Skip to main content
← Back to portal
PPS Philippine Pediatric Society

Privacy Policy

Version 1.0 · Effective July 14, 2026 · Data Protection Officer: dpo@pps.org.ph

Privacy Notice Privacy Policy Cookie Policy Terms of Service Your Rights

PPS Privacy Policy

Version 2.1 · Effective 15 July 2026

This Privacy Policy explains how the Philippine Pediatric Society, Inc. (PPS) collects, uses, discloses, protects, and disposes of personal data on the PPS Portal at portal.pps.org.ph. It implements the Data Privacy Act of 2012 (RA 10173), its IRR, and the Circulars of the National Privacy Commission.

For a short summary, read the Privacy Notice instead.


1. Our role

PPS is a non-stock, non-profit medical specialty society. We are the Personal Information Controller for data collected through the Portal.

For patient data entered by physicians into the Rx Pad, Clinical Tools, and Registry, PPS is a Personal Information Processor and the physician is the controller. No PPS staff has operational access to those individual entries.

Our Data Protection Officer — dpo@pps.org.ph, PPS Head Office, Quezon City.

2. Scope

This Policy applies to the PPS Portal, PPS-managed email addresses, and records held at Head Office and by chapters on behalf of PPS. It binds every PPS trustee, officer, employee, consultant, volunteer, and vendor with access to personal data controlled by PPS.

3. Principles

Every processing activity respects Section 11 of the Act: transparency, legitimate purpose, proportionality, accuracy, storage limitation, integrity and confidentiality, and accountability.

4. Data we collect

  • Personal information — name, contact details, photo, PPS number.
  • Sensitive personal information — PRC License, PTR, S2, specialty, training and CPD records, hospital and clinic affiliations, government IDs in HR records.
  • Financial — payment tokens through PayMongo (never full card numbers or CVVs).
  • Content — support tickets, event feedback, votes, comments, clinical drafts.
  • Automatic — log data, cookies, security telemetry.

5. Purposes and legal basis

Purpose Legal basis
Membership onboarding, profile, event registration, payments, CPD tracking, Portal services §12(b) contract
Marketing email, optional fields, functional and analytics cookies, Public Doctor Directory listing §12(a) consent
BIR / PRC reporting, breach notification, evidencing consent §12(c) legal obligation
Fraud prevention, security monitoring, audited support impersonation, defense of legal claims §12(f) legitimate interests
Processing SPI for professional-organization purposes §13(d)
SPI processed with explicit consent (application, credentials) §13(a)
SPI required by law (PRC license, government IDs) §13(b)
Patient data in clinical tools §13(e) — physician is controller, PPS is processor

6. Consent

Where consent is the basis, PPS follows NPC Circular 2023-04:

  • Registration presents unbundled checkboxes. Marketing consent is never a condition of membership.
  • Every grant, refusal, or withdrawal is recorded immutably with the policy version, timestamp, IP, and user agent.
  • When a policy version advances materially, the Portal shows a blocking re-consent prompt at your next login.
  • Withdrawal is self-service at /my-privacy → Consent Preferences and takes effect immediately.

7. Who we share with

  • Inside PPS — access is role-based and periodically reviewed. Clinical-tool content is walled off from staff.
  • Processors under contract — AWS (cloud), PayMongo (payments), and our transactional email provider, each under a Data Processing Agreement.
  • PPS chapters — for chapter-level services, under Data Sharing Agreements.
  • Government — BIR, PRC, NPC, courts, when required by law.
  • Public Doctor Directory — strictly opt-in, revocable.

PPS does not sell personal data.

8. Cross-border transfer

Portal data is hosted on AWS in the United States. We rely on the AWS Data Processing Addendum with Standard Contractual Clauses, backed by AWS SOC 2, ISO 27001, and PCI DSS certifications, with encryption in transit and at rest. Accountability remains with PPS.

9. Retention and disposal

We retain personal data only as long as needed, or as required by law. Disposal runs nightly with an audit trail. Legal holds suspend disposal for affected records.

Category Retention
Member profile Active + 10 years, then anonymized
Denied applicants 3 years, then anonymized
Payment records 10 years (BIR RR 5-2014), reviewed by DPO
CPD certificates 10 years
Event attendance 5 years
Support tickets 3 years after resolution
Rx Pad / Registry (as processor) 3 years, with 90/30/7-day export notices
Clinical Tools history 90 days
Audit and PII-access logs 3–5 years
Consent records, breach records Kept as legal evidence

10. Security

Under Section 20 of the Act, NPC Circular 16-01, and NPC Circular 2023-06:

  • TLS 1.2+ in transit; AWS RDS and S3 encryption at rest.
  • Mandatory 2FA for privileged roles; role-based access control; session tied to IP.
  • Audit logging of writes to sensitive tables; PII access logging.
  • Daily encrypted backups, monthly cross-region backups, quarterly restore testing.
  • Annual privacy training; confidentiality clauses in every employment and vendor contract.
  • Annual Privacy Impact Assessment refresh.

11. Breach management

We follow NPC Circular 16-03. Staff report suspected incidents to the DPO within one hour of discovery. Notifiable breaches (per IRR §38) are reported to the NPC and affected data subjects within 72 hours. Every processor is contractually required to notify PPS within 24 hours of awareness.

12. Your rights

You have all eight rights granted by the Act — to be informed, to object, to access, to rectify, to erase or block, to damages, to data portability, and to complain. Self-service tools are at /my-privacy.

Service levels: 3-working-day acknowledgement, 15-working-day substantive response (extendable once with notice). First request per year is free.

Erasure is not absolute. Records under BIR, PRC, or legal-hold obligations must be retained. Where full deletion is not possible, we anonymize or block further processing.

13. Cookies

The Portal uses three tiers of cookies: strictly necessary (always active), functional (opt-in), and analytics (currently disabled). See the Cookie Policy.

14. Automated decision-making

PPS does not use automated decision-making that produces legal or similarly significant effects on you. Low-impact automation (event eligibility, Good Standing calculation) is subject to human review on request.

15. Changes

We review this Policy annually and on any material change in law or operations. Material amendments trigger a blocking re-consent prompt on your next login.

16. Contact and complaints

Data Protection Officer — dpo@pps.org.ph · PPS Head Office, Quezon City · Portal: /my-privacy → File a Complaint.

National Privacy Commission — complaints@privacy.gov.ph · https://www.privacy.gov.ph · 5th Floor, Delegation Building, PICC Complex, Pasay City.

You may also seek damages in court for violations of the Act.


Version 2.1 — Effective 15 July 2026. Adopted by the PPS Board of Trustees.

Contact our Data Protection Officer

mail dpo@pps.org.ph

Jamie Francis Dy — ICT Consultant and Data Protection Officer

National Privacy Commission

gavel complaints@privacy.gov.ph

https://www.privacy.gov.ph

🍪
Data Privacy Act of 2012

Your privacy, your choice

PPS uses cookies to run this portal securely and to remember your preferences. We do not sell your data. Manage your choices below, or read our Cookie Policy and Privacy Notice.

Strictly necessary Always on

Required for sign-in, security, and CSRF protection. The portal will not work without these.

Functional

Remembers your dark-mode and sidebar preferences between visits.

Analytics

Aggregate usage statistics to improve the portal. Currently not active — your choice is recorded for future use.

verified_user Compliant with RA 10173 · Data Protection Officer: dpo@pps.org.ph