Word for Preparing Capstone Documents

Click Here

Capstone Guidelines

Capstone

Capstone is learning and real-world experience in action.  The students are exposed to a real-life learning experience which opens windows of opportunities for their growth.  Within the span of an academic year, students work in groups in order to address different challenges and situations, and provide possible opportunities for a client organization. 

Proposed Capstone Guidelines

A capstone project, as per recommendation of the Faculty of the College of Computer Studies, should adhere to the following requirements, guidelines, and policies:

A.     Grouping Guidelines

1.      A capstone group should be composed of a minimum of two (2) and a maximum of four (4) members only.  In special cases, a group may have five (5) members upon the approval of the capstone adviser and either the CCS program head/IT coordinator, academic dean, or the Registrar.

2.      The grouping may adhere to any of the following circumstance as regard by the capstone adviser:

a.      Students may choose their own group members;

b.      The capstone adviser may assign a leader and form a group as he or she deemed appropriate and unbiased; or

c.       The capstone adviser may assign a leader for each group and the leader has the prerogative to choose his or her member(s).

Note:

* Guidelines A2b and A2c ensure that outstanding enrolled students in the capstone subject have the capacity to lead a group and there is an even distribution of leaders for the batch. A leader is determined by the capstone adviser (and as per recommendation by the faculty of the CCS) based on the academic performance of the student.

** For Guidelines A2a and A2c, the capstone adviser has no right to force or coerce the leader of a group or the group itself to accept a particular student to become a member of a group. 

3.      In the event a student intends to develop a capstone project alone, the student is required to write a request letter addressed to his or her capstone adviser by stating the circumstances of his or her decision.  Likewise, the letter should be duly signed by the student’s parent or guardian as a form of consent.  Upon approval of the capstone adviser, the letter should be approved and signed by the CCS program head/IT coordinator and the dean of the academic affairs for the request to become final and binding.  Lastly, the student will not be given any provision to join in any group during Capstone 2.  When the student withdraws his or her intention to go solo, a written withdrawal request letter should be addressed to his or her capstone adviser.  The withdrawal period should be observed before the approval of a Capstone project.

4.      After grouping, presentation of three (3) project titles, and the approval of a Capstone project, the students are no longer allowed to dissolve the group for any reason.  The group members of Capstone 1 should be the same group members for Capstone 2.

5.      A group can be dissolved on the following grounds:

a.      Guideline A4 is not meet, specifically the approval of a Capstone project;

b.      A member officially dropped the subject;

c.       A member exceeded the absences ceiling and has been given a grade of 'Dropped' or its equivalent by the capstone adviser;

d.      A member can no longer attend to his or her class due to health concern, life threatening situation, migration, etc; or

e.      A member has been given a failing grade.

6.      When a group has been dissolved with only one (1) remaining member, the remaining member may choose to continue the group’s project or may opt to join another group provided this will take place before the midterm period.  Two (2) or more remaining members should continue the group’s project and are not allowed to disintegrate to join other groups.

7.      Finally, the member(s) of a group have the right to evict a member that does not participate in the group’s undertakings and becomes a liability to the group.  The concerned member(s) should prepare a letter of request for eviction to be addressed to the capstone adviser and duly noted by the CCS program head/IT coordinator together with the dean of the academic affairs before a hearing date will be set.  All members of the concerned group should be present during the prescribed hearing date(s) where the capstone adviser should act as a moderator and to be supervised by the CCS program head/IT coordinator.  The outcome of the hearing should be made known to all concerned parties after the dean of the academic affairs acknowledged the recommendations made by the capstone adviser and the CCS program head/IT coordinator.  Once the result of the proceeding(s) affirms the eviction, the evicted member will no longer be allowed to work with his or her group or join any group for that matter.  The evicted member may observe the following options:

a.      He or she can continue working alone with the same project like that of his or her former group; or

b.      He or she needs to re-enroll the same subject and join a new group afterwards.

