CAGELCO1 data privacy link
DATA PRIVACY MANUAL
BACKGROUND
The National Privacy Commission (NPC) issued an Advisory and a Memorandum Circular in compliance with Republic Act (RA) No. 10173, otherwise known as the Data Privacy Act of 2012. RA No. 10173 aims to protect personal data in information and communication systems and company filing systems in both the government and the private sector.
CAGELCO I cares for your personal information and takes your privacy seriously. We are committed to ensuring that your personal information is protected from collection to disposal.
This Manual aims to inform prospective customers, existing customers, employees and stakeholders of the Company’s Data Protection and Security Measures, and to guide them in the exercise of their Rights under the Data Privacy Act and other relevant regulations and policies.
In compliance with the law, CAGELCO1 shall designate the following persons and members of the Data Privacy Committee with special functions, such as: Data Protection Officer, Personal Information Controller and Compliance Officer for Privacy.
PURPOSE:
This policy is hereby adopted by the Coop/Company to:
- Comply with the obligations set forth under the Data Privacy Act and the regulations of the National Privacy Commission;
- Ensure the fair and lawful processing of the personal data of data subjects, including employees, member-consumer-owners, stakeholders and other individuals;
- Ensure confidentiality, integrity and availability of personal data under the control of the Coop/Company.
- Protect the company from reputational and legal risks that may result from non-compliance with the Data Privacy Act.
SCOPE AND LIMITATIONS:
The manual shall govern the Processing of Personal Data of Data Subjects by the Coop. All personnel of this organization/coop, regardless of the type of employment or contractual arrangement, must comply with the terms set out in this Privacy Manual.
DEFINITIONS OF TERMS:
Authorized Personnel – any individual trained through management to be permitted to perform assigned duties in a safe and effective manner.
Compliance Officer for Privacy – or COP refers to an individual duly authorized by the company to perform some of the functions of the DPO for a sub-office, or component unit if any, as well as implementation of this Manual.
Data Processing System – refers to the structure and procedures by which Personal Data is collected and further processed by the Coop in its Information and Communication System/s and/or relevant Filing System/s, including the purpose and intended output of the Processing as specified in ANNEX A hereof.
Data Protection Officer – or DPO refers to the officer duly designated by the Coop to be accountable for the latter’s compliance with the Data Privacy Act, its IRR, and any other government-issued data privacy regulations and issuances, as well as implementation of the Manual.
Data Sharing – refers to the disclosure or transfer to a third party of Personal Data under the control or custody of the Coop.
Data Subject – refers to an individual whose Personal, Sensitive Personal and/or Privileged Information is processed. It refers to employees (whether probationary, regular, contractual, or project), trainees, applicants, members of the board of directors, consultants, customers, suppliers, contractors/subcontractors, service providers, office visitors, and other persons whose Personal Data are collected and processed by the Coop as an integral and necessary part of its business operations.
Filing System – refers to any set of information relating to a natural or juridical person to the extent that, although the information neither is nor processed by equipment operating automatically in response to instructions given for that purpose.
Information and Communications System – refers to a system for generating, sending, receiving, storing or otherwise Processing electronic data messages or electronic documents, and includes the computer system or other similar device by which data is recorded, transmitted or stored, and any procedure related to the recording, transmission, or storage of electronic data, electronic messages, or electronic documents.
Personal Data – refers to all types of Personal Information collected and processed by the Coop, that is, information that relates to an identified or identifiable individual. What identifies an individual could be as simple as a name or a number or could include other identifiers.
Personal Data Breach – refers to a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.
Personal Information Processor – or PIP refers to any natural or juridical person, or any other body, to whom a PIC, including the Coop/Company, outsources, or gives instructions as regards the Processing of Personal Data of a Data Subject or group of Data Subjects.
Privacy Impact Assessment – is a process undertaken and used to evaluate and manage the impact on privacy of a particular program, project, process, measure, system or technology product of the company or its PIP/s.
Processing – refers to any operation or set of operations performed upon Personal Data including, but not limited to, its collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction. Processing may be performed through automated means or by manual processing.
Sensitive Personal Information – refers to Personal Information:
- About an individual’s race, ethnic origin, marital status, age, color and religious, philosophical or political affiliations;
- About an individual’s health, education, genetic or sexual life, or to any proceeding for any offense committed or alleged to have been committed by such individual;
- Issued by government agencies peculiar to an individual, which includes, but is not limited to social security numbers, previous or current health records, licenses or its denials, suspensions, or revocation, and tax returns; and
- Specifically established by an executive order or an act of Congress to be kept classified.
