I. Definition of Terms

  1. "Act" refers to Republic Act No. 10173, also known as the Data Privacy Act of 2012;
  2. "BITSI" refers to Bicol Isarog Transport System, Inc.;
  3. “Commission” refers to the National Privacy Commission;
  4. “Data Processing System” refers to the structure and procedure by which personal data is collected and further processed in BITSI’s information and communications system or relevant filing system, including the purpose and intended output of the processing;
  5. “Digital Ocean” refers to Digital Ocean, Inc., a cloud server operator based in New York, United States of America;
  6. “Employee” refers to those who are defined as such under the relevant Philippine labor laws;
  7. “HR Department” refers to BITSI’s Human Resources Department;
  8. “IRR” refers to the Implementing Rules and Regulations of the Act;
  9. “J6W” refers to J6W, Inc., a corporation duly organized and existing under the laws of the Republic of the Philippines, and BITSI’s technology solutions provider;
  10. “Manual” refers to this Customer Privacy Manual;
  11. “Personal Data” refers to all types of personal information;
  12. “Personal Data Breach” refers to a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed;
  13. “Personal Information” refers to any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual;
  14. “Processing” refers to any operation or any set of operations performed upon personal data including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data;
  15. “Public Authority” refers to any government entity created by the Constitution or law, and vested with law enforcement or regulatory authority and functions;
  16. “Rank and File Employee” refers to those who are defined as such under the relevant Philippine labor laws;
  17. “Security Incident” is an event or occurrence that affects or tends to affect data protection, or may compromise the availability, integrity and confidentiality of personal data, including incidents that would result to a personal data breach, if not for safeguards that have been put in place; and
  18. “Sensitive Personal Information” refers to personal information:
    1. About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;
    2. About an individual’s health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such individual, the disposal of such proceedings, or the sentence of any court in such proceedings;
    3. Issued by government agencies peculiar to an individual which includes, but is not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns; and
    4. Specifically established by an executive order or an act of Congress to be kept classified.
  19. “Website” refers to https://bicolisarog.com.

II. Introduction

BITSI is a corporation duly registered under the laws of the Republic of the Philippines, primarily for the purpose of operating bus transportation services. BITSI’s customers are allowed to book transportation through the Website, after providing Personal Data.

This Manual was created in order to give you, our dear customers, an idea of: [a] why BITSI collects information from you, [b] how the information you provide is processed, [c] who is allowed to access the information you provide, [d] how the information you provide is protected, and [e] how you can correct wrong information, and obtain remedies for grievances.

Rest assured that BITSI respects and values your data privacy rights, and makes sure that all personal data collected from you are processed in adherence to the general principles of transparency, legitimate purpose, and proportionality.

Thus, BITSI promulgates this Customer Privacy Manual, in compliance with the Act, the IRR, and the other issuances of the Commission.

III. Scope and Limitations

This Manual covers only BITSI customers who book transportation services through the Website, and BITSI employees who handle Personal Data that these customers provide.

All customers and employees are expected to read, observe, and abide by the policies and rules set out in this Manual, the Act, the IRR, and other issuances of the Commission.

Queries may be directed to relevant BITSI officers, in accordance with the procedure provided further below.

IV. General Customer and Employee Responsibility

A. Customer Responsibility

By using the Website, and by providing Personal Data therein, the customer is expected to have read BITSI’s Privacy Policy, and to have granted consent to the Processing of Personal Data, by clicking the “I Agree” button. It is the customer’s responsibility to carefully read this Manual, and the Privacy Policy, before giving consent. If the customer does not agree, then he or she must stop the registration process immediately.

B. Employee Responsibility

All BITSI employees are expected to respect and protect customers’ Personal Data. Customers’ Personal Data, which an employee may come to have knowledge of during the ordinary course of his or her employment with BITSI, shall be used only for the purposes in Part V(C) below, and shall not be disclosed to any person, other than those who are expected to receive them in the ordinary course of the performance of their duties.

Employees are required to exercise their best discretion in the Processing of Personal Data, with due regard to their responsibilities, as laid out in this manual, and as indicated in the Act, the IRR, and other issuances of the Commission.

Personal Data shall not be disclosed even after resignation, termination of contract, or other contractual relations, unless consented to by the customer who owns the Personal Data.

Penalties for violations of this Manual shall be governed by BITSI’s Employee Code of Conduct.

