Introduction

Jabez Management Solutions Inc. hereby implements this policy in accordance with Republic Act No. 10173, or the Data Privacy Act of 2012 (DPA), and its Implementing Rules and Regulations (IRR), which aim to protect the fundamental human right to privacy and communication while ensuring the free flow of information in order to promote innovation and growth.
Jabez Management Solutions Inc. respects our clients' right to privacy when it comes to their personal information. This policy ensures that all personal data collected from our clients is processed in accordance with the general principles of transparency, lawfulness, and proportionality. This policy acts as a roadmap for enforcing our clients' DPA rights. 

“Data Subject” – refers to an individual whose personal, sensitive personal or privileged information is processed by the organization. It may refer to officers, employees, consultants, and clients of this organization.

“Personal data” refers to all types of personal information;

“Personal Information” – refers to any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.

“Processing” refers to any operation or any set of operations performed upon personal data including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data.


“Consent of the data subject” refers to any freely given, specific, informed indication of will, whereby the data subject agrees to the collection and processing of his or her personal, sensitive personal, or privileged information. Consent shall be evidenced by written, electronic or recorded means. It may also be given on behalf of a data subject by a lawful representative or an agent specifically authorized by the data subject to do so;

“Privileged information” refers to any and all forms of data, which, under the Rules of Court and other pertinent laws constitute privileged communication;

“Sensitive personal information” refers to personal information: 

1. About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;
2. About an individual’s health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such individual, the disposal of such proceedings, or the sentence of any court in such proceedings;
3. Issued by government agencies peculiar to an individual which includes, but is not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns; and
4. Specifically established by an executive order or an act of Congress to be kept classified.

“Security incident” is an event or occurrence that affects or tends to affect data protection, or may compromise the availability, integrity and confidentiality of personal data. It includes incidents that would result in a personal data breach, if not for safeguards that have been put in place;

“Personal information controller (PIC)” refers to a natural or juridical person, or any other body who controls the processing of personal data, or instructs another to process personal data on its behalf.

“Personal information processor (PIP)” refers to any natural or juridical person or any other body to whom a personal information controller may outsource or instruct the processing of personal data pertaining to a data subject; 

In the processing of personal data, JMSI and its service provider agents / employees shall observe the following principles.

Transparency - The data subject must be aware of the nature, purpose, and extent of the processing.

The identity and the contact details of the personal information controller.

The rights of the data subject, and how these can be exercised.

Legitimate purpose - The processing of information shall be compatible with a declared and specified purpose, which must not be contrary to law, morals, or public policy. No further processing shall take place without the consent of the data subjects.

Proportionality - The processing of information shall be adequate, relevant, suitable, necessary, and not excessive in relation to a declared and specified purpose.

The data subject has the following rights in relation to the processing of his or her data. All processing should respect these rights.

Right to be informed:
a) Description of the personal data to be entered into the system;
b) Purposes for which they are being or will be processed, including processing for direct marketing, profiling or historical, statistical or scientific purpose;
c) Basis of processing, when processing is not based on the consent of the data subject;
d) Scope and method of the personal data processing;
e) The recipients or classes of recipients to whom the personal data are or may be disclosed;
f) Methods utilized for automated access, if the same is allowed by the data subject, and the extent to which such access is authorized, including meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject;
g) The identity and contact details of the personal data controller or its representative;
h) The period for which the information will be stored; and
i) The existence of their rights as data subjects, including the rights to access, to correct, and to object to the processing, as well as the right to lodge a complaint before the Commission.

Right to Access:
The data subject has the right to reasonable access to, upon demand, the following:
a) Contents of his or her personal data that were processed;
b) Sources from which personal data were obtained;
c) Names and addresses of recipients of the personal data;
d) Manner by which such data were processed;
e) Reasons for the disclosure of the personal data to recipients, if any;
f) Information on automated processes where the data will, or is likely to, be made as the sole basis for any decision that significantly affects or will affect the data subject;
g) Date when his or her personal data concerning the data subject were last accessed and modified; and
h) The designation, name or identity, and address of the personal information controller.

Right to Object:
The data subject shall be entitled to object to the processing of his or her personal data, including direct marketing, automated processing or profiling without his or her consent.

When a data subject objects to or withdraws consent, the personal information controller must stop processing the personal data unless the following conditions are met:
a) The personal data is needed pursuant to a subpoena;
b) The collection and processing are for obvious purposes, including, when it is necessary for the performance of or in relation to a contract or service to which the data subject is a party, or when necessary or desirable in the context of an employer-employee relationship between the collector and the data subject; or
c) The information is being collected and processed as a result of a legal obligation.

Right to Erasure or Blocking
The data subject shall have the right to suspend, withdraw or order the blocking, removal or destruction of his or her personal data from the personal information controller’s filing system.

Conditions:
a) The personal data is incomplete, outdated, false, or unlawfully obtained;
b) The personal data is being used for a purpose not authorized by the data subject;
c) The personal data is no longer necessary for the purposes for which they were collected;
d) The data subject withdraws consent or objects to the processing, and there is no other legal ground or overriding legitimate interest for the processing;
e) The personal data concerns private information that is prejudicial to the data subject, unless justified by freedom of speech, of expression, or of the press or otherwise authorized;
f) The processing is unlawful;
g) The personal information controller or personal information processor violated the rights of the data subject.

