PASIG PASS PORTAL APPLICATION

ITBS SMART COUNTRY ECOSYSTEM APP’S PRIVACY POLICY

The ITBS Information Technology Business Solutions Corp. (ITBS) Smart Country Ecosystem secures the personal information entrusted to it by the users and gives primordial importance to their privacy and so therefore, this Privacy Policy is developed in accordance with DILG Memorandum Circular No. 2005-69, issued July 21, 2005, reiterating the maintenance and updating the records of all Inhabitants of the Barangay, in connection with Republic Act 10121 known as the Philippine Disaster Risk Reduction and Management Act of 2010 in connection with disaster response purpose, and for other purposes pursuant to Republic Act No. 11032, or the Ease of Doing Business and Efficient Government Service Delivery Act of 2018, Republic Act No. 8792 or the "Electronic Commerce Act of 2000", states as its objective to facilitate domestic and international dealings, transactions, arrangements agreements, contracts and exchanges and storage of information through the utilization of electronic, optical and similar medium, mode, instrumentality and technology to recognize the authenticity and reliability of electronic documents related to such activities and to promote the universal use of electronic transaction in the government and general public, Republic Act No. 11332 or the Mandatory Reporting of Notifiable Diseases and Health Concerns Act, and in compliance to the Implementing Rules and Regulations pertaining to Republic Act No. 10173 known as the Data Privacy Act of 2012, an act Protecting Individual Personal Information In Information and Communication System in the Government and Private Sector, Creating for this Purpose a National Privacy Commission, and to Republic Act No. 11055 known as Philippine Identification Act, and Local Government Code of the Philippines Section 16, General Welfare Clause.

This Privacy Policy will give you an overview on how the Personal and Sensitive Personal information, as defined in the abovementioned laws, are strictly collected, used, and shared for the greater good. The developer ensures that the collection, usage, and sharing of the personal and sensitive personal information strictly follows the standards of security and confidentiality with respect to the user.
NOTE: This version of the ITBS Smart Country Ecosystem App is specially modified and customized with the aforementioned laws with its objectives and purposes, and in relation with DILG Memorandum Circular No. 2005-69 and to the RESPONSE Cluster functions as stated on the RA 10121, IRR Rule 3, Section 2 in order to serve its purpose in the context of Emergency, Crisis and Disaster management using an accurate data and information from the grass-roots level to address priorities and concerns during emergencies and disasters.

Data Processing System

Upon registration to the application, the Data Subject, as defined in the RA 10173, will be asked to provide their personal information and accept the terms and conditions by saving the information with their consent. The data subject must be provided specific information regarding the purpose and extent of processing, including, where applicable, the automated processing of personal data for profiling, or processing for direct marketing, and data sharing. The purpose will be determined and declared before or, as soon as reasonably practicable, after collection. Only personal data that is necessary and compatible with declared, specified, and legitimate purpose shall be collected.

This will be used for major purposes such as Citizen Registration, Repatriation for OFW/s, OF/s and Foreign Tourists, PNPKI application and for Health Services, Social Services and other Government Services during Emergencies, Crisis and Disaster Response Management. The information gathered will be shared with concerned government agencies. It will also be shared with the Local Government Unit/s (Barangay, Municipalities City/s) who analyze, utilize and update the data provided by the application in digital form in compliance with the DILG Memorandum Circular No. 2005-69, issued July 21, 2005, requiring the maintenance and updating of record of all Inhabitants of the Barangay. The personal information will be asked in order to access the application services up to the fullest extent possible.

The Data Subject may have a choice not to disclose their personal information to the application. However, they may not be able to access the whole functionality of the application, and the benefits accruing to the constituent.

What are the Personal Information collected and how are they used?
Any personal or private information collected through the mobile application shall be used for any legitimate purposes as provided by the law. This information may be shared to any authorized personnel who may need it to continue and complete processes.

