DATA PRIVACY ACT
Sterling Global Call Center Privacy Manual
- Organizational Commitment
1. Sterling Global Call Center (SGCC), hereinafter referred to as the Personal Information Processor (PIP), is committed to upholding the data privacy rights of every individual. As PIP, SGCC implements reasonable and appropriate measures to protect personal data against natural dangers such as accidental loss or destruction, and against human dangers such as unlawful access, fraudulent misuse, unlawful destruction, alteration and contamination. This Manual serves as a guide or handbook for ensuring the compliance of the organization with the DPA, its Implementing Rules and Regulations (IRR), and other relevant issuances of the National Privacy Commission (NPC). It also encapsulates the privacy and data protection protocols that must be observed and carried out within the organization for specific circumstances (e.g., from collection to destruction), directed toward the fulfillment and realization of the rights of data subjects.
1.1 Background
Republic Act No. 10173, also known as the Data Privacy Act of 2012 (DPA), aims to protect personal data in information and communications systems both in the government and the private sector.
It ensures that entities or organizations processing personal data establish policies, and implement measures and procedures that guarantee the safety and security of personal data under their control or custody.
1.2 Introduction
This Manual shall inform you of SGCC’s data protection and security measures, and may serve as your guide in exercising your rights under the Data Privacy Act of 2012.
1.3 Definition of Terms
Terms used in this Manual are defined below for consistency and uniformity in usage.
1.3.1 “Data Subject” – refers to an individual whose personal, sensitive personal or privileged information is processed by the organization. It may refer to officers, employees, consultants, and clients of this organization.
1.3.2 “Personal Information” – refers to any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.
1.3.3 “Processing” – refers to any operation or any set of operations performed upon personal information including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data.
1.4 Scope and Limitations
This section defines the coverage of the Manual. This document applies to all employees of SGCC regardless of rank. All employees, regardless of the type of employment or contractual arrangement, must comply with the terms set out in this Privacy Manual.
1.5 Processing of Personal Data
This section lays out the various data life cycles (or processing systems) in existence within the organization, from the collection of personal data to its actual use, storage or retention, and destruction, and how each stage is carried out lawfully and fairly.
1.5.1 Collection – SGCC collects only the basic personal information of data subjects. All agents are trained in the proper collection and handling of personal information.
1.5.2 Use – Personal data collected shall be used by the agents only as required by Smart, as the Personal Information Controller (PIC), for the continued operation of the business.
1.5.3 Storage, Retention and Destruction – SGCC ensures that personal data under its custody, stored in the various system platforms of the PIC, are protected against accidental or unlawful destruction, alteration and disclosure, as well as against any other unlawful processing. The company implements appropriate security measures in storing collected personal information, depending on the nature of the information. Personal information gathered shall not be retained for longer than three months. After three months, all hard and soft copies of personal information shall be disposed of and destroyed through secure means.
1.5.4 Access (e.g. personnel authorized to access personal data, purpose of access, mode of access, request for amendment of personal data, etc.) – Due to the sensitive and confidential nature of the personal data under the custody of the company, stored in the various system platforms of the PIC, only the PIC and the authorized and certified representatives of SGCC shall be allowed to access such personal data, and only for a lawful purpose that is not contrary to law, public policy, public order or morals. Each representative is assigned an individual login name and password for every tool that his or her role is permitted to use; credentials are not shared.
1.5.5 Disclosure and Sharing – All employees and personnel of SGCC maintain the confidentiality and secrecy of all personal data that come to their knowledge and possession, even after resignation, termination of contract, or the end of other contractual relations. Personal data under the custody of the company, stored in the various system platforms of the PIC, shall be disclosed only pursuant to a lawful purpose, and only to authorized recipients of such data.
1.6.1 Organizational Security Measures
1.6.1.1 Data Protection Officer (DPO), or Compliance Officer for Privacy (COP)
Functions of the DPO, COP and/or any other responsible personnel with similar functions
The Data Protection Officer shall oversee the compliance of the organization with the DPA, its IRR, and other related policies, including the conduct of a Privacy Impact Assessment, implementation of security measures, security incident and data breach protocol, and the inquiry and complaints procedure.
The Data Protection Officer shall be responsible for structuring, designing and managing the privacy management program, including all procedures, monitoring/auditing, documenting, evaluating and follow-up.
The Data Protection Officer shall conduct trainings or seminars to keep personnel, including the Data Protection Officer, updated on developments in data privacy and security. The organization shall sponsor a mandatory training on data privacy and security at least once a year. For personnel directly involved in the processing of personal data, management shall ensure their attendance and participation in relevant trainings and orientations, as often as necessary.
The Data Protection Officer shall conduct a Privacy Impact Assessment (PIA). The organization shall conduct a PIA for all activities, projects and systems involving the processing of personal data. It may choose to outsource the conduct of a PIA to a third party.
The Data Protection Officer shall record and document the processing activities carried out by the organization, to ensure compliance with the DPA, its IRR and other relevant policies.
The Data Protection Officer shall enforce the duty of confidentiality: all employees will be asked to sign a Non-Disclosure Agreement, and all employees with access to personal data shall handle and hold personal data under strict confidentiality if the same is not intended for public disclosure.
The Data Protection Officer shall review and evaluate this Privacy Manual annually. Privacy and security policies and practices within the organization shall be updated to remain consistent with current data privacy best practices.
1.6.2 Physical Security Measures
This portion sets out the procedures intended to monitor and limit access to the facility containing the personal data, including the activities therein. To ensure that personal data under the custody of the organization are protected from mechanical destruction, tampering and alteration, as well as from man-made disasters, power disturbances, external access and other similar threats, the following provisions apply:
1.6.2.1 Format of data to be collected – Personal data in the custody of the organization may be in digital/electronic format or in paper-based/physical format.
