CPI Outsourcing only collects information necessary for the delivery of the services provided by the organization. Data collected can include but is not limited to:
• Full Name;
• Email Address;
• Government numbers; and,
• Employee Information from Client Organization.
Usage of Data
Collected information is used solely for the delivery of services rendered by CPI Outsourcing to its customers. The data of CPI Outsourcing's employees are used for salary processing, benefits, performance evaluation, and other reasonable organizational use.
Storage, Retention, and Destruction/Disposal
Any stored personally-identifiable information within CPI Outsourcing is protected by appropriate security controls. These controls are in place to avoid any accidental or malicious destruction, unauthorized alteration, unauthorized disclosure, and any processing not stated in the agreements between CPI Outsourcing and its clients/employees. Unless stated in agreements otherwise, CPI Outsourcing shall retain a copy of all information gathered for a period not longer than five (5) years. After this period, the information shall be deleted, disposed, or destroyed in a secure manner.
CPI Outsourcing recognizes the sensitive and confidential nature of the data under it's custody. As such, the organization limits data access only to authorized personnel. In addition to this, CPI Outsourcing assign access rights following the concept of least privilege(i.e., individuals are only given access to data they need to perform their responsibilities).
For example, client data is only accessible by the employees assigned to that specific customer. Employees are never given access rights in access to what is needed.
Disclosure and Sharing
All CPI Outsourcing employees are to preserve the confidentiality of all personally identifiable data that comes to their knowledge and custody. This obligation shall be maintained even after resigantion or termination of contract as stated in the Secrecy Agreement. Personal information shall only be disclosed in pursuant to lawful purposes and authorized recipients. When legally allowed, data subjects and interested parties will be notified of any lawful requests for data disclosure as soon as possible.
CPI Outsourcing is currently following industry best practices for Information Security. This is to ensure the preservation of the confidentiality, integrity, and the availability of all data under the organization's custody. A brief overview of our controls maybe seen below.
CPI Outsourcing's Data Protection Officer(DPO) is Robert Joseph M. Tolentino, Mr. Tolentino is also the Information Security Officer for the organization.
The Data Protection Officer shall be the individual to oversee CPI Outsourcing's compliance to the DPA, its IRR, and other information security related industry standards that the organization follows.
CPI Outsourcing also conducts the following organization security controls but is not limited to:
• Conducting of risk assessments;
• Change management;
• Human resource security;
• Confidentiality/Secrecy agreements,
• Vendor/Supplier management;
• Document control; and,
• Assessments of management system performance (internal and external).
Data in CPI Outsourcing's custody may take form of both physical and digital formats. the security of the assets where these information are stored must also be ensured.
Some examples of physical security measures are as follows:
• Perimeter controls;
• Environmental safety controls, programs, and procedures;
• Physical access controls;
• Asset retention and disposal procedures;
• Secured working areas; and,
• Data/Information transfer policies and procedures.
Technology is a vital aspect to any modern business today. CPI Outsourcing supplements its other security measures through the use of the technical controls listed below:
• Utilization of firewalls/intrusion detection and prevention systems;
• Network security;
• Cryptography controls;
• Security considerations for use of software and systems; and,
• Email controls.
This is a non-exhaustive list of CPI Outsourcing's technical controls.
Breach Security Incidents
In case of any information security incidents, a team of respondents are ready within CPI Outsourcing. The incident response team is responsible for the immediate action necessary when a breach has been confirmed. This team shall follow the information Security Incident Management Procedures containing, handling, solving, and learning from incidents.
In the case of information incidents, affected data subjects and all interested parties will be notified as soon as possible. Incident reports will also be submitted to these interested parties in addition to the National Privacy Commission(NPC).
Inquiries and Complaints
CPI Outsourcing recognizes the right of its data subjects to inquire or request for information regarding the processing of their personally-identifiable information. For any inquiries, please contact the organization at firstname.lastname@example.org and state your concern. our representative will acknowledge and confirm the authenticity of the complaint from the complainant as soon as possible.