This document addresses the SunFish or GreatDay application for which a customer has purchased a license or subscribed to use. Data stored in SunFish is under the control of that customer and SunFish provides a variety of technologies and tools to assist customers in meeting their obligations for protection and control of that data. We advise that the customer is subject to a variety of legislation with regards to privacy including regulations of the country in which the customer is domiciled, countries in which they operate and, in some cases, countries of which their employees are residents.
SDP is committed to ensuring privacy for data under our control as well as providing tools to our customers to help them ensure privacy and comply with applicable regulation. Securing data and ensuring privacy are essential concerns in provisioning HR applications, and developments in regulation have not substantially changed the approach we take to security and privacy; however, new regulation has substantially increased compliance requirements for customers.
SDP has embraced and implemented the Data Privacy Act (DPA) of 2012, Republic Act 10173, as administered by the National Privacy Commission.
GENERAL REGULATION PRINCIPLES SPECIFIC TO DATA PRIVACY ACT (DPA) RA 10173
In accordance with the DPA, SDP guarantees proper information management by placing all individual personal data under proper data lifecycle management:
- Collection/Creation,
- Storing/Saving,
- Processing/Using,
- Retention/Archiving, and
- Disposal/Removal.
LAWFUL GROUND FOR PROCESSING
“Processing” as defined and used in this document has the same meaning as in the Data Privacy Act of 2012 – Section 3, Definition of Terms. The individuals or groups involved in processing may be any of the following, but are not limited to:
- The Management,
- All Employees,
- Project Based, and
- Special Projects
- Third-party or External Service Providers:
  - System Administrators of the Data Processing System,
  - System Administrators of the Information and Communication System,
  - Auditors, and
  - Legal Counsel
Section 4, Scope, of the IRR of RA No. 10173, known as the Data Privacy Act of 2012, further elaborates the scope of the Data Privacy Act in its entirety and is referred to in this document.
IRR R.A. 10173 Rule VII. Section 50. Accountability for Transfer of Personal Data. A personal information controller shall be responsible for any personal data under its control or custody, including information that have been outsourced or transferred to a personal information processor or a third party for processing, whether domestically or internationally, subject to cross-border arrangement and cooperation.
- A personal information controller shall be accountable for complying with the requirements of the Act, these Rules, and other issuances of the Commission. It shall use contractual or other reasonable means to provide a comparable level of protection to the personal data while it is being processed by a personal information processor or third party.
- A personal information controller shall designate an individual or individuals who are accountable for its compliance with the Act. The identity of the individual or individuals so designated shall be made known to a data subject upon request.
IRR R.A. 10173 Rule VII. Section 51. Accountability for Violation of the Act, these Rules and Other Issuances of the Commission.
- Any natural or juridical person, or other body involved in the processing of personal data, who fails to comply with the Act, these Rules, and other issuances of the Commission, shall be liable for such violation, and shall be subject to its corresponding sanction, penalty, or fine, without prejudice to any civil or criminal liability, as may be applicable.
- In cases where a data subject files a complaint for violation of his or her rights as data subject, and for any injury suffered as a result of the processing of his or her personal data, the Commission may award indemnity on the basis of the applicable provisions of the New Civil Code.
- In case of criminal acts and their corresponding personal penalties, the person who committed the unlawful act or omission shall be recommended for prosecution by the Commission based on substantial evidence. If the offender is a corporation, partnership, or any juridical person, the responsible officers, as the case may be, who participated in, or by their gross negligence, allowed the commission of the crime, shall be recommended for prosecution by the Commission based on substantial evidence.
DATA PROTECTION BY DESIGN AND BY DEFAULT
Organizations must deliberately build in privacy, and both systems and processes have to adopt privacy by default. Organizations are obligated to ensure that the processing of personal data is for a specific purpose, and the organizations must demonstrate that data protection is at the heart of their IT framework and solution design.
TECHNICAL AND ORGANIZATIONAL SECURITY
Organizations are also obligated to implement all necessary technical and organizational measures to ensure a level of security appropriate to the risk of the processing for the data subjects. It is therefore necessary that the organization analyzes its internal IT asset landscape to identify and map data flows. This will help to ascertain the appropriateness of the security framework.
We collect and log information on the usage of our website for the purpose of technical analysis and to improve the usability of our website. This information may include your IP address. We do not match this information to information about your identity.
DATA SUBJECT RIGHTS
Organizations should be guided by the concept that the individual should know and always be able to identify what personal data is processed, by whom, for what purposes, and over what period of time. Thus, data controllers will need to actively provide certain general and specific information and honor the individual’s rights to access, to refuse or object, and to be forgotten. Organizations involved in processing personal data will therefore require robust internal processes with designated roles.
With a responsibility to clearly show customers, data subjects, and regulators that they are DPA compliant, organizations must implement a host of systemic measures to reduce the risk of violation. Complexity grows when organizations need to keep track of every purpose for which personal data is being processed and when they need to ensure that all individuals have given their consent for each data processing use case. These measures must be built into existing IT infrastructures. Depending on the outcome of a data protection risk assessment, organizations should take measures to help maintain compliance. Such measures include the appointment of a dedicated data protection officer (DPO), the execution of privacy impact assessments (PIAs), and the adoption of regular audit procedures.
DATA RETENTION VERSUS DATA DELETION
Business systems, such as human capital management (HCM) systems, contain combinations of a multitude of records on both employees and other individuals, such as job applicants and contractors. A company’s HCM system may, for example, store data related to job applications, payroll records, training history, compensation history, retirement plans, health information, and so on. Over time, a company’s HCM system will accumulate a considerable number of records, many of which contain personal information related to individuals. The DPA requires organizations to remove any personal data from their systems once this data is no longer needed for the course of business. In other cases, an employee may simply revoke their consent to a special data processing activity. At the same time, personal data obtained may still be lawfully processed on other legal grounds or be an integral part of records that are subject to retention. In such cases, the company needs to determine how to best store that data so it is not unnecessarily accessed but can still be retrieved by authorized parties.
DATA PROTECTION AS A PART OF LEGAL COMPLIANCE
Data protection requirements are only one subset of compliance requirements faced by a company. Data protection requirements need to be aligned with other applicable requirements, including tax legislation or industry-specific laws. Retention requirements are the best example. If more specific legislation defines that certain records, including personal information, need to be kept for years, deletion of this data is not allowed. Organizations need to analyze their business processes with regard to all applicable legislation and establish the appropriate technical and organizational measures to achieve and maintain compliance.
HOW SUNFISH SUPPORTS DATA PRIVACY AND COMPLIANCE
SunFish solutions are designed around comprehensive security and privacy standards. These already include many of the technical safeguards required to comply with privacy regulation and a range of business processes solutions which when used correctly can assist customers in meeting regulatory compliance requirements. We continue to enhance SunFish to provide our users with additional tools to simplify their compliance requirements.
SunFish provides tools to simplify compliance for data that is in active use, for data retained after normal active use, and for the disposal of data that has reached its end of use.
SunFish is in the process of releasing an additional tool to support tracking of employee agreements, including consent forms. Consent tracking allows customers to create a consent form which is presented to an employee each time they log in to the application for their acceptance. Consent forms allow the employee to accept the form, defer their acceptance for some time, submit questions for clarification to a company-appointed administrator, or reject the form. Customers can select actions such as the maximum time an employee can defer their response before being blocked from accessing the application, and whether to block employees from access if they reject the form.
Reporting on consent allows admin users to list who has accepted the form, including the time of acceptance and the IP address used, as well as who has yet to accept.
SunFish provides granular function access control to system functions, with the ability to control a user’s ability to view, change and delete data. Access is generally configured for a specific function in the application but can be defined as granularly as the individual field level.
SunFish allows permissions on specific data, in combination with data type, to be granted to specific users and groups of users. Customers can report on access to data and revise data access as the need-to-know rationale changes over time. Reporting is provided for easy auditing of data and function permissions. We advise establishing a process of regular review of permissions.
CHANGE LOGGING AND REPORTING
SunFish logs updates to data performed by users and allows permissioned users to report on data changes, including the before and after states of the data. Permissioned users can view the type of data change, the user that performed the change, the time of the change, the previous and new data, and other information. Filters can be applied by the user, and specific reports are available to view data changes grouped by employee, for example.
PERSONAL DATA REPORTING
SunFish provides the ability to extract a comprehensive report on non-transactional employee data for the purpose of complying with data requests from employees.
PERSONAL DATA DELETION
SunFish manages a large amount of employee data including the storing of transactional records and employee financial transactions that will require lengthy storage periods as a result of regulatory and audit requirements. The integrated nature of the data requires long term storage in order to maintain data integrity.
Once an employee ceases employment, they will enter a non-active data storage phase. Employees no longer employed are segmented to a non-active category for separate management. In order to provide the ability to comply with data deletion requests, SunFish allows for the deletion of employee personally identifiable information from records. Within the structure of the database tables, this data is directly substituted with a deletion identifier and is no longer viewable through the application.
Deleted data is stored in a separately encrypted format which is not application accessible. This data can later be recovered only by using the application secondary encryption keys. This data can additionally be purged from the application using the purge function described below.
SunFish supports the ability to purge data from the database (in addition to archiving functionality). Purge functions can be scheduled or run manually. Purge functions permanently remove data from the database, making it unrecoverable. Data purging may be applied for the purpose of data cleansing to improve system efficiency, or for the purpose of disposing of unused data to reduce liability and comply with data deletion requests. The recommended process is to maintain active data for the period required by regulation, then delete data using the Personal Data Deletion function, and purge the encrypted data deletion records automatically on a schedule of not less than one year.
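The deletion flow described above, as an added illustration that is not SunFish code: PII fields in an employee record are substituted with a deletion identifier, the removed values are kept only in a separately encrypted vault that the application cannot read, recovery requires the secondary key, and a scheduled purge permanently drops vault entries older than the retention period. The field names, the `DELETED-` marker format and the HMAC-based cipher (a standard-library stand-in for AES-GCM) are assumptions of this example.

```python
import hashlib, hmac, json, os, uuid
from datetime import datetime, timedelta

PII_FIELDS = ("name", "address", "national_id", "email")  # assumed PII set

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 as a PRF in counter mode; stand-in for AES-GCM so the
    # example runs on the standard library alone
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(secondary_key: bytes, plaintext: bytes) -> dict:
    """Encrypt-then-MAC under keys derived from the secondary (vault) key."""
    enc_key = hmac.new(secondary_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(secondary_key, b"mac", hashlib.sha256).digest()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}

def unseal(secondary_key: bytes, blob: dict) -> bytes:
    """Verify the tag first; a wrong key or a tampered blob raises ValueError."""
    enc_key = hmac.new(secondary_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(secondary_key, b"mac", hashlib.sha256).digest()
    nonce, ct = bytes.fromhex(blob["nonce"]), bytes.fromhex(blob["ct"])
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, bytes.fromhex(blob["tag"])):
        raise ValueError("vault record cannot be opened with this key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))

def delete_pii(record: dict, vault: dict, secondary_key: bytes, deleted_at: str) -> str:
    """Substitute PII with a deletion identifier; keep an encrypted copy only in the vault."""
    removed = {f: record[f] for f in PII_FIELDS if f in record}
    marker = "DELETED-" + uuid.uuid4().hex
    for field in removed:
        record[field] = marker  # the application now sees only the marker
    vault[marker] = {"deleted_at": deleted_at,
                     "blob": seal(secondary_key, json.dumps(removed).encode())}
    return marker

def recover_pii(vault: dict, marker: str, secondary_key: bytes) -> dict:
    """Authorized recovery needs the secondary key, not application access."""
    return json.loads(unseal(secondary_key, vault[marker]["blob"]))

def purge_deleted(vault: dict, now: str, min_age_days: int = 365) -> int:
    """Permanently drop vault entries older than min_age_days; returns the count purged."""
    cutoff = datetime.fromisoformat(now) - timedelta(days=min_age_days)
    expired = [m for m, e in vault.items() if datetime.fromisoformat(e["deleted_at"]) <= cutoff]
    for marker in expired:
        del vault[marker]
    return len(expired)
```

Once `purge_deleted` has removed an entry, the marker in the employee record is all that remains, so the PII is unrecoverable even to holders of the secondary key.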
DATA PORTABILITY AND EXPORT
SunFish allows customers to extract data to unencrypted flat file formats to support the need for data portability. Functions are tailored to support data extraction for different purposes such as a system migration to another vendor, or requests by employees for data portability to, for example, subsequent employers.
TECHNICAL SAFEGUARDS IN SOFTWARE
Customers maintain complete and exclusive control over data stored in SunFish. While the usage of compliance support functionality described above assists customers in complying with privacy regulation, customers should also be informed and confident of the technical safeguards used to prevent unauthorized access to data.
ENCRYPTION OF DATA AT REST
SunFish software supports database level encryption which is applied as standard to all environments we operate and optionally for customer environments. In addition to database level encryption, we additionally encrypt higher confidentiality data as it is submitted to the database to prevent accidental disclosure when highly permissioned users access the data for audit or other purposes. Passwords are only stored in hashed format and are not recoverable by decryption.
ENCRYPTION OF DATA IN TRANSIT
SunFish supports encryption of data in-transit and we use standard SSL encryption for all environments we operate and encourage customers to implement encryption on environments they operate. SSL encryption can be verified at https://www.ssllabs.com/ssltest/analyze.html?d=sf.dataon.com
SEGMENTATION OF DATA STORAGE AND APPLICATION
SunFish applications are configured to allow external access to the application for users while blocking direct external access to file and database storage.
Cookies are small files which are stored on a user computer when the user accesses a web application. SunFish uses a variety of cookies in order to control access to the application and enhance the user experience. These cookies store user preferences and are used to identify the user to the application. The purpose of the cookies and summary of data stored in them is as follows:
| Cookie | Use | Deleted on Logout |
|---|---|---|
| COID | Remember Company ID | No |
| CUSTOMIST | Remember Account Name | No |
| SFUSRSESS_[URL] | SunFish User Session | Yes |
| SFUACCOUNT | Remember Company/User/Language while logged in | Yes |
| SFCOLORSCHEME | Remember Theme Preference | Yes |
| CSLFID | Confirm server session | Yes |
| JSESSIONID | Confirm server session | No |
| CFID | Confirm server session | Yes |
Cookies do not contain personally identifiable information of users except for the SFUACCOUNT Cookie which contains the user’s name and is deleted upon logout.
TECHNICAL SAFEGUARDS IN HOSTED SOLUTIONS
When SunFish subscriptions or perpetually licensed software is hosted by DataOn, we undertake industry best practices and additional methods to secure customer data. DataOn is certified for the ISO 9001 and 27001 standards which include certification of our hosting environments.
PERIOD OF NOTIFICATION
In the event that we become aware of a breach of our security resulting in unauthorized disclosure of customer data we conduct an impact analysis to determine what data was breached and which customers are impacted. Upon completion of the analysis, we inform customers. If we are not able to complete the analysis within 72 hours of becoming aware of the breach, we inform customers of the result of our analysis to that point.
DATA COPIES AND RETENTION
We host client data on multiple servers simultaneously for redundancy or performance reasons. Access to customer files and databases is provisioned separately. Database access and encryption keys are provisioned separately for each customer. In addition to production copies of data, we maintain backups of data on separate equipment at the production site and at a physically separated backup site. These backups are maintained in accordance with our retention policy for up to 6 months. Backups are stored in encrypted format. We also maintain copies of production data which are updated in accordance with our disaster recovery plan as frequently as every five minutes. The production copies of data used in our disaster recovery center comply with the same security standards as the production data center, and updates to this data occur over a virtual private network in encrypted format.
We do not respond to requests from employees of our customers to delete data. If we are obliged to respond, we inform employees that they are required to contact the customer for data deletion. We store customer data on behalf of our customer and will delete all copies of customer data (in their entirety) upon a duly authorized order by the customer. In some cases, deletion of some components of the data may require our manual intervention and multiple levels of authentication, resulting in a processing time of up to 30 days.
SEPARATE CUSTOMER DATABASES
We store each customer’s data in a separate database for which the database passwords and encryption key are electronically configured independently for that customer. In order to provision access, we store reference information on each customer in a central database which does not contain confidential information of the company or information of employees.
We operate multiple levels of firewalls on our networks and segment production networks from internal operations. We limit access to our internal networks to our technical staff required to perform maintenance functionality on our infrastructure and require they utilize a virtual private network and segmented security access point to gain maintenance access to production networks. We protect our network with intrusion protection devices and monitor access with an intrusion detection device.
THIRD PARTY AUDITS
We undertake third party audits of our compliance with ISO 9001 and 27001 standards and provide copies of our certifications to customers. We also perform internal scanning for security vulnerabilities and conduct internal penetration testing. We employ third party companies to conduct penetration tests of our hosting environment and software and provide a certificate of test upon customer request.
SunFish DataOn Philippines Inc.
2nd Floor, Village Corner
Antipolo City, Philippines 1870
Phone: +63 2 212 4755
This version was updated on the 3rd March 2021