CIBI Data Privacy Statement
CIBI Information Inc. recognizes the importance of the protection and security of the personal, sensitive and privileged information that we collect from you, our valued clients, and from third-party data source partners, in accordance with the Data Privacy Act of 2012. This privacy policy informs you of our privacy practices and describes the ways we may collect, use, protect, store, disclose and dispose of information, including information that may be collected through third-party providers, data source partners, websites, applications and/or any other online activity.
DEFINITION OF TERMS
- Personal Information refers to any information, whether recorded in material form, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.
- Sensitive Personal Information refers to personal information about an individual’s race, marital status, age, color, and religious, philosophical, or political beliefs; health, education, genetic information, sexual life or involvement of a person in a legal proceeding. It may also include social security numbers, health records and licenses, PIN codes and account numbers.
- Privileged Information refers to any form of data, which, under the Rules of Court and other pertinent laws constitute privileged communication.
- Data Subject refers to an individual whose personal, sensitive or privileged information is processed.
- Processing refers to any operation or any set of operations performed upon personal, sensitive and privileged information, including but not limited to the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data. Processing may be performed through automated means, or by manual processing if the personal data are contained or are intended to be contained in a filing system.
Personal, sensitive and privileged information generally may not be processed without your consent.
PERSONAL INFORMATION WE MAY COLLECT
The personal data we may collect from you or from your authorized representative include, but are not limited to, the following:
Hiring and Recruitment (Applicant’s Information)
- Name
- Address
- Contact Number
- Sex
- Birthdate
- Place of Birth
- Citizenship
- Civil Status
- Religion
- Age
- Height
- Weight
- Government Numbers
- Family Background
- Educational Background
- Employment History
CIBI Employment (Employees Information)
- Name
- Address
- Contact Number
- Sex
- Birthdate
- Place of Birth
- Citizenship
- Civil Status
- Religion
- Age
- Height
- Weight
- Government Numbers
- Family Background
- Educational Background
- Employment History
Clients
- Contract
- Authorized signatories' names
- Valid IDs such as:
  - TIN
  - Passport
  - Driver's License
  - SSS
- Resume or Application Form
  - Name
  - Birthdate
  - Gender
  - Civil Status
  - SSS Number
  - Address
  - School Details such as:
    - School Name
    - Course
    - Date Graduated
  - Character References such as:
    - Name of Character Reference
    - Contact Number or Email
  - Employment History
    - Employer's Name
    - Employment inclusive dates
    - Position
- Business Accreditation Application Form
  - Company Name
  - Address
  - Contact Number
  - Email Address
  - Contact Person or Owner’s Name
Social Media Profile and/or postings and information
- Websites
Any other personal information appearing from other publicly available sources.
MEANS TO COLLECT
We may collect your information in several ways:
Client endorsements
- For those clients who are availing of the following services:
  - Identity Verification
  - Educational Verification
  - Character Verification
  - Residence or Address Verification
  - Employment Verification
  - Business Verification
- For those companies who have signed an agreement with CIBI:
  - Commercial Agreement
  - Partnership Agreement
Website and Facebook
- When you message us or inquire on Facebook or the CIBI website for a service quotation or product information, you will be asked to provide personal information such as your name, e-mail address, location (region and city) and mobile number. We may also collect information through online automated methods, including the use of cookies, web beacons and IP addresses.
Mobile Applications and Portals
- When you download or inquire through our mobile applications, you will be asked to provide personal information prior to processing your inquiries.
Events
- At each event hosted or co-hosted by CIBI, we may require registrants to sign up on a registration sheet. Registrants will be required to provide their name, email address, location, and contact number for the purposes indicated in this Privacy Policy.
Data source partners
- We may collect information through our data source partners where the appropriate data sharing agreements are executed and signed.
Third party service providers
- Our third party providers may collect information about you from character references, former employers, educational institutions, courts, local agencies and regulatory bodies.
Recruitment Application Forms
- Upon applying for any vacancy in CIBI, the potential candidate will fill out an application form which may include the name of the applicant, address, contact number, sex, age, birthdate, place of birth, citizenship, civil status, religion, height, weight, government numbers, family background, educational background and employment history.
Employment Data Sheet and 201 Records
- Upon hiring and employment, the following data will be requested: Diploma, Transcript of Records, Employment Certificate, NBI clearance, Health clearance, SSS Number, TIN, Pag-IBIG Number and PhilHealth Number.
PURPOSE OF PROCESSING
Personal information may be used by CIBI for the following purposes:
Service Delivery
- Upon client engagement, CIBI shall request certain personal, sensitive and privileged information of individuals from the client in order to deliver the services availed of from CIBI.
Verification
- Customer interface
  - In processing inquiries and payments for your availment of CIBI services and after-sales services;
  - In confirming your identity and protecting you against malicious use of information;
  - For promoting quality assurance, including callouts for product and service satisfaction purposes, and receiving and processing customer feedback;
  - For conducting research, including updating of records, surveys, satisfaction index and similar studies;
  - For customer profiling intended for product development.
Website
- To fulfill your requests and respond to your queries, such as:
  - Availment of services;
  - Attending to feedback, comments and suggestions;
  - Informing you of changes, improvements and the introduction of services and after-sales services;
  - Subscription to the newsletter and other marketing information, including but not limited to events, promos, and offerings.
- To improve web analytics, for purposes of optimizing web usage and for market research.
