About the T3 Program

In 2018, the National Privacy Commission launched its Data Protection Officer Accountability, Compliance and Ethics Program aiming to establish a skills benchmark for DPOs to address the high demand for adequate capacity-building mechanisms for aspiring privacy professionals in the Philippines.

The Purpose Behind the T3

With the initial success of the DPO Level 1 Certification, the PHIL-DPO Program now seeks to expand the scope and breadth of the DPO ACE by accrediting qualified trainers who are able to educate the public on key concepts involving the Data Privacy Act of 2012, its Implementing Rules and Regulations, and other issuances of the NPC.

1. Letter of Intent

Interested applicants may signify their intent to apply for accreditation by emailing a letter of intent (LOI) to PHIL DPO at [email protected], with a brief description of your company, your training services, your training experience, and why you are applying for accreditation.

2. Submit Documents

We need to gather documents to determine your qualification. The specific documents can be found in the FAQs portion and the T3 Procedural Guidelines. Upon request, please submit the digital copies of the files to PHIL DPO at [email protected].

3. Evaluation

We will begin evaluating your application upon submission of the complete documents. We may reach out to you to gather more information when circumstances require.

4. Approval of Accreditation

We will release a Certificate of Accreditation after we find you suitable and qualified. A digital copy of the certificate will be provided to you via email.

5. Maintenance of Accreditation

Once the accreditation is granted, it must also be maintained. Remember that you have undertakings and obligations as an accredited institution, and you must comply with them in good faith.

For more information you may refer to your procedural guidelines or FAQs below.

IPTs (Institutional Privacy Trainers)

Development Academy of the Philippines

The Development Academy of the Philippines is a Government-Owned and Controlled Corporation established in 1973 with original charter created by Presidential Decree 205, amended by Presidential Decree 1061 and further amended by Executive Order 288.

People Management Association of the Philippines (PMAP)

The Preeminent Organization of People Managers and HR Practitioners in the country. The People Management Association of the Philippines (PMAP) is a strictly professional, non-stock, not-for-profit organization of over 1,800 member companies and individual management executives engaged or interested in human resource management (HRM) and industrial relations (IR) work. Founded in 1956, PMAP continues the tradition of its forefathers in advancing the profession, the science and the art of HRM. With twenty-nine (29) Chapters throughout the Philippines, PMAP has built a solid reputation as a premier national association proven by the success of its various advocacies, programs and initiatives.

Lights Consultancy, OPC (Lights Institute)

The LIGHTS Institute is a research and consulting firm built around the pillars of law, technology, and human rights. Our current focus area is privacy and data protection. We also design and deliver instructional courses in support of our management consultancy work.

Privacy Key Specialists PH, Inc.

Privacy Key Specialists is a consulting services firm composed of lawyers, IT and communications specialists for business and data privacy, privacy protection and compliance. We believe in the importance of data privacy and are committed to protecting your personal data. We also co-hosted DPO 23 for security and protection service providers and were a finalist in the DPO 2021 excellence awards.

Straits Interactive Training and Services Inc.

Helping our Community accelerate trust through Competency, Consulting and Capability.

Yisrael Solutions and Training Center Inc.

“Your reliable Learning and Solutions partner in the Digital World”

Process Synergy, Inc.

Center of excellence for business processing.

CENTER FOR RESEARCH AND COMMUNICATION FOUNDATION INC.

“The Research and Consultancy Link to Philippine Business Opportunities” Founded in 1967 as a think tank applying economic insights to address business needs, CRC has grown to become one of the Philippines’ most important research and advisory firms. It has continuously provided innovative business advice, tapping a diverse pool of experts across a tapestry of different fields, including infrastructure and industry; energy; transportation and logistics; food and agribusiness; health and wellness; digital technology and analytics; and education.

ADM & Partners

ADM is your data privacy partner. We are engaged in data privacy protection, awareness, compliance, and consultancy services. Our goal is to help individuals enforce their privacy rights, to ensure that organizations comply with data privacy rules, and to develop privacy professionals.

GLOBALKNOWLEDGE PH INC.

“Empowering Filipinos thru Education and Certification”

APTs (Accredited Privacy Trainers)

DR. ROLANDO R. LANSIGAN

Dr. Rolando R. Lansigan has been a privacy practitioner since 2016, being the first Chief of the Compliance and Monitoring Division of the National Privacy Commission. He has trained more than 1,000 Certified Data Protection Officers (DPOs) and has spoken at more than 300 conferences and seminars in national and international Data Privacy events. As an advocate of data privacy, he believes that “compliance to data privacy laws is an investment, not an expense”.

