Republic of the Philippines – NATIONAL PRIVACY COMMISSION

Transcription

Republic of the Philippines
NATIONAL PRIVACY COMMISSION
DATA SECURITY AND COMPLIANCE OFFICE
Data Security and Technology Standards Division

ADVISORY ON THE ADOPTION OF INTERNATIONAL DATA PROTECTION STANDARD
NO. 2021-002

ISO/IEC 29151 – Information technology – Security techniques – Code of practice for personally identifiable information protection

WHEREAS, Section 2 of Republic Act No. 10173, also known as the Data Privacy Act of 2012, provides that it is the policy of the State to protect the fundamental human right of privacy of communication while ensuring free flow of information to promote innovation and growth. The State also recognizes its inherent obligation to ensure that personal information in information and communications systems in the government and in the private sector are secured and protected;

WHEREAS, pursuant to Section 7 of the Data Privacy Act of 2012, the National Privacy Commission is charged with the administration and implementation of the provisions of the law, which includes ensuring the compliance by personal information controllers with the provisions of the Act and with international standards for data protection, and carrying out efforts to formulate and implement plans and policies that strengthen the protection of personal information in the country, in coordination with other government agencies and the private sector;

WHEREAS, Section 9 of the Implementing Rules and Regulations of the Data Privacy Act of 2012 provides that, among the Commission's functions, is to issue guidelines for organizational, physical and technical security measures for personal data protection, taking into account the nature of the personal data to be protected, the risks presented by the processing, the size of the organization and complexity of its operations, current data privacy best practices, cost of security implementation, and the most appropriate standard recognized by the information and communications technology industry, as may be necessary;

WHEREFORE, in consideration of these premises, the National Privacy Commission hereby issues this advisory on the adoption of ISO/IEC 29151 as a guide in implementing controls for data protection.

Ref No.: DSTSD-21-00222
NPC DASCO DSTSD AdopAd-V1.0, R0.0, 09 July 2021
5F, Delegation Building, Philippine International Conference Center (PICC) Complex, Pasay City. Tel. no. 632 569 9623
URL: http://privacy.gov.ph  Email Add: info@privacy.gov.ph

Scope of the International Standard (IS) [1]

This document establishes control objectives, controls and guidelines for implementing controls, to meet the requirements identified by a risk and impact assessment related to the protection of Personally Identifiable Information (PII).

In particular, this document specifies guidelines based on ISO/IEC 27002, taking into consideration the requirements for processing PII which may be applicable within the context of an organization's information security risk environment(s).

This document is applicable to all types and sizes of organizations acting as PII controllers (as defined in ISO/IEC 29100), including public and private companies, government entities, and not-for-profit organizations, which process PII.

Requirements

This IS provides additional implementation guidance for personal data protection for the controls that are in the Information Security Management System (ISMS) guidance in ISO/IEC 27002. The same requirements found in the annex of ISO/IEC 27001 and in ISO/IEC 27002 apply to this standard:

- Information security policies
- Organization of information security
- Human resource security
- Asset management
- Access control
- Cryptography
- Physical and environmental security
- Operations security
- Communications security
- System acquisition, development and maintenance
- Supplier relationships
- Information security incident management
- Information security aspects of business continuity management
- Compliance

Additional implementation guidance for personal data protection can be seen in Annex B of this advisory.

[1] The scope is directly lifted from the International Standard (IS) document; its terms may differ from the DPA's, but they have a similar meaning to the DPA terms. Refer to Annex A for the comparison of terms.

The annex contains implementation guidance for the privacy principles stated in ISO/IEC 29100 – Privacy framework:

- Consent and choice
- Purpose legitimacy and specification
- Collection limitation
- Data minimization
- Use, retention and disclosure limitation
- Accuracy and quality
- Openness and transparency
- PII principal participation and access
- Accountability
- Information security
- Privacy compliance

Benefits

The number of organizations, whether in the public or private sector, managing personal data is increasing, and so is the societal expectation that the individual's privacy and the security of data relating to the individual be protected. The National Privacy Commission (NPC) released its first circular about the security of personal data in government agencies (NPC Memorandum Circular 16-01) in 2016. NPC Circular 16-01 was issued to assist government agencies engaged in the processing of personal data and to help them implement more detailed policies and procedures that reflect their specific operating requirements. Section 6 of this circular recommends the control set stated in ISO/IEC 27002 as the minimum standard for assessing any gaps in the agency's control framework. This also provides guidelines for organizations that have conducted privacy impact assessments and implemented the identified controls to mitigate the determined risks.

Annex C illustrates the subclauses of ISO/IEC 29151 relevant to the NPC Circular 16-01 requirements.

For organizations that are already implementing, or will be implementing, the requirements and guidance of ISO/IEC 27001 and ISO/IEC 27002 respectively, this IS will help further enhance their control set, as it gives a broad range of additional guidance on personal data protection.