Events
- Personal information collected will be used for post-event evaluation. It will also be used for remarketing, provided that the registrant has voluntarily consented to receiving the newsletter and other marketing information.
USE AND DISCLOSURE OF PERSONAL INFORMATION
As a provider, we are permitted by law to make certain uses and disclosures of your personal data. Your personal data shall be used and disclosed for the following purposes, among others:
CLIENTS
Personal data may be shared with clients in their availment of CIBI services.
GOVERNMENT
We may use your personal data to perform accounting, auditing, billing, reconciliation, and collection activities. Payment activities include disclosure and submission of claims to insurance companies (such as PhilHealth).
OPERATION
We may use and disclose your personal data in conducting our verification, KYC and similar activities. Operational activities include review of accuracy and completeness. When a transaction is cancelled, personal data will be used for verification. If ownership of our organization should change, your personal data may be disclosed to the new entity.
THIRD PARTY SUPPLIER OR BUSINESS PARTNER
In other operational activities, we engage third parties to perform activities for or on our behalf, and we may share and disclose your personal information with them.
BUSINESS OPERATION
We may use your personal data for business purposes, to provide the services you have availed of, and to inform you about our products and services. We may also use your personal data for analysis, audits, crime/fraud monitoring and prevention, security, and developing new products and/or services.
PERSONAL REPRESENTATIVE
We may disclose your personal data to your duly authorized personal representative.
LEGAL ACTIONS or LAW ENFORCEMENT
We may disclose your personal data when required by law and/or government authorities, such as in the course of legal proceedings, for example upon receipt of a subpoena from a court of law.
We may also disclose certain personal data as we believe is required, necessary, or appropriate: (a) under applicable law, including laws outside your country of residence; (b) to comply with legal processes and/or respond to requests from competent public and government authorities, including public and government authorities outside your country of residence; (c) to enforce our terms and conditions; (d) to protect our operations and those of any of our affiliates; (e) to protect our rights, privacy, security, safety, and physical and intellectual property, and/or the rights of our affiliates, you, or others; and (f) to allow us to pursue available remedies or limit the damages that we may sustain.
OTHER ACTIVITIES
To perform other activities consistent with this Notice.
We do not sell your personal data to marketing companies outside of our organization.
We generally process your personal data only for those purposes that we have communicated to you. If we use it for other (closely related) purposes, additional data protection measures will be implemented, if required by law.
YOUR RIGHTS
We recognize and take seriously our responsibility to protect the personal data you entrust to us from loss, misuse or unauthorized access. The following is a summary of your rights regarding your personal data:
- Right to access your personal data with us
- Right to request restriction of access
- Right to limit and prevent disclosure
- Right to amend or update personal data
- Right to authorize other uses
- Right to receive notice of privacy breaches
- Right to request destruction of personal data
MANAGE YOUR PERSONAL DATA
If you would like to correct, update, delete, or request access to the personal information that you have provided to us, you may contact our Data Protection Officer.
We encourage you to keep your personal settings and personal data complete and current.
STORAGE OF PERSONAL DATA
We have a Records Retention Policy and abide by other laws that provide higher privacy protection, such as RA 10173.
The information we collect may be stored and processed in servers in our Head Office in Makati City, Philippines and wherever our service providers have facilities around the globe and in accordance with local laws.
RETENTION PERIOD
We will retain your personal data for the period necessary to fulfill the purposes outlined in this Privacy Notice unless a longer retention period is required or permitted by law. We retain the personal data we collect only if we need it to support justifiable business requirements or when our lawful purposes for using the information are still relevant. When we no longer require personal data we or our third party suppliers will securely delete and/or archive the information.
CHANGES TO THIS PRIVACY NOTICE
Our products and services are dynamic and the form and nature of the services may change from time to time without prior notice to you. For this reason, we reserve the right to change or add to this privacy notice from time to time and will post any material revisions on our websites.
We will post a prominent notice on our privacy notice page to notify you of any significant changes to this privacy notice, and will indicate at the top of the notice when it was most recently updated. We encourage you to check back often to review the latest version.
The new privacy notice will be effective upon posting. If you do not agree to the revised notice, you should alter your preferences. By continuing to access or make use of our services after the changes become effective, you agree to be bound by the revised privacy notice.
CONTACT US
If you have questions or concerns about our privacy practices, you can contact us by using our website www.cibi.com.ph or send an email to our Data Protection Officer listed below. Please include your contact information and a detailed description of your request or privacy concern.
Data Protection Officer: Ellen B. Co
Email: dpo@cibi.com.ph / eco@cibi.com.ph
I have read and hereby understood the above privacy notice and freely give my consent to the processing of my personal data.
CIBI is committed to protecting the privacy and security of your personal data. This privacy notice describes how we collect and use personal information about you before, during and after your attendance at CIBI organized/sponsored events, in accordance with the Data Privacy Law of 2012, its IRR and NPC issuances.
CIBI as an organizer of an event is a Personal Information Controller of your personal data and we value your privacy and aim to uphold the same when processing your personal data.
Accordingly, this Privacy Notice will explain to you briefly how we intend to process your information in relation to CIBI organized/sponsored events.
Registration and Communication
For purposes of registration and communicating official event notices or updates, we may collect basic information about you such as your name, organization, and contact information.
Documentation and Conduct of Event
To facilitate documentation and the actual conduct of the event, we may also collect and process other personal data such as photographs, as well as audio and video recordings. Should you wish that your image or audio not be recorded and/or later published, you may inform us via the contact information below or through any of our representatives during the event itself.
