Attachment 4
1
DATA PRIVACY MANUAL
Background
Republic Act No. 10173, otherwise known as the Data Privacy Act of 2012 (DPA),
aims to protect personal data in information and communications systems both in
the government and the private sector.
It ensures that entities or organizations processing personal data establish policies
and implement measures and procedures that guarantee the safety and security of
personal data under their control or custody, thereby upholding an individual’s data
privacy rights. A personal information controller or personal information processor
is instructed to implement reasonable and appropriate measures to protect
personal data against natural dangers such as accidental loss or destruction, and
human dangers such as unlawful access, fraudulent misuse, unlawful destruction,
alteration, and contamination.
To inform its personnel of such measures, each personal information controller or
personal information processor is expected to produce a Privacy Manual. The
Manual serves as a guide or handbook for ensuring the compliance of an
organization or entity with the DPA, its Implementing Rules and Regulations (IRR),
and other relevant issuances of the National Privacy Commission (NPC). It also
encapsulates the privacy and data protection protocols that need to be observed
and carried out within the organization for specific circumstances (e.g., from
collection to destruction), directed toward the fulfillment and realization of the rights
of data subjects.
I. Introduction
In 2022, the Community-Based Monitoring System (CBMS) was implemented in
various Local Government Units (LGUs), pursuant to RA 11315 or the CBMS Act.
The CBMS refers to an organized technology-based system of collecting,
processing and validating necessary disaggregated data that may be used for
planning, program implementation, and impact monitoring at the local level. The
said implementation was spearheaded by the Philippine Statistics Authority (PSA).
As the CBMS involves generation of data at the local level, the LGU shall ensure
the integrity and safety of the gathered information against unnecessary leakage
and access by unauthorized persons. Hence, this Privacy Manual shall serve as a
guide for proper protection and security of the data collected and processed for the
CBMS in the City of Antipolo/Municipality of [LGU Name].
This manual is adopted in compliance with the Data Privacy Act of 2012, its IRR,
1
This sample Data Privacy Manual is based on the guide provided in the National Privacy
Commission Third Edition NPC Privacy Toolkit that you may access through
https://privacy.gov.ph/wp-content/uploads/2022/01/3rdToolkit_0618.pdf. Please use the LGU’s
letterhead/branding for this purpose.
Page 1 of 10
�and other relevant policies, including issuances of the NPC. The City of Antipolo
/Municipality of [LGU Name] respects and values the data privacy rights, and
makes sure that all personal data collected from its constituents are processed in
adherence to the general principles of transparency, legitimate purpose, and
proportionality.
This Manual shall provide the data protection and security measures and may
serve as guide in exercising data subjects’ rights under the DPA.
II. Definition of Terms
● Compliance Officer for Privacy (COP) – refers to an individual or individuals
who perform some of the functions of a Data Protection Officer (DPO).
● Data Protection Officer (DPO) – refers to an individual designated by the
head of agency or organization to be accountable for its compliance with
the Act, its IRR, and other issuances of the Commission: Provided, that,
except where allowed otherwise by law or the Commission, the individual
must be an organic employee of the government agency or private entity:
Provided further, that a government agency or private entity may have more
than one DPO.
● Data Subject – refers to an individual whose personal, sensitive personal or
privileged information is processed by the organization. It may refer to
officers, employees, consultants, and clients of this organization.
● Personal data – refers to all types of personal information, including
privileged information.
● Personal Information – refers to any information whether recorded in a
material form or not, from which the identity of an individual is apparent or
can be reasonably and directly ascertained by the entity holding the
information, or when put together with other information would directly and
certainly identify an individual.
● Processing – refers to any operation or any set of operations performed
upon personal information including, but not limited to, the collection,
recording, organization, storage, updating or modification, retrieval,
consultation, use, consolidation, blocking, erasure, or destruction of data.
● Personal Information Controller (PIC) – refers to a natural or juridical
person, or any other body who controls the processing of personal data, or
instructs another to process personal data on its behalf.
There is control if the natural or juridical person or any other body decides
on what information is collected, or the purpose or extent of its processing.
For purposes of this Manual, the Head of the Agency or the Local Chief
Executive (LCE) shall be automatically designated as the PIC.
Page 2 of 10
� ● Personal Information Processor (PIP) – refers to any natural or juridical
person or any other body to whom a PIC may outsource or instruct the
processing of personal data pertaining to a data subject.
