Privacy Policy

I. OUR OBJECTIVES
To respect and value data privacy rights and ensure that all personal data collected from the Data Subject are processed in adherence to the general principle of transparency, legitimate purpose, and proportionality.

To ensure that personal data under the control of the Company remain safe and secure in the course of implementing its key operations and processes.

II. POLICY STATEMENTS
Pursuant to R.A. 10173, otherwise known as the “Data Privacy Act of 2012 (DPA)”, its Implementing Rules and Regulations (IRR), and other issuances of the National Privacy Commission (NPC), Medical Test Systems, Inc., referred to as the “Company”, adheres to the State ideals of protecting the fundamental human right of privacy, while ensuring the free flow of information to promote innovation and growth.

III. DEFINITION OF TERMS
Data Subject – refers to an individual whose Personal, Sensitive Personal, and/or Privileged Information is processed by the Company. It may refer to members of the board of directors, officers, employees (whether probationary, regular or contractual), trainees, applicants, consultants, and clients of this organization and other persons whose Personal Data are collected and processed by the Company.

Personal Data – collectively refers to Personal Information, Sensitive Personal Information and/or Privileged Information.

Personal Information – refers to any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information, would directly and certainly identify an individual.

Examples: name, address, birth date, birthplace, contact number, gender, citizenship, and other identifying information.

Sensitive Personal Information – refers to Personal Information:

a) About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;

b) About an individual’s health, education, genetic or sexual life, or to any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings;

c) Issued by government agencies peculiar to an individual, which include, but are not limited to, social security numbers, previous or current health records, licenses or their denial, suspension or revocation, and tax returns; and

d) Specifically established by an executive order or an act of Congress to be kept classified.

Privileged Information – refers to all forms of data, which under the Rules of Court and other pertinent laws, constitute privileged communication.

Processing – refers to any operation or set of operations performed upon Personal Data including, but not limited to, its collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction, whether performed through automated means or manual processing, if the Personal Data is contained or is intended to be contained in a filing system.

Security Incident – is an event or occurrence that affects or tends to affect data protection, or may compromise the availability, integrity and confidentiality of Personal Data. It includes incidents that would result in a Personal Data Breach, if not for safeguards that have been put in place.

Personal Data Breach – refers to a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed. A Personal Data Breach may be of any of the following natures:

a) Availability Breach – which results from the loss of, or accidental or unlawful destruction of Personal Data;

b) Confidentiality Breach – which results from the unauthorized disclosure of, or access to Personal Data; and/or

c) Integrity Breach – which results from the alteration of Personal Data.

Data Protection Officer/s or DPO – refers to an individual designated by the head of the organization to be accountable for its compliance with the Data Privacy Act, its IRR, and other issuances of the National Privacy Commission. The individual must be an organic employee.

Authorized Personnel – refers to an individual accountable for processing personal data.

IV. GUIDELINES
RIGHTS OF THE DATA SUBJECT
As provided under the DPA, a Data Subject has the following rights in connection with the Processing of his/her Personal Data. Employees and Authorized Personnel of the Company shall respect the rights of the Data Subjects. The DPO, with the assistance of the Human Resources Division, shall be responsible for monitoring such compliance and developing appropriate disciplinary measures.

A. RIGHT TO BE INFORMED
The Data Subject has the right to be informed whether Personal Data pertaining to him/her shall be, are being, or have been processed.

Before entry of his/her Personal Data into the records of the Company, or at the next practical opportunity, the Data Subject shall be notified and furnished with the following information:

a) description of the Personal Data to be entered into the system;

b) purpose/s for which Personal Data are being or will be processed;

c) basis of Processing, when Processing is not based on the consent of the Data Subject;

d) scope and method of the Personal Data Processing;

e) recipient/s or classes of recipient/s to whom the Personal Data are or may be disclosed or shared;

f) method utilized for automated access, if the same is allowed by the Data Subject, and the extent to which such access is authorized, including meaningful information about the logic involved, as well as the significance and the envisioned consequences of such Processing for the Data Subject;

g) identity and contact details of the Company representatives and/or DPO;

h) period for which the Personal Data will be stored; and

i) existence of his/her rights as Data Subject, including the right to lodge a complaint before the Commission.

