and Regulations of R.A. 10173, the Data Privacy Act of 2012:

“Personal Information” refers to any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or which, when put together with other information, would directly and certainly identify an individual;

“Sensitive Personal Information” refers to information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context.

Does Infinit-O collect information from children below 13?

The Site is not intended for use by children. Infinit-O encourages parents and guardians to be familiar with the web sites that their children visit. We do not knowingly collect personal information from anyone under the age of 13. If we learn we have collected personal information from a child under the age of 13 without verification of parental consent, we will delete that information as soon as practicable. We recommend that children ages 13 to 18 seek parental permission before disclosing any personal information via the internet.

Does Infinit-O disclose personally identifiable information?

Infinit-O does not sell, trade or disclose any personally identifiable information obtained from our users to any other outside third party for unknown or unrelated purposes.

What is the purpose of the collection? How does Infinit-O Manila use the information collected?

We collect your personal information and use it for the purpose for which it was provided to us.

·         Job Hunt or Application - Your information allows us to facilitate the recruitment process, because we aim to match your details against job vacancies that may be suitable in order to assess your fit for that role.

·         Marketing Communication - To answer enquiries and/or questions from clients and to notify all those who registered on our site of relevant events and other or further services of interest through Infinit-O.

·         Disclosing upon lawful requests to lawful authorities in compliance with applicable laws;

·         Sharing with third party providers for any employment checks deemed necessary by the company; or

·         Other - For any other reason that you engaged with us.

Does the company share aggregate information?

Infinit-O may provide aggregate information regarding members of the Site to third parties for various purposes; provided, however, that such information will not include personally identifiable information or your Personal Profile.

(Aggregate means presenting information in segments or categories.)

How long does Infinit-O keep your personal information?

Infinit-O will retain your personal information for the period necessary to fulfill the purposes determined by the company, unless a longer retention period is required or permitted by law.

How does Infinit-O Manila protect and secure information collected?

Infinit-O has the necessary safeguards in place to protect the information you share on the Site. In order to prevent unauthorized access or disclosure, your registration data collected online is placed on a secured server.

All involved systems and information are assets of Infinit-O and have adequate protection in place against misuse, unauthorized manipulation, disclosure and destruction.

Are the links to other web sites found on the Site still within the scope of Infinit-O’s Privacy Statement?

The Site may contain links to other web sites. Each of these linked web sites maintains its own independent data privacy practices, which differ from those of Infinit-O.

It is your responsibility to familiarize yourself with these privacy policies, as we accept no responsibility for and have no control over them or any information or data collected by or for them.

Can Infinit-O modify its Privacy Statement without prior notice?

Infinit-O reserves the right to change the content of the Privacy Statement as deemed necessary without notice. Users are encouraged to review the Privacy Statement whenever they access the Site.

How to contact us

Should you need more information on privacy, wish to file a complaint, or have any question about this policy, you may contact us using the details below.

Email: dpo@infinit-o.com

Infinit-O Manila, Inc. (INFINIT-O)

9/F SCMC Mall of Asia Arena Annex (MAAX) Building,

Pasay City 1300 Philippines

For us to properly and efficiently respond, you will need to provide us with sufficient details regarding your questions and/or complaint as well as supporting evidence and/or information.

I declare that I have read the Privacy Statement and have fully understood its contents. I further declare that I voluntarily and willingly agree to the Terms and Conditions provided in this policy. By agreeing to this Privacy Statement, I hereby waive any liability against Infinit-O and its Management from any prosecution or suit of any kind. I hereby waive any claim of penalties, charges or fees, or damages of any kind.

For processing of information outside of the website or offline, all persons accessing are made to give consent by agreeing to the collection of personal data through the Consent Form embedded in all documents of the company and/or by agreeing to Infinit-O’s Privacy Notice upon entering.

Consent Form

I hereby agree to the use, collection, destruction, retention and disclosure of the data that I will provide to Infinit-O Manila in the course of my application and/or employment.

This also gives Infinit-O Manila permission for the use, collection, destruction, retention and disclosure of the personal data provided, according to its Policy. I understand and agree that Infinit-O Manila will use, collect, destroy, retain and disclose the personal data provided according to its Policy.

Privacy Notice

Thank you for visiting Infinit-O Manila and complying with our policy to register in our Visitor’s Log and to provide personal data prior to entering our premises and/or availing of our services.

