
TITLE: DATA PRIVACY AND PROTECTION POLICY

OBJECTIVE: To ensure that any personal information collected by the Company is used
fairly, stored safely and not disclosed unlawfully.

SCOPE: This policy applies to all ONET employees across all sites.

1. PURPOSE

 Protecting the security and privacy of the personal data of customers, clients and employees is
important to Outsource Network (“ONET”). Through this policy, which will be known as
the “Data Privacy and Protection Policy”, ONET operates in compliance with applicable
laws on data privacy protection and data security, specifically Republic Act 10173
(“R.A. 10173”) of the Republic of the Philippines. The Data Privacy and Protection Policy
supplements this national law and its implementing rules.

 ONET is committed to local and international compliance with data protection laws. This
Data Privacy and Protection Policy applies to all ONET sites and employees and is based
on globally accepted, basic principles on data protection.

 Ensuring data protection is the foundation of trustworthy business relationships and the
reputation of ONET as a vendor, client, partner and employer. The Data Privacy and
Protection Policy provides one of the necessary framework conditions for usage,
collection, storage, control, and destruction of confidential personal information
whether in electronic or physical form.

 R.A. 10173 will take precedence in the event that it conflicts with ONET’s Data Privacy
and Protection Policy, or in cases where it has stricter requirements than this Policy.

2. SCOPE

The privacy protection standards and requirements contained in this Policy shall apply to all
ONET sites that deal with the processing, collection, storing, or transfer of personal data, acting
as a Personal Information Controller or as a Personal Information Processor.

3. DEFINITION OF TERMS

Personal Information Controller – refers to the company or person who controls the
processing of personal data, or instructs another to process personal data on its behalf.
Personal Information Processor – refers to the company or person to whom a personal
information controller may outsource or instruct the processing of personal data.

Data Subject – refers to an individual whose personal, sensitive personal, or privileged
information is processed.

Consent of the Data Subject – refers to any freely given, specific, informed indication of
the will, whereby the data subject agrees to the collection and processing of his or her
personal, sensitive personal, or privileged information. Consent shall be evidenced by
written, electronic or recorded means. It may also be given on behalf of a data subject
by a lawful representative or an agent specifically authorized by data subject to do so.

Personal Information/Data – refers to any information, whether recorded in a material
form or not, from which the identity of an individual is apparent or can be reasonably
and directly ascertained, such as birth date, gender, race, height, home address, civil
status, government numbers (SSS, Philhealth, HDMF, TIN, Driver’s License, Passport),
and names of parents, spouse or children.

Processing – refers to any operation or any set of operations performed upon personal
data including, but not limited to, the collection, recording, organization, storage,
updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or
destruction of data. Processing may be performed through automated means, or
manual processing if the personal data are contained or are intended to be contained in
a filing system.

4. PROCESSING OF PERSONAL DATA

4.1 Purpose of Processing Personal Data

ONET may process Personal Information and Data that is reasonably adequate for and
relevant to the following applicable purposes:

1. For human resources and personnel management processes which may include
recruitment, workforce planning, training and performance management,
compensation and benefits, leave and benefits management, pay slip distribution,
employee information and skill management, employee survey, exit interviews and
processed record, and health and safety. In such a case, ONET acts as a Personal
Information Controller.
2. For Personal Data from personnel of suppliers and vendors, contributors, clients and
prospects and visits. In such a case, ONET also acts as a Personal Information
Controller.
3. For business process execution and management processes which may include any
activities or services done by ONET on behalf of or for the client. In such a case, ONET
acts as a Personal Information Processor.

4.2 Rules To Follow While Processing Personal Data

Each ONET Center Site and its employees, including its suppliers, in processing personal
information/data must observe the following principles:

