Entities and individuals covered by Republic Act No. 10173, otherwise known as the Data Privacy Act of 2012 (“DPA”) were required to register with the National Privacy Commission (“NPC”) in two (2) phases: (1) the appointment of a Data Protection Officer by last 09 September 2017; and (2) the registration of Data Processing Systems by last 08 March 2018.
Under NPC Circular No. 17-01, the NPC shall issue a certificate of registration to a personal information controller or processor who has successfully completed the registration. This certificate will be valid until the 8th day of March of the next following year. To renew its registration, a personal information controller or processor may file an application for the renewal of its certificate of registration within two (2) months prior to, but not later than the 8th day of March every year.
According to the same circular, registrations where no applications for renewal have been filed are deemed revoked. However, a personal information controller or processor may be allowed to file an application for renewal beyond the prescribed period upon approval of the NPC and only for good cause shown. In this regard, it shall notify the NPC of its intention to renew its registration and the reason for its delay.
Another yearly requirement to be complied with by personal information controllers or processors, regardless of whether they are mandated to register their Data Protection Officer and Data Processing Systems, is the submission of the Annual Security Incident Report. Under Rule IX, Section 41 of the DPA Implementing Rules and Regulations (“DPA-IRR”), security incidents and personal data breaches must be documented through written reports, a general summary of which shall be submitted to the NPC annually. The NPC had set the deadline for each annual security incident report to at the end of the first quarter of every year. Thus, for all security incidents between the period from January to December 2017, the deadline for the submission of the report was originally on 31 March 2018. However, this deadline was extended to 30 June 2018 to allow more entities and individuals to comply with the requirement. In view of this, the NPC issued Advisory No. 18-02 which provided specific and updated templates for the submission of the annual security incident report and personal data breach notifications.
As regards personal data breach notifications, Chapter III, Section 20 of the DPA and Rule IX, Section 38 of the DPA-IRR provide that a personal information controller shall, within seventy-two (72) hours upon knowledge, or reasonable belief, of the occurrence of a personal data breach requiring notification, inform the NPC and affected data subjects of the same. A personal data breach requires notification when sensitive personal information or other information that may, under the circumstances, be used to enable identity fraud are reasonably believed to have been acquired by an unauthorized person, and the personal information controller or the NPC believes that such unauthorized acquisition is likely to give rise to a real risk of serious harm to any affected data subject. According to NPC Circular No. 16-03, “other information” shall include, but not be limited to: data about the financial or economic situation of the data subject; usernames, passwords and other login data; biometric data; copies of identification documents, licenses or unique identifiers like Philhealth, SSS, GSIS, TIN number; or other similar information, which may be made the basis of decisions concerning the data subject, including the grant of rights or benefits. According to the same circular, the obligation to notify remains with the personal information controller even if the processing of information is outsourced or subcontracted to a personal information processor.
The notification shall at least describe the nature of the breach such as how it occurred, a chronology of the pertinent events, approximate number of data subjects or records involved, nature of the breach (whether an availability, integrity, or confidentiality breach), the likely consequences thereof, and the contact information of the data protection officer or any other accountable persons, the personal data possibly involved, and the measures taken or proposed to be taken to address the breach, secure or recover the data compromised, mitigate the consequences and limit the damage, if any, to those affected by the incident, inform the data subjects affected, and prevent a recurrence of the incident, by the entity to address the breach.