Infinit-O Manila is committed to protecting your personal information in accordance with the provisions of the Data Privacy Act of 2012 and its Implementing Rules and Regulations. All personal data collected is processed in accordance with the privacy principles of transparency, legitimate purpose and proportionality. For more details on our Privacy Statement, visit our website, www.Infinit-o.com and its subdomains, “Outsourcing Insider” (www.blog.infinit-o.com) and “Outsourcing Information” (www.outsourcing-information.com), collectively “Infinit-o.com” or “the Site”.

Infinit-O Manila, Inc. is an ISO 27001:2013 certified organization. Our compliance with the said standard demonstrates that we actively manage our data in line with international best practice.

By signing our visitor’s log and entering our premises, you agree to Infinit-O Manila’s Privacy Statement and give your consent to collect, use, store, destroy, and disclose information. Only information necessary for the purpose intended is disclosed and collected.

Should you need more information on privacy or have any question about this policy, you may contact us using the details below.

Email: dpo@infinit-o.com

Infinit-O Manila, Inc. (INFINIT-O)

9/F SCMC Mall of Asia Arena Annex (MAAX) Building,

Pasay City 1300 Philippines

Infinit-O reserves the right to change the content of the Privacy Statement as deemed necessary without notice. Users are encouraged to review the Privacy Statement whenever they access the Site.

For processing of information via telephone call, all persons accessing are made to give consent to the collection of personal data by the PIP (personal information processor) reciting the contents of the Consent Form to the Data Subject and requesting his/her consent prior to continuing the telephone conversation.

A.1         HUMAN RESOURCES DEPARTMENT

Ø  New Applicants, Employees

Upon registration on the company website, an applicant provides the information needed to process the application; this may include the data subject’s biographical information, contact numbers, government identification number, and all other personal information. The same information is kept in confidence when the applicant becomes an employee.

All provided personal information is given with the consent of the data subject when he agrees to the Privacy Manual of the company before registration.

A.2         FINANCE and ACCOUNTING DEPARTMENT

Ø  Vendors, Suppliers

Information from vendors and suppliers is gathered directly by the departments concerned, which may be the Support Service & Procurement, Learning & Development, Marketing, or Finance department. This can be done through e-mail, walk-in or phone call. The data given by vendors and suppliers varies with the type of their request or inquiry. They are also asked for basic information needed for the transaction that may contain personal information: the company’s name, address, contact number, and e-mail. As previously stated, prior to data collection, all data subjects are required to agree and consent to Infinit-O’s Privacy Statement.

All provided information is given with the consent of the data subjects when they agree to the Data Sharing Agreement of Infinit-O Manila before the transaction or request is processed.

Data Sharing Agreement Template:

Data Sharing Agreement

This Data Sharing Agreement is made on [AGREEMENT DATE] (the “Effective Date”) between Infinit-O Manila, a Philippine corporation with its principal place of business at 9/F SCMC Mall of Asia Arena Annex (MAAX) Building, Pasay City 1300 Philippines (“IOM”) and [PARTY B NAME], [whose principal place of residence is at / a [CORPORATE JURISDICTION] corporation with its principal place of business at] [PARTY B ADDRESS] (“[PARTY B ABBREVIATION]”).

The parties agree as follows:

Purpose of Data Sharing. The parties are entering into this agreement, and IOM is granting [PARTY B] access to the data provided by the former, for the purpose of [INSERT SHORT DESCRIPTION OF PURPOSE OF THE DATA USE].

[PARTY B]’s Use of Data

Purpose. [PARTY B] shall use or disclose the data provided by IOM only in furtherance of the project or as required by the purpose.

Safeguards Around Data. [PARTY B] shall use appropriate safeguards to protect the data provided by IOM from misuse and unauthorized access or disclosure, including maintaining adequate physical controls and password protection for any server or system on which the data provided is stored.

[PARTY B] shall take any other measures reasonably necessary to prevent any use or disclosure of the data provided by IOM other than as allowed under this agreement.

[PARTY B] will not, without IOM’s prior consent, publish or present any data provided by IOM to [PARTY B] in connection with the project.

[PARTY B] shall exercise the same degree of care in handling the data provided by IOM as it uses with its own confidential information, and in no case less than reasonable care, to protect the data provided by IOM from misuse and unauthorized access or disclosure.

