About the T3 Program

In 2018, the National Privacy Commission launched its Data Protection Officer Accountability, Compliance and Ethics Program aiming to establish a skills benchmark for DPOs to address the high demand for adequate capacity-building mechanisms for aspiring privacy professionals in the Philippines.

The Purpose Behind the T3

With the initial success of the DPO Level 1 Certification, the PHIL-DPO Program now seeks to expand the scope and breadth of the DPO ACE by accrediting qualified trainers who are able to educate the public on key concepts involving the Data Privacy Act of 2012, its Implementing Rules and Regulations, and other issuances of the NPC.

1. Letter of Intent

Interested applicants may signify their intent to apply for accreditation by emailing a letter of intent (LOI) to PHIL DPO at [email protected] with a brief description of your company, your training services, your training experience, and why you are applying for accreditation.

2. Submit Documents

We need to gather documents to determine your qualification. The specific documents can be found in the FAQs portion and the T3 Procedural Guidelines. Upon request, please submit the digital copies of the files to PHIL DPO at [email protected].

3. Evaluation

We will begin evaluating your application upon submission of the complete documents. We may reach out to you to gather more information when circumstances require.

4. Approval of Accreditation

We will release a Certificate of Accreditation after we find you suitable and qualified. A digital copy of the certificate will be provided to you via email.

5. Maintenance of Accreditation

Once the accreditation is granted, it must also be maintained. Remember that you have undertakings and obligations as an accredited institution, and you must comply with them in good faith.

For more information you may refer to your procedural guidelines or FAQs below.

A. What are the steps for accreditation?

1. A letter should be emailed to [email protected], signifying intent (Letter of Intent, LOI) and containing:
a. Name of an APT/IPT,
b. Rationale of application relating to data privacy, and
c. A short background on data privacy trainings conducted

  • LOI could be a formal letter in either MS Word or PDF format.

  • LOI could also be a brisk email correspondence.

2. Attend an initial T3 briefing for a backgrounder on the program and to better understand requisites and deliverables to NPC.
3. Within 15 business days from the submission of the Letter of Intent, applicants must submit all necessary documentary requirements, notarized where applicable, and updated, especially for government-issued permits and licenses. Soft copies are acceptable, but must be followed in due course by the hard copies.
4. Preliminary Evaluation will take place, after which any deficiencies must be addressed by submitting the missing documents. Those with complete documents will pass preliminary evaluation.
5. Auditing of documents will entail a more in-depth, yet face-value only scrutiny of documents as to truthfulness of information provided — without going into a formal investigation.
6. Upon agreement of the auditing body, a candidate with complete and acceptable documents will be endorsed to Privacy Commissioner Raymund Enriquez Liboro for final approval together with the Deputy Privacy Commissioners and NPC management.
7. A batch of new candidates awarded provisional accreditation will be published on the official NPC website.
8. A congratulatory briefing will apprise the new batch of T3 entities of the next steps as to reporting, partnerships, monitoring, and standardization of instruction methods and deliverables.
9. Sit-in audits by PHIL DPO and other NPC team members will monitor progress and identify areas for improvement and cooperation.
10. A good track record with PHIL DPO-NPC merits renewal of provisional accreditation for another year.

B. Documentary Requirements

Q: What are the documentary requirements?
A: The main documentary requirements are:
1. Business Registration

APT
  • Registration as trainer with the Department of Trade and Industry (DTI), Bureau of Internal Revenue or Philippine Regulations Commission.

IPT
  • Updated Business Permit

  • DTI or Securities and Exchange Commission (SEC) Certificate of Registration

  • Articles of Incorporation or Partnership mentioning training services

  • Other documents showing conduct of training services

* For government entities, including GOCCs and State Universities and Colleges (SUCs), the Charter shall be in lieu of the foregoing

2. Proof of Training Experience

APT
  • At least one (1) year experience as Trainer, Instructor or Teacher

  • Calendar of Activities as Trainer or Instructor

IPT
  • Proof of operations as training provider for at least one (1) year

  • Calendar of Annual Course Offerings or Programs

3. Good moral standing for APTs, and good legal standing for IPTs

APT
  • No pending criminal, civil or administrative case(s) before:

