OBJECTIVE To ensure that any personal information collected by the Company is used
fairly, stored safely and not disclosed unlawfully.
SCOPE This policy applies to all ONET employees across all sites.
1. PURPOSE
Protecting the security and privacy of the personal data of customers, clients and employees is
important to Outsource Network (“ONET”). Through this policy, which will be known as
the “Data Privacy and Protection Policy”, ONET operates in compliance with applicable
laws on data privacy and data security, specifically Republic Act No. 10173
(“R.A. 10173”) of the Republic of the Philippines. The Data Privacy and Protection Policy
supplements this national law and its implementing rules and regulations.
ONET is committed to local and international compliance with data protection laws. This
Data Privacy and Protection Policy applies to all ONET sites and employees and is based
on globally accepted, basic principles on data protection.
Ensuring data protection is the foundation of trustworthy business relationships and the
reputation of ONET as a vendor, client, partner and employer. The Data Privacy and
Protection Policy provides one of the necessary framework conditions for usage,
collection, storage, control, and destruction of confidential personal information
whether in electronic or physical form.
R.A. 10173 will take precedence in the event that it conflicts with ONET’s Data Privacy
and Protection Policy, or in cases where it has stricter requirements than this Policy.
2. SCOPE
The privacy protection standards and requirements contained in this Policy shall apply to all
ONET sites that collect, process, store or transfer personal data, whether acting
as a Personal Information Controller or as a Personal Information Processor.
3. DEFINITION OF TERMS
Personal Information Controller – refers to the company or person who controls the
processing of personal data, or instructs another to process personal data on its behalf.
Personal Information Processor – refers to the company or person to whom a personal
information controller may outsource or instruct the processing of personal data.
Consent of the Data Subject – refers to any freely given, specific, informed indication of
the will, whereby the data subject agrees to the collection and processing of his or her
personal, sensitive personal, or privileged information. Consent shall be evidenced by
written, electronic or recorded means. It may also be given on behalf of a data subject
by a lawful representative or an agent specifically authorized by data subject to do so.
Processing – refers to any operation or any set of operations performed upon personal
data including, but not limited to, the collection, recording, organization, storage,
updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or
destruction of data. Processing may be performed through automated means, or
manual processing if the personal data are contained or are intended to be contained in
a filing system.
ONET may process Personal Information and Data that is reasonably adequate for and
relevant to the following applicable purposes:
1. For human resources and personnel management processes which may include
recruitment, workforce planning, training and performance management,
compensation and benefits, leave and benefits management, pay slip distribution,
employee information and skill management, employee survey, exit interviews and
processed record, and health and safety. In such a case, ONET acts as a Personal
Information Controller.
2. For Personal Data of personnel of suppliers and vendors, contributors, clients,
prospects and visitors. In such a case, ONET also acts as a Personal Information
Controller.
3. For business process execution and management processes which may include any
activities or services done by ONET on behalf of or for the client. In such a case, ONET
acts as a Personal Information Processor.
Each ONET Center Site and its employees, including its suppliers, in processing personal
information/data must observe the following principles:
In all cases, ONET must ensure that the transfer or processing of Personal Data is done with
proper and reasonable security and protection. It must be ensured that the receiving entity or
any third party provider provides the same adequate level of protection.
6. RETENTION OF DATA
Storage of Personal Data by ONET must be made in accordance with the following rules:
a. The length of time for which Personal Data are kept must be reasonable and must be reviewed periodically.
b. Such retention must conform to the purpose/s for which the data were collected, and the data must not
be kept after the purpose/s has/have been accomplished.
c. All Personal Data must be deleted or anonymized in a secure manner ensuring
protection from unlawful or wrongful access.
d. Retained Personal Data must be accurate, properly archived and kept up to date, and must be
securely deleted once they go out of date. It is the responsibility of the Data Subject to
inform ONET of any inaccuracy in, or update to, his/her personal data. However, ONET
will exert commercially reasonable effort to keep its database as accurate and
up to date as possible.
Where ONET shares Personal Data among its subsidiaries, those subsidiaries must
agree what to do with such Personal Data once they no longer need to share the
information.
7. INFORMATION SECURITY
a. ONET must ensure that only authorized people can access, alter, disclose or destroy
Personal Data and that those people only act within the scope of their authority in
relation to Personal Data. A system must be created to:
(i) protect Personal Data from accidental loss, alteration, or destruction and
(ii) also make such Personal Data recoverable to prevent any damage or
distress to the Data Subjects concerned.
b. Safeguards must be put in place to protect Personal Data. These safeguards may include
physical and environmental security, such as facility, workstation and access
controls; computer security, such as security devices and encryption; and employee security
awareness, such as new-hire and annual training. Every ONET site must conduct a
risk assessment and is accountable for meeting the organizational, policy, procedural and
documentation requirements.
d. In case of any Personal Data breach, ONET must engage a breach-management plan
which includes at least the following:
ii. Breach Containment and Recovery – ONET must resolve the incident by
applying a recovery plan and, where necessary, procedures for damage
limitation.
iii. Risk Assessment – ONET must assess the associated risks, such as the adverse
consequences for individuals, the seriousness of the breach, and the risk of repetition.
iv. Breach Notification – ONET must inform the people concerned about an
information security breach, as well as the appropriate data protection authority and
other appropriate parties such as the police and the banks, as the case may be.
v. Process Evaluation – An investigation must be conducted to determine the
cause of the breach and to evaluate the effectiveness of the response made.
Policies and procedures must be updated accordingly.
