BITSI is a corporation duly registered under the laws of the Republic of the Philippines, primarily for the
purpose of operating bus transportation services. BITSI’s customers are allowed to book transportation
through the Website, after providing Personal Data.
This Manual was created in order to give you, our dear customers, an idea of: [a] why BITSI collects
information from you, [b] how the information you provide is processed, [c] who are allowed to access the
information you provide, [d] how the information you provide is protected, and [e] how you can correct wrong
information, and obtain remedies for grievances.
Rest assured that BITSI respects and values your data privacy rights, and makes sure that all personal data
collected from you are processed in adherence to the general principles of transparency, legitimate purpose,
and proportionality.
Thus, BITSI promulgates this Customer Privacy Manual, in compliance with the Act, the IRR, and the other
issuances of the Commission.
This Manual covers only BITSI customers who book transportation services through the Website, and BITSI
employees who handle Personal Data that these customers provide.
All customers and employees are expected to read, observe, and abide by the policies and rules set out in
this Manual, the Act, the IRR, and other issuances of the Commission.
Queries may be directed to relevant BITSI officers, in accordance with the procedure provided further below.
By using the Website, and by providing Personal Data therein, the customer is expected to have read BITSI’s Privacy Policy, and to have granted consent to the Processing of Personal Data, by clicking the “I Agree” button. It is the customer’s responsibility to carefully read this Manual, and the Privacy Policy, before giving consent. If the customer does not agree, then he or she must stop the registration process immediately.
B. Employee Responsibility
All BITSI employees are expected to respect and protect customers’ Personal Data. Customers’ Personal Data,
which an employee may come to have knowledge of during the ordinary course of his or her employment with
BITSI, shall be used only for the purposes in Part V(C) below, and shall not be disclosed to any person,
other than those who are expected to receive them in the ordinary course of the performance of their
duties.
Employees are required to exercise their best discretion in the Processing of Personal Data, with due regard
to their responsibilities, as laid out in this manual, and as indicated in the Act, the IRR, and other
issuances of the Commission.
Personal Data shall not be disclosed even after resignation, termination of contract, or other contractual
relations, unless consented to by the customer who owns the Personal Data.
Penalties for violations of this Manual shall be governed by BITSI’s Employee Code of Conduct.
This Manual may be revised by BITSI, as the exigencies of its business require. Customers and employees will
be duly informed of such changes, through appropriate notices.
In the processing of customers’ Personal Data, BITSI strictly adheres to the principles of transparency, legitimate purpose, and proportionality.
The customer must be aware of the nature, purpose, and extent of the processing of his or her personal data, including the risks and safeguards involved, the identity of BITSI as the personal information controller, his or her rights as a data subject, and how these can be exercised. Any information and communication relating to the processing of personal data should be easy to access and understand, using clear and plain language.
The processing of information shall be compatible with a declared and specified purpose which must not be contrary to law, morals, or public policy.
The processing of information shall be adequate, relevant, suitable, necessary, and not excessive in relation to a declared and specified purpose. Personal data shall be processed only if the purpose of the processing could not reasonably be fulfilled by other means.
Before booking bus transportation services, customers are expected to fill up an online registration form. Through this form, the customer may be requested to provide the following pieces of information, among others:
In the future, registration may also be done by providing BITSI access to the customers’ personal
information in their Facebook page.
Before data collection, a customer is requested, if he or she so agrees, to give consent to the Processing
of Personal Data by BITSI, through the “I Agree” button in the Website, subject to the duties and
responsibilities found in Part IV of this Manual.
By booking transportation services, a customer also provides information such as travel dates, travel
origins, and travel destinations.
The Personal Data collected from customers will be used for the following purposes:
BITSI may need to disclose customers’ Personal Data to related entities, contracting parties, partners and other organizations, for purposes related to those above enumerated. These may include
BITSI takes steps to ensure that personal data under its custody are protected against any accidental or
unlawful destruction, alteration and disclosure as well as against any other unlawful processing.
Official customer information is stored in cloud servers operated and maintained by Digital Ocean,
physically located in Singapore, and the United States. The security features of the servers are more
particularly explained in Part VI of this Manual.
Personal Data transmitted to BITSI shall not be reproduced, unless done for the official purposes mentioned
in Part C above. As far as practicable, reproduced customer information shall be anonymized, in those
instances where anonymization will not defeat the specific purpose for Processing. In case copies are made,
whether physical or digital, these copies shall be subject to the same standards of confidentiality,
protection, and privacy, as the original. All privacy protection measures in this Manual also apply to the
copies.
Information stored in Digital Ocean’s servers is backed up regularly.
BITSI personnel who handle customer information are expected to abide by the rules and regulations set out
in this Manual, and those provided in the Act, the IRR, and other issuances of the NPC.
Information shall be retained for such periods as may be necessary to accomplish the purposes mentioned in Part C above. After the purpose has been satisfied, digital copies shall be deleted, and physical copies shall be shredded. The same principles shall apply to copies.
Due to the sensitive and confidential nature of the Personal Data under the custody of the company, only the following have access to a customer’s Personal Data:
Processing and access shall be done for the purposes mentioned in item C above.
All employees and personnel of BITSI shall maintain the confidentiality and secrecy of all personal data that come to their knowledge and possession, even after resignation, termination of contract, or other contractual relations. Personal Data under the custody of the company shall be disclosed only pursuant to a lawful purpose, and to authorized recipients of such data. Part IV of this Manual remains in full effect.
The designated Data Protection Officer is Mr. Reynaldo L. Sumat.
The Data Protection Officer’s duties and functions, are as follows:
BITSI shall sponsor mandatory training on data privacy and security at such intervals as it may set. For personnel directly involved in the Processing of Personal Data, management shall ensure their attendance and participation in relevant trainings and orientations, as often as necessary.
BITSI has conducted, and continues to conduct, due diligence and privacy impact assessments, on its
customer information systems. It has hired the services of a third-party law firm, for the conduct of
the assessment.
It undertakes to conduct due diligence and privacy impact assessments relative to all activities,
projects and systems involving the processing of Personal Data.
Activities carried out by the Data Protection Officer, and the organization itself, to ensure compliance with the Act, the IRR, and the Commission’s policies, shall be documented and recorded.
All BITSI employees, especially those who have access to customers’ Personal Data, will be asked to sign
a Non-Disclosure Agreement.
Employees are covered by the obligations under this Manual, especially those laid out in Part IV. They
are also covered by the Access Code Policy below.
BITSI is currently in the process of negotiating an Outsourcing/Confidentiality Agreement with J6W. In the meantime, J6W’s employees are covered by Non-Disclosure Agreements.
Digital Ocean’s Privacy Policy is set out in https://www.digitalocean.com/legal/privacy/. The terms and conditions of their service are found in https://www.digitalocean.com/legal/terms/.
This Manual shall be reviewed and evaluated annually, or as major changes in BITSI’s policy and information systems arise. Privacy and security policies and practices within the organization shall be updated to remain consistent with current data privacy best practices.
Personal data in the custody of the organization is in digital format, and stored in Digital Ocean’s servers.
Digital Ocean’s “datacenters are co-located in some of the most respected datacenter facility providers in the world. [It] leverage[s] all of the capabilities of these providers including physical security and environmental controls to secure [its] infrastructure from physical threat or impact. Each site is staffed 24/7/365 with on-site physical security to protect against unauthorized entry. Security controls provided by [its] datacenter facilities include but are not limited to:
Digital Ocean’s “infrastructure is secured through a defense-in-depth layered approach. Access to the
management network infrastructure is provided through multi-factor authentication points which restrict
network-level access to infrastructure based on job function utilizing the principle of least privilege.
All access to the ingress points are closely monitored, and are subject to stringent change control
mechanisms.
Systems are protected through key-based authentication and access is limited by Role-Based Access
Control (RBAC). RBAC ensures that only the users who require access to a system are able to login. [It]
consider[s] any system which houses customer data that [it] collect[s], or systems which house the data
customers store with [it] to be of the highest sensitivity. As such, access to these systems is
extremely limited and closely monitored.
Additionally, hard drives and infrastructure are securely erased before being decommissioned or reused
to ensure that your data remains secure.”
“The security and data integrity of customer Droplets is of the utmost importance at Digital Ocean. As a
result, [its] technical support staff do not have access to the backend hypervisors where virtual
servers reside nor direct access to the NAS/SAN storage systems where snapshots and backup images
reside. Only select engineering teams have direct access to the backend hypervisors based on their role.”
The reproduction, transfer, retention, and disposal of Personal Data shall be governed by the relevant portions of Part V above.
Digital Ocean has a “[s]ecurity team utiliz[ing] monitoring and analytics capabilities to identify
potentially malicious activity within our infrastructure. User and system behaviors are monitored for
suspicious activity, and investigations are performed following its incident reporting and response
procedures.” (See https://www.digitalocean.com/security/.)
The servers’ security features are as follows (see
https://www.digitalocean.com/security/compliance/):
Digital Ocean supports the new General Data Protection Regulation (GDPR), which is the most significant legislative change in European data protection laws since the EU Data Protection Directive (Directive 95/46/EC), introduced in 1995. The Philippines’ privacy laws draw influence from these European privacy laws.
J6W currently has a one-man security team. It partly relies on Digital Ocean for the provision of
security services. J6W has its own blend of hardware firewalls that prevent unauthorized access to
confidential information.
Should there be a breach, J6W’s response is to shut down the service affected.
BITSI partly relies on Digital Ocean and J6W in securing the customer information located in Digital Ocean’s servers. BITSI has a team of information technology professionals in its ranks.
BITSI’s current Risk Management Team is hereby designated ipso facto, as its Data Breach Response Team. The
Data Protection Officer shall head the team. This team shall be responsible for ensuring immediate action in
the event of a Security Incident. The team shall conduct an initial assessment of the Security Incident or
Personal Data Breach in order to ascertain the nature and extent thereof. It shall also execute measures to
mitigate the adverse effects of the incident or breach.
The names of the team members shall be disseminated, as soon as appointed.
Aside from the functions and duties enumerated in this manual, the team shall also have the functions and
duties laid out in the Act, IRR, and other issuances of the NPC.
The organization shall regularly conduct due diligence and privacy impact assessments to identify risks in the processing system, monitor for security breaches, and conduct vulnerability scanning of its computer networks. Personnel directly involved in the Processing of Personal Data must attend trainings and seminars for capacity building. There must also be a periodic review of the policies and procedures being implemented in the organization.
C. Recovery and Restoration
The organization shall always maintain a backup file for all Personal Data under its custody. In the event of a security incident or data breach, it shall always compare the backup with the affected file to determine the presence of any inconsistencies or alterations resulting from the incident or breach.
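The backup-versus-affected-file comparison described above can be made concrete. The following is an added example, not part of this Manual and not code from BITSI, J6W or Digital Ocean. The booking records, field names and booking references are constructed sample data, and the record layout (a table keyed by booking reference) is an assumption. It first checks that the backup itself still matches a digest recorded when the backup was taken, since a comparison against a backup that was also altered proves nothing, and then lists records that were added, deleted or changed, field by field.

```python
import hashlib
import json

# Constructed sample data (assumption: bookings are keyed by a booking reference).
# BACKUP is the snapshot taken before the incident; CURRENT is the affected table.
BACKUP = {
    "BK-1001": {"name": "Juan Dela Cruz", "origin": "Cubao", "destination": "Baguio", "date": "2018-06-01"},
    "BK-1002": {"name": "Maria Santos", "origin": "Cubao", "destination": "Vigan", "date": "2018-06-02"},
    "BK-1003": {"name": "Pedro Reyes", "origin": "Cubao", "destination": "Laoag", "date": "2018-06-03"},
}
CURRENT = {
    "BK-1001": {"name": "Juan Dela Cruz", "origin": "Cubao", "destination": "Baguio", "date": "2018-06-01"},
    "BK-1002": {"name": "Maria Santos", "origin": "Cubao", "destination": "Laoag", "date": "2018-06-02"},
    "BK-1004": {"name": "Ana Lim", "origin": "Cubao", "destination": "Vigan", "date": "2018-06-04"},
}


def record_digest(record):
    """SHA-256 of a canonical JSON encoding, so key order and whitespace do not matter."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(canonical).hexdigest()


def snapshot_digest(records):
    """Single digest over every record, in key order; record this out of band when the backup is taken."""
    h = hashlib.sha256()
    for key in sorted(records):
        h.update(key.encode("utf-8"))
        h.update(b"\0")
        h.update(record_digest(records[key]).encode("ascii"))
        h.update(b"\n")
    return h.hexdigest()


def verify_backup(backup, expected_digest):
    """True only if the backup still matches the digest recorded when it was created."""
    return snapshot_digest(backup) == expected_digest


def compare_snapshots(backup, current):
    """Report records added, deleted or altered between the backup and the affected table."""
    added = sorted(set(current) - set(backup))
    deleted = sorted(set(backup) - set(current))
    altered = {}
    for key in sorted(set(backup) & set(current)):
        if record_digest(backup[key]) == record_digest(current[key]):
            continue
        fields = set(backup[key]) | set(current[key])
        altered[key] = {
            f: (backup[key].get(f), current[key].get(f))
            for f in sorted(fields)
            if backup[key].get(f) != current[key].get(f)
        }
    return {"added": added, "deleted": deleted, "altered": altered}


def investigate(backup, current, recorded_backup_digest):
    """Refuse to draw conclusions from a backup whose own integrity cannot be confirmed."""
    if not verify_backup(backup, recorded_backup_digest):
        raise ValueError("backup digest mismatch: backup may itself have been altered")
    return compare_snapshots(backup, current)


if __name__ == "__main__":
    # In practice the digest below would have been stored separately at backup time.
    recorded = snapshot_digest(BACKUP)
    print(json.dumps(investigate(BACKUP, CURRENT, recorded), indent=2))
```

The per-record digest makes the comparison independent of how the table is serialized, and the separate snapshot digest is what lets the response team say the backup is trustworthy before they trust any difference it reveals.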
D. Notification Protocol
The Data Protection Officer shall inform management of the need to notify the Commission, and the
customers affected by a Security Incident, within the period prescribed by law.
Management may decide to delegate the actual notification to the Data Protection Officer, as head of the Data Breach Response Team.
The Data Breach Response Team shall prepare a detailed documentation of every Security Incident, to be submitted to the management, and the Commission if notification is required.
F. Employee Responsibility
Employees must look after the customers’ privacy and security. If there is any reason for an employee to suspect that there is a Security Incident, employees must inform the Data Protection Officer, or any member of the Data Breach Response Team, immediately.
G. Customer Responsibility
While BITSI and its associates seek to protect customers’ Personal Data, customers must also look after their own privacy and security. If there is any reason for a customer to suspect that there is a Security Incident, he or she must inform BITSI, through the Data Protection Officer, or any member of the Data Breach Response Team, immediately.
H. Breach Detection and Response Methods
The Data Breach Response Team shall have its own set of rules for monitoring and breach detection, which will not be disclosed to customers, or to employees other than selected members of management, so as to retain the methods’ potency and effectiveness.
I. Digital Ocean’s and J6W’s Breach Response
Digital Ocean’s and J6W’s breach response shall be in accordance with their respective internal breach management policies.
In the conduct of their functions, employees may be required to Process Personal Data in digital worksheets such as Microsoft Word and Microsoft Excel, e.g. when preparing salary reports, government filings, etc. The use of digital worksheets in Processing Personal Data shall be governed by the following rules.
Every BITSI customer has the rights provided under the Act, IRR, and other issuances of the Commission.
Customers may inquire or request for information regarding any matter relating to the processing of their
Personal Data under BITSI’s custody, including the data privacy and security policies implemented to ensure
the protection of their personal data. They may write to the organization’s Data Protection Officer, with
address at No. 96 Mirasol St., Brgy. San Roque, Cubao City, to briefly discuss the inquiry.
Requests for update of information may be addressed to the Data Protection Officer at No. 96 Mirasol St.,
Brgy. San Roque, Cubao City.
Complaints shall be filed in three (3) printed copies, before BITSI’s Data Protection Officer, at No. 96
Mirasol St., Brgy. San Roque, Cubao City. The Data Protection Officer shall confirm with the complainant its
receipt of the complaint.
Payments by customers are made through a third-party payment service provider. Personal Data disclosed to
BITSI, and those disclosed to the third-party payment service provider, are mutually exclusive, and are not
exchanged between the two entities. Disclosure to one is not tantamount to disclosure to the other.
BITSI does not purport to exercise control or supervision over the activities of the third-party payment
service provider.
The provisions of this Manual are effective this __ day of ___________, 2018, until revoked or amended by this company, through a Board Resolution.