Kythe Foundation Inc. Data Privacy Policy

I. Introduction

Kythe Foundation Inc. respects and values data privacy rights, and makes sure that all personal data collected from beneficiaries, sponsors and other stakeholders are processed in adherence to the general principles of transparency, legitimate purpose, and proportionality. This Privacy Manual is hereby adopted in compliance with Republic Act No. 10173 or the Data Privacy Act of 2012 (DPA), its implementing Rules and Regulations, and other relevant policies, including issuance for the National Privacy Commission.

II. Definition of Terms

  1. “Data subject”refers to an individual whose personal, sensitive personal or privileged information is processed by the organization. It may refer to officers, employees, consultants, and clients of this organization.
  2. “Personal information” refers to any information whether recorded in a material form or not, from which the entity or an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify the individual.
  3. “Processing” refers to any operation or any set of operations performed upon personal information including, but not limited to the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data.
  4. “Demographic data” refers to the basic information the Kythe team gathers from beneficiaries such as age, sex, place of residence, number of family members, and the like.
  5. “Family Background” refers to the information about the family’s lifestyle and dynamics to determine eligibility for financial or medical support.
  6. “Medical History” refers to the patient’s illness and treatment experience
  7. “Monthly progress reports” refers to the updates of the patient’s response to medication and medical procedures.
  8. “Government issued certificates” refers to documents issued by government institutions.
  9. “Family Support Program” refers to the Foundation’s program of financial, medical support to the patient and the family.
  10. “Child Life Program” refers to the psychosocial support the Foundation provides the patients while confined in the hospital.
  11. “Celebrate Life Parties” refers to the monthly gathering of patients and sponsors to celebrate the fact the patient were able to survive cancer and other chronic-illnesses.
  12. “Partner Relations Program” refers to the Foundation’s program to mobilize resources to support the programs and operation expenses.
  13. “Communication” refers to the Foundation’s mechanism to inform all stakeholders about the Foundation’s programs and activities, especially thru social media.
  14. “Administration and Finance” refers to the Foundation’s human resource and finance operations.

III. Scope and Limitations

All personnel of Kythe Foundation, regardless of the type of employment or contractual arrangement, must comply with the terms set out in this Privacy Manual.

IV. Processing of Personal Data

A. Collection
The Kythe Foundation collects the basic contact information of beneficiaries, sponsor and volunteers including their full name, address, contact number.

1. Collecting data from parents/ legal guardian
  1. Collector explains the content of the written informed consent to the parent by using language easily understood by all parties.
  2. A verification process is undertaken by the collector by asking legal guardian to express in their own words understanding of the informed consent.
  3. Collector then requests parent/legal guardian to sign informed consent. If parent/legal guardian is not able to sign due to disabilities and the like, collector will request for a thumbmark witnessed by a non-relative i.e. co-parent
  4. Collector checks all information has been accomplished, and once checked signs the informed consent
2. Collecting Data under the Family Support Program
  1. Who collects-members of the Family Support Program Team are authorized to collect data from parents.
  2. Type of data- Personal data, demographic, family background, medical history and hospital records, medical abstract, economic condition, support system, monthly progress reports, copies of government-issued certificates, identification cards of parents and child, birth certificates and photo of patient
  3. Mode of collecting information- one-on-one interview in a closed-door room and documents and accessed on-line (Private Messenger and email). Documents submitted by parents are verified through the interview.
  4. Purpose of collecting information- screening, monitoring and updating of patients and family’s information to qualify for the Family Support Program services (for example medical, financial, scholarship support).
3. Collecting data during Celebrate Life Parties
  1. Who collects- Child Life Coordinators, Kythe personnel and authorized representatives from parents
  2. Type of data- demographic, photo (soft and hard copies) , audio and video
  3. Mode of collecting- written and audio-visual recordings in and out of the hospital during Kythe-related activities
  4. Purpose of collecting information- documentation, program implementation, monitoring and evaluation and resource mobilization
4. Collecting data under the Volunteer Program
  1. Who collects- Volunteer Coordinator collects data from prospective volunteers on-line and prior to Volunteer Orientations.
  2. Type of data- demographic, contact details, company or organization name, skills and interests and preferred volunteer schedule, photo, audio-video
  3. Mode of collecting – on-line, website, manual recording
  4. Purpose of collecting- program planning, implementation, monitoring and evaluation and resource mobilization
5. Collecting data under the Partner Relations Program
  1. Who collects- Partner Relations Manager and team
  2. Type of data- Contact details, company profile
  3. Mode of collecting- one-on-one interview in the office, Kythe office mutually agreed venue, on-line, email
  4. Purpose of collecting- resource mobilization, retention and sustainability
6. Collecting data under the Communications Program
  1. Who collects- Communications Personnel
  2. Type of information- basic information of clients and customers including their full name address, email address contact number together with the products they would like to purchase.
  3. Mode of collecting- on-line (email, messenger, social media)
  4. Purpose of collecting-selling of products, warranty tracking of purchased items and inventory of products, inquiries of Kythe services and products, implement, monitor and evaluate communication program
7. Collecting data under Admin and Finance
  1. Who collects- Finance Officer and ED
  2. Type of information- demographic, contact details, educational and work background, licenses, ID’s, government issued documents, medical certificate, references, family background.
  3. Mode of collecting- email and manual (hard copies)
  4. Purpose of collecting- HR and 201 File, compliance to government requirements and health insurance