B.      Project Proposal Guidelines

1.      Each group or proponent is required to present three (3) Capstone project titles each of which is client-based and covers the following areas of interest.

a.      A Standalone System with Device. Requires only a computer to operate regardless of the number of users. In order for this kind of system to qualify as a capstone project, there should be an additional device connected to the computer. A good example of this device is a barcode reader or a biometric device.

b.      A LAN-Based System. Requires two or more computers connected to one another. This kind of set up allows simultaneous processing, either with the same set of activity or with defined task assigned to several different users.

c.       An Online System. The system should be operational and accessible using the internet. 

d.      A Mobile Application.  The software should be executed in a mobile phone.

2.      The capstone adviser may:

a.      Solely evaluate the presented capstone project titles and approve the project title that qualifies for a capstone project; or

b.      Evaluate the presented capstone project titles together with the panel of examiner(s) and recommend a project title that qualifies for a capstone project.

3.      A capstone project should be a new project and not as a continuing project from other subjects.

4.      Once a capstone project title has been approved, no proposal of the same will be entertained – i.e., identical operations, identical products and/or services.

5.      The approved project title will be the working project of the group or the proponent for both Capstone 1 and Capstone 2.

6.      By midterm, a group or proponent  who has no approved project title yet is already considered ‘Failed.’

C.      Project Development Guidelines

1.      Plagiarism.  A Capstone project should be an original piece of work, and it should be free from any plagiarism issue.    A plagiarized software or document will result into an automatic failing grade.

2.      Capstone 1 covers the preparation of Chapters 1 to 3 and at least 30 to 50 percent of the proposed system.  The system requirements should cover the Graphical User Interface (GUI), user module, and file maintenance.

3.      Capstone 2 covers the completion of the entire document as well the delivery of the finished system.

4.      Any software template and/or bootstrap is prohibited. The development of a capstone project should start from the scratch.  The use of middleware must be duly approved by the capstone adviser and should be properly discussed in the document.

5.      Republic Act 10173 – Data Privacy Act of 2012.  A group or proponent should strictly observe the provisions of RA 10173 for their mutual protection and that of their client. 

6.      In the event the group or the proponent experiences challenges they deemed difficult to handle and could hamper the development and completion of the Capstone project:

a.      During Capstone 1, the group should write to their adviser a letter of request for a change of Capstone project.  The adviser may approve such request granted that there is enough time for the group to be able to submit all the required deliverables.  In case there is an insufficient time left, the group or the proponent needs to re-enroll the subject.

b.      During Capstone 2 and the first two weeks of the start of the semester, the group should write to their adviser a letter of request for a change of Capstone project.  Beyond this period, no group or proponent should be granted such request.  The requesting group or proponent needs to undergo the same process as required in Guideline B of this manual.

D.     Project Presentation Guidelines

a.      Capstone 1. 

1.      Only a capstone project that has been approved or cleared by the capstone adviser should be presented before the panel of examiners.  This means that a group or proponent has  successfully complied and submitted all the necessary requirements of the project as evaluated by the capstone adviser.   

2.      There is no project presentation during the final examination week.  The project presentation should be held two (2) or three (3) weeks before the final examination week in order to provide ample  time for possible revisions as required or recommended by the panel of examiners. 

3.      Each group or proponent is required to submit a set of their final document (in hard copy form) to their adviser at least three (3) days before their scheduled presentation date.  The number of copies of the final document depends on the number of the panel of examiners. 

4.      The presenters are required to be in their proper corporate attire during the project presentation.  The corporate attire should adhere to the guidelines on the standard dress code of the institution.

5.      A group or proponent with incomplete requirements will not be allowed to present their project before the panel of examiners in their scheduled presentation date.  Upon completion of the requirements, they are eligible to present their project before the final examination week only.  The group or proponent should be the one to:

a.      Look for a presentation date;

b.      Prepare the presentation room;

c.       Prepare all the necessary documents and pertinent requirements; and

d.      Look for the panel of examiners and should be duly approved by the CCS program head/IT coordinator.

                        Note:  The final grade that the group or proponent will receive should be a step lower                 but not lower than 3.0 in case they will receive a passing grade.

