Data Privacy is both a business and regulatory requirement. RuralNet and CashKo Insurance Brokerage commit to safeguard all Personal Data under its custody and control. As such, it is imperative for its employees including contractors, partners and third parties contracted by RuralNet and CasKo Insurance Brokerage to implement adequate data protection measures across systems, applications and other components that are directly related to the collection; use, storage and transmission; retention; and disposal and destruction of Personal Data.
II.SCOPE
This policy covers RuralNet and CashKo Insurance Brokerage, henceforth referred to as the “Company”. This also applies to all employees including contractors, partners, vendors and contracted third parties as well as customers who are directly involved in processing personal data. The Personal Data coverage includes, but is not limited to the data of employees, applicants, customers and insurance policy holders.
III.DEFINITION OF TERMS
The following key terms used throughout this document are defined for clarification
A. Data Subject
Refers to an individual whose personal, sensitive personal or privileged information is processed by the Company.
B. Personal Data
Personal Data Refers to all types of personal information, i.e personal identifiable, sensitive personal and privileged, as defined below:
a. Personal Identifiable Information (PII) or Personal Information
Any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained or when put together with other information would directly and certainly identify an individual. As per the Company, PII includes, but are not limited to, first name, middle name and last name in combination with any one or more of the following data elements:
Name
Date and Place of Birth
Specimen Signature or Biometrics(fingerprint)
Photo
Present Address
Permanent Address
Nationality
Nature of Work; Source of Funds or Income
Name of Employer or Nature of Self-Employment or Business
Contact Number
b. Priviledged Information
Refers to any and all forms of data which under the Rules of Court and other pertinent laws constitute privileged communication.
c. Sensitive Personal Information
This information falls to the category of personal information with higher security impact and that requires extra level of protection. In consideration of the list of defined SPIs per Section 3, part of the Implementing Rules and Regulations (IRR) of R.A. 10173 (Data Privacy Act of 2012), the following information are defined as SPIs:
i. About an individual’s health, education, gender or any proceeding for any offense committed or alleged to have been committed by individual
Education
Police Clearance
NBI Clearance
ii. Issued by government agencies peculiar to an individual
Social Security System (SSS) Number
Government Service Insurance System (GSIS) Number
Passport
Driver's License
Professional Regulation Commission (PRC) ID
Postal ID
Voter's ID
Baranggay Certification
Senior Citizen Card
Overseas Workers Welfare Administration (OWWA) ID
OFW ID
Seaman's Book
Certification from the National Council for the Welfare of Disabled Persons (NCWDP)
Department of Social Welfare and Development Certification (DSWD)
Foreign Passport or Alien Certification of Registration (ACR) or Immigrant Certificate of Registration (ICR) for foreigners
iii. Cardholder Data (Card Number, Full Track, CVV/CVC and Expiry Date)
iv. User Credential(i.e User and Password, PIN/MPIN, etc)
v. Integrated Bar of the Philippines ID
vi. IDs issued by private companies that are duly registered with the Securities and Exchange Commission
vii. Student's ID for students who are benefeciaries of remittance who are not yet of voting age (below 18 years old)
IV. REFERENCE
R.A. 10173 or Data Privacy Act of 2012
R.A. Implementing Rules and Regulations
NPC Circular No. 16-01
NPC Advisory 2017-01
V. POLICY
This Privacy Policy outlines the established security and protection policies to ensure that adequate control mechanisms are in place within RuralNet’s systems, applications and other components directly related to the collection; use, storage and transmission; retention; and disposal and destruction of Personal Data.
PROCESSING OF PERSONAL DATA
The Company is processing of Personal Data within the data life cycle, from collection to disposal and destruction, adheres with the principle of transparency, legitimate use and proportionality. It upholds the Rights of the Data Subject in the processing of Personal Data.
1.HOW DO WE CREATE AND COLLECT YOUR PERSONAL DATA?
