ORDINANCE NO: 2023-541
Authored by Hon. Sam Tyra F. Co

"AN ORDINANCE OPERATIONALIZING REPUBLIC ACT NO. 10173, OR THE DATA PRIVACY ACT OF 2012 IN THE CITY OF PAGADIAN, AND PROVIDING GUIDELINES THEREFOR"

WHEREAS, Article II, Section 24 of the 1987 Constitution provides that the State recognizes the vital role of communication and information in nation-building. At the same time, Article II, Section 11 thereof emphasizes that the State values the dignity of every human person and guarantees full respect for human rights;

WHEREAS, on 15 August 2012, Republic Act No. 10173 entitled "An Act Protecting Individual Personal Information in Information and Communications Systems in the Government and the Private Sector, Creating for this Purpose a National Privacy Commission and for Other Purposes," also known as the Data Privacy Act of 2012 (DPA), was enacted;

WHEREAS, Section 2 of the DPA provides that it is the policy of the State to protect the fundamental human right of privacy while ensuring the free flow of information to promote innovation and growth. The State also recognizes its inherent obligation to ensure that personal information in information and communications systems in the government and in the private sector is protected;

WHEREAS, Article XIV, Section 486 (c) of the Local Government Code of the Philippines provides that the Information Officer shall exercise such other powers and perform such other duties and functions as may be prescribed by law or ordinance;

WHEREAS, all LGUs processing personal or sensitive personal information (collectively, personal data) are considered personal information controllers having obligations under the DPA;

WHEREAS, the National Privacy Commission (NPC), created under the DPA, is an independent body tasked to administer and implement the provisions of the DPA, and to monitor and ensure compliance of the country with international standards set for data protection;

WHEREAS, pursuant to Section 7 of the DPA, the NPC is charged with carrying out efforts to formulate and implement plans and policies that strengthen the protection of personal information in the country, in coordination with other government agencies and the private sector;

WHEREAS, recognizing the vital role of data in driving government decisions, policies, public services, and innovation that will benefit its constituents, with the aim of improving the delivery of basic goods and services, the City Government of Pagadian deems it necessary to provide a local mechanism for its offices to abide by the provisions of the DPA for the processing of personal data of its constituents as data subjects, whereby the people's right to data privacy is respected and upheld, subject to limitations provided by law;

NOW THEREFORE, BE IT ORDAINED, by the Sangguniang Panlungsod of the City of Pagadian, in session assembled:

SECTION 1. TITLE. - This Ordinance shall be known as the "Data Privacy Ordinance of Pagadian City."
SECTION 2. DEFINITION OF TERMS. - The terms used in the DPA and its Implementing Rules and Regulations (IRR), as amended, are adopted herein.

SECTION 3. COVERAGE. - This Ordinance shall cover all departments and offices under the City of Pagadian.

SECTION 4. GENERAL DUTIES AND OBLIGATIONS. - The following are the general duties and obligations of the City Government of Pagadian as a personal information controller (PIC):

Personal data shall be processed for the purpose of facilitating the performance of its public functions and the provision of public services pursuant to its mandate. In all instances, it shall adhere to the general data privacy principles of transparency, legitimate purpose, and proportionality;

Reasonable and appropriate safeguards shall be implemented for the protection of personal data of data subjects of the City Government of Pagadian, whether internal (officials, employees, job order, contract of service, casual, etc.) or external (clients, visitors, other stakeholders, etc.);

The rights of the data subjects shall be upheld, subject to limitations as may be provided for by law. The free exercise of applicable rights shall be enabled through mechanisms that are clear, simple, straightforward, and convenient for the data subjects; and

The data privacy right of the affected data subjects shall be harmonized with the right to information on matters of public concern. It is recognized that both rights are imperative for transparent, accountable, and participatory governance, and are key factors for effective and reasonable public participation in social, political, and economic decision-making.