B. RIGHT TO OBJECT
The Data Subject shall have the right to object to the Processing of his/her Personal Data. The Data Subject shall also be notified and given an opportunity to withhold consent to the Processing in case of changes or any amendment to the information supplied or declared to the Data Subject in the preceding section. When a Data Subject objects or withholds consent, the Company shall no longer process the Personal Data, unless:

a) the Personal Data is needed pursuant to a subpoena;

b) the Processing is for obvious purposes, including when it is necessary for the performance of or in relation to a contract or service to which the Data Subject is a party, or when necessary or desirable in the context of an employer-employee relationship between the Company and the Data Subject; or

c) the Personal Data is being collected and processed to comply with a legal obligation.

C. RIGHT TO ACCESS
The Data Subject has the right to demand reasonable access to the following:

a) contents of his/her Personal Data that were processed;

b) sources from which Personal Data were obtained;

c) names and addresses of recipient/s of the Personal Data;

d) manner by which his/her Personal Data were processed;

e) reasons for the disclosure of the Personal Data to recipient/s, if any;

f) information on automated processes where the Personal Data will, or is likely to, be made the sole basis for any decision that significantly affects the Data Subject;

g) date when Personal Data concerning the Data Subject were last accessed and modified; and

h) the designation, name or identity, and address of the DPO.

D. RIGHT TO CORRECTION
The Data Subject has the right to dispute the inaccuracy or rectify the error in his/her Personal Data, and the Company shall correct it immediately and accordingly, unless such request is vexatious or unreasonable. If the Personal Data has been corrected, the Company shall ensure the accessibility of both the new and the retracted Personal Data and the simultaneous receipt of the new and the retracted Personal Data by the intended recipient thereof. Recipients or third parties who have previously received such processed Personal Data shall be informed of its inaccuracy and its rectification, upon reasonable request of the Data Subject.

E. RIGHT TO ERASURE OR BLOCKING
The Data Subject shall have the right to suspend, withdraw, or order the blocking, removal, or destruction of his/her Personal Data from the Company’s filing system, and may exercise such right upon discovery and substantial proof of any of the following:

a) the Personal Data is incomplete, outdated, false, or unlawfully obtained;

b) the Personal Data is being used for a purpose not authorized by the Data Subject;

c) the Personal Data is no longer necessary for the purpose/s for which it was collected;

d) the Data Subject withdraws consent of or objects to the Processing, and there is no other legal ground or overriding legitimate interest for the Processing;

e) the Personal Data concerns private information prejudicial to the Data Subject, unless justified by the freedom of speech, of expression, or of the person or otherwise authorized;

f) the Processing is unlawful; or

g) the Data Subject’s rights have been violated.

The Company shall notify third parties who have previously received such processed Personal Data that the Data Subject has withdrawn his/her consent to the Processing thereof upon reasonable request by the Data Subject.

F. TRANSMISSIBILITY OF RIGHTS OF DATA SUBJECTS
Any lawful heirs and/or assigns of the Data Subject may invoke the rights of the Data Subject to which he/she is an heir and/or assignee, at any time after the death of the Data Subject, or when the Data Subject is incapacitated or incapable of exercising his/her rights.

DATA PROCESSING RECORDS
COLLECTION
The DPO and the Authorized Personnel shall be responsible for ensuring that these records are kept confidential, and Processing shall be permitted only if not prohibited by law, and when at least one of the following conditions exists:

a) the Data Subject has given his or her consent;

b) the Processing of Personal Data is necessary and is related to the fulfillment of a contract with the Data Subject, or in order to take steps at the request of the Data Subject prior to entering into a contract;

c) the Processing is necessary for compliance with a legal obligation to which the personal information controller is subject;

d) the Processing is necessary to protect vitally important interests of the data subject, including life and health;

e) the Processing is necessary in order to respond to national emergency, to comply with the requirements of public order and safety, or to fulfill functions of public authority which necessarily includes the Processing of Personal Data for the fulfillment of its mandate;

f) the Processing concerns such Personal Information as is necessary for the protection of lawful rights and interests of natural or legal persons on court proceedings, or the establishment, exercise or defense of legal claims, or when provided to government or public authority; or

g) the Processing is necessary for the purposes of the legitimate interests pursued by the personal information controller or by a third party to whom the data is disclosed, except where such interests are overridden by fundamental rights and freedom of the Data Subject which require protection under the Philippine Constitution.

