Information Security

What is Data Privacy?

The right of an individual not to have private information about himself disclosed, and to live freely from surveillance and intrusion.

Data Privacy is a Law

REPUBLIC ACT NO. 10173

Data Privacy Act of 2012 

Direct disobedience of the Data Privacy Act is punishable under Philippine law.


Data Collection

Collection of Data must be:

• Declared, Specified, Legitimate 

• The customer must be provided information regarding the purpose and extent of processing (automated processing for profiling, direct marketing, data sharing, etc.).

• Purpose determined and declared before, or as soon as possible after, collection

• Only personal data that is necessary and compatible with declared purpose shall be collected

Data Processing

Personal data shall be processed fairly and lawfully

• Right to refuse, withdraw consent, object 

• Information provided to customer must always be in clear and plain language 

• Processing must be in a manner compatible with declared, specified, and legitimate purpose 

• Processed personal data should be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed 

• Processing shall be undertaken in a manner that ensures appropriate privacy and security safeguards.

Compliance

How Do We Comply?

Sample spiels for specific scenarios are as follows:

Information Modification and Changes

Customer Information Modification

“We will be collecting your personal information to update your customer profile. This information shall be kept in our system as long as you are a subscriber of Cignal TV. This may also be used to reach out to you for our customer satisfaction survey, announcements, special promos and bill reminders. Is this okay with you?”

Customer Information During Services

Service Call/ Truck Roll

“We will be collecting your personal information to reach out to you to confirm your service call appointment. This information will be shared to our legitimate contractors who will fulfil your request. This information shall be kept in our system as long as you are a subscriber of Cignal TV. This may also be used to reach out to you for our customer satisfaction survey, announcements, special promos and bill reminders. Is this okay with you?”

Customer Information Verification

Verification process to Safeguard Customer’s Personal Data

PID GUIDELINES

Account holder. Never volunteer information. Always ask it from customer and confirm only. 

Authorized person. Never volunteer information. Always ask it from customer and confirm only. 

3rd party, unauthorized. Never volunteer nor confirm information. Advise to have account holder call to have him authorized.

Customer Information During Customer Call-out

Activation Callout

“Can you please provide me your address so I can verify if it’s the same address on your application form?” “Personal information gathered from this call shall be used to assess your application and will be used as your customer profile when approved. This information shall be kept in our system as long as you are a subscriber of Cignal TV. This may also be used to reach out to you for our customer satisfaction survey, announcements, special promos and bill reminders. Is this okay with you?”

Customer Says No

Customer Non-compliance

If the customer says NO, create a ticket to opt the customer out. The data is to be sent to Cignal’s Data Privacy Committee and CEG RA for exclusion from CSAT.

Republic Act 10173 - Data Privacy Law

Section 24: Surveillance of Suspects and Interception of Recording of Communications

Section 7 of Republic Act No. 9372, otherwise known as the “Human Security Act of 2007”, is hereby amended to include the condition that the processing of personal data for the purpose of surveillance, interception, or recording of communications shall comply with the Data Privacy Act, including adherence to the principles of transparency, proportionality, and legitimate purpose.

Compliance

How Do We Comply?


Include in IVR / Agents' Script:

Hotline, LWR Opening Spiel

“To ensure the quality of our service, this call may be recorded.”

Section 24: Customer's Data Rights

Right to be Informed

• The customer has a right to be informed whether personal data shall be, are being, or have been processed <To comply: Disclosures before collecting personal data and recording of call; feedback after account info had been modified>

• The customer shall be notified and furnished with information indicated hereunder before the entry of his or her personal data into the processing system of the personal information controller <c/o LEGAL>


Right to Object

The customer shall have the right to object to the processing of his or her personal data, including processing for direct marketing, automated processing or profiling. The customer shall also be notified and given an opportunity to withhold consent to the processing in case of changes or any amendment to the information supplied or declared to the data subject in the preceding paragraph. <To comply: OPT-OUT PROCESS>

Right to Access

The customer has the right to reasonable access to, upon demand, the following:

• Contents of his or her personal data that were processed 

• Sources from which personal data were obtained 

• Names and addresses of recipients of the personal data 

• Manner by which such data were processed 

• Reasons for the disclosure of the personal data to recipients, if any; 

• Information on automated processes where the data will, or is likely to, be made as the sole basis for any decision that significantly affects or will affect the data subject 

• Date when his or her personal data concerning the customer were last accessed and modified; and 

• The designation, name or identity, and address of the personal information controller.

