A A A

Amicus Curiae

National Privacy Commission extends renewal of registrations and submission of Annual Security Incident Reports

Noelle Jenina Francesca E. Buan

April 16, 2019

The National Privacy Commission (“NPC”) recently announced the extension of the validity of registrations completed by personal information controllers and processors as of 2018, as well as the indefinite postponement of the submission of the Annual Security Incident Report (“ASIR”) covering the calendar year 2018.

Under NPC Circular No. 17-01, the NPC required the renewal of registrations within two (2) months prior to, but not later than the 8th day of March every year. Otherwise, registrations where no applications for renewal have been filed are deemed revoked, unless good cause is shown for the delay.

However, for 2019, personal information controllers and processors that completed at least Phase One (i.e., Appointment of Data Protection Officer [“Data Protection Officer”]) of their registration with the NPC by 2018, are not required to renew their registration this year. The validity of their registration is extended until 08 March 2020. The extension means that all organizations who are currently registered at least for Phase One need not file an application for renewal.

Personal information controllers and processors who completed at least Phase One are entitled to an official digital certificate of registration, available upon request with the NPC.

Furthermore, the NPC announced that personal information controllers and processors who completed at least Phase One but have not registered for Phase Two (i.e., Registration of Data Processing Systems [“DPS”]) are not required to complete such Phase Two registrations at this time. The NPC will provide further updates on when DPS registration will resume. Personal information controllers or processors who previously completed their DPS registrations and already received their digital receipts will be unable to access their accounts and make changes in the meantime. However, the NPC advised parties to internally document such changes for record-keeping purposes.

According to the NPC, personal information controllers or processors covered by NPC Circular No. 17-01 that have not yet registered are still required to complete their Phase One Registrations or register their respective DPOs to avoid possible liabilities.

In addition to the foregoing compliance requirement, the Implementing Rules and Regulations of the Data Privacy Act (“DPA-IRR”) mandate that security incidents and personal data breaches must be documented through written reports, a general summary of which shall be submitted to the NPC annually. The NPC had set the deadline for each annual security incident report to at the end of the first quarter of every year.

However, the NPC recently announced that it postponed indefinitely the submission of the Annual Security Incident Report (“ASIR”) covering the calendar year 2018. According to the NPC, this is in view of their current efforts to revise its key processes in the submission of the ASIR for the enhancement of reportorial efficiency and harmonization of documents submission. Despite this postponement, the NPC advises parties to continue internally recording their security incidents. For personal information controllers or processors that have accomplished the 2018 ASIR and wish to submit to the NPC, may still do so any time via e-mail, through the NPC website, or by hard copy submission.