Data Privacy Policy and Procedure

ARTICLE I GENERAL PROVISION

SECTION 1. TITLE

This shall be known as Cooperative Health Management Federation’s Data Privacy Policy and Procedure.

SECTION 2. SCOPE

This Policy and Procedure applies to all natural or juridical persons, or any other body in the government or private sector engaged in the processing of personal data within and outside of the Philippines, subject to the application of the Data Privacy Act, and National Privacy Commission.

SECTION 3. GENERAL CONCEPTS

This privacy policy is committed to protecting and addressing concerns in the use of all information collected and how this information is being utilized. This ensures that an individual’s personal information and a member Cooperative’s information are secured and protected.

SECTION 4. POLICY

Cooperative Health Management Federation (1COOPHealth) protects the confidentiality, privacy and security of all individual members and member Cooperatives according to law, ethical guidelines, and industry best practices. This policy also applies to each of 1COOPHealth’s members, management and staff. All are expected to communicate this policy and must be familiar with, understand, and follow the procedures in this policy.

SECTION 5. DEFINITION OF TERMS

Cooperative means Cooperative Health Management Federation, a cooperative registered under the Cooperative Development Authority (CDA) under Registration No. 9520-160248-1.

Member Individual means any person who avails of and patronizes the products and services of the Cooperative and whose personal information is processed.

Member Cooperative means those Cooperatives duly registered under the CDA which are willing to patronize the services of the Cooperative.

Data Privacy Act means the Data Protection Act 2018 which implements the General Data Protection Regulation.

Consent of the data subject refers to any freely given, specific, informed indication of will, whereby the data subject agrees to the collection and processing of personal information about and/or relating to him or her. Consent shall be evidenced by written, electronic or recorded means. It may also be given on behalf of the data subject by an agent specifically authorized by the data subject to do so.

Responsible Person – means any person and/or Data Privacy Officer responsible for data protection within the Cooperative.

Membership System – means a register of all systems or contexts in which personal data is processed by the Cooperative.

Personal information refers to any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.

Sensitive personal information refers to personal information:

(1) About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;

(2) About an individual’s health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings.

ARTICLE II
PROCESSING OF PERSONAL INFORMATION

SECTION 1. DATA PRIVACY PRINCIPLES

The Cooperative is committed to processing data in accordance with its responsibilities under the Data Privacy Act of 2018.

The DPA requires that personal data shall be:
a. processed lawfully, fairly and in a transparent manner in relation to individuals;
b. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
c. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
d. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.

SECTION 2. MEMBER’S INFORMATION

INDIVIDUAL MEMBER’S PERSONAL INFORMATION
• Name
• Mailing Address
• Phone Number
• Email Address
• Birthdate

INDIVIDUAL MEMBER’S SENSITIVE PERSONAL INFORMATION
• Medical Data
• Sexual Identity
• Civil Status
• Age

This policy on collecting sensitive personal information does not gather any sensitive personal information such as your social security number, driver’s license number, race, ethnicity, religion, political associations, or details on your criminal background.

COOPERATIVE MEMBER’S INFORMATION SHEET
• Name of Cooperative
• Mailing Address
• CDA Registration No.
• Date of Registration
• Taxpayer’s Identification No.
• Category of Cooperative
• Type of Cooperative
• Current No. of Members
• Contact No.
• Email Address
• Affiliation/s
• Name of Officer

Member’s information may be stored for an extended period of time, depending on how the Cooperative needs to use the information. The Cooperative will keep the email address and name on file as long as the members are enrolled and enjoy the benefits and privileges of the membership. In addition, the Cooperative may need to keep the billing information for an extended period of time to maintain the internal transaction records solely for archiving purposes, subject to measures required by the DPA and processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and lawful measures.

SECTION 3. HOW THE INFORMATION COLLECTED IS USED
The Responsible Officer collects the following personal information from our member individuals and member Cooperatives, subject to compliance with the requirements of the DPA of 2018. The Cooperative uses the information to help utilize everything 1COOPhealth has to offer. This includes:

• Creating and maintaining an account
• Recording customer availed services
• Fulfilling customer service requests
• Communicating new products and services

ARTICLE III
RIGHTS OF THE DATA SUBJECT

SECTION 1. RIGHTS OF THE DATA SUBJECT
The data subject is entitled to:
• Be informed on the purpose for which information collected is being processed.
• The information declared shall not be amended without prior notification of the data subject.

SECTION 2. TRANSMISSIBILITY OF RIGHTS OF THE DATA SUBJECT

The lawful heirs and assigns of the data subject may invoke the rights of the data subject for which he or she is an assignee at any time after the death of the data subject or when the data subject is incapacitated or incapable of exercising his rights.

ARTICLE IV
SECURITY OF PERSONAL INFORMATION

SECTION 1. CONFIDENTIALITY REQUIREMENTS
All employees and staff must comply with a confidentiality agreement under which each maintains appropriate organizational confidentiality, and access to information is granted based upon the employee’s role. Only the “minimum necessary” information may be accessed, used, or disclosed, unless the information is being used or disclosed for the principal purposes in relation to the health agreement entered into by the data subject.

ARTICLE V
ACCOUNTABILITY FOR VIOLATIONS OR BREACHES

SECTION 1. PRINCIPLE OF ACCOUNTABILITY
Any person who inappropriately accesses, uses or discloses such information, whether recklessly, out of curiosity, with malicious intent, or for other unauthorized reasons, will be investigated. The Cooperative shall never tolerate nor condone any unlawful and unethical activity of its directors, officers and employees. All personnel of the Federation are highly encouraged to challenge inappropriate behavior and report any form of misconduct or violation of the provisions of this Code committed by fellow officers or employees. Any discipline will be determined, on a case-by-case basis, based on the outcome of the investigation, the individual’s intent, and the impact of the violation, in a manner consistent with this policy. Unauthorized use and/or access to confidential information may be grounds for disciplinary action.

SECTION 2. TYPES OF VIOLATIONS OR BREACHES
• Inadvertent access to member records.
• Discussing member information with others when not required for the job.
• Discussing member information in public areas.
• Leaving logged-in computer unattended in an accessible area with member information visible.
• Improperly disposing of confidential member information.

SECTION 3. PENALTY FOR VIOLATIONS OR BREACHES
In order to effectively implement the provisions of this Code, offenses that call for or merit disciplinary action are classified under five types of heading: Light Penalty, Habitual Penalty, Gross Penalty, Grave Penalty, and Capital Penalty. This classification is made in accordance with the disciplinary action that the offense merits. The corresponding disciplinary actions are the following:

1. Termination of employment
2. Suspension of employment
3. Criminal Liability

ARTICLE VI
REFERENCES & ATTACHMENTS

SEC. 1 REFERENCES:
• National Privacy Commission Tool Kit
• 1COOPhealth Articles of Cooperation and By-Laws
• 1COOPhealth Employee Code of Conduct

SEC. 2 ATTACHMENTS:
• Enrollment Application Form (EAF)
• Member’s Information Sheet (MIS)

ARTICLE VII
EFFECTIVITY

The provisions of this Data Privacy Policy & Procedure are effective this 13th day of May 2024 until revoked or amended by the Cooperative, through Board Resolution.

TABLE OF REVISIONS
Date Description of Change(s)
May 07, 2024 Draft on Data Privacy Policy & Procedure