I. PROCESSING OF PERSONAL DATA
SECTION 1: WHAT WE COLLECT
A. From prospective and existing customers, including customers with terminated services
- Information you provide to us when you apply for service, such as your name, address, phone number, email address, Tax Identification Number (TIN), evidence of authority to occupy (e.g., Marriage Contract, contract of lease, Transfer Certificate of Title, Special Power of Attorney (SPA), Undertaking / Authorization from owner of the premises) and, if applicable, details of your authorized representative;
- Information you give us when you communicate with CAGELCO I and/or any of our representatives (e.g., Consumer Welfare Desk Officer (CWDO), Tellers, etc.), such as with respect to inquiries and complaint details on the quality and reliability of electric service;
- Responses you or your representative provide when you participate in our customer surveys;
- Information you provide for verification purposes (e.g., to facilitate refunds or to avail of zero-rated VAT transactions), such as photocopy of a valid / government-issued identification card or foreign passport;
- Information you fill out in any form on our website, such as, when you wish to contact us to lodge your concerns, to register at our customer portal, to avail of our on-line application, outage notifications, and billing and/or payment services;
- Any other information you voluntarily provide for any legitimate purpose declared at point of collection of such information.
B. From prospective, active and separated employees
- Information you submit when you apply at CAGELCO I for work, including what is contained in your resume or curriculum vitae and application form (e.g., work references);
- Information we collect during the processing of your application, such as testing results, employment offer, results of character investigation, and pre-employment medical assessment;
- Information we collect and maintain about you during your employment, such as your payroll information, including but not limited to government-mandated and third-party remittances like SSS, PhilHealth, and Pag-IBIG contributions, taxes, bank account information; wages; entitlements and benefits; health and welfare benefits; medical and dental care records; beneficiary and emergency contact information; training and certifications; performance evaluation; sanctions; employment changes / work history;
- Information we retain about you even after your separation from service, such as beneficiaries, and contact information;
- Any other information you voluntarily provide for any legitimate purpose declared at point of collection of such information.
C. From Vendors, Suppliers or Contractors
- Information you submit to CAGELCO I in your application for accreditation, use of supply chain application system, and/or processing of payments, such as, your name, tax identification number, address, contact details, educational attainment, work experience and banking information;
- Any other information you voluntarily provide for any legitimate purpose declared at point of collection of such information.
D. From Board of Directors
- The information you submit to us when you become a member of the Board of Directors of CAGELCO I, or in the course of being one, such as your name, address, contact details, marital status, government-issued identification, and if applicable, details of your authorized representative and heir/s;
- Any other information you voluntarily provide for any legitimate purpose declared at point of collection of such information.
E. From Guests / Visitors
- The information you provide when you enter our premises such as your name, address, vehicle type and plate number or conduction sticker number;
- Any other information you voluntarily provide for any legitimate purpose declared at point of collection of such information.
SECTION 2: WHAT WE DO WITH THE INFORMATION WE GATHER
CAGELCO I stores, processes, and analyzes the information that you provide to us for purposes including, but not limited to:
A. For our customers
- providing and continuously improving our electric services, as well as managing your account, responding to your inquiry, concern or complaint
- verifying your identity when you access your account through the various customer engagement channels (e.g., e-mail, website, via phone call, walk-in)
- sending messages related to your services such as outage notifications, updates, alerts, and other information that you request
- verifying your identity and eligibility to claim refunds
B. For our prospective, active and separated employees
- evaluating your eligibility for initial employment, including the verification of your qualifications and character references (background checking)
- administering your pay, legal deductions, entitlements, and benefits
- complying with applicable legal and regulatory requirements and submissions
- conducting performance reviews and rewards
- establishing appropriate training and/or developmental interventions
- administering disciplinary action and sanction
- collecting and maintaining contact information
- maintaining your employment records
- processing employee work-related claims (e.g. worker compensation, insurance claims, etc.)
- developing health and wellness programs
C. For our Vendors, Suppliers or Contractors
- verifying and confirming your identity as a vendor as part of your accreditation
- conducting business with you
- establishing and managing business relationships with you
- facilitating the payment of your invoices for any goods or services you have delivered/rendered
- complying with statutory, legal and regulatory requirements
- updating or maintaining your vendor account information
- establishing details of your authorized contact persons for the goods and/or services you supply
- responding to your questions, comments, and feedback or informing you about our requirements, programs, or advisories by letter, e-mail, telephone or other media
- for internal administrative purposes, such as auditing, data analysis, database records management
D. For our Board of Directors
- maintaining our board of director roster
- handling allowances or any other payments
- facilitating communications with you, including responding to your queries and requests, sending notices of general meetings, annual reports and minutes of meetings to you
- evaluating qualification requirements and screening of candidates during election of board of directors
- for legal and reportorial requirements purposes
E. For our visitors / guests
- establishing your identity
- recording the purpose of your visit
- monitoring visitors’ activities inside the company premises, including the way in and way out of equipment, vehicles, etc.
