Data Privacy Policy
- Introduction
The Fertilizer and Pesticide Authority (“FPA”) adopts this Data Privacy Policies and Guidelines on the Implementation of Republic Act No. 10173, otherwise known as the “Data Privacy Act of 2012”, to cultivate conscientiousness in respecting data privacy rights through adherence to the general principles of data privacy: transparency, proportionality, and legitimate purpose, as well as the enforcement of data security measures.
- DEFINITION OF TERMS
“Commission” – refers to the National Privacy Commission.
“Consent of the Data Subject” – refers to any freely given, specific, informed indication of will, whereby the data subject agrees to the collection and processing of personal information about and/or relating to him/her. Consent shall be evidenced by written, electronic or recorded means. It may also be given on behalf of the data subject by an agent specifically authorized by the data subject to do so.
“Data Subject” – refers to an individual whose personal, sensitive personal or privileged information is processed by the FPA. It may refer to officers, employees, consultants, and clients/customers of the FPA.
“Personal Data” – refers to all types of personal information.
“Personal Data Breach” – refers to a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored, or otherwise processed.
“Personal Information” – refers to any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.
“Personal Information Controller (PIC)” – refers to an official/personnel who controls the collection, holding, processing, use, transfer, or disclosure of personal information, including an official/personnel who instructs another official/personnel to collect, hold, process, use, transfer or disclose personal information on his/her behalf. There is control if the official/personnel decides on what information is collected, or the purpose or extent of its processing. The term excludes an official/personnel who performs such functions as instructed by another official/personnel, and an official/personnel who collects, holds, processes, uses, transfers, or discloses personal information in connection with the individual’s personal, family or household affairs.
“Personal Information Processor (PIP)” – refers to any natural or juridical person qualified to act as such under the Data Privacy Act (DPA) and its Implementing Rules and Regulations (IRR) to whom a PIC outsources or instructs the processing of personal data pertaining to a data subject.
“Privileged Information” – refers to any and all forms of data which under the Rules of Court and other pertinent laws constitute privileged communication.
“Processing” – refers to any operation or any set of operations performed upon personal information including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure, or destruction of data.
“Sensitive Personal Information” – refers to personal information:
- about an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;
- about an individual’s health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings;
- issued by government agencies peculiar to an individual which includes, but is not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns; and
- specifically established by an executive order or an act of Congress to be kept classified.
- SCOPE AND LIMITATIONS
This Data Privacy Policies and Guidelines governs the acts and decisions of all the FPA’s employees and officers, contractual and contract of service personnel, consultants, applicants, retirees, clients, beneficiaries, contract counterparties, subcontractors, partners, donors, stakeholders and other persons and entities whose personal data are directly or indirectly processed by the FPA.
- PROCESSING OF PERSONAL DATA
As a technical regulatory agency, the FPA, through its Divisions, Units and Offices, processes personal data pursuant to its mandate under Presidential Decree No. 1144 to assure the public of safe and adequate supply of fertilizer, pesticide, and other agricultural chemicals by providing quality services on the issuance of licenses, registrations and permits.
- Collection
The FPA collects the basic contact information of the data subject, including his/her full name, address, email address, contact number and other basic demographic information in the performance of its mandate.
The types of data being collected include, but are not limited to, the following:
- Personal details such as name, birth, sex, civil status, and affiliations;
- Contact information such as address, email, mobile and telephone numbers;
- Employment information such as government-issued numbers, position, functions, and compensation; and
- Registrant/applicant information.
- Use
The FPA processes personal data to achieve the following purposes:
- Assuring the agricultural sector of adequate supplies of fertilizer and pesticide products at reasonable prices;
- Educating the agricultural sector in the use of these agricultural inputs;
- Supervision of relevant endeavors;
- Management of human resources and supervision of work conduct;
- Documentation and record-keeping purposes;
- Contractual and financial purposes;
- Corporate governance and housekeeping, regulatory and audit purposes; and
- Other matters inherent and incidental to the foregoing.
- Storage, Retention and Destruction
The FPA shall ensure that personal data under its custody are protected against any accidental or unlawful destruction, alteration, and disclosure as well as against any other unlawful processing. The FPA shall implement appropriate security measures in storing collected personal information, depending on the nature of the information.
Moreover, the records retention and disposal schedule shall comply with the National Archives of the Philippines Circular No. 1 dated 20 January 2009.
- Access
Due to the sensitive and confidential nature of the personal data under the custody of the FPA, only the client and the authorized representative of the FPA shall be allowed to access such personal data, for any purpose, except for those contrary to law, public policy, public order, or morals.
The Data Privacy Officer (DPO) shall, at the request of the data subject, provide the latter with access to his/her personal data within a reasonable time after such request is made and will consider a request from the data subject for correction of that information.
Data subjects can request data rectification by filling out the request form with supporting evidentiary documents as required by the FPA’s PIPs. The request shall be subjected to analysis by the Privacy Focal Persons. If the request is found in order, the data rectification request will be processed.