6.      A group or proponent who did not successfully deliver the requirements of the subject will not be allowed to present their work.  They will be given a grade of either INC or 5.0.   A group or proponent with a grade of INC or 5.0 will not be allowed to enroll the Capstone 2 subject.  However, an INC grade can be completed before the start of the next semester where the presenter should adhere to the guidelines listed in D5.  The highest possible grade that a group or proponent will receive upon completion will be 3.0.

7.      During project presentation, a non-appearing member will be given a grade of INC given the following circumstance:

a.      There is a valid reason duly backed by legal documents; or

b.      The group agreed to drop the non-appearing member in order to proceed with the presentation.

8.      Checking and validation of minor project revisions will be  handled by the capstone adviser.  Whereas, the panel of examiners may request for a second presentation within the allowed presentation dates for a project that has been evaluated as ‘Major Revision.’

b.       Capstone 2.

1.      A group or proponent with complete documentation and completed almost all of the major system deliverables will be allowed to present their work before the panel of examiners.

E.      Grading Guidelines

a.      Capstone 1.

1.      A group or proponent who did not comply with the major requirements of the subject will receive a failing grade.

2.      A student with a grade of INC or 5.0 is not allowed to enroll in Capstone 2.

3.      A group or proponent with a grade of INC is still given an opportunity to comply with the requirements by observing the guidelines listed in D5a to D5d.  The group or proponent should be able to present their Capstone 1 project before the start of the class of the next semester.  The highest possible grade that a group or proponent should receive is 3.0.  Should they fail to deliver the requirements, their grade will remain unchanged.

b.      Capstone 2.

1.      A group or proponent who did not comply with the major requirements of the subject will receive a failing grade.

2.      A group or proponent with a grade of INC is still given an opportunity to comply with the requirements by observing the guidelines listed in D5a to D5d.  The group or proponent is given a year to comply with the requirements. 

Figures and Tables using APA Format

Figures can be in a form of charts, drawings, photos, or anything with visual appeal other than tables

Figure 1 represents the software development model used in this study.  The Rapid Application Development model is best suited to the study because ...

    Figure 1. The Rapid Application Development model used in the Study

**image courtesy of testingexcellence.com

Tables are used when presenting numbers and texts in an easy-to-read format.

The recommended hardware requirements will enable the system to operate faster and with greater efficiency compared with the minimum hardware requirements.  See Table 1 for the complete list of hardware requirements.

    Table 1. List of hardware peripherals to be used during system implementation.

Reasons for Using Figures and Tables
1. Effective Communication
2. Appealing Presentation

Guidelines in using Figures and Tables
1. Numbering - figures and tables should be numbered sequentially (e.g., Figure 1., Figure 2., and Table 1., Table 2.)
2. Labeling - place the label below for the figures and above for the tables.  Figure and table labels should be a short description and not a title.
3. Positioning - figures and tables should be placed below a paragraph in order to aid the readers. Explain what the reader will find and the relation of the figures and tables to the document.
4. In-text referencing - refer to the figure or table by number (e.g., Figure 1 shows that ...)
5. Diagram referencing - provide a reference every time a figure or table is adapted from another source.  Refer to the APA style in referencing figures and tables.

Citations and Referencing

For comprehensive Citations and Referencing, open the link

https://opentextbc.ca/writingforsuccess/chapter/chapter-9-citations-and-referencing/

The APA Format

Click Here

Request Letter

<< Date Today >>

<< Name of Contact Person >>

<< Position >>

<< Address >>

Dear <<Sir/Madam>>,

Greetings!

We, the fourth year BSIT students of Global Reciprocal Colleges, would like to conduct a study of your company’s operation as part of our subject requirements in Capstone.  In this regard, we would like to ask from your good office to assist and allow us to perform this endeavor.

In this activity, a series of interviews and data gathering processes will be observe.  Given your company’s current operation or system, we would like to evaluate and determine its problems and flaws (if there are any), and if there is a possibility where we can propose, improve, or even develop a new system for the benefit of your organization.  Rest assured that everything will be treated with utmost confidentiality.

