Introduction

PHIL LABOR (PL) is committed to managing personal information in accordance with Republic Act No. 10173, otherwise known as the Data Privacy Act, and the PL Privacy Policy. This document sets out the processes and control measures put in place by PL, to be followed by our staff, to ensure data protection and privacy for our customers and clients. Data protection is concerned with the loss of, unauthorized access to, or unauthorized disclosure of, personal information. Accordingly, PL needs to be prepared to provide data protection for all parties involved. Adherence to this procedure will ensure that PL can contain, assess and respond to data protection incidents expeditiously and mitigate potential harm to the person(s) affected. This document should be read in conjunction with PL’s Privacy Policy, which describes how PL legally and ethically collects client personal information.

Purpose 

PHIL LABOR is legally required under Republic Act No. 10173, otherwise known as the Data Privacy Act, to ensure the security and confidentiality of the information/data it processes on behalf of its clients and employees. Information/data is one of our most important assets, and each one of us has a responsibility to ensure its security. Accurate, timely, relevant, and properly protected information/data is essential to the successful operation of PL in the provision of services to our clients. A breach of information/data security may occur because information/data is accidentally disclosed to unauthorized persons, lost in a fire or flood, or stolen as a result of a targeted attack or the theft of a computer, mobile or electronic device. The purpose of this policy is to ensure that an internationally standardized management approach is implemented throughout the organization. This policy is mandatory, and by accessing any of PL’s information/data, users agree to abide by its terms.

Scope 

This policy represents the PL position and takes precedence over all other relevant policies which may have been developed. The policy applies to all PL employees, service providers, contractors and third parties who access, use, store or process information on behalf of PL. This policy is authorized by the management of PL. The objective of this Policy is to minimize the risk associated with data protection and consider what action is necessary to secure personal data and prevent breaches.

Legislation 

PL has an obligation to abide by all relevant Philippine legislation. The relevant acts, which apply in Philippine law to Information Systems, include but are not limited to:

  1. Republic Act No. 10173, otherwise known as the Data Privacy Act

Definition/Types of Breach 

For the purpose of this Policy, data protection includes both internal (PHIL LABOR) and external (clients) data. 

The purpose of data protection is to reduce the possibility of an incident or security breach: an event or action, accidental or deliberate, that may compromise the confidentiality, integrity or availability of systems or data and that has caused, or has the potential to cause, damage to PL assets and/or reputation.

An incident includes but is not restricted to, the following: 

  1. Loss or theft of confidential or sensitive data or equipment on which such data is stored (e.g., loss of laptop, USB stick, iPad/tablet device, or paper record) 
  2. Equipment theft or failure 
  3. Unauthorized use of, access to, or modification of data or information systems 
  4. Attempts (failed or successful) to gain unauthorized access to information or IT system(s)
  5. Unauthorized disclosure of sensitive / confidential data 
  6. Website defacement 
  7. Hacking attack 
  8. Unforeseen circumstances such as a fire or flood 
  9. Human error 
  10. ‘Blagging’ offenses, where information is obtained by deceiving the organization that holds it

Policy 

This policy defines the measures put in place to reduce or eliminate the possibility of unintentional data loss for Phil Labor and our clients. The sections below describe the mitigations put in place to ensure data protection.

Data Protection Plan

Persons Responsible

Any individual who accesses, uses, or manages information is responsible for reporting data breaches and information security incidents immediately to the IT Manager – Rafael Pamintuan – rafael@boomering.ph and Phil Labor’s General Manager – Jeff Collinson – operations@phillabor.com.

Implemented Data Protection Measures

1. Disable USB access: This will disable a user’s read, write and execute access to any of the USB ports. Only the mouse, keyboard, and headsets will function.

2. Disable File and Printer Sharing: This prevents the user from printing files or sharing them via network drives, network shared folders or devices.

3. Computer hard drives are reformatted when workstations are reassigned. Periodic routines also wipe hard drives, so that staff employed at the request of clients do not retain client data on local computers.

4. For WFH employees, the Internet router is set to WPA2 and all passwords have been changed from the defaults to longer, secure passwords. Employees are notified not to use public Wi-Fi to conduct company business.

5. Employees are notified to use unique passwords that are as long and complex as they can reliably remember, and to use a password manager to store them. All employees are also informed not to share passwords with anyone.

6. Port Blocking: This disables all of the ports that can be used for advanced file sharing, such as FTP, SFTP, SSH, Telnet, RPC portmap, NetBIOS, etc.

7. Website whitelisting: Only specific, approved websites are accessible to the user.

8. Enabling timeframe/period only: A user is able to sign in to or out of their respective workstation only within an approved time interval matching their shift schedule.

9. Auto-Lock Feature: The workstation automatically shuts down or locks if the employee does not use the computer for a predetermined amount of time.

10. Third Party Employee Monitoring Systems: Phil Labor uses third-party software to monitor employee activity, keystrokes, web activity and social media, to take screenshots periodically, and to produce monthly reports for our clients. Specialist cyber security monitoring using AI is available to clients at additional cost. This establishes normal working patterns, access, etc., tailored to each client's staff; should a staff member deviate from those norms, this is flagged for reporting and investigation.

11. Work from Home (WFH): With many of the staff working from home, this presents challenges that are not normally an issue in a regular office working situation. In the office environment, clients have to specifically approve their staff having access to their mobile phones while on shift, since such devices can be used to take photos of sensitive data (e.g., customer lists) on a monitor or of other data around them. In addition, office work is recorded by CCTV, which discourages staff from performing inappropriate actions. When working from home, CCTV and mobile phone control are not possible.

The majority of the staff work directly for clients, so it is also the responsibility of the clients to put processes and systems in place to ensure data protection. This can take many forms, such as remote login to client-controlled servers (e.g., for email and work drives held in secure locations) and security controls on mobile phone work applications.

Process controls can include keeping data in secure cloud folders that can be viewed, rather than staff accessing email accounts with attachments that may be downloaded.

12. Clients could enhance security by having their offshored staff access the clients' servers directly via a VPN, giving enhanced protection from hacking, etc. Staff WFH are also vulnerable to security attacks when they are using a shared Internet connection at home or, in an emergency when internet or power is not working at home, in a public place. A VPN will be used whenever remote access is required.

13. Antivirus is installed on all company computers. It is configured to update hourly, with “real-time” scanning enabled. It is the responsibility of every employee to run a weekly virus scan on their computer.

14. The company uses a firewall on network equipment, with no direct port forwarding allowed.

15. All computers have the software firewall enabled.

16. Operating system patches are automatically downloaded and installed as necessary, and all software is automatically updated.

17. Staff are not to open email attachments unless they are expecting them and they are sent from a trusted sender. Staff should also be wary of emails that ask for sensitive or personal financial information. Staff should not click on links in an email unless they know where the link will lead and the sender of the email is trusted.

18. Staff are not to click the YES button on pop-ups in a web browser. If a pop-up claims that a virus or spyware has been detected, they are to immediately close the window. Online banking should only be conducted over a secure connection, indicated by the lock icon in the browser's address bar next to the website's URL.

19. Staff are to observe caution about posting personal information on social media.
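The following audit script is an added example, not Phil Labor's own tooling: it checks a single Windows workstation against the USB, file and printer sharing, port blocking, auto-lock and software firewall measures listed above. The registry paths and firewall cmdlets are standard Windows ones; the port numbers and the 15-minute idle limit are assumptions drawn from the policy text, not values the policy states.

```powershell
# Added example (not Phil Labor's own tooling): audit one Windows workstation
# against the policy's USB, file/printer sharing, port blocking, auto-lock and
# software firewall measures. Assumes Windows 10/11 with the NetSecurity
# module and an elevated PowerShell session. Port list and idle timeout below
# are assumptions drawn from the policy text, not values Phil Labor publishes.

$results = [ordered]@{}

# USB access: the USB mass-storage driver is disabled when Start = 4.
$usb = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' -Name Start -ErrorAction SilentlyContinue
$results['USB storage disabled'] = ($usb.Start -eq 4)

# File and Printer Sharing: no enabled inbound allow rules in that firewall group.
$fps = Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -ErrorAction SilentlyContinue |
       Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }
$results['File and printer sharing disabled'] = (-not $fps)

# Port blocking: enabled outbound block rules must cover FTP, SSH/SFTP, Telnet,
# RPC portmap and NetBIOS/SMB (standard port numbers, assumed here).
$requiredPorts = 21, 22, 23, 111, 137, 138, 139, 445
$blocked = foreach ($pf in (Get-NetFirewallRule -Direction Outbound -Action Block -Enabled True |
                            Get-NetFirewallPortFilter)) {
    foreach ($p in @($pf.RemotePort)) {          # expand "137-139" style ranges
        if ($p -match '^(\d+)-(\d+)$') { ([int]$Matches[1])..([int]$Matches[2]) }
        elseif ($p -match '^\d+$')     { [int]$p }
    }
}
$missing = @($requiredPorts | Where-Object { $blocked -notcontains $_ })
$results['Advanced file-sharing ports blocked'] = ($missing.Count -eq 0)

# Auto-lock: password-protected screen saver within an assumed 15-minute idle limit.
$maxIdleSeconds = 15 * 60
$desk = Get-ItemProperty 'HKCU:\Control Panel\Desktop'
$results['Auto-lock configured'] = ($desk.ScreenSaveActive -eq '1' -and
                                    $desk.ScreenSaverIsSecure -eq '1' -and
                                    $desk.ScreenSaveTimeOut -and
                                    [int]$desk.ScreenSaveTimeOut -le $maxIdleSeconds)

# Software firewall: every profile (Domain, Private, Public) must be enabled.
$off = Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' }
$results['Software firewall enabled on all profiles'] = (-not $off)

# One PASS/FAIL line per measure, plus the ports no block rule covers.
$results.GetEnumerator() | ForEach-Object {
    '{0,-42} {1}' -f $_.Key, $(if ($_.Value) { 'PASS' } else { 'FAIL' })
}
if ($missing.Count) { "Ports not covered by an outbound block rule: $($missing -join ', ')" }
```

A FAIL line identifies which of the policy measures the workstation does not currently meet; the script only reads configuration and changes nothing.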

Enforcement

PL reserves the right to take such action as it deems appropriate against users who breach the conditions of this policy. PL employees who breach this policy may be denied access to the organization’s information technology resources, and may be subject to disciplinary action, including suspension and dismissal as provided for in the PL disciplinary procedure.