Email: [email protected]

ATTY. KARL JOHN A. BAQUIRAN

ATTY. KAYZER ALDRIN Z. SABA

Since 2017, Atty. Kayzer Aldrin Z. Saba, through KZS Law Office, has been providing seminars and trainings on Data Privacy Compliance to schools, human resource practitioners, non-profit organizations, and banks. Atty. KZS is a legal practitioner in the field, and currently serves as the DPO and Data Protection Unit Head of a universal bank in the country. His mission has always been to make the DPA understandable to different sectors by contextualizing his discussions at an industry level.

Email: [email protected]
Contact #: 09663220496

Q: What is the T3 Program?

A: In 2018, the National Privacy Commission (NPC or Commission) launched its Data Protection Officer (DPO) Accountability, Compliance and Ethics (ACE) Program with the aim to establish a skills benchmark for DPOs to address the high demand for adequate capacity-building mechanisms for privacy professionals in the Philippines.

With the initial success of the DPO Level 1 Certification, the PHIL-DPO Program now seeks to expand the scope and breadth of the DPO ACE Program through the Training the Trainers Program (T3).

Under the T3 Program, the NPC will give special recognition to trainers who are able to demonstrate the capacity, expertise, and qualifications to educate the public on key concepts and correct interpretation of the Data Privacy Act of 2012 (DPA), its Implementing Rules and Regulations (IRR), and other NPC issuances. The trainers will likewise be regularly guided by the NPC to ensure that they are kept updated on emerging privacy concepts, trends, and developments.

Q: Who may apply under the T3 program?

A: Application for Institutional Privacy Trainers (“IPT”) is open to both private and public institutions, including government-owned and controlled corporations. Application for Accredited Privacy Trainers (“APT”) is likewise available for individual practitioners or trainers.

Q: Before I apply, what must I consider?

A: The special recognition given by the NPC to trainers is based not only on the capacity, expertise, and qualifications of the trainers, but also on demonstrable proof that their students are competent to be Data Privacy professionals. Following this principle, applicants must meet the following obligations during their accreditation:

  1. To submit training curriculum with course description, objectives and syllabi patterned after existing NPC DPO ACE Training and Certification Program;
  2. To educate, train or instruct at least three hundred (300) individuals within the duration of the accreditation;
  3. To ensure at least eighty percent (80%) passing rate of trainees who will undergo the DPO ACE Certification Exam to be conducted by the NPC;
  4. To submit quarterly reports to NPC as to the progress of training and individuals enrolled;
  5. To provide NPC with training schedules, meeting links and other means to allow NPC to periodically observe training sessions; and
  6. To undergo trainings, seminars, and other capacity-building activities that NPC may require for Trainers.

Q: How do I apply for accreditation?

A: The application procedure can be summed up in four easy steps:

  1. Submit your Letter of Intent along with the completed Application Forms by email to [email protected].
  2. Within fifteen (15) days from the submission of the LOI, submit all the documentary requirements. Digital or scanned copies of your documents may be submitted by email to [email protected]. In case you submit digital files, you must also submit the hard copies within thirty (30) days from the submission of the LOI.
  3. Wait patiently as the NPC audits your submissions.
  4. After passing the audit, you will be granted an Accreditation Certificate.

The steps for application are provided in detail in the T3 Procedural Guidelines which you may access here.

Q: How do I know if I’m qualified?

A: The applicants must possess the following qualifications to be eligible:

1. Business Registration:

APT
  • Department of Trade and Industry (DTI) or Bureau of Internal Revenue (BIR) Registration as training instructor or consultant
  • Philippine Regulations Commission (PRC) Registration as trainer or instructor as may be applicable
IPT
  • Updated Business Permit
  • DTI or Securities and Exchange Commission (SEC) Certificate of Registration
  • Articles of Incorporation or Partnership indicating training services as the purpose of business
  • Other supporting documents showing that the applicant conducts training services

* For government entities, including GOCCs and State Universities and Colleges (SUCs), the Charter shall be in lieu of the foregoing.

2. Proof of Training Experience:

APT
  • At least one (1) year experience as Trainer, Instructor or Teacher
  • Calendar of Activities as Trainer or Instructor
IPT
  • Proof of operations as training provider for at least one (1) year
  • Calendar of Annual Course Offerings or Programs

3. Good Moral Character or Legal Standing

APT
  • No pending criminal, civil or administrative case(s) before:
    • NPC
    • DTI
    • BIR
    • Courts/quasi-judicial agencies
IPT
  • No pending criminal, civil or administrative case(s) before:
    • NPC
    • DTI
    • Department of Labor and Employment
    • Courts/quasi-judicial agencies

4. Technical knowledge on Data Privacy

APT
  • At least twenty-five (25) hours of attended trainings, seminars, orientations, or professional experience in the field of Data Privacy whether conducted by the NPC or external providers

*Preference is given to trainings conducted by the NPC

IPT
  • Trainers, mentors, and educators of the APT must have at least twenty-five (25) hours of attended trainings, seminars, orientations, or professional experience in the field of Data Privacy whether conducted by the NPC or external providers