When you register to the application, name, address, contact number, and date of birth will be asked. This data will be securely recorded and will be used for the aforementioned purposes as necessary.
The facial ID will be recorded, thru the smart phone’s camera, which will serve as the biometric requirements of the Data Subject in compliance to RA 11055, Section 7, B, (1) upon registration which could also be used in any government services/transactions in relation to RA 11032 also known as Ease of Doing Business and Efficient Government Service Delivery Act of 2018. The facial ID could be used to verify that the registrant actually exists and prevent fraudulent and phony claims during distribution of Social, Health and other Government Services in times of Emergency, Crisis and Disaster.
Since the application is designed to be implemented per family, the registrant will be asked to register his or her family members in the application in order to establish a family tree or genealogy and determine the kind and quantity of help to be given. Those individual/s living in the same address but not a family member such as Househelp, Boarders or Renter shall also be registered.
Other citizen category/s in different sectors must be registered and classified as Senior Citizen, Single Parent/s and Person with Disability/s (PWD).
Every household shall be categorized based on their tenurial status as owner, sharer, renter or boarder/s.
In some features of the application, a VALID ID will be required for verification purposes.
The Data Subject exact address will be accurately plotted in a Geographical Information System (GIS) via GPS in order to determine the exact location of the address. This GIS will be viewed by authorized personnel in their respective LGU/s.
Some of the features of this application require the Data Subject to take an assessment to determine their health status thru Telemedicine. Whatever their answers may be per question will be securely recorded and will only be disclosed to healthcare professionals who have better understanding with regards to the results in connection with the present Pandemic Crisis situation (COVID-19) or with other medical concerns. Every individual results may be viewed by authorized healthcare personnel to protect one’s privacy. The records will only show the contact number, address, and assessment result in compliance with Republic Act No. 11332 known as “Mandatory Reporting of Notifiable Diseases and Health Events of Public Health Concern Act” and in accordance with Republic Act No. 10173.

Disclosure of Personal Information
The personal information of the user shall not be disclosed without their consent. However, once the user agrees to the Terms and Conditions set by the application, this means that the user agrees that personal information will be disclosed to authorize personnel only for any legitimate and beneficial purpose it may serve.

Disclosure to Healthcare Professional
To highlight even more the functionality and importance of the application system in today’s crisis, an authorized healthcare professional will be given access to the selected information needed by the health sector in order to assess and analyze the current situation faced by the sector. The authorized personnel will be given access to the assessment result, location, contact number, and other personal information that may be needed to contact the citizen concerned.

Disclosure to Government Official
Since this app aims to promote transparency and streamline processes for the government, the information provided will be disclosed to authorized government official for the purpose of monitoring and verifying the help and assistance extended to the citizen. The information that will be disclosed to the authorized government official are the following: user’s VALID ID, name, address, and contact number.

Deactivation and Re-Activation of Account
The ITBS as the Data Processor will only conduct any actions and assistance to the Government/Institutions as the Data Controller relative to deactivation and Re-Activation of any Data Subject records and information will be based on the conducted validation and verification of the Administrator (end-user) from the affiliated government unit/agencies/office or other institutions, which is complied in any grounds as stated on the provision based on RA 11055, IRR, Section 9 and 10.

Amendment or Change of Entries

The ITBS as the Data Processor shall comply in any provisions reiterated in RA 11055, IRR, Section 11 and RA 10173.

The OTP will be used to access the CITICEN REGISTRATION MANAGEMENT SYSTEM (CRMS) GENERATOR. This feature is where the approved applicant may generate a unique digital signature in the form of a QR Code. Prior to the generation of a QR Code, however, the approved applicant shall be required to upload a set of government-issued IDs to again authenticate and validate the approved applicant. These digital copies will be saved in the application and may be used for future authentication and validation of the approved applicant.