● Privacy Impact Assessment (PIA) – is a process undertaken and used to
evaluate and manage impacts on privacy of a particular program, project,
process, measure, system or technology product of a PIC or PIP program,
project, process, measure, system or technology product of a PIC or PIP. It
takes into account the nature of the personal data to be protected, the
personal data flow, the risks to privacy and security posed by the
processing, current data privacy best practices, the cost of security
implementation, and, where applicable, the size of the organization, its
resources, and the complexity of its operations;
● Sensitive personal information – refers to personal information defined in
Section 3 (l) of the Data Privacy Act of 2012.
● [Insert additional terms and their respective definitions to be covered in the
Data Privacy Manual]
III. Scope and Limitations
All personnel of the City of Antipolo /Municipality of [LGU Name], regardless of the
type and/or status of employment or contractual arrangement, must comply with
the terms set out in this Privacy Manual.
IV. Processing of Personal Data
A. Collection
The City of Antipolo /Municipality of [LGU Name] collects and processes
personal information and sensitive personal information of the data subject
including the name, address, contact details, household information on
education, economic characteristics, community engagement, health, food
security, financial inclusion, etc. through a Computer-Assisted Personal
Interview (CAPI) for the implementation of the CBMS.
B. Use
All data shall solely be used for documentation, analysis, processing, and
guide in policy direction for effective and efficient delivery of basic services.
C. Storage, Retention, and Destruction
The City of Antipolo /Municipality of [LGU Name] shall ensure that personal
data under its custody are protected against any accidental or unlawful
destruction, alteration, and disclosure as well as against any other unlawful
processing. Appropriate security measures in storing collected personal
Page 3 of 10
� information, depending on the nature of the information shall be
implemented. The storage, retention, and destruction of data shall be
complied with the standard protocols of the CBMS.
The City of Antipolo/Municipality of [LGU Name] shall store the CBMS data
in a secured location taking into consideration the provisions of RA 11315
and other related laws. Data may be disposed in accordance with the
provisions of the RA 11315 and other relevant issuances related thereto.
D. Access
Due to the sensitive and confidential nature of the personal data under the
custody of the City of Antipolo/Municipality of [LGU Name], only its
authorized personnel shall be allowed to access such personal data, for any
purpose, except for investigations in relation to any criminal, administrative
or tax liabilities of a data subject, and those contrary to law, public policy,
public order, or morals.
E. Disclosure and Sharing
All employees and personnel of the City of Antipolo /Municipality of [LGU
Name] shall maintain the confidentiality, integrity, and availability of all
personal data that come to their knowledge and possession, even after
resignation, termination of service or contract, or other contractual relations.
Personal data under the custody of the city/municipality shall be disclosed
only pursuant to a lawful purpose, and to authorized recipients of such data.
V. Security Measures
Security measures aim to maintain the availability, integrity, and confidentiality of
personal data and protect them against natural dangers such as accidental loss or
destruction, and human dangers such as unlawful access, fraudulent use, unlawful
destruction, alteration, and contamination.
A. Organization Security Measures
1. Conduct of Privacy Impact Assessment (PIA)
The City of Antipolo /Municipality of [LGU Name] shall conduct a Privacy
Impact Assessment (PIA) relative to all activities, projects, and systems
involving the processing of personal data. The city/municipality may choose
to outsource the conduct of a PIA to a third party.
A PIA should be conducted for both new and existing systems, programs,
projects, procedures, measures, or technology products that involve or
impact processing personal data. For new processing systems, it should be
undertaken prior to their adoption, use, or implementation.
2. Designation of the Data Protection Officer (DPO), and Compliance Officers
Page 4 of 10
� for Privacy (COP)2
Pursuant to National Privacy Commission Advisory No. 2022-04, each LGU
shall designate a DPO. However, a component city, municipality, or
barangay is allowed to designate a COP, provided that the latter shall be
under the supervision of the DPO of the corresponding province, city, or
municipality that the component city, municipality, or barangay forms part of.
3. Functions of the DPO, COP and/or any other responsible personnel with
similar functions
The DPO shall oversee the compliance of the city/municipality with the DPA,
its IRR, and other related policies, including the implementation of security
measures, security incident and data breach protocol, and the inquiry or
complaints procedure.
The DPO shall also ensure the conduct of PIA relative to activities,
measures, projects, programs, or system pursuant to the provisions of
relevant NPC Circular.