Damages
The data subject shall be indemnified for any damages sustained due to such inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of personal data.

To File a Complaint
If your personal data was misused, maliciously disclosed, or inappropriately disposed of, or if any of your data privacy rights were breached, you have the right to file a complaint with the NPC.

To Rectify
The data subject has the right to dispute the inaccuracy or error in the personal data. The data subject must request the information controller to correct the error. The data subject must ensure the accessibility of both the new and the retracted information.

Right to Data Portability
The data subject has the right to obtain from the PIC a copy of his or her personal data in an electronic or structured format that is commonly used and allows for further use by the data subject. The data subject has power over the processing of his or her personal data based on consent.

The data subject has the following rights:
a) Obtain and electronically move, copy or transfer his or her data in a secure manner, for further use;
b) Manage his or her personal data in his or her private device; and
c) Transmit his or her data from one PIC to another.

Transmissibility of Rights of the Data Subject
A data subject can exercise another person's right as a data subject if he or she is allowed as a "legal Assignee."

Conditions:
a) Any time after the death of the data subject
b) Data subject is incapacitated or incapable of exercising his/her rights.
c) For minors, parents/guardian may be responsible for asserting rights on their behalf.

Limitation on Rights
The provisions of the law concerning the transmissibility of rights and the right to data portability will not apply if the processed personal data are used solely for the purposes of scientific and statistical research and, as a result, no activities are performed or decisions are made about the data subject with the assurance that the personal data will be held in strict confidentiality and usability.

Data should be held under strict confidentiality and used only for declared purpose. Not applicable to processing of data gathered for the purpose of investigations in relation to any criminal, administrative or tax liabilities of a data subject.  

Collection
JMSI gathers basic contact details from clients and consumers, such as their full name, location, email address, contact number, account numbers, type of account and outstanding balance. The data subject’s co-maker or reference person, together with their contact details, is sometimes included in the information provided by our client.

JMSI ensures that data obtained from clients via email/SFTP is sent only to approved personnel (Executive Assistant, IT, Team Leader, and/or admin) and is encrypted or password protected.

Furthermore, additional data acquired directly from the data subject through negotiation by the agent will not be disclosed to anyone except the PIC (Client). This information consists of the collection actions taken for the account as well as updates to the data subject’s personal information.

The information received will be used by agents for collection purposes only and will not be used for any other purpose.

Storage, Retention and Destruction
JMSI ensures that personal data under its custody is protected against any accidental or unlawful disclosure, destruction, or processing by providing security measures.

All PCs used by our personnel who have access to data subjects' personal information are password-protected. These passwords are private and should not be shared with anyone other than the owner of the user ID.

After three (3) months have passed since the account was fully paid or withdrawn, all soft and hard copies received and gathered, including recordings, will be deleted from the system and destroyed using a cross-cut shredder.

Disclosure and Sharing
All JMSI personnel maintain the confidentiality and secrecy of all personal data that come to their knowledge and possession, even after resignation, termination of contract, or other contractual relations. They will be required to sign the “information security policy acknowledgement”, which states the personnel’s responsibility as an owner of the personal data in relation to privacy.

JMSI does not share personal data to any other PIP or third party other than the PIC it is.  

JMSI has implemented reasonable and appropriate physical, technical and organizational measures for the protection of personal data. Security measures aim to maintain the availability, integrity and confidentiality of personal data and protect them against natural dangers such as accidental loss or destruction, and human dangers such as unlawful access, fraudulent misuse, unlawful destruction, alteration and contamination.

i. Organization Security Measures
JMSI considers the human aspect of data protection.
Data Protection Officer (DPO), Compliance Officer for Privacy (COP), and overall Compliance Officer for Privacy (Overall COP).

ii. Data Protection Officer (DPO), or Compliance Officer for Privacy (COP)
The designated Data Protection Officer is Mr. Michael Razo who is concurrently serving as the Executive Director/ President of the organization. JMSI COPs will be assigned to all quality analysts. Furthermore, Mr. Michael Razo has been designated as the overall COP.

iii. Functions of the DPO, COP and Overall COP.
JMSI has created a Data Privacy Team that consists of the DPO, COPs and Overall COP. The Data Protection Officer shall oversee the compliance of the organization with the DPA, its IRR, and other related policies, including the conduct of a Privacy Impact Assessment, implementation of security measures, security incident and data breach protocol, and the inquiry and complaints procedure.

iv. Training or Seminars on DPA
JMSI conducts mandatory data privacy and security trainings and seminars for all personnel who are directly involved in the processing of personal data at least once a year.

v. Conduct of Privacy Impact Assessment (PIA)
At least once a year, the DPO conducts a PIA on JMSI activities, projects, and/or systems relating to personal data processing. This assessment will aid in determining potential threats and risks in the processing of personal data, as well as what control measures can be created or developed to mitigate such risks.

vi. Duty of Confidentiality
All employees have signed a Non-Disclosure Agreement. All employees with access to personal data shall operate and hold personal data under strict confidentiality and report any suspected or confirmed security breach or incident to their immediate superior, the DPO, or the COPs.

vii. Review of Privacy Manual
This Manual is reviewed and evaluated annually to ensure that it is up to date. Privacy and security policies and practices within the organization shall be updated to remain consistent with current data privacy best practices. This review is also important in determining whether any policies need to be revised or developed in order to improve our current data protection practices.