Personal Information. [PARTY B] will not attempt to identify any person whose information is contained in any data provided by IOM or attempt to contact those persons outside the scope of the purpose contained in this agreement.

Permitted Disclosure. [PARTY B] may disclose the data provided by IOM only to the extent necessary and to its employees, consultants and representatives on a need-to-know basis.

Required Disclosure. If [PARTY B] is compelled by law to disclose any data provided by IOM, [PARTY B] shall notify IOM within a reasonable time and await IOM’s approval before disclosing the compelled data.

Confidentiality Obligation. The parties shall continue to be bound by the terms of the non-disclosure agreement during the term provided, unless earlier terminated for just cause by either party.

Term. This agreement will commence on the [Effective Date] and continue as long as [PARTY B] retains the data provided by IOM, unless terminated earlier by either party.

Termination Notice. Either party may terminate this data sharing agreement for any violation or material breach of the data sharing agreement with 30 days’ written notice to the other party.

Indemnification. [PARTY B], as the indemnifying party, shall indemnify IOM, as the indemnified party, against all fines, fees, losses, expenses and damages arising out of any proceeding either brought by a third party against IOM or brought by IOM itself, and arising out of [PARTY B]’s breach of its obligations under this data sharing agreement.

A.3         SSP

Ø  Clients

All departments of Infinit-O Manila that deal with clients gather data from their respective clients through various processes. Nonetheless, every client has to provide basic information such as biographical and personal information, contact details, government identification number, and all other related matters.

All provided information is given with the consent of the data subject when he enters into an agreement with Infinit-O Manila and upon review and acceptance of Infinit-O Manila’s Privacy Statement.

A.3         MANAGEMENT

A.4         INFORMATION TECHNOLOGY

Ø  New and Existing Employees

Personal information is obtained by IT via a request from the Team Leaders and/or Managers using the New Hire Checklist. Data collected shall be retained for future reference.

All provided information is given with the consent of the data subject through the Team Leaders and/or Managers upon request of IT services.

B.      Use

The Human Resources, Finance, and Information Technology departments collect the abovementioned information in order to process applications and to document the personal records of employees through different tools such as the Infinit-O website, MyHR and MyPayroll.

Learning & Development, Marketing, and Support Service & Procurement either collect or receive information from third party providers, suppliers and vendors in order to process and store requests, inquiries, invitations, and promotions.

B.1          HUMAN RESOURCE DEPARTMENT

Ø  The information collected by the HR Department from its unselected candidates and employees shall be stored in MyHR and shall only be used for the specific purpose for which it is intended. MyHR shall be handled pursuant to Company Policy & Procedure Manual HR - Access Control List (Ref. No.: CPP-HR_0405), which provides for the user access profiles, the management of access rights to any electronic systems and other electronic accounts, and the corresponding roles and responsibilities.

B.2          FINANCE and ACCOUNTING

Ø  Information collected by the Finance and Accounting Department is stored and used only for the specific purpose for which it is intended. The following Company Policy & Procedure Manuals cover its use and storage:

Ø  The Company Policy & Procedure Manual F&A Access Control List (Ref. No. : CPP-FA-0001) establishes the user access control profiles, management of access rights, and the roles and responsibilities on the usage of Quickbooks Financial Software (QBFS) On Line, the E-Payroll System and other systems/items managed by the Finance & Accounting Team.

Ø  The Company Policy & Procedure Manual Docusign System and Procedure (Ref. No. : CPP-FA-0002) establishes the procedures for handling documents for signature through DocuSign.

Ø  The Company Policy & Procedure Manual Payroll Systems & Procedure (Ref. No. : CPP-FA-0001) establishes the regular payroll process procedure.

B.3          IT

Ø  New Employees

Personal information is required by the IT Department for the purposes of setting up user access, registration in client systems, deployment of applicable assets and equipment, and biometrics enrollment. The Team Leader and/or Manager is responsible for gathering the data to be forwarded to IT. (Refer to the End User Access Setup Procedure Manual for details.)

Ø  Existing Employees

Information is retained by IT for the purposes of access control, network security, asset management and data management. Personal data is needed to control access through revocation, to ensure network security through the monitoring (?) of internet usage, teleworking and mobile devices, and for system preventive maintenance and change implementation. In addition, the said information is needed to manage assets during deployment, disposal, and equipment security, as well as to manage data through encryption and the performance of back-up procedures. (Refer to the Procedure Manuals for details.)

