
The National Academy of Science and Technology (NAST) respects your right to privacy and wants you to be aware of how we collect, use, and share your personal data. This Privacy Policy covers our data processing practices and describes your data privacy rights under Republic Act No. 10173, otherwise known as the Data Privacy Act of 2012, its Implementing Rules and Regulations, issuances of the NPC, and other relevant data protection and privacy laws (collectively referred to as Privacy Laws).
 
What personal data we collect from you
NAST collects personal data which include your full name, address, email address, contact number, educational background, work experiences and such other data needed in connection with its mandated functions.

Why we collect your data
Personal data collected shall be used by NAST for documentation, evaluation and processing, and mandatory reporting purposes as permitted or required by law.
As a primary recognition body on science and technology, data collected shall be used in evaluating, processing, selecting and awarding the most deserving individual, group or organization.
As a higher advisory body to the President and the Cabinet in matters related to science and technology, personal data collected may be used for such purposes.
 
How your data is used, protected and retained
NAST is committed to protecting your personal data. We use reasonable and appropriate organizational, physical and technical measures to protect your personal data from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into due account the risks involved in the processing and the nature of your personal data.
 
Your Data Privacy Rights
In accordance with Privacy Laws, we are committed to upholding your rights in relation to your personal data.

You have the right to request a copy of your personal data, and to correct, modify or erase your personal data from our systems, databases, and processes, subject to applicable rules and regulations. To do so, please contact the NAST Secretariat at the following email address: secretariat@nast.dost.gov.ph.
 
 
NAST Manual and Guidelines on Data Privacy Laws

I. Background

Republic Act No. 10173, also known as the Data Privacy Act of 2012 (DPA), aims to protect personal data in information and communications systems both in the government and the private sector.

It ensures that entities or organizations processing personal data establish policies, and implement measures and procedures that guarantee the safety and security of personal data under their control or custody, thereby upholding an individual’s data privacy rights. A personal information controller or personal information processor is instructed to implement reasonable and appropriate measures to protect personal data against natural dangers such as accidental loss or destruction, and human dangers such as unlawful access, fraudulent misuse, unlawful destruction, alteration and contamination.

To inform its personnel of such measures, each personal information controller or personal information processor is expected to produce a Privacy Manual. The Manual serves as a guide or handbook for ensuring the compliance of an organization or entity with the DPA, its Implementing Rules and Regulations (IRR), and other relevant issuances of the National Privacy Commission (NPC). It also encapsulates the privacy and data protection protocols that need to be observed and carried out within the organization for specific circumstances (e.g., from collection to destruction), directed toward the fulfillment and realization of the rights of data subjects.

II. Introduction

This Privacy Manual is hereby adopted by the National Academy of Science and Technology (NAST) in compliance with Republic Act No. 10173 or the Data Privacy Act of 2012 (DPA), its Implementing Rules and Regulations, and other relevant policies, including issuances of the National Privacy Commission. This organization respects and values data privacy rights, and makes sure that all personal data collected are processed in adherence to the general principles of transparency, legitimate purpose, and proportionality.

This Manual contains information on data protection and security measures, and may serve as guide in exercising rights under the DPA.

III. Definition of Terms

  • Data Subject – refers to an individual whose personal, sensitive personal or privileged information is processed by the organization. It may refer to officers, employees, consultants, and clients of this organization.
  • Information System – refers to computer software designed to collect, process, store, and distribute information.
  • Personal Information – refers to any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or which, when put together with other information, would directly and certainly identify an individual.
  • Processing – refers to any operation or any set of operations performed upon personal information including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data.

IV. Scope and Limitations

All personnel regardless of the type of employment or contractual arrangement, members, consultants and clients of NAST must comply with the terms set out in this Privacy Manual.

V. Processing of Personal Data

a. Collection

NAST collects the basic information of its members, employees, consultants, and clients and customers, including their full name, address, email address, contact number, together with their educational background, work experiences and other information necessary in pursuance of its mandate.

b. Use

Personal data collected shall be used by NAST for documentation, evaluation and processing, and mandatory reporting purposes as permitted or required by law.

As a primary recognition body on science and technology, data collected shall be used in evaluating, processing, selecting and awarding the most deserving individual, group or organization.

As a higher advisory body to the President and the Cabinet in matters related to science and technology, personal data collected may be used for such purposes.

c. Storage, Retention and Destruction

NAST ensures that personal data under its custody are protected against any accidental or unlawful destruction, alteration and disclosure as well as against any other unlawful processing. NAST will implement appropriate security measures in storing collected personal information, depending on the nature of the information.

