WikiFrameworksPhilippines DPA (2012)Physical Security Measures

Physical Security Measures

Plain English Translation

Organizations must implement physical security measures to control access to facilities, workstations, and electronic media containing personal data. This includes clear desk policies, restricted physical entry to data processing areas, and documented procedures for the transfer, removal, disposal, and re-use of storage media. Physical safeguards complement technical controls and prevent unauthorized access through non-digital means.

Executive Takeaway

Mandates the implementation of physical safeguards to protect facilities, workstations, and hardware media from unauthorized physical access, theft, and environmental hazards.

ImpactHigh
ComplexityMedium

Why This Matters

  • Prevents physical theft and unauthorized viewing of sensitive personal data, which often circumvents robust digital security controls.
  • Ensures regulatory compliance with NPC physical security standards, avoiding severe operational disruptions and legal penalties.
  • Protects critical infrastructure from environmental damage and natural disasters, maintaining high data availability.

What “Good” Looks Like

  • A formally enforced clear desk and clear screen policy for all employees processing personal data, with tools like WatchDog Security's Policy Management supporting version control and acceptance tracking.
  • Strict, logged physical access controls for data centers and secure file storage rooms.
  • Documented procedures for the secure destruction of physical documents and electronic storage media, with tools like WatchDog Security's Compliance Center helping organize disposal evidence for audits.

Put Philippines DPA (2012) compliance + 19 others on autopilot

Starting at $99/admin/mo — includes all frameworks, evidence automation, and AI-powered gap analysis.

Start Free Trial No credit card required

The Philippines Data Privacy Act (RA 10173) requires organizations to implement physical access limits to facilities, design workstations for privacy, control the movement of electronic media, and secure physical infrastructure against disasters and unauthorized access.

RA 10173 requires a comprehensive combination of organizational, technical, and physical security measures. This specific control focuses heavily on the physical protection of data centers, workstations, paper records, and electronic media.

Organizations should implement strict physical access controls using badge readers, visitor logs, and locked restricted areas to ensure only authorized personnel can enter rooms or interact with workstations where personal data is processed.

A clear desk policy is a crucial administrative control requiring employees to clear sensitive personal data from their desks and securely lock away physical documents at the end of the workday or when the workstation is left unattended.

Yes, IRR Section 27 specifically mandates the implementation of policies and procedures for the secure transfer, removal, disposal, and re-use of electronic media, as well as the prevention of improper disposal of sensitive paper files.

Companies must limit access to data center facilities using strong physical authentication, monitor activities inside the server rooms, and physically protect the critical hardware from natural disasters, power disturbances, and external threats.

Workstation security controls include positioning computer screens to prevent unauthorized viewing, limiting activities within the workstation area, and ensuring users always lock their terminals when stepping away from their desks.

A fully compliant physical security policy must explicitly outline facility access limits, workstation privacy guidelines, media disposal and re-use procedures, and disaster protection protocols for all physical records and equipment.

Personal data must be disposed of using certified methods that prevent mechanical recovery or reconstruction, such as cross-cut shredding for paper records and cryptographic wiping or physical destruction for electronic storage media.

Auditors should comprehensively review physical access control lists, visitor access forms, facility floor plans demonstrating privacy considerations, media disposal records, and the formal physical security policy. WatchDog Security's Compliance Center can help teams link these artifacts to RA 10173 control requirements and track whether evidence is current.

Physical security controls often produce scattered evidence, such as access lists, visitor logs, clear desk attestations, and media disposal records. WatchDog Security's Compliance Center can help teams centralize this evidence, map it to RA 10173 requirements, and identify gaps before an internal review or audit.

Clear desk and secure disposal rules are only effective when employees receive current policies and acknowledge them. WatchDog Security's Policy Management can help maintain version-controlled physical security policies, distribute them to employees, and track acceptance for audit readiness.

PHILIPPINES-DPA IRR Section 27(a)

"The personal information controller shall implement policies and procedures to limit physical access to its facility and work stations, including guidelines which specify proper use of and access to workstations and electronic media."

PHILIPPINES-DPA IRR Section 27(d)

"The personal information controller should implement policies and procedures regarding the transfer, removal, disposal, and re-use of electronic media, to ensure appropriate protection of personal data."

PHILIPPINES-DPA IRR Section 27(e)

"Policies and procedures to prevent mechanical destruction of files and equipment shall be in place. The room and workstation shall in so far as may be practical be secured against natural disasters, power disturbances, external access and other similar threats."

VersionDateAuthorDescription
1.0.02026-05-06WatchDog GRC TeamInitial publication