We are committed to protecting your personal data from loss, misuse, and any unauthorized processing activities, and will take all reasonable precautions to safeguard its security and confidentiality. Nor will we disclose, share, or transfer the same to any third party without your consent.
Unless you agree to have us retain your personal data to contact you regarding future similar activities, your data will only be kept for a limited period after the event to allow for any legal, accounting, and/or reporting responsibilities on our end. After that period, it will be disposed of in a safe and secure manner.
CIBI’s Legitimate Interests
For purposes of receiving feedback and improving our future events, we may collect feedback or survey information provided by you.
For safety and security purposes, CCTV cameras are strategically positioned throughout the venue.
We recognize your rights with respect to your personal data. Should you wish to exercise any of them or if you have any concerns regarding our processing activities, you may contact our Data Protection Officer: dpo@cibi.com.ph or visit our website.
Dear Guests and Visitors,
Welcome to CIBI!
We respect every individual’s right to privacy as much as we aim to ensure the safety and security of everyone inside CIBI premises, so please take the time to read this Privacy Notice explaining how we process the information we collect from or generate about you once you enter CIBI premises.
WHAT WE COLLECT
We collect basic information about you by asking you to sign our official logbook and requiring you to deposit proof of identity (ID) for verification purposes. Video footage is also recorded via a CCTV system installed at CIBI entry and exit points and within the premises.
WHY WE COLLECT THEM
While we collect the data primarily as a security measure, they also help us investigate reported violations of CIBI policies and other applicable laws, and generate statistics useful for planning and service improvement purposes.
HOW WE USE, STORE, AND RETAIN THEM
Your data are kept in a place under the custody of at least one administrative personnel who is on duty during CIBI’s working hours. Only authorized CIBI employees and security personnel have access to them. We dispose of the logbooks one (1) year from the date of collection unless required by law to retain them for a longer period. CCTV footage, on the other hand, is stored for thirty (30) days before being automatically deleted. We do NOT transfer or share your personal data with other persons or organizations unless required by law.
HOW YOU MAY EXERCISE YOUR RIGHTS
You have rights under the law regarding your personal data. Should you wish to exercise them, or if you just happen to have some questions, you may contact our Data Protection Officer: dpo@cibi.com.ph
Thank you and we hope you enjoy your stay!
CIBI Information Inc. understands that your privacy is important to you. CIBI may process your personal and sensitive data in its capacity as a personal information controller. We are committed to respecting your privacy and protecting your personal data, which is any information that is capable of identifying you as an individual person.
This Recruitment Privacy Notice (“Privacy Notice”) describes how we handle and protect your personal data in connection with CIBI’s recruiting processes and programs.
This Privacy Notice only applies to the personal data of job applicants, potential candidates for employment, and our recruiting programs and events. It does not apply to our employees, contractors or clients, or other personal data that CIBI collects for other purposes.
As used in this Privacy Notice, “personal data” means any information that identifies job applicants and potential candidates for employment with us, either submitted as part of the online application and/or through alternative channels (e.g., via professional recruiting firms).
We will process your personal data in accordance with this Privacy Notice, unless such processing conflicts with the requirements of applicable law, in which case, the applicable law will prevail.
By submitting your personal data to us, you acknowledge that:
- You have read and understood this Privacy Notice and agree to the use of your personal data as set out herein.
- You are not required to provide any requested information to us, but failing to do so may result in not being able to continue your candidacy for the job for which you have applied.
- All your representations are true and correct to the best of your knowledge and belief, and you have not knowingly omitted any related information of an adverse nature. Providing any inaccurate information may make you ineligible for employment.
- This Privacy Notice does not form part of any contract of employment offered to candidates hired by CIBI.
Personal Data We Collect
We usually collect personal data directly from you when you apply for a role with us, such as your name, address, contact information, work and educational history, achievements, and test results. We also may collect personal data about you from third parties, such as your references, prior employers, and third party employment background check providers, to the extent this is permitted by applicable law.
Sensitive personal data is a subset of personal data and includes race, health, education, philosophical and religious beliefs, sexual orientation, as well as other categories as enumerated under RA 10173. We do not seek to obtain and will not collect such data about a candidate unless required by recruitment processing and profiling needs but always subject to protection in compliance with RA 10173.
Use of Personal Data
We collect and use your personal data for legitimate human resources and business management reasons including:
- identifying and evaluating candidates for potential employment, as well as for future roles that may become available;
- recordkeeping in relation to recruiting and hiring;
- conducting criminal history checks as permitted by applicable law;
- protecting our legal rights to the extent authorized or permitted by law; or
- emergency situations where the health or safety of one or more individuals may be endangered.
We may also analyze your personal data or aggregated/pseudonymized data to improve our recruitment and hiring process and augment our ability to attract successful candidates.
We may desire to retain your personal data to consider you for future employment opportunities.
Data Recipients
We share your personal data with third-party service providers that may assist us in recruiting talent, administering and evaluating pre-employment screening and testing, and improving our recruiting practices. Moreover, we will endorse your application within the Equicom Group affiliates for any available position(s) for which you may be a fit.
We maintain processes designed to ensure that any processing of personal data by third-party service providers is consistent with this Privacy Notice and protects the confidentiality, availability, and integrity of your personal data. We put in place contractual provisions with our third-party providers to ensure adequate data protection of your personal data.
In addition, in the event of a re-organization, merger, sale, joint venture, assignment, or other transfer or disposition of all or any portion of our business, we may disclose or transfer your personal data.
