Privacy Policy

Purpose

The purpose of this DATA PRIVACY MANUAL (hereinafter referred to as the “MANUAL”) is to serve as a guide or handbook for ensuring compliance with the Data Privacy Act of 2012 by UBX PH (hereinafter referred to as “UBX”). This MANUAL defines the Company’s Privacy Management Program and enumerates its internal rules, policies, and procedures in relation to the protection and security of the personal information of UBX Data Subjects throughout the data lifecycle. This MANUAL shall be kept up to date to reflect changes in the Philippine laws on data protection, pertinent laws, regulations, and global industry standards.

Scope

This MANUAL applies to all internal and external parties who conduct business with UBX. Internal parties include, but are not limited to, the Board of Directors, Senior Management, Executives, and all regular UBX Employees. External parties include, but are not limited to, contractors, vendors, consultants, independent services contractors, on-the-job trainees and other third parties considered by the Bank.

Definition of Terms

  1. Asset: Anything that has value to the Company.
  2. Availability: The property of being accessible and usable upon demand by an authorized entity.
  3. Confidentiality: The property that information is not made available or disclosed to unauthorized individuals, entities or processes.
  4. Consent of the Data Subject: This refers to any freely given, specific, informed indication of will, whereby the data subject agrees to the collection and processing of his or her personal, sensitive personal, or privileged information. Consent shall be evidenced by written, electronic or recorded means. It may also be given on behalf of a data subject by a lawful representative or an agent specifically authorized by the data subject to do so.
  5. Data Exporter: This shall mean the Personal Information Controller that transfers the Personal Data pursuant to a Data Sharing Agreement.
  6. Data Importer: This shall mean the controller who agrees to receive from the Data Exporter Personal Data for further processing pursuant to a Data Sharing Agreement.
  7. Data Subject: This refers to: (i) an individual whose personal, sensitive personal, or privileged information is processed; (ii) an individual who has provided his or her information to UBX through any channel or means, whether UBX acts as a Personal Information Controller or a Personal Information Processor; and (iii) an individual whose information, upon his or her consent, is shared by a Data Exporter with a Data Importer, where UBX may be either of the two or both.
  8. Data Processing: This refers to any operation or any set of operations performed upon Personal Information including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data. Processing may be performed through automated means, or through manual processing if the personal information is contained or is intended to be contained in a filing system.
  9. Data Sharing: This refers to the disclosure or transfer to a third party of Personal Data under the custody of a personal information controller or personal information processor. In the case of the latter, such disclosure or transfer must have been upon the instructions of the personal information controller concerned. The term excludes outsourcing, or the disclosure or transfer of Personal Data by a personal information controller to a personal information processor.
  10. Encryption: This refers to the process of encoding a message or information in such a way that only authorized parties can access it and unauthorized parties cannot, so as to protect data or information from exposure to unintended recipients.
  11. Event: This refers to any observable occurrence in a system or network that may indicate a negative consequence.
  12. Information Security: Preservation of confidentiality, integrity, and availability of information assets; in addition, other properties such as authenticity, accountability, non-repudiation and reliability can also be involved.
  13. Integrity: The property of safeguarding the accuracy and completeness of assets.
  14. Personal Data: This shall refer collectively to the Personal Information and Sensitive Personal Information.
  15. Personal Information: This refers to any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or which, when put together with other information, would directly and certainly identify an individual.
  16. Personal Information Controller (“PIC”): This refers to the Parties of this Agreement, both of which control the processing of Personal Information or instruct another party to process Personal Information on their behalf.
  17. Personal Information Processor (“PIP”): This refers to any natural or juridical person or any other body to whom PIC may outsource or instruct the processing of personal information pertaining to a data subject.
  18. Personal Data Breach: This refers to a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal information transmitted, stored, or otherwise processed. It shall also refer to (i) any act or omission that compromises or may compromise either the security, confidentiality or integrity of the Data Subject’s Personal Information, or the physical, technical, administrative or organizational safeguards put in place by the Parties that relate to the protection of the security, confidentiality or integrity of Data Subject’s Personal Information, or (ii) receipt of a complaint in relation to the privacy practices of the Parties or a breach or alleged breach relating to privacy practices.
  19. Pseudonymization: A security technique for replacing sensitive data with realistic fictional data which cannot be attributed to a specific individual without additional information; that additional information is to be kept separately and subject to technical and organizational measures to ensure non-attribution to an identified or identifiable person.
  20. Security Incident: This is an event or occurrence that affects or tends to affect data protection, or may compromise the availability, integrity, and confidentiality of personal data. It shall include incidents that would have resulted in a personal data breach if not for the safeguards that have been put in place.
  21. Sensitive Personal Information: This refers to personal information (1) about an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations; (2) about an individual’s health, education, genetic or sexual life, or about any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings; (3) issued by government agencies peculiar to an individual, which includes, but is not limited to, social security numbers, previous or current health records, licenses or their denial, suspension or revocation, and tax returns; and (4) specifically established by an executive order or an act of Congress to be kept classified.

Data Privacy Office Organization


Section 1. Mission Statement
The Data Privacy Office aims to protect the privacy of UBX Data Subjects and to ensure the proper use and disclosure of their personal data. The DPO fosters a corporate culture that values privacy through awareness and meaningful guidance on data protection based on international standards.