This Manual may be revised by BITSI, as the exigencies of its business require. Customers and employees will be duly informed of such changes, through appropriate notices.

V. Processing of Personal Data

A. General Policies

In the processing of customers’ Personal Data, BITSI strictly adheres to the principles of transparency, legitimate purpose, and proportionality.

  1. Transparency

    The customer must be aware of the nature, purpose, and extent of the processing of his or her personal data, including the risks and safeguards involved, the identity of BITSI as the personal information controller, his or her rights as a data subject, and how these can be exercised. Any information and communication relating to the processing of personal data should be easy to access and understand, using clear and plain language.

  2. Legitimate purpose

    The processing of information shall be compatible with a declared and specified purpose which must not be contrary to law, morals, or public policy.

  3. Proportionality

    The processing of information shall be adequate, relevant, suitable, necessary, and not excessive in relation to a declared and specified purpose. Personal data shall be processed only if the purpose of the processing could not reasonably be fulfilled by other means.

B. Data Collection

Before booking bus transportation services, customers are expected to fill-up an online registration form. Through this form, an employee may be requested to provide the following pieces of information, among others:

  • First Name;
  • Last Name;
  • Address;
  • E-mail Address;
  • Birthday; and
  • Contact Number

In the future, registration may also be done by providing BITSI access to the customers’ personal information in their Facebook page.

Before data collection, a customer is requested, if he or she so agrees, to give consent to the Processing of Personal Data by BITSI, through the “I Agree” button in the Website, subject to the duties and responsibilities found in Part IV of this Manual.

By booking transportation services, a customer also provides information such as travel dates, travel origins, and travel destinations.

C. Data Use

The Personal Data collected from customers will be used for the following purposes:

  1. Marketing and research
  2. Information dissemination;
  3. Insurance claims;
  4. Travel protection and safety; and
  5. Identity verification

BITSI may need to disclose employees’ Personal Data to related entities, contracting parties, partners and other organizations, for purposes related to those above enumerated. These may include:

  1. Health and safety purposes (such as to medical providers, employee assistance providers, insurers, investigators or regulators);
  2. Third parties who provide services to BITSI, so that such organizations and contractors can assist BITSI with the purposes for which BITSI uses your information, including marketing service providers, online service providers such as J6W and Digital Ocean, data processing, data analysis, document management, research, investigation, insurance, surveillance, and information-vetting;
  3. Public service departments and other bodies where BITSI is required by law;
  4. A customer’s authorized representatives; and
  5. Law enforcement and national security agencies, and other Public Authorities, as required or authorized by law.

D. Storage

BITSI takes steps to ensure that personal data under its custody are protected against any accidental or unlawful destruction, alteration and disclosure as well as against any other unlawful processing.

Official customer information is stored in cloud servers operated and maintained by Digital Ocean, physically located in Singapore and the United States. The security features of the servers are more particularly explained in Part VI of this Manual.

E. Reproduction and Transfer

Personal Data transmitted to BITSI shall not be reproduced, unless done for the official purposes mentioned in Part C above. As far as practicable, reproduced customer information shall be anonymized, in those instances where anonymization will not defeat the specific purpose for Processing. In case copies are made, whether physical or digital, these copies shall be subject to the same standards of confidentiality, protection, and privacy, as the original. All privacy protection measures in this Manual also apply to the copies.

Information stored in Digital Ocean’s servers is backed up regularly.

BITSI personnel who handle customer information are expected to abide by the rules and regulations set out in this Manual, and those provided in the Act, the IRR, and other issuances of the NPC.

F. Retention and Disposal

Information shall be retained for such periods as may be necessary to accomplish the purposes mentioned in Part C above. After the purpose has been satisfied, digital copies shall be deleted, and physical copies shall be shredded. The same principles shall apply to copies.

G. Access

Due to the sensitive and confidential nature of the Personal Data under the custody of the company, only the following have access to a customer’s Personal Data:

  1. The customer;
  2. BITSI’s authorized representatives, which may include its President, Assistant Vice Presidents, members of the Board of Directors, Sales Development Head, Sales Operations Specialist, and DPO, among others;
  3. J6W and its authorized representatives; and
  4. Digital Ocean and its authorized representatives

Processing and access shall be done for the purposes mentioned in item C above.

