Equicom Services, Inc.

Privacy Policy

DATA PRIVACY AND PROTECTION POLICY

Purpose

Protecting the security and privacy of customers, clients, and employee personal data is important to Equicom Services, Inc. (“EquiServe”). Through this policy, which will be known as the “Data Privacy and Protection Policy”, EQUISERVE operates in compliance with applicable laws on data privacy protection and data security, specifically Republic Act 10173 (“R.A. 10173”) of the Republic of the Philippines. The Data Privacy and Protection Policy supplements this national law and its implementing rules.

EQUISERVE is committed to local and international compliance with data protection laws. This Data Privacy and Protection Policy applies to all EQUISERVE sites and employees and is based on globally accepted, basic principles on data protection.

Ensuring data protection is the foundation of trustworthy business relationships and the reputation of EQUISERVE as a vendor, client, partner and employer. The Data Privacy and Protection Policy provides one of the necessary framework conditions for usage, collection, storage, control, and destruction of confidential personal information whether in electronic or physical form.

R.A. 10173 will take precedence in the event that it conflicts with EQUISERVE’s Data Privacy and Protection Policy, or in cases where it has stricter requirements than this Policy.

Scope

The privacy protection standards and requirements contained in this Policy shall apply to all EquiServe sites that deal with the processing, collection, storing, or transfer of personal data, acting as a Personal Information Controller or as a Personal Information Processor.

Definition of Terms

  • Personal Information Controller – refers to the company or person who controls the processing of personal data, or instructs another to process personal data on its behalf.
  • Personal Information Processor – refers to the company or person to whom a personal information controller may outsource or instruct the processing of personal data.
  • Data Subject – refers to an individual whose personal, sensitive personal, or privileged information is processed.
  • Consent of the Data Subject – refers to any freely given, specific, informed indication of the will, whereby the data subject agrees to the collection and processing of his or her personal, sensitive personal, or privileged information. Consent shall be evidenced by written, electronic or recorded means. It may also be given on behalf of a data subject by a lawful representative or an agent specifically authorized by data subject to do so.
  • Personal Information/Data – refers to any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained such as birth date, gender, race, height, home address, civil status, government numbers (SSS, Philhealth, HDMF, TIN, Driver’s License, Passport), name of parents, spouse or children.
  • Processing – refers to any operation or any set of operations performed upon personal data including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data. Processing may be performed through automated means, or manual processing if the personal data are contained or are intended to be contained in a filing system.

Processing of Personal Data

Purpose of Processing Personal Data – EQUISERVE may process Personal Information and Data that is reasonably adequate for and relevant to the following applicable purposes:

  1. For human resources and personnel management processes which may include recruitment, workforce planning, training and performance management, compensation and benefits, leave and benefits management, pay slip distribution, employee information and skill management, employee survey, exit interviews and processed record, and health and safety. In such a case, EQUISERVE acts as a Personal Information Controller.
  2. For Personal Data from personnel of suppliers and vendors, contributors, clients, prospects and visitors. In such a case, EQUISERVE also acts as a Personal Information Controller.
  3. For business process execution and management processes which may include any activities or services done by EQUISERVE on behalf of or for the client. In such a case, EQUISERVE acts as a Personal Information Processor.

Rules to Follow While Processing Personal Data – Each EQUISERVE Center Site and its employees, including its suppliers, in processing personal information/data must observe the following principles.

  1. Personal information must be processed fairly and lawfully.
  2. Processing should ensure data quality.
  3. Personal Information must be processed with transparency. The data subject must be aware of the nature, purpose and extent of the processing of his or her personal data, including the risks involved, the identity of the personal information controller, his or her rights as a data subject and how these can be exercised.
  4. Personal Information must be processed for one or more declared, specified and lawful purpose(s) and may not be processed incompatibly with those purposes. Further processing of the data for historical, statistical or scientific purposes shall not be considered incompatible.
  5. The processing of Personal Data must be adequate, relevant, suitable, necessary, and not excessive in relation to the declared and specified purposes for which the data is processed.
  6. Personal Information must be accurate and kept up to date in such a way as to give a true picture of the current situation of the data subject.
  7. Any authorized further processing shall have adequate safeguards.
  8. Personal Information must not be kept for longer than is necessary. Information shall be erased when it has ceased to be necessary or relevant for the purpose for which it was obtained or recorded.
  9. Personal information shall be disposed of or discarded in a secure manner that would prevent further processing, unauthorized access, or disclosure to any other party or the public, or prejudice to the interests of the data subjects.
  10. Appropriate technical and organizational measures must be taken against unauthorized or unlawful processing of Personal Information as well as against accidental loss, destruction of or damage to that information.
  11. The collection of information by fraudulent, unfair or illicit means is prohibited.