Section 2. Jurisdiction of the National Privacy Commission
UBX recognizes that the National Privacy Commission may conduct compliance audits and inspections of the Company’s internal and external operations, as well as of its mandatory documentary submissions. The Commission may review and inspect data sharing agreements, outsourcing agreements, and other similar contracts involving the processing of personal data. The Commission may also subject the Company to investigation on an ad hoc basis on the grounds of any reported violation of the rights and freedoms of data subjects, and on other matters necessary to ensure effective implementation of the Data Privacy Act and this MANUAL.

Section 3. Registration with the National Privacy Commission

Data Protection Officer
UBX shall identify a Data Protection Officer who shall be duly authorized by the Board of Directors to function and take such role and responsibilities as provided in this MANUAL. The appointed Data Protection Officer shall be registered with the National Privacy Commission. The Data Protection Officer shall be accountable for the registration requirements and other regulatory orders by the National Privacy Commission.

Data Processing Systems
UBX shall register with the National Privacy Commission its data processing systems. All information and communication technology and network systems that store and process Personal Data shall be compiled by the Data Privacy Office for documentation.

Section 4. Data Privacy Office
There shall be a Data Privacy Office headed by the Data Protection Officer (DPO). The DPO may be assisted by one or more Compliance Officers for Privacy (COP).

Section 5. Functions of the Data Protection Office
The Data Privacy Office shall oversee the compliance of the organization with the DPA, its IRR, and other pertinent data protection standards, with the following roles and responsibilities under the law:

  1. Monitor the Company’s compliance with the DPA, its Implementing Rules and Regulations, issuances by the National Privacy Commission, and other applicable laws and policies;
  2. Collect information to identify the processing operations, activities, measures, projects, programs, or systems of the Company, and maintain a record thereof;
  3. Analyze and check the compliance of processing activities, and inform, advise, and issue recommendations to the Company;
  4. Ascertain the renewal of accreditations or certifications necessary to maintain the required standards in Personal Data processing;
  5. Advise UBX about the necessity of executing a Data Sharing Agreement with third parties, and ensure its compliance with the law;
  6. Ensure the conduct of Privacy Impact Assessments relative to activities, measures, projects, programs, or systems of UBX;
  7. Advise UBX regarding complaints and/or the exercise by data subjects of their rights (e.g., requests for information, clarifications, rectification or deletion of Personal Data);
  8. Ensure proper data breach and security incident management by UBX, including the latter’s preparation and submission to the Commission of reports and other documentation concerning security incidents or data breaches within the prescribed period;
  9. Inform and cultivate awareness on privacy and data protection within the Company, including all relevant laws, rules and regulations and issuances of the Commission;
  10. Advocate for the development, review and/or revision of policies, guidelines, projects and/or programs of UBX relating to privacy and data protection, by adopting a privacy by design approach;
  11. Serve as the contact person of UBX vis-à-vis data subjects, the Commission and other authorities in all matters concerning data privacy or security issues or concerns;
  12. Cooperate, coordinate and seek advice of the Commission regarding matters concerning data privacy and security; and
  13. Perform other duties and tasks that may be assigned by UBX that will further the interest of data privacy and security and uphold the rights of the data subjects.

Chapter 1 – Data Privacy Principles


Section 1. Legitimate Purpose
Personal Data shall be processed only if not otherwise prohibited by law, and only when at least one of the following conditions exists:

  1. Affirmative consent of the UBX Data Subjects;
  2. Processing is necessary and related to the fulfillment of a contract with the Data Subject or to take steps at the request of the data subject prior to entering into a contract;
  3. Processing is necessary for compliance with a legal obligation by UBX;
  4. Processing is necessary to protect vitally important interests of the Data Subject, including life and health;
  5. Processing is necessary to respond to national emergency, to comply with the requirements of public order and safety, or to fulfill functions of public authority which necessarily includes the processing of Personal Data for the fulfillment of its mandate; or
  6. Processing is necessary for the purposes of the legitimate interests pursued by the company or by a third party or parties to whom the data is disclosed, except where such interests are overridden by fundamental rights and freedom of the Data Subject which require protection under the Philippine Constitution.

Section 2. Consent
If processing of Personal Data of UBX Data Subjects is necessary and it is beyond what they have initially consented to, the Company shall acquire affirmative consent through an opt-in mechanism or platform. Consent shall include the following:

  1. Purpose and extent of the consent;
  2. Time-bound validity;
  3. Personal Data to be collected;
  4. Period of collection;
  5. Opt-out option and warranty that UBX Data Subjects’ data shall be removed from processing systems after the retention period or upon opt-out; and
  6. Identity of the Personal Information Controller/s and/or Personal Information Processor/s that will be given access to their Personal Data.

Section 3. Transparency
UBX shall notify the Data Subjects of how their Personal Data are being processed. Data Subjects shall be granted access to data concerning them and shall have the right to demand the correction of inaccurate or misleading data.

Section 4. Proportionality
UBX shall only collect Personal Data of the Data Subjects to the extent necessary for achieving determined purposes.

Section 5. Accuracy
Personal Data shall be up-to-date, complete and necessary for the achievement of the purpose of data processing.