Thank you very much for your favorable response on this matter. 

Respectully yours,

<< alphabetically list your names here  and sign above your name>>

Noted by:

<<name of the capstone adviser>>

Capstone Adviser

RA10173 - Data Privacy Act of 2012

National Privacy Commission

Know Your Data Privacy Rights

Under RA10173, people whose personal information is collected, stored, and processed are called data subjects. Organizations who deal with your personal details, whereabouts, and preferences are dutybound to observe and respect your data privacy rights.

If you feel that your personal data has been misused, maliciously disclosed, or improperly disposed, or if any of the rights discussed here have been violated, the data subject has a right to file a complaint with us.

*****

The right to be informed

Under R.A. 10173, your personal data is treated almost literally in the same way as your own personal property. Thus, it should never be collected, processed and stored by any organization without your explicit consent, unless otherwise provided by law. Information controllers usually solicit your consent through a consent form. Aside from protecting you against unfair means of personal data collection, this right also requires personal information controllers (PICs) to notify you if your data have been compromised, in a timely manner.

As a data subject, you have the right to be informed that your personal data will be, are being, or were, collected and processed.

The Right to be Informed is a most basic right as it empowers you as a data subject to consider other actions to protect your data privacy and assert your other privacy rights.

Example:

A medical doctor in a private hospital in Manila recorded a conversation with his lady patient without the patient’s knowledge and prior consent. Upon realizing what was happening, the patient immediately confronted the doctor and expressed her strong dismay, pointing out the physician’s lack of professionalism in recognizing his personal right to privacy. She said she could have given her consent anyway if only she was asked politely. The doctor apologized and explained that his action was just meant to aid his recall, especially when he later examined the case, saying he just wanted to provide the best possible service, which the patient deserves. The patient, however, demanded the doctor to delete the recorded conversation and canceled on the medical consultation. She said if the doctor does not even know the basic courtesy of asking for consent, then how can he expect to win the patients’ confidence in his competence as a medical practitioner.

Take note of this:

To protect your privacy, the Philippine data privacy law explicitly require organizations to notify and furnish you the following information before they enter your personal data into any processing system (or at the next practical opportunity at least):

·         Description of the personal data to be entered into the system

·         Exact Purposes for which they will be processed (such as for direct marketing, statistical, scientific etc.)

·         Basis for processing, especially when it is not based on your consent

·         Scope and method of the personal data processing

·         Recipients, to whom your data may be disclosed

·         Methods used for automated access by the recipient, and its expected consequences for you as a data subject

·         Identity and contact details of the personal information controller

·         The duration for which your data will be kept

·         You also have to be informed of the existence of your rights as a data subject.

Additional notes:

In recording a conversation or interview with someone, it is enough to verbally ask for a direct consent from an individual data subject. If the subject yields, it would be useful to also mention as part of the recorded conversation that the subject knows the conversation is being recorded and that you asked and were given the consent. It would even be better if you could get the subject to verbally confirm his consent.

Banks involved in phone banking tell their callers that the conversation with their call center agent would be recorded, and that proceeding with the call is indication of their consent. This practice is considered sufficient notice.

Websites resort to publishing a Privacy Notice page, which essentially accomplishes the same thing. Similar privacy notices should be made in public establishments equipped with security CCTVs.

Whenever anyone is making an audio or video recording of you, or even just taking your pictures, you have a right to know, and you must always be given the chance to opt out when you don’t feel comfortable.

A salesman may be collecting detailed personal data about you and your family without your permission, under the pretext of targeting you as a prospective customer to tailor-fit their offerings to your individual needs. This, by itself, may be potentially beneficial to you. But since your personal privacy and safety becomes potentially at risk, you have a right to be informed if you are being individually targeted in a sales campaign like this.

*****

The right to access

This is your right to find out whether an organization holds any personal data about you and if so, gain “reasonable access” to them. Through this right, you may also ask them to provide you with a written description of the kind of information they have about you as well as their purpose/s for holding them.