SECTION 5. SPECIFIC COMPLIANCE REQUIREMENTS. - The following specific compliance requirements under the DPA, its IRR as amended, and relevant issuances of the NPC are hereby set out as follows:

Designation of a Data Protection Officer (DPO). - Pursuant to Section 21 of the DPA, PICs shall designate individual/s who shall facilitate and ensure the PIC's responsibility and accountability for the organization's compliance with the DPA. The following are hereby designated:

The Data Protection Officer (DPO), tasked with the duties and responsibilities of ensuring compliance of the City Government of Pagadian with the DPA, its IRR, and other NPC issuances, shall be designated by the Local Chief Executive (LCE). The DPO shall be:
  Consulted at the earliest stage possible on all issues relating to privacy and data protection of all personal data processing systems;
  Provided with resources necessary to keep themselves updated with developments in data privacy and security;
  Granted appropriate information and access, where necessary, to the details of personal data processing activities of the departments and offices;
  Invited to participate in the appropriate meetings of any department and office to represent the interest of data privacy;
  Consulted promptly in the event of a personal data breach or security incident; and
  Included in all relevant working groups that deal with personal data processing activities.

The DPO or his or her authorized representative/s shall create the necessary user accounts in the applicable NPC system/s for compliance with the requirements for registration and personal data breach notification and management;

The DPO shall ensure that data privacy awareness seminars and other necessary trainings for the personnel of the City Government of Pagadian are duly conducted; and

The contact details of the DPO should be made available and easily accessible on the official website and social media page/s and should include the following information:
  Title or designation - the name of the DPO need not be published but should be made available upon request by a data subject;
  Postal address; and
  Dedicated telephone number and email address.

Conduct of Privacy Impact Assessment. - All departments and offices as process owners shall conduct a privacy impact assessment (PIA) on any personal data processing system prior to its adoption, use, or implementation. For existing systems, the DPO shall be consulted by the respective process owners on the appropriateness of conducting a PIA and the reasonable timeframe to accomplish the same;

For both existing and proposed systems, there may be a determination that the conduct of a PIA is not necessary if the processing involves minimal risks to the rights and freedoms of data subjects, taking into account the recommendations from the DPO. In making this determination, the following should be considered:
  Size and sensitivity of the personal data being processed;
  Duration and extent of processing;
  Likely impact of the processing on the life of the data subject; and
  Possible harm in case of a personal data breach;

The conduct of a PIA may be outsourced to a third-party service provider, as may be recommended by the DPO, subject to the laws, rules, and regulations applicable to government procurement;

The relevant issuances and other information, education, and communication materials of the NPC on PIA and other relevant issuances shall serve as additional guidance; and

The results of the PIA conducted shall be made the basis for the preparation of the Privacy Management Program, the Privacy Manual, and the crafting of the appropriate privacy notices specific to the personal data processing activities being undertaken by the pertinent departments and offices, and other applicable policies relevant to data privacy and security.

Adoption of a Privacy Management Program and Privacy Manual.
- The City Government of Pagadian shall prepare a Privacy Management Program, which shall contain, among others, the necessary policies and processes that remediate the gaps identified in the PIA, and a Privacy Manual, as may be supplemented by existing or prospective codes, guides, manuals, privacy notices, ordinances, policies, and other documented information on processes that may deal with any data privacy matter. The DPO shall be tasked to ensure that all relevant records and other documentation on data privacy are maintained and kept up to date; and

The Privacy Management Program and Privacy Manual shall be subject to regular review, evaluation, and updating, where appropriate, considering best practices and national and/or international standards for data privacy and security.

Implementation of security measures. - Reasonable and appropriate organizational, technical, and physical security measures shall be implemented by all departments and offices processing personal data. The determination of what is reasonable and appropriate shall take into account the following factors, as determined following the PIA conducted:
  Nature and volume of the personal data to be protected;
  Risks of the processing to the involved data subjects;
  Size of the department or office and complexity of its personal data processing activities;
  Current data privacy best practices; and
  Cost of implementation;

The security measures to be implemented shall ensure the protection of personal data against any unlawful processing and the confidentiality, integrity, and availability of the personal data being processed. The DPO, in consultation and coordination with the City Mayor's Office-Information Technology Division (CMO-IT), shall make the appropriate determination and recommendation on the measures and policies to be implemented. These may include back-up solutions, access controls, secure log files, acceptable use, encryption, and data disposal mechanisms, among others, for any personal data processing activity, whether done through paper-based or electronic systems.

