Butuan City Water District (BCWD) Data Privacy Policy

1. Policy Declaration

   It is the policy of BCWD to protect all forms of personal information (data) that have been processed from its data subject while performing its mandate which is to provide potable water within its jurisdiction.

2. Legal Basis

   This policy is adopted pursuant to Republic Act no. 10173 otherwise known as an act protecting individual personal information in all information and communications systems in the government and the private sector (Data Privacy Act of 2012)

3. Objective

   BCWD shall implement appropriate data protection policies that provide for organization, physical, and technical security measures, and for such purpose, take into account the nature, scope, context and purposes of the processing, as well as the risks posed to the rights and freedoms of data subjects.

   1. The policies shall implement data protection principles both at the time of the determination of the means for processing and at the time of the processing itself.
   2. The policies shall implement appropriate security measures that, by default, ensure only personal data which is necessary for the specified purpose of the processing are processed. It shall determine the amount of personal data collected, including the extent of processing involved, the period of their storage, and their accessibility.
   3. The polices shall provide for documentation, regular review, evaluation, and updating of the privacy and security policies and practices

4. Scope of Application

   This policy applies to the processing of all types of personal information of every Department/Division/online as the case maybe, from the data subject by reason of Consent, Contractual Necessity, Legal Obligation, Vital Interest, Public Interest and Legitimate Interest.

   Data Subject includes but not limited to;

   1. Concessionaires
   2. Employees/Contract of Service / Job Orders/ Project Base
   3. Job Applicants
   4. Prospect Suppliers/Bidders
   5. Sub-Contractors and the likes

5. General Data Privacy Adhered Principles

   Personal information must, be:

   1. Collected for specified and legitimate purposes determined and declared before, or as soon as reasonably practicable after collection, and later processed in a way compatible with such declared, specified and legitimate purposes only;
   2. Processed fairly and lawfully;
   3. Accurate, relevant and, where necessary for purposes for which it is to be used the processing of personal information, kept up to date; inaccurate or incomplete data must be rectified, supplemented, destroyed or their further processing restricted;
   4. Adequate and not excessive in relation to the purposes for which they are collected and processed;
   5. Retained only for as long as necessary for the fulfillment of the purposes for which the data was obtained or for the establishment, exercise or defense of legal claims, or for legitimate business purposes, or as provided by law; and
   6. Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected and processed: Provided, That personal information collected for other purposes may lie processed for historical, statistical or scientific purposes, and in cases laid down in law may be stored for longer periods: Provided, further, that adequate safeguards are guaranteed by said laws authorizing their processing.
   7. BCWD through concerned department heads must ensure implementation of personal information processing principles set out herein (Office Order No. 23-A061).

6. Lawful Processing of Personal Data

   1. The data subject must have given his or her consent prior to the collection, or as soon as practicable and reasonable;
   2. The processing involves the personal information of a data subject who is a party to a contractual agreement, in order to fulfill obligations under the contract or to take steps at the request of the data subject prior to entering the said agreement;
   3. The processing is necessary for compliance with a legal obligation to which the personal information controller is subject;
   4. The processing is necessary to protect vitally important interests of the data subject, including his or her life and health;
   5. The processing of personal information is necessary to respond to national emergency or to comply with the requirements of public order and safety, as prescribed by law;
   6. The processing of personal information is necessary for the fulfillment of the constitutional or statutory mandate of a public authority; or
   7. The processing is necessary to pursue the legitimate interests of the personal information controller, or by a third party or parties to whom the data is disclosed, except where such interests are overridden by fundamental rights and freedoms of the data subject, which require protection under the Philippine Constitution.

7. Data Protection Officer (DPO) Function

   BCWD designated its Data Protection Officer (DPO) and an assistant DPO if it deems necessary, thru an Office Order, who is accountable for ensuring compliance with applicable laws and regulations for the protection of data privacy and security (Office Order No. 551)To carry out this function, the DPO should:

   1. Monitor the organization’s compliance with the DPA, its IRR, issuances by the NPC and other applicable laws and policies. This includes collecting information about the personal data processing, analyzing and checking compliance and any accreditations or certifications, and providing advice and recommendations on legal requirements;
   2. Ensure the conduct of Privacy Impact Assessments;
   3. Advice the organization regarding complaints and/or the exercise by data subjects of their rights (e.g., requests for information, clarifications, rectification or deletion of personal data);
   4. Ensure proper data breach and security incident management by organization;
   5. Inform and cultivate awareness on privacy and data protection;
   6. Advocate for the development, review and/ or revision of policies, guidelines, projects and/ or programs relating to privacy and data protection, by adopting a privacy by design approach;
      • Serve as the contact person of the organization vis-à-vis data subjects, the NPC and other authorities in all matters concerning data privacy or security;
      • Cooperate, coordinate and seek advice of the NPC;
      • Perform other duties and tasks that may be assigned by the organization that will further the interest of data privacy and security and uphold the rights of the data subjects.