*Preference is given to trainings conducted by the NPC

5. Curriculum

APT
  • Must submit training curriculum with course description, objectives and syllabi patterned after existing DPO ACE Level 1 Training and Certification Program, or NPC’s 5 Pillars of Compliance. Curriculum must contain essential provisions of the Data Privacy Act, IRR, and NPC issuances.
IPT
  • Must submit training curriculum with course description, objectives and syllabi patterned after existing DPO ACE Level 1 Training and Certification Program, or NPC’s 5 Pillars of Compliance. Curriculum must contain essential provisions of the Data Privacy Act, IRR, and NPC issuances.

Q: What are the documents that I need to submit?

A: The following documents must be completely submitted to ensure the processing of your application:

APT
  • One (1) original, fully accomplished APT Application Form (T3 Form No. 1a S. 2020)
  • One (1) original, notarized APT Deed of Undertaking (T3 Form No. 3a S. 2020)
  • Photocopies of Business Registration Documents
  • Photocopies of documents proving training experience
  • One (1) original, notarized Affidavit of Good Moral Character (T3 Form No. 2a s. 2020)
  • Two (2) testimonials of good moral character made by two disinterested parties (T3 Form No. 2b s. 2020)
  • Photocopies of certificates, documents, and other proof that applicant has at least twenty-five (25) hours of attended trainings, seminars, or orientations relative to data privacy and the Data Privacy Act of 2012, whether conducted by the NPC or external providers
  • Original training curriculum with course description, objectives and syllabi patterned after existing DPO ACE Level 1 Training and Certification Program, or NPC’s five (5) Pillars of Compliance which may be reviewed by the NPC. It must contain essential provisions of the Data Privacy Act, its IRR, and NPC issuances (circulars, advisories, bulletins, et al.)
  • Original Proposed Calendar of Training Programs and Activities for DPO ACE Level 1 Program
  • Original Proposed schedule of training fees and list of training partners and/or institutions
  • Proof of Technical Capability to train including facilities, relevant subscriptions, software, and other support mechanisms.
IPT
  • One (1) original, fully accomplished IPT Application Form (T3 Form No. 1b S. 2020)
  • One (1) original, notarized IPT Deed of Undertaking (T3 Form No. 3b S. 2020)
  • Photocopies of Business Registration Documents
  • Photocopies of documents proving training experience
  • Original, notarized Secretary's Certificate on no pending cases with the agencies mentioned in Section 2
  • Photocopies of certificates, documents, and other proof that trainers, educators, and mentors assigned by the IPT have at least twenty-five (25) hours of attended trainings, seminars, or orientations relative to data privacy and the Data Privacy Act of 2012, whether conducted by the NPC or external providers
  • Original training curriculum with course description, objectives and syllabi patterned after existing DPO ACE Level 1 Training and Certification Program, or NPC’s five (5) Pillars of Compliance which may be reviewed by the NPC. It must contain essential provisions of the Data Privacy Act, its IRR, and NPC issuances (circulars, advisories, bulletins, et al.)
  • Proposed Calendar of Training Programs and Activities for DPO ACE Level 1 Program
  • Original Proposed schedule of training fees and list of training partners and/or institutions
  • Company profile, list of clients, and list of Speakers, mentors, educators
  • Proof of Technical Capability to train including facilities, relevant subscriptions, software, and other support mechanisms.

Q: What is the existing DPO ACE Curriculum?

A: Applicants must submit a training curriculum with course description, objectives and syllabi patterned after NPC’s DPO ACE Level 1 Certification as follows:

DPO ACE Course Outline
Module 1: Introduction to Data Privacy Act

Aspects of Informational Privacy
Definition
Policy, Scope, Mandate and Functions
Key Terms
Data Privacy Principles
Security Measures (Organizational, Technical, Physical)
Rights of the Data Subject
Consequences of Complaints Filed

Module 2: Data Privacy Principles

Transparency; Right to Information
Privacy Notice
Role of DPO in Transparency
Right to Access
Principle of Legitimate Purpose
Consent
Legitimate Purpose in Processing including SPI
Compliance Framework
Data Subject’s Rights
Principle of Proportionality

Module 3: Appointing a Data Protection Officer

Legal Basis
General Qualifications
COP
Instances where a PIC or PIP is allowed to designate a COP
Position of a DPO or a COP in the Organization
Conflict of Interest
Confidentiality
Subcontracting
Independence and Autonomy
Duties and Responsibilities
Supporting the DPO

