INTRODUCTION
The Council for the Welfare of Children (CWC) adopts this Data Privacy Policy and Guidelines on the Implementation of Republic Act No. 10173, otherwise known as the “Data Privacy Act of 2012”, (DPA) to cultivate conscientiousness in respecting data privacy rights through adherence to the general principles of data privacy: transparency, proportionality, legitimate purpose as well as the enforcement of data security measures.
DEFINITION OF TERMS
“Commission” – refers to the National Privacy Commission (NPC), the agency mandated to administer and implement the provisions of DPA, and to monitor and ensure compliance of the country with international standards set for data protection.
“Consent of the Data Subject” – refers to any freely given, specific, informed indication of will, whereby the data subject agrees to the collection and processing of personal data about and/or relating to them. Consent shall be evidenced by written, electronic, or recorded means. It may also be given on behalf of the data subject by an agent specifically authorized by the data subject to do so.
“Data Subject” – refers to an individual whose personal, sensitive personal, or privileged information is processed by the Council for the Welfare of Children (CWC). This includes but is not limited to children, employees, job applicants, consultants, service providers, and system users.
“Personal Data” – refers to all types of personal information, including personal, sensitive personal, and privileged information.
“Personal Information” – refers to any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.
“Sensitive Personal Information” – refers to personal information, which includes, but is not limited to, information:
- About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical, or political affiliations;
- About an individual’s health, education, genetic or sexual life, or any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings;
- Issued by government agencies peculiar to an individual which includes, but is not limited to, social security numbers, previous or current health records, licenses or their denials, suspensions or revocations, and tax returns; and
- Specifically established by an executive order or an act of Congress to be kept classified.
“Privileged Information” – refers to any and all forms of data which, under the Rules of Court and other pertinent laws, constitute privileged communication (e.g., lawyer-client, doctor-patient, or priest-penitent relationships).
“Personal Data Breach” – refers to a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored, or otherwise processed.
“Personal Information Controller (PIC)” – refers to a person or organization, such as CWC or any of its authorized personnel, who controls the collection, holding, processing, use, transfer, or disclosure of personal information, including one who instructs another to do so on their behalf. The term excludes those who process personal data under the direct control or instruction of another.
“Personal Information Processor (PIP)” – refers to any natural or juridical person qualified under the DPA and its Implementing Rules and Regulations (IRR), to whom a PIC may outsource or instruct the processing of personal data pertaining to a data subject.
“Processing” – refers to any operation or any set of operations performed upon personal data including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, sharing, blocking, erasure, or destruction of data.
“Filing system” – refers to any set of information relating to natural or juridical persons to the extent that, although the information is not processed by equipment operating automatically in response to instructions given for that purpose, the set is structured, either by reference to individuals or by reference to criteria relating to individuals, in such a way that specific information relating to a particular individual is readily accessible.
“Information and communications system” – refers to a system for generating, sending, receiving, storing, or otherwise processing electronic data messages or electronic documents, and includes the computer system or other similar device by which data is recorded, transmitted, or stored, and any procedure related to the recording, transmission, or storage of electronic data, electronic message, or electronic document.
“Privacy Focal Person (PFP)” – refers to the focal person of a unit, office or division, who supports the functions of the Data Protection Officer and ensures the implementation of the data privacy policies within his/her respective office.
SCOPE AND LIMITATIONS
This Data Privacy Policy and its implementing guidelines shall govern the acts, decisions, and responsibilities of all employees and officers of the CWC related to the collection, use, and processing of personal data. It applies to all CWC personnel, including employees, officers, contract of service workers, consultants, interns, and job applicants. It also covers external parties such as retirees, beneficiaries, clients, stakeholders, partner organizations, donors, service providers, and contractors. Furthermore, this policy applies to any other individuals or entities whose personal data are directly and indirectly collected in the course of CWC’s operation.
