In 2018, the National Privacy Commission launched its Data Protection Officer Accountability, Compliance and Ethics Program aiming to establish a skills benchmark for DPOs to address the high demand for adequate capacity-building mechanisms for aspiring privacy professionals in the Philippines.
With the initial success of the DPO Level 1 Certification, the PHIL-DPO Program now seeks to expand the scope and breadth of the DPO ACE by accrediting qualified trainers who are able to educate the public on key concepts involving the Data Privacy Act of 2012, its Implementing Rules and Regulations, and other issuances of the NPC.
Interested applicants may signify their intent to apply for accreditation by emailing a letter of intent (LOI) to PHIL DPO at [email protected] with a brief description of your company, your training services, your training experience, and why you are applying for accreditation.
We need to gather documents to determine your qualification. The specific documents can be found in the FAQs portion and the T3 Procedural Guidelines. Upon request, please submit the digital copies of the files to PHIL DPO at [email protected].
We will begin evaluating your application upon submission of the complete documents. We may reach out to you to gather more information when circumstances require.
We will release a Certificate of Accreditation after we find you suitable and qualified. A digital copy of the certificate will be provided to you via email.
Once the accreditation is granted, it must also be maintained. Remember that you have undertakings and obligations as an accredited institution, and you must comply with them in good faith.
For more information you may refer to your procedural guidelines or FAQs below.
1. A letter should be emailed to [email protected], signifying intent (Letter of Intent, LOI) and containing:
a. Name of an APT/IPT,
b. Rationale of application relating to data privacy, and
c. A short background on data privacy trainings conducted
LOI could be a formal letter in either MS Word or PDF format.
LOI could also be a brisk email correspondence.
2. Attend an initial T3 briefing for a backgrounder on the program and to better understand requisites and deliverables to NPC.
3. Within 15 business days from the submission of the Letter of Intent, the applicant must submit all necessary documentary requirements, notarized where applicable, and updated, especially for government-issued permits and licenses. Soft copies are acceptable, but must be followed in due course by the hard copies.
4. Preliminary Evaluation will take place, after which any deficiencies must be addressed by submitting the missing documents. Those with complete documents will pass preliminary evaluation.
5. Auditing of documents will entail a more in-depth, yet face-value only scrutiny of documents as to truthfulness of information provided — without going into a formal investigation.
6. Upon agreement of the auditing body, a candidate with complete and acceptable documents will be endorsed to Privacy Commissioner Raymund Enriquez Liboro for final approval together with the Deputy Privacy Commissioners and NPC management.
7. A batch of new candidates awarded provisional accreditation will be published on the official NPC website.
8. A congratulatory briefing will apprise the new batch of T3 entities of the next steps as to reporting, partnerships, monitoring, and standardization of instruction methods and deliverables.
9. Sit-in audits by PHIL DPO and other NPC team members will monitor progress and identify areas for improvement and cooperation.
10. A good track record with PHIL DPO-NPC merits renewal of provisional accreditation for another year.
Q: What are the documentary requirements?
A: The main documentary requirements are:
1. Business Registration
Registration as trainer with the Department of Trade and Industry (DTI), Bureau of Internal Revenue or Philippine Regulations Commission.
Updated Business Permit
DTI or Securities and Exchange Commission (SEC) Certificate of Registration
Articles of Incorporation or Partnership mentioning training services
Other documents showing conduct of training services
* For government entities, including GOCCs and State Universities and Colleges (SUCs), the Charter shall be in lieu of the foregoing
2. Proof of Training Experience
At least one (1) year experience as Trainer, Instructor or Teacher
Calendar of Activities as Trainer or Instructor
Proof of operations as training provider for at least one (1) year
Calendar of Annual Course Offerings or Programs
3. Good moral standing for APTs, and good legal standing for IPTs
No pending criminal, civil or administrative case(s) before:
Department of Labor and Employment
4. Technical knowledge on Data Privacy
At least twenty-five (25) hours of attended trainings, seminars, orientations, or professional experience in the field of Data Privacy whether conducted by the NPC or external providers
*Preference is given to trainings conducted by the NPC
Trainers, mentors, and educators of the APT must have at least twenty-five (25) hours of attended trainings, seminars, orientations, or professional experience in the field of Data Privacy whether conducted by the NPC or external providers
*Preference is given to trainings conducted by the NPC
Q: What lessons should be included in the draft curriculum?
A: Both APTs and IPTs must submit a training curriculum with course description, objectives and syllabi patterned after NPC’s Five Pillars of Compliance, as found within existing DPO ACE training materials.
Q: Can NPC give us a template for the Five Pillars?
A: The template for the lessons, also in the DPO ACE Review Notes, is included below:
Aspects of Informational Privacy
Policy, Scope, Mandate and Functions
Data Privacy Principles
Security Measures (Organizational, Technical, Physical)
Rights of the Data Subject
Consequences of Complaints Filed
Transparency; Right to Information
Role of DPO in Transparency
Right to Access
Principle of Legitimate Purpose
Legitimate Purpose in Processing including SPI
Data Subject’s Rights
Principle of Proportionality
Instances where a PIC or PIP is allowed to designate a COP
Position of a DPO or a COP in the Organization
Conflict of Interest
Independence and Autonomy
Duties and Responsibilities
Supporting the DPO
Definition and Scope
Objectives of Conducting a PIA
When is PIA Necessary?