Module 4: Privacy Impact Assessment

Definition and Scope
Objectives of Conducting a PIA
When is PIA Necessary?
Is PIA Required?
Benefits of PIA
Components of PIA
Stakeholder Involvement in PIA
Records of Processing Activities
PIA and Privacy By Design
PIA Provides an Initial Step Towards Accountability
Data Life Cycle
Determination of Security Measures
Identifying and Rating Privacy Risks
Privacy Risk Mapping
Approaches to Risk Management
Duty of DPO in Relation to PIA
PIA Process

Module 5: Privacy Management Program

Five Pillars of NPC
The Data Privacy Accountability and Compliance Framework
Compliance with the DPA
What is PMP?
PMP Objectives
Importance of a PMP
PMP Guide
Key Components
WHAT DOES A PMP LOOK LIKE?
Governance, DPO, Records of Processing Activities, Risk Assessment, Registration, Policies and Procedures, Data Security, Capacity Building, Breach Management, Notification, Third Party Management, Communication, Understanding of Privacy Ecosystem, Oversight and Review Plan, Assess and Revise Program Controls
Supporting Documents of a PMP

Module 6: Security Measures and Handling Third Party Risks

Security Measures
Organizational Security Measures: Examples, Compliance Officers, Data Protection Policies, Records of Processing Activities, Management of Human Resources, Processing of Personal Data, and Contracts with PIPs
Physical Security Measures
Technical Security Measures
Examples involving Consent and DSA (NPC Circ 16-02)
Managing Third Party Risks
General Principles for Data Sharing
When Consent of Data Subject is Required
Contents of a DSA
When is a DSA Considered Terminated
Outsourcing/Subcontracting
Outsourcing Agreement

Module 7: Breach Management

Definition of Terms
Personal Data Breach Management Guidelines
Security Incident Management Policy
Data Breach Response Team
Implementation of Security Measures and Privacy Policies
Mandatory Notification/Requirements
Contents of the Notice
Full Report
Concealment or Failure to Disclose
Annual Security Incident Report
How to File an Annual Report

Annex

NPC Circular 18-01
NPC Circular 18-02

Q: Can we add data privacy topics other than those provided by NPC?

A: Yes, trainers may add topics to their training module in addition to the DPO ACE Level 1 curriculum provided the main topics in DPO ACE level 1 are reflected in the submitted training modules. The NPC will also review the additions to determine whether these are aligned with NPC standards.

Q: What do I need to prepare and submit to NPC?

A: As part of NPC’s function to continuously assess your performance, you are required to:

  • Submit a quarterly report within 30 days into the new quarter. The report should contain, among others, the following details:
    1. Name of Training Provider
    2. Accreditation Number
    3. Date(s) and Venue(s)
    4. Attendance sheets
    5. Group photo(s)
    6. Speakers, Mentors, Educators who conducted the training
  • Prepare a summary report of the speaker’s evaluation of each training session which should be made available to NPC upon request.

Q: Can we transfer authority of provisional accreditation to other persons/entities?

A: No. Provisional accreditation awarded by the NPC is exclusive to the accreditee. It may not be transferred or assigned and you should not allow other individuals, entities, or organizations to benefit from the accreditation afforded by NPC.

Q: How long is my accreditation valid?

A: The recognition is valid for a period of one (1) calendar year counted from the date of accreditation.

Q: Do we need to file for renewal? When?

A: Yes. Renewal should be within 60 business days before expiration of the current provisional accreditation. If you do not renew, your accreditation will automatically expire.

Q: Is the T3 Program meant to prohibit or exclude other Training Providers from holding their respective Data Privacy Trainings?

A: No. We, at NPC, acknowledge capacity-building as a powerful approach to create the critical mass of data privacy professionals and advocates who, in turn, will promote the culture of privacy nationwide. The recognition accorded by the NPC through the T3 Program encourages harmony of all training providers with the DPO ACE and is not intended to create exclusivity.

Q: Is the T3 Program meant to replace the NPC DPO ACE Program?

A: No. The T3 Program is a complementary and adjunct program to the NPC DPO ACE Program. The training that will be conducted by trainers recognized under the T3 Program will conform with existing curricula provided by the NPC DPO ACE Level 1. The T3 Program will also be opened to trainers of DPO ACE Levels 2 and 3 in the near future. This ensures that trainings conducted by the accredited trainers are aligned with NPC standards. Moreover, the NPC DPO ACE will regularly train the accredited trainers to ensure that they are kept updated on emerging privacy concepts, trends, and developments.

Q: Will NPC still conduct free PHIL-DPO ACE Level 1 Trainings in view of the T3 Program?

A: The NPC will continue to conduct DPO ACE Level 1 Trainings for the government sector. This is in line with NPC’s enhanced drive to increase government compliance, competitiveness, and privacy culture as the government moves towards the digitization of public services.

Q: I want to learn more.

A: If you want to learn more about the T3 Program and its specific provisions, you may download the T3 Procedural Guidelines in this link: T3 Procedural Guidelines.