H. Disclosure and Sharing

All employees and personnel of BITSI shall maintain the confidentiality and secrecy of all personal data that come to their knowledge and possession, even after resignation, termination of contract, or other contractual relations. Personal Data under the custody of the company shall be disclosed only pursuant to a lawful purpose, and to authorized recipients of such data. Part IV of this Manual remains in full effect.

VI. Security Measures

A. Organizational Security Measures
  1. Data Protection Officer

    The designated Data Protection Officer is Mr. Reynaldo L. Sumat.

  2. Duties and Functions

    The Data Protection Officer’s duties and functions are as follows:

    1. Monitor BITSI’s compliance with the Act and its IRR, issuances by the Commission, and other applicable laws and policies, and for this purpose, (i) collect information to identify the processing operations, activities, measures, projects, programs, or systems of BITSI, and maintain a record thereof, (ii) analyze and check compliance with processing activities, including the issuance of security clearances to and compliance by third-party service providers, (iii) inform, advise, and issue recommendations to BITSI, (iv) ascertain renewal of accreditations or certifications necessary to maintain the required standards in personal data processing, and (v) advise BITSI as regards the necessity of executing Data Sharing Agreements or outsourcing agreements with third parties, and ensure their compliance with the law;
    2. Conduct, or cause and monitor the conduct, of Privacy Impact Assessments relative to activities, measures, projects, programs, or systems of BITSI;
    3. Advise BITSI regarding complaints and/or the exercise by data subjects of their rights (e.g., requests for information, clarifications, rectification or deletion of personal data);
    4. Handle Personal Data Breach and Security Incident management by BITSI, and monitor management of the foregoing by third parties to whom they may delegate processing activities;
    5. Prepare and submit, or cause the preparation and submission, to the Commission, of reports and other documentation concerning Security Incidents or Personal Data Breaches;
    6. Inform and cultivate awareness on privacy and data protection within the organization of BITSI, including all relevant laws, rules and regulations and issuances of the Commission;
    7. Advocate for the development, review and/or revision of policies, guidelines, projects and/or programs of BITSI relating to privacy and data protection, by adopting a privacy by design approach;
    8. Serve as the contact person of BITSI vis-à-vis data subjects, the Commission, and other authorities in all matters concerning data privacy or security issues or concerns and BITSI;
    9. Cooperate, coordinate, and seek the advice of the Commission regarding matters concerning data privacy and security; and
    10. Perform other duties and tasks that may be assigned by BITSI that will further the interest of data privacy and security and uphold the rights of the data subjects.
  3. Development Training

    BITSI shall ideally sponsor a mandatory training on data privacy and security on such periods that it may set. For personnel directly involved in the processing of Personal Data, management shall ensure their attendance and participation in relevant trainings and orientations, as often as necessary.

  4. Due Diligence

    BITSI has conducted, and continues to conduct, due diligence and privacy impact assessments, on its customer information systems. It has hired the services of a third-party law firm, for the conduct of the assessment.

    It undertakes to conduct due diligence and privacy impact assessments relative to all activities, projects and systems involving the processing of Personal Data.

  5. Recording of Activities

    Activities carried out by the Data Protection Officer, and the organization itself, to ensure compliance with the Act, the IRR, and the Commission’s policies, shall be documented and recorded.

  6. BITSI’s Duty of Confidentiality

    All BITSI employees, especially those who have access to customers’ Personal Data, will be asked to sign a Non-Disclosure Agreement.

    Employees are covered by the obligations under this Manual, especially those laid out in Part IV. They are also covered by the Access Code Policy below.

  7. J6W’s Duty of Confidentiality

    BITSI is currently in the process of negotiating an Outsourcing/Confidentiality Agreement with J6W. In the meantime, J6W’s employees are covered by Non-Disclosure Agreements.

  8. Digital Ocean’s Duty of Confidentiality

    Digital Ocean’s Privacy Policy is set out in https://www.digitalocean.com/legal/privacy/. The terms and conditions of their service are found in https://www.digitalocean.com/legal/terms/.

  9. Privacy Manual Updates

    This Manual shall be reviewed and evaluated annually, or as major changes in BITSI’s policy and information systems arise. Privacy and security policies and practices within the organization shall be updated to remain consistent with current data privacy best practices.

B. Physical Security Measures
  1. Data Format

    Personal data in the custody of the organization is in digital format, and stored in Digital Ocean’s servers.