Is PIA Required?
Benefits of PIA
Components of PIA
Stakeholder Involvement in PIA
Records of Processing Activities
PIA and Privacy By Design
PIA Provides an Initial Step Towards Accountability
Data Life Cycle
Determination of Security Measures
Identifying and Rating Privacy Risks
Privacy Risk Mapping
Approaches to Risk Management
Duty of DPO in Relation to PIA
Five Pillars of NPC
The Data Privacy Accountability and Compliance
Compliance with the DPA
What is PMP?
Importance of a PMP
What Does a PMP Look Like?
Governance, DPO, Records of Processing Activities, Risk Assessment, Registration, Policies and Procedures, Data Security, Capacity Building, Breach Management, Notification, Third Party Management, Communication, Understanding of Privacy Ecosystem, Oversight and Review Plan, Assess and Revise Program Controls
Supporting Documents of a PMP
Organizational Security Measures: Examples, Compliance Officers, Data Protection Policies, Records of Processing Activities, Management of Human Resources, Processing of Personal Data, and Contracts with PIPs
Physical Security Measures
Technical Security Measures
Examples involving Consent and DSA (NPC Circ 16-02)
Managing Third Party Risks
General Principles for Data Sharing
When Consent of Data Subject is Required
Contents of a DSA
When is a DSA Considered Terminated
Definition of Terms
Personal Data Breach Management Guidelines
Security Incident Management Policy
Data Breach Response Team
Implementation of Security Measures and Privacy Policies
Contents of the Notice
Concealment or Failure to Disclose
Annual Security Incident Report
How to File an Annual Report
NPC Circular 18-01
NPC Circular 18-02
Q: What other lessons can we add aside from those already in the DPO ACE training materials to pique the interest of trainees?
A: Curriculum must contain essential provisions of the Data Privacy Act, its IRRs, and updates on current NPC issuances.
Q: Can we add more creative data privacy learning material?
A: Yes, provided that PHIL DPO has been able to review and approve such lessons.
Step 1: Documents Evaluation
The first stage of the audit process shall revolve around checking the completeness, veracity, and authenticity of documents submitted.
Step 2: Academic Evaluation
This next evaluation process shall revolve around the adequacy, conformity, and competitiveness of the curriculum submitted compared to the DPO ACE Level 1 module.
Step 3: Profile Evaluation
At this step, the Committee shall evaluate the capability, good standing, and technical qualifications of the applicants based on the documents submitted, publicly available information, personal knowledge, and further findings of the Audit Committee in the two previous steps.
Finally, the Committee, on its own initiative, may check the profile of the APT / IPT to further verify their suitability as an accredited trainer by conducting the following activities:
1. Phone calls to the APT / IPT applicants
2. Schedule online meetings and interviews
Should the Committee find no deficiencies in the application, it shall prepare a Resolution indicating that the applicant has satisfactorily complied with all the requirements of the NPC, and that said applicant is recommended to be granted the provisional accreditation.
IV. The Obligations and Undertakings of the Accredited APT/IPT
Q: After PHIL DPO grants provisional accreditation, what do we do next?
A: The obligations and responsibilities of an accredited APT/IPT are:
The report should contain, among others, the following details:
Name of Training Provider
Date(s) and Venue(s)
Speakers, Mentors, Educators who conducted the training
Submit a summary report of the speaker’s evaluation of each training session.
They must allow NPC personnel access, audience, or entry during training sessions for observation and proper monitoring.
Educate, train or instruct at least three hundred (300) individuals within the one-year duration of the provisional accreditation.
Ensure at least eighty percent (80%) passing rate of trainees who will undergo the DPO ACE Certification Exam.
Undergo trainings, seminars and other capacity-building activities that NPC may require for Trainers.
Attend a roundtable discussion held by NPC to receive updates on privacy law amendments, issuances and initiatives.
Submit to NPC trainee-accomplished feedback forms.
Pass a program review held by NPC or a relevant regulator.
NPC shall add requirements as the need arises. Always stay posted for announcements on the NPC website.
V. The Limitations
Q: Can we transfer authority of provisional accreditation to other persons/entities?
A: No. Provisional accreditation awarded by PHIL DPO-NPC is exclusive to a particular APT/IPT and cannot be leased, rented out to, or borrowed by another entity or person, for whatever reason.
Q: Can we change speakers/resource persons if they cannot make it to a conference/training session?
A: Last-minute substitution of speakers and resource persons is prohibited.
Q: What if said resource person has a valid emergency?
A: A letter of approval from PHIL DPO-NPC must first be acquired.
Q: Can an accredited organization collaborate with another accredited organization?
A: An organization (Institutional Privacy Trainer; IPT) awarded provisional accreditation may not partner with another accredited organization (IPT).
Q: What if we have a lot of trainees who signed up and we need help in teaching them?
A: You can still ask for help from other T3-accredited individuals. An organization (IPT) awarded provisional accreditation is allowed to partner with an individual (Accredited Privacy Trainer; APT) granted provisional accreditation.
VI. Period of Validity
Q: How long will we be able to use our provisional accreditation?
A: Provisional accreditation is valid for one year, granted acceptability within audit standards.
Q: Do we need to file for renewal? When?
A: Yes. Renewal should be within 60 business days before expiration of the current provisional accreditation.