B. Use
Personal data collected shall be used the Foundation for documentation purposes and for reporting progress of Kythe personnel, patient and families and retention of volunteers and sponsors.

C. Storage, Retention and Destruction
The Foundation will ensure that personal data under its custody are protected against any accidental or unlawful destruction, alteration and disclosure as well as against any other unlawful processing. The Foundation will implement appropriate security measures in storing collected personal information, depending on the nature of the information. All information gathered shall not be retained for a period longer than three (3) years. After three (3) years, all hard and soft copies of personal information shall be disposed and destroyed through secured means.

D. Access
Due to the sensitive and confidential nature of the personal data under the custody of the Foundation, only the patient/family and the authorize employee of the Kythe Foundation shall be allowed to access such personal data, for any purpose, except for those contrary to law, public policy, public order or morals. 

E. Disclosure and Sharing
All employees and personnel of the Foundation shall maintain the confidentiality and secrecy of all personal data that come to their knowledge and possession, even after resignation, termination of contract or other contractual relations. Personal data under the custody of the company shall be disclosed only pursuant to al lawful purpose, and to authorize recipients of such data.

V. Security Measures

A. Organization and Security Measures

  1. Data Protection Officer (DPO), or Compliance Officer for Privacy (COP)
    The Designated Protection Officer is Ms. Rhenzel Aivy Fausto, who is concurrently serving as the Communications and Data Protection Officer of the organization.
  2. Functions of the DPO
    The Data Protection Officer shall oversee the compliance of the organization with the DPA, its IRR, and other related policies, including the conduct of the Privacy Impact Assessment, implementation of security measures, security incident and data breach protocol, and the inquiry and complaints procedure.
  3. Conduct of training or seminars to keep personnel, especially the Data Protection Officer updated vis-à-vis developments in data privacy and security. The organization shall sponsor mandatory training on data privacy and security at least once a year. For personnel directly involved in the processing of personal data, management shall ensure their attendance and participation in relevant trainings and orientations, as often as necessary.
  4. Conduct of Privacy Impact Assessment (PIA)
    The Foundation shall conduct a Privacy Impact Assessment (PIA) relative to all activities, projects and systems involving the processing of personal data. It may choose to outsource the conduct of PIA to a third party.
  5. Recording and documentation of activities carried out by the DPO, or the organization
    The Foundation shall sponsor a mandatory training on data privacy at least once a year. For personnel directly involved in the processing of personal data, management shall ensure their attendance in relevant trainings and orientations, as often as necessary.
  6. Duty of confidentiality
    All employees of the Foundation will be asked to sign a Non-Disclosure Agreement. All employees with access to personal data shall operate and hold personal data under strict confidentiality if the same is not intended for public disclosure.
  7. Review of Privacy Manual
    This manual shall be reviewed and evaluated annually. Privacy and security policies and practices within the organization shall be updated to remain consistent with current data privacy best practices.
B. Physical Security Measures
  1. Format of data to be collected
    Personal data in the custody of the organization may be in digital/electronic format and paper-based/physical format.
  2. Storage type and location (filing cabinets)
    All personal data being processed by the Foundation shall be stored in a safe location, where paper-based document are kept in locked filing cabinets while the digital/electronic files are stored in computers provided and installed by the company.
  3. Access procedure of agency personnel
    Only authorize personnel shall have access to the storage space. For this purpose, they shall be given a duplicate of the key to the storage space. Other personnel may be granted access to the room upon filing of an access request form with the Data Privacy Officer and Executive Director and the latter’s approval thereof.
  4. Monitoring and limitation of access to room or facility
    All personnel authorized to enter and access the data storage space must fill-out the registration form of the organization and the logbook kept by the DPO. They shall indicate the date, time, duration and purposed of each access.
