A security incident is any event or occurrence that affects or tends to affect data protection, or may compromise the availability, integrity, and confidentiality of personal data. It includes incidents that would result in a personal data breach, if not for safeguards that have been put in place.
A data breach is a kind of security incident.
A data breach happens when there is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
There are three kinds of data breaches:
All personal information controllers and processors must implement a security incident management policy. This policy is for managing security incidents, including data breaches.
In drafting your security incident management policy and personal data breach management procedure, the following must be included:
The Security Incident Management Policy must also include measures intended to prevent or minimize the occurrence of a personal data breach. These measures include:
Personal information controllers and processors are required to submit their Annual Report, where all security incidents and personal data breaches must be documented through written reports, including those not covered by the notification requirements.
In the event of a personal data breach, a report shall include: (a) the facts surrounding the incident; (b) the effects of such incident; and (c) the remedial action taken by the personal information controller. For other security incidents not involving personal data, a report containing aggregated data shall constitute sufficient documentation.
Any or all reports shall be made available when requested by the Commission: Provided, that a summary of all reports shall be submitted to the Commission annually, comprising general information including: (1) the number of incidents and breaches encountered; and (2) their classification according to their impact on the availability, integrity, or confidentiality of personal data.
Not all data breaches have to be reported to the NPC. Notification is required only when all of the following are present; the personal information controller (or processor, as the case may be) must then notify:
If there is doubt as to whether notification is indeed necessary, consider:
The failure to notify the NPC or the public may make you criminally liable for Concealment of Security Breaches Involving Sensitive Personal Information, which carries a penalty of imprisonment from one year and six months to five years, and a fine of Five Hundred Thousand Pesos (₱500,000.00) to One Million Pesos (₱1,000,000.00).
This crime is committed by a person who, having knowledge of the security breach and an obligation to inform the NPC of the fact of such a breach, either intentionally or by omission fails to inform the NPC that the breach has happened.
Aside from notifying the NPC, the personal information controller shall also notify the affected data subjects upon knowledge of, or when there is reasonable belief that a personal data breach has occurred. The obligation to notify remains with the personal information controller even if the processing of information is outsourced or subcontracted to a personal information processor.
The Commission shall be notified within seventy-two (72) hours upon knowledge of or the reasonable belief by the personal information controller or personal information processor that a personal data breach has occurred.
Generally, there shall be no delay in notification; however, the notification may be delayed only to the extent necessary to:
determine the scope of the breach;
prevent further disclosures; or
restore reasonable integrity to the information and communications system.
There can be no delay in the notification if the breach involves at least one hundred (100) data subjects, or the disclosure of sensitive personal information will harm or adversely affect the data subject. In either case, the Commission must be notified within the 72-hour period based on available information.
The full report of the personal data breach must be submitted within five (5) days from notification, unless the personal information controller is granted additional time by the Commission to comply.
The following information must be included in any Data Breach notification:
Under the Data Privacy Act, the data subject has the right to be notified, and in enforcement of that right the personal information controller MUST:
The notification may be supplemented with additional information at a later stage on the basis of further investigation.
The notification of affected data subjects shall be done individually, using secure means of communication, whether written or electronic. Whenever individual notification is not possible or would require a disproportionate effort, the personal information controller may seek the approval of the Commission to use alternative means of notification.
The notification requirement is not absolute; the NPC may allow the postponement of notification when it would hinder the progress of a criminal investigation.
The NPC will consider these factors in its investigation following the occurrence of a data breach:
The Commission may investigate a breach or security incident, depending on the nature of the incident, or in case of failure or delay in the notification. The investigation includes: