WIRELESS LINK TECHNOLOGIES INC.
Republic Act No. 10173, also known as the Data Privacy Act of 2012 (DPA), aims to protect personal data in information and communications systems both in the government and the private sector.
It ensures that entities or organizations processing personal data establish policies, and implement measures and procedures that guarantee the safety and security of personal data under their control or custody, thereby upholding an individual’s data privacy rights. A personal information controller or personal information processor is instructed to implement reasonable and appropriate measures to protect personal data against natural dangers such as accidental loss or destruction, and human dangers such as unlawful access, fraudulent misuse, unlawful destruction, alteration and contamination.
To inform its personnel of such measures, each personal information controller or personal information processor is expected to produce a Privacy Manual. The Manual serves as a guide or handbook for ensuring the compliance of an organization or entity with the DPA, its Implementing Rules and Regulations (IRR), and other relevant issuances of the National Privacy Commission (NPC). It also encapsulates the privacy and data protection protocols that need to be observed and carried out within the organization for specific circumstances (e.g., from collection to destruction), directed toward the fulfilment and realization of the rights of data subjects.
This Privacy Manual is hereby adopted in conformity with Republic Act No. 10173 or the Data Privacy Act of 2012 (DPA), its implementing rules and regulations, and other relevant policies, including the issuances of the National Privacy Commission. This organization respects and values your data privacy rights, and makes sure that all personal data collected from you, our clients and customers, are processed in adherence to the general principles of transparency, legitimate purpose, and proportionality.
This Manual shall apprise you of our data protection and security measures, and may serve as your guide in exercising your rights under the Data Privacy Act.
III. DEFINITION OF TERMS
For purposes of this Manual, the following terms are defined as follows:
- Data Subject – refers to an individual whose personal or confidential information is processed by Wireless Link Technologies Inc. It may refer to its officials, employees, and clients.
- Personal Data – refers to all types of personal information.
- Personal Data Breach – refers to a violation of security leading to the accidental or illegitimate destruction, loss, alteration, unsanctioned disclosure of, or access to personal data transmitted, stored or otherwise processed.
IV. SCOPE AND LIMITATIONS
All personnel of Wireless Link Technologies Inc., regardless of the type of employment or contractual arrangement, must conform with the terms set out in this Privacy Manual.
V. PROCESSING OF PERSONAL DATA
Wireless Link Technologies Inc. collects the privileged information of clients and customers, including their full name, address, email address, contact number, along with the products that they would like to purchase. The sales representative attending to clients will gather such information through accomplished order forms.
Data gathered shall be used by Wireless Link Technologies Inc. for documentation purposes, warranty tracking of purchased items, and for the inventory of products.
We also use the information collected to improve our systems and ensure our services are working as intended such as troubleshooting issues that were reported to us.
C. Storage, Retention and Destruction
Wireless Link Technologies Inc. will ensure that privileged data under its custody are protected against any accidental or unlawful destruction, alteration and disclosure as well as against any other illegal processing.
Due to the sensitive and confidential nature of the data under the custody of Wireless Link Technologies Inc., only the client and the authorized representatives of the company shall be allowed to access such data, for any purpose except for those contrary to the law, public policy, public order or morals.
E. Disclosure and Sharing
All employees and personnel of Wireless Link Technologies Inc. shall preserve the confidentiality and secrecy of all private data that come to their custody and knowledge, even after resignation, termination of contract, or other contractual relations. Private data under the possession of the company shall be divulged only in accordance with a legal purpose, and to an authorized recipient of such data.
VI. SECURITY MEASURES
A. Organization Security Measures
1. Data Protection Officer (DPO)
The appointed Data Protection Officer is Mr. Carlo C. Dalino, who is at the same time serving as a Software Developer of Wireless Link Technologies Inc.
2. Functions of the Data Protection Officer
The Data Protection Officer shall supervise the compliance of the organization with the Data Privacy Act, its Implementing Rules and Regulations, and other related policies, including the conduct of a Privacy Impact Assessment, implementation of security measures, security incident and data breach protocol, and the inquiry and complaints procedure.
3. Conduct of trainings or seminars to keep personnel updated on data privacy and security developments
Wireless Link Technologies Inc. shall sponsor a mandatory training on data privacy and security at least once a year. For personnel directly involved in the processing of private data, management shall ensure their participation in relevant trainings and orientation, as often as necessary.
4. Conduct of Privacy Impact Assessment (PIA)
Wireless Link Technologies Inc. shall conduct a Privacy Impact Assessment relative to all activities, projects and systems involving the processing of private data. It may choose to outsource the conduct of a Privacy Impact Assessment to a third party.
5. Recording and documentation of activities carried out by the DPO, or the organization itself, to guarantee compliance with the Data Privacy Act, its Implementing Rules and Regulations and other relevant policies.
Wireless Link Technologies Inc. shall sponsor a compulsory training on data privacy and security at least once a year. For personnel directly involved in the processing of personal data, management shall ensure their participation in pertinent trainings and orientations, as often as necessary.