Section 6. Rights of Data Subjects

  1. Right to be Informed
    Data Subjects have the right to demand the details about the type of Personal Data, the purpose of processing, and how they are being processed in systems, including the existence of automated decision-making and profiling systems.
  2. Right to Access
    Data Subjects shall have the right to reasonable access to their Personal Data, upon demand.
  3. Right to Dispute
    Data Subjects have the right to dispute inaccuracy or error of their Personal Data. Any request must be documented by the relevant unit and must be resolved within reasonable time.
  4. Right to Reject Further Processing
    Data Subjects have the right to suspend, withdraw, and remove their Personal Data in systems which are falsely collected or unlawfully processed. They have the right to object or opt-out if their Personal Data are used for unsolicited commercial speech or advertising purposes or market or opinion research.
  5. Right to Data Retention and Disposal
    Data collected must only be kept for a specific period relevant to the purpose for which the data have been collected, subject to the terms and conditions Data Subjects have consented to. After the retention period, Personal Data shall be irrecoverably and securely disposed of.
  6. Right to Secure Data Portability
    Data Subjects have the right to obtain their Personal Data in an electronic or structured format that is commonly used and allows for further use.
  7. Right to be Indemnified for Damages
    Data Subjects have the right to be indemnified for any damages sustained due to such violation of their rights to privacy through inaccurate, false, unlawfully obtained or unauthorized use of their Personal Data.
  8. Right to File a Complaint
    Data Subjects may file their complaint or any concerns with the Data Privacy Office at 33/F UnionBank Plaza, Meralco Avenue corner Onyx Road, Pasig City, and/or with the National Privacy Commission through www.privacy.gov.ph.

Chapter 2 – Data Classification


Section 1. Defining Information
UBX shall maintain a comprehensive and up-to-date database containing details of its information assets for defining its value, criticality, sensitivity and legal implications.

Section 2. Classifying Information
All corporate business units, process owners, and project teams shall adhere to the Information Classification Framework of UBX, classifying information as Confidential, Public, Internal Use Only, or Private, as defined in this Manual.

Section 3. Personal Data Classification

  1. Confidential – Personal Data
    Personal Data should be classified as “Confidential – Personal Data” because unauthorized disclosure, modification, or destruction of the data or information could potentially bring severe and adverse impact to the Data Subject.
  2. Private – Sensitive Personal Information
    Sensitive Personal Information shall be classified as Private, which shall not be viewable or processed by unauthorized persons or unintended recipients. Processing of these data shall be done in sanitized and/or anonymized manner.

Section 4. Personal Data Classification Matrix

Personal Data Attribute               Category
Full Name                             Personal Information
Gender or Sex                         Sensitive Personal Information
Place of Birth                        Sensitive Personal Information
Date of Birth                         Sensitive Personal Information
Mother’s Maiden Name                  Personal Information
Citizenship or Nationality            Sensitive Personal Information
Alien Certificate of Registration     Sensitive Personal Information
Passport Number                       Sensitive Personal Information
Present Address                       Personal Information
Permanent Address                     Personal Information
Home Number                           Personal Information
Mobile Number                         Personal Information
Email Address                         Personal Information
Civil Status                          Sensitive Personal Information
Tax Identification Number             Sensitive Personal Information
SSS or GSIS Number                    Sensitive Personal Information
Health Information                    Sensitive Personal Information
Job Position or Rank                  Personal Information
Source of Funds                       Sensitive Personal Information
Other transactional data              Sensitive Personal Information

Chapter 3 – Processing of Personal Data

This Chapter lays out the various data lifecycles or processing systems in existence within the organization – from the collection of Personal Data, to their actual use, storage, disclosures, retention, and destruction. Personal Data is to be safeguarded using a combination of technical access controls and robust procedures, with all changes supported by Data Privacy and Internal Audit controls.

Section 1. Collection
UBX collects Personal Data of Data Subjects from the following sources: 1) information the Company collects about the Data Subjects when they contact the Company through authorized representatives and channels; and 2) information the Company collects about Data Subjects from public records and from other available sources authorized to disclose their Personal Data.

  1. Collection on Recruitment
    UBX may collect Personal Data of potential employee-candidates containing job-related credentials through job fair events, open houses for recruitment, third party referrals, social media platforms, information available in public, curricula vitae submitted to the Company through email and other web-based platforms, and any other sources which the Company finds reasonable.
  2. Collection on Employment Onboarding
    In the normal course of UBX legitimate business transactions and human resources activities, UBX collects the following types of Personal Data:
    1. Personal identification information, such as name, permanent address, present address, date of birth, gender, citizenship, work-related photograph, signature specimen, mobile number, home phone number, email address, and other contact details;
    2. Government-issued identification numbers relevant for purpose of payroll and compliance with statutory requirements, such as Tax Identification Number, Social Security System number, PAG-IBIG number, Unified Multi-Purpose ID;
    3. Health information from reports in pre-employment medical examination, annual physical examination, and executive check-ups;
    4. Immigration, right-to-work and residence status, as may be applicable;
    5. Family and emergency contact details;
    6. Job-related, compensation, and benefits-related information;
    7. Educational and training information;
    8. Recruitment and performance-related data;
    9. Information related to their usage of company assets;
    10. Information needed for compliance and risk management, such as background investigations in credit data and security checks; and
    11. Information as may be required by Government Regulators, such as, but not limited to, the Securities and Exchange Commission and the Department of Labor and Employment.
  3. Format of Data to be Collected
    Personal Data collected by the Company may be in digital or electronic format and in paper-based or physical format.

Section 2. Use
UBX processes Personal Data of the Data Subjects only when there is lawful basis under the law, upon their express consent, and/or to fulfill contractual obligations.