1. Personal information must be processed fairly and lawfully.
2. Processing should ensure data quality.
3. Personal Information must be processed with transparency. The data subject must
be aware of the nature, purpose and extent of the processing of his or her personal
data, including the risks involved, the identity of personal information controller, his
or her rights as a data subject and how these can be exercised.
4. Personal Information must be processed for one or more, declared, specified and
lawful purpose(s) and may not be processed incompatibly with those purposes.
Further processing of the data for historical, statistical or scientific purposes shall not
be considered incompatible.
5. The processing of Personal Data must be adequate, relevant, suitable, necessary, and
not excessive in relation to the declared and specified purposes for which the data is
processed.
6. Personal Information must be accurate and kept up to date in such a way as to give a
true picture of the current situation of the data subject.
7. Any authorized further processing shall have adequate safeguards.
8. Personal Information must not be kept for longer than is necessary. Information shall
be erased when it has ceased to be necessary or relevant for the purpose for
which it was obtained or recorded.
9. Personal information shall be disposed of or discarded in a secure manner that
prevents further processing, unauthorized access, or disclosure to any other party or
the public, or prejudice to the interests of the data subjects.
10. Appropriate technical and organizational measures must be taken against
unauthorized or unlawful processing of Personal Information as well as against
accidental loss, destruction of or damage to that information.
11. The collection of information by fraudulent, unfair or illicit means is prohibited.

4.3 Additional rules to follow when ONET acts as Data Controller

ONET, when acting as a Data Controller, must comply with the following additional
requirements:

1. Registration with the National Privacy Commission as required by RA 10173.
2. Consent to process Personal Information must first be given by the Data Subject
before collection, processing, or storage of any Personal Data, unless laid down
otherwise by law. Every Data Subject must be informed of the purpose for which
Personal Data is collected, stored, or processed;
3. ONET shall provide the Data Subject with the identity and address of the Data
Controller or his representative, if any; the purposes of the processing; the recipients
or categories of recipients of the data; and the existence of the rights to access,
rectify, erase and object to the data concerning him/her.

5. TRANSFER OF DATA TO THIRD PARTY PROVIDERS

In all cases, ONET must ensure that the transfer or processing of Personal Data is done with
proper and reasonable security and protection. It must be ensured that the receiving entity or
any third party provider provides the same adequate level of protection.

6. RETENTION OF DATA

Storage of Personal Data by ONET must be made in accordance with the following rules:

a. The reasonable length of time Personal Data is kept must be reviewed periodically.
b. Such retention must conform to the purpose/s for which it was taken, and the data must not
be kept after the purpose/s has/have been accomplished.
c. All Personal Data must be deleted or anonymized in a secure manner ensuring
protection from unlawful or wrongful access.
d. Retained Personal Data must be accurate, archived and updated, and it must be
securely deleted once it goes out of date. It is the responsibility of the Data Subject to
inform ONET of any inaccuracy or update to his/her personal data. However, ONET
will exert commercially reasonable effort to maintain its database as accurate and
updated as possible.

Where ONET shares Personal Data among its subsidiaries, those subsidiaries must
agree what to do with such Personal Data once they no longer need to share the
information.

7. INFORMATION SECURITY

a. ONET must ensure that only authorized people can access, alter, disclose or destroy
Personal Data and that those people only act within the scope of their authority in
relation to Personal Data. A system must be created to:

(i) protect Personal Data from accidental loss, alteration, or destruction; and
(ii) make such Personal Data recoverable to prevent any damage or
distress to the Data Subjects concerned.

b. Safeguards must be put in place to protect Personal Data. These may include
physical and environmental security such as facilities, workstation and integrity access
control; computer security such as security devices and encryption; and employee security
awareness such as new-hire and annual training. Every ONET site must carry out a
risk assessment and is accountable for the organizational, policy, procedure and
documentation requirements.

c. Security requirements of local laws must be complied with. IT standards must
conform to local and contractual requirements. Therefore, Information Security
officers must always refer to, and keep up to date with, the applicable specific or local
security standards when addressing the security of Personal Data.

d. In case of any Personal Data breach, ONET must engage a breach-management plan
which includes at least the following:

i. Breach Containment and Recovery – ONET must resolve the incident by
applying a recovery plan and, where necessary, procedures for damage
limitation.

ii. Risk Assessment – ONET must assess the associated risks, such as the adverse
consequences for individuals, the seriousness of the breach, and the risk of repetition.

iii. Breach Notification – ONET must inform the people concerned about an
information security breach, the appropriate data protection authority, and
other appropriate parties such as the police and the banks, as the case may be.

iv. Process Evaluation – An investigation must be conducted to determine the
cause of the breach and evaluate the effectiveness of the response made.
Policies and procedures must be revised accordingly.

8. COOPERATION WITH DATA PROTECTION AUTHORITIES

It is the duty of ONET and its employees to co-operate with, and to respond diligently and
appropriately to, any inquiry or request made by the appropriate local data protection
authorities. Such a request may include an audit inquiry or a request for ONET to be
audited, if deemed necessary. ONET must also comply with the advice of Data Protection
Authorities on any issue regarding these standards or compliance with privacy laws.