Data sharing and outsourcing arrangements shall be subject to the execution of the appropriate agreements as may be determined by the City Legal Officer in consultation with the DPO. For this purpose, the relevant issuances of the NPC shall be observed accordingly.

Security Incident Management; Personal Data Breach Management. - The following policies and procedures are set out for the purpose of managing security incidents, including personal data breaches:

Data Breach Response Team (DBRT). A data breach response team shall be responsible for the following actions:
  Assess and evaluate all security incidents, including personal data breaches;
  Restore integrity to the affected information and communications systems;
  Recommend measures for mitigation and remedies for any resulting damage to the City of Pagadian and the affected data subjects;
  Comply with the mandatory notification and other reporting requirements indicated in the appropriate NPC issuance; and
  Coordinate with the appropriate government Computer Emergency Response Team (CERT) and law enforcement agencies, where appropriate.

Incident Response Procedure. The DBRT shall recommend the actual procedure or manual for the timely discovery and management of security incidents. This shall include:
  Identification of the person or persons responsible for regular monitoring and evaluation of security incidents;
  Reporting lines in the event of a personal data breach;
  Evaluation of security incidents or personal data breaches as to their nature, extent, and cause, the adequacy of safeguards in place, the immediate and long-term impact of the personal data breach, and its actual and potential harm and negative consequences to affected data subjects;
  Procedures for contacting law enforcement, if necessary;
  Conduct of investigations on the security incident, including personal data breaches;
  Procedures for notifying the NPC and data subjects when the personal data breach is subject to mandatory notification requirements; and
  Procedures for assisting affected data subjects to mitigate the possible harm and negative consequences in the event of a personal data breach.

Funding. The funding requirements needed for this Ordinance shall be provided for through an Appropriation Ordinance.

SECTION 6. RIGHTS OF DATA SUBJECTS; MECHANISMS FOR THE EXERCISE OF RIGHTS. - The relevant NPC issuances on data subject rights, the guidance on transparency, the procedures for the exercise of rights, and the appropriate templates indicated therein are hereby adopted.

SECTION 7. REMEDIES. - The DPO, in coordination with the City Legal Officer and the concerned department or office as the process owner, shall endeavor to address and resolve all data subject clarifications, complaints, concerns, questions, personal data breaches, and other similar matters without undue delay, following the applicable provisions of Republic Act No. 11032, or the Ease of Doing Business and Efficient Government Service Delivery Act of 2018, and its Implementing Rules and Regulations.

SECTION 8. INTERPRETATION. - Any doubt in the interpretation of any provision of this Ordinance and corresponding policies shall be construed in a manner that accords the highest respect for data privacy, and liberally interpreted in a manner mindful of the rights and interests of data subjects.

SECTION 9. TRANSITORY PROVISION. - Departments and offices affected by the implementation of this Ordinance shall be given a six (6) month transitory period from the effectivity of the Ordinance to comply with its requirements.

SECTION 10. SEPARABILITY CLAUSE. - If any section or part of this Ordinance is held unconstitutional or invalid, the other sections or provisions not otherwise affected shall remain in full force and effect.

SECTION 11. REPEALING CLAUSE. - All other ordinances, orders, issuances, rules, and regulations which are inconsistent with the provisions of this Ordinance are hereby repealed, amended, or modified accordingly.

SECTION 12. EFFECTIVITY CLAUSE. - This Ordinance shall take effect fifteen (15) days after publication.

ENACTED AND APPROVED by the Sangguniang Panlungsod (14th City Council) during its 41st Regular Session on 12 July 2023 at the SP Session Hall, 4th Floor City Commercial Center (C3), Santiago District, Pagadian City.