ONET and its employees have a duty to cooperate with, and to respond diligently and
appropriately to, any inquiry or request made by the appropriate local data protection
authorities. Such a request may include an audit inquiry or a request for ONET to be
audited, if deemed necessary, and ONET must comply with the advice of the Data Protection
Authorities on any issue regarding these standards or compliance with privacy laws.
9. SANCTIONS
Any employee who has attempted to breach, is alleged to have breached, or has in fact breached this
Policy, whether by negligence or willful misconduct, will be subject to disciplinary
sanctions at ONET’s sole discretion, up to and including termination of employment,
in accordance with the Company Code of Conduct, R.A. 10173, and its implementing rules
and regulations.
MARICEL P. PUSING
Sr. Business Partner, Human Resources
MARLO R. CRUZ
Administrative and Purchasing Officer, Human Resources
SHERRIE D. BUGARIN
President/CEO
A. RECRUITMENT AND HUMAN RESOURCES DATA PRIVACY GUIDELINES
1. Data Collection
2. Information Update
b. All 201 files and any other documents containing personal information of employees,
trainees and job applicants shall be kept and maintained in a locked filing cabinet or
drawer inside the HR office, where unauthorized persons cannot view them.
c. Electronic files from the recruitment portal and the HRIS (Human Resource Information
System) must be stored on the central file server, protected by a strong password.
d. If data are stored on removable media (such as a flash drive), the media must be locked away
securely when not in use.
e. All filing cabinets and drawers containing 201 files and personnel records of active
employees, and of employees separated for up to one (1) year, must be located inside the HR office.
f. Personnel records of employees separated for more than one (1) year shall be transferred
to the warehouse for storage through the Administration Department. Boxes
containing 201 files or any other personnel records must be properly labelled prior to
turnover to the Administrative Staff with the following:
i. Box Number
ii. List of separated employees posted outside the box (if 201 file or
recruitment related files)
iii. List of files or folders (if statutory benefits related files)
Electronic inventory of all 201 files, recruitment files and statutory files transferred
to the warehouse shall be maintained and kept by respective owners or responsible
persons.
4. Data Access
a. Personal data of employees shall not be shared with or disclosed to any person,
within or outside the company, except as authorized under this section.
b. The Company shall restrict internal access to employee records, and only HR
personnel shall be authorized to retrieve information from the 201 file.
c. Only personnel of the following sections are authorized to access
and process personal information of employees:
i. Recruitment
ii. Employee Relations
iii. Compensation and Benefits
iv. Payroll
d. Any request for retrieval of data shall be made in writing and shall be subject to
the approval of the HR Head.
e. Retrieval of physical documents shall be permitted only with the HR Head’s authorization and only within the HR
Office. Taking such documents outside the HR office is prohibited.
f. All approved information/data requests and retrievals shall be logged for
monitoring and security purposes, either in a logbook or
electronically, by the respective owners or responsible persons.
5. Destruction
6. Sanctions
a. Any employee who has violated this policy, whether by negligence or willful
misconduct, will be subject to disciplinary action in accordance with ONET’s Code
of Conduct.
AGS Four Winds is the authorized storage provider of ONET. It collects the record boxes for
storage and ensures an appropriate and secure environment for the warehousing of ONET
records.
The requesting department fills out a service request form provided by AGS
Four Winds indicating the following information: priority, services, transaction codes and
file codes.
Every two (2) years, the Records Custodian collects from each department the semi-active and
inactive material, together with its supporting documents, for storage.
The record boxes collected must be sealed and labelled with information such as codes,
destruction date and owner.
3. Updating of Information
The Records Custodian is responsible for updating the master list every two (2) months. The
master list specifies the location of records stored offsite. The Records Custodian ensures that the records schedule is
properly implemented and that all semi-active and inactive material is sent to offsite
storage.
The Records Custodian is also responsible for records reviews and inventories to make sure
that record boxes are complete and intact.
4. Processing
The Records Custodian will ask the requesting department to provide the following
information.
The Records Custodian obtains from each department a list of the authorized staff, with their
specimen signatures, who alone may access the record boxes stored
at the facility.
The Records Custodian shall provide a soft copy of the “Records Management Service
Request Form (RM-SRF)”. AGS Four Winds shall provide the following records management
services: Pick-up, Delivery, Access, Permanent Pullout, Permanent
Destruction, Indexing, Cataloguing, Supplies and Other Services.
5. Data Storage
The AGS Four Winds representative carries a system-generated Work Instruction Sheet,
which ONET’s representative receives and signs to acknowledge receipt and
completion of the request.
AGS Four Winds prepares a monthly inventory movement or status report for
ONET.
6. Access to Data
Only the Records Custodian has exclusive access to the company’s records.
For confidentiality and security reasons, only AGS Four Winds representatives may handle
the records and enter the storage area; the Records Custodian shall
wait in the viewing room. All record boxes carry a unique barcode that is
used to track the movement of each box. The records are scanned in and out of the
facility, from the delivery truck to the customer premises, and from the receiving area to
their corresponding location racks.
Should ONET require physical access to the records, a written request on the
Records Management Service Request Form (RM-SRF) must be received by AGS Four Winds by fax or
email, confirming the details of the request, the authorized
signatory, and the name and signature of the designated company representative
who will physically retrieve the boxes from the AGS Four Winds representative at the
facility. The Company representative must bring the original written request to AGS
Four Winds and present a valid ID in order to retrieve the boxes from the AGS Four
Winds premises. AGS Four Winds will acknowledge the request and arrange for the
appropriate service to be provided.
7. Destruction
8. Sanction