Physical Security Measures
Plain English Translation
Organizations must implement physical security measures to control access to facilities, workstations, and electronic media containing personal data. This includes clear desk policies, restricted physical entry to data processing areas, and documented procedures for the transfer, removal, disposal, and re-use of storage media. Physical safeguards complement technical controls and prevent unauthorized access through non-digital means.
Technical Implementation
Use the tabs below to select your organization size.
Required Actions (startup)
- Implement basic office locks, enforce locking screens when stepping away, and buy a cross-cut shredder for physical documents.
Required Actions (scaleup)
- Install badge-access systems for offices, maintain formal visitor logs, and use certified vendors for the destruction of electronic media.
Required Actions (enterprise)
- Deploy multi-factor physical access controls (biometrics) for data centers, implement continuous CCTV monitoring, and utilize formal hardware asset tracking systems.
The Philippines Data Privacy Act (RA 10173) requires organizations to implement physical access limits to facilities, design workstations for privacy, control the movement of electronic media, and secure physical infrastructure against disasters and unauthorized access.
RA 10173 requires a comprehensive combination of organizational, technical, and physical security measures. This specific control focuses heavily on the physical protection of data centers, workstations, paper records, and electronic media.
Organizations should implement strict physical access controls using badge readers, visitor logs, and locked restricted areas to ensure only authorized personnel can enter rooms or interact with workstations where personal data is processed.
A clear desk policy is a crucial administrative control requiring employees to clear sensitive personal data from their desks and securely lock away physical documents at the end of the workday or when the workstation is left unattended.
Yes, IRR Section 27 specifically mandates the implementation of policies and procedures for the secure transfer, removal, disposal, and re-use of electronic media, as well as the prevention of improper disposal of sensitive paper files.
Companies must limit access to data center facilities using strong physical authentication, monitor activities inside the server rooms, and physically protect the critical hardware from natural disasters, power disturbances, and external threats.
Workstation security controls include positioning computer screens to prevent unauthorized viewing, limiting activities within the workstation area, and ensuring users always lock their terminals when stepping away from their desks.
A fully compliant physical security policy must explicitly outline facility access limits, workstation privacy guidelines, media disposal and re-use procedures, and disaster protection protocols for all physical records and equipment.
Personal data must be disposed of using certified methods that prevent mechanical recovery or reconstruction, such as cross-cut shredding for paper records and cryptographic wiping or physical destruction for electronic storage media.
Auditors should comprehensively review physical access control lists, visitor access forms, facility floor plans demonstrating privacy considerations, media disposal records, and the formal physical security policy. WatchDog Security's Compliance Center can help teams link these artifacts to RA 10173 control requirements and track whether evidence is current.
Physical security controls often produce scattered evidence, such as access lists, visitor logs, clear desk attestations, and media disposal records. WatchDog Security's Compliance Center can help teams centralize this evidence, map it to RA 10173 requirements, and identify gaps before an internal review or audit.
Clear desk and secure disposal rules are only effective when employees receive current policies and acknowledge them. WatchDog Security's Policy Management can help maintain version-controlled physical security policies, distribute them to employees, and track acceptance for audit readiness.
"The personal information controller shall implement policies and procedures to limit physical access to its facility and work stations, including guidelines which specify proper use of and access to workstations and electronic media."
"The personal information controller should implement policies and procedures regarding the transfer, removal, disposal, and re-use of electronic media, to ensure appropriate protection of personal data."
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-05-06 | WatchDog GRC Team | Initial publication |