    • NPC

    • DTI

    • BIR

    • Courts/quasi-judicial agencies

IPT
  • No pending criminal, civil or administrative case(s) before:

    • SEC

    • BIR

    • Department of Labor and Employment

    • Courts/quasi-judicial agencies

4. Technical knowledge on Data Privacy

APT
  • At least twenty-five (25) hours of attended trainings, seminars, orientations, or professional experience in the field of Data Privacy whether conducted by the NPC or external providers

*Preference is given to trainings conducted by the NPC

IPT
  • Trainers, mentors, and educators of the APT must have at least twenty-five (25) hours of attended trainings, seminars, orientations, or professional experience in the field of Data Privacy whether conducted by the NPC or external providers

*Preference is given to trainings conducted by the NPC

C. The Curriculum

Q: What lessons should be included in the draft curriculum?
A: Both APTs and IPTs must submit a training curriculum with course description, objectives and syllabi patterned after NPC’s Five Pillars of Compliance, as found within existing DPO ACE training materials.

Q: Can NPC give us a template for the Five Pillars?
A: The template for the lessons, also in the DPO ACE Review Notes, is included below:

DPO ACE Course Outline
Module 1: Introduction to Data Privacy Act

Aspects of Informational Privacy
Definition
Policy, Scope, Mandate and Functions
Key Terms
Data Privacy Principles
Security Measures (Organizational, Technical, Physical)
Rights of the Data Subject
Consequences of Complaints Filed

Module 2: Data Privacy Principles

Transparency; Right to Information
Privacy Notice
Role of DPO in Transparency
Right to Access
Principle of Legitimate Purpose
Consent
Legitimate Purpose in Processing including SPI
Compliance Framework
Data Subject’s Rights
Principle of Proportionality

Module 3: Appointing a Data Protection Officer

Legal Basis
General Qualifications
COP
Instances where a PIC or PIP is allowed to designate a COP
Position of a DPO or a COP in the Organization
Conflict of Interest
Confidentiality
Subcontracting
Independence and Autonomy
Duties and Responsibilities
Supporting the DPO

Module 4: Privacy Impact Assessment

Definition and Scope
Objectives of Conducting a PIA
When is PIA Necessary?
Is PIA Required?
Benefits of PIA
Components of PIA
Stakeholder Involvement in PIA
Records of Processing Activities
PIA and Privacy By Design
PIA Provides an Initial Step Towards Accountability
Data Life Cycle
Determination of Security Measures
Identifying and Rating Privacy Risks
Privacy Risk Mapping
Approaches to Risk Management
Duty of DPO in Relation to PIA
PIA Process

Module 5: Privacy Management Program

Five Pillars of NPC
The Data Privacy Accountability and Compliance Framework
Compliance with the DPA
What is PMP?
PMP Objectives
Importance of a PMP
PMP Guide
Key Components
WHAT DOES A PMP LOOK LIKE?
Governance, DPO, Records of Processing Activities, Risk Assessment, Registration, Policies and Procedures, Data Security, Capacity Building, Breach Management, Notification, Third Party Management, Communication, Understanding of Privacy Ecosystem, Oversight and Review Plan, Assess and Revise Program Controls
Supporting Documents of a PMP

Module 6: Security Measures and Handling Third Party Risks

Security Measures
Organizational Security Measures: Examples, Compliance Officers, Data Protection Policies, Records of Processing Activities, Management of Human Resources, Processing of Personal Data, and Contracts with PIPs
Physical Security Measures
Technical Security Measures
Examples involving Consent and DSA (NPC Circ 16-02)
Managing Third Party Risks
General Principles for Data Sharing
When Consent of Data Subject is Required
Contents of a DSA
When is a DSA Considered Terminated
Outsourcing/Subcontracting
Outsourcing Agreement

Module 7: Breach Management

Definition of Terms
Personal Data Breach Management Guidelines
Security Incident Management Policy
Data Breach Response Team
Implementation of Security Measures and Privacy Policies
Mandatory Notification/Requirements
Contents of the Notice
Full Report
Concealment or Failure to Disclose
Annual Security Incident Report
How to File an Annual Report

Annex

NPC Circular 18-01
NPC Circular 18-02

Q: What other lessons can we add aside from those already in the DPO ACE training materials to pique the interest of trainees?
A: Curriculum must contain essential provisions of the Data Privacy Act, its IRRs, and updates on current NPC issuances.

