SCP Data Protection Policy

The SCP Data Protection Policy is applicable to all staff (regardless of the type of employment or contractual arrangement) and to the extent practiceable, to donors, beneficiaries, partners, suppliers, guests, volunteers, consultants, and other persons working for SCP who may receive personal information from SCP, have access to personal data collected or processed by or on behalf of the SCP, or who provide information to SCP.

SECTION 1: PURPOSE

Save the Children Philippines (“SCP”) is committed to using Personal Data responsibly and to ensuring that all Staff understand and comply with their responsibilities under this Data Protection Policy (“Policy”) and the law. This Data Protection Policy follows and is consistent with the Data Privacy Act of 2012 (DPA), its Implementing Rules and Regulations (IRR), other issuances of the National Privacy Commission (NPC), and other relevant laws of the Philippines. SCP recognizes that the correct and lawful treatment of Personal Data is a critical responsibility. Failure to adequately protect Personal Data could result in harm to others, reputational damage, loss of income or fines for serious breaches.


This Policy sets out the principles SCP applies in handling and safeguarding Personal Data entrusted to SCP and sets out the obligations of staff in relation to Personal Data SCP holds or Processes. Each staff has a responsibility in securing and protecting the Personal Data in SCP’s care. 


This data protection policy ensures that SCP:

  • complies with data protection law under the Data Privacy Act of 2012;
  • follows good data protection practices;
  • protects the rights of children and their families, employees, partners, volunteers, resource person, applicants, suppliers, and/or business contacts, among others;
  • is open about how it stores and processes individuals’ data;
  • protects itself from the risk of a data breach.

This Policy is mandatory for all Staff, and all Staff must read and comply with this Policy and any related procedures and guidance. 

SECTION 2: PRINCIPLES

Save the Children Philippines has developed this Privacy Policy to protect privacy and Personal Data collected and to demonstrate its commitment to keeping personal information collected safe. The Policy contains information about Save the Children's responsibilities, rights of data subjects, the information that may be collected by Save the Children Philippines, and how it will be used.


Personal information is any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual. This includes sensitive information. The type of information collected will depend on the relationship with Save the Children Philippines. Personal information is collected from beneficiaries, partners, donors, members of the public, online users of the Save the Children Philippines website, and Save the Children Philippines personnel (including employees, officers, trustees, delegates, volunteers, candidates for volunteer work and prospective employees).


The primary purpose for collecting personal information from individuals is to provide services to children, including planning, funding, monitoring and evaluating our services. Save the Children Philippines takes reasonable steps to ensure that the personal information it collects, uses, retains or discloses is accurate, complete and up-to-date and is protected from misuse, interference, loss, unauthorized access, modification or disclosure.

SECTION 3: POLICY STATEMENT(S)

Personal Data Protection Principles

SCP must be able to demonstrate compliance with the following data protection principles:

  • Lawfulness, Fairness and Transparency
    • Personal Data must be processed in a fair, lawful and transparent manner. The purpose for processing a person’s data should be determined and disclosed before its collection or as soon as practicable. The consent of the data subject on the collection and processing of his/her data should first be obtained, subject to exemptions provided by laws and regulations. In obtaining his/her consent, the data subject must be informed of the nature, purpose, and extent of the processing of such personal data, including the risks and safeguards involved, the identity of the personal information controller, his rights as a data subject as well as how these can be exercised. Information provided to a data subject must always be in clear and plain language to ensure that they are easy to understand and access.
  • Legitimate Purpose
    • Personal Data must only be collected for specified, 
      explicit and legitimate purposes. The principle of legitimate purpose requires that the collection and processing of information must also be compatible with a declared and specified purpose, which must not be contrary to law, morals, or public policy. In other words, personal data should be processed fairly and lawfully.
  • Proportionality
    • The principle of proportionality requires that the processing of personal information must be relevant to and must not exceed the declared purpose. The personal information may be retained only for as long as necessary for the fulfillment of the purposes for which the data was obtained.
  • Minimal
    • Processing Personal Data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are Processed. Where possible, SCP must apply anonymization to Personal Data to reduce the risks to the Data Subjects concerned
  • Accuracy/Data Quality
    • Personal Data must be accurate and, where necessary, kept up to date; reasonable steps must be taken to ensure that Personal Data that are inaccurate, having regard to the purposes for which they are Processed, are erased or rectified in a timely manner.
  • Storage Period Limitation
    • Personal Data must be kept for no longer than is necessary for the purposes for which the Personal Data are Processed.
  • Integrity and Confidentiality
    • Appropriate technical or organizational measures must be adopted to ensure the security of Personal Data, including protection against accidental or unlawful destruction, loss, alteration, unauthorized access, or disclosure.
  • Accountability
    • Personal Information Controllers (PIC) must be responsible for and be able to demonstrate compliance with the principles outlined above.