<Access – Account Portal?>

Right to Rectification


• The customer has the right to dispute the inaccuracy or error in the personal data and have the personal information controller correct it immediately and accordingly 

• If the personal data has been corrected, the personal information controller shall ensure the accessibility of both the new and the retracted information and the simultaneous receipt of the new and the retracted information by the intended recipients thereof: Provided, That recipients or third parties who have previously received such processed personal data shall be informed of its inaccuracy and its rectification, upon reasonable request of the data subject. <To comply: ACCOUNT MODIFICATION PROCESS>

Right to Erasure or Blocking


The customer shall have the right to suspend, withdraw or order the blocking, removal or destruction of his or her personal data from the personal information controller’s filing system. <c/o LEGAL>

Right to Damages


The customer shall be indemnified for any damages sustained due to such inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of personal data, taking into account any violation of his or her rights and freedoms as data subject. <LEGAL>

<To comply: All customer contact where customers threaten to escalate a data privacy concern must follow the VIP process where the information above may be shared>

Assessment

True or False:

  • All customer contact where customers threaten to escalate a data privacy concern must follow the VIP process where the information above may be shared.
  • All customer contact where customers threaten to escalate a data privacy concern must be opted out and create a ticket where data to be sent to Cignal's Data Privacy Committee.

Put a tick on the radio button next to the statement that is TRUE.

Put a tick on the radio button next to the statement that is FALSE.

Text matching question

  • Right to be informed
    The data subject shall be notified and furnished with information indicated hereunder before the entry of his or her personal data into the processing system of the personal information controller
  • Right to object
    The data subject shall also be notified and given an opportunity to withhold consent to the processing in case of changes or any amendment to the information supplied or declared to the data subject in the preceding paragraph.
  • Right to rectification
    If the personal data has been corrected, the personal information controller shall ensure the accessibility of both the new and the retracted information
  • Right to Damages
    The data subject shall be indemnified for any damages sustained due to such inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of personal data,

This is the right of an individual not to get his/her personal details disclosed, so that he/she may be free from any sort of intrusion or surveillance.

  • Information Technology
  • Information Collection
  • Data Processing
  • Data Privacy

Under the rights of the data subject (the customer), select all that apply within the scope of the customer's right to access.

  • Sources from which personal data were obtained
  • Reasons for the disclosure of the personal data to recipients, if any;
  • Information on automated processes where the data will, or is likely to, be made as the sole basis for any decision that significantly affects or will affect the data subject
  • Access the information on other accounts other than that of his/her own

Capturing a customer's interaction and transaction via recording tools falls under which Act?

  • Information Secrecy Act of 2007
  • Human Security Act of 2007
  • Data Privacy Act of 2007
  • Information Security Act of 2007

Under general principles, in collection, processing and retention, personal data shall be processed ______________ and __________________.

  • secretly
  • fairly
  • lawfully
  • abruptly

Which statement is not correct about data privacy?

  • Never volunteer information.
  • Let the customer provide the information and confirm only.
  • Ask for the account owner should an unauthorized person transact on behalf of the customer involving critical information.
  • It would be okay to sometimes give out personal information proactively

How do you comply with a customer's right to be informed?

  • All customer contact where customers threaten to escalate a data privacy concern must follow the VIP process where the information above may be shared.
  • Disclosures before collecting personal data and recording of call; feedback after account info had been modified
  • Follow Account Modification Process
  • None among the choices

Data Privacy is a ___________?

  • Right
  • Privilege
  • Choice
  • Price to Pay

Cignal Postpaid customers will be able to get hold of their SOA through which self-help option?

  • Cignal Webchat
  • Cignal Account Portal
  • Cignal Care
  • SMS Text Message