- Disclosure and Sharing
All FPA employees and personnel shall maintain the confidentiality and secrecy of all personal data that come to their knowledge and possession, even after resignation, termination of contract, or other contractual relations. Personal data under the custody of the FPA shall be disclosed only pursuant to a lawful purpose, and to authorized recipients of such data.
- SECURITY MEASURES
The FPA is mandated to implement the following security measures in all actions and decisions directly and indirectly related to processing of personal data and/or sensitive personal information:
- Organizational Measures
- Conduct of Privacy Impact Assessment (PIA)
The FPA shall conduct a Privacy Impact Assessment (PIA) relative to all activities, projects and systems involving the processing of personal data. It may choose to outsource the conduct of a PIA to a third party.
The PIA shall include an assessment of the documents, data processing systems and policies of units and offices. The PIA shall include the process of understanding the personal data flow, identifying, and assessing threats and vulnerabilities, and proposing measures to address privacy risks.
- Data Protection Officer (DPO), or Compliance Officer for Privacy (COP)
The protection of personal data flowing within and out of the FPA’s divisions, units and offices is under the autonomous and independent jurisdiction and authority of the DPO. Each division, unit and office of the FPA shall appoint a Privacy Focal Person to support the DPO and implement privacy and security initiatives for the division, unit or office concerned.
- Functions of the DPO, COP and/or any other responsible personnel with similar functions
- The DPO has the responsibility to:
- comply with legal and regulatory obligations related to data privacy;
- provide data protection support to various divisions, units and offices;
- enforce the FPA’s policies related to data privacy, information security, records management and data governance;
- coordinate with relevant offices to strengthen organizational, physical and technical security measures; and
- supervise Privacy Focal Persons in ensuring data privacy across the FPA.
- Focal Persons have the responsibility to:
- support the DPO’s endeavors and initiatives;
- implement privacy policies and initiatives;
- proactively prevent, monitor, mitigate and manage existing or reasonably foreseeable security incidents and personal data breaches in their respective units;
- strictly observe the FPA’s Security Incident Management Policy; and
- investigate, address, remediate and resolve privacy gaps, and if necessary, impose sanctions on erring people in their units.
- Duty of Confidentiality
All employees will be asked to sign a Non-Disclosure Agreement. All employees with access to personal data shall operate and hold personal data under strict confidentiality if the same is not intended for public disclosure.
- Conduct of trainings or seminars to keep personnel, especially the DPO updated vis-à-vis developments in data privacy and security
The FPA shall sponsor a mandatory training on data privacy and security at least once a year. For personnel directly involved in the processing of personal data, the Management shall ensure their attendance and participation in relevant trainings and orientations, as often as necessary.
- Review of Data Privacy Policies and Guidelines
- Recording and documentation of activities carried out by the DPO, or the organization itself, to ensure compliance with the DPA, its IRR and other relevant policies
There shall be detailed and accurate documentation of all activities, projects, and processing systems of the FPA, to be carried out by the Risk Management Officer, in coordination with the Data Protection Officer.
- Format of data to be collected
Personal data collected by the FPA may be in digital/electronic format or paper-based/physical format.
- Storage type and location
The physical storage locations of personal data are folders, envelopes, drawers, cabinets, rooms, vaults and other file storage devices and locations within the premises of the FPA or in storage facilities contracted by the FPA. At all times, storage locations not in use shall be kept secure and locked. Storage devices such as external hard disks, USB flash disks and optical disks should be kept secure in locked storage location when not in use.
Privacy Focal Persons shall lead the implementation of the FPA’s Records Management Policy in their respective units and offices.
- Access procedure of agency personnel
Only authorized personnel shall be allowed to enter or access storage locations, facilities and devices containing personal data. Other personnel may be granted access upon approval of the DPO upon request of the head and the Privacy Focal Person of the concerned division, unit or office.
- Monitoring and limitation of access to room or facility
Access to documents and files containing personal data shall be restricted to FPA personnel who have the appropriate security clearance. Efforts shall be made to create an access control system that records when, where, and by whom data centers are accessed.
Preferably, the FPA’s personnel authorized to access paper-based or physical storage locations must register with a paper-based or electronic registration platform before accessing any document or file. They shall indicate the date, time, duration, and purpose of each access.
Drawers, cabinets, rooms and other storage locations containing personal data must be kept closed and locked when not in use or when not attended. Keys for these storage locations must, at all times, be kept secure.
Privacy Focal Persons shall lead the implementation of the FPA’s Organizational and Physical Data Protection Measures Policy in their respective divisions, units and offices.
- Design of office space/workstation
As much as practicable (1) machines and workspaces will be positioned in consideration of privacy and the protection of the processing of personal data; and (2) workspaces shall be configured and designed to restrict documents, files, and screens from the view of those who are not assigned to the concerned workspace.
Printouts containing personal data should be immediately removed from printers.
- Persons involved in processing, and their duties and responsibilities
Persons involved in processing shall always maintain confidentiality and integrity of personal data. They are not allowed to bring their own gadgets or storage devices of any form when entering the data storage room.