All Staff shall adhere to these principles when Processing Personal Data. Any suggestions for improvements as to how SCP Processes Personal Data should be sent to the DPO.


Staff shall undertake data protection training within 3 months of joining SCP. This must be refreshed every 12 months, or more frequently if directed.

Lawfulness, Fairness and Transparency of Processing

Whenever Personal Data is Processed, there must be one of the following legal bases present:

  • the Data Subject has given his or her Consent;
  • b) the Processing is necessary for the performance of a contract with the Data Subject;
  • the Processing is necessary to meet legal compliance obligations;
  • the Processing is necessary to protect the Data Subject’s vital interests
    including his or her life and health;
  • the Processing is necessary for the performance of a task carried out to respond to national emergency or in the public interest or safety;
  • the Processing is necessary for the fulfillment of constitutional or statutory management of a public authority; or
  • the Processing is necessary to pursue SCP’s legitimate interests.

Consent

SCP must identify and document the legal basis being relied on for each Processing activity. Where Consent is relied upon, SCP must ensure the following:

  • Consent must be clearly indicated by a statement or positive action.
  • Consent requires affirmative action, so a pre-ticked box would not meet this requirement.
  • The Data Subject has the right to withdraw Consent at any time, and SCP must be able to honor this promptly.
  • Whenever Personal Data Processing is based on the Data Subject's Consent, SCP shall retain a record of such Consent.
  • Where collection of Personal Data relates to a child under the age of 18, and
  • SCP is relying on Consent to Process that Personal Data, SCP must ensure that the child can understand the implications of the collection and processing of their Personal Data. Parental or guardian consent should be sought (unless this is not in the child’s best interests).
  • Unless another legal basis of Processing is being relied upon, where Sensitive Personal Information is being collected, Express Consent of the Data Subject will be required to Process this data.

Children

SCP recognizes that children require specific protection with respect to their Personal Data. SCP shall ensure that the principle of fairness and the best interests of the child are central to all Processing of children’s Personal Data. Consent is one possible legal basis for Processing children’s Personal Data, but SCP recognizes other more appropriate basis (such as vital interests, legitimate interests or legal obligation).

Transparent Processing

  • Privacy Notices
    • Either before or at the time of collection of any Personal Data, SCP is required to:
      • inform Data Subjects about what kind of Personal Data SCP collects;
      • the reason for collecting the Personal Data;
      • the purposes of the Processing; 
      • the legal basis which is being relied upon;
      • the Data Subjects’ rights in relation to the Personal Data; 
      • security measures taken in relation to the Personal Data;
      • whether SCP transfers Personal Data to third parties;
      • the retention period and any potential transfers of Personal Data outside the Philippines

SCP will provide this information to Data Subjects in privacy notices.

  • Children
    • If Personal Data is collected from children, clear privacy notices must be specifically tailored for children, so that they are able to understand what will happen to their Personal Data, and what rights they have.

Data Retention

In general, Personal Data should only be retained/stored for as long as necessary for the purposes for which it was collected. There are, however, certain types of data which SCP must retain for a certain period. SCP will develop its Record Retention Schedule that will set out the specific retention periods for certain categories of data.

Privacy Impact Assessments (PIA)

The Information Owner must carry out a Privacy Impact Assessment (‘PIA’), using the SCP PIA_template when:

  • planning or procuring any new system or Process involving the Processing of Personal Data,
  • making any significant change to an existing system or Process, or
  • planning to initiate or change a Process to collect, use or store any Sensitive Personal Data.

The Information Owner must ensure that the system or Process complies with the Personal Data Protection Principles (listed above in section 1) and minimizes any privacy 
risks. 

Records of all PIAs and approvals must be maintained. Any questions about the PIA Process should be referred to the DPO.