Under the Data Privacy Act of 2012, you have a right to obtain from an organization a copy of any information relating to you that they have on their computer database and/or manual filing system. It should be provided in an easy-to-access format, accompanied with a full explanation executed in plain language.

You may demand to access the following:

·         The contents of your personal data that were processed.

·         The sources from which they were obtained.

·         Names and addresses of the recipients of your data.

·         Manner by which they were processed.

·         Reasons for disclosure to recipients, if there were any.

·         Information on automated systems where your data is or may be available, and how it may affect you.

·         Date when your data was last accessed and modified

·         The identity and address of the personal information controller.

Example:

An individual had been involved in an incident inside and outside a Manila restaurant where his wallet was stolen. He also suffered minor injuries in the incident. He requested access to the restaurant CCTV footage relating to himself, saying he wants to see all details surrounding the incident and possibly figure out a way to recover his wallet. He tried to personally speak to the manager but was referred to the security guard. After a few days of following up on his request, he was finally informed that the establishment would not provide him any data. This infuriated him and, upon going back to the restaurant, he demanded his right to view the footage or else he would create a scene. He was told that, as per their security policy, no “outsider” is allowed to enter areas in their establishment designated only as “for employees only”. As a compromise, the manager said they will give him a record of the footage using the customer’s handheld gadget.

How to exercise your right to access your personal data

You must execute a written request to the organization, addressed to its Data Protection Officer (DPO). In the letter, mention that your request is being made in exercise of your right to access under the Data Privacy Act of 2012. The DPO is required to respond to your written request. Be prepared to provide evidence of your identity, which the DPO should require of you to make sure that personal information is not given to the wrong person.

If your request was not granted, or if you feel your request was not sufficiently addressed, you may file a formal complaint with the NPC. Before doing so, however, we recommend that you inform the organization and its DPO of your intention to formally complain to the NPC. They might be able to the opportunity to apologize, better explain their position, or reconsider your request.

Additional notes:

Some exceptions may disallow the exercise of an individual’s right to access. This is to balance the right to privacy of an individual versus the needs of civil society. Here are some examples:

·         A criminal suspect is not allowed access to the personal data held about him by law enforcement agencies as it may impede investigation.

·         You are not allowed access to information about you as contained in communications between a lawyer and his or her client, if such communication is subject to legal privilege in court.

·         Your right to access your own medical and psychological data may be denied you in the rare instance where it is deemed that your health and well-being might be negatively affected.

*****

The right to object

You can exercise your right to object if the personal data processing involved is based on consent or on legitimate interest. When you object or withhold your consent, the PIC should no longer process the personal data, unless the processing is pursuant to a subppoena, for obvious purposes (contract, employer-employee relationship, etc.) or a result of a legal obligation.

In case there is any change or amendment to the information previously given to you, you should be notified and given an opportunity to withhold consent.

Example

The right to object is most specifically applicable when organizations or personal information controllers are processing your data without your consent for the following purposes:

·         Direct marketing purposes. When business organizations give you sales materials about products and services, they must explicitly inform or remind you of your right to object. If you feel uncomfortable to being target of a direct marketing campaign, you must be able to easily invoke your right to object. If you previously acceded but wishes to opt-out, you must be given an easy way to opt-out. In asserting your right to object being included in a direct marketing campaign, businesses have no recourse but to accede as there are no exemptions or grounds for refusal in this case.

·         Profiling purposes. Businesses customarily resort to profiling, or the creation of profiles of individual customers and clients without their consent. This is done either for marketing or customer care purposes. The cross-referencing of customer information to product marketing brings about practical advantages to both the buyer and seller in any potential business transaction. Under RA 10173, however, profiling of this requires your consent as customer, or else you are justified in invoking your right to object. The right of state agents to do profiling for law enforcement purposes, however, may override your right to object.

·         Automated processing purposes. In technology-driven industries, such as banking and finance, many decisions affecting individuals are arrived at electronically via automatic data processing systems based on personal information stored in computerized data files. This reduces the business transaction process down to a few seconds and facilitates a speedy exchange of economic value. Potentially, however, it may also inadvertently arrive at decisions prejudicial to your interests and lead to the weakening of your position as a transacting party. As such, organizations are required to notify you whether your personal data will undergo automatic processing, and inform you that you have a right to object.