1.1 The Company provides to customers and partners a statement to inform its data subjects what, how and why their personal data is being collected from them including, where applicable, the automated processing for profiling, or processing for direct marketing and data sharing these will be disclosed as part of the Privacy Notice is sometimes referred to as a privacy statement, a fair processing statement, or a privacy policy.
a. This Privacy Notice, referred to as privacy policy, will be posted in the website and online facilities of RuralNet.
b. In the event that collected Personal Data will be used for purpose or shared with outside entities it is necessary that consent from the Data Privacy Officer must be obtained.
c. Privacy notice will be placed if entities need to download any reports from RuralNet website and online facilities.
d. Privacy notice will be placed integrated into the Company’s physical forms, where customer’s personal data is collected.
1.2 Collection must be for a declared, specified and legitimate purpose.
a. Collection of personal data, both Personally Identifiable Information (PII)and Sensitive Personal Information (SPI), about an individual will only be limited to those necessary, relevant and not excessive for the business purposes.
b. Manner of collection of PII and SPI that will be employed include accomplishment of online forms and/or hard copy service forms.
c. Collection of Personal Data about employee, applicants, customers, insurance policy holders and partners will rely to the fullest extent possible on the original source (e.g., employee or customer applications). The use of secondary copies (e.g., employee created spreadsheets, databases, and printed reports) of Personal Data should be limited, with the exclusion of the renewal of policies and services previously applied for.
2. HOW DO WE STORE AND TRANSFER YOUR INFORMATION?
2.1 Collected Personal Data, whether in electronic or hard copy, will be safeguarded against loss, unauthorized access and data leakage through adequate physical and technical security controls. All digitally processed Personal Data are encrypted when at rest and in transit.
2.2 Storage of Personal Data kept in digital format will also be protected against unlawful or unauthorized processing.
2.3 Personal Data will only be stored for as long as is necessary, in consideration of the purposes for which data was collected and the applicable legal storage periods.
a. Personal Data stored in temporary storage will be erased immediately once intention for temporary storage has been satisfied.
b. Personal Data with expired storage periods will be erased in a permanent and secure manner.
3. HOW DO WE DISTRIBUTE AND RETAIN YOUR INFORMATION?
3.1 Personal Data will only be processed in accordance with the expressed purpose and may not be shared, distributed, or otherwise disclosed to a third party without explicit approval of the Data Privacy Officer.
The Company recognizes that application of this policy may be inappropriate in certain limited circumstances. Accordingly, under the circumstances listed below. RuralNet may allow disclosures of Personal Data about employees, applicants, customers, insurance policy holders and partners:
When required in response to carry out the function of public authority in accordance with a constitutionally and statutorily mandated function pertaining to law enforcement, or regulatory function including a subpoena or search warrant;
When there exist an emergency which is believed to threaten risk of harm to person or property;
When used for the needs of scientific and statistical research intended for public benefit without any activities to be carried out or decisions to be undertaken regarding the owner of personal data; and
When necessary to protect legal interests of the Company
Exceptions, other than those for administrative or judicial process, are subject to evaluation and approval in writing by the Data Privacy Officer before proceeding with the actual disclosure. Requests for exceptions must be submitted in writing to the Data Privacy Officer for review and approval. Further consultation with the National Privacy Commission (NPC) of the Philippines can be initiated by the Data Privacy Officer on a case to case basis.
3.2 Steps will be required to verify that Personal Data about employees, applicants, customers, insurance policy holders and partners is accurate, complete and current.
a. Employees will comply with the established procedures to verify that any Personal Data being process is accurate and complete. If data is inaccurate or incomplete, it will be corrected or updated.
Employee will provide a profile sheet to be accomplished by the client, partners and vendors via digital or hardcopy forms.
Accomplished forms will be encoded to RuralNet online facilities and will be validated by the Employee by sending the information through email for confirmation.
b. Personal Data will be obtained from authoritative sources (e.g. direct data subject), when practical, rather than from secondary sources (e.g. personal spreadsheets).
3.3 Personal Data may only be disclosed to third parties, such as partners, contractors and providers when there is a legitimate reason, consent from data subject has been secured as necessary and such disclosure is covered by a Data Sharing Agreement. The Data Sharing Agreement must establish adequate safeguards for data privacy and security and upholds the rights of data subjects. Data Sharing Agreement needs to be in place with insurers and service providers.
3.4 Personal Data under the custody of the company will be treated with confidentiality and will be disclosed only pursuant to a lawful purpose and to authorize recipients of such data as required by law.
a. Formal requests for disclosure of Personal Data must be given by the Requesting Party along with supporting document to establish lawful purpose, e.g. subpoena
b. Disclosure will only be allowed subject to the evaluation of formal request and approval of the Data Privacy Officer.