The Compliance Officer for Privacy shall assist the DPO in the management
and protection of the data, and equipment.
4. Duty of Confidentiality
All personnel who shall have access to the personal data shall be asked to
execute an Oath of Data Privacy, as well as a Non-Disclosure Agreement
(NDA). The personnel shall operate and hold personal data under strict
confidentiality if the same is not intended for public disclosure. The Oath of
Data Privacy and the NDA shall be kept by both parties.
All employees and personnel of the LGU, its agents or representatives shall
maintain the confidentiality of all personal data that come to their knowledge
and possession, even after their resignation, termination of contract, or other
contractual relations.
5. Attendance to trainings or seminars to be updated on the developments in
data privacy and security
The City of Antipolo /Municipality of [LGU Name] is required to attend and
participate in the training on data privacy and security in relation to CBMS
conducted by the PSA.
The City of Antipolo /Municipality of [LGU Name] shall conduct training on
data privacy and security at least once a year. For personnel directly
involved in the processing of personal data, the city/municipality shall ensure
their attendance and participation in relevant trainings and orientations.
2
Guidelines on the registration of the Data Protection Officer may be accessed through
https://privacy.gov.ph/pips-and-pics/register/.
Page 5 of 10
�6. Review of Privacy Manual
This Privacy Manual shall be reviewed and evaluated annually. Privacy and
security policies and practices within the City of Antipolo /Municipality of
[LGU Name] shall be updated to remain consistent with current data privacy
best practices.
[7.] Recording and documentation of activities carried out by the DPO, or the
City of Antipolo /Municipality of [LGU Name], to ensure compliance with the
DPA, its IRR and other relevant policies.
The DPO shall designate personnel who shall record and be in custody of all
activities to ensure compliance with the DPS, its IRR and other relevant
policies.
B. Physical Security Measures
1. Format of data to be collected
Personal data in the custody of the City of Antipolo /Municipality of [LGU
Name] may be in digital/electronic format and printed paper-based/physical
format.
2. Storage type and location
Storage device/s shall be in the custody of the DPO. All data processed shall
be stored in a secured room, where paper-based documents are kept in
locked filing cabinets.
Digital/electronic files shall be stored in a server or desktop computer
(dedicated for CBMS use only) for the CBMS database with anti-virus and
security features.
3. Access procedure of authorized personnel
Only authorized personnel shall be allowed access to the data device/s and
the allotted data room.
An accountable assigned personnel for that purpose, shall be given a key to
the security storage cabinet. Other personnel may be granted access to the
room upon the filing of an access request form (refer to Annex __) subject to
the approval of the DPO.
4. Monitoring and limitation of access to room or facility
All personnel requesting data from device/s or facilities must fill out a data
request form and register with an access request logbook. The date, time,
duration, and purpose of each access shall be indicated in the form.
The access to the room or facility shall be approved by the DPO.
Page 6 of 10
� 5. Design of office space/workstation
The data computers/devices shall be positioned with considerable spaces
between them to maintain privacy and protect the processing of personal
data.
6. Persons involved in processing, and their duties and responsibilities
Persons involved in processing shall always maintain confidentiality and
integrity of personal data. Bringing of own gadgets or storage device of any
form when entering the data room and when using the server or computers
allocated for the CBMS database shall not be allowed.
7. Modes of transfer of personal data within the organization, or to third parties
[The following provisions shall be upon the discretion of the LGU:]
To protect personal information, transfer of personal data via electronic mail
shall use a secure email facility with encryption of the data, including any or
all attachments. Use of Facsimile technology for transmitting documents
containing CBMS data shall not be allowed.
Transferring of data using storage devices (e.g., USB, external drives, etc.)
shall not be allowed. All USB ports or data transfer ports found in the data
storage computers/devices shall be deactivated for additional protection.
Transferring data using wireless data transfer (e.g., WIFI, Bluetooth, etc.)
shall not be allowed. The data storage computers/devices shall not be
connected in any way to any wireless networks.
Only a printed copy of the specific data requested via a request form shall be
allowed.
8. Retention and disposal procedure
All information gathered by the City of Antipolo /Municipality of [LGU Name]
shall not be retained in perpetuity. The City of Antipolo /Municipality of [LGU
Name] shall retain the personal data in its custody within the period
prescribed by law.