- Modes of transfer of personal data within the organization, or to third parties
Transfers of personal data via electronic mail shall use a secure email facility with encryption of the data, including any or all attachments. Facsimile technology shall not be used for documents containing personal data.
Physical disclosure or transfer of documents containing personal data shall be conducted by FPA’s personnel whose work functions include the transmission or delivery of the concerned document when related to a legitimate purpose. In case of special circumstances wherein the work functions of the individual involved do not include the transmission or delivery of the document, then the approval of the Privacy Focal Person having jurisdiction is necessary.
- Retention and disposal procedure
Records retention and disposal schedule shall adhere to the National Archives of the Philippines Circular No. 1 dated 20 January 2009.
- Monitoring for security breaches
As needed, each unit or office shall determine and use technologies not falling below industry standards and practices necessary to prevent any attempt to interrupt or disrupt data processing systems.
- Security features of the software/s and application/s used
Application software and system software should be reviewed and evaluated by the appropriate information technology personnel from the Planning, Management, and Information Division (PMID) before they are installed and used in computers and devices. Compatibility of security features with overall operations must also be ensured by these personnel.
- Process for regular testing, assessment and evaluation of effectiveness of security measures
The FPA shall review security policies, conduct vulnerability assessments, and perform penetration testing within the FPA on a regular schedule to be prescribed by the appropriate division, unit or office.
- Encryption, authentication process, and other technical security measures that control and limit access to personal data.
Personal data at rest, in transit and in use must, at all times, maintain their confidentiality, integrity and availability through compliance with the FPA’s Information Security Policy, the implementation of which should be led by Privacy Focal Persons.
Personal data that are digitally processed are preferably encrypted, whether at rest or in transit. An appropriate encryption minimum standard (such as Advanced Encryption Standard with a key size of 256 bits (AES-256) or its predecessor technology) is preferred. Passwords or passphrases used to access personal data should be of sufficient strength to deter password attacks. Passwords and passphrases should be at least twelve (12) characters long. The PMID shall ensure password and passphrase policies are on par with security best practices.
Transfers of personal data via electronic mail shall use a secure email facility with encryption of the data, including any or all attachments.
The mitigation, management and resolution of Security Incidents and Personal Data Breaches require the coordination of various FPA’s personnel. All concerned should be vigilant in their responsibilities to enable an effective security incident management process.
- Creation of a Data Breach Response Team
A Data Breach Response Team composed of five (5) officers shall be responsible for ensuring immediate action in the event of a security incident or personal data breach. The team shall conduct an initial assessment of the incident or breach in order to ascertain the nature and extent thereof. It shall also execute measures to mitigate the adverse effects of the incident or breach.
- Measures to prevent and minimize occurrence of breach and security incidents
Privacy Focal Persons should coordinate with the DPO for the conduct of the Privacy Impact Assessment as needed to identify risks in the processing system and monitor for security breaches and vulnerability scanning of computer networks.
The FPA’s personnel directly involved in the processing of personal data must attend trainings and seminars for capacity building.
Divisions, units and offices should conduct inventories of information assets. As far as practicable, these divisions, units and offices should adopt information security policies that address the specific needs of their divisions, units and offices with applicable controls and procedures. In no case shall a policy specific to a division, unit or office supersede or prevail over the FPA’s data privacy policies.
There shall be a system to regulate access to data centers owned or controlled by the FPA. Appropriate security clearances or access control lists should be set up for classes of administrators and users. There should be an access control system that records when, where, and by whom the data centers are accessed. Copies of access control lists and similar records must be filed with the Data Protection Office.
- Procedure for recovery and restoration of personal data
The FPA’s divisions, units and offices shall always maintain a backup for all personal data under their custody. In the event of a security incident or data breach, they shall always compare the backup with the affected file to determine the presence of any inconsistencies or alterations resulting from the incident or breach.
As far as practicable, divisions, units and offices shall have disaster recovery and continuity plans to ensure availability of data despite the occurrence of disruptions.
- Notification protocol
The Head of the Data Breach Response Team shall inform the management of the need to notify the Commission and the data subjects affected by the incident or breach within the period prescribed by law. Management may decide to delegate the actual notification to the head of the Data Breach Response Team.
- Documentation and reporting procedure of security incidents or a personal data breach
The Data Breach Response Team shall prepare a detailed documentation of every incident or breach encountered, as well as an annual report, to be submitted to Management and the Commission, within the prescribed period.
Data subjects may inquire or request information regarding any matter relating to the processing of their personal data under the custody of the FPA, including the data privacy and security policies implemented to ensure the protection of their personal data. They may email the FPA at fpacentral77@gmail.com and briefly discuss the inquiry, together with their contact details for reference.
Complaints may be filed in three (3) legible printed copies at the FPA Central Office or emailed to fpacentral77@gmail.com. The DPO shall confirm with the complainant its receipt of the complaint and inform the concerned division, unit or office. The DPO may instruct the concerned Privacy Focal Person to coordinate with all necessary third parties, including dealing with the complainant.