Data Retention
If you accept an offer of employment by us, any relevant personal data collected during your pre-employment period will become part of your personnel records and will be retained in accordance with specific country requirements. If we do not employ you, we may nevertheless continue to retain and use your personal data for a period of time (1 year) for system administration purposes, to consider you for potential future roles, and to perform research. If you elect to join a recruiting program, we may retain your personal data to consider you for future employment opportunities.
Security
We have implemented generally accepted standards of technical, physical and organizational security measures to protect personal data from loss, misuse, alteration, or destruction. Only authorized personnel of CIBI and of our third-party service providers are provided access to personal data, and these employees and third-party service providers are required to treat this information as confidential.
Your Rights
We take reasonable steps that are designed to keep your personal data accurate, complete, and up-to-date for the purposes for which it is collected and used. We also have implemented measures that are designed to ensure that our processing of your personal data complies with this Privacy Notice and is protected based on RA 10173 standards.
You may have the right to request access to the personal data that we have collected about you for the purposes of reviewing, modifying, or requesting deletion of the data. You may have the right to request a copy of the personal data we have collected about you.
If you would like to make a request to access, review, or correct the personal data we have collected about you, or to discuss how we process your personal data, please contact our Data Protection Officer Ms. Ellen Co: eco@cibi.com.ph.
To help protect your privacy and security, we will take reasonable steps to verify your identity before granting you access to your personal data. We will make reasonable attempts to promptly investigate, comply with, or otherwise respond to your requests as may be required by applicable law. Depending upon the circumstances and the request, we may not be permitted to provide access to personal data or otherwise fully comply with your request; for example, where producing your information may reveal the identity of someone else. We reserve the right to charge an appropriate fee for complying with your request where allowed by applicable law, and/or to deny your requests where, in the Firm’s discretion, they may be unfounded, excessive, or otherwise unacceptable under applicable law.
In addition, and where granted by applicable law, you may have the right to lodge a complaint with the National Privacy Commission.
We do not make recruiting or hiring decisions based solely on automated decision-making.
GUIDELINES TO PROTECTING PERSONAL & SENSITIVE DATA WHEN WORKING REMOTELY
CIBI is implementing measures to control and prevent the spread of COVID-19, which include having more employees work remotely than usual. Below are some guidelines that should be followed strictly in order to keep CIBI’s commitments to its employees and clients towards protecting personal and sensitive data when working away from the office.
A. Devices
- Take extra care that devices such as USB drives, phones, laptops, PCs or tablets are not lost or misplaced;
- Make sure that any device has the necessary updates, such as operating system updates (like iOS or Android) and software/antivirus updates;
- Ensure your computer, laptop, or device, is used in a safe location, for example where you can keep sight of it and minimize who else can view the screen, particularly if working with sensitive personal data;
- Lock your device if you do have to leave it unattended for any reason;
- Make sure your devices are turned off, locked, or stored carefully when not in use;
- Use effective access controls (such as multi-factor authentication and strong passwords) and, where available, encryption to restrict access to the device, and to reduce the risk if a device is lost or stolen or misplaced.
- When a device is lost or stolen, take steps immediately to ensure a remote wipe of its storage, where possible, and report the loss as soon as possible to the Data Protection Officer of the Company via email.
B. Physical and Electronic Files
- Make sure any files containing personal & sensitive data are kept in a secure place;
- While such files are in use, make sure not to leave them unattended where unauthorized individuals may read or get hold of them;
- Make sure that you do not lose any documents while using them in your work area at home or any other place outside the office.
C. Emails
- Follow any applicable policies in your organization around the use of email;
- Use work email accounts rather than personal ones for work-related emails involving personal data. If you have to use personal email make sure contents and attachments are encrypted/password protected and avoid using personal or confidential data in subject lines;
- Before sending an email, ensure you are sending it to the correct recipient, particularly for emails involving large amounts of personal data or sensitive data.
D. Cloud and Network Access
- Where possible, only use your organization’s trusted networks or cloud services, and comply with any organizational rules and procedures about cloud or network access, login and data sharing;
- If you are working without cloud or network access, ensure any locally stored data is adequately backed up in a secure manner.
Upon receipt of this Advisory, you hereby acknowledge that you have read and understood these guidelines and will strictly adhere to them in order to protect and secure the personal and sensitive data within your control and custody while in a Work From Home setup.
For any issues, concerns or reports of a breach, please contact the Office of the Data Protection Officer at dpo@cibi.com.ph.
CIBI Information Inc., in compliance with Section 12 of the Data Privacy Act of 2012 on the criteria for lawful processing of personal information, shall strive to acquire the consent of data subjects prior to the processing of their personal data. However, where acquiring consent proves to be challenging and/or impractical, CIBI commits to process data only according to the following legitimate interests of our clients:
| CIBI Services | Legitimate Interest | Description |
|---|---|---|
| Know Your Customer (KYC) | Fraud Detection and Prevention | Due diligence procedure to validate the identity of an individual prior to employment or business transaction purposes |
| Pre-Employment Verification | Prevent fraud by validating the genuineness and authenticity of the declarations made by an individual | |
| Full Individual Report | | |
| Directorship | | |
| Negative Records | Crime Prevention | Share intelligence about individuals and concerns that may have a negative impact on businesses |
| Credit Report/Score | Prevent abuse of the financial system | Determine the creditworthiness of an individual in order to provide lending services according to the financial capability of the applicant to pay their debt |
CIBI Information Inc. respects the rights of data subjects under the Data Privacy Act of 2012. Data subjects may exercise their rights by filling out the Request for Implementation of Rights Form. Please be informed that the exercise of these rights is not absolute and is subject to the guidelines stated below.