This policy shall at all times respect the rights of data subjects, which include but are not limited to:
- Right to be informed;
- Right to damages;
- Right to access;
- Right to file a complaint;
- Right to object;
- Right to rectify;
- Right to erasure or blocking; and
- Right to data portability.
PROCESSING OF PERSONAL DATA
As the focal government agency for children’s rights and welfare in the Philippines, the CWC, through its programs, services, systems, and partner mechanisms, processes personal data pursuant to its mandate under Presidential Decree No. 603 (The Child and Youth Welfare Code), Republic Act No. 9344 (Juvenile Justice and Welfare Act), and other relevant laws and executive issuances.
- Collection
CWC collects basic and necessary personal data for the effective implementation of its programs, policy development, research initiatives, consultations, monitoring activities, and delivery of services for children and related stakeholders.
The types of personal data collected may include, but are not limited to, the following:
- Personal details: full name, date and place of birth, age, sex, nationality, civil status, and affiliations;
- Contact information: address, email, mobile/telephone numbers;
- Employment and professional information: government-issued IDs or numbers, position or role, agency/organization, and compensation (where applicable);
- Child or beneficiary-specific information: age, sex, educational status, family composition, background or case information (with necessary safeguards);
- Registrant/applicant information: data submitted through online or physical forms for participation in training, consultations, programs, and services.
- Use
CWC processes personal data for the following purposes:
- Formulation and implementation of child-related policies, programs, and advocacy;
- Coordination and support to inter-agency mechanisms for children’s welfare;
- Research and data collection for child rights monitoring and development planning;
- Organization and facilitation of stakeholder consultations, trainings, and forums;
- Documentation, communication, and publication purposes;
- Human resource management and administrative operations;
- Contractual, financial, and procurement-related processes; and
- Other functions inherent or incidental to the above or as authorized by law.
- Storage, Retention and Destruction
CWC ensures that personal data under its custody are stored securely and protected from accidental or unlawful destruction, alteration, and disclosure, as well as from any unauthorized processing. Security measures are in place depending on the sensitivity and classification of the data.
As provided in Section 19 (d), Rule VI (Data Privacy Principles) of the DPA’s IRR, personal data collected must be kept and stored in safe storage, whether physical or electronic, until the fulfillment of the declared, specified, and legitimate purpose or as provided by law.
The retention period shall be set on the following grounds:
- guidelines prescribed by the National Archives of the Philippines (NAP), in accordance with Circular No. 1 dated January 20, 2009, or as otherwise required by law;
- for documents utilized for administrative, budgetary, and legal purposes, the retention period should follow existing and applicable laws, rules, and regulations from the following: Commission on Audit (COA), Civil Service Commission (CSC), Freedom of Information (FOI), Anti-Red Tape Authority (ARTA), other laws or issuances from regulatory bodies, among others; and
- other databases should follow the retention period specified in their respective PIAs.
- Access
Due to the sensitive and confidential nature of personal data maintained by the CWC, access shall be restricted only to authorized CWC personnel and, where applicable, to the concerned data subject or their authorized representative. Access shall be granted solely for its lawful and legitimate purposes.
Data subjects may request access to their personal data by submitting a written request to the Data Protection Officer (DPO). The DPO shall respond to such requests within a reasonable period. Data subjects may also request corrections to any inaccurate or outdated personal data by submitting a formal request and supporting documents, subject to verification by CWC’s designated Privacy Focal Persons.
If the request is found to be valid, the CWC shall rectify the data accordingly.
- Disclosure and Sharing
All CWC personnel are expected to uphold the confidentiality and integrity of personal data acquired in the performance of their duties. This duty continues even after the termination of employment or service.
Personal data under CWC’s custody shall be disclosed or shared only in accordance with existing laws, upon the data subject’s consent, or in the performance of lawful obligations and mandates. Such disclosure shall be made only to authorized recipients and in a manner that upholds data privacy rights.