How to exercise your right to object

Whenever you have the chance, you may assert your right to object verbally, be it in person or via a phone call. To have it formally documented, however, you must execute a written request to the organization, addressed to its Data Protection Officer (DPO), and have it received. In the letter, mention that your request is being made in exercise of your right to object under the Data Privacy Act of 2012. The DPO must act on your written request. In case you feel your request have not been addressed satisfactorily, you may file a formal complaint before the NPC, attached therewith your request letter to the DPO.

*****

The right to erasure or blocking

Under the law, you have the right to suspend, withdraw or order the blocking, removal or destruction of your personal data. You can exercise this right upon discovery and substantial proof of the following:

1.      Your personal data is incomplete, outdated, false, or unlawfully obtained.

2.      It is being used for purposes you did not authorize.

3.      The data is no longer necessary for the purposes for which they were collected.

4.      You decided to withdraw consent, or you object to its processing and there is no overriding legal ground for its processing.

5.      The data concerns information prejudicial to the data subject — unless justified by freedom of speech, of expression, or of the press; or otherwise authorized (by court of law)

6.      The processing is unlawful.

7.      The personal information controller, or the personal information processor, violated your rights as data subject.

Example

In several cases, the need to balance this right with the freedom of expression and public interest has been highlighted as follows:

·         Melvin v. Reid (as published in http://scholarship.law.berkeley.edu/cgi/viewcontent.cgi?article=1429&context=bjil)

“In Melvin v. Reid, 34 decided in 1931, for example, a homemaker, who had once worked as a prostitute and who had been wrongly accused of murder, became the subject of a feature film (“The Red Kimono”) seven years after her acquittal, based on the facts of her trial. Although not specifically referencing a right to be forgotten, the court, permitting suit against the film-maker, noted: “One of the major objectives of society as it is now constituted, and of the administration of our penal system, is the rehabilitation of the fallen and the reformation of the criminal.” The court held that the unnecessary use of the plaintiff’s real name inhibited her right to obtain rehabilitation.”

·         Sidis v. F-R Publishing Corp. (http://communication.oxfordre.com/view/10.1093/acrefore/9780190228613.001.0001/acrefore-9780190228613-e-189?rskey=Mr5AR5&result=1)

“Newsworthiness, or public interest, generally trumps privacy in the United States. This fact was recognized as early as 1890, by Samuel Warren and Louis Brandeis in their famous Harvard Law Review article, “The Right to Privacy.” The principle was further reinforced in 1940, when the U.S. Court of Appeals for the Second Circuit held that former child prodigy William James Sidis, who had made great efforts to become a private citizen again after having received extensive news coverage as a young boy, could not prevail in a privacy action against a magazine that featured him in a “Where Are They Now?” section. The court held that the public retained a legitimate interest in knowing whether Sidis had lived up to the intellectual promise of his youth.”

·         Karnataka High Court Judgement (http://lexinsider.com/a-high-court-gives-life-to-the-right-to-be-forgotten-right/)

“…the High Court of Karnataka after passing of the order on a criminal matter which was relating to a complaint given by the Petitioner’s daughter and filing a case in the High Court that her marriage never happened with defendant. The petition was to annul the marriage certificate and later the case was quashed on comprise between the parties. In the same case Petitioner’s daughter name was requested to be removed from the digital records of the High Court and also from search engines including Google as it affected her relationship with her husband and her reputation as well.The High Court ordered, “It should be the endeavor of the Registry to ensure that any internet search made in the public domain ought not to reflect the petitioner’s daughter’s name in the cause-title of the order or in the body of the order in the criminal petition.”, giving life to this right. However, the name of the petitioner’s daughter would certainly be reflected in the order copy was made clear.”