Additional rules to follow when EQUISERVE acts as Data Controller – EQUISERVE, when acting as a Data Controller, must comply with the following additional requirements:

  1. The registration requirement with the National Privacy Commission required by RA 10173.
  2. Consent to process Personal Information must first be given by the Data Subject before collection, processing, or storage of any Personal Data, unless laid down otherwise by law. Every Data Subject must be informed of the purpose for which Personal Data is collected, stored, or processed;
  3. EQUISERVE shall provide the Data Subject with the identity and address of the Data Controller or his representative, if any; the purposes of the processing; the recipients or categories of recipients of the data; and the existence of the right of access to, and the right to rectification, erasure of and objection to, the data concerning him/her.

Transfer of Data to Third Party Providers

In all cases, EQUISERVE must ensure that the transfer or processing of Personal Data is done with proper and reasonable security and protection. It must be ensured that the receiving entity or any third party provider provides the same adequate level of protection.

Retention of Data

Storage of Personal Data by EQUISERVE must be made in accordance with the following rules:

  1. The reasonable length of time for which Personal Data is kept must be reviewed periodically.
  2. Such retention must conform to the purpose/s for which it was taken, and must not be kept after the purpose/s has/have been accomplished.
  3. All Personal Data must be deleted or anonymized in a secured manner ensuring protection from unlawful or wrongful access.
  4. Retained Personal Data must be accurate, archived and updated and it must be securely deleted once it goes out of date. It is the responsibility of the Data Subject to inform EQUISERVE of any inaccuracy or update to his/her personal data. However, EQUISERVE will exert commercially reasonable effort to maintain its database as accurate and updated as possible.
  5. Where EQUISERVE shares Personal Data among its subsidiaries, those subsidiaries must agree what to do with such Personal Data once they no longer need to share the information.

The “Document Retention and Destruction Policy” contains the breakdown of the detailed retention periods of all files and/or documents which contain personal data. Upon the lapse of the designated retention period, said files and/or documents are disposed of accordingly.

Data Destruction

EquiServe shall destroy / dispose of, in a manner rendering data unreadable and inaccessible, all information or data after it has been retained for the period specified in the “Document Retention and Destruction Policy”.

As to the process of destruction or disposal, kindly refer to “Document Retention and Destruction Policy” for its details.

No personal data or information shall be destroyed or disposed of without first acquiring the approval of EquiServe’s Data Protection Officer and Information Security Officer. Any form of destruction or disposal of data or information without the aforementioned approval shall subject the party performing the disposal and destruction to disciplinary action.

Information Security

EQUISERVE must ensure that only authorized people can access, alter, disclose or destroy Personal Data and that those people only act within the scope of their authority in relation to Personal Data. A system must be created to:

  • protect Personal Data from accidental loss, alteration, or destruction and
  • also make such Personal Data recoverable to prevent any damage or distress to the Data Subjects concerned.

Safeguards must be put in place to protect Personal Data. Such safeguards may include physical and environmental security such as facilities, workstation and integrity access control; computer security such as security devices and encryption; and employee security awareness such as new hire and annual training. Every EQUISERVE site must implement a risk assessment and must be accountable for the organizational, policy and procedure, and documentation requirements.

Security requirements of local laws must be complied with. IT standards must conform to local and contractual requirements. Therefore, Information Security officers must always refer to, and keep up to date with, the applicable specific or local security standards when addressing the security of Personal Data.

In case of any Personal Data breach, EQUISERVE must engage a breach-management plan which includes at least the following:

  • Breach Containment and Recovery – EQUISERVE must resolve the incident by applying a recovery plan and, where necessary, procedures for damage limitation.

  • Risk Assessment – EQUISERVE must assess associated risks, such as the adverse consequences for individuals; seriousness of the breach; and risk of repetition.

  • Breach Notification – EQUISERVE must inform the people concerned about an information security breach, the appropriate data protection authority, and other appropriate parties such as the police and the banks, as the case may be.

