CAPITAL SHIPMANNING PHIL., INC. (CSPI) is a Philippine-based manning agent that supplies Filipino seafarers worldwide. Part of CSPI’s day-to-day operations is to collect, manage and process large quantities of personal data, whether offline or online.
Transparency in data collection, handling and storage, while ensuring compliance within the legal and moral boundaries of the rules and provisions of Republic Act No. 10173, also known as the Data Privacy Act of 2012, is of utmost importance.
DEFINITION OF TERMS
- Data Privacy Act or DPA refers to Republic Act No. 10173 or the Data Privacy Act of 2012 and its implementing rules and regulations;
- Data Subject refers to an individual whose Personal Information, Sensitive Personal Information, or Privileged Information is processed;
- Company refers to Capital Shipmanning Phils., Inc. or CSPI;
- Personal Data collectively refers to Personal Information, Sensitive Personal Information, and Privileged Information;
- Personal Information refers to any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual;
- Processing refers to any operation or set of operations performed upon Personal Data including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data. Processing may be performed through automated means, or manual processing, if the Personal Data are contained or are intended to be contained in a filing system;
- Privileged Information refers to any and all forms of Personal Data, which, under the Rules of Court and other pertinent laws constitute privileged communication;
- Security Incident is an event or occurrence that affects or tends to affect data protection, or may compromise the availability, integrity and confidentiality of Personal Data. It includes incidents that would result in a personal data breach, if not for safeguards that have been put in place;
- Sensitive Personal Information refers to Personal Data:
  - About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;
  - About an individual’s health, education, genetic or sexual life, or to any proceeding for any offense committed or alleged to have been committed by such individual, the disposal of such proceedings, or the sentence of any court in such proceedings;
  - Issued by government agencies peculiar to an individual which includes, but is not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns; and
  - Specifically established by an executive order or an act of Congress to be kept classified.
SCOPE AND LIMITATIONS
- All personal data and information that CSPI collects, processes, and stores as necessary for the company to execute its business operations.
- All CSPI Inc. employees, shareholders, consultants, and third-party service providers that process personal data and information for or on behalf of CSPI and/or are provided personal data and information by CSPI as necessary or required by CSPI to operate its business processes.
- All Data Subjects from whom CSPI requests personal data or information as necessary or required by CSPI to operate its business processes. This includes clients, principals, recruits, and applicants as well as all CSPI employees, shareholders, consultants, and third-party service providers.
- All physical areas that CSPI has under its control, where data subjects congregate or share their personal data and information or where that data is processed, stored, or disposed of.
- Such data and information as construed and elucidated in Republic Act No. 10173, also known as the “Data Privacy Act of 2012”, or in its Implementing Rules and Regulations. However, personal data and information, whether or not sensitive, will not include information that is in the public domain, or information that falls into the public domain, unless such information falls into the public domain by disclosure or other acts of the violator, or through the fault of the violator.
POLICY ON THE PROCESSING OF PERSONAL DATA
CSPI shall adhere to and comply with the prescribed principles of Data Privacy as mandated by the Data Privacy Act. All Processing of Personal Data within the Company should be conducted in compliance with the following data privacy principles as espoused in the Data Privacy Act:
a. Transparency. The Data Subject must be aware of the nature, purpose, and extent of the processing of his or her Personal Data by the Company, including the risks and safeguards involved, the identity of persons and entities involved in Processing his or her Personal Data, his or her rights as a Data Subject, and how these can be exercised. Any information and communication relating to the Processing of Personal Data should be easy to access and understand, using clear and plain language.
b. Legitimate purpose. The Processing of Personal Data by the Company shall be compatible with a declared and specified purpose which must not be contrary to law, morals, or public policy.
c. Proportionality. The Processing of Personal Data shall be adequate, relevant, suitable, necessary, and not excessive in relation to a declared and specified purpose. Personal Data shall be processed by the Company only if the purpose of the Processing could not reasonably be fulfilled by other means.
POLICY ON DATA SECURITY MEASURES
CSPI shall implement organizational, physical and technical security measures and personal data privacy policies intended to prevent or minimize the occurrence of a personal data breach and assure the timely discovery of a security incident. The security measures shall be categorized as follows:
- Organizational Security Measures
CSPI shall appoint a Data Privacy Officer who is responsible for ensuring the Company’s compliance with applicable laws and regulations as well as the implementation of the provisions of this policy.
The DPO’s functions and responsibilities shall particularly include, among others:
- Monitoring the Company’s Personal Data Processing activities in order to ensure compliance with applicable Personal Data privacy laws and regulations, including the conduct of periodic internal audits and review to ensure that all the Company’s data privacy policies are adequately implemented by its employees and authorized agents;
- Acting as a liaison between the Company and the regulatory and accrediting bodies, and being in charge of the applicable registration, notification, and reportorial requirements mandated by the Data Privacy Act, as well as any other applicable data privacy laws and regulations;
- Developing, establishing, and reviewing policies and procedures for the exercise by Data Subjects of their rights under the Data Privacy Act and other applicable laws and regulations on Personal Data privacy;
- Acting as the primary point of contact whom Data Subjects may coordinate and consult with for all concerns relating to their Personal Data;
- Formulating capacity building, orientation, and training programs for employees, agents or representatives of the Company regarding Personal Data privacy and security policies;
- Preparing and filing the annual report of the summary of documented security incidents and Personal Data breaches, if any, as required under the Data Privacy Act, and of compliance with other requirements that may be provided in other issuances of the National Privacy Commission.
CSPI shall conduct periodic Privacy Impact Assessments to assure that its data privacy security measures are adequate, valid, current, and effective.
CSPI shall conduct periodic Data Security Breach Incident Management Drills to assure that its data privacy breach incident management protocols, including its Incident Reporting and Communication to NPC, are adequate, valid, current, and effective (see Security Incident Management Policy).
POLICY ON INQUIRIES AND COMPLAINTS
Any data subject who wishes to inquire about the nature and extent of the processing that CSPI will perform on his or her personal data, or to file a complaint regarding the mishandling of his or her personal data, may do so through one of the following options:
- Submitting a formal letter of inquiry or complaint addressed to the Data Protection Officer of CSPI either personally or through email addressed to the DPO at firstname.lastname@example.org
- Submitting an inquiry or complaint through email to be sent to
All inquiries and complaints will be forwarded to CSPI’s Committee on Data Privacy for proper disposition, evaluation, and final resolution within receipt and acknowledgement of the inquiry or complaint.
Any violation of this policy and/or the Data Privacy Act may be subject to the penalties set forth and prescribed under Chapter VIII (Penalties) of Republic Act No. 10173, also known as the “Data Privacy Act of 2012”, whichever is applicable.
This Policy, in part or as a whole, shall be documented and communicated to all of CSPI’s employees, consultants, shareholders, partners, or relevant third-party service providers to inform them of CSPI’s commitment to and compliance with Data Privacy and the Data Privacy Act of 2012.
Authorized and Approved by:
ROSARIO ELENA L. ABILO
Data Privacy Officer - CSPI
CAPT. ALEXANDER G. ABILO
President – CSPI