All provided personal information is given with the consent of the data subject when he agrees to the Privacy Manual of the company before registration.

B.4          LEARNING & DEVELOPMENT

B.5          MARKETING

B.6          SSP

C.      Storage, Retention and Destruction (e.g. means of storage, security measures, form of information stored, retention period, disposal procedure, etc.)

 

C.1          HUMAN RESOURCE DEPARTMENT

 

Ø  New Applicants, Employees

 

Data gathered is stored either on paper or electronically. If stored on paper, it will be kept in secured filing cabinets, where in only Human Resource authorized personnel have the direct access and responsibility of assuring that the same will not be accessed by any unauthorized person. The Human Resource Area is also secured with proximity access sensor to prevent access of unauthorized person. On the other hand, we take high level of care to ensure that electronically-stored data is protected from unauthorized access, accidental deletion and malicious hacking attempt. Individual access in MyHR and MyPayroll, which contain personal information provided by the applicants and employees, is protected with a strong password which is changed regularly should never be shared to anyone as a rule of thumb.

 

Ø  Infinit-O mandates the practice of the Company Policy & Procedure Manual Clear Desk Policy (Ref. No.: CPP-HR_0405) and the Company Policy & Procedure Manual Clear Screen Policy (Ref. No.: CPP-HR_0407) to protect the confidentiality and integrity of all data in any information processing facility of the organization.

 

                C.2          IT

 

All servers and computers containing data are protected by approved security software and a firewall. Data is backed up frequently and the backups are tested regularly, in line with the company's standard backup frequency. Saving data to laptops or other mobile devices such as tablets or smartphones is prohibited.

 

Data are retained for the period stated in the Master List of Records. Obsolete paper records are shredded and disposed of securely, while those in digital storage are deleted and anonymized.

After an employee has resigned, all of his electronically stored data is transferred to the Google Drive of his supervisor or manager for storage and maintenance.

 

                C.3          FINANCE and ACCOUNTING

 

Ø  Vendors, Suppliers

 

All confidential data from vendors or suppliers, such as calling cards, brochures, catalogs, quotations and supplier or vendor profiles, are handled and kept by the company's Marketing and Support Service & Procurement Departments. As stated in item B.2 on Use of Data, all information collected is likewise stored in accordance with the indicated Company Policy & Procedure Manual.

 

When vendors or suppliers are no longer connected with the company, their data will still be protected. Data stored electronically will be deleted and anonymized.


                C.4          MANAGEMENT

 

Ø  Clients

 

Infinit-O Manila's policy strictly prohibits gadgets (such as laptops, tablets, smartphones, smart watches and flash drives) inside the production area.

 

Sending or receiving personal e-mail through work e-mail is monitored and prohibited. All data is stored on the client's server, and transferring any data is prohibited. All data stored by the employer is automatically known to and monitored by the clients.

 

Non-work calls using company telephones inside the production area are also prohibited.

 

The employee, through Infinit-O Manila, shall return all client data and hardware so that it can be destroyed.

D.      Access (e.g. personnel authorized to access personal data, purpose of access, mode of access, request for amendment of personal data, etc.)

 

D.1                 HUMAN RESOURCES DEPARTMENT

 

Ø  EMPLOYEES

 

An employee is entitled to access his personal information in the MyHR tool. If an amendment is to be requested, he may submit the request through the Online Ticket Request System (OTRS) available in MyHR. The Human Resource Department and the Information Technology Department are also authorized to access and maintain the tool.

 

Ø  NON-EMPLOYEES

 

A non-employee who would like to gain access to the personal information we hold about them may submit a written request addressed to our designated DPO, using the contact information provided below, together with proof of identity. If we refuse to provide the personal information requested, written notification of the reasons for refusal will be sent out. Non-employees may also exercise the right to have any mistakes corrected or to have their personal information deleted, and the right to ask us to stop sending them any of Infinit-O's communications.

Ø  The Company Policy & Procedure Manual HR - Access Control List (Ref. No.: CPP-HR_0405) provides for user access profiles, the management of access rights to electronic systems and other electronic accounts, and the definition of the corresponding roles and responsibilities.

      D.2                   FINANCE and ACCOUNTING DEPARTMENT

 

Ø  As stated in item B.2 on Use of Data, all information collected and stored is likewise accessed and used in accordance with the specific purpose indicated in the cited Company Policy & Procedure Manual.