CWC shall share personal data only if required by law, prescribed by existing and applicable rules and regulations, upon the authorization of the CPO or Head of Agency in accordance with the fulfillment of the agency or its duly authorized representative’s function, or for compliance associated with a Data Sharing Agreement (DSA). All PIPs and PICs shall keep and treat all personal data confidential, and shall adhere to this manual for its proper collection, processing and storage.
All DSAs shall be reviewed and endorsed by the Legal Unit prior to the approval of the DPO/Head of Agency. Further, the DSA must comply with NPC Circular No. 2020-03 dated 23 December 2020, particularly its contents which must include the purpose and lawful basis for entering into such an agreement, the objectives, parties, and terms involved, the operational details, security, and rights of data subjects, and the retention and data disposal as provided in Section 9 (Contents of a Data Sharing Agreement).
SECURITY MEASURES
The CWC is mandated to implement the following security measures in all actions and decisions directly and indirectly related to processing of personal data and/or sensitive personal information:
- Organizational Measures
- Conduct of Privacy Impact Assessment (PIA)
The CWC shall conduct a Privacy Impact Assessment (PIA) relative to all activities, projects and systems involving the processing of personal data. It may choose to outsource the conduct of a PIA to a third party. The PIA shall include an assessment of the documents, data processing systems and policies of units and offices. The PIA shall include the process of understanding the personal data flow, identifying and assessing threats and vulnerabilities, and proposing measures to address privacy risks.
- Data Protection Officer (DPO), or Compliance Officer for Privacy (COP)
The protection of personal data flowing within and out of the CWC’s divisions, units and offices is under the autonomous and independent jurisdiction and authority of the DPO. Each division, unit and office of the CWC shall appoint a Privacy Focal Person to support the DPO and implement privacy and security initiatives for the division, unit or office concerned.
- Functions of the DPO, COP and/or any other responsible personnel with similar functions
- The DPO has the responsibility to:
- comply with legal and regulatory obligations related to data privacy;
- provide data protection support to various divisions, units and offices;
- enforce the CWC’s policies related to data privacy, information security, records management and data governance;
- coordinate with relevant offices to strengthen organizational, physical and technical security measures; and
- supervise the PFPs in ensuring data privacy across the CWC.
- PFPs have the responsibility to:
- support the DPO’s endeavors and initiatives;
- implement privacy policies and initiatives;
- proactively prevent, monitor, mitigate and manage existing or reasonably foreseeable security incidents and personal data breaches in their respective units;
- strictly observe the CWC’s Security Incident Management Policy; and
- investigate, address, remediate and resolve privacy gaps, and if necessary, impose sanctions to erring people in their units.
- Duty of Confidentiality
All employees with access to personal data shall operate and hold personal data under strict confidentiality. Any public disclosure shall be authorized by a duly appointed supervisor, the Data Protection Officer or Head of Agency.
- Conduct of trainings or seminars to keep personnel, especially the DPO updated vis-à-vis developments in data privacy and security
The CWC shall sponsor a mandatory training on data privacy and security at least once a year. For personnel directly involved in the processing of personal data, the Management shall ensure their attendance and participation in relevant trainings and orientations, as often as necessary. Data Privacy Policies and Guidelines shall also be included in new-hire orientations.
- Recording and documentation of activities carried out by the DPO, or the organization itself, to ensure compliance with the DPA, its IRR and other relevant policies
There shall be detailed and accurate documentation of all activities, projects, and processing systems of the CWC, to be carried out by their respective divisions, units or offices.
- Physical Measures
1. Format of data to be collected
Personal data collected by the CWC may be in digital/electronic format or paper-based/physical format.
2. Storage type and location
The physical storage locations of personal data are folders, envelopes, drawers, cabinets, rooms, vaults and other file storage devices and locations within the premises of the CWC or in storage facilities contracted by the CWC. At all times, storage locations not in use shall be kept secure and locked. Storage devices such as external hard disks, USB flash disks and optical disks should be kept secure in locked storage locations when not in use.