Q: Can we add more creative data privacy learning material?
A: Yes, provided that PHIL DPO was able to review and approve such lessons.

D. How do we Audit?

Step 1: Documents Evaluation

The first stage of the audit process shall revolve around checking the completeness, veracity, and authenticity of documents submitted.

Step 2: Academic Evaluation

This next evaluation process shall revolve around the adequacy, conformity, and competitiveness of the curriculum submitted compared to the DPO ACE Level 1 module.

Step 3: Profile Evaluation

At this step, the Committee shall evaluate the capability, good standing, and technical qualifications of the applicants based on the documents submitted, publicly available information, personal knowledge, and further findings of the Audit Committee in the two previous steps.
Finally, the Committee, on its own initiative, may check the profile of the APT / IPT to further verify their suitability as an accredited trainer by conducting the following activities:

1. Phone calls to the APT / IPT applicants
2. Schedule online meetings and interviews

Should the Committee find no deficiencies in the application, it shall prepare a Resolution indicating that the applicant has satisfactorily complied with all the requirements of the NPC, and that said applicant is recommended to be granted the provisional accreditation.

IV. The Obligations and Undertakings of the Accredited APT/IPT

Q: After PHIL DPO grants provisional accreditation, what do we do next?
A: The obligations and responsibilities of an accredited APT/IPT are:

  • Submit a quarterly report within 30 days into the new quarter.
    1. The report should contain, among others, the following details:

      1. Name of Training Provider

      2. Accreditation Number

      3. Date(s) and Venue(s)

      4. Attendance sheets

      5. Group photo(s)

      6. Speakers, Mentors, Educators who conducted the training

  • Submit a summary report of the speaker’s evaluation of each training session.

  • They must allow NPC personnel access, audience, or entry during training sessions for observation and proper monitoring.

  • Educate, train or instruct at least three hundred (300) individuals within the one-year duration of the provisional accreditation.

  • Ensure at least eighty percent (80%) passing rate of trainees who will undergo the DPO ACE Certification Exam.

  • Undergo trainings, seminars and other capacity-building activities that NPC may require for Trainers.

  • Attend a roundtable discussion held by NPC to receive updates on privacy law amendments, issuances and initiatives.

  • Submit to NPC trainee-accomplished feedback forms.

  • Pass a program review held by NPC or a relevant regulator.

  • NPC shall add requirements as the need arises. Stay posted for announcements on the NPC website.


V. The Limitations

Q: Can we transfer authority of provisional accreditation to other persons/entities?
A: No. Provisional accreditation awarded by PHIL DPO-NPC is exclusive to a particular APT/IPT and cannot be leased, rented out to, or borrowed by another entity or person, for whatever reason.

Q: Can we change speakers/resource persons if they cannot make it to a conference/training session?
A: Last-minute substitution of speakers and resource persons is prohibited.

Q: What if said resource person has a valid emergency?
A: A letter of approval from PHIL DPO-NPC must first be acquired.

Q: Can an accredited organization collaborate with another accredited organization?
A: An organization (Institutional Privacy Trainer; IPT) awarded provisional accreditation may not partner with another accredited organization (IPT).

Q: What if we have a lot of trainees who signed up and we need help in teaching them?
A: You can still ask for help from other T3-accredited individuals. An organization (IPT) awarded provisional accreditation is allowed to partner with an individual (Accredited Privacy Trainer; APT) granted provisional accreditation.

VI. Period of Validity

Q: How long will we be able to use our provisional accreditation?
A: Provisional accreditation is valid for one year, granted acceptability within audit standards.

Q: Do we need to file for renewal? When?
A: Yes. Renewal should be filed within 60 business days before expiration of the current provisional accreditation.