The apps have an ADD DOCUMENT feature. This is where legal documents are uploaded for transmission to the receiver. Prior to transmission, the system shall prompt the approved applicant (now referred to as the “Sender”), to fill out, among others, the Name of Sender, the Name of Addressee and the Purpose/Nature of the document to be transmitted. In turn, the system shall automatically generate the Date and Time and the Reference Number of the document. This unique Reference Number shall also contain the Region, Province, City, Barangay, Citizen ID number and the IMEI number of the Sender. This information is then embedded on the QR Code and is attached to the document as a stamp of its authenticity.

Finally, to verify the authenticity of the digital signature on the document, the receiver may either use the VERIFY Button of the application or the camera of the smart phone (with the ability to read a QR Code). With the VERIFY button command, a screen shall prompt the receiver to input the Document Title/Reference Number or, by using the phone camera, scan the QR Code. Either of these actions will display the information embedded in the digital signature attached to the document. The document will only be considered valid once the details generated from the QR Code match the details written in the document, otherwise, the QR Code is deemed falsified. To further enhance the integrity of the system, Reference Numbers are blockchained for historical verification.

Layers of Security:

Https/ SSL certificate;
One Time Password (OTP);
Data Encryption; AES algorithm 128-256 bit;

Upon log-in: token will be generated by the server and will be sent to the mobile phone, once token accepted and matched, the data will be decrypted;
Edit Profile: data encrypted before sending to the server, once token matched the encrypted, the data will be decrypted.

BACK-END USER-INTERFACE DATA PRIVACY SAFETY FEATURES PROCESS

1. BARANGAY LEVEL:

Barangay Admin / Secretary/ or BDRRMO:

The Barangay conducts registration through its Certified Registration Officer (CRO) and could verify newly registered barangay inhabitant (Citizen) based on its Full Name, Middle Name, Last Name, Age, Address, Contact Number and Blood Type, pertaining on the submitted Government IDs and Documents as proof of his/her registration using the Mobile Registration App (MRP). If the Data Subject (person owned the personal information) has unable to submit any required IDs and documents, his/her registration status will be on PENDING STATUS from the Barangay Admin User-Interface/Dashboard during the suggested period of time, until the required IDs and Documents will be submitted. The Data Subject will receive ”daily, weekly, or monthly” notification, reminding to submit their required documents within six (6) months in order to verify all entries of information during registration for Barangay Certification purposes.

The Barangay Admin User-Interface/Dashboard has automatic access point to the Local Civil Registry (LCR) User-Interface/Dashboard for validation, verification of the submitted data/information and documents from the Barangay Inhabitant Records Registration System (BIRRS). The LCR will conduct verification and validations of the submitted data/information of documents from the BIRRS based on their records of documents such as Birth Certificate, Marriage Certificate, Death Certificate, and Alien Registration Certificate for the authentication process of the Barangay Inhabitant Registration Information (BIRI).

The Barangay Administrator/ Secretary/ or BDRRMO has their access to their User-Interface/Dashboard with filtered and limited information of the basic Data Subject Information (DSI) only such as; First Name, Middle Name, Last Name, Age, Gender, Address, Blood Type, Contact Number/Email Address and Facial ID.

The Barangay Administrator/ Secretary/ or BDRRMO can also monitor the daily progress of the Barangay Inhabitant Registrations, conducted by its CRO which is accredited by the Local Government Unit (LGU) through its LCR.

The Barangay Inhabitant Records Registration (BIRR) actions, facilitated by CROs can be monitor the numbers of registered inhabitants within particular Purok or Communities, also the Basic Personal Information of the registered inhabitants on a daily basis, especially during registration implementation through the BIRRS.

DISCLAIMER: From Barangay User-Interface to LCR User-Interface;

the Data Subject are able or can be update or amend his/her personal information without further restrictions within the suggested period of time while it is not yet been certified by the Barangay Admin Authorized Officer/s through its user-Interface and or authenticated by LCR through its User-Interface based on the submitted IDs and Documents .
- Once the Data Subject personal information has been certified by the Barangay Admin Authorized Officer/s and already been transmitted to LCR, the Data Subject’s intention to update or amend his/her information will be subject to be under the RESTRICTION PROCESS.
The system is only for Barangay Inhabitant Records Registration purposes, pursuant to DILG-MC 2005-69 in connection with RA 10121, using a digital form through Mobile Application and it could serve as back-up file of the LCR for any purposes it may serve with their exciting documents in their Local Civil Registry Management System (LCRMS).

