The Data Protection Officer
Last month, the National Privacy Commission (NPC) came out with an Advisory (No. 2017-01) regarding the designation of a data protection officer (DPO). The administrative issuance establishes a set of guidelines meant to help organizations and individuals understand the concept of a DPO and its functions.
The notion of having a DPO or a specific individual in an organizational setting in charge of data privacy or data protection is not new. Germany, for instance, has been requiring DPOs in certain private and public bodies since the early 1990s. New Zealand has its Privacy Officer, while countries like Hong Kong and Australia strongly urge having a DPO or Privacy Contact Officer, respectively. In the European Union, the General Data Protection Regulation (GDPR), which is set to take effect next year on 25 May 2018, also makes it mandatory to appoint a DPO in specific instances.
Indeed, an increasing number of laws around the world now require organizations to have at least one person responsible for privacy or data protection issues. In some instances, companies have appointed DPOs or privacy officers even in the absence of an explicit legal requirement.
This post outlines the key points of the NPC issuance:
Who are required to designate a DPO?
Under Philippine law, all entities that qualify as personal information controllers (PICs) and personal information processors (PIPs) are required to designate one or more individuals who shall be responsible for their compliance with the country’s data protection policies, particularly the Data Privacy Act of 2012.
Anyone or anything processing personal data is essentially a PIC or PIP. This means each one of them—whether part of the government or the private sector, a big company or a small one, an organization or an individual—must have a DPO.
That said, there are instances wherein the NPC will allow some derogation from this rule. In these instances, a PIC or PIP may be allowed to designate a so-called Compliance Officer for Privacy (COP) instead of a DPO. Let us take a look at these special cases:
LGUs. Where the next higher/larger type of LGU it forms part of already has a DPO, a component city, municipality, or barangay will be allowed to designate a COP. The concerned DPO will play a supervisory role.
Government Agencies. Government agencies and offices that have sub-units (e.g., regional offices, provincial offices, etc.) may also designate a COP for each of these units. They, too, will be under the supervision of the DPO.
Private Entities. In the case of private entities that also have sub-offices or component units, each sub-office may also have a COP.
Group of Companies. It is possible for a group of companies to have a single DPO, with only a COP for each member. This option, however, may not be readily availed of. A group hoping to adopt this setup will have to seek authorization from the NPC.
Analogous Cases. PICs or PIPs in similar or analogous circumstances may also secure the approval of the Commission insofar as the designation of a COP is concerned.
Who may be designated as a DPO?
In terms of setting parameters that determine the qualifications of an ideal DPO, the NPC opted to give PICs and PIPs significant elbow room by avoiding very specific requirements. The minimum set of qualifications it provided includes:
Knowledgeable. Given its range of functions, a DPO should be knowledgeable of a number of things: (a) relevant privacy or data protection laws and policies; (b) the processing operations, internal structure, and policies of the PIC/PIP; and (c) the sector or industry of the PIC/PIP. The importance of this requirement is evident: ignorance or lack of familiarity with any of these things will prevent, or at least significantly limit, the DPO’s ability to do its job.
Organic and Accessible. Except in rare cases, the DPO must be working full-time for the PIC/PIP. He or she must be an organic part of the organization. In government, the DPO post may be a career or appointive position. In the private sector, it should ideally be a regular or permanent position. If the engagement is contract-based, the term of the contract should be at least two years. Stability is key to ensuring an effective data protection regime.
Direct Access to Management. While the DPO need not be part of management, its direct access to the top officers of the organization is paramount. Many of the outputs of a DPO require the immediate attention of, or action from, management, and they are crucial in maintaining an informed decision-making process.
The qualifications of a COP will be proportional to its functions, as provided in the Advisory and any other role assigned to him by the PIC/PIP.
What is a DPO supposed to do?
Up until the issuance of the Advisory, most people came to rely on the literal meaning of the law when it says that a DPO will be “accountable for the compliance” of his or her organization. Understandably, this caused a lot of hesitation—if not outright resistance—on the part of those being considered for the DPO position. The NPC sought to address this by listing what it expected each DPO to be responsible for:
Monitor compliance. Perhaps the key function of a DPO is monitoring his or her principal’s compliance with data protection or data privacy policies. This may consist of several things:
1. Collecting information about the PIC/PIP’s personal data processing systems
2. Analyzing and checking security features, accreditations, and certifications
3. Advising the PIC/PIP on matters relating to personal data processing (e.g., outsourcing, data sharing, etc.)
Ensure the conduct of a Privacy Impact Assessment (PIA). A PIA is undertaken whenever a PIC/PIP develops a new system, program, or project that involves personal data. The goal is to surface any inherent weaknesses or risks, in order to allow for the necessary adjustments (or the scrapping of the project altogether) before any injury or damage is done. The DPO’s involvement in the conduct of the PIA is highly recommended. At the very least, however, his or her advice should be secured whenever possible.
Advise regarding the exercise by a data subject of his or her rights. The law gives the people, as data subjects, a number of rights that they can then assert or invoke against PICs/PIPs. The DPO must be able to advise its principal how to properly deal with such situations. A balance must be struck between allowing the proper exercise of rights, and protecting a PIC/PIP from vexatious or baseless actions.