3.5 Personal Data will not be retained longer than necessary for the purpose for which the information was collected or for which it is further processed or for which such longer period as may be required by applicable laws, regulation, or contractual responsibilities.
a. Steps will be undertaken to keep Personal Data about employees, applicants, customers and insurance policy holders only as long as it is necessary.
b. Retention of Personal Data may only be allowed for legitimate business purposes that are consistent with applicable standards or approved by appropriate government agency.
c. Personal Data will not be retained in permanence for possible future use yet to be determined.
d. Personal Data may be kept for a period of 5 years for the purpose of cross marketing, provision of additional services by the company and ease of re-use of services previously availed by the customer.
4.HOW DO WE DISPOSE AND DESTROY YOUR INFORMATION?
4.1 Personal Data will be disposed of or discarded in a secure manner that would prevent further processing, unauthorized access, or disclosure to any other party or the public, or prejudice the interests of the data subjects.
a. Steps to identify Personal Data which can or cannot be destroyed will be observed based on specified retention periods or as may be required by court order, litigation requirements, or other such requirements by regulatory authorities.
b. Departments who have been approved to create secondary copies of Personal Data about employees, applicants, customers, insurance policy holders and partner (e.g. employee- created spreadsheets, databases and printed reports) are responsible for prompt destruction of that information when it is no longer necessary to complete legitimate purpose or business activity.
c. Justified holding of any information on criminal conviction of the owner of Personal Data will follow secure disposal or destruction policy once the information is no longer required due to resolution of case.
d. Disposal or destruction of Personal Data is allowed if status of relationship of data subject with RuralNet has been changed (e.g. termination of relationship) and data becomes irrelevant to the service activities pertaining to the data subject, unless there are retention requirements as per 4.1.a.
SECURITY MEASURES
1. HOW DO OUR ORGANIZATIONAL SECURITY MEASURES WORK?
1.1 An appropriate level of leadership and resources to support the leadership, who are accountable for the Privacy and Data Protection Program, shall be established. The level of leadership may include, as appropriate the creation of a senior governing body (e.g. committee), who will provide support and oversight function on the effective implementation of the Privacy and Data Protection Program.
1.2 Designation of Data Privacy Officer (DPO) for RuralNet and CashKo Insurance Brokerage.
Data Privacy Officer (DPO)
The designated DPO will be the Information Security Officer. The DPO shall act independently in the performance of his or her functions and shall be given sufficient degree of autonomy. The DPO shall assume the following roles:
Establish and sustain a privacy program at the Company.
Maintain and supervise enforcement of the privacy policy.
Report to the RuralNet Top Management and Board of Directors on the status of the Privacy Program.
Monitor the legal and regulatory environment affecting the field staff, customers, contractors, vendors and third parties’ privacy.
Facilitate the development and establishment of privacy roles and responsibilities throughout the organization to ensure that privacy practices are communicated, understood and implemented.
Perform periodic assessments of privacy risk.
Sponsor or direct privacy control correction or improvement efforts when needed or the development and implementation of new privacy controls.
Review and process exception requests for the privacy policy.
Oversee the notification process required in the event of a breach in privacy.
Maintain this Policy.
Facilitate the sharing of ideas, tools, procedures and approaches relating to privacy company-wide.
Ensure compliance by the Personal Information Controller (PIC) or Personal Information Processor (PIP) with the Philippine Data Privacy Act (PDPA), its IRR, issuances by the National Privacy Commission (NPC), and other applicable laws and regulations relating to privacy and data protection.
The opinion of the DPO must be given due weight. In case of disagreement and should the PIC or PIP choose not to follow the advice of the DPO, it is recommended as good practice to document the reasons therefore.
1.3 Effective implementation of this policy is the responsibility of all employees, partners, contractors, vendors and contracted third parties including customers. The key roles and responsibility to uphold the requirements in this policy is attached as an Annex on the contract or agreement.
1.4 All employees with access to Personal Data shall operate and hold Personal Data under strict confidentiality if the same is not intended for public disclosure.