  1. Data Owners
    UBX shall identify the data owners who will be responsible for defining the valid use and corresponding security level that will be implemented.
  2. Authorized Representatives
    UBX shall ensure that only authorized employees or personnel who have the proper authority are involved in the processing of Personal Data.
  3. Prohibition on Unauthorized Processing
    It shall be absolutely prohibited for authorized employees or personnel to use Personal Data they have access and visibility to for their own private purposes or to make the same accessible or available to any unauthorized persons or entities, as well as unintended recipients thereof.
  4. Third Party Risk Management
    The processing of Personal Data by third-party service providers shall be enforced by a written agreement in which the rights and duties of UBX and the third-party service providers are specified.
  5. Duty on Confidentiality
    All authorized representatives, personnel, and third-party service providers shall sign a Non-Disclosure Agreement warranting the data security of the Personal Data they are processing. All employees with access to Personal Data shall operate and hold Personal Data under strict confidentiality if the same is not intended for public disclosure. The confidentiality agreement signed by UBX Employees and Representatives is binding even after resignation or termination of employment. Third party service providers shall sign Non-Disclosure Agreements and shall adhere to the security standards and privacy policies imposed by UBX.
  6. Use on Human Resources
    UBX processes employees’ Personal Data for the following purposes: 1) workforce planning, recruitment and staffing; 2) workforce administration, payroll, compensation and benefit programs; 3) performance management, learning and development; 4) advancement and succession planning; 5) legal compliance; 6) workplace management; 7) internal reporting; 8) audit; 9) to protect UBX, its workforce, and the public against injury, theft, legal liability, fraud or abuse; and 10) other legal and customary business-related purposes.

Section 3. Storage
Personal Data of UBX Data Subjects shall only be stored in a well-managed environment, whether physical or electronic. The Company shall take the necessary, effective, and efficient mechanisms and precautions to protect Personal Data from loss, misuse, and unauthorized access, disclosure, alteration, and destruction while in the Company’s control.

  1. Storage Governance
    Personal Data Classification determines the type of data storage and the necessary level of infrastructure security. The integrity and stability of the databases and/or storage media must be maintained at all times.
  2. Third-Party Managed Environment
    Subject to the Company’s policies, Personal Data may be stored in third-party managed environment upon completion and approval of appropriate security, risk, legal, compliance, and privacy impact assessments.
  3. Physical Storage Medium
    Physical forms and documents containing Personal Data shall be stored in physical vaults for long term storage, or within sealed envelopes or containers for short term storage or during transfers between physical locations.
  4. Managing Data Storage
    Day-to-day data storage must ensure that current data is readily available to authorized users and that archives are both created and accessible in case of need.
  5. Setting Up New Storage
    Subject to Security and Risk Management Policies, storage must be fully tested for both business logic and processing, prior to operational usage.
  6. Systems Operations and Administration
    UBX systems shall be managed by suitably qualified systems administrators who must be knowledgeable about the information security and data privacy risks which need to be managed.
  7. Business Continuity
    Subject to the Company’s policies, back-up of UBX data files and the ability to recover such data is a top priority. Information systems owners must ensure that adequate back-up and system recovery procedures are in place in order to protect the integrity of Personal Data.

Section 4. Access
Due to the sensitive and confidential nature of the Personal Data under the custody of the Company, only authorized representatives of UBX shall be allowed to access such Personal Data.

  1. Role-Based Only Access
    UBX shall only grant access to Personal Data, information, and corporate proprietary information to authorized employees and representatives who have legitimate business purpose for accessing such data.
  2. Role-Based Access Review
    Granted access to authorized employees and representatives shall be reviewed by the Company and respective business unit on a regular basis, subject to Internal Audit policies. Special reviews may also be conducted in cases of changes in role of personnel and in cases of investigation or fraud involving privileged access.
  3. Privileged Access to Sensitive Data
    All access by individuals to Sensitive Personal Information as enumerated under Personal Data Classification shall be controlled by reasonable measures to prevent access by unauthorized individuals or users. Privileged access to Sensitive Personal Information or any confidential information does not, in any way, imply authorization for copying, further dissemination, or any use or processing other than that which the privileged access users were authorized.
  4. Authorized Access Delegation
    Data owners may delegate the ability to approve access to Sensitive Personal Information and confidential proprietary information to trusted individuals in designated roles. Delegation of access approval responsibility by data owners shall be approved and cleared with the Business Unit Head and Data Privacy Office to ensure proper tracking.
  5. Physical Storage Medium
    Physical forms and documents containing Personal Data shall be stored in physical vaults for long term storage, or within sealed envelopes or containers for short term storage or during transfers between physical locations. The physical container shall only be accessed by authorized personnel and shall always be locked. Access to the physical containers shall be logged by the owner or custodian of the facility.
  6. Data Extraction
    Data and/or processing system owners shall maintain logging and monitoring system of all data extractions from the Company’s systems that store and process Personal Data. Data Privacy Office shall be given access to the logging and monitoring system to ensure proper data governance in retrieval of files and data from the Company’s processing systems.

Section 5. Transfers and Disclosures
All data in whatever form and nature shall be transferred via UBX-approved medium through secure, encrypted means and/or password protection mechanism, subject to the Company’s policy and the corresponding approval of the Business Unit Head involved.

