A website that collects and handles data or information (also known as personal information) should have this document so that users know how their data or information is collected and processed. A website owner or Personal Information Controller (PIC) should provide specific information as to how the personal information of users is processed.
Processing refers to any act by which data or information pertaining to the user is:
- Modified or updated,
- Combined or aggregated, or
Personal Information refers to information about the user, whether alone or combined with other pieces of information, which tends to ascertain their identity. Identity can be ascertained directly (e.g. the full name of the user) or indirectly by a combination of pieces of information (e.g. the date of birth of the user, address, contact information).
For the processing of Personal Information to be lawful, any of the following conditions must be complied with:
- The user must have given his or her consent prior to the collection, or as soon as possible;
- The processing involves the personal information of the user who is a party to a contractual agreement, in order to fulfill obligations under the contract or to take steps at the request of the user prior to entering the said agreement;
- The processing is necessary for compliance with a legal obligation to which the owner of the website (Personal Information Controller) is subject;
- The processing is necessary to protect vitally important interests of the user, including his or her life and health;
- The processing of personal information is necessary to respond to a national emergency or to comply with the requirements of public order and safety, as prescribed by law;
- The processing of personal information is necessary for the fulfillment of the constitutional or statutory mandate of a public authority; or
- The processing is necessary to pursue the legitimate interests of the owner of the website (Personal Information Controller), or by a third party or parties to whom the data is disclosed, except where such interests are overridden by fundamental rights and freedoms of the user, which require protection under the Philippine Constitution.
Other specific types of personal information are Sensitive Personal Information and Privileged Information, for which stricter rules apply due to the sensitive nature of the data. Sensitive Personal Information and Privileged Information can only be processed when this is justified.
Sensitive Personal Information is:
- information about the user's race, ethnic origin, marital status, age, color, religious, philosophical or political affiliations, health, education, genetic information, or sexual life;
- information regarding a proceeding for any offense committed or alleged to have been committed by such individual, the disposal of such proceedings, or the sentence of any court in such proceedings;
- information issued by government agencies related to the user which includes, but is not limited to, social security numbers, previous or current health records, licenses or their denials, suspension or revocation, and tax returns; and
- information that is specifically established by law or regulation to be kept classified.
Privileged Information refers to any and all forms of data or information, which cannot be disclosed due to its confidential nature. An example of privileged information is the communication between a lawyer and a client.
How to use this document
- Description of the data or information to be entered into the website's system;
- Purposes for which they are being or will be processed;
- Criteria or Basis of processing, when processing is not based on the consent of the user;
- Scope and method of the processing;
- The recipients or classes of recipients to whom the personal data are or may be disclosed such as third parties;
- Methods utilized for automated access, if the same is allowed by the user, and the extent to which such access is authorized;
- The identity and contact details of the personal information controller or its personal information processor;
- The identity and contact details of the Data Privacy Officer if one is appointed;
- The period for which the information will be stored; and
- The existence of their rights as data subjects.
This document is governed by the Provisions of R.A. 10173 or the Data Privacy Act of 2012 and its rules and regulations.
How to modify the template
You fill out a form. The document is created before your eyes as you respond to the questions.
At the end, you receive it in Word and PDF formats. You can modify it and reuse it.