Category Archive: Press Releases
PAW 2023: Empowering Data Privacy Champions to Safeguard Personal Data Privacy Rights
The National Privacy Commission (NPC) celebrated Privacy Awareness Week (PAW) 2023 with the PAW Conference on May 25, 2023, at Okada Manila, Parañaque City, as the culminating event. With the theme “Empowering DPOs and Protecting Personal Data Privacy Rights of Filipinos,” and with Department of Information and Communications Technology Secretary Ivan John E. Uy as keynote speaker, PAW 2023 showcased the critical role of Data Protection Officers (DPOs) in promoting the responsible processing of personal data and shared best practices in promoting and protecting the data privacy rights of Filipinos.
In his video message, President Ferdinand R. Marcos, Jr. highlighted the significance of the PAW Conference as a testament to the Marcos Administration’s efforts to align the country's data privacy initiatives with global standards. In addition, he urged all attendees and the DPOs to persevere in their commitment to legal compliance, working hand in hand with the NPC to foster digital innovation and ensure the continuous development of robust data privacy practices. “From this gathering, I hope to see innovative solutions that will safeguard and address the concerns of the private sectors as regards to data protection,” President Marcos, Jr. stated.
In her statement, Vice President Sara Z. Duterte-Carpio also expressed her support for this year’s PAW Conference. “This occasion attests to your (NPC) continuing efforts to fulfill your responsibility of protecting the privacy rights of Filipinos,” she stated. Vice President Duterte-Carpio called upon all citizens to work together in safeguarding fellow Filipinos, especially children, from the abuses prevalent in virtual spaces and digital platforms.
Privacy Commissioner Atty. John Henry D. Naga delivered his Commissioner’s Report underscoring the NPC's profound belief in the importance of ensuring that data subjects are well-informed of their rights. “We firmly believe in empowering data subjects through knowledge and awareness, and fostering a culture of privacy and data protection. Through our comprehensive advocacy programs, we strive to provide individuals with the necessary tools to navigate the complexities of the digital world. This enables them to make informed decisions about their personal data, and exercise control over their privacy,” the Privacy Commissioner stated.
The PAW Conference gathered industry leaders, DPOs, and data privacy experts and advocates to provide valuable insights on the advantages of institutionalizing data privacy programs, to share best practices for data subject rights promotion and protection, and to highlight the pivotal role of privacy professionals in organizations.
The speakers for this year’s PAW included Mr. David Hardoon (Aboitiz Data Innovation), Mr. Eugene Acevedo (Rizal Commercial Banking Corporation), Mr. Amit Jagga and Atty. Michael Montero (Concentrix Philippines), Mr. Kevin Shepherdson (Straits Interactive), Atty. Aurelle Dominic Narag (PrivaLex Consulting Group), Atty. Maria Concepcion Gloria-Rubio (Philippine Amusement and Gaming Corporation or PAGCOR), Atty. Maria Patricia Foria (Insurance Company of North America), and Mr. J. Trevor Hughes (International Association of Privacy Professionals).
Messages of support were also sent by NPC partners, namely, Senator Jinggoy Estrada, Senator Sherwin Gatchalian, Senator Christopher Lawrence Go, Senator Loren Legarda, Senator Ramon Revilla, Jr., Senator Joel Villanueva, and Senator Cynthia Villar.
In promoting collaboration and strengthening partnerships in personal data protection at the international level, data privacy authorities from other jurisdictions expressed their support for the NPC and shared best practices from their respective jurisdictions, namely Ms. Denise Wong (Personal Data Protection Commission of Singapore), Ms. Ada Chung Lai-ling (Office of the Privacy Commissioner for Personal Data, Hong Kong, China), Mr. Akira Nakaminato (Personal Information Protection Commission of Japan), Prof. Dr. Faruk Bilir (Personal Data Protection Authority of Türkiye), Ms. Blanca Lilia Ibarra Cadena (INAI of Mexico), and Mr. Ian Deguara (Information and Data Protection Commissioner of Malta).
NPC in 2022: Navigating Challenges, Delivering Excellence
In 2022, the NPC achieved significant accomplishments in further enhancing data privacy and protection. To assist Personal Information Controllers (PICs) and Personal Information Processors (PIPs) in strengthening their data privacy measures, the NPC issued four circulars covering administrative fines, loan-related transactions, private security agencies, and the registration of personal data processing systems. Additionally, the NPC released an advisory providing guidelines on requests for the personal data of public officers, and 29 advisory opinions addressing privacy concerns raised by data subjects, PICs, and PIPs.