  1. Medium of Data Transfer
    Secure media of data transfer may take the form of universal serial bus devices, portable hard drives, web-based applications, email platforms, and the like, which are certified and approved by UBX based on its password and encryption standards and policies.
  2. Disclosures on Human Resources
    UBX may disclose employees’ Personal Data for legitimate purposes in the following circumstances to:
    1. Any government entity, subdivision, agency, or instrumentality pursuant to statutory requirements prescribed by law, including, but not limited to, local government units, Bureau of Internal Revenue, Social Security System, Home Development Mutual Fund, Department of Labor and Employment, and Securities and Exchange Commission.
    2. Third parties that perform services on behalf of UBX, including, but not limited to, health maintenance organization provider, partner companies which provide value added service to the employees, and employee engagement partners;
    3. Third parties that contracted UBX to perform services for them and/or for their clients or customers;
    4. Any recipient as applicable court order or law would provide;
    5. Any recipient with employees’ affirmative consent or upon the employees’ consent, including but not limited to subsequent employer upon severance of ties from UBX, employment verification for visa and bank services; and
    6. Any recipient when reasonably necessary.
  3. International Transfer
    To improve the Company’s products and services, it may engage third party service providers whose infrastructure may reside outside the Philippines. Where such data transfers occur, UBX assures Data Subjects that adequate protection exists through appropriate contractual arrangements or as may be prescribed by law.
  4. Modes of Transfer of Personal Data within the Organization, or to Third Parties
    Transfers of Personal Data via electronic mail shall use a secure email facility with encryption of the data, including any or all attachments. Facsimile technology shall not be used for transmitting documents containing Personal Data.

Section 6. Data Sharing
Data Sharing applies when Personal Data is disclosed by Personal Information Controller to another Personal Information Controller for purposes of enhancement, monetizing, providing public services as provided by law, or any legitimate business purposes.

  1. Data Exporter and Data Importer
    For purposes of Data Sharing, both Personal Information Controllers may either be the Data Exporter or the Data Importer of the Personal Data, or both.
  2. Tests in Determining Data Sharing
    1. Data Exporter asks for the affirmative consent by the Data Subject to disclose their Personal Data with the Data Importer for a specified purpose.
    2. Data Importer stores the disclosed Personal Data from the Data Exporter in its own storage infrastructure environment.
    3. Both the Data Exporter and Data Importer invoke controllership over the Personal Data disclosed.
    4. Data Importer monetizes or utilizes the disclosed Personal Data for determined business purpose.
    5. Both parties introduce revenue scheme on the shared Personal Data.
    6. Data Importer conducts further processing beyond the intended purpose of the Data Exporter.
    7. Data Importer uses the disclosed Personal Data and combines them with its own data sets for enhancement and further processing such as, but not limited to, credit scoring.
  3. Prohibition on Receiving “Toxic Data”
    UBX, as Data Importer, shall not receive any “Toxic Data” or any Personal Data acquired by unlawful means or without affirmative consent by the Data Subjects.
  4. Data Sharing with Government
    All requests for disclosure, subpoenas, or any similar government or regulatory orders to disclose information or Personal Data held by UBX shall be coursed through Legal and/or the Data Privacy Office, regardless of the form and nature of the data the government order is requesting.

Section 7. Retention
Personal Data shall be retained only for as long as necessary for the following circumstances:

  1. the fulfillment of the declared, specified, and legitimate purpose, or until the processing relevant to the purpose has been terminated;
  2. the establishment, exercise or defense of legal claims; and
  3. legitimate business purposes, which must be consistent with the standards followed by the applicable industry or approved by appropriate government instrumentalities, agencies, or bureaus.

Section 8. Disposal
Data Disposal is mandatory upon the expiration of the retention period or when Data Subjects expressly request the disposal or deletion of their Personal Data, subject to the terms and conditions and contractual obligations of UBX.

  1. Irrecoverable Disposal
    Personal Data shall be disposed of in a secure manner that prevents further processing, unauthorized access, disclosure to any other party or the public, or prejudice to the interests of the data subjects.
  2. Outsourced Service Providers
    Personal Data shall not be stored in the information and communication system and filing system of the outsourced service providers or Personal Information Processors upon termination of contract and/or services.
  3. Certificate of Irrecoverable Disposal
    The service provider or the Processor shall procure a notarized attestation warranting that UBX data is no longer retained and has been irrecoverably disposed of in their processing systems.

Chapter 4 – Security Measures

As Personal Information Controller or Processor, UBX ensures reasonable and appropriate physical, technical and organizational measures for the protection of Personal Data. Security measures aim to maintain the availability, integrity and confidentiality of Personal Data and protect them against natural dangers such as accidental loss or destruction, and human dangers such as unlawful access, fraudulent misuse, unlawful destruction, alteration and contamination.

Section 1. Organizational Security Measures

  1. Conduct of Data Protection Workshop and Trainings
    The Data Privacy Office shall ensure that employees, representatives, official service providers, partners, and contractors undergo Data Privacy workshops and trainings at least once a year, or as often as necessary.
  2. Orientation for New Employees
    All new employees shall undergo Data Privacy awareness orientation.
  3. Conduct of Privacy Impact Assessment
    UBX shall conduct a Privacy Impact Assessment (PIA) relative to all activities, projects, and systems involving the processing of Personal Data.
  4. Privacy Impact Assessment in Business Development
    All corporate units, business process owners, product managers, project teams, and other forms of business development groups that involve processing of Personal Data shall conduct Privacy Impact Assessment with the Data Privacy Office in order to determine the privacy and security risks involved in their respective processes, projects, products, and various forms of technological solutions involving Personal Data.
  5. Documentation of Data Protection Policies
    The Data Privacy Office shall document all data protection policies and ensure their compliance by all employees and representatives.
  6. Review of Privacy Manual
    This Manual shall be reviewed and evaluated annually. Privacy and security policies and practices within the organization shall be updated to remain consistent with current data privacy best practices.

Section 2. Physical Security Measures
UBX shall establish procedures intended to monitor and limit access to the facilities containing Personal Data, including the activities therein, to ensure that Personal Data under the custody of the Company is protected from mechanical destruction, tampering and alteration, man-made disasters, power disturbances, external access, and other similar threats.