Guide for Adoption

The IS provides guidelines for identifying and establishing controls specifically for data protection, in addition to the guidelines stated in ISO/IEC 27002 and NPC Memorandum Circular 16-01, and it can serve as a suitable direction for implementing controls against the risks identified after conducting privacy impact assessments.

PICs and PIPs who will use this IS within their organizations shall still follow the DPA's terminologies, its IRR, and other relevant issuances. The guidance for comparing the terms is in Annex A. The IS does not amend the DPA, its IRR, and other relevant issuances of the NPC. In the event of a conflict between the provisions of the IS and the compliance requirements stated in the DPA, its IRR, and other relevant issuances of the NPC, the latter shall prevail.

The IS was adopted as a Philippine National Standard (PNS) by the Bureau of Philippine Standards (BPS) upon the recommendation of the Subcommittee on Information security, cybersecurity and privacy protection (SC 1) and the Technical Committee on Information Technology (BPS/TC 60). BPS/TC 60 is in charge of the review and adoption of relevant International Standards that will be distributed in the Philippines.

A copy of the standard is available for a minimal fee at the Standards Data Center of the BPS – 3F DTI Bldg., 361 Sen. Gil Puyat Ave., Makati City. For a quotation, please email BPS at bps@dti.gov.ph.

Recommended by:
KELVIN S. MAGTALAS
OIC-Chief, DSTSD
(Digitally signed by Magtalas Kelvin Santos, Date: 2021.07.09 11:23:10 08'00')

Recommending Approval:
JOHN HENRY D. NAGA
OIC-Director, DASCO
(Digitally signed by Naga John Henry Du, Date: 2021.07.13 21:32:40 08'00')

Approved by:
RAYMUND ENRIQUEZ LIBORO
Privacy Commissioner
(Digitally signed by Liboro Raymund Enriquez, Date: 2021.07.26 09:42:01 08'00')

Annex A – DPA and ISO/IEC 29100 Terms and definitions

Term: Personal information (DPA of 2012) / Personally Identifiable Information (PII) (ISO/IEC 29100)
DPA of 2012: Refers to any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.
ISO/IEC 29100: any information that (a) can be used to identify the PII principal to whom such information relates, or (b) is or might be directly or indirectly linked to a PII principal.

Term: Personal Information Controller (PIC) / PII controller
DPA of 2012: refers to a natural or juridical person, or any other body who controls the processing of personal data, or instructs another to process personal data on its behalf. The term excludes: 1. A natural or juridical person, or any other body, who performs such functions as instructed by another person or organization; or 2. A natural person who processes personal data in connection with his or her personal, family, or household affairs. There is control if the natural or juridical person or any other body decides on what information is collected, or the purpose or extent of its processing.
ISO/IEC 29100: privacy stakeholder (or privacy stakeholders) that determines the purposes and means for processing personally identifiable information (PII) other than natural persons who use data for personal purposes.

Term: Personal Information Processor (PIP) / PII processor
DPA of 2012: refers to any natural or juridical person or any other body to whom a personal information controller may outsource or instruct the processing of personal data pertaining to a data subject.
ISO/IEC 29100: privacy stakeholder that processes personally identifiable information (PII) on behalf of and in accordance with the instructions of a PII controller.

Term: Data Subject / PII principal
DPA of 2012: refers to an individual whose personal, sensitive personal, or privileged information is processed.
ISO/IEC 29100: natural person to whom the personally identifiable information (PII) relates. Note: Depending on the jurisdiction and the particular data protection and privacy legislation, the synonym "data subject" can also be used instead of the term "PII principal".

Term: Personal Data Breach / Privacy breach
DPA of 2012: refers to a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed. A personal data breach may be in the nature of: 1. An availability breach resulting from loss, accidental or unlawful destruction of personal data; 2. An integrity breach resulting from alteration of personal data; and/or 3. A confidentiality breach resulting from the unauthorized disclosure of or access to personal data.
ISO/IEC 29100: situation where personally identifiable information is processed in violation of one or more relevant privacy safeguarding requirements.

Term: Sensitive Personal Information (SPI) / Sensitive PII
DPA of 2012: refers to personal information: 1. About an individual's race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations; 2. About an individual's health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such individual, the disposal of such proceedings, or the sentence of any court in such proceedings; 3. Issued by government agencies peculiar to an individual which includes, but is not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns; and 4. Specifically established by an executive order or an act of Congress to be kept classified.
ISO/IEC 29100: category of personally identifiable information (PII), either whose nature is sensitive, such as those that relate to the PII principal's most intimate sphere, or that might have a significant impact on the PII principal. Note: In some jurisdictions or in specific contexts, sensitive PII is defined in reference to the nature of the PII and can consist of PII revealing the racial origin, political opinions or religious or other beliefs, personal data on health, sex life or criminal convictions, as well as other PII that might be defined as sensitive.