Privacy Focal Persons shall lead the implementation of the CWC’s Records Management Policy in their respective units and offices.
3. Access procedure of agency personnel
Only authorized personnel shall be allowed to enter or access storage locations, facilities and devices containing personal data. Other personnel may be granted access upon approval of the DPO upon request of the head and the Privacy Focal Person of the concerned division, unit or office.
4. Monitoring and limitation of access to room or facility
Access to documents and files containing personal data shall be restricted to CWC personnel who have the appropriate security clearance. Efforts shall be made to create an access control system to record when, where, and by whom data centers are accessed.
Preferably, CWC personnel authorized to access paper-based or physical storage locations must register with a paper-based or electronic registration platform before accessing any document or file. They shall indicate the date, time, duration, and purpose of each access.
Drawers, cabinets, rooms and other storage locations containing personal data must be kept closed and locked when not in use or when not attended. Keys for these storage locations must, at all times, be kept secure.
Privacy Focal Persons shall lead the implementation of the CWC’s Organizational and Physical Data Protection Measures Policy in their respective divisions, units and offices.
5. Design of office space/workstation
As much as practicable: (1) machines and workspaces shall be positioned in consideration of privacy and the protection of the processing of personal data; and (2) workspaces shall be configured and designed to restrict documents, files, and screens from the view of those who are not assigned to the concerned workspace.
Printouts containing personal data should be immediately removed from printers.
6. Persons involved in processing, and their duties and responsibilities
Persons involved in processing shall always maintain confidentiality and integrity of personal data. They are not allowed to bring their own gadgets or storage devices of any form when entering the data storage room.
7. Modes of transfer of personal data within the organization, or to third parties
Transfers of personal data via electronic mail shall use a secure email facility with encryption of the data, including any or all attachments. Facsimile technology shall not be used for documents containing personal data.
Physical disclosure or transfer of documents containing personal data shall be conducted by CWC personnel whose work functions include the transmission or delivery of the concerned document when related to a legitimate purpose. In case of special circumstances wherein the work functions of the individual involved do not include the transmission or delivery of the document, the approval of the Privacy Focal Person having jurisdiction is necessary.
8. Retention and disposal procedure
Records retention and disposal schedule shall adhere to the NAP Circular No. 1 dated 20 January 2009.
- Technical Measures
1. Monitoring for security breaches
As needed, each division, unit or office shall determine and use technologies not falling below industry standards and practices necessary to prevent any attempt to interrupt or disrupt data processing systems.
2. Security features of the software/s and application/s used
Application software and system software should be reviewed and evaluated by the appropriate information technology personnel from the Management Information Systems Unit (MISU) prior to their installation and use in computers and devices. Compatibility of security features with overall operations must also be ensured by these personnel.
3. Process for regularly testing, assessment and evaluation of effectiveness of security measures
The CWC, led by MISU, shall review security policies, conduct vulnerability assessments, and perform penetration testing within the CWC on a regular schedule to be coordinated with the appropriate division, unit or office.
4. Encryption, authentication process, and other technical security measures that control and limit access to personal data
Personal data at rest, in transit and in use must, at all times, maintain their confidentiality, integrity and availability through compliance with the CWC’s Information Security Policy, the implementation of which shall be led by Privacy Focal Persons.
Personal data that are digitally processed are preferably encrypted, whether at rest or in transit. An appropriate encryption minimum standard (such as Advanced Encryption Standard with a key size of 256 bits (AES-256) or its predecessor technology) is preferred. Passwords or passphrases used to access personal data should be of sufficient strength to deter password attacks. Passwords and passphrases should be at least twelve (12) characters long. The MISU shall ensure password and passphrase policies are at par with security best practices.
Transfers of personal data via electronic mail shall use a secure email facility with encryption of the data, including any or all attachments.