  1. Access Procedure of Agency Personnel
    Only authorized personnel shall be allowed inside the data room. Other personnel may be granted access to the data room upon filing of an access request form with the Data Protection Officer and approval thereof.
  2. Monitoring and Limitation of Access to Room or Facility
    All employees and representatives authorized to enter and access the data room or facility must fill out and register with the online registration platform of UBX, and a logbook placed at the entrance of the secure data room. They shall indicate date, time, duration and purpose of each access.
  3. Design of Office Space or Work Station
    Computers shall be positioned with considerable space between them to maintain privacy and protect the processing of Personal Data.
  4. Persons involved in the Processing, and their Duties and Responsibilities
    Personnel involved in processing shall always maintain the confidentiality and integrity of Personal Data. They are not allowed to bring their own gadgets or storage devices of any form when entering the data storage room.

Section 3. Technical Security Measures
UBX shall implement technical security measures to make sure that there are appropriate and sufficient safeguards to secure the processing of Personal Data, particularly in the computer network in place, including encryption and authentication processes that control and limit access. Available technologies and tools for encryption, masking, anonymization or pseudonymization of Personal Data should be used for data protection, subject to industry standards, policy and recommendations.

  1. Data Encryption
    Electronic data in whatever form shall be encrypted whether at rest or in transit.
  2. Storage and Device Encryption
    Database, system, devices, and all other assets that store electronic files shall be encrypted at all times to prevent unauthorized access.
  3. Pseudonymization
    Personal Data, in whatever form, shall be subjected to pseudonymization and/or redaction, as the case may be, to prevent identification of Data Subjects in the processing activities.
  4. Data Loss Prevention
    UBX shall implement enterprise-wide Data Loss Prevention (DLP) policies.


    1. Purpose
      1. The DLP policy shall be implemented, at all times, to maintain confidentiality and integrity of Personal Data and other confidential and proprietary information of the Company.
      2. The DLP policy shall promptly discover and remedy any Security Incident, Personal Data Breach or misuse of any data.
      3. The DLP policy shall expeditiously reduce the probability of Security Incident or Personal Data Breach.
    2. Scope
      1. UBX shall access and examine data processing systems, computers, information technology assets, resources and all data whether in transit or at rest, which utilize its assets in any manner whatsoever.
      2. Subject to the Personal Data Classification Matrix and Data Classification Policy, the following data shall be subjected to DLP monitoring in all systems, computers, and other IT assets:
        1. Full Name
        2. Account Number
        3. Financial Information
        4. Credit Card Number
        5. Transactional Data
        6. Health Information
        7. Sensitive Personal Information such as religion, age, gender, ethnicity, and other information that can discriminate Data Subjects.
      3. UBX shall monitor all network activities of individual computer users of Company’s assets.
      4. UBX shall conduct a forensics analysis of the Company’s assets, and the use and usage of such assets.
    3. Procedure
      1. The Data Protection Officer (DPO) shall take reasonable measures to secure Personal Data and other confidential and protected information by using, among other techniques and methods, DLP software tools and equipment to monitor, identify, and block any unauthorized disclosure of Personal Data, and other protected information, whether intentionally or unintentionally.
      2. The DPO shall prescribe mechanisms that can identify and address areas of high risk for the unauthorized release of Personal Data or protected information and the misuse of data and applications.
      3. The DPO may exercise the following rights or take one or more actions if the DPO reasonably determines that such action is necessary or appropriate to:
        1. Protect the integrity or security of Personal Data or protected information or the Company’s assets;
        2. Protect the Company from incurring liability;
        3. Reduce the risk of the deliberate or unwitting disclosure of Personal Data or protected information or security features of the Company’s network and/or architecture that are not publicly known;
        4. Investigate unusual or excessive activity typically associated with illegal activity or activity that may be in violation of Acceptable Use of Information Technology Device Policy, Bring-Your-Own-Device Policy, and other related policies;
        5. Investigate credible allegations of illegal activity or violations of Company’s policies; or
        6. Comply with law or compulsory legal process.
    4. Probable Violations
      1. Confirmation
        1. In the event that UBX is made aware of a probable violation of a policy through the misuse of an Information Technology asset, the incident shall be recorded in a secure records system.
        2. A notification and description of the incident shall be sent to the DPO, as the case may be, for further review and analysis.
        3. If the DPO concurs that a probable violation has occurred or is likely to occur, notice shall be sent to the immediate superior of the violator.
      2. Notifications
        1. Upon receiving the notifications, the DPO shall initiate proper administrative procedure with the Human Resources and the immediate superior or business
      3. Sanctions
        1. UBX employees and third-party service providers are expected to cooperate with the DPO with respect to the implementation of the DLP policy.
        2. Any person who knowingly attempts to circumvent, bypass, defeat, or disrupt any device, method, or technology implemented by the Company for purposes of implementing the DLP policy shall be subjected to appropriate disciplinary and remedial actions, subject to the Company’s Code of Conduct and policies on the matter.
    5. Operating Procedures
      The DPO may adopt such operating procedures to further implement DLP policy as may be appropriate, provided that, such operating procedures are not in conflict with any provision of DLP policy or this MANUAL.
  5. Using the Standards of Information Security Management Systems (ISO/IEC 27000)
    The Data Privacy Office shall utilize the standards set forth for Information Security Management Systems (ISMS) under the ISO/IEC 27000 family as a systematic approach to managing Personal Data in the processing systems of the Company, to maintain the security and privacy of Data Subjects.