Data Subject Rights

Data Subjects (including children) have the following rights:

  • Right to be informed
    • Data Subjects have a right to know about SCP’s Personal Data protection and data Processing activities, details of which will be contained in SCP’s privacy notices.
  • Right of access
    • Data Subjects can request information about the Personal Data SCP holds about the Data Subject. They have the right to access specific details with respect to the processing of his/her personal information, the manner by which such data are processed and the designation or identity of the personal information controller.
  • Right to object
    • Unless SCP has overriding compelling legitimate grounds for such Processing, Data Subjects may object to SCP using their Personal Data for direct marketing purposes (including profiling) or for research or statistical purposes and may also object if SCP is Processing their data on the grounds of legitimate interest.
  • Right to erasure or blocking
    • Data Subjects have a right to suspend, withdraw, or order the blocking, removal or destruction of data held about them upon discovery and substantial proof of specified instances enumerated in the Data Privacy Act 2012 Implementing Rules and Regulations, unless SCP has reasonable grounds to refuse the erasure.
  • Right to damages
    • Data Subjects may claim compensation for damages due to inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of personal data, considering any violation of his/her rights and freedoms as data subject.
  • Right to rectify
    • Data Subjects have the right to dispute and have corrected any inaccuracy or error in the data SCP holds about them.
  • Right to data portability
    • Data Subjects can ask SCP to provide copies of Personal Data held about them in a commonly used and easily storable format. It allows the Data Subjects to electronically move, copy of transfer their data in a secure manner for further use.
  • Right to file a complaint
    • Data Subjects have the right to file a complaint with the National Privacy Commission if personal information has been misused, maliciously disclosed, or improperly disposed, or that any of the data privacy rights have been violated.

Subject Access Requests (SARs)

When requests from Data Subjects in relation to the Data Subject’s Rights listed above are received by a Staff member, the Staff member must immediately contact the DPO at legalservices.ph@savethechildren.org. The Staff member shall not respond directly or disclose any information to the Data Subject. 

Requests from Third Parties

If a request for information regarding data SCP holds is received from a third party (including the authorities or regulators), the recipient must not directly disclose any information to the requestor. The recipient should immediately notify the DPO at legalservices.ph@savethechildren.org and the DPO shall accordingly act on the request.

Transfer of Data to Third Parties

If SCP is using any third-party supplier or business partner (Supplier) to Process Personal Data on SCP’s behalf, the relevant Manager/Unit Head is responsible for ensuring that a contract is in place with the Supplier which meets the requirements of 
applicable data protection legislation. The relevant Manager/Unit Head should also ensure that the Supplier has agreed to adopt security measures to safeguard Personal Data that are appropriate to the associated risks. 

If SCP is Processing Personal Data jointly with an independent third party, SCP must explicitly agree in the contract with that third party what each party’s respective responsibilities are with respect to Personal Data.

Cross-border Data Sharing or Transfer

Before sharing or transferring Personal Data out of the Philippines, SCP must ensure that adequate safeguards are in place and the requirements under the Data Privacy Act of 2012 are complied with. 
New processes which potentially include transfers of Personal Data outside of the Philippines should not be initiated without prior consultation with the DPO and SCP Legal and Compliance Unit.

Data Security
It is important that SCP Staff keep all Personal Data safe and secure, whether held physically or electronically, and not disclose or allow access to unauthorised persons.

SCP will take steps to ensure that there are adequate administrative and technical measures to secure Personal Data held by SCP. SCP’s DPO will be responsible for reviewing SCP’s administrative measures. SCP’s IT Manager will be responsible for reviewing SCP’s technical measures under the supervision of the Director for Human Resource, Administration and IT. SCP will also take steps as an organisation to ensure that Staff, and others to whom this Policy applies, are aware of their obligations in relation to Personal Data generally and take security precautions.

Please refer to SCP’s Data Protection Manual and other related IT security policies which sets out in more detail the relevant precautions Staff are required to take to ensure data security, including the secure use of email, internet and mobile devices (e.g. 
phones, tablets, laptops).

Data Breaches and Notification

A Data Breach includes but is not limited to the following:

  • unauthorised disclosure of Personal Data;
  • loss or theft of confidential or sensitive data;
  • loss or theft of equipment on which Personal Data is stored (e.g. loss of a laptop, USB stick, iPad/tablet device, or paper record);
  • unauthorised use of, access to or modification of IT, data or information systems (e.g. via a hacking attack); and
  • attempts (failed or successful) to gain unauthorised access to IT, data or information systems.