Term: processing / processing of PII
DPA of 2012: refers to any operation or any set of operations performed upon personal data including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data.
ISO/IEC 29100: operation or set of operations performed upon personally identifiable information (PII). Note: Examples of processing operations of PII include, but are not limited to, the collection, storage, alteration, retrieval, consultation, disclosure, anonymization, pseudonymization, dissemination or otherwise making available, deletion or destruction of PII.

Term: third party / third party
DPA of 2012: Mentioned but not defined.
ISO/IEC 29100: privacy stakeholder other than the personally identifiable information (PII) principal, the PII controller and the PII processor, and the natural persons who are authorized to process the data under the direct authority of the PII controller or the PII processor.

Term: consent / consent
DPA of 2012: refers to any freely given, specific, informed indication of will, whereby the data subject agrees to the collection and processing of personal information about and/or relating to him or her. Consent shall be evidenced by written, electronic or recorded means. It may also be given on behalf of the data subject by an agent specifically authorized by the data subject to do so.
ISO/IEC 29100: PII principal's freely given, specific and informed agreement to the processing of their PII.

Annex B – ISO/IEC 27002 and ISO/IEC 29151 Matrix

This table lists the clauses of ISO/IEC 27002 and indicates whether ISO/IEC 29151 contains additional guidance for data protection for each of them. The ISO/IEC 29151 column carries the same clause titles under its own subclause numbering (for example, 6.2.2 and 6.2.3 for the mobile device policy and teleworking controls); the clause numbers below are those of ISO/IEC 27002. The Yes/No values of the "additional guidance in ISO/IEC 29151" column are given after each group of clauses in the order they appear in the table.

5 Information security policies
  5.1 Management direction for information security
    5.1.1 Policies for information security
    5.1.2 Review of the policies for information security
6 Organization of information security
  6.1 Internal organization
    6.1.1 Information security roles and responsibilities
    6.1.2 Segregation of duties
    6.1.3 Contact with authorities
    6.1.4 Contact with special interest groups
    6.1.5 Information security in project management
  6.2 Mobile devices and teleworking
    6.2.1 Mobile device policy
    6.2.2 Teleworking
7 Human resource security
  7.1 Prior to employment
    7.1.1 Screening
    7.1.2 Terms and conditions of employment
  7.2 During employment
    7.2.1 Management responsibilities
    7.2.2 Information security awareness, education and training
    7.2.3 Disciplinary process
Additional guidance in ISO/IEC 29151 (Yes/No column for this group): Yes Yes Yes No Yes No Yes No No No No No No Yes Yes Yes

  7.3 Termination or change of employment
    7.3.1 Termination or change of employment responsibilities
8 Asset management
  8.1 Responsibility for assets
    8.1.1 Inventory of assets
    8.1.2 Ownership of assets
    8.1.3 Acceptable use of assets
    8.1.4 Return of assets
  8.2 Information classification
    8.2.1 Classification of information
    8.2.2 Labeling of information
    8.2.3 Handling of assets
  8.3 Media handling
    8.3.1 Management of removable media
    8.3.2 Disposal of media
    8.3.3 Physical media transfer
9 Access control
  9.1 Business requirements for access control
    9.1.1 Access control policy
    9.1.2 Access to networks and network services
  9.2 User access management
    9.2.1 User registration and de-registration
    9.2.2 User access provisioning
    9.2.3 Management of privileged access rights
    9.2.4 Management of secret authentication information of users
    9.2.5 Review of user access rights
    9.2.6 Removal or adjustment of access rights
  9.3 User responsibilities
    9.3.1 Use of secret authentication information
  9.4 System and application access control
Additional guidance in ISO/IEC 29151 (Yes/No column for this group): Yes Yes Yes No No No No No Yes Yes Yes No No No No No No

    9.4.1 Information access restriction
    9.4.2 Secure log-on procedures
    9.4.3 Password management
    9.4.4 Use of privileged utility programs
    9.4.5 Access control to program source code
10 Cryptography
  10.1 Cryptographic controls
    10.1.1 Policy on the use of cryptographic controls
    10.1.2 Key management
11 Physical and environmental security
  11.1 Secure areas
    11.1.1 Physical security perimeter
    11.1.2 Physical entry controls
    11.1.3 Securing offices, rooms and facilities
    11.1.4 Protecting against external and environmental threats
    11.1.5 Working in secure areas
    11.1.6 Delivery and loading areas
  11.2 Equipment
    11.2.1 Equipment siting and protection
    11.2.2 Supporting utilities
    11.2.3 Cabling security
    11.2.4 Equipment maintenance
    11.2.5 Removal of assets
    11.2.6 Security of equipment and assets off-premises
    11.2.7 Secure disposal or re-use of equipment
    11.2.8 Unattended user equipment
    11.2.9 Clear desk and clear screen policy
12 Operations security
  12.1 Operational procedures and responsibilities
    12.1.1 Documented operating procedures
    12.1.2 Change management
Additional guidance in ISO/IEC 29151 (Yes/No column for this group; first value truncated in the transcription): o No No No No No No No No No Yes No No No No No No