   The name of the DPO need not be published. However, it should be made available upon request by a data subject or the NPC. For this purpose, the contact details of the DPO should include the following information:

   1. Title or designation
   2. Postal address
   3. A dedicated telephone number
   4. A dedicated email address

8. Data Breach Response Team Function

   The Creation of a Data Breach Response Team (Office Order No. 030-2022), shall have at least one (1) member with the authority to make immediate decisions regarding critical action, if necessary. The team shall be responsible for the following (Sec. 5, NPC Circular 16-03)

   1. Implementation of the security incident management policy of BCWD or its personal information processor;
   2. Management of security incidents and personal data breaches; and
   3. Compliance by the BCWD or its personal information processor with the relevant provisions of the Act, its IRR, and all related issuances by the Commission on personal data breach management;

   Ready to assess and evaluate a security incident, restore integrity to the information and communications system, mitigate and remedy any resulting damage, and comply with reporting requirements.

9. General Security Measures

   Data Breach is a security incident that leads to accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access or of unauthorized processing of personal data Compromises the availability, integrity, or confidentiality of personal data. A security incident management policy is implemented herein for the purpose of managing security incidents, including personal data breaches. Thus, BCWD Departments/Divisions involved in personal data processing are directed to practice personal data breach prevention in line with their respective processes such as;

   1. Regularly conduct a privacy impact assessment;
   2. Have a working data governance policy;
   3. Implement security measures;
   4. Make sure personnel are trained;
   5. Regularly review policies and procedures
   6. Be aware of threats

10. BCWD's Privacy Notice Implementation

    Personal Data Collected/ Usage / Protection Measure/Access and Correction:

    1. For processing Contracts to its concessionaire, inquiries and requests, BCWD may collect the following personal information from its concessionaires, Employee, Retirees, Resigned employees, Job Applicants, Disengaged Job Orders, Project based and contract of service when they manually or electronically submit their personal data, as the case maybe, by any of the reason stated above, to wit:

       • Name
       • Contact information or email;
       • Addresses;
       • Educational/ backgrounds etc;
    2. The collected personal information is utilized solely for, Service Connection Contracts, Employment Contracts, documentation and other processing purposes within the BCWD and is not shared with any outside parties. Such personal information may be forwarded to appropriate internal units for their own processes, action and response, and provide to its data subject appropriate updates and advisories in a legitimate format and in an orderly and timely manner.
    3. Only authorized BCWD personnel has access to these personal information, the exchange of which will be facilitated through email and hard copy. Generally, they will be stored in a database and/or cabinet files for two years after inquiries and requests are acted upon, except for personal information utilized under Concessionaire’s Contract and Employment Contracts by which they will be maintained throughout the contract duration.
    4. The Data Subjects have the right to ask for a copy of any personal information which BCWD holds by reason abovementioned, as well as to ask for it to be corrected they think it is wrong. To do so, please contact our Data Protection Officer, Mr. Joseph Tantoy, through the following email address: bcwdrecords@gmail.com

11. Reporting

    BCWD through the data breach response team shall notify within 72 hours upon knowledge of, or when there is reasonable belief that a personal data breach has occurred.

    Notification of a data breach is mandatory when:

    1. The personal data involves:
       1. Sensitive personal information or
       2. Any other information that may be used to enable identity fraud;
    2. There is reason to believe that the information may have been acquired by an unauthorized person; and
    3. The unauthorized acquisition is likely to give rise to a real risk of serious harm to any affected data subject.

12. Effectivity

    This Policy shall take effect immediately after thirty (30) days posting in Three Conspicuous places in the office premises namely, the Bulletin Boards near Commercial Department, Pipeline Appurtenances Maintenance Department (PAMD) and HRD Division.