If any member of Staff, or other person learns of a suspected or actual Personal Data Breach, it must be reported to legalservices.ph@savethechildren.org immediately. The report should include as many details of the incident as possible, including date and time of the breach (if known), the nature of the information concerned, and how many individuals are involved.

IT Security will perform incident management and take appropriate remedial measures in a timely manner. 

Staff shall report any Data Breach within 72 hours of becoming aware of such breach. Refer to the Data Breach Reporting Timeline for more details.

Policy Breaches

If you suspect that this Policy may have been breached in any other way, please contact the DPO at legalservices.ph@savethechildren.org. Alternatively, you may wish to follow SCP’s Whistleblowing Policy and Procedures.

Breaches of this Policy and/or any law may result in disciplinary action. 

SECTION 4: DEFINITIONS

Word/Term Definition
Consent Refers to any freely given, specific, informed indication of will, whereby the data subject agrees to the collection and processing of personal information about and/or relating to him or her. Consent shall be evidenced by written, electronic or recorded means. It may also be given on behalf of the data subject by an agent specifically authorized by the data subject to do so.
Data Protection Officer The person required to be appointed in specific circumstances under the Data Privacy Act of 2012 (DPA). 
Data Subject Refers to an individual whose personal, sensitive personal, or privileged information is processed.
Information Owner The person responsible for any Personal Data collected, held, used and/or stored. 
Personal Data/Personal Information It refers to any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.
Personal Information Controller (PIC)

Refers to a natural or juridical person, or any other body who controls the processing of personal data, or instructs another to process personal data on its behalf. The term excludes:

  1. A natural or juridical person, or any other body, who performs such functions as instructed by another person or organization; or
  2. A natural person who processes personal data in connection with his or her personal, family, or household affairs;

There is control if the natural or juridical person or any other body decides on what information is collected, or the purpose or extent of its processing.


SCP will frequently be a data controller and remain responsible for Personal Data even if SCP is using a third-party Personal Information Processor (e.g. another organisation or individual such as a supplier, partner or contractor) to carry out the Processing.
Personal Information Processor (PIP) Refers to any natural or juridical person or any other body to whom a personal information controller may outsource or instruct the processing of personal data pertaining to a data subject.
Personal Data Breach Refers to a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
Privacy Impact Assessment (PIA)

A process undertaken and used to evaluate and manage impacts on privacy of a particular program, project, process, measure, system or technology product of a PIC or PIP program, project, process, measure, system or technology product of a PIC or PIP.

This is an instrument for assessing the potential impacts on privacy of a process, information system, program, software module, device or other initiative which processes personal information and in consultation with stakeholders, for taking actions as necessary to treat privacy risk. These 
are Tools and assessments used to identify and reduce risks of a data Processing activity.
Process/Processing

Refers to any operation or any set of operations performed upon personal data including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data. Processing may be performed through automated means, or manual processing, if the personal data are contained or are intended to be contained in a filing system.
Sensitive Personal Information

Refers to personal information:

  1. About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;
  2. About an individual’s health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such individual, the disposal of such proceedings, or the sentence of any court in such proceedings;
  3. Issued by government agencies peculiar to an individual which includes, but is not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns; and
  4. Specifically established by an executive order or an act of Congress to be kept classified.
Staff

All types of employees of SCP regardless of the type of employment or contractual arrangement.
Relevant Manager

A unit head, manager, or relevant officer managing the collection of personal data.

SECTION 5: RELATED DOCUMENTS

1

Policies:

  • Child Safeguarding Policy
  • Code of Conduct
  • Whistleblowing Policy and Procedure
  • Other relevant IT or IT Security Policy/ies

Data Privacy Act of 2012 related policies, procedures and guidance:

  • SCP_Data_Breach_Management_Procedure
  • SCP_Data Breach Management Timeline
  • SCP_Data_Protection Manual
  • SCP_Privacy Impact Assessment (PIA) Template
  • SCP Consent Forms
2

Human Resources

  • Employee Privacy Notices
  • Disciplinary Action Policy
3

Other References

  • SCI Data Protection Policy
  • Intra STC Data Transfer and Security Agreement
  • Framework Notice of Adherence to the Intra STC Data Transfer and Security Agreement
Back
Back to top