USE
The Company’s use of the Personal Data shall only be for the purpose of carrying out the business operation. The Processing shall be for the following general purposes:

a) to document and manage records;

b) to conduct due diligence prior to executing a contract, and to facilitate the fulfillment of the terms of the contract thereafter; and

c) to comply with legal, regulatory and contractual obligations, government reportorial requirements, and lawful orders of any court or tribunal.

STORAGE
The Personal Data of Data Subjects shall be stored in the pertinent filing system/s of the Company, such as but not limited to password-protected computer devices, secured filing cabinets, and the archive room.

RETENTION AND DISPOSAL
Personal Data should only be stored for as long as necessary to carry out an aspect of the business operation of the Company. The purpose/s for which it was collected and processed, as well as the applicable periods prescribed by law, if any, shall be considered in retaining the Personal Data.

Upon expiration of such retention period, all copies of the Personal Data, whether physical or electronic, shall be destroyed and disposed of in a secure manner. For physical (paper) copies, all sensitive paperwork should be shredded. For electronic copies, the data must be deleted from the system or PC, including any possible duplicates or traces.

DISCLOSURE AND DATA SHARING
At every stage of Data Processing, all employees, officers and directors, particularly Authorized Personnel, shall maintain the confidentiality and secrecy of all Personal Data that come to their knowledge and possession, even after resignation or termination of contract or other contractual relations.

Data sharing shall be allowed when it is expressly authorized by law, provided that there are adequate safeguards for data privacy and security, and the processing adheres to the principles of transparency, legitimate purpose and proportionality.

Data sharing shall also be allowed if the Data Subject gives consent, and the following conditions are complied with:

a) There shall be data sharing agreements that establish adequate safeguards for data privacy and security and uphold the rights of data subjects.

b) The data sharing agreement shall be subject to review on its commencement and/or upon complaint of data subject.

The Data Subject shall be provided with the following information prior to collection or before data is shared:

a) Identity of the personal information controllers or personal information processors that will be given access to the personal data;

b) Purpose of data sharing;

c) Categories of personal data concerned;

d) Intended recipients or categories of recipients of the personal data;

e) Existence of the rights of data subjects, including the right to access and correction, and the right to object;

f) Other information that would sufficiently notify the data subject of the nature and extent of data sharing and the manner of processing.

SECURITY MEASURES
The Company shall establish and implement reasonable and appropriate organizational, physical, and technical measures for the protection of Personal Data. Security measures aim to maintain the availability, integrity and confidentiality of Personal Data and protect it against natural dangers, such as accidental loss or destruction, and human dangers such as unlawful access, fraudulent misuse, unlawful destruction, alteration and contamination.

ORGANIZATIONAL
The Company shall appoint a designated Data Protection Officer (DPO). The following are the functions and responsibilities of the DPO:

a) Monitoring the Company’s Personal Data Processing activities in order to ensure compliance with applicable Personal Data privacy laws and regulations, including the conduct of periodic review to ensure that all the Company’s data privacy policies are adequately implemented by its employees and authorized personnel;

b) Developing, establishing, and reviewing policies and procedures for the exercise by Data Subjects of their rights under the Data Privacy Act and other applicable laws and regulations on Personal Data privacy;

c) Acting as the primary point of contact with whom Data Subjects may coordinate and consult on all concerns relating to their Personal Data;

d) Informing and cultivating awareness by giving orientation and training programs regarding Personal Data privacy policies;

e) Ensuring proper data breach and security incident management, including the preparation and submission of reports to the National Privacy Commission within the prescribed period, where required under the Data Privacy Act; and

f) Reviewing this policy so that it remains consistent with current data privacy best practices.

PHYSICAL
All Personal Data being processed shall be stored in a secured facility, whether virtual or physical. Papers or physical documents bearing Personal Data shall be stored in locked filing cabinets, access to keys to which shall be entrusted only to Authorized Personnel.