1.6.2.2 Storage type and location – All personal data being processed by the organization shall be stored in a data room, where paper-based documents are kept in locked filing cabinets and digital/electronic files are stored on computers provided and installed by the company with appropriate encryption and security measures.
1.6.2.3 Access procedure of all staff, agents and clients
1.6.2.3.1 Agents and management staff must wear the company ID and the “on-duty” ID during their shift. The “on-duty” ID must be surrendered at the end of the shift.
1.6.2.3.2 All personnel entering the company premises must register in the logbook, indicating the date, time and their signature.
1.6.2.3.3 All bags and personal belongings must be left in the lockers. Clients must indicate in the logbook the purpose of their visit.
1.6.2.3.4 Only identified management staff shall be allowed to use their mobile phones inside the company premises.
1.6.2.3.5 All clients must register the serial numbers of their laptops. Clients who are allowed to use their mobile phones while visiting the company must be on the list provided to the DPO.
1.6.2.4 Design of office space/work station – Computers are positioned with considerable space between them so that one screen cannot be read from a neighboring station, to maintain privacy and protect the processing of personal data.
1.6.2.5 Persons involved in processing of data subjects’ information, and their duties and responsibilities – Persons involved in processing maintain the confidentiality and integrity of personal data. Personnel are not allowed to bring gadgets or storage devices of any form into the data storage room.
1.6.2.6 Modes of transfer of personal data within the organization, or to third parties – Transfers of personal data via electronic mail shall use a secure email facility that encrypts the message and any or all attachments. Facsimile shall not be used for transmitting documents containing personal data.
1.6.2.7 Retention and disposal procedure – The organization shall retain the personal data of a client for three months from the date of purchase. Upon expiration of such period, all physical and electronic copies of the personal data shall be destroyed and disposed of using secure means.
1.6.3 Technical Security Measures
The personal information processor implements technical security measures to ensure that there are appropriate and sufficient safeguards to secure the processing of personal data, particularly on the computer network in place, including encryption and authentication processes that control and limit access. They include the following, among others:
1.6.3.1 Monitoring of security breaches – SGCC uses an intrusion detection system to monitor for security breaches and to alert the organization of any attempt to interrupt or disrupt its systems. In addition, all workstations are joined to the company Active Directory domain, through which user accounts are centrally managed and activity at each workstation is logged for review.
1.6.3.2 Process for regular testing, assessment and evaluation of the effectiveness of security measures – The organization reviews its security policies, conducts vulnerability assessments and performs penetration testing within the company on a regular schedule to be prescribed by the appropriate department or unit.
1.6.3.3 Encryption, authentication process, and other technical security measures that control and limit access to personal data – Each person with access to personal data verifies his or her identity over a secure encrypted link using multi-level authentication before access is granted.
2. Breach and Security Incidents
The PIP develops and implements policies and procedures for the management of a personal data breach, including security incidents. This section describes and outlines such policies and procedures, including the following:
2.1 Creation of a Data Breach Response Team
The PIP has a Data Breach Response Team composed of nine (9) officers who are responsible for ensuring immediate action in the event of a security incident or personal data breach. The team shall conduct an initial assessment of the incident or breach in order to ascertain its nature and extent. It shall also execute measures to mitigate the adverse effects of the incident or breach.
2.2 Measures to prevent and minimize occurrence of breach and security incidents
The PIP regularly conducts a Privacy Impact Assessment to identify risks in its processing systems, monitors for security breaches, and performs vulnerability scanning of its computer networks. Correspondingly, the policies and procedures implemented in the organization are periodically reviewed.
2.3 Procedure for recovery and restoration of personal data
All personal data of data subjects are stored at the platforms of the PIC. Hence, all recovery and restoration, in case of a data breach shall be coordinated with the PIC.
2.4 Notification protocol
The Head of the Data Breach Response Team shall inform the management of the PIC without delay. Under NPC Circular 16-03, the PIC must notify the NPC and the affected data subjects within seventy-two (72) hours of knowledge of, or reasonable belief of, a notifiable personal data breach; the PIC may decide to delegate the actual notification to the National Privacy Commission, if the need arises.
2.5 Documentation and reporting procedure of security incidents or a personal data breach
The Data Breach Response Team shall prepare detailed documentation of every incident or breach encountered, as well as an annual report, to be submitted to top management and the NPC within the prescribed period. The report templates are as follows:
a. Data Breach form
b. Assessment Questionnaire
c. Data Breach Impact Severity Form
d. Checklist of additional information during the evaluation process
3. Inquiries and Complaints
Every data subject has the right to reasonable access to his or her personal data being processed by the personal information controller or personal information processor. Other available rights include: (1) right to dispute the inaccuracy or error in the personal data; (2) right to request the suspension, withdrawal, blocking, removal or destruction of personal data; and (3) right to complain and be indemnified for any damages sustained due to inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of personal data.
Procedure for Inquiries and Complaints
Data subjects may inquire or request for information regarding any matter relating to the processing of their personal data under the custody of the PIC, including the data privacy and security policies implemented to ensure the protection of their personal data.
As the PIP, SGCC’s certified agents and representatives shall handle inquiries and complaints of data subjects coursed through the PIC’s hotline channel (*888 or 02-888-1111).
Each agent and representative is trained to accurately document and escalate any inquiry or complaint raised to the PIC.
IT personnel are likewise trained to accurately document and escalate any inquiry or complaint raised to the PIC.