    12.1.3 Capacity management
    12.1.4 Separation of development, testing and operational environments
  12.2 Protection from malware
    12.2.1 Controls against malware
  12.3 Backup
    12.3.1 Information backup
  12.4 Logging and monitoring
    12.4.1 Event logging
    12.4.2 Protection of log information
    12.4.3 Administrator and operator logs
    12.4.4 Clock synchronization
  12.5 Control of operational software
    12.5.1 Installation of software on operational systems
  12.6 Technical vulnerability management
    12.6.1 Management of technical vulnerabilities
    12.6.2 Restrictions on software installation
  12.7 Information systems audit considerations
    12.7.1 Information systems audit controls
13 Communications security
  13.1 Network security management
    13.1.1 Network controls
    13.1.2 Security of network services
    13.1.3 Segregation in networks
  13.2 Information transfer
    13.2.1 Information transfer policies and procedures
    13.2.2 Agreements on information transfer
    13.2.3 Electronic messaging
    13.2.4 Confidentiality or non-disclosure agreements
14 System acquisition, development and maintenance
Additional guidance in ISO/IEC 29151 (Yes/No column for this group): No No No No No No No No No No Yes No No Yes No

  14.1 Security requirements of information systems
    14.1.1 Information security requirements analysis and specification
    14.1.2 Securing application services on public networks
    14.1.3 Protecting application services transactions
  14.2 Security in development and support processes
    14.2.1 Secure development policy
    14.2.2 System change control procedures
    14.2.3 Technical review of applications after operating platform changes
    14.2.4 Restrictions on changes to software packages
    14.2.5 Secure system engineering principles
    14.2.6 Secure development environment
    14.2.7 Outsourced development
    14.2.8 System security testing
    14.2.9 System acceptance testing
  14.3 Test data
    14.3.1 Protection of test data
15 Supplier relationships
  15.1 Information security in supplier relationships
    15.1.1 Information security policy for supplier relationships
    15.1.2 Addressing security within supplier agreements
    15.1.3 Information and communication technology supply chain
  15.2 Supplier service delivery management
Additional guidance in ISO/IEC 29151 (Yes/No column for this group; first value truncated in the transcription): o Yes No No Yes No No

    15.2.1 Monitoring and review of supplier services
    15.2.2 Managing changes to supplier services
16 Information security incident management
  16.1 Management of information security incident management
    16.1.1 Responsibilities and procedures
    16.1.2 Reporting information security events
    16.1.3 Reporting information security weaknesses
    16.1.4 Assessment of and decision on information security events
    16.1.5 Response to information security incidents
    16.1.6 Learning from information security incidents
    16.1.7 Collection of evidence
17 Information security aspects of business continuity management
  17.1 Information security continuity
    17.1.1 Planning information security continuity
    17.1.2 Implementing information security continuity
    17.1.3 Verify, review and evaluate information security continuity
  17.2 Redundancies
    17.2.1 Availability of information processing facilities
18 Compliance
  18.1 Compliance with legal and contractual requirements
    18.1.1 Identification of applicable legislation and contractual requirements
    18.1.2 Intellectual property rights
    18.1.3 Protection of records
Additional guidance in ISO/IEC 29151 (Yes/No column for this group; first value truncated in the transcription): o No No No No No Yes No No

    18.1.4 Privacy and protection of personally identifiable information
    18.1.5 Regulation of cryptographic controls
  18.2 Information security reviews
    18.2.1 Independent review of information security
    18.2.2 Compliance with security policies and standards
    18.2.3 Technical compliance review
Additional guidance in ISO/IEC 29151 (Yes/No column for this group): No No No Yes No No

Annex C – NPC MC 16-01 and ISO/IEC 29151

This table illustrates the clauses of ISO/IEC 29151 relevant to the requirements of NPC Memorandum Circular 16-01.

NPC Memorandum Circular 16-01
Sec. 4 General Obligations
Sec. 5 Privacy Impact Assessment
Sec. 6 Control Framework for Data Protection
Sec. 7 General Rule on Storage of Personal Data
Sec. 8 Encryption of Personal Data
Sec. 9 Restricted Access
Sec. 10 Service Provider as Personal Information Processor
Sec. 11 Audit
Sec. 12 Recommended Independent Verification or Certification
Sec. 13 Archives
Sec. 14 Access to or M