1.5 To properly protect Personal Data and meet legal obligations, this Data Privacy Policy as well as the Data Privacy Framework shall be monitored, assessed and revised, as needed, to allow for improvements and remain responsive to data privacy best practices and technology developments.
1.6 Record and document activities carried out by the DPO, or the organization itself, to ensure compliance with the DPA, its IRR and other relevant policies.
2. WHAT ARE OUR PHYSICAL SECURITY MEASURES?
These measures provide for the actual design of the facility, the physical arrangement of equipment and furniture, the permissible modes of transfer and the schedule and means of retention and disposal of data.
2.1 The layout of the office spaces and work stations as well as the physical arrangement of furniture and equipment of RuralNet and CashKO Insurance Brokerage will be periodically evaluated and adjusted in order to provide privacy to anyone processing Personal Data taking into consideration accessibility to unauthorized person.
2.2 Policies and procedures will be implemented to monitor and limit access to and activities in the work area of workstation, including the proper use of and access to electronic data and devices.
2.3 Policies and procedures regarding the transfer, removal, disposal and re-use of electronic media, to ensure appropriate protection of Personal Data will be imposed to all involved in the processing of personal data.
2.4 Policies and procedures that prevent the mechanical destruction of files and equipment shall be established to secure, as far as practicable, physical resources and infrastructure used in processing Personal Data against natural disaster, power disturbances, external access and other similar threats.
3. WHAT ARE OUR TECHNICAL SECURITY MEASURES?
Technical security involves the technological aspect of security in protecting Personal Data which includes.
3.1 Safeguard of computer network against accident, unlawful or unauthorized usage that will affect data integrity or hinder the functioning or availability of the system and unauthorized access.
3.2 Ensure and maintain the confidentiality, integrity, availability and resilience of Personal Data processing systems and services.
3.3 Restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident.
3.4 Regularly test, assess and evaluate the effectiveness of security measures.
3.5 Control and limit access on digitally processed Personal Data to authorized person through encryption whether it is at rest or while in transit, employ authentication process and other technical security measure.
3.6 Use of online access to process Personal Data should employ an identity authentication method that uses a unique user and password for log-in.
BREACH NOTIFICATION AND REPORT
1. HOW DOES BREACH NOTIFICATION WORKS?
1.1 All employees, contractors, partners and providers involved in the processing of Personal Data are enjoined to report any signs of possible data breach or Security Incident. In the event that such signs are discovered, the facts and circumstances need to be reported to the DPO within twenty-four (24) covers from its discovery for the verification as to whether or not a breach that occurred requires notification under the Data Privacy Act as well as for the determination of the relevant circumstances surrounding the reported breach and/or Security Incident.
1.2 For breach requiring notification, the DPO shall, within seventy – two (72) hours upon receipt of facts or circumstances, notify the National Privacy Commission and the affected Data subjects following the procedures prescribed by the DPA.
2. HOW DO WE DOCUMENT REPORTS ON DATA BREACH?
2.1 All Security Incidents and Personal Data breaches shall be documented through written reports, including those not covered by the notification requirements and summary of the reports shall be submitted by DPO to NPC annually as follows:
a.Personal Data Breaches with the facts surrounding an incident, the effects of such incident and the remedial actions taken by RuralNet to address the data breach.
b. Aggregated data of Security Incidents not involving Personal Data.
3. HOW DO WE CORRECT AND PREVENT DATA BREACHES?
3.1 Ransomware – is a type of malicious software from cryptovirology that threatens to publish the victim's data or perpetually block access to it unless a ransom is paid.
Corrective Measure
Recovery consists of removing the ransom Trojan and transferring data from the backup storage. If ransom Trojan cannot be removed, data will be restored from daily record backups.
Preventive Measure
1. Daily backup of data base, application, domain server.
2. Enable and personalize anti-spam settings.
3. Orientation of users to avoid opening of suspicious attachments from unknown sender.
4. Up-to-date operating systems, antivirus and other software.
5. Browser add-on to block pop-ups.
3.2 Password attacks – Password attacks are combination of brute force attacks that are used to gain access to insecure passwords. A hacker uses a program that tries multiple passwords to get access to a user’s data until a password work.
Corrective Measure
Restore a backup for the domain server. A change password will be administered by the IT Administrator to users affected by the breach.