The NPC strengthened its compliance efforts, including the registration of DPOs, through its Compliance and Monitoring Division. This resulted in 1,670 new registrations of PICs, PIPs, and individual professional DPOs. The NPC also processed 2,047 amendment requests and 711 renewal applications, and conducted 42 on-site visits and 543 privacy sweeps. Non-compliant PICs/PIPs received 63 notices of document submission and 45 warning letters.
Regarding complaint handling, the NPC expanded its case investigation and enforcement programs to promptly address data breaches and data security and privacy concerns. In 2022, the NPC handled 279 new complaints and resolved 1,404 complaints, with a total of 3,175 concerns managed by its Legal and Enforcement Office. In its adjudicatory function, the NPC issued 35 Decisions, 60 Resolutions, and 45 Orders in cases adjudicated in 2022.
Recognizing the importance of adopting emerging information and communications technologies (ICTs), the NPC pursued the digitalization and modernization of its services. The Data Breach Notification Management System (DBNMS) and the NPC Registration System (NPCRS) were launched in 2022 to facilitate its breach notification and registration processes.
While accomplishing these milestones, the NPC solidified its position in the global data privacy landscape. In September 2022, the NPC renewed its ties by signing a memorandum of agreement with the Personal Data Protection Commission (PDPC) of Singapore, which was witnessed by President Ferdinand Marcos, Jr. and Prime Minister Lee Hsien Loong, during the former’s State Visit. Locally, inter-agency collaborations were fostered through a memorandum of agreement with the Philippine Competition Commission and the Cybercrime Investigation and Coordinating Center.
In terms of public education, the NPC conducted various capacity-building programs on data privacy and protection for its stakeholders. It addressed 10,755 requests received through different channels and processed 82 Freedom of Information requests from 2022 up to the first quarter of 2023. Awareness campaigns were also conducted through press releases, DPA briefing sessions, the Kabataang Digital Summit, and the PSST! initiative (Privacy, Safety, Security, and Trust).
The NPC also supported the SIM Registration Act by guiding Public Telecommunications Entities (PTEs) to process citizens' personal data in compliance with the Data Privacy Act of 2012 (DPA). It addressed public concerns on issues related to the terms and conditions and privacy policies being implemented by PTEs.
Privacy Commissioner Naga proudly stated, “Our accomplishments during the year 2022 are proof that the NPC remained true to its principles to invariably uphold data subject rights and be an able partner of personal information controllers and personal information processors.”
NPC in 2023: Raising Accomplishments to the Next Level
Currently, the NPC continues to craft policies toward strengthened privacy regulations, building a high-trust society, and realizing a privacy-empowered Philippines.
Privacy Commissioner Naga shared the accomplishments for the first quarter of 2023 including the publication of NPC Circular No. 2023-01 or Schedule of Fees and Charges of the NPC, the draft Circular on Data Privacy Competency Program, and other draft circulars for public input.
Recently, the NPC signed two memoranda of understanding (MOU) that commenced collaborations at both the local and international levels. The first MOU was signed with the country’s leading telcos, namely Dito Telecommunity Corporation, Globe Telecom Inc., and Smart Communications, Inc., while the second MOU was entered into with the Office of the Privacy Commissioner for Personal Data, Hong Kong, China. These partnerships reflect the NPC’s commitment to fostering cooperation and advancing data privacy efforts across sectors and international boundaries.
The NPC also announced the launching of two significant initiatives. Privacy Commissioner Naga introduced the Circular on Prerequisites for the Philippine Privacy Mark Certification Program and released the 2022 Compendium of NPC Issuances, a comprehensive guide designed to educate and inform Filipinos about data privacy and protection, made digitally available at the NPC website.
Recognizing the importance of keeping up with evolving user expectations, the NPC enhanced its website and launched NPC Website Version 2.0. Significant improvements include a user-friendly interface, personalized drop-down menus, news and updates, a mobile-friendly design, and an efficient search bar. To explore NPC Website 2.0 and experience its new features, visit https://privacy.gov.ph/.
PAW Awards 2023
With privacy at the forefront of digital transformation and data-driven innovation, the PAW Awards 2023 celebrated significant achievements and best practices in protecting personal information. The annual PAW Awards are part of the NPC’s endeavor to acknowledge its stakeholders’ compliance with the DPA and to inspire PICs/PIPs, DPOs, and data privacy advocates in their efforts to strengthen data privacy and protection in the country.
The Privacy Initiative of the Year was awarded to Universal Leaf Philippines, Inc. for its Electronic Literacy Initiative while the Privacy Management Program Award was won by PAGCOR.
Mr. Allan A. Custodio was chosen as the Privacy Advocate of the Year and Mr. Jonathan John B. Paz of the Bank of the Philippine Islands was hailed as the Data Protection Officer of the Year.
NPC Concludes Investigation on Unauthorized GCash Transactions
PASAY CITY, May 24, 2023 - The National Privacy Commission (NPC) has concluded its extensive investigation into the reported unauthorized transactions involving multiple GCash accounts. After careful examination and independent verification of the incident, the NPC has confirmed that the security breach resulted from phishing attacks.

“Upon our thorough investigation, we have determined that the unauthorized transactions in GCash accounts were a result of a meticulous phishing scheme,” stated Privacy Commissioner John Henry D. Naga. "Unknown threat actors took advantage of vulnerable GCash users, triggering the phishing scheme through online gambling websites such as 'Philwin' and 'tapwin1.com'," the Privacy Commissioner added.
Beginning May 9, 2023, the NPC's Complaints and Investigation Division (CID) conducted an independent investigation to ascertain the extent of the alleged unauthorized transactions and to determine whether personal data had been compromised and whether there were other potential violations of the Data Privacy Act of 2012.
On May 12, 2023, the NPC held a clarificatory meeting with G-Xchange, Inc. (GXI), at which GXI presented the information gathered from its internal investigation and outlined the measures taken to address the incident. The NPC raised concerns and requested additional information and proof from GXI to enable an independent assessment and verify the company's claims. Subsequently, on May 19, 2023, GXI submitted its compliance with the orders issued by the NPC.

"We have ordered GXI to intensify its education and awareness campaign to its clients to prevent similar incidents in the future,” Privacy Commissioner Naga disclosed. “We assure the public that the National Privacy Commission remains resolute in its mandate to safeguard the rights of data subjects and protect personal information. We will employ the full extent of our powers under the law to penalize those who violate the Data Privacy Act of 2012,” the Privacy Commissioner asserted.
The NPC is committed to promoting a safe and secure digital environment for all Filipinos and urges everyone to remain vigilant against phishing attacks that would compromise their personal
PH, HK sign MOU on Personal Data Protection
The National Privacy Commission (NPC) and the Office of the Privacy Commissioner for Personal Data of Hong Kong (PCPD) signed a Memorandum of Understanding (MOU) to strengthen collaboration and cooperation on personal data protection. Privacy Commissioner Atty. John Henry D. Naga of the NPC and Privacy Commissioner for Personal Data Ada Chung Lai-ling of the PCPD signed the MOU today, May 22, 2023, at the PCPD headquarters in Hong Kong, China.
Privacy Commissioner Naga emphasized the significance of the MOU and expressed enthusiasm for this collaborative journey. “This Memorandum of Understanding reaffirms both jurisdictions’ firm belief that robust data governance is essential to protect data subjects’ privacy rights, ensure trust in digital services, and harness the transformative potential of data for social and economic progress. The MOU reflects our commitment to jointly address the challenges posed by the digital landscape and to foster a secure, inclusive, and data-driven future,” the Privacy Commissioner said.
The MOU aims to enhance data privacy and protection measures through mutual support, knowledge sharing, and joint initiatives. “Through this MOU, the NPC is ensuring that, through its cooperation with other jurisdictions, it leverages its mandate and builds a sustainable and responsible digital future for Filipinos,” Naga added.
Hong Kong’s Privacy Commissioner, Ms. Ada CHUNG Lai-ling, highlighted the importance of executing the MOU and looked forward to embarking on this new chapter of collaboration. She said: “The signing of the MOU between the two authorities shows our joint commitment and dedication in safeguarding personal data privacy of citizens in our respective jurisdictions. I believe that the enhanced collaborative efforts of both authorities would facilitate the growth and development of digital economies in both jurisdictions while safeguarding personal data privacy. Going forward, I am confident that the two authorities can share their expertise and experience in areas of mutual interests amidst rapid technological developments in both jurisdictions.”