The design and layout of the office spaces and work stations of the Authorized Personnel, including the physical arrangement of furniture and equipment, shall be periodically evaluated and readjusted in order to provide privacy to anyone Processing Personal Data. Computers shall be positioned with considerable space between them and/or their screens protected, to maintain the privacy and protect the Processing of Personal Data.

Authorized Personnel shall, as much as practicable and possible, be assigned to office space and/or work stations with the least volume of foot traffic, to minimize the risk of Personal Data Breach and other Security Incident/s.

TECHNICAL
The Company shall implement technical security measures to make sure that there are appropriate and sufficient protections to secure the Processing of Personal Data, which shall include the following minimum requirements:

a) safeguards to protect the Company’s computer network and systems against accidental, unlawful, or unauthorized usage, any interference which will affect data integrity or hinder the functioning or availability of the system, and unauthorized access;

b) ability to ensure and maintain the confidentiality, integrity, availability, and resilience of the Company’s data processing system;

c) regular monitoring for security breaches, and a process both for identifying and assessing reasonably foreseeable vulnerabilities in the Company’s computer network and systems, and for taking preventive, corrective, and mitigating actions against security incidents that can lead to a Personal Data Breach;

d) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;

e) encryption of Personal Data during storage and while in transit, authentication process, and other technical security measures that control and limit access thereto.

DATA BREACH AND SECURITY INCIDENTS
NOTIFICATION
All employees and Authorized Personnel of the Company are tasked with regularly monitoring for signs of a possible data breach or security incident. In the event that such signs are discovered, the employees or Authorized Personnel shall immediately report the facts and circumstances to the DPO within twenty-four (24) hours from his/her discovery for verification as to whether or not a breach requiring notification under the Data Privacy Act has occurred, as well as for the determination of the relevant circumstances surrounding the reported breach and/or security incident.

A Data Breach Response Team comprising five (5) officers shall be responsible for ensuring immediate action in the event of a security incident or Personal Data Breach. The team shall conduct an initial assessment of the incident or breach in order to ascertain its nature and extent. It shall also execute measures to mitigate the adverse effects of the incident or breach.

The DPO shall inform the Management of the need to notify the NPC and the Data Subjects affected by the incident or breach within seventy-two (72) hours upon knowledge of, or when there is reasonable belief by the Management that, a Personal Data Breach requiring notification has occurred. A Personal Data Breach must be reported to the Commission under the following conditions:

a) the compromised data involves Sensitive Personal Information or other Personal Data that may, under the circumstances, be used to enable identity fraud;

b) there is reason to believe that the information may have been acquired by an unauthorized person; and

c) the unauthorized acquisition is likely to give rise to a real risk of serious harm to any affected Data Subject.

The incident report shall contain the following:

a) description of the nature of the breach;

b) Sensitive Personal Information possibly involved;

c) measures taken by the entity to address the breach;

d) measures taken to reduce the harm or negative consequences of the breach; and

e) name of the DPO or representatives of the Company, including their contact details, from whom the Data Subject can obtain additional information about the breach and any assistance to be provided to the affected Data Subjects.

DOCUMENTATION AND REPORTING
The DPO shall prepare detailed documentation of all security incidents and Personal Data Breaches, including those not covered by the notification requirements. In the case of Personal Data Breaches, the report shall include the facts surrounding the incident, the effects of such incident, and the remedial actions taken by the Company. For other security incidents not involving Personal Data, a report containing aggregated data shall constitute sufficient documentation. These reports shall be made available when requested by the NPC. A general summary of the reports shall be submitted to the NPC annually.

PROCEDURE FOR RECOVERY AND RESTORATION OF PERSONAL DATA
The Authorized Personnel shall maintain a backup file of all Personal Data under their custody. In the event of a security incident or data breach, they shall always compare the backup with the affected file to determine the presence of any inconsistencies or alterations resulting from the incident or breach.

INQUIRIES AND COMPLAINTS
For inquiries and complaints regarding their rights, Data Subjects may write to or email custcare@medtest.ph so that the concern can be discussed and acted upon.