SECTION 3: PRIVACY NOTICE
Information on the collection and processing of Personal Data of the Data Subject shall be relayed to the Data Subject through a Privacy Notice, which shall substantially be in the form prescribed in ANNEX B. The Coop Authorized Personnel shall inform the Data Subject of the purpose/s for the collection and processing of Personal Data, the extent of Processing of Personal Data, and the rights of the Data Subject with regard to privacy and data protection.
SECTION 4: CONSENT
The Consent of the Data Subject shall be evidenced by written, electronic or recorded means, substantially in the form prescribed in ANNEX C (Consent Form). Consent may also be given on behalf of the Data Subject by a lawful representative or a person authorized by the Data Subject.
SECTION 5: DATA DISCLOSURE AND SHARING
We may share with or disclose your Personal Data to:
- any collection agency, payment center or similar service providers for facilitation of payment for the services we provided you;
- any meter reading or bill (SOA) delivery provider, electric services contractor or other service providers we engage to perform our obligations under our contract with you;
- any of our consultants, advisers or auditors performing services in connection with your account or whom we have engaged in connection with our operations;
- any quasi-judicial or judicial tribunal where we have reason to believe that disclosing your Personal Data is necessary for establishing a legal claim or defence, including to obtain legal advice, to exercise our rights or those of our affiliates or subsidiaries, or to institute any legal action, whether under our contract with you or against any third party; or
- any person as required or permitted by law, rule or regulation or by any decision or order of any court or government agency.
Any access to Personal Data will be limited to the person who requires your Personal Data to perform the functions for which personal information has been collected, and as required or allowed by law. We do not sell, trade, or otherwise transfer your Personal Data to third parties. If shared, we will, at your request, provide you with details of the companies with whom we have shared your Personal Data.
Whenever the Coop discloses or transfers Personal Data under its control to another PIC, it shall execute a Data Sharing Clause in the Contract (ANNEX L – Data Sharing/Outsourcing Clause).
SECTION 6: AUTOMATIC COLLECTION OF INFORMATION AND HOW WE USE COOKIES
By using our website and/or using services through it, you agree to the use of cookies, either via the CAGELCO I website, email or SMS communications. You can choose to accept or decline cookies. Most web browsers automatically accept cookies, but you can modify your browser settings to decline cookies if you prefer. However, this may prevent you from taking full advantage of our website.
A cookie is a small file, which asks permission to be placed on your computer's hard drive. Once you agree, the file is added and the cookie helps analyze web traffic or lets you know when you visit a particular site. Cookies allow web applications to respond to you as an individual. The web application can tailor its operations to your needs, likes and dislikes by gathering and remembering information about your preferences.
We use traffic log cookies to identify which pages are being used. This helps us analyze data about web page traffic and improve our website to enhance your browsing experience. A cookie in no way gives us access to your computer or any information about you, other than the data you choose to share with us.
We receive and store certain types of information (such as the amount of time you spend on the site and the number of views you made on each page, the IP address of your device, and the browser and operating system that you are using) when you interact with our website, mobile website, emails and online advertising to monitor proper functionality, determine areas for continuous improvement and to support website requirements. This information is gathered automatically, temporarily stored in log files and removed from the system at a certain point.
SECTION 7: LINKS TO OTHER WEBSITES
Our website and Facebook page contain links, which may lead you to other websites beyond our control and not covered by this Privacy Policy. If you access other sites using the links provided, the operators of those sites may collect information from you, which may be used by them in accordance with their own privacy policy. We are not responsible for the protection and privacy of any personal information that third parties may collect, store and use through their website/page. Therefore, you should exercise caution and carefully study the privacy policy of each website/page you visit.
SECTION 8: LOGS COLLECTION
Your personal information may be collected by our logging processes in case of logical and physical access to our systems and/or premises. When necessary, personal information may be retrieved for security purposes.
SECTION 9: PERSONAL DATA RETENTION AND DISPOSAL
We keep your personal data only for as long as necessary:
- for the fulfillment of the declared, specified, and legitimate purposes provided above, or when the processing relevant to the purpose has been completed or terminated;
- for the establishment, exercise or defense of legal claims; or
- for other business purposes that are consistent with standards established or approved by regulatory agencies governing CAGELCO I.
Thereafter, your personal data shall be disposed of or discarded in a secure manner that would prevent further processing, unauthorized access, or disclosure to any other party or the public.
II. SECURITY MEASURES
We are committed to ensuring that your information is secure. CAGELCO I shall undertake and implement reasonable organizational, physical, and technical security measures in collecting, receiving, transmitting, storing, and disposing of your personal information.