      D.3                   SSP

 

      D.4                   IT

Ø  The Information Technology Department is authorized by Management to acquire and retain personal information in order to perform tasks and activities such as, but not limited to, control of access, provision of network security, and management of data and assets, all in accordance with the pertinent Company Policy & Procedure Manual – Access Control List.

 

      D.5                   MANAGEMENT

E.       Disclosure and Sharing (e.g. individuals to whom personal data is shared, disclosure of policy and processes, outsourcing and subcontracting, etc.)

 

Any request, inquiry or e-mail requiring a response from any multimedia agency shall be forwarded to the Data Breach Response Team. The team is responsible for assessing the content of the e-mail and the legitimacy of the request.

 

Any inquiry or request received from the national government or courts of law shall be forwarded to the Legal and Compliance Team. The team is responsible for assessing the legitimacy of the request.

 

Any inquiry received from the local government, departments, bureaus, agencies, and instrumentalities shall be sent to the Legal and Compliance Team. The team is responsible for assessing the legitimacy of the request.

 

Infinit-O is permitted to use your personally identifiable information, including your personal profile, for the following limited circumstances:

 

1.       Sending notifications regarding the use of the Site;

2.       Disclosing upon lawful requests to lawful authorities in compliance with applicable laws;

3.       Sharing with third party providers for any employment checks deemed necessary by the company; or

4.       All other tasks analogous to the above.

 

The Data Protection Officer will ensure that the request is legitimate; when necessary, the Data Protection Officer will also seek assistance from the board and from the company's legal advisers.

 

SECURITY MEASURES

 

Everyone who works with Infinit-O Manila shares the responsibility for ensuring that the data collected is stored and handled appropriately.

 

Each team that handles personal data must ensure that it is handled and processed in line with this policy.

 

In addition, the following persons have key areas of responsibility:

 

·         Board of Directors (BOD) – ultimately responsible for ensuring that Infinit-O Manila meets its legal obligations.

 

·         Data Protection Officer / PIC / PIP – ensuring compliance with applicable laws and regulations relating to data protection and privacy.

-          Arranging data protection training and advice for the people covered by this policy.

-          Handling data protection questions from staff and anyone else covered by this policy.

-          Checking and approving any contracts or agreements with third parties that may handle the company's sensitive data.

 

·         Information Technology Director – ensuring that all systems, services and equipment used for storing data meet the acceptable security standards.

-          Performing regular scans to ensure security hardware and software are functioning properly.

-          Evaluating any third-party services the company considers using to store or process data.

 

·         Marketing Manager – approving any data protection statements attached to communications such as e-mails and letters.

-          Addressing any data protection queries from media outlets.

-          Where necessary, working with other staff to ensure marketing initiatives abide by data protection principles.

A.      Organization Security Measures

 

1.       Data Protection Officer (DPO), or Compliance Officer for Privacy (COP)

 

Infinit-O Manila assigned Ms. Mary Grace Malonzo to be the company’s Data Protection Officer.

 

2.       Functions of the Data Protection Officer, Compliance Officer for Privacy and/or any other responsible personnel with similar functions

 

The Data Protection Officer has the main responsibility of ensuring that Infinit-O Manila consistently complies with the applicable domestic laws and regulations in relation to this Privacy Manual. The DPO is also in charge of approving any contract or agreement with third parties that may handle the sensitive data of the company, arranging data protection training, and ensuring that personal information is handled with maximum security. The DPO, together with the Executive Committee, is responsible for ensuring that Infinit-O Manila meets its legal obligations.

 

The IT Director is assigned to ensure that all systems, services and equipment used for storing data meet the acceptable security standards. He is in charge of performing regular scans to ensure that security hardware and software are functioning properly, and of evaluating any third-party services the company considers using to store or process data.

 

The Data Breach Response Team shall be assigned to assess the legitimacy of any request, inquiry, or e-mail from any multimedia agency and reply to the same if found to be legitimate.

 

The Marketing Manager is assigned to administer the marketing initiatives of Infinit-O Manila and to ensure that they abide by this Privacy Manual and the Data Privacy Act of 2012.

 

3.       Conduct of trainings or seminars to keep personnel, especially the Data Protection Officer updated vis-à-vis developments in data privacy and security

 

The Data Protection Officer shall attend all trainings and seminars needed to keep abreast of the domestic laws and regulations closely related to compliance with the Data Privacy Act of 2012.