9. SANCTIONS

Any employee who has attempted to breach, is alleged to have breached, or has in fact breached this
Policy, whether by negligence or willful misconduct, will be subject to disciplinary
sanctions at ONET’s sole discretion, up to and including termination of employment,
in accordance with the Company Code of Conduct, RA 11073, and its implementing rules
and regulations.

Prepared by:

MARICEL P. PUSING
Sr. Business Partner, Human Resources

SHERRIE D. BUGARIN
Administrative and Purchasing Officer, Human Resources

Approved by:

MARLO R. CRUZ
President/CEO

A. RECRUITMENT AND HUMAN RESOURCES DATA PRIVACY GUIDELINES

1. Data Collection

a. The Recruitment Personnel shall be responsible for collecting and processing
information as part of the screening and hiring process, where job applicants are
required to submit their resume and input personal information through the
recruitment portal.
b. Hard copies of data or documents collected during the hiring process shall be endorsed
to the Employee and Labor Relations Specialist for creation of the 201 file.
c. The Compensation and Benefits Personnel shall also have access to the personal
information of employees for processing of statutory and healthcare benefits such
as government numbers, civil status, birthday and personal information of
dependents.
d. The Compensation and Benefits Specialist shall be responsible for updating
personnel information as necessary. Any document received or submitted
subsequently by employees for update purposes shall go directly to the 201 File of
the employee.
e. Personal data of employees, including salary details, is also shared with the Payroll
Officer as required for administering the payout of salaries.
f. All personal information of employees being transferred to authorized personnel
should be password protected if transmitted through email or removable media.

2. Information Update

a. It is the employee’s obligation to inform the HR Department of any change in the
information contained in the 201 file, i.e., civil status, address, contact numbers and
names of dependents or beneficiaries.
b. Notification to the HR Department must be made within thirty days after the
commencement date of any change in the personal information of an employee.
c. Supporting documentation is required before some information can be updated in the
system. Any such change to personal information takes effect only upon receipt of
these documents.

Amendment | Requirement/s | Agency to be updated
1. Civil Status / Maiden Name to Married Name | Marriage Certificate | SSS, Philhealth, HDMF, BIR
2. Additional Dependent | Birth Certificate | SSS, Philhealth, HDMF, BIR

d. Update of some personal information of employees, such as contact number, home
address, and number of dependents, shall be initiated by the Human Resource
Department yearly to keep the information accurate and up to date.

3. Data Storage

a. HR Employees handling sensitive or confidential information should make sure
documents and printouts are not left where unauthorized people could see them.
Lock the screen when leaving the workstation or when the
computer is not in use.

b. All 201 files, or any document which contains personal information of employees,
trainees and job applicants, should be kept and maintained inside a lockable filing cabinet or
drawer inside the HR office, where unauthorized people cannot see them.
c. Electronic files from the recruitment portal and HRIS (Human Resource Information
System) must be stored on the central file server, protected with a strong password.
d. If data is stored on removable media (like flash drive), this should be locked away
securely when not being used.
e. All filing cabinets and drawers containing 201 files and personnel records of active
employees, and of employees separated for up to one (1) year, must be placed inside the HR office.
f. Personnel records of employees separated for more than one (1) year shall be transferred
to the warehouse for storage through the Administration Department. Boxes
containing the 201 files or any personnel records must be properly labelled prior to
turnover to the Administrative Staff with:
i. Box Number
ii. List of separated employees posted outside the box (if 201 file or
recruitment related files)
iii. List of files or folders (if statutory benefits related files)

Electronic inventory of all 201 files, recruitment files and statutory files transferred
to the warehouse shall be maintained and kept by respective owners or responsible
persons.

An acknowledgement receipt upon turnover to the Administration Department must be
properly filed in a folder for monitoring and control purposes.

4. Data Access

a. Any personal data of employees shall not be shared or disclosed to any person,
within or outside the company.
b. The Company shall restrict internal access to employee records and only the HR
personnel shall be authorized to retrieve certain information from the 201 file.
c. Only the following personnel under these sections are authorized to have access
and process personal information of employees:
i. Recruitment
ii. Employee Relations
iii. Compensation and Benefits
iv. Payroll

d. Any request for retrieval of data should be made in writing and shall pass through
the approval of the HR Head.
e. Retrieval of physical documents shall only be allowed by the HR Head and only within the HR
Office. Taking them outside the HR office is prohibited.
f. All approved information/data requests or retrieval shall be logged accordingly for
monitoring and security purposes. This can be done either through a logbook or
electronically by respective owners or responsible person.