SECTION 1: Organizational Security Measures
All employees with access to Personal Data shall operate and hold such Personal Data under strict confidentiality, unless it qualifies as Public Personal Data. This obligation shall apply even after the employee has left the company for whatever reason. A Confidentiality Clause substantially in the form prescribed in ANNEX D hereof shall be incorporated into the employment contracts of employees, particularly Authorized Personnel.
The PIC-Cagelco1 shall conduct a Privacy Impact Assessment (PIA) relative to all activities, projects and systems involving the processing of personal data. It may choose to outsource the conduct of a PIA to a third party.
SECTION 2: Physical Arrangement/Facilities
Access to Customer and Employee personal information is limited to authorized personnel of the specific departments collecting or processing the information. Aside from access restriction, the storage facilities for the hard copies of documents containing personal information are also secured (i.e. locked) in cabinets that only authorized personnel can open.
The storage unit is placed in areas that are not usually accessible to the public, safe from physical hazards such as rain, wind and dust, and located in areas manned by the authorized personnel. Security is also provided for the entire Coop Offices including areas where the hard copies of such documents are kept and secured.
SECTION 3: Information Technology
Cagelco1 shall take reasonable steps to protect the personal information in its possession from misuse, loss or unauthorized access, modification or disclosure, as most of the personal information of customers, employees and suppliers is stored in the Coop databases.
Physical access to the servers and network equipment is highly restricted to authorized personnel only. Various security devices and facilities are employed to safeguard the coop network and its systems. 24-hour security is also provided to secure the areas where the Coop servers are located.
The Coop shall use a web application firewall to protect its servers and databases from malicious online attacks, and shall regularly read the firewall logs to monitor for security breaches and alert itself to any unauthorized attempt to access the Coop network.
Internal policies such as Computer Network and Internet Use (ANNEX E) must be adopted and implemented. Users should take appropriate measures to ensure that any medium or device they use to monitor or manage their account is secure and not accessible to anyone without permission. Passwords used to access Personal Data should be of sufficient strength to deter password attacks.
MANAGEMENT OF SECURITY INCIDENT AND SECURITY BREACH
The Cagelco1 Data Privacy Committee is tasked to ensure that all security incidents or data breaches are managed and resolved effectively. It shall also periodically review the existing policies and procedures of the Coop with regard to Data Privacy, including this Data Privacy Manual and its implementation.
A Data Breach Response Team shall be created, responsible for ensuring immediate action in the event of a security incident or personal data breach. The team shall conduct an initial assessment of the incident or breach in order to ascertain the nature and extent thereof. It shall also execute measures to mitigate the adverse effects of the incident or breach.
The DPO, on the other hand, is tasked to consolidate all reported security incidents/data breaches and submit a summarized report to the NPC annually.
Further, the Authorized Personnel is required to regularly evaluate the plan, incident reports, and data breaches experienced by the Coop every year to determine the effectiveness of the plan and recommend remedial measures to address noted deficiencies.
INQUIRIES, NOTIFICATION AND COMPLAINTS
Inquiries, notifications, and complaints of the Data Subjects in relation to the exercise of the foregoing Rights (as stated in ANNEX J) shall be received, acknowledged, and resolved by the Coop in accordance with the guidelines provided under the CWDO Policies and Procedures, subject to monitoring by the DP Committee.
Whenever such Personal Data shall be used for direct marketing, profiling, historical or scientific purpose/s, the Data Subject must be notified.
In case of complaints for data privacy violation, the Data Privacy Committee shall convene as an investigation committee to verify the allegations and recommend actions, particularly when the violation is serious, or causes or has the potential to cause material damage to the Coop or any of its Data Subjects. Such recommendation shall be submitted to the management for approval.
EFFECTIVITY
This manual was approved by the Board of Directors of Cagelco1 on January 27, 2020 and shall take effect immediately, until revoked or amended by this company.
CHANGES TO THE DATA PRIVACY
Cagelco1 may change this Privacy Policy from time to time. If Cagelco1 makes any significant change in the collection, use, and protection of personal data, Cagelco1 will provide you notice through the Services or by some other means, such as email. It is encouraged that you periodically review the Privacy Policy in the Cagelco1 Bulletin board, form posting and website for the latest information.
ANNEX A: List of Data Processing System
ANNEX B: Privacy Notice
ANNEX C: Consent Form
ANNEX D: Confidentiality Clause
ANNEX E: Network Infrastructure Usage Policy
ANNEX F: Password Creation/Update Policy
ANNEX G: E-mail Disclaimer
ANNEX H: CCTV Privacy and Consent Notices
ANNEX I: CCTV Camera Review Request Form
ANNEX J: Rights of Data Subject
ANNEX K: Duties and Responsibilities of Designated DPO, COP and PIC
ANNEX L: Data Sharing Agreement Clause
ANNEX M: Data Processing/Network System Incident Report Form