2. CITY/MUNICIPALITY LEVEL:

• Local Civil Registry: The LCR is the only authorized agency/office to have the full access of the Citizen Registration Management System (CRMS) with highly Restrictions Policy Process (RPP) before can access a certain Data Subject profile.

Restriction Process Flow: If the Data Subject (DS) requested to update his/her registered information, the DS must have to send a request with attached or uploaded documents through Mobile Application. The DS must filled-up a form through Mobile App in order to input the exciting information vs the information which are needed to be amended. The amendment form must be fully filled-up stated its purpose of correction together with the uploaded or attached documents as basis for the validation, verification and authentication purposes of the LCR. (this is the safety features to process the requested profile amendments)
Personal Information Correction/Amendment Process:

The Data Subject must send a request form using the Citizen Mobile App attached with the uploaded IDs and Documents, and stated its purpose of correction or amendments;
The LCR will be notified by the request from the Citizen Mobile App and will be monitored through its User-Interface/Dashboard;
The LCR will send a notification/acknowledgement to the requesting Data Subject through SMS or via email to inform that the request is under process;
When the LCR already verified, validated the request based on its purpose with its transmitted IDs and Documents, the LCR will send a permission request to the requesting Data Subject via SMS/email to allow the Data Controller to view/open their profile in order to facilitate the requested correction or amendment of its personal information record; When the LCR already verified, validated the request based on its purpose with its transmitted IDs and Documents, the LCR will send a permission request to the requesting Data Subject via SMS/email to allow the Data Controller to view/open their profile in order to facilitate the requested correction or amendment of its personal information record;
The requesting Data Subject will receive request from the LCR via SMS/email;
When the Data Subject allows LCR to view/open his/her profile for the specific purposes, the Data Subject must click the ALLOW BUTTON to send his/her consent.
The Data Subject consent will be sent by the system by sending One Time Password (OTP) to LCR User-Interface/Dashboard in order to allow the Data Controller to view/open a certain data subject profile to facilitate the correction or amendment request.
After the requested amendment or correction of personal information based on its purpose, the requesting Data Subject will be receiving a notification from LCR system stating that his/her request has already been corrected or amended and authenticated.
After all the corrections or amendments process has been done, the Citizen Registration Management System (CRMS) managed and controlled by LCR will send a notification of correction or amendment of certain Data Subject profile to specific Barangay/s through their BIRRS and will be automatically updated to their system upon acknowledgement of the system notification.

DRRMO Command Center: is the repository of all data used in Emergency, Crisis and Disaster management purposes.

- The DRRMO Command Center has its own Dashboard with access of information and topography of projected population of each Purok, Sitios, Areas and Subdivisions within specific Barangays in GIS Maps.
- The DRRMO Command Center dashboard also has its access of the Data Subject Information parameters and Classifications used for Emergency, Crisis and Disaster management purposes but not limited to;
Data Subject Personal Information:

Full Name
Date of Birth
Place Birth
Blood Type
Facial ID
Gender

Inhabitant Classifications:

Total populations based on its required age bracket;
Numbers of Senior Citizen per Purok, Sitos, Areas and Subdivision;
Numbers of Single Parents per Purok, Sitos, Areas and Subdivision;
Numbers of Person with Disability per Purok, Sitos, Areas and Subdivision;
Numbers of Alien Residents per Purok, Sitos, Areas and Subdivision;
Numbers of Indigenous People per Purok, Sitos, Areas and Subdivision; Professions/Job description and skills of every persons per Purok, Sitos, Areas and Subdivision;

DRRMO Command Center: is the repository of all data used in Emergency, Crisis and Disaster management purposes.

