The right to be notified of data breach incidents

Giancarlo O. Largo

Consumer personal data has played an increasingly pivotal role in many markets and economies.

Companies like Grab and Airbnb have grown their respective businesses not by acquiring tangible properties but by banking on information given to them by their clienteles. This palpable importance of consumer data has given credence to the prevalent belief that information is now the modern currency of this rapidly changing digital world. Corollary to this, the need to protect vital information has also been brought to the fore amid a mounting trend of cybercrimes, including identity theft and online harassment.

Republic Act No. 10173, or the Data Privacy Act of 2012 (DPA), lays down the privacy principles and the rights of data subjects that protect consumer information in the hands of companies that process or control such data — the personal information processor (PIP) or personal information controller (PIC). This task is entrusted to the National Privacy Commission (NPC), which shall ensure that data subjects enjoy the following rights:

• To be informed that their personal data shall be, is being or has been processed, including the existence of their rights;

• To object or withhold consent to processing in case of any amendment to the information supplied to them;

• To request access to the details of their personal data being processed;

• To rectify or dispute any inaccuracy in their personal data;

• To erase or order the blocking of their personal data under certain grounds;

• To be indemnified when they sustain damages on account of inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of personal data;

• To obtain a copy of their personal data in an electronic or structured format to allow further use (called the Right to Data Portability); and

• To lodge a complaint before the NPC in cases of violation of these enumerated rights.

In addition to this list, and particularly significant during a data breach incident, is the “right” of the data subject to be notified by the PIC concerned when a data breach occurs. As provided in NPC Circular No. 16-03 (“Circular”) on Personal Data Breach Management, affected data subjects have to be notified by the concerned PICs within seventy-two (72) hours from discovery when personal information about their race, ethnic origin, marital status, age, religious or political affiliations, health, education, genetic records, social security numbers and the like is believed to have been acquired by an unauthorized person and would therefore likely give rise to a real risk of serious harm to the data subjects.

This notification must include, in general, the nature of the breach, the personal data involved, the measures taken to address the breach, and the details of the person who may be contacted for more information. Aside from being alerted of the breach, data subjects should be given instructions on how to further mitigate the dangers arising from it. Simple actions such as changing passwords or PINs and reporting suspicious transactions that may be linked to the exposed data become helpful in these scenarios.

Interestingly, though, this right to be notified is not discussed under the chapter on the Rights of the Data Subject in the DPA and is instead treated more thoroughly in an NPC circular, so that data subjects, and even the PICs, are oftentimes unaware of this right and its corresponding obligations.

Another aspect that makes compliance a challenge, especially for PIPs and PICs, is determining whether a certain event is a security incident or a data breach. Note that the right of the data subject to be notified pertains only to data breaches. The Circular defines a personal data breach as a “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed…in a nature of: an availability breach…, integrity breach…, confidentiality breach.”

However, there are also security incidents, defined as “an event or occurrence that affects or tends to affect data protection, or may compromise the availability, integrity, and confidentiality of personal data. It shall include incidents that would result to a personal data breach, if not for safeguards that have been put in place.” The interplay of the terms “availability, integrity and confidentiality” in both definitions makes the distinction quite difficult for laymen to draw.

The rights of the data subject sit at the core of the DPA. Simplifying these definitions would help increase awareness and thereby strengthen the enforcement of such rights.