BREACH AND SECURITY INCIDENTS
The mitigation, management and resolution of Security Incidents and Personal Data Breaches require the coordination of various CWC’s personnel. All concerned should be vigilant in their responsibilities to enable an effective security incident management process.
- Creation of a Data Breach Response Team
A Data Breach Response Team, composed of all the Privacy Focal Persons, shall be responsible for ensuring immediate action in the event of a security incident or personal data breach. The team shall conduct an initial assessment of the incident or breach in order to ascertain the nature and extent thereof. It shall also execute measures to mitigate the adverse effects of the incident or breach.
- Measures to prevent and minimize occurrence of breach and security incidents
The Privacy Focal Persons shall conduct Privacy Impact Assessments, as needed, to identify risks in the processing system, monitor for security breaches, and perform vulnerability scanning of computer networks.
CWC personnel directly involved in the processing of personal data must attend trainings and seminars for capacity building.
Divisions, units and offices should conduct inventories of information assets. As far as practicable, these divisions, units and offices should adopt information security policies that address the specific needs of their divisions, units and offices with applicable controls and procedures. In no case shall a policy specific to a division, unit or office supersede or prevail over the CWC’s data privacy policies.
There shall be a system to regulate access to data centers owned or controlled by the CWC. Appropriate security clearances or access control lists should be set up for classes of administrators and users. There should be an access control system that records when, where, and by whom the data centers are accessed. Copies of access control lists and similar records must be filed with the MISU.
- Procedure for recovery and restoration of personal data
The CWC’s divisions, units and offices shall always maintain a backup for all personal data under their custody. In the event of a security incident or data breach, they shall always compare the backup with the affected file to determine the presence of any inconsistencies or alterations resulting from the incident or breach.
As far as practicable, divisions, units and offices shall have disaster recovery and continuity plans to ensure availability of data despite the occurrence of disruptions.
- Notification protocol
The Head of the Data Breach Response Team shall inform the management of the need to notify the Commission and the data subjects affected by the incident or breach within the period prescribed by law. Management may decide to delegate the actual notification to the head of the Data Breach Response Team. In the event of a data breach, the concerned office must immediately inform the DPO of the incident. Upon clearance from the DPO, MISU shall then submit a notification report to the NPC within 72 hours through the Data Breach Notification Management System (DBNMS) online platform, which can be accessed via https://dbnms.privacy.gov.ph. Additionally, a comprehensive incident report must be submitted by the respective office within five (5) days from the day of the identification of the incident, unless the Agency requests and receives the NPC’s approval for an extension. Whenever applicable, the DPO shall submit an Annual Security Incident Report (ASIR) to the NPC through the DBNMS.
- Documentation and reporting procedure of security incidents or a personal data breach
The Data Breach Response Team shall prepare a detailed documentation of every incident or breach encountered, as well as an annual report, to be submitted to Management and the Commission, within the prescribed period.
INQUIRIES AND COMPLAINTS
Data subjects may inquire or request information regarding any matter relating to the processing of their personal data under the custody of the CWC, including the data privacy and security policies implemented to ensure the protection of their personal data. They may email the CWC at dpo@cwc.gov.ph and briefly discuss the inquiry, together with their contact details for reference.
Complaints may be filed in three (3) legible printed copies at the CWC Central Office or emailed to dpo@cwc.gov.ph. The DPO shall confirm with the complainant its receipt of the complaint and inform the concerned division, unit or office. The DPO may instruct the concerned Privacy Focal Person to coordinate with all necessary third parties, including dealing with the complainant.
Review of data privacy policies and guidelines
The Data Privacy Policy and its guidelines shall be reviewed every three (3) years. Updates on the policy shall be recommended by the Data Breach Response Team and approved by the Head of Agency, as needed.
EFFECTIVITY AND APPROVAL
All internal policies inconsistent herewith in part or in full, are hereby modified, revoked or repealed accordingly. This Policy shall take effect immediately.