  • Process Evaluation – An investigation must be conducted to determine the cause of the breach and evaluate the effectiveness of the response made. Policies and procedures must be addressed accordingly.

Data Breach Log

A personal data breach may occur due to different causes (e.g., unauthorized access, accidental deletion, etc.). EquiServe shall keep and maintain a record of all incidents relating to personal data breaches. The Data Breach Log shall be the main basis of the breach incident reports that have to be submitted to the National Privacy Commission annually.

As such, the Data Breach Log must contain the following:

  1. Name of respondent/person reporting the incident;
  2. Name of the erring maven/employee;
  3. Client account (for operations)/department (for support) exposed;
  4. Name of immediate supervisor of erring maven/employee;
  5. Type/nature of breach;
  6. Date of the breach incident;
  7. Date of discovery of the incident;
  8. Brief description of the incident;
  9. List of personal information exposed;
  10. Actions taken at the time of discovery of the breach;
  11. Status of the incident.

Compliance of Employees

Every employee of EquiServe is mandated to be aware of and to comply with all actions necessary to ensure compliance with the Data Privacy Act. As such, the following must be a compulsory undertaking for every employee prior to deployment to production:

  1. FOR NEW HIRES AND RETURNING EMPLOYEES – during their onboarding, they must:
    • Attend Data Privacy and Information Security (InfoSec) Awareness Training.
    • Pass BOTH the Data Privacy Assessment Exam and the InfoSec Assessment Exam.
    • Sign BOTH the Agreement to comply with EquiServe’s Data Privacy and InfoSec Policies.

  2. FOR EXISTING / OLD EMPLOYEES
    • Undertake the same above-mentioned tasks on an annual basis.
    • Awareness Training and Assessment Exams shall be given every third Monday of January.

A memorandum regarding this matter has been released and cascaded by the Human Resource Department whereby the following actions can be made in case of non-compliance of employees:

  1. IT Department can temporarily disable the accounts of the employees who have not yet passed their exams;
  2. HRD can impose the necessary sanctions for non-compliance in accordance with Section 21, Data Privacy Table of Offenses.

Schedule of Review of Policies

All policies pertinent to compliance with the Data Privacy Act shall be reviewed annually by the Data Privacy Management Team. Said review shall be conducted in January of each year. Any significant changes should be noted in the Policy Revision History of each policy. Should there be no significant changes to a particular policy, the team shall simply note the date of its review.

Privacy Impact Assessment (PIA) Updates

EquiServe conducts a Privacy Impact Assessment (PIA) to be able to identify its risk areas in the conduct of its day-to-day business. Each department and campaign from both the support and operations teams shall conduct its own PIA and ensure that the PIA is up to date.

A department or campaign head shall be a member of the Data Privacy Committee and each head shall serve as the “Process Owner” for their respective Department or Campaign. Any changes on the Process Owners must be communicated to the Data Privacy Management Team for the appropriate action (e.g. revision of DP Committee Members Memo) to be taken.

For new campaigns, a PIA Briefing must first be conducted prior to the accomplishment of its PIA Form / Report. The PIA Forms / Reports are to be reviewed annually, in March of each year, for purposes of monitoring and mitigating identified risks.

Website Content

In relation to Data Privacy Compliance, EquiServe’s official website must contain the following:

  1. Privacy Notice;
  2. Cookies Banner / Policy;
  3. Data Protection Officer Contact Information;
  4. Data Subject Request to Access / Modify Data Form;
  5. Exercise of Data Subject Rights;
  6. Breach Reporting Mechanism.

The IT department shall ensure that the above-mentioned items are easily and conveniently found by all website visitors.

Cooperation with Data Protection Authorities

EQUISERVE and its employees have a duty to cooperate with, and to respond diligently and appropriately to, any inquiry or request made by the appropriate local data protection authorities. Such a request may include an audit inquiry or a request for EQUISERVE to be audited, if deemed necessary, and EQUISERVE must comply with the advice of Data Protection Authorities on any issue regarding these standards or compliance with privacy laws.

Sanctions

Any employee who has attempted to breach, has allegedly breached, or has in fact breached this Policy, whether by negligence or willful misconduct, will be subject to disciplinary sanctions at EQUISERVE’s sole discretion, up to and including termination of employment, in accordance with the Company Data Privacy Table of Offenses, the Code of Conduct, RA 11073, and/or its implementing rules and regulations.