Each of the rights listed below may be exercised by submitting this request at CIBI Head Office in Makati City in person or by proxy, as well as by e-mail to dpo@cibi.com.ph. Please complete in block letters and tick “X” where necessary. Fields marked with * are required for the application to be processed.
Guidelines
Fees
CIBI may charge a “reasonable fee” to comply with a subject access request for the administrative costs of complying with the request if:
- it is manifestly unfounded or excessive; or
- a data subject requests further copies of their data following a request.
CIBI should base the reasonable fee on the administrative costs of complying with the request. If CIBI decides to charge a fee, the data subject should be contacted promptly and informed. CIBI does not need to comply with the request until CIBI has received the fee. Alternatively, CIBI may refuse to comply with a manifestly unfounded or excessive request.
Responding To A Request
CIBI must comply with a request without undue delay and at the latest within one month of receipt of the request or within one (1) month of receipt of:
- any requested information to clarify the request;
- any information requested to confirm the requester’s identity; or
- a fee (only in certain circumstances).
CIBI should calculate the time limit from the day the request was received (whether it is a working day or not) until the corresponding calendar date in the next month.
Extension Of Time To Respond
CIBI can extend the time to respond by two (2) months if the request is complex or CIBI has received a number of requests from the data subject. CIBI must let the data subject know within one month of receiving their request and explain why the extension is necessary.
Validation of Identity
If CIBI has doubts about the identity of the person making the request, CIBI can ask for more information. However, it is important that CIBI only request information that is necessary to confirm who they are. The key to this is proportionality.
CIBI needs to let the data subject know as soon as possible that CIBI needs more information from them to confirm their identity before responding to their request. The period for responding to the request begins when CIBI receives the additional information.
Refusal to Comply with a Request
CIBI can also refuse to comply with a subject access request if it is:
- manifestly unfounded; or
- excessive.
Denial of Request
CIBI must inform the data subject without undue delay and within one month of receipt of the request. CIBI should inform the data subject about:
- the reasons CIBI is not taking action;
- their right to make a complaint to the NPC;
- their ability to seek to enforce this right through a judicial remedy.
CIBI should also provide this information if it requests a reasonable fee or needs additional information to identify the data subject.
CIBI Information Inc. is committed to handling personal and sensitive data in compliance with the Data Privacy Act of 2012, its IRR, and the issuances of the National Privacy Commission. If you want to file a complaint for any privacy violation under the law, please follow the procedures below:
Types of Complaints Concerned
All complaints about CIBI’s processing of Personal and Sensitive data will be handled in line with the procedure set out in HANDLING COMPLAINTS below. Examples of the types of complaints that may be raised by the data subject may include the following:
- Unfair or unlawful processing of personal data
- Misuse of your personal data
- Unauthorized access to your personal data
- Loss or deletion of your personal data
Handling Data Subject’s Complaints
CIBI will engage positively and resolve your complaint satisfactorily without you having to refer your complaint to the National Privacy Commission. Please take note that under Section 4 of NPC Circular 16-04 Rules of Procedure, the data subject is required to notify CIBI of any form of personal data breach and to give CIBI an opportunity to address such breach. To help us deal with your complaint, please provide a full written explanation of your concerns by completing the Data Protection Complaint Form below and following the steps provided.
Steps in Filing a Complaint
Step 1: Complete the Complaint Form and send it to the Data Protection Officer at the email address: dpo@cibi.com.ph.
Step 2: To assist us in dealing with your complaint, please provide the following:
- Full name and any government-issued IDs or passport of the person lodging the complaint;
- A clear photocopy of the IDs or passport.
Step 3: You will receive a communication within three (3) business days from CIBI’s acknowledgment receipt of your complaint.
Step 4: Your complaint will be treated confidentially and fully investigated where necessary. During this process, you may receive additional communications from our data protection officer to investigate your concern. If you have not provided enough information in your complaint, we will let you know the further information needed to process your complaint.
Step 5: Once the information related to your complaint is complete, we will contact you within thirty (30) days to propose a solution. This deadline may be extended in certain circumstances, depending on the nature of the complaint.
Step 6: If the solution proposed resolves your complaint, the Data Protection Office will close the matter.
Step 7: Should you remain unsatisfied with the outcome of the review by the Data Protection Officer or you have not received an answer within the above-mentioned deadline, you may then seek further recourse by contacting our President and CEO.
DATA PROTECTION COMPLAINTS FORM
If you believe that the processing of your Personal data by CIBI has caused you a damage or has not been processed according to Data Privacy Act of 2012 and its IRR, you can fill out the present Data Protection Complaint Form.
This Form is to be sent by email to the Data Protection Officer of CIBI at the following email address: dpo@cibi.com.ph.
The information collected in this form is intended to enable our Data Protection Officer to respond to your Complaint. It will be archived for five (5) years after the Complaint has been handled and then deleted. For any question related to this Complaint/Request Form, please send your request to the following email: dpo@cibi.com.ph
DATA BREACH/INCIDENT REPORT NO. 2020
In the event of a personal data breach or security incident, it is vital to ensure that it is dealt with immediately and appropriately to minimize the impact of the breach and prevent a recurrence.