Chapter 5 – Personal Data Breach and Security Incident Management

This Chapter enumerates the policies and procedure if and when the Company is subjected to Personal Data Breach and/or Security Incident, which shall complement Information Security Policies on Cyber-Attack Response and Security Incident Reporting and Personal Data Breach Notification, as well as the National Privacy Commission Circular No. 16-03 on Personal Data Breach Management.

Section 1. Data Breach Response Team
There shall be a Data Breach Response (hereinafter referred to as “DBR”) Team to ensure that Security Incidents and/or Personal Data Breaches are handled with the vigilance and diligence required by the Data Privacy Act. The DBR Team shall be co-headed by the Data Protection Officer (DPO).

  1. Composition
    It shall be composed of the Data Privacy Officer and the Chief Technology Officer, working in conjunction with the relevant Business Unit deemed necessary for the task, and third parties as may be required by the DBR Team.
  2. Functions
    1. Implement this Personal Data Breach and Security Incident Management Policy and Procedure;
    2. Manage Security Incidents and Personal Data Breaches;
    3. Determine compliance by UBX with the relevant provisions of the Data Privacy Act, its Implementing Rules and Regulations, and all related issuances by the National Privacy Commission on Personal Data Breach Management; and
    4. Update the Board of Directors and Senior Management on the developments of the incident and/or breach, as soon as may be possible.

Section 2. Mitigating Measures

  1. Conduct of a privacy impact assessment to identify attendant risks in the processing of personal data. It shall take into account the size and sensitivity of the personal data being processed, and impact and likely harm of a personal data breach;
  2. Data governance policy that ensures adherence to the principles of transparency, legitimate purpose, and proportionality;
  3. Implementation of appropriate security measures that protect the availability, integrity and confidentiality of personal data being processed;
  4. Regular monitoring for security breaches and vulnerability scanning of computer networks;
  5. Capacity building of personnel to ensure knowledge of data breach management principles, and internal procedures for responding to security incidents;
  6. Procedure for the regular review of policies and procedures, including the testing, assessment, and evaluation of the effectiveness of the security measures.

Section 3. Procedure for Recovery and Restoration of Personal Data
UBX shall always maintain a backup file for all Personal Data under its custody. In the event of a Security Incident or Data Breach, it shall always compare the backup with the affected file to determine the presence of any inconsistencies or alterations resulting from the incident or breach.

  1. Detection
    1. UBX Personnel or DBR Team members detecting or receiving information relating to a suspected Security Incident or Personal Data Breach shall ensure that the following are logged:
      1. Date and time of discovery
      2. Nature or origin of the threat, incident and/or breach
      3. Probable or verified cause
      4. Details of resolution or action taken
      5. Name/s of personnel who took action.
    2. The Data Protection Office shall be immediately notified upon confirmation of a Security Incident or Personal Data Breach to convene the DBR Team and trigger the necessary response procedures.
    3. Discovery of a vulnerability in the data processing system that would allow access to Personal Data shall prompt the DBR Team to conduct an assessment and determine whether a Personal Data Breach has occurred.
  2. Response
    1. The DBR Team shall be convened with the necessary Business Unit involved and third parties, as may be applicable, to plan the specific actions to be taken and assign tasks to respective DBR Team members.
    2. If the incident has been determined to involve Personal Data of individuals or is classified as a Personal Data Breach, the Data Protection Officer, in parallel with any ongoing investigation and response procedures, will engage UnionBank’s Data Privacy Office to further analyze the scope of the Personal Data Breach, identify affected Data Subjects, and determine any legal, regulatory, contractual, and risk ramifications.
    3. Reasonable efforts will be made by the DBR Team to obtain written approval by any Senior Management concerned, or as may be applicable, prior to reporting or disclosing Security Incident or Personal Data Breach to external parties, taking into utmost consideration the nature of the Company’s reputation and that of its stakeholders.
    4. No member of DBR Team shall be authorized to speak on behalf of UBX, unless otherwise appointed by the Board of Directors.
  3. Recover
    The DBR Team shall exert all necessary efforts to restore the availability, confidentiality, and integrity of the system, data, and information involved in the Security Incident or Personal Data Breach.
  4. Identify
    The DBR Team shall exert all necessary efforts to identify the perpetrator or cause of the Security Incident or Personal Data Breach. The Team shall also identify remediation actions to prevent the same incident or breach from happening again.

Section 4. Personal Data Breach Notification
UBX shall notify the National Privacy Commission and Data Subjects affected when the following conditions occur:

    1. Sensitive personal information, or other information that may, under the circumstances, be used to enable identity fraud, is involved;
    2. Such information is reasonably believed to have been acquired by an unauthorized person; and
    3. Such unauthorized acquisition is likely to give rise to a real risk of serious harm to any affected Data Subject.
  1. Delegated Authority of Data Protection Officer
    The Data Protection Officer shall have delegated authority to decide and determine the need to notify the National Privacy Commission and Data Subjects affected as required by NPC Circular No. 16-03, taking into utmost consideration the nature of the Company’s reputation.