  5. Design of office space/work station
    The computers are positioned with considerable spaces between them to maintain privacy and protect the processing of personal data.
  6. Persons involved in processing and their duties and responsibilities
    Persons involved in the processing shall always maintain confidentiality and integrity of personal data. They are not allowed to bring their own gadgets or storage device of any form when accessing the data storage space.
  7. Modes of transfer of personal data within the organization or to third parties
    Transfers of personal data via electronic mail shall use a secure email facility with encryption of the data, including any or all documents. Facsimile technology shall not be used for transmitting documents containing personal data.
  8. Retention and disposal procedure
    The Foundation shall retain the personal data of beneficiaries and sponsors for three (3) years from the data of purchase. Upon expiration of such period, all physical and electronic copies of the personal data shall be destroyed and disposed of using secure technology.
C. Technical Security Measures
  1. Monitoring for security breaches
    The Foundation shall use an intrusion detection system to monitor security breaches and alert the organization of any attempt to interrupt or disturb the system.
  2. Security features of the software/s and application/s used
    The Foundation shall first review and evaluate software applications before the installation thereof in computers and devices of the Foundation to ensure the compatibility of security features with over-all operations.
  3. Process for regularly testing, assessment and evaluation of effectiveness of security measures
    The organization shall review security policies, conduct vulnerability assessments and perform penetration testing within the Foundation on regular schedule to be prescribed by the appropriate department or unit.
  4. Encryption, authentication process and other technical security measures that control and limit access to personal data
    Each personnel with access to personal data shall verify his or her identity using a secure authentication process.

VI. Breach and Security Incidents

  1. Creation of a Data Breach Response Team
    A Data Breach Response Team composing of three (3) officers shall be responsible for ensuring immediate action in the event of a security incident or personal data breach. The team shall conduct an initial assessment of the incident or breach in order to ascertain the nature and extent thereof. It shall also execute measures to mitigate the adverse effects of the incident or breach.
  2. Measures to prevent and minimize occurrence of breach and security incidents
    The Foundation shall regularly conduct a Privacy Impact Assessment to identify the risks in the processing system and monitor for security breaches and vulnerability scanning of computer networks. Personnel directly involved in the processing of personal data must attend trainings and seminars for capacity building. There must also be a periodic review of policies and procedures being implemented in the organization.
  3. Procedure for recovery and restoration of personal data
    The Foundation shall always maintain a backup file for all personal data under its custody. In the event of a security incident or data breach. It shall always compare the backup with the affected file to determine the presence of any inconsistencies or alterations resulting from the incident or breach
  4. Notification Protocol
    The head of the Data Breach Response Team shall inform the management of the need to notify the NPC and the data subjects affected by the incident or breach within the period prescribed by law. Management may decide to delegate the actual notification to the head of the Data Breach Response Team.
  5. Documentation and reporting of security incidents or a personal data breach
    The Data Breach Response Team shall prepare a detailed documentation of every incident or breach encountered, as well as an annual report, to be submitted to management and the NPC, within the prescribed period.

VII. Inquiries and Complaints

Data subjects may inquire or request for information regarding any matter to the processing of their personal data under the custody of the Foundation, including the data privacy and security policies implemented to ensure the protection of their personal data. They may write to the organization at [email protected] and briefly discuss the inquiry, together with their contact details for reference.

VIII. Effectivity

The provision of this Manual are effective this 2nd day of January 2019, until revoked or amended by the Foundation, through a Board Resolution.

IX. Annexes

  1. Consent form
  2. Inquiry summary form
  3. Access request form
  4. Privacy notice
  5. Request for correction or erasure
  6. Non-disclosure agreement