Data privacy update: The Annual Security Incident Report

Maria Isabel M. Llave

The National Privacy Commission (NPC) recently extended the deadline to submit the Annual Security Incident Report for all security incidents occurring in 2017, to June 30, 2018. The NPC had previously issued the Guidelines on Security Incident and Personal Data Breach Reportorial Requirements under NPC Advisory No. 18-01 (“Guidelines”) along with templates for the required reports.

However, the NPC is currently revisiting these Guidelines and templates and recently announced that it is planning to further simplify the requirements for the annual report and align them with those of other privacy regulations on international data flows such as the General Data Protection Regulation (GDPR) and APEC-Cross Border Privacy Rules (CBPR).

Nonetheless, the NPC also noted that Personal Information Controllers (PICs) who already submitted their report based on present guidelines would be considered as sufficient for the year by the NPC.

Under NPC Circular No. 16-03 on Personal Data Breach Management, the NPC requires a company to document adverse events that have an impact on the availability, integrity, or confidentiality of personal data, even if these adverse events prove unsuccessful. These events are defined in the Data Privacy Act of 2012 (DPA) as security incidents.

Both the Personal Information Controller (PIC) and the Personal Information Processor (PIP) are required to document all occurrences of security incidents and personal data breaches (those covered by the mandatory notification requirements and those not covered by such requirements), and submit an Annual Security Incident and Personal Data Breach Report to the NPC. This is due by the end of the first quarter of the succeeding year.

While the NPC is in the process of simplifying the requirements for the annual report, its recently issued Guidelines may prove instructional for PICs and PIPs with respect to the contents of the Annual Security Incident Report as well as the mandatory notification and reports for Personal Breach.
Under the Guidelines, and as previously provided under NPC Circular No. 16-03, the Annual Security Incident Report consists of the following:

• Summary of Annual Security Incident and Personal Data Breach Reports containing the following information:

• The summary must contain the following information, collated at the end of every calendar year: (i) total number of security incidents and personal data breaches (reportable and non-reportable); (ii) total number of security incidents; (iii) total number of reportable personal data breach, i.e., mandatory notification required; and (iv) other personal data breaches, i.e., non-reportable breaches.

• Total number of Security Incidents that do not involve personal data, classified according to Attack Vectors, including, among others, denial of service, compromise information (which does not involve personal data), compromise asset, unlawful activity, internal hacking, external hacking, malware, e-mail, policy violations.

• Total number of Reportable and non-reportable personal data breaches, classified according to their impact on the Confidentiality, Integrity or Availability of the Personal Data affected.

• Summary Information of the incidents surrounding the personal data breach/es. The summary of personal data breach/es must be based on the entries in the Personal Data Breach Report/s.

What is interesting is that under the Guidelines, the NPC introduced for the first time the concept of attack vectors. While this term is not actually defined in the Guidelines, a simple internet search reveals that in the tech community, attack vectors are commonly known as techniques or methods by means of which unauthorized access can be gained to a device or a network by hackers for nefarious purposes (see

Based on this definition, and as demonstrated by the attack vectors enumerated in the template for the Annual Security Incident Report, PICs and PIPs should not only be concerned with security incidents involving personal data.

Thus, the NPC has previously stated that “a cyberattack that successfully uncovers industrial secrets that do not involve the processing of personal data may be considered a security incident (NPC Press Release on “NPC sets March deadline for submission of 2017 Annual Security Incident Report of personal information controllers” dated Jan. 4, 2018).

What appears to be most important, apart from maintaining the security, integrity and confidentiality of personal data, is the overall security and protection of an entity’s systems and infrastructure, whether or not such systems process personal data.

How can we help you?