How to exercise your right to erasure (or blocking)

Execute a written request to the organization, addressed to its Data Protection Officer (DPO), and have it received. In the letter, mention that your request is being made in exercise of your right to erasure under the Data Privacy Act of 2012. Documents to support your request must be attached. The DPO must act on your written request. In case you feel your request have not been addressed satisfactorily, you may file a formal complaint before the NPC, attached therewith your request letter to the DPO.

*****

The right to damages

You may claim compensation if you suffered damages due to inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of personal data, considering any violation of your rights and freedoms as data subject.

Example

This example is from the United Kingdom, as published at: http://www.nabarro.com/insight/briefings/2017/february/assessing-damages-for-data-protection-and-data-privacy/

“In October 2013, the Home Office published quarterly statistics about the family returns process by which applicants who have children but who have no right to remain in the UK are returned to their country of origin.

The Home Office uploaded anonymised statistics, but they also mistakenly uploaded a spreadsheet of raw data on which those statistics were based. This spreadsheet contained personal data and private information of approximately 1,600 individuals, including their names, ages, nationality, the fact of an asylum claim, the regional office which dealt with their case and their immigration removal status.

This data remained online for nearly two weeks before it was removed but during that time the webpage had been visited by IP addresses across the UK and abroad. As a result, a small number of these individuals brought claims for misuse of private information and breaches of the Data Protection Act 1998 (DPA).

The defendant accepted that their accidental publication of personal data amounted to a misuse of private and confidential information and a breach of the DPA. It was not disputed that, subject to proof, damages were recoverable for distress at common law and section 13 of the DPA, unless Google Inc v Vidal-Hall is overturned.

The six individuals who brought the claims were awarded between £2,500 and £12,500 in damages for misuse of their private information and the distress suffered as a result of the data breach.”

How to exercise your right to damages

Write or speak to the organization which mishandled your personal information to see if you can reach an agreement and claim compensation. If you feel that your concern has not been satisfactorily addressed, you should write to the organization and inform them of your intent to take the matter to the court, before you start court proceedings. Talk to a legal adviser if you want to make a claim in court.

The NPC has no role in dealing with compensation claims. But you may request us to assess if the organization mishandled your personal data and broke the DPA. You can give a copy of the NPC’s letter to the court along with the evidence to prove your claim. This, however, does not guarantee that the judge will fully agree with NPC’s view. You may also require someone from the NPC to give expert evidence which will only be allowed if the judge orders it. The party calling the witness will have to shoulder the corresponding cost.

*****

The right to file a complaint with the National Privacy Commission

If you feel that your personal information has been misused, maliciously disclosed, or improperly disposed, or that any of your data privacy rights have been violated, you have a right to file a complaint with the NPC.

The right to rectify

You have the right to dispute and have corrected any inaccuracy or error in the data a personal information controller (PIC) hold about you. The PIC should act on it immediately and accordingly, unless the request is vexatious or unreasonable. Once corrected, the PIC should ensure that your access and receipt of both new and retracted information. PICs should also furnish third parties with said information, should you request it.

Example

A government employee resigned from her agency with a period with premium payments of 20.49 years. The employee’s birthdate indicated in her Government Service Insurance System (GSIS) records is 30 June 1959. However, her National Statistics Office (NSO) authenticated Certificate of Live Birth shows 30 June 1952 as her birthdate. Her birthdate will determine when she will start receiving her monthly pension – in 2019 if based on the GSIS record, and in 2012 if based on her birth certificate. She, thus, invoked her right to rectify her personal data under the Data Privacy Act of 2012.

How to exercise your right to rectify

If the organization does not yet have a system or form for data rectification, you must execute a written request to the organization, addressed to its Data Protection Officer (DPO), and have it received. In the letter, mention that your request is being made in exercise of your right to object under the Data Privacy Act of 2012. Documents to support your request must be attached. The DPO must act on your written request. In case you feel your request have not been addressed satisfactorily, you may file a formal complaint before the NPC, attached therewith your request letter to the DPO.