  2. Storage

    Digital Ocean’s “datacenters are co-located in some of the most respected datacenter facility providers in the world. [It] leverage[s] all of the capabilities of these providers including physical security and environmental controls to secure [its] infrastructure from physical threat or impact. Each site is staffed 24/7/365 with on-site physical security to protect against unauthorized entry. Security controls provided by [its] datacenter facilities includes but is not limited to:

    • 24/7 Physical security guard services;
    • Physical entry restrictions to the property and the facility;
    • Physical entry restrictions to [its] co-located datacenter within the facility;
    • Full CCTV coverage externally and internally for the facility;
    • Biometric readers with two-factor authentication.
    • Facilities are unmarked as to not draw attention from the outside;
    • Battery and generator backup;
    • Generator fuel carrier redundancy; and
    • Secure loading zones for delivery of equipment.”
    (See https://www.digitalocean.com/security/)
  3. Access

    Digital Ocean’s “infrastructure is secured through a defense-in-depth layered approach. Access to the management network infrastructure is provided through multi-factor authentication points which restrict network-level access to infrastructure based on job function utilizing the principle of least privilege. All access to the ingress points are closely monitored, and are subject to stringent change control mechanisms.

    Systems are protected through key-based authentication and access is limited by Role-Based Access Control (RBAC). RBAC ensures that only the users who require access to a system are able to login. [It] consider[s] any system which houses customer data that [it] collect[s], or systems which house the data customers store with [it] to be of the highest sensitivity. As such, access to these systems is extremely limited and closely monitored.

    Additionally, hard drives and infrastructure are securely erased before being decommissioned or reused to ensure that your data remains secure.”

    “The security and data integrity of customer Droplets is of the utmost importance at Digital Ocean. As a result, [its] technical support staff do not have access to the backend hypervisors where virtual servers reside nor direct access to the NAS/SAN storage systems where snapshots and backup images reside. Only select engineering teams have direct access to the backend hypervisors based on their role.”

    (See https://www.digitalocean.com/security/)
  4. Reproduction, Transfer, Retention, and Disposal

    The reproduction, transfer, retention, and disposal of Personal Data shall be governed by the relevant portions of Part V above.

C. Technical Security Measures
  1. Digital Ocean

    Digital Ocean has a “[s]ecurity team utiliz[ing] monitoring and analytics capabilities to identify potentially malicious activity within our infrastructure. User and system behaviors are monitored for suspicious activity, and investigations are performed following its incident reporting and response procedures.” (See https://www.digitalocean.com/security/.)

    The servers’ security features are as follows (see https://www.digitalocean.com/security/compliance/):

    Digital Ocean supports the new General Data Protection Regulation (GDPR), which is the most significant legislative change in European data protection laws since the EU Data Protection Directive (Directive 95/46/EC), introduced in 1995. The Philippines’ privacy laws draw influence from these European privacy laws.

  2. J6W

    J6W currently has a one-man security team. It partly relies on Digital Ocean for the provision of security services. J6W has its own blend of hardware firewalls that prevent unauthorized access to confidential information.

    Should there be a breach, J6W’s response is to shut down the service affected.

  3. BITSI

    BITSI partly relies on Digital Ocean and J6W in securing the customer information located in Digital Ocean’s servers. BITSI has a team of information technology professionals in its ranks.

VII. Breach and Security Incidents

A. Data Breach Response Team

BITSI’s current Risk Management Team is hereby designated ipso facto, as its Data Breach Response Team. The Data Protection Officer shall head the team. This team shall be responsible for ensuring immediate action in the event of a Security Incident. The team shall conduct an initial assessment of the Security Incident or Personal Data Breach in order to ascertain the nature and extent thereof. It shall also execute measures to mitigate the adverse effects of the incident or breach.

The names of the team members shall be disseminated, as soon as appointed.

Aside from the functions and duties enumerated in this manual, the team shall also have the functions and duties laid out in the Act, IRR, and other issuances of the NPC.

B. Preventive Measures

The organization shall regularly conduct due diligence and privacy impact assessments to identify risks in the processing system, monitor for security breaches, and conduct vulnerability scanning of its computer networks. Personnel directly involved in the Processing of personal data must attend trainings and seminars for capacity building. There must also be a periodic review of policies and procedures being implemented in the organization.

C. Recovery and Restoration

The organization shall always maintain a backup file for all Personal Data under its custody. In the event of a security incident or data breach, it shall always compare the backup with the affected file to determine the presence of any inconsistencies or alterations resulting from the incident or breach.