The DRRMO Command Center has its own Dashboard with access of information and topography of projected population of each Purok, Sitios, Areas and Subdivisions within specific Barangays in GIS Maps.
The DRRMO Command Center dashboard also has its access of the Data Subject Information parameters and Classifications used for Emergency, Crisis and Disaster management purposes but not limited to;
Data Subject Personal Information:

 Full Name
Date of Birth
Place Birth
Blood Type
Facial ID
Gender
Total populations based on its required age bracket;
Numbers of Senior Citizen per Purok, Sitos, Areas and Subdivision;
Numbers of Single Parents per Purok, Sitos, Areas and Subdivision;
Numbers of Person with Disability per Purok, Sitos, Areas and Subdivision;
Numbers of Alien Residents per Purok, Sitos, Areas and Subdivision;
Numbers of Indigenous People per Purok, Sitos, Areas and Subdivision;
Professions/Job description and skills of every persons per Purok, Sitos, Areas and Subdivision;

City Social Services Department: is the only authorize to utilize the Social Services Data Management System (SSDMS) especially during Emergency, Crisis and Disaster management.

The City Social Services has access of information of the Personal Information by the Barangay Inhabitant the same as the DRRMO Command Center.

City Health Department: is the only authorize to utilize the MSART Dashboard that serve as Telemedicine Dashboard System for public health concern.

Collection and Use of Non-Personal Materials and Information

Aside from personal information, the application and the system also collect non-personal information that does not completely concern the user. The authorized personnel may view, share, transfer, and use the non-personal information for whatever purpose it may serve as long as it is legitimate and beneficial to the government.

Some non-personal information, such as zip code/area code, occupation, source of income, and some minor details about the family, will also be collected along the process. This information will be useful to the government in analyzing a given situation.
Since the application also has a report feature, the reports sent by the users, including pictures and other details, may be acted on appropriately and efficiently.

Note that any non-personal information combined with any personal information will be considered as personal thus, guidelines for personal information shall be followed.
Protection of Personal Information
Aside from the functionality of the system, the developers also give importance to the data collected and the role it plays in formulating the solution for a crisis. Along with this, equal importance is given to the security of the personal information collected by the application. The system uses a private cloud where all the information obtained will be securely stored by utilizing advance security technologies and methodologies. These security measures are updated regularly to counter new and more sophisticated threats.
Finally, personal data is aggregated and kept in a form which does not permit identification of data subjects.

Privacy Policy Updates
In order to cope with the continuously changing security of the system (in order to completely protect the collected information), the privacy policy of the application also changes from time to time. The developer has the right to amend, update, and change the privacy policy of the application depending on the amendment on the reference law and also based on the changes done on the security of the application.
Integrity and Retention of Personal Information
The information gathered by the application will be updated, stored, and retained in the databank as long as they serve their purpose. Even after a crisis, this information may still be used for community development and in building-back better. Otherwise, the information may be disposed in a secured and proper manner in such a way that it cannot be processed anymore by any unauthorized entity.
Privacy Rights of the Users
In general, the right of the user, as contained in the Republic Act No. 10713, is paramount in the development of the system. This includes the right to keep his information updated and/or corrected. Any requests that are deemed unnecessary and inappropriate will be declined and rejected.
Use of Cookies
What are cookies? These are small data files that are being written in to the user’s device once the application has been visited. These cookies have been put in to use in order to maximize the functionality of the application and provide a better user experience. Also, these cookies provide aid in the secure collection of information, more specifically the non-personal one. However, these cookies also give access to the collection of the different identifiers such as Internet Protocol (IP) Address, which, as per the law, are considered as personal information.
Privacy Questions

If the user has complaints/questions regarding the privacy policy of the application, or any matters involving the system, queries to the developer may be made through the ‘Help’ icon on the dashboard of the application. An authorized personnel shall monitor the users’ complaints and respond to it if needed.