All information gathered shall be retained for the period allowed or prescribed by law. After such period, all hard and soft copies of personal information shall be disposed of and destroyed through secure means.

d. Access

Due to the sensitive and confidential nature of the personal data under the custody of NAST, only the authorized representative/s of NAST shall be allowed to access such personal data, for any purpose except those contrary to law, public policy, public order or morals.

e. Disclosure and Sharing

All employees and personnel of NAST shall maintain the confidentiality and secrecy of all personal data that come to their knowledge and possession, even after resignation, termination of contract, or other contractual relations. Personal data under the custody of NAST shall be disclosed only pursuant to a lawful purpose, and to authorized recipients of such data.

VI. Security Measures

a. Organization of Security Measure

i. Creation of Data Privacy Policy Committee

  • Chair: Director IV
  • Compliance Officer: Chief Administrative Officer
  • Data Protection Officer: Chief Science Research Specialist
  • Data Protection Officer (alternate): Planning Officer III
  • Data Security Officer: IT Officer I
  • Personal Information Controllers or Processors:
      • Senior Science Research Specialist (Advisory)
      • Senior Science Research Specialist (Recognition)
      • Senior Science Research Specialist (Philippine Science Heritage Center)
      • Science Research Specialist II (Scientific Linkages)
      • Chief Administrative Officer (Human Resources)
      • IT Officer I (Management Information System)

ii. Role and Responsibility

1. Compliance Officer

The Compliance Officer shall monitor and ensure compliance with applicable laws and regulations for the protection of data privacy and security.

      • Support or provide the necessary trainings and certifications to ensure that the Data Protection Officer and Data Security Officer are properly trained and equipped with the necessary requirements and knowledge for the role.
      • Support or provide the necessary equipment for the purposes of data protection and security measures.
      • Provide or conduct training, seminars, workshops or orientations on Data Privacy for all NAST employees.
      • Cooperate with and respond to requests from the NPC.
      • Represent NAST in the event of an inquiry, an inspection, or an investigation by the NPC.

2. Data Protection Officer

      • Establish and implement program controls related to the DPA.
      • Assess and revise ongoing program controls related to data privacy.
      • Review and update this Privacy Manual.
      • Conduct Privacy Impact Assessments.
      • Ensure the recording and documentation of activities and policies related to Data Privacy.
      • Ensure that the Personal Information Controllers or Personal Information Processors are informed of their roles and responsibilities.
      • Monitor personal data operations carried out by the Personal Information Processor.
      • Monitor personal data controls and processing operations carried out by the Personal Information Controller and Personal Information Processor.
      • Carry out inquiries when necessary and coordinate with other appropriate persons responsible for related disciplines and functions within NAST.
      • Advocate for Data Privacy within NAST.

3. Data Security Officer

      • Responsible for any Information System (IS) under their control or custody, including IS that have been outsourced or transferred from a third party for processing, whether domestically or internationally.
      • Implement reasonable and appropriate physical and technical security measures for the protection of IS collecting personal data.
      • Ensure that any natural person acting under their authority who has access to personal data does not process it except upon their instructions, or as required by law.
      • Ensure that the Privacy Notice is in an appropriate format and manner, and is provided on NAST's main website.
      • Ensure that a consent request is always displayed on all IS and consent is obtained whenever personal data is being collected (see Annex 1 for a sample format). The Privacy Notice shall include all provisions of Section V - Processing of Personal Data.
      • Attend to all requests related to data privacy.

4. Personal Information Controller and Processor

      • Responsible for any personal data under their control or custody, including information that has been outsourced or transferred to a personal information processor or a third party for processing, whether domestically or internationally.
      • Implement reasonable and appropriate physical and technical security measures for the protection of personal data.
      • Ensure that any natural person acting under their authority who has access to personal data does not process it except upon their instructions, or as required by law.
      • Ensure that a Privacy Notice in an appropriate format and manner is always provided and consent is always obtained whenever personal data is being collected (see Annex 1 for a sample format). The Privacy Notice shall include all provisions of Section V - Processing of Personal Data.
      • Attend to all requests related to data privacy.
      • Ensure that Data Subjects are informed of their rights.

5. Data Subject

      • Right to be informed
      • Right to object
      • Right to access
      • Right to rectification
      • Right to erasure or blocking
      • Right to damages

iii. Conduct trainings, seminars, workshops or orientations

NAST shall conduct a mandatory training on data privacy and security at least once a year. For personnel directly involved in the processing of personal data, management shall ensure their attendance and participation in relevant trainings and orientations, as often as necessary.

iv. Privacy Impact Assessment

NAST shall conduct a Privacy Impact Assessment (PIA) relative to all activities, projects and systems involving the processing of personal data. It may choose to outsource the conduct of a PIA to a third party.

v. Duty of Confidentiality

All employees will be asked to sign a Non-Disclosure Agreement. All employees with access to personal data shall operate and hold personal data under strict confidentiality if the same is not intended for public disclosure.

vi. Review of Privacy Manual

This Manual shall be reviewed and evaluated annually. Privacy and security policies and practices within NAST shall be updated to remain consistent with current data privacy best practices.