 

Onboarding employees of Infinit-O Manila will be informed of the company's compliance with the Data Privacy Act of 2012 during their New Hire Orientation. The Data Breach Response Team will conduct trainings for internal employees at least once a year. The trainings will include:

 

Ø  Data Protection and Destruction;

Ø  Mobile Device Security;

Ø  E-mail Security; and

Ø  Social Engineering.

 

At the end of every module, there will be an assessment. A grade of 80% is needed to pass the module.

 

Breach drills will be conducted every June. Employees will have 30 days to complete the annual trainings provided in the Infinit-O Learning Management System.

 

4.       Conduct of Privacy Impact Assessment (PIA)

 

The Privacy Impact Assessment is an evaluation that determines the level of potential risk of each activity. Infinit-O Manila conducts it annually and aligns all activities related to the company's compliance with this Privacy Manual accordingly.

 

As a matter of policy, the results of the latest Privacy Impact Assessment shall be the basis for the amendment or revision of this Privacy Manual, which is identified as Infinit-O Manila's Privacy Management Program in compliance with the Data Privacy Act of 2012 and its IRR.

 

5.       Recording and documentation of activities carried out by the DPO, or the organization itself, to ensure compliance with the DPA, its IRR and other relevant policies.

 

The DPO will archive all records and documents related to this Privacy Manual. They will be placed in secured storage to which only the DPO and other authorized personnel have access.

 

In case of a suspected breach or security incident, one may report it to the Data Breach Response Team through e-mail. The Data Breach Response Team will immediately look into it and take the further actions necessary.

 

The Data Breach Response Team will assign one of its members to keep all related documents in order to keep track of incidents and to take due action immediately should an incident recur.

 

After the report has been filed with the Data Breach Response Team, the team will produce and submit a root cause analysis to the Data Protection / Compliance Officer. The Data Protection / Compliance Officer will then present it to the Executive Committee of Infinit-O Manila for a more detailed discussion of the subject matter.

 

6.       Duty of Confidentiality

 

Infinit-O Manila shall not disclose any personal information of the employees, clients, third party providers, vendors, applicants and other business associates of Infinit-O Manila to any unauthorized third parties, including any multimedia agency, national government, courts of law, local government, departments, bureaus, agencies, and instrumentalities, unless the data subject has given consent for the disclosure of the same.

 

7.       Review of Privacy Manual

 

To ensure that Infinit-O Manila remains in compliance with the Data Privacy Act of 2012, the Data Breach Response Team shall review and update the Privacy Manual on an annual basis. This Privacy Manual is produced to safeguard against unauthorized access to, or destruction of, any personal information and to ensure its security and confidentiality.

B.      Physical Security Measures

 

1.       Format of data to be collected

 

Infinit-O Manila gathers personal information such as biographical information, contact numbers, government identification numbers, and all other personal information through online registration in the company's MyHR tool. The company may also request that certain requirements be submitted as printouts. Regardless of the format in which the information is provided, the company shall apply equal security measures to both.

 

2.       Storage type and location (e.g. filing cabinets, electronic storage system, personal data room/separate room or part of an existing room)

 

All data stored on paper is kept in the secured filing cabinets located in the office of the Human Resources Department. The information gathered through MyHR, on the other hand, is consolidated into a database that is secured by the Information Technology Department.

 

Only authorized employees shall have proximity access sensor credentials for both departments.

 

3.       Access procedure of agency personnel

 

When an individual who is not authorized needs access to personal information, he must submit a written request to his supervisor or manager indicating the purpose for which permission to access is sought. The supervisor or manager shall then forward the written request to the Data Protection Officer, who will examine whether the permission shall be granted or denied.

 

4.       Monitoring and limitation of access to room or facility

 

For paper-based data, an individual who wants to access the information must provide his name, department and purpose in the log sheet provided by the authorized personnel handling the data. In the log sheet, the individual shall also indicate whether or not he is authorized to access the information. If he is not originally authorized to access it, he shall also provide the name of the personnel who approved his access request.

 

For electronically stored data, the Information Technology Department can trace the IP address of the user who is attempting to access or is actually accessing the information. The Information Technology Department also maintains audit logs of the systems and tools. Hence, the Information Technology Department is able to confirm whether or not the user is authorized to do so.