It shall ensure that all personal data gathered shall be disposed of properly in
a manner that data should be unreadable or irretrievable to prevent further
processing, unauthorized access, or disclosure to any party or public, or
prejudice the interests of the data subjects.
C. Technical Security Measures
1. Monitoring for security breaches
Page 7 of 10
� The City of Antipolo/Municipality of [LGU Name] shall use an intrusion
detection system to monitor security breaches and alert the City of Antipolo
/Municipality of [LGU Name] of any attempt to interrupt or disturb the system
if available.
2. Security features of the software/s and application/s used
The City of Antipolo /Municipality of [LGU Name] shall first review and
evaluate software applications before the installation thereof in the allocated
server or computers/devices for the CBMS database to ensure the
compatibility of security features with overall operations.
3. Process for regularly testing, assessment, and evaluation of effectiveness of
security measures
The City of Antipolo /Municipality of [LGU Name] shall review security
policies, conduct vulnerability assessments, and perform penetration testing
within the city/municipality on a regular schedule to be prescribed by the
appropriate department or unit.
4. Encryption, authentication process, and other technical security measures
that control and limit access to personal data
The DPO shall create a strong password for the Information and
Communication Technology (ICT) Equipment and shall be shared only to
authorized personnel that executed a NDA. Each personnel with access to
the CBMS data shall verify his or her identity to authorized personnel (DPO
and COP) through the request form in Annex __.
Computer/devices password shall be set by the DPO and shared only to the
authorized personnel that signed an NDA. Each personnel with access to
the CBMS data shall verify his or her identity to authorized personnel (DPO
and COP) with a filled-up request.
VI. Breach and Security Incidents
1. Creation of a Data Breach Response Team
A Data Breach Response Team (DBRT) comprising of five (5) personnel
(headed by a representative from the (1) City/Municipal Mayor’s Office, and
composed of members from: (2) Information Office, (3) Legal Office,
(4) Planning and Development Office, and (5) Information Technology
Office) shall be constituted.
The DBRT shall be responsible in ensuring immediate action in the event of
a security incident or personal data breach.
The team shall conduct an initial assessment of the incident or breach in
order to ascertain the nature and extent thereof. It shall also implement
Page 8 of 10
� measures to mitigate the adverse effects of the incident or breach.
2. Measures to prevent and minimize occurrence of breach and security
incidents
The City of Antipolo /Municipality of [LGU Name] shall regularly conduct a
PIA to identify risks in the processing system and monitor for security
breaches and vulnerability scanning of computer networks. Personnel
directly involved in the processing of personal data must attend training and
seminars for capacity building. There must also be a periodic review of
policies and procedures being implemented in the organization.
3. Procedure for recovery and restoration of personal data
The City of Antipolo/Municipality of [LGU Name] shall always maintain a
backup file (server, desktop, or cloud drive intended for CBMS use only) for
all personal data under its custody. In the event of a security incident or data
breach, it shall always compare the backup with the affected file to
determine the presence of any inconsistencies or alterations resulting from
the incident or breach.
4. Notification protocol
The head of the DBRT shall inform its members of the need to notify the
NPC, the PSA, and the data subjects affected by the incident or breach
within the period prescribed by law. The head may also decide to delegate
the actual notification to any of the members of the DBRT.
5. Documentation and reporting procedure of security incidents or a personal
data breach
The members of the DBRT shall prepare a detailed documentation of every
incident or breach encountered, as well as an annual report, to be submitted
to the City/Municipal Mayor, PSA, and the NPC within the prescribed period.
VII. Inquiries and Complaints
Data subjects may inquire or request for information regarding any matter relating to
the processing of their personal data under the custody of the city/municipality,
including the data privacy and security policies implemented to ensure the protection
of their personal data. They may write to the city/municipality through the email
address [email protected] [insert email address] and briefly
discuss the inquiry, together with their contact details for reference.
Complaints shall be filed in three (3) printed copies, or sent to through the email
address [email protected] [insert email address]. The concerned
department or unit shall confirm with the complainant its receipt of the complaint.
Page 9 of 10
�VIII. Effectivity
The provisions of this Manual are effective this 1st [DD] of July [Month], 2025
[YYYY], until revoked or amended by the city/municipal government.
IX. Annexes (to be drafted by the LGU)
A. Consent Form
B. Inquiry Summary Form
C. Access Request Form
D. Privacy Notice
E. Request for Correction or Erasure
Page 10 of 10