Ensure proper data breach management and other security measures. Data breaches and security incidents will happen, regardless of how good the security measures a PIC/PIP puts in place are. This doesn’t mean, of course, that a PIC/PIP should not bother putting them up. They still prevent a large number of potential problems, or at least mitigate their impact. For this reason, a good DPO should ensure that his or her principal has a sound data breach management protocol and other security mechanisms.
Inform and cultivate awareness. The development of a culture of privacy among people and organizations is very important, especially given today’s fast-paced technology-driven setting. The DPO must fulfil its part in this aspect by leading the conduct of trainings, seminars, and other capacity-building efforts in relation to privacy and data protection.
Serve as contact person. For any matter or concern that involves privacy and data protection, the DPO must serve as the PIC/PIP’s primary contact person vis-à-vis other PIC/PIP personnel, the public, the NPC, and other regulatory authorities.
Cooperate and coordinate with the NPC. When issues surface—and they will—and the DPO is uncertain as to what steps to recommend to the PIC/PIP, it should not hesitate to coordinate with the NPC. The DPO may even request an official opinion or set up a meeting with the relevant offices of the Commission. Where the NPC has an ongoing investigation, the DPO should also extend full cooperation to ensure a swift and proper resolution of cases.
A common question asked regarding the functions of a DPO is whether they can be outsourced by the PIC/PIP. In its Advisory, the NPC has officially responded to this by explaining that it will allow such an option, with the caveat that the DPO must always remain the contact person of the PIC/PIP insofar as the Commission is concerned. As regards functions that have been outsourced, the DPO retains the responsibility of ensuring that they are carried out properly by the third-party service provider.
One final note: The principal distinction between a DPO and a COP is that a COP is not expected to perform the first three functions assigned to the DPO.
What are the obligations of a PIC/PIP vis-à-vis its DPO?
To be sure, PICs and PIPs are not without their own responsibilities in relation to their DPO. The effectiveness of a DPO’s work relies heavily on the support he or she receives from the principal. The obligations of the PIC/PIP include:
Introduce. Each PIC/PIP must let everybody know how to contact its DPO, and make them understand his or her functions. “Everybody” here includes the PIC’s/PIP’s personnel, its customers/clients/constituency, the public at large, the NPC, and other regulatory agencies. Note that it is not necessary that the name of the DPO be publicly known, for so long as the contact information is provided. However, should any interested party inquire as to his or her identity, such information should be disclosed.
Involve. The PIC/PIP should involve the DPO in all processes or issues that concern personal data, at the soonest possible time. The DPO should be given appropriate access to the systems, projects, or programs that involve personal data. He or she should be able to attend meetings or be a member of relevant groups where insights regarding data protection are of high value.
Equip. The job of a DPO is no simple task and will undoubtedly require a proportionate amount of time and resources. It is important that he or she be given all the support necessary for him or her to do the job well. Resources in this sense could mean funding support, additional manpower, tools and equipment, and most importantly, the requisite trainings.
Protect. A PIC/PIP should not punish—or threaten to punish—the DPO for doing his or her job. A fully functional DPO makes the PIC/PIP better at protecting personal data, even if this means finding flaws in the PIC/PIP’s systems or mistakes committed by its other personnel.
Respect. The DPO should be given sufficient independence and autonomy in the performance of its functions. It should not receive any undue influence or instructions from the PIC/PIP as to how to do its job. Should disagreements arise, there should be efforts to resolve such conflicts, and if the two views are irreconcilable, the final decision remains with the principal. It is always good practice to document the disagreement, the efforts to resolve it, and how it was resolved.
Be Accountable. The DPO is there to assist the PIC/PIP in complying with the law. Under no circumstances does it take the responsibility of compliance away from the principal.
On top of what has just been laid out, three other key takeaways should be taken to heart by PICs/PIPs and DPOs/COPs alike:
(1) When something goes wrong, or in the event of a complaint, there is no automatic assignment of accountability on the DPO, the head of agency, or the PIC/PIP, for that matter. Each case will be assessed and investigated based on its own merits. Any finding of liability will be in accordance with the tenets of due process and will be pursuant to law.
(2) A DPO is a unique member of the PIC/PIP’s organization in that, while it remains subject to most rules and regulations that apply to all other personnel, it must be allowed to act independently in the performance of its tasks. This is the only way for it to do its job properly. A PIC/PIP that meddles with the work of its DPO is bound to suffer for it at some point, when significant damage results from a problem that could have been addressed properly had the DPO been allowed to do its job sans any interference or undue influence.
(3) In everything that it does, a DPO must still remember to keep secret or confidential the nature of its post, and any information it may come across in the course of its work. Of course, this is largely determined by any applicable contract with the PIC/PIP and by law.
DPOs, above all else, are privacy advocates whose role in today’s data-driven society is expected to increase as governments and businesses find more uses for personal data. As advocates, they stand guard against risks and dangers that can negatively impact personal data and its uses, to the detriment of the people it belongs to. Especially during this crucial early period, a DPO doing its job well may very well be the only thing that stands between a secure and effective data processing system and complete disaster.