 

5.       Design of office space/work station

 

Infinit-O Manila's operations are carried out with security and protection in place. Closed Circuit Television (CCTV) surveillance cameras are installed around the office, proximity cards are issued to each employee, and reasonable private space is maintained between employees' workstations.

 

6.       Persons involved in processing, and their duties and responsibilities

 

The Human Resources Department, the Information Technology Department, and other departments or personnel handling confidential information shall guarantee that they abide by the strict implementation of this Privacy Manual in protecting personal information.

 

These authorized personnel shall also be prohibited from transferring and/or copying any confidential information through unauthorized storage devices such as USB flash drives.

 

7.       Modes of transfer of personal data within the organization, or to third parties

 

No personal information shall be disclosed to any unauthorized person within the company or to third parties, regardless of the method of transfer or sharing, unless the disclosure and sharing policy has been followed.

 

8.       Retention and disposal procedure

 

If the data is no longer needed after 2 years, all printed data is shredded and disposed of securely, and data that is stored electronically is deleted appropriately.

 

C.      Technical Security Measures

 

1.       Monitoring for security breaches

 

To promptly detect security breaches, the Information Technology Department provides tools such as firewalls to prevent unauthorized access and anti-virus software against malicious software, among others. These tools protect and secure all confidential information. (Provide details on access restrictions.)

 

2.       Security features of the software/s and application/s used

 

The Information Technology Department uses software such as firewalls and anti-virus that is designed for security and protection. These protect the company's computers from being attacked over the internet and prevent malicious threats that can destroy important data.

 

3.       Process for regularly testing, assessment and evaluation of effectiveness of security measures

 

To ensure that security measures remain effective, the company uses and regularly updates its software and programs, and installs and maintains firewall configurations for protection and security.

4.       Encryption, authentication process, and other technical security measures that control and limit access to personal data

 

Infinit-O Manila provides each team member with an individual username and password, which is changed monthly. For the authentication process, the company uses biometrics for high-security identification.

BREACH AND SECURITY INCIDENTS

 

1.       Creation of a Data Breach Response Team

 

In order to ensure that all breach and security incidents are handled, Infinit-O Manila shall form a team that will solely handle the investigation of all incidents, measure their risk, and provide resolutions. The Data Breach Response Team shall be composed of xx team members and their team leader.

 

2.       Measures to prevent and minimize occurrence of breach and security incidents

 

To safeguard all personal information provided by the employees, clients, third-party providers, applicants, and other business associates of Infinit-O Manila, the Data Protection Officer and/or any other personnel with similar functions shall guarantee that the Privacy Impact Assessment is conducted for all activities related to the Policy, and shall keep this Privacy Manual updated to ensure that it complies with the Data Privacy Act of 2012.

 

Moreover, the Information Technology Department shall ensure that the tools provided to secure confidential information are kept up to date so that the information remains fully protected.

 

3.       Procedure for recovery and restoration of personal data

 

All confidential information provided to Infinit-O Manila shall have backup copies, which will be handled with the utmost security by the Information Technology Department.

 

If an original file is accidentally deleted, a request to recover it must be sent to the Information Technology Department by filing a support ticket in MyHR.

 

4.       Notification protocol

 

In case of a suspected breach or security incident, one may report it to the Data Breach Response Team through e-mail. The Data Breach Response Team will immediately look into it and take the further actions necessary.

 

In accordance with Rule IX, Sections 38 and 39 of the IRR of RA 10173, the Data Protection Officer shall notify the National Privacy Commission of a personal data breach within seventy-two (72) hours upon knowledge of, or when there is reasonable belief by the PIC or PIP that, a personal data breach requiring notification has occurred.

 

5.       Documentation and reporting procedure of security incidents or a personal data breach

 

The Data Breach Response Team will assign one of its members to keep all related documents in order to keep track of incidents and to take due action immediately should an incident recur.

 

After the report has been filed with the Data Breach Response Team, the team will produce and submit a root cause analysis to the Data Protection & Compliance Officer. The DPCO will then present it to the Executive Committee of Infinit-O for a more detailed discussion of the subject matter.

 

INQUIRIES AND COMPLAINTS

 

For further questions or information regarding this Privacy Manual, please do not hesitate to contact Infinit-O at info@infint-o.com. Any complaint will also be accommodated and given immediate attention.

 

EFFECTIVITY

 

The Privacy Manual shall take effect this __ day of _______, 2017, until revoked or amended by this company. 
