DATA PRIVACY STATEMENT


THE PHILIPPINE CLEARING HOUSE CORPORATION

AS PERSONAL INFORMATION PROCESSOR


Data Privacy Statement



In performing its services as the operator of a check-clearing house and of an electronic funds-transfer network for banks, the Philippine Clearing House Corporation (PCHC) receives Personal Information, which it processes to carry out the instructions of the banks using its facilities (the “Bank Participants”). As a Personal Information Processor (PIP), PCHC is dedicated to protecting data privacy and safeguarding the Personal Information indicated on items transmitted to it by the Bank Participants for clearing and funds-transfer purposes.

PCHC will comply with its obligations as a Personal Information Processor under the provisions of the Data Privacy Act (DPA) of 2012, its Implementing Rules and Regulations, issuances of the National Privacy Commission (NPC), and supporting laws and rules (collectively, the “Data Privacy Directives”) with respect to any Personal Information that PCHC processes on behalf of the Bank Participants in connection with their use of the following PCHC facilities:

1. Check Image Clearing System (CICS)

2. Philippine EFT System Operations Network (PESONet)

3. Project Abstract Security System (PASS 5)

4. Philippine Domestic Dollar Transfer System (PDDTS)


Terms defined in the DPA of 2012 will have the same meaning herein. Procedures are put in place by PCHC to monitor compliance with the Data Privacy Directives and the obligations specified herein.



I. Representations of PCHC


a) The following data privacy principles apply to all Personal Information processed by PCHC:


1. Transparency


Any information and communication relating to the processing by PCHC of Personal Information should be easy to access and understand.


2. Legitimate purpose


The processing of information shall be compatible with a declared and specified purpose which must not be contrary to law, morals, or public policy.


3. Proportionality


The processing of information shall be adequate, relevant, suitable, necessary, and not excessive in relation to a declared and specified purpose. Personal Information shall be processed only if the purpose of the processing could not reasonably be fulfilled by other means.


b) PCHC implements reasonable and appropriate organizational, physical and technical security measures to protect any Personal Information, accessed or processed by PCHC, against unlawful or accidental loss, destruction, alteration or disclosure.


c) Personal Information is not to be retained longer than necessary. Data no longer needed shall be securely destroyed.


d) PCHC takes reasonable steps to ensure the reliability of, and compliance with its policies by, its employees and third-party service providers who may have access to the Personal Information processed as part of PCHC services. Employees and third-party service providers are to operate under strict confidentiality, and this obligation continues after termination of employment or contractual services.


e) PCHC will provide assistance and information to the Bank Participants in connection with requests of their customers relative to the exercise of their rights.


f) PCHC has designated an individual who functions as data protection officer or compliance officer to ensure compliance with Data Privacy Directives.



II. Compliance, Awareness And Sanctions


a) Compliance with the Data Privacy Directives is mandatory and will be strictly monitored.


b) Employees will be subjected to disciplinary action if found to have permitted unauthorized disclosure or processing of Personal Information. PCHC and employees can face prosecution and penalties for breach of Data Privacy Directives or misuse of PCHC’s system or information.

c) Data Privacy policies are disseminated to all PCHC employees and third parties through office memos, awareness trainings and other means of communication/reporting.



III. Processing of Personal Information

a) Collection


As the Clearing House Operator for the banking industry, PCHC receives and processes Personal Information of/from clients of the Bank Participants. The types of Personal Information received by PCHC as a PIP are as follows:


1. Account Name

2. Account Number

3. Address

4. Contact Phone Number

5. Client’s signature - in transactions that require the Client’s signature for processing

6. Email address

7. Name of Contact Person

8. Tax Identification Number (TIN) - for some systems


b) Use

The Personal Information received by PCHC is processed by it for the following purposes and under the following systems and conditions:



Name of Processing System | Description of Personal Data | Purpose | Period of Retention*

CICS
  Personal Data: Account Name; Account Number; Specimen Signature
  Purpose: Check Clearing
  Period of Retention*: 10 years

PESONet
  Personal Data: Sender Account Name; Sender Account Number; Sender Address; Receiver Account Name; Receiver Account Number; Receiver Address
  Purpose: Electronic Payment or Fund-transfer Instruction
  Period of Retention*: 10 years

PASS 5
  Personal Data: Importer Name
  Purpose: Electronic Payment or Fund-transfer Instruction for collection of duties at BOC
  Period of Retention*: 10 years

PDDTS RTGS/PvP
  Personal Data: Sender Account Name; Sender Account Number; Sender Address; Receiver Account Name; Receiver Account Number; Receiver Address
  Purpose: Electronic Payment or Fund-transfer Instruction for USD currency
  Period of Retention*: 10 years

* Period of Retention is computed from the date of clearing of the Payment Demand or Fund-transfer Instruction, as the case may be.


c) Storage


1. As a PIP, PCHC ensures that all transactions containing Personal Information from Bank Participants are stored in an Information and Communications System or on external storage devices, and are retained for ten (10) years.


2. PCHC implements appropriate security measures in storing all received Personal Information. It ensures that Personal Information under its custody is protected against any accidental or unlawful destruction, alteration and disclosure as well as against any other unlawful processing.


3. Any document containing Personal Information either in hard copy or in electronic format is classified by PCHC as CONFIDENTIAL information which shall be protected in accordance with PCHC’s Information Security Policies and Management System.


d) Disclosure


1. PCHC discloses Personal Information to its employees and to the drawee/receiving Bank Participants to the extent necessary to perform its services, and to its officers, directors, consultants, cloud platform provider, cloud management service provider, and authorized representatives on a “need-to-know” basis only. It directs its employees, officers, directors, consultants, cloud platform provider, cloud management service provider, and authorized representatives to observe the confidentiality of the Personal Information and prohibits any unauthorized access, improper use, duplication, disclosure, alteration and destruction of any of the Personal Information in whole or in part.


2. Whenever PCHC discloses Personal Information to the employees, officers, directors, consultants, cloud platform provider, cloud management service provider, and authorized representatives of PCHC, as needed, the said employees, officers, directors, consultants, cloud platform provider, cloud management service provider, and authorized representatives of PCHC shall process and hold the Personal Information under strict confidentiality. This obligation shall continue even after termination of their employment or contractual relations with PCHC.


3. PCHC may disclose the Personal Information when so required by proper order of judicial, quasi-judicial or administrative authorities or as needed by an arbitration body or committee authorized by PCHC in aid of investigation provided that PCHC shall, to the extent legally permitted and if reasonably practicable, notify the Bank Participant concerned prior to such disclosure.


IV. Security Measures


a) PCHC recognizes the importance of protecting its information assets, especially of Bank Participants, from unauthorized access, disclosure, modification and destruction. Thus, PCHC has adopted information security policies to ensure the confidentiality, integrity and availability of information.


b) The following information security principles govern the controls for security and management of information:


1. Information must be protected from unauthorized disclosure (confidentiality), maintained as complete, consistent and accurate (integrity), and made available to authorized users when required (availability).


2. Information within the business can take many forms – electronic (stored or in transit), physical (printed or written on paper) or discussed in conversations. Regardless of form, all users covered by this policy are responsible to protect and handle information in accordance with its degree of sensitivity or importance.


3. Information security policies have to be in compliance with legislative and regulatory requirements.


4. Information security awareness, education and training programs will be conducted to all concerned personnel, including their roles in protecting the company’s information assets from any threats.


5. Information will be protected against breach, loss or corruption.


6. Business continuity plans will be tested, maintained and improved.


7. All actual or suspected information security breaches will be reported to the appropriate officer(s) and will be thoroughly investigated.


8. Supporting guidelines, standards, controls and procedures will be implemented at all levels across the PCHC organization to support this policy.


9. Security measures include, but are not limited to, behavioral (good practices in personnel management and acceptable use of resources) or technical measures (e.g. passwords, firewall, system configurations, access controls, etc.).


c) Organizational Security Measures


1. PCHC has designated a Data Protection Officer, who was registered as such with the NPC on September 6, 2017. The DPO oversees PCHC’s compliance with the Data Privacy Directives and related policies, including the conduct of a Privacy Impact Assessment, the implementation of security measures, the Security Incident and Data Breach protocol, and the inquiry and complaints procedure.


2. PCHC’s Information and Communication Systems /Data Processing System (Philippine Automated Clearing System or PACS) was registered with the NPC on February 20, 2018.


3. PCHC shall sponsor a mandatory training on data privacy at least once a year. For personnel directly involved in the processing of Personal Data, PCHC shall ensure their attendance and participation in relevant trainings and orientations as often as necessary.


4. The Data Privacy Manual of PCHC shall be reviewed and evaluated annually. Privacy and security policies and practices within PCHC shall be updated to remain consistent with current data privacy best practices.


d) Physical Security Measures

1. PCHC office/work areas, storage/file rooms, and computer/server rooms are suitably protected from physical intrusion, theft, fire, flood and other environmental hazards.

2. Critical information processing facilities and other areas where sensitive information is processed or stored are housed in secure areas (e.g. data centers, network equipment rooms).


3. Personal Information in the custody of PCHC, whether in digital/electronic format or in paper-based/physical format, is stored in a secured data room.


4. PCHC maintains appropriate safeguards against unlawful and unauthorized physical access. Only authorized personnel are allowed inside the data room.


5. The location of data centers and network equipment rooms is kept secure and confidential. These areas are not labeled, so that their location is concealed from visitors and guests passing by.


6. Data centers and network equipment rooms are equipped with air conditioners, temperature and humidity monitoring system, smoke detectors, fire alarms and fire suppression system to protect and monitor against environmental hazards or conditions.


7. Equipment or facilities critical in the operations of business are equipped with Uninterruptible Power Supply (UPS) system to ensure continuous operation in case of electrical interruption or fluctuation.


8. Photographic, video, audio or other recording equipment such as cameras in mobile devices, which may expose the equipment setup, are not allowed unless authorized.


9. All equipment is maintained in accordance with the manufacturer’s specifications and maintenance schedule. Only authorized personnel may perform equipment repairs and maintenance services.


10. Transfers of Personal Information via electronic means are encrypted. Facsimile technology is not used for transmitting documents.


e) Technical Security Measures


1. Information is protected throughout its life cycle: handling, storage (data at rest), transmission (data in transit), and disposal.


2. The following guidelines apply to security of electronic data:


2.1. Controls should be in place to guard against unauthorized access, alteration or data leakage.


2.2. Portable devices containing confidential data must also be secured.


2.3. Databases are properly configured, with effective preventive and detective controls, secured access and continuous monitoring.


3. Various channels used to transmit electronic data have appropriate safeguards.


4. Standards, guidelines and procedures are implemented to define and describe the minimum control requirements for data security.


5. In operations migrated to cloud computing platforms, PCHC ensures that the level of security and data privacy are in compliance with regulatory requirements and internal PCHC controls. PCHC Management shall exercise effective oversight and continuous monitoring as to security and performance of the cloud service providers.


6. Encryption is used to protect information where the risk of loss through theft or interception is high, and there is the potential for a major security breach should said information get into the hands of unauthorized persons.


7. PCHC reviews security policies, conducts vulnerability assessments and performs penetration testing on a regular schedule.



V. Breach and Security Incidents

a) PCHC has formed a Data Breach Response Team which provides 24x7 monitoring of security events on critical systems in IT operations. In addition to this Response Team, a Security Operations Center (SOC) is operated by a third-party service provider.


b) The Breach Response Team is responsible for ensuring immediate action in the event of a Security Incident or Personal Data Breach. A call tree lists the contact details of the response team members to support the incident response process. The team shall conduct an initial assessment of the incident or breach in order to ascertain its nature and extent.


c) Security incidents must be reported immediately, and containment measures must be implemented as applicable to prevent further misuse of, or damage to, other systems. The team shall execute measures to mitigate the adverse effects of the incident or breach.

d) The members of the Data Breach Response Team are the same personnel assigned to the IT Recovery Team as defined in the Business Continuity Manual of PCHC.


e) Measures to Prevent and Minimize Occurrence of Breach and Security Incidents:


1. PCHC’s Data Protection Officer shall regularly conduct a Privacy Impact Assessment to identify risks in the processing system, recommend a risk treatment plan, monitor for security breaches, and ensure that vulnerability scanning of computer networks is done regularly.


2. Personnel directly involved in the processing of Personal Information must attend training and seminars for capacity building.


3. Periodic reviews of the policies and procedures being implemented must be conducted.



f) Recovery and Restoration of Personal Data


1. PCHC always maintains a backup copy of file for all Personal Information under its custody.


2. In the event of a Security Incident or Data Breach, PCHC shall always compare the backup with the affected file to determine inconsistencies or alterations resulting from the incident or breach.
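The backup comparison in f)2 is the one step in this statement that a responder actually carries out by hand, so an added example follows. It is not PCHC’s code and this statement does not describe PCHC’s file formats; the record layout (a CSV with a txn_id key, account name, account number and amount) and the sample rows are constructed for illustration. The comparison works on per-record SHA-256 digests rather than raw rows, so the comparison result can be kept as incident evidence without copying the Personal Information into yet another file.

```python
import csv
import hashlib
import io

# Constructed sample data for illustration only. The record layout (header row,
# then txn_id, account_name, account_number, amount) is an assumption; the
# privacy statement does not describe PCHC's actual file formats.
BACKUP_COPY = """txn_id,account_name,account_number,amount
T0001,Juan Dela Cruz,1234567890,1500.00
T0002,Maria Santos,2345678901,250.50
T0003,Pedro Reyes,3456789012,9999.99
"""

# The same file after a hypothetical incident: T0002's account number was
# changed, T0003 is gone, and an unknown record T0004 appeared.
AFFECTED_COPY = """txn_id,account_name,account_number,amount
T0001,Juan Dela Cruz,1234567890,1500.00
T0002,Maria Santos,9999999999,250.50
T0004,Unknown Payee,4567890123,100.00
"""


def record_digests(text, key_field="txn_id"):
    """Map each record's key to a SHA-256 digest of its canonicalised fields.

    Fields are joined in sorted name order with a separator that cannot appear
    in CSV text, so a column reordering between the two copies is not reported
    as an alteration, while any change to a value is.
    """
    digests = {}
    for row in csv.DictReader(io.StringIO(text)):
        key = row[key_field]
        if key in digests:
            raise ValueError(f"duplicate key {key!r} in input")
        canonical = "\x1f".join(row[name] for name in sorted(row))
        digests[key] = hashlib.sha256(canonical.encode("utf-8")).hexdigest()
    return digests


def compare_with_backup(backup_text, affected_text):
    """Return which records were altered, missing or added relative to the backup."""
    backup = record_digests(backup_text)
    affected = record_digests(affected_text)
    common = backup.keys() & affected.keys()
    altered = sorted(k for k in common if backup[k] != affected[k])
    missing = sorted(backup.keys() - affected.keys())
    added = sorted(affected.keys() - backup.keys())
    return {
        "altered": altered,
        "missing": missing,
        "added": added,
        "intact": not (altered or missing or added),
    }


if __name__ == "__main__":
    result = compare_with_backup(BACKUP_COPY, AFFECTED_COPY)
    for kind in ("altered", "missing", "added"):
        print(f"{kind:>8}: {', '.join(result[kind]) or '-'}")
    print(f"  intact: {result['intact']}")
```

In practice the reference side should be a digest list computed from the backup at the time it was taken and stored write-protected, not the backup file itself read at incident time; otherwise an attacker who could alter the live file and the backup alike leaves nothing for the comparison to find.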



g) Notification Protocol


1. The Head of the Data Breach Response Team shall inform PCHC Management of the occurrence of a Security Incident or Data Breach. PCHC shall notify the Bank Participant concerned about such occurrence within twenty-four (24) hours from actual discovery or from reasonable belief of the occurrence thereof.


2. PCHC shall provide the concerned Bank Participant every assistance necessary to enable it to comply with the notification requirement under the Data Privacy Directives.


VI. Inquiries and Complaints

a) If any request or complaint of a Data Subject is made directly to PCHC, PCHC will (a) promptly inform the concerned Bank Participant, and (b) advise the Data Subject to submit his/her request or complaint to the Bank Participant. PCHC shall not be responsible for responding to any Data Subject’s request or complaint.

b) If the Bank Participant is unable to address a Data Subject’s request, PCHC shall, upon request of the Bank Participant, provide reasonable assistance to the Bank Participant in responding to the Data Subject’s request, to the extent PCHC is able to and only as required by the Data Privacy Directives.



END-