D. Notification protocol

The Data Protection Officer shall inform the management of the need to notify the Commission, and the employee affected by a Security Incident within the period prescribed by law.

Management may decide to delegate the actual notification to the head of the Data Protection Officer.

E. Security Incident Reports

The Data Breach Response Team shall prepare a detailed documentation of every Security Incident, to be submitted to the management, and the Commission if notification is required.

F. Employee Responsibility

Employees must look after the customers’ privacy and security. If there is any reason for an employee to suspect that there is a Security Incident, employees must inform the Data Protection Officer, or any member of the Data Breach Response Team, immediately.

G. Customer Responsibility

While BITSI and its associates seek to protect customers’ Personal data, customers must also look after their own privacy and security. If there is any reason for a customer to suspect that there is a Security Incident, he or she must inform BITSI, through the Data Protection Officer, or any member of the Data Breach Response Team, immediately.

H. Breach Detection and Response Methods

The Data Breach Response Team shall have its own sets of rules for monitoring and breach detection which will not be disclosed to customers, and to employees, aside from selected members of management, so as to retain the methods’ potency, and effectivity.

I. Digital Ocean’s and J6W’s Breach Response

Digital Ocean’s, and J6W’s breach response shall be in accordance with their respective internal breach management policies.

VIII. Access Code Policy

During the course of employment, employees may be provided with official company access codes for websites, e-mails, and other systems. It is highly possible that these codes may grant an employee access to customers’ sensitive Personal Data. To ensure that Personal Data are protected, access codes are governed by the following rules.
  1. An employee shall not disclose his or her access code to any other person, unless authorized by the Data Protection Officer, the head of the HR Department, and the head of the employee’s department.
  2. Upon the termination of his or her employment, an employee shall disclose the access code to the Data Protection Officer, who shall immediately create another access code for the account, and delete the old one.
  3. The Data Protection Officer shall have a masterlist of access codes, which only he, BITSI’s President, and members of BITSI’s Board of Directors may access.
  4. Official company accounts may be accessed only by the grantee of the account, BITSI’s President, and members of BITSI’s Board of Directors. Other persons may be allowed to access accounts, through official Board Resolutions.

IX. Digital Worksheet Policy

In the conduct of their functions, employees may be required to Process Personal Data in digital worksheets such as Microsoft Word, and Microsoft Excel, i.e. when preparing salary reports, government filings, etc. The use of digital worksheets in processing Personal Data shall be governed by the following rules.

  1. Personal Data shall be Processed, only insofar as may be necessary to accomplish official functions.
  2. Worksheets shall be transmitted only to those who are authorized to receive them, taking into consideration the nature of the work performed, the objective to be accomplished, and the relation of the communication thereto, and strictly in accordance with Part IV(C) of this Manual.
  3. Upon the creation of a final version of a worksheet, all employees who handled the same shall delete all older versions, and shall only retain the final version.
  4. Heads of departments shall compile and secure all final versions of worksheets created by their subordinates.
  5. Upon the termination of his or her employment, an employee shall transmit all works in progress, and final worksheets, to the head of the department. Thereafter, he or she must delete all worksheets in his or her possession.

X. Inquiries, Complaints, and Information Update

Every BITSI customer has the rights provided under the Act, IRR, and other issuances of the Commission.

Customers may inquire or request for information regarding any matter relating to the processing of their Personal Data under BITSI’s custody, including the data privacy and security policies implemented to ensure the protection of their personal data. They may write to the organization’s Data Protection Officer, with address at No. 96 Mirasol St., Brgy. San Roque, Cubao City, to briefly discuss the inquiry.

Requests for update of information may be addressed to the Data Protection Officer at No. 96 Mirasol St., Brgy. San Roque, Cubao City.

Complaints shall be filed in three (3) printed copies, before BITSI’s Data Protection Officer, at No. 96 Mirasol St., Brgy. San Roque, Cubao City. The Data Protection Officer shall confirm with the complainant its receipt of the complaint.

XI. Disclaimer

Payments by customers are done through a third-party payment service provider. Personal Data disclosed to BITSI, and those disclosed to the third-party payment service provider, are mutually exclusive, and are not exchanged between the two entities. Disclosure to one is not tantamount to disclosure to the other.

BITSI does not purport to exercise control or supervision over the activities of the third-party payment service provider.

XII. Effectivity

The provisions of this Manual are effective this __ day of ___________, 2018, until revoked or amended by this company, through a Board Resolution.