    1. The Data Protection Officer shall provide Senior Management with a full report within twenty-four (24) hours from the fulfillment of the notification requirement.
    2. Senior Management Committee may determine the necessity to update the Board of Directors on the Personal Data Breach and the fulfillment of the notification requirement.
  2. Determination of the Need to Notify
    When there is uncertainty as to the need for notification, the Data Protection Officer shall consider the likelihood of harm or negative consequences to the affected Data Subjects, and how notification to the Data Subjects could reduce the risks arising from the Personal Data Breach reasonably believed to have occurred. The Data Protection Officer shall consider whether the Personal Data reasonably believed to have been compromised involves the following:

    1. Information that would likely affect national security, public safety, public order, or public health;
    2. At least one hundred (100) individuals;
    3. Information required by applicable laws or rules to be confidential; or
    4. Personal data of vulnerable groups.
  3. Notification Procedure
    1. UBX, through the Data Protection Officer, shall notify the National Privacy Commission and the affected Data Subjects within seventy-two (72) hours upon knowledge of or reasonable belief by UBX that a Personal Data Breach occurred.
    2. The Data Protection Officer shall notify affected Data Subjects, through a secure means of communication, of the nature of the breach, the Personal Data possibly compromised, the measures taken to address the Personal Data Breach and reduce negative consequences, and the contact details of the government authorities concerned and of the Data Privacy Officers and Customer Engagement Representatives who can assist affected Data Subjects in mitigating possible ramifications to their right to privacy.
    3. Notification shall be in the form of a report, whether written or electronic, containing the required contents.
    4. Where the notification is transmitted by electronic mail, the Data Protection Officer shall ensure the secure transmission thereof. Upon receipt, the Commission shall send a confirmation to the Data Protection Officer. A report is not deemed filed without such confirmation.
    5. Where the notification is through a written report, the received copy retained by the Data Protection Officer shall constitute proof of such confirmation.
    6. Full report of the Personal Data Breach must be submitted within five (5) days, unless UBX is granted additional time by the Commission to comply.
  4. Content of Notification
    Subject to other requirements as may be provided by the Commission, the notification to the Commission shall include, but not be limited to:

    1. Nature of the Breach
      1. Description of how the breach occurred and the vulnerability of the data processing system that allowed the breach;
      2. A chronology of the events leading up to the loss of control over the Personal Data;
      3. Approximate number of Data Subjects or records involved;
      4. Description or nature of the Personal Data Breach;
      5. Description of the likely consequences of the Personal Data Breach; and
      6. Name and contact details of the Data Protection Officer or any other accountable persons.
    2. Personal Data Possibly Involved
      1. Description of sensitive personal information involved; and
      2. Description of other information involved that may be used to enable identity fraud.
    3. Measures Taken to Address the Breach
      1. Description of the measures taken or proposed to be taken to address the breach;
      2. Actions being taken to secure or recover the Personal Data that were compromised;
      3. Actions performed or proposed to mitigate possible harm or negative consequences, and limit the damage or distress to those affected by the incident;
      4. Action being taken to inform the Data Subjects affected by the incident, or reasons for any delay in the notification;
      5. The measures being taken to prevent a recurrence of the incident.
  5. Exemption from Notification Requirements
    The following additional factors shall be considered in determining whether the Commission may exempt UBX from notification:

    1. Security measures that have been implemented and applied to the Personal Data at the time the Personal Data Breach was reasonably believed to have occurred, including measures that would prevent use of the Personal Data by any person not authorized to access it;
    2. Subsequent measures that have been taken by UBX to ensure that the risk of harm or negative consequence to the Data Subjects will not materialize;
    3. Age or legal capacity of the affected data subjects: Provided, that in the case of minors or other individuals without legal capacity, notification may be done through their legal representatives.
    4. In evaluating if notification is unwarranted, the Commission may consider the compliance by UBX with the law and existence of good faith in the acquisition of Personal Data.
  6. Delay in Notification
    Notification may only be delayed to the extent necessary to determine the scope of the breach, to prevent further disclosures, or to restore reasonable integrity to the information and communications system.
  7. Failure to Notify
    There shall be no delay in the notification if the breach involves at least one hundred (100) Data Subjects, or the disclosure of sensitive personal information will harm or adversely affect the Data Subject.

Section 5. Investigation of a Breach or a Security Incident
Depending on the nature of the incident, or if there is failure or delay in the notification, the Commission may investigate the circumstances surrounding a Personal Data Breach, subject to the Rules of Procedure of the Commission.

Section 6. Documentation and Reporting Procedure of Security Incidents or a Personal Data Breach
The Data Breach Response Team shall prepare a detailed documentation of every incident or breach encountered, as well as an annual report, to be submitted to management and the Commission, within the prescribed period.

Section 7. Dealing with Personal Information Processor
In case a Personal Data Breach occurs at a Personal Information Processor of the Company, the Processor shall be mandated to notify the Company within twenty-four (24) hours from knowledge of the Security Incident or Personal Data Breach, to enable the Company to take the necessary measures to assess the extent and scope of the compromised data and systems, and the damage to the integrity, confidentiality, and availability of information. The Data Protection Officer of the Processor shall immediately coordinate with the Company’s Data Protection Officer to comply with the notification requirements.

Chapter 6 – Policy Deviation

Section 1. Deviation
Deviation is any departure from approved and established UBX corporate policies and procedures.

Section 2. Deviation Request
A Deviation Request (DR) is initiated when a deviation from policies, standards, processes, or procedures is needed by the Business. By signing the DR, the deviation proponent or owner acknowledges the information security and data privacy risks involved, and shall identify the employees, agents or representatives, particularly those who will have access to Personal Data, who are subject to the acts or omissions punishable by the Data Privacy Act and its Implementing Rules and Regulations, as well as pertinent regulations on data protection.

Section 3. Non-compliance
UBX employees and representatives who fail to comply with the stipulations of this MANUAL and fail to procure the required DR shall submit a written explanation, addressed to the Data Privacy Office, stating why the non-compliance was committed. The Data Protection Officer and Human Resources will determine the merits of the case and the necessary course of disciplinary action to pursue, subject to the Code of Conduct and internal policies of the Company.