If an employee/staff/subcontractor/intern of CIBI becomes aware of an actual, potential or suspected breach of personal data security, he/she must report the incident to his/her Unit Head, and the Unit Head must report such an incident to databreach@cibi.com.ph
Please refer to the Personal Data Breach Management Procedure Manual in filling out this report, herein attached as Appendix 2.
APPENDIX 1 – CHECKLIST FOR ASSESSING SEVERITY OF THE INCIDENT
How serious is the incident?
Level 1: Local Incident:
- Is this a local incident?
- Local incident = limited disruption to services; no serious threat to the privacy of individuals; no threat to CIBI being sued by data subject or client for data privacy breach
- Can the consequences of the privacy breach, loss or unavailability of the asset be managed locally within normal operating procedures?
- If so, manage the incident according to the Data Security Breach Management Procedure
Level 2.a: Minor Emergency Type A – Unlikely to Escalate into a Major Emergency:
- Is this a Minor Emergency (type A)?
- Minor Emergency (type A) = Disruption to the functioning capacity of a key service. Situation or incident (actual or potential) which poses a threat to the privacy of an individual/s at a minor level but may escalate to Type B.
- Do containment and recovery require assistance from other members of staff within CIBI or support teams outside CIBI?
- Does the breach require a notification to the CIBI’s senior managers?
- If so, the Lead Investigator (liaising with the Data Privacy Management Team) will decide who else needs to assist or be made aware of the breach e.g. Chief Financial Officer, President and CEO & Head of Information Security and so on.
Level 2.b: Minor Emergency Type B or Level 3: Major Emergency
- Is this a major incident?
- Does this involve a breach where personal data has been put at risk for identity fraud, acquired by unauthorized person; and there is reason to believe that the unauthorized acquisition is likely to give rise to a real risk of serious harm;
- Do containment and recovery, the consequences of the loss or unavailability of the asset, or the data privacy impact on individuals require significant CIBI resources beyond normal operating procedures?
- If so, escalate the incident to the Critical Response Team at the email address: criticalbreach@cibi.com.ph
The incident level is defined by:
- Does the incident need to be reported immediately to the NPC, i.e. does it fall under the reporting criteria of NPC Circular 16-03 (Personal Data Breach Management): personal data has been put at risk of identity fraud or acquired by an unauthorized person, and there is reason to believe that the unauthorized acquisition is likely to give rise to a real risk of serious harm?
- How important is the information asset to the CIBI business process or function?
- Is the asset a vital record? Is it unique, i.e. once lost, lost forever? Will its loss have adverse financial, legal, liability or reputational consequences for CIBI?
- Is it business-critical? Do you rely on access to this particular information asset, or can you turn to reliable electronic copies or alternative manual processes (e.g. paper files) if the information asset is unavailable?
- How urgently would access to the information asset need to be restored to resume business or, if a workaround will keep business moving in the short term, to return to the required standard of service?
- Does the loss or breach of data security involve high-risk personal data, i.e.:
  - Sensitive personal data (as defined in the Data Privacy Act) relating to an identifiable individual’s:
    - racial or ethnic origin;
    - sex or gender;
    - political opinions or religious or philosophical beliefs;
    - medical condition, physical or mental health or condition;
    - sexual life;
    - commission or alleged commission of any offence; or
    - proceedings for an offence committed or alleged to have been committed by the data subject, the disposal of such proceedings or the sentence of any court in such proceedings.
  - Information that could be used to commit identity fraud, such as personal bank account and other financial information, government-issued IDs and copies of passports and visas;
  - Personal information relating to vulnerable adults and children;
  - Detailed profiles of individuals, including information about work performance, salaries or personal life that would cause significant damage or distress to that person if disclosed;
  - Security information that would compromise the safety of individuals if disclosed.
APPENDIX 2 – PERSONAL DATA MANAGEMENT BREACH PROCEDURE GUIDELINES
INTRODUCTION
CIBI Information, Inc. (“CIBI”) is obliged under the Data Privacy Act of 2012 and its Implementing Rules and Regulations to keep personal data safe and secure and to respond promptly and appropriately to data security breaches (including reporting such breaches to the National Privacy Commissioner in certain cases). It is vital to take prompt action in the event of any actual, potential or suspected breaches of data security or confidentiality to avoid the risk of harm to individuals, damage to operational business and severe financial, legal and reputational costs to CIBI.
PURPOSE
The purpose of these procedures is to provide a framework for reporting and managing data security breaches affecting personal or sensitive personal data (defined below) held by CIBI. These procedures are a supplement to CIBI’s Data Protection Policy, which affirms its commitment to protect the privacy rights of individuals in accordance with Data Protection legislation.
WHAT IS A PERSONAL DATA SECURITY BREACH?
A personal data security breach is any event that has the potential to affect the confidentiality, integrity or availability of personal data held by CIBI in any format. Personal data security breaches can happen for a number of reasons, including:
- the disclosure of confidential data to unauthorized individuals;
- loss or theft of data or equipment on which data is stored;
- loss or theft of paper records;
- inappropriate access controls allowing unauthorized use of information;
- suspected breach of the CIBI’s IT security and Acceptable Use policies;
- attempts to gain unauthorized access to computer systems, e.g. hacking;
- records altered or deleted without authorization by the data “owner”;
- viruses or other security attacks on IT equipment, systems or networks;
- breaches of physical security, e.g. forcing of doors or windows into a secure room or filing cabinet containing confidential information;
- confidential information left unlocked in accessible areas;
- leaving IT equipment unattended when logged-in to a user account without locking the screen to stop others accessing information;
- emails containing personal or sensitive information sent in error to the wrong recipient.
