The Data Privacy Act (DPA) of 2012 is about protecting individual personal information. When we succeed in protecting personal data, we also succeed in mitigating risks, threats and harms to individuals.
Data has a life. It has a beginning and it must end sometime, somewhere, as I often say to company executives who ask me how not to violate the DPA. I always tell them to train their focus on how to protect the data. If you can’t protect it, don’t collect it. And to protect it, you need to observe the stages of the data life cycle, which is the lynchpin of a risk-based approach to data privacy.
The data life cycle is the sequence of stages that a set of personal data goes through from initial creation or collection, to storage, usage, transfer and eventual destruction or deletion at the end of its useful life. Section 26 of the Data Privacy Act’s implementing rules and regulations specifically prescribes personal information controllers (PIC) and processors (PIP) to maintain systematic records of an organization’s data flow, with the five stages of the data life cycle as the organizing principle. Incidentally, each stage of the cycle is also an area of vulnerability, for which appropriate measures should be considered.
Data collection or creation is mainly about what data sets are collected, how they were collected, the purpose behind the collection and how consent is obtained. Personal data may be collected through manual or automatic entry directly from data subjects. It may also be acquired from an already existing source, and may also be generated in real-time, for instance, out of connected devices.
Storage has to do with where the data is or will be stored, and whether the storage is being outsourced. Effective security measures in this stage are focused on preventing data leakages.
Usage is about how the data is viewed, processed, modified and saved. Protecting data at this stage involves being able to apply role-based controls, and giving secure access to data only to users who have legitimate need of it.
Transfer involves disclosure or sharing, and the purpose for such disclosure.
Finally, deletion or destruction of data addresses when and how data will be disposed of and by whom.
When executed properly, observing the five stages of the data life cycle would enable an organization to institutionalize data minimization, and thereby systematically reduce its security risk profile down to the bare minimum. As they say, the less data you have, the less attractive you are to attackers, and the less damaging a breach will be.
If you have questions, feel free to contact the National Privacy Commission via [email protected]