Preventive Measure
1. Login Password Retry Lockout
The ASA (firewall) allows an administrator to lock out a local user account after set of unsuccessful login attempts. Once a user is locked out, the account is locked until the administrator unlocks it.
Authorized users can lock themselves out of a device if the number of unsuccessful login attempts is reached. In addition, a malicious user can create a denial of service (DoS) condition with repeated attempts to authenticate with a valid username.
3.3 Phishing – Email or phone calls that seem official to gain access or personal information is called phishing. They frequently take the guise of known, credible entities—such as a person’s bank. Various levels of misrepresentation to outright deception are employed to defraud or gain information.
Corrective Measure
1. Immediate disconnection of the device from the internet.
A ransomware will be installed on the computer and will be placed offline.
For wired connections, the internet cable from the computer will be unplugged and Wi-Fi networks will be disconnected.
2. Change RuralNet account credentials.
Change passwords for all online accounts must be done, especially email, online banking, and social media, and do it from a clean computer.
It’s also critical to use different passwords for each account to make it difficult for cyber criminals to steal identity.
3. Scan systems for malware
After changing passwords, will run a complete anti-malware scan of the system to get rid of self-replicating malware that could spread to the network and the devices connected to it.
Key points to remember:
Scan using offline software
Run a second scan using a different program
No program should run if scanning is not completed.
Prevention:
1. Orientation to employees on phishing incidents.
2. Installation of latest security patches and updates for all system.
3. Deployment of SPAM filters to detect viruses and blank senders.
4. Deployment of web filter to block malicious websites
MONITORING AND ENFORCEMENT
To monitor compliance with this policy and to identify area for improvement in response inquiries and /or complaints regarding Personally Identifiable Information (PII) that is subject to this policy, the following shall be observed:
1. Regularly test and verify management of Personal Data consistent with this policy.
2. Supervise third party compliance with contractual obligations relating to data privacy.
3. Periodic conduct of risk-assessment process that includes follow-up procedures to verify accuracy of privacy practices and controls implemented by concerned organizational unit and/or employees, partners, contractors and third party providers.
4. Monitor corrections or improvements to deficiencies in control or policies to verify that compliance finding are addressed in a timely manner.
5. Handle privacy concerns, issues or complains reported by data subjects in a timely manner. Privacy complaints and action steps taken will be documented and corrective actions reviewed for patterns and root causes.
6. Train al employees to recognize and report potential privacy event, provide awareness on the importance of reporting any possible privacy event in a timely manner.
A current version of this document is shared to all members of staff under RuralNet.
ROLES AND RESPONSIBILITIES:
1. Legal
The Legal Counsel will provide needed legal support related to the privacy, which include among others:
a. Interpretations of legal requirements related to privacy.
b. Advise the DPO on exception request for the privacy policy.
c. Review agreements for third party disclosures of Personal Data about employees, field staff, customers, contractors, vendors and third parties.
d. Advice and support negotiation and drafting of appropriate privacy language for agreements with Third Parties.
2. Human Resource
a. The HR will support the effective implementation of this policy through the following initiatives:
b. Organized (logistics, schedule, attendance of participants) training and awareness campaign on privacy policies and business requirements with the support from the Data Privacy Office of RuralNet for all employees especially those who are directly engaged in the processing of personal data.
c. Seek the advice of the DPO in establishing privacy accountability within RuralNet and communicating appropriate disciplinary guidelines.
d. Evaluate significant changes to existing process related to handling of employees’ Personal Data in coordination with the DPO and Legal Counsel.
3. Operations and Business Departments
Ensure compliance to this data privacy policy through the following activities among others:
a. Verify data subject identity to make sure that PII and SPI is shared only with legitimate data subject or authorized representative.
b. Establish and implement rules for appropriate sharing of Personal Data with callers
c. Recognize privacy events which represent a potential breach of Personal Data privacy and report promptly to the department head.
d. Require privacy training as recommended by the Data Privacy Office to ensure that each employee has knowledge and understanding of the responsibility of RuralNet to protect Personal Data under its custody and control, the general requirements of this Data Privacy Policy and the significance that data privacy breaches may have to the brand and reputation of RuralNet.
Contact us today if you have any questions about our
programs, your insurance policy, or partnership opportunities.