WHO DO THESE PROCEDURES APPLY TO?
These procedures apply to all users of CIBI data, including:
- any person who is employed by CIBI or is engaged by CIBI who has access to CIBI data in the course of their employment or engagement for administrative, research and/or any other purpose;
- the Management Committee;
- any student/intern/trainee of CIBI who has access to CIBI/Client data in the course of their internship for administrative, research and/or any other purpose;
- individuals who are not directly employed by CIBI, but who are employed by contractors (or subcontractors) and who have access to CIBI/Client data in the course of their duties;
hereinafter collectively referred to as “Members”.
WHAT TYPES OF DATA DO THESE PROCEDURES APPLY TO?
These procedures apply to:
- all personal data created or received by CIBI in any format (including paper records), whether used in the workplace, stored on portable devices and media, transported from the workplace physically or electronically or accessed remotely;
- personal data held on all CIBI IT systems managed centrally by the IT Department, and locally by the individual CIBI Sites;
- personal data accessed by CIBI Members as part of the service provided to its clients;
- any other IT systems on which CIBI data including Client data accessed by CIBI members is held or processed.
WHO IS RESPONSIBLE FOR MANAGING PERSONAL DATA SECURITY BREACHES?
Personal data security breaches are managed by the Data Privacy Management Team composed of the Information Security Officer, Data Protection Officer, Legal Compliance Officer and HR Employee Relationship Officer. In emergency situations, CIBI’s Critical Response Team will take over responsibility for managing the incident. The Critical Response Team is composed of the President and CEO, Chief Financial Officer, and VP for Sales.
Data Privacy Organizations | Members |
---|---|
Data Privacy Management Team | Information Security Officer, Data Protection Officer, Legal Compliance Officer, HR Employee Relationship Officer |
Critical Response Team | President and CEO, Chief Financial Officer, VP for Sales |
Lead Investigator | Appointed by the Data Privacy Management Team as needed (e.g. IT Head for IT-related incidents) |
PROCEDURE FOR REPORTING PERSONAL DATA SECURITY BREACHES
In the event of a breach of personal data security occurring, it is vital to ensure that it is dealt with immediately and appropriately to minimize the impact of the breach and prevent a recurrence.
If a member of CIBI becomes aware of an actual, potential or suspected breach of personal data security, he/she must report the incident to his/her Unit Head, and the Unit Head must report such an incident to databreach@cibi.com.ph
PROCEDURE FOR MANAGING DATA SECURITY BREACHES
In line with best practice, the following five steps should be followed in responding to a data security breach:
Step 1: Identification and initial assessment
Step 2: Containment and Recovery
Step 3: Risk Assessment
Step 4: Notification
Step 5: Evaluation and Response
STEP 1: Identification and Initial Assessment of the Incident
If a member of CIBI considers that a data security breach has occurred, this must be reported immediately to the Unit Head. The Unit Head must inform the Data Privacy Management Team about the incident by e-mail to databreach@cibi.com.ph. The Unit Head should submit a Data Security Breach Report Form (Appendix 1) without delay. The Report Form will assist the Data Privacy Management Team in conducting an initial assessment of the incident by establishing:
- if a personal data security breach has taken place; if so:
- what personal data is involved in the breach;
- the cause of the breach;
- the extent of the breach (how many individuals are affected);
- the harms to affected individuals that could potentially be caused by the breach;
- how the breach can be contained.
Following this initial assessment of the incident, the Data Privacy Management Team will investigate the incident or appoint an investigator (e.g. the IT Head for IT-related incidents) and will decide if it is also necessary to appoint a group of relevant CIBI stakeholders to assist with the investigation. Any records relating directly to an investigation will be retained by the Data Privacy Management Team. The Lead Investigator (if appointed), liaising with the Data Privacy Management Team, will determine the severity of the incident using the checklist in Appendix 2 and by completing Section 2 of the Data Security Breach Report Form (Appendix 1); that is, s/he will decide if the incident can be managed and controlled locally or if it is necessary to escalate the incident to CIBI’s Critical Response Team at the email address: criticalbreach@cibi.com.ph.
The severity of the incident will be categorized as level 1, 2a, 2b or 3.
Severity level | Management |
---|---|
Level 1, classed as a Local Site Incident | Managed and controlled by the Data Privacy Management Team |
Level 2 (a), classed as a Minor Emergency Type (A) | Managed and controlled by the Data Privacy Management Team |
Level 2 (b), classed as a Minor Emergency Type (B) | Escalated to the Critical Response Team, which is responsible for the management and close-out of the incident |
Level 3, classed as a Major Emergency | Escalated to the Critical Response Team, which is responsible for the management and close-out of the incident |
Step 2: Containment and Recovery
Once it has been established that a data breach has occurred, CIBI needs to take immediate and appropriate action to limit the breach.
The Lead Investigator, liaising with the Data Privacy Management Team and relevant CIBI members/managers, will:
- Establish who within CIBI needs to be made aware of the breach (e.g. IT Services, Operations, Legal, Sales Office) and inform them of what they are expected to do to contain the breach (e.g. isolating/closing a compromised section of the network, finding a lost piece of equipment, changing access codes on doors, etc.).
- Establish whether there is anything that can be done to recover any losses and limit the damage the breach can cause (e.g. physical recovery of equipment/records, the use of back-up tapes to restore lost/damaged data).