6. Duty of Confidentiality
All employees of Wireless Link Technologies Inc. will be asked to sign a Non-Disclosure Agreement. All employees with access to personal data shall operate and hold private data under strict confidentiality.
7. Review of Privacy Manual
This Manual shall be reviewed and evaluated once a year. Privacy and security policies and practices within the organization shall be updated to remain consistent with current data privacy best practices.
B. Physical Security Measures
1. Format of data to be collected
Private data in the custody of Wireless Link Technologies Inc. may be in digital/electronic format and paper-based/physical format.
2. Storage type and location
All private data being processed by Wireless Link Technologies Inc. shall be stored in a data room, where paper-based documents are kept in locked filing cabinets while the digital/electronic files are stored in computers provided and installed by the company.
3. Access procedure of agency personnel
Only authorized personnel shall be allowed inside the data room. For this purpose, they shall each be given a duplicate of the key to the room. Other personnel may be granted access to the room upon filing of an access request form with the Data Protection Officer and the latter’s approval thereof.
Employees and personnel are prohibited from storing any files or documents involved in the organization’s processes on their personal devices or gadgets, such as laptops, mobile phones or unauthorized USB flash drives, to prevent data leakage.
4. Monitoring and limitation of access to room or facility
All personnel authorized to enter and access the data room or facility must fill out and register with the online registration platform of the organization, and a logbook placed at the entrance of the room. They shall indicate the date, time, duration and purpose of each access. For effective monitoring, the data room shall have at least one (1) security camera installed.
5. Persons involved in processing, and their duties and responsibilities
Persons involved in processing shall always maintain confidentiality and integrity of private data. They are not allowed to bring their personal gadget or storage device of any form when entering the data storage room.
6. Modes of transfer of personal data within the organization, or to third parties
Transfers of private data via electronic mail shall use a secure email facility with encryption of the data, including any or all attachments. Facsimile technology shall not be used for transmitting documents containing private data.
7. Retention and disposal procedure
Wireless Link Technologies Inc. shall retain the private data of a client for one (1) year from the date of acquisition. Upon expiration of such period, all physical and electronic copies of the private data shall be disposed of and expunged using secure technology.
C. Technical Security Measures
1. Monitoring for security breaches
Wireless Link Technologies Inc. shall use an intrusion detection system to monitor security breaches and alert the organization of any attempt to interrupt or disturb the system.
2. Security features of the software/s and application/s used.
Wireless Link Technologies Inc. shall first review and evaluate software applications before the installation thereof in computers and devices of the organization to ensure the compatibility of security features with overall operations.
3. Process for regular testing, assessment and evaluation of effectiveness of security measures.
Wireless Link Technologies Inc. shall review security policies, conduct vulnerability assessments and perform penetration testing within the company on a regular schedule to be prescribed by the appropriate department or unit.
4. Encryption, authentication process, and other technical security measures that control and limit access to private data.
Each personnel with access to personal data shall verify his or her identity using a secure encrypted link and multi-level authentication.
VII. BREACH AND SECURITY INCIDENTS
1. Creation of a Data Breach Response Team
A Data Breach Response Team composed of five (5) officers shall be responsible for ensuring immediate action in the event of a security incident or personal data breach. The team shall conduct an initial assessment of the incident or breach in order to ascertain the nature and extent thereof. It shall also execute measures to mitigate the adverse effects of the incident or breach.
2. Measures to prevent and minimize occurrence of breach and security incidents.
Wireless Link Technologies Inc. shall regularly conduct a Privacy Impact Assessment to identify risks in the processing system, monitor for security breaches, and perform vulnerability scanning of computer networks. Personnel directly involved in the processing of personal data must attend trainings and seminars for capacity building. There must also be a periodic review of policies and procedures being implemented in the organization.
3. Procedure for recovery and restoration of personal data
Wireless Link Technologies Inc. shall always maintain a backup file for all personal data under its custody. In the event of a security incident or data breach, it shall always compare the backup with the affected file to determine the presence of any inconsistencies or alterations resulting from the incident or breach.
4. Notification protocol
The Head of the Data Breach Response Team shall inform the management of the need to notify the NPC and the data subjects affected by the incident or breach within the period prescribed by law. Management may decide to delegate the actual notification to the head of the Data Breach Response Team.
5. Documentation and reporting procedure of security incidents or a personal data breach
The Data Breach Response Team shall prepare a detailed documentation of every incident or breach encountered, as well as an annual report, to be submitted to management and the NPC, within the prescribed period.
VIII. Inquiries and Complaints
Data subjects may inquire or request information regarding any matter relating to the processing of their personal data under the custody of the organization, including the data privacy and security policies implemented to ensure the protection of their personal data. They may write to the organization at firstname.lastname@example.org and briefly discuss the inquiry, together with their contact details for reference. Complaints shall be filed in three (3) printed copies, or sent to email@example.com. The concerned department or unit shall confirm with the complainant its receipt of the complaint.
The provisions of this Manual are effective by January 2020, until revoked or amended by this company, through a Board Resolution.