JMSI has implemented physical access control to protect personal data.

Format of data to be collected
Personal data received from PIP is typically in digital/electronic format, either sent via email or accessed through PIP's Eagle system.

Storage type and location

All electronic personal data processed by JMSI is stored on the JMSI Eagle system. All data from the Eagle system is primarily stored on the JMSI Data Server. JMSI users can only access the data via the Eagle system. For complaints / teams that still use hard copies as the (contract master), these are kept in a locked steel cabinet at the end of each work schedule.

Design of office space/work station
To ensure and maintain the privacy of personal data, each workstation has its own cubicle.

Persons involved in processing, and their duties and responsibilities
All personnel who are involved in processing personal data are not allowed to bring their own gadgets (except for their Unit Head / Team Leaders), storage devices of any form, or pen and paper when entering their workstation. This is to maintain the confidentiality of personal data and prevent any unauthorized transfer of data.

Modes of transfer of personal data within the JMSI, or to third parties
Transfers of personal data via electronic mail shall use a secure email facility with encryption of the data, including any or all attachments. This applies even if the data is sent only within the organization.

Retention and disposal procedure
JMSI retains personal data in its custody only within the retention period. After the retention period has expired, JMSI ensures the deletion of electronic/digital personal data and the destruction of hard copies using a cross-cut shredder.

JMSI has implemented technical security measures to make sure that there are appropriate and sufficient safeguards.

These include the following:

Monitoring for security breaches
JMSI shall employ an intrusion detection system to monitor security breaches and notify the organization of any attempt to interrupt or disrupt the system.

Security features of the software/s and application/s used
JMSI shall first review and evaluate software applications before installing them in the organization's computers and devices to ensure that security features are compatible with overall operations.

Process for regularly testing, assessment of effectiveness of security measures
JMSI shall review security policies, conduct vulnerability assessments and perform penetration testing within the company on a regular schedule.

Encryption, authentication process, and other technical security measures that control and limit access to personal data
JMSI uses encryption to safeguard personal data during storage and transmission via Virtual Private Network (VPN), a secure network implemented over an insecure medium and created by using encrypted tunnels for communication between endpoints. 

JMSI has developed and implemented policies and procedures for the management of a personal data breach, including security incidents.

This includes:
a. Creation of a Data Breach Response Team
A Data Breach Response Team comprising five (5) officers will ensure immediate action in the event of a security incident or personal data breach. The team shall conduct an initial assessment of the incident or breach in order to ascertain the nature and extent thereof. It shall also execute measures to mitigate the effects of the incident or breach.

b. Measures to prevent and minimize occurrence of breach and security incidents
JMSI regularly conducts a Privacy Impact Assessment at least once a year or as necessary. Penetration tests are performed annually to find vulnerabilities in the computer network. Personnel who are directly involved in the processing of personal data must attend privacy trainings and seminars. Policies and procedures must also be reviewed at least once a year or whenever any security incidents or suspected data breaches are discovered.

c. Procedure for recovery and restoration of personal data
Since data is managed and stored internally and JMSI does not use a cloud-based system, the system is less prone to data breaches. JMSI maintains a backup file for all personal data under its custody. In the event of a security incident or data breach, it shall always compare the backup with the affected file to determine the presence of any inconsistencies or alterations resulting from the incident or breach.

d. Notification protocol
The Head of the Data Breach Response Team shall inform the management of the need to notify the NPC and the data subjects affected by the incident or breach within the period prescribed by law. The management may decide to delegate the actual notification to the head of the Data Breach Response Team.

e. Documentation and reporting procedure of security incidents or a personal data breach
The Data Breach Response Team shall prepare a detailed documentation of every incident or breach encountered, to be submitted to management and the NPC, within the prescribed period.

Inquiries and Complaints
Every data subject has the right to reasonable access to his or her personal data being processed by the personal information controller or personal information processor. These rights include: (1) right to dispute the inaccuracy or error in the personal data; (2) right to request the suspension, withdrawal, blocking, removal or destruction of personal data; and (3) right to complain and be indemnified for any damages sustained due to inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of personal data.

Data subjects may inquire or request for information regarding any matter relating to the processing of their personal data under the custody of JMSI, including the data privacy and security policies implemented to ensure the protection of their personal data. They may write or email to JMSI at jabezmsi@gmail.com, together with their contact details for reference.

Complaints shall be filed in three (3) printed copies, or sent to jabezmsi@gmail.com. The concerned department or unit shall confirm with the complainant its receipt of the complaint.

© Copyright 2022 JabezMSI - All Rights Reserved