b. Physical Security Measure

i. Format of data to be collected

Personal data in the custody of NAST may be in paper-based/physical format and digital/electronic format.

ii. Storage type and location

All personal data being processed by NAST shall be stored in a locked data room, where paper-based documents are kept, or in a locked filing cabinet while the digital/electronic files are stored in server room, or computers provided and installed by the company.

iii. Access procedure of agency personnel

Only authorized personnel shall be allowed or given access to the data room, server room, or the filing cabinet. For this purpose, they shall each be given a duplicate of the key to the room or the cabinet. Other personnel may be granted access to the room upon filing an access request form with the Data Security Officer or Data Protection Officer and the latter's approval thereof.

iv. Monitoring and limitation of access to data room, server room or filing cabinet

All personnel authorized to enter and access the data room, server room or filing cabinet must fill out or register into the logbook placed at the entrance of the room or near the filing cabinet. They shall indicate the date, time, duration and purpose of each access.

v. Persons involved in processing, and their duties and responsibilities

Persons involved in processing shall always maintain confidentiality and integrity of personal data. They are not allowed to bring their own gadgets or storage device of any form when entering the data room or server room.

vi. Mode of transfer of data within the organization, or to third parties

Transfers of personal data via electronic mail shall use a secure email facility with encryption of the data, including any or all attachments. Facsimile technology shall not be used for transmitting documents containing personal data.

vii. Retention and disposal procedure

All information gathered shall be retained for the period allowed or prescribed by law. After such period, all hard and soft copies of personal information shall be disposed of and destroyed through secure means.

c. Technical Security Measure

i. Monitoring for security breaches

NAST shall use an intrusion detection system to monitor security breaches and alert the Data Security Officer of any attempt to interrupt or disturb the system.

ii. Security features of the information systems, software and applications

NAST shall first review and evaluate software applications before the installation thereof in computers and devices of NAST to ensure the compatibility of security features with overall operations.

iii. Process for regularly testing, assessment and evaluation of effectiveness of security measures

NAST shall review security policies, conduct vulnerability assessments and perform penetration testing within the agency on a regular schedule to be prescribed by the appropriate department or unit.

iv. Encryption, authentication process, and other technical security measures that control and limit access to personal data

Each authorized representative of NAST with access to personal data shall verify his or her identity using a secure encrypted link and multi-level authentication.

VII. Breach and Security Incidents

a. Creation of a Data Breach Response Team

A Data Breach Response Team comprising five (5) Personal Information Controllers or Processors, headed by the Data Security Officer, shall be created. The Data Breach Response Team shall be responsible for ensuring immediate action in the event of a security incident or personal data breach. The team shall conduct an initial assessment of the incident or breach in order to ascertain the nature and extent thereof. It shall also execute measures to mitigate the adverse effects of the incident or breach.

b. Measures to prevent and minimize occurrences of breach and security incidents

NAST shall regularly conduct a Privacy Impact Assessment to identify risks in the processing system, monitor for security breaches, and perform vulnerability scanning of computer networks. Personnel directly involved in the processing of personal data must attend trainings and seminars for capacity building. There must also be a periodic review of the policies and procedures being implemented in the organization.

c. Procedure for recovery and restoration of personal data

NAST shall always maintain a backup file for all personal data under its custody. In the event of a security incident or data breach, it shall always compare the backup with the affected file to determine the presence of any inconsistencies or alterations resulting from the incident or breach.

d. Notification Protocol

The Head of the Data Breach Response Team shall inform the management of the need to notify the NPC and the data subjects affected by the incident or breach within the period prescribed by law. Management may decide to delegate the actual notification to the head of the Data Breach Response Team.

e. Documentation and reporting procedure of security incidents or a personal data breach

The Data Breach Response Team shall prepare a detailed documentation of every incident or breach encountered, as well as an annual report, to be submitted to management and the NPC, within the prescribed period.

VIII. Inquiries and Complaints

Data subjects may inquire or request information regarding any matter relating to the processing of their personal data under the custody of the organization, including the data privacy and security policies implemented to ensure the protection of their personal data. They may write to NAST at secretariat@nast.dost.gov.ph and briefly describe the inquiry, together with their contact details for reference.

Complaints shall be filed in  , or sent to secretariat@nast.dost.gov.ph. The concerned unit shall confirm with the complainant its receipt of the complaint. The complaint shall be processed in accordance with the procedures to be created for this purpose.

IX. Effectivity

All previous Orders and Issuances inconsistent herewith are deemed superseded and/or revoked accordingly.

This Administrative Order shall take effect immediately.

X. Annexes

  • Data Privacy Notice
  • Consent Form
  • Inquiry Form
  • Access Request Form
  • Request for Correction or Erasure Form
  • Related Laws, Policies and Documents