- Establish if it is appropriate to notify affected individuals immediately (e.g. where there is a high level of risk of serious harm to individuals).
- Where appropriate (e.g. in cases involving theft or other criminal activity), inform the National Privacy Commission.
Step 3: Risk Assessment
In assessing the risk arising from a data security breach, the relevant CIBI stakeholders are required to consider the potential adverse consequences for individuals, i.e. how likely are adverse consequences to materialize and, if so, how serious or substantial are they likely to be. The information provided at Stage 1 on the Data Security Breach Report Form will assist with this stage.
The Lead Investigator and Data Protection Officer in conjunction with the head of unit/function/CIBI site in which the incident occurred will review the incident report to:
- Assess the risks and consequences of the breach:
  - Risks for individuals:
    - What are the potential adverse consequences for individuals?
    - How serious or substantial are these consequences?
    - How likely are they to happen?
  - Risks for CIBI:
    - Strategic & Operational
    - Compliance/Legal
    - Financial
    - Reputational
    - Continuity of Service Levels
- Determine, where appropriate, what further remedial action should be taken on the basis of the incident report to mitigate the impact of the breach and prevent repetition.
The Lead Investigator and Data Protection Officer will prepare an incident report setting out (where applicable):
- a summary of the security breach;
- the people involved in the security breach (such as employees, contractors, external clients, vendors);
- details of the information, IT systems, equipment or devices involved in the security breach and any information lost or compromised as a result of the incident;
- how the breach occurred;
- actions taken to resolve the breach;
- impact of the security breach;
- unrealized, potential consequences of the security breach;
- possible courses of action to prevent a repetition of the security breach;
- side effects, if any, of those courses of action;
- recommendations for future actions and improvements in data protection as relevant to the incident.
The incident report will then be furnished to the Head of the Unit (as appropriate) affected by the breach. Such Head will request the relevant employee(s) to update the risk registers at the appropriate levels where necessary. Any significant risks will be reported to the Data Privacy Management Team.
Step 4: Notification
On the basis of the evaluation of risks and consequences, the Data Protection Officer and others involved in the incident as appropriate, will determine whether it is necessary to notify the breach to others outside CIBI. For example:
- individuals (data subjects) affected by the breach;
- the National Privacy Commission;
- other bodies such as regulatory bodies;
- corporate counsel.
As well as deciding who to notify, the Data Protection Officer must consider:
- What is the message that needs to be put across? In each case, the notification should include as a minimum:
  - a description of how and when the breach occurred;
  - what data was involved;
  - what action has been taken to respond to the risks posed by the breach.

  When notifying individuals, the Data Protection Officer should give specific and clear advice on what steps they can take to protect themselves and what CIBI is willing to do to assist them, and should provide details of how they can contact CIBI for further information (e.g. contact details of the DPO on the CIBI website).
- How to communicate the message? What is the most appropriate method of notification (e.g. are there large numbers of people involved? Does the breach involve sensitive data? Is it necessary to write to each individual affected? Is it necessary to seek legal advice on the wording of the communication?).
- Why are we notifying? Notification should have a clear purpose, e.g. to enable individuals who may have been affected to take steps to protect themselves (e.g. by cancelling a credit card or changing a password), to allow regulatory bodies to perform their functions, provide advice and deal with complaints, etc.
In accordance with National Privacy Commission Circular 16-03 (Personal Data Breach Management), all incidents in which personal data has been put at risk of identity fraud or acquired by an unauthorized person, and there is reason to believe that the unauthorized acquisition is likely to give rise to a real risk of serious harm, must be reported to the National Privacy Commission within 72 hours from knowledge of the personal data breach, based on available information. A follow-up report should be submitted within five (5) days from knowledge of the breach, unless a longer period is allowed by the Commission.
Any contact with the National Privacy Commission should be made through the Data Protection Officer. Initial contact with the Commission should be made by the Data Protection Officer within two working days of becoming aware of the breach, outlining the circumstances surrounding the incident. This initial contact may be by e-mail and must not involve the communication of personal data. In cases where the decision is made by the Lead Investigator and Data Protection Officer not to report a breach, a brief summary of the incident with an explanation of the basis for not informing the Commissioner will be retained by the Data Protection Officer.
Step 5: Evaluation and Response
Subsequent to a data security breach, a review of the incident by the Data Privacy Management Team in consultation with the relevant stakeholders in CIBI will take place to ensure that the steps taken during the incident were appropriate and to identify areas that may need to be improved. All data security breach reports should be sent to the Data Privacy Management Team, who will use these to compile a central record (log) of incidents. The Data Protection Officer will report on incidents to the Management Committee at least on a quarterly basis in order to identify lessons to be learned, patterns of incidents and evidence of weaknesses and exposures that need to be addressed. For each serious incident, the Data Privacy Management Team and Data Protection Officer will conduct a review to consider and report to the Board on the following:
- What action needs to be taken to reduce the risk of future breaches and minimize their impact?
- Do policies, procedures or reporting lines need to be improved to increase the effectiveness of the response to a breach?
- Are there weak points in security controls that need to be strengthened?
- Are employees and users of data aware of their responsibilities for information security and adequately trained?
- Is additional investment required to reduce exposure and, if so, what are the resource implications?
CIBI reserves the right to amend or revoke these procedures at any time without notice and in any manner in which CIBI sees fit at the absolute discretion of CIBI.