5. Destruction

a. Data printouts should be shredded and disposed of securely when no longer
required.
b. Personnel records shall be kept and maintained for a period of five (5) years
after resignation or separation of the employee from the Company. All hard
copies of personnel records of resigned employees shall be destroyed or
shredded after this period. Electronic files or soft copies of personal or
confidential information shall be deleted from the system as well.
c. All information and data collected from unsuccessful job applicants shall be
retained for a period of 12 months. After this period, all files and information
collected shall be destroyed.

6. Sanctions

a. Any employee who has violated this policy, whether by negligence or willful
misconduct, will be subject to disciplinary action in accordance with ONET’s Code
of Conduct.

B. ADMINISTRATIVE UNIT DOCUMENT STORAGE GUIDELINES

1. Authorized Storage Provider

AGS Four Winds is the authorized storage provider of ONET. It will collect the record boxes for
storage and ensure an appropriate and secure environment for the warehousing of ONET
records.

2. Data Collection Procedure by Provider

 The requesting department will fill out a service request form provided by AGS
Four Winds indicating the following information: priority, services, transaction codes and
file codes.
 The Records Custodian collects from each department, every two years, the semi-active and
inactive material and its supporting documents for storage.

 The record boxes collected must be sealed and must contain information such as codes,
destruction date, owner, etc.

3. Updating of Information

 The Records Custodian is responsible for updating the master list every two (2) months,
specifying the location of records stored offsite, and ensuring that the records schedule is
appropriately implemented and that all semi-active or inactive material is sent to offsite
storage.

 The Records Custodian is responsible for records reviews and inventory to make sure
that record boxes are complete and intact.

4. Processing

 Each department will identify who is responsible for classifying their records.

 The Records Custodian will ask the requesting department to provide the following
information:

o Specify who opens a new file.
o Specify who does the filing and how often.
o Specify who is responsible for adding to file lists.

 The Records Custodian will obtain from each department a list of the authorized staff,
with their corresponding signatures, who alone may access the record boxes stored
at the facility.

 The Records Custodian shall provide a soft copy of “Records Management Service
Request Form (RM-SRF)”. AGS Four Winds shall provide the following services for
records management: Pick-up, Delivery, Access, Permanent Pullout, Permanent
Destruction, Indexing, Cataloguing, Supplies and Other Services.

5. Data Storage

 AGS Four Winds representative carries a system generated Work Instruction Sheet
that is received and signed by ONET’s representative to acknowledge receipt and
completion of the request.
 AGS Four Winds will prepare a monthly inventory movement or status report for
ONET.

6. Access to Data

 Only the Records Custodian has exclusive access to the company’s records.
 Only AGS Four Winds representatives are allowed to access the records and enter
the storage area, for confidentiality and security reasons. The Records Custodian shall
wait in the viewing room. All record boxes shall have a unique barcode that will be
used to track the movements of each box. The records are scanned in and out of the
facility, from the delivery truck to the customer premises, and from the receiving area to
their corresponding location racks.
 Should ONET require physical access to the records, a written request through the
Records Management Service Request Form (RM-SRF) must be received by fax or
email to AGS Four Winds confirming the details of the request, the authorized
signatory, and the name and signature of the designated company representative
who will physically retrieve the boxes from AGS Four Winds representative in the
facility. The Company representative must bring the original written request to AGS
Four Winds and present a valid ID in order to retrieve the boxes from the AGS Four
Winds premises. AGS Four Winds will acknowledge the request and arrange for the
appropriate service to be provided.

7. Destruction

 Records must be disposed of once their retention period has expired.
 These records must be safeguarded until they are completely
destroyed, with no possibility of retrieval or reconstruction.
 AGS Four Winds uses shredding as its method of destruction. AGS Four Winds
promotes environmental conservation and therefore does not use incineration as a
method of destruction.
 The Records Custodian must witness the destruction process.

8. Sanction

 Non-compliance shall be dealt with in accordance with ONET’s Code of Conduct.