Some organizations already have their system or form for data rectification. For instance, the Social Security System (SSS) only requires their members to accomplish SSS Form E-4 or the Member Data Change Request Form and submit with it the supporting documents. The needed supporting documents vary depending on the personal data that you want corrected (i.e. for correction of name and birthdate – PSA/NSO-authenticated birth certificate or valid passport, for correction of name due to naturalization – Certificate of Naturalization issued by the Philippine Department of Foreign Affairs, identification certificate issued by the Philippine Bureau of Immigration, and any foreign government- issued ID cards and/or documents showing the new name).

*****

The right to data portability

This right assures that YOU remain in full control of YOUR data. Data portability allows you to obtain and electronically move, copy or transfer your data in a secure manner, for further use. It enables the free flow of your personal information across the internet and organizations, according to your preference. This is important especially now that several organizations and services can reuse the same data.

Data portability allows you to manage your personal data in your private device, and to transmit your data from one personal information controller to another. As such, it promotes competition that fosters better services for the public.

Example

In case you want to close your Facebook account and leave the service, or simply feel like you’ve shared a lot of information about your life and want a backup of all your Facebook data, you may exercise your right to data portability.

You may also exercise this right if you intend to get a usable copy of your personal health records for the use of other doctors you may like to consult. In banking, the right to data portability may be used to reduce the risks of being locked-in with one single service provider, thereby expanding customers’ options and improving customer experience.

How to exercise your right to data portability

Various online platforms have been making data portability an available and instant option for its users. For instance, Facebook enabled its users to readily download all their personal content and information, including wall posts, status updates, photos, videos, and conversation threads. Currently, users will just have to click at the top right of any Facebook page and select “Settings”, then click “Download a copy of your Facebook data” at the bottom of “General Account Settings”, and click “Start My Archive”. Google has a similar feature that readily allows its users to create an archive to keep for their personal record or for use in another service.

In case the personal information controller concerned does not yet have an online data portability feature, you must execute a written request to the organization, addressed to its Data Protection Officer (DPO), and have it received. In the letter, mention that your request is being made in exercise of your right to data portability under the Data Privacy Act of 2012. Documents to support your request must be attached. The DPO must act on your written request. In case you feel your request have not been addressed satisfactorily, you may file a formal complaint before the NPC, attached therewith your request letter to the DPO.

*****

Transmissibility of Data Subject Rights

Just like any physical property, such as real estate, you can assign your rights as a data subject to your legal assignee or lawful heir. Similarly, you may assert another person’s rights as a data subject, provided he or she authorized you as a “legal assignee”.

You may also invoke another person’s data privacy rights after his or her death if you are his or her legal heir. This same principle applies to parents of minors, or their legal guardian, who are responsible for asserting their rights on their behalf.

This right, however, is not applicable in case the processed personal data being contested are used only for scientific and statistical research.

The practical need for transmissibility

An individual’s personal data lives on even after his death. As such, they could still be subject to privacy violations whether intentional or otherwise. The Data Privacy Act of 2012 included this provision to protect their privacy rights through a living person willing to assume the responsibility on their behalf. The transmissibility of data privacy rights has been extended to living adults who are unable to protect their own rights and wish to assign the responsibility to someone else.

How to execute

Data subjects who are alive but incapacitated, for some reason unable to to assert their own personal privacy rights and wish to authorize a “legal assignee” to act as their proxy may do so by executing a legal notice to the effect, such as through a Special Power of Attorney.

In case of a deceased data subject, the legal heir must be prepared to show legal evidence to back their claim. Parents or guardians automatically assume the responsibility of protecting the privacy rights of minors under their care.

*****

Limitations on Rights

The provisions of the law regarding transmissibility of rights and the right to data portability will not apply if the processed personal data are used only for the needs of scientific and statistical research and, based on such, no activities are carried out and no decisions are taken regarding the data subject. There should also be an assurance that the personal data will be held under strict confidentiality and used only for the declared purpose.

They will not also apply to the processing of personal data gathered for investigations in relation to any criminal, administrative or tax liabilities of a data subject. Any limitations on the rights of the data subject should only be to the minimum extent necessary to achieve the purpose of said research or investigation.