Scope of collaboration
The scope of this MOU extends to various aspects of personal data protection, focusing on mutual cooperation while adhering to each party's domestic laws and regulations. The NPC and PCPD shall engage in joint efforts to promote personal data protection within their regions. This collaboration also includes mutual assistance to facilitate investigations in the respective jurisdictions concerning potential contraventions of either jurisdiction's privacy and data protection legislation. Additionally, both organizations will coordinate and provide mutual assistance in joint investigations into cross-border personal data incidents or breaches, subject to the foreign relations laws of both jurisdictions.

The NPC and PCPD shall actively engage in knowledge sharing, training, and education on current and emerging privacy and data protection issues and trends. They shall explore or identify suitable organizations from both jurisdictions to participate in a cross-jurisdictional sandbox to test-bed innovative data sharing cases.
Joint Efforts: NPC and NBI Collaborate to Apprehend Bomb Threat Suspect
Today, May 19, 2023, the National Privacy Commission (NPC) visited the National Bureau of Investigation (NBI) to discuss the recent arrest of the suspect involved in the bomb threat incident targeting the NPC office.

The suspect persisted in posting bomb threats, continuously messaging the NPC until Monday, May 15, 2023, which prompted the Commission to file a formal complaint. With the invaluable assistance of the Cybercrime Investigation and Coordinating Center (CICC), the Philippine National Police (PNP), and the National Bureau of Investigation (NBI), the suspect was apprehended on May 17.
The quick response to the bomb threat targeting the NPC was led by the NBI's Cybercrime Division, headed by Atty. Jeremy Lotoc. Upon receiving the information, the Cybercrime Division initiated an immediate investigation, diligently tracing the suspect's digital footprint. Through a collaborative effort between the NBI and local police, the suspect was successfully apprehended in Aklan.
Privacy Commissioner John Henry D. Naga stated, "We believe in upholding accountability for actions that disrupt public safety and instill fear among individuals. Rest assured, the NPC remains unwavering in its commitment to protecting the privacy rights of Filipinos. We reiterate that incidents such as these will not deter us from fulfilling our responsibilities."
The suspect is undergoing inquest proceedings before the Office of the City Prosecutor of Pasay. The charges were formally filed on May 16, 2023, and the suspect faces multiple violations: Grave Threats under Art. 282 of the Revised Penal Code, in relation to the Cybercrime Prevention Act of 2012, and violation of P.D. 1727, likewise in relation to the Cybercrime Prevention Act of 2012.
Commissioner Naga assured the public that the NPC is working closely with the authorities to support their investigations and provide any necessary assistance. The Commission will fully cooperate to ensure an effective and efficient legal process.
The NPC extends its gratitude to the law enforcement agencies for their swift action in apprehending the individual responsible for this alarming incident. "We are thankful for their vigilance and commitment to ensuring the well-being of our community. The NPC applauds the NBI’s determined pursuit and apprehension of cybercriminals without hesitation in its mission to combat cyber threats and ensure the safety and security of individuals in the digital realm. We also appreciate the understanding and support of the public during this challenging period. Their tireless efforts and dedication to public safety are highly commendable," Naga said.

"As an organization dedicated to safeguarding privacy rights, we urge the public to exercise caution and responsibility when using social media platforms, emphasizing the importance of engaging in respectful and lawful online discourse. Let us collectively work towards a safe and inclusive digital space that fosters understanding, dialogue, and the protection of privacy rights," he added.
On May 12, 2023, the NPC received a bomb threat through a comment posted by the suspect on the NPC’s official Facebook account, prompting Commissioner Naga to immediately activate the NPC’s emergency protocols, evacuate NPC personnel to the designated evacuation site within the PICC Complex, and temporarily suspend NPC office operations.
Privacy Commissioner Naga Orders In-depth Investigation into GCash Glitch
PASAY CITY, May 12, 2023 – The National Privacy Commission (NPC) is investigating a potential personal data breach involving compromised accounts of the mobile application GCash. This is in light of the glitch that occurred on May 10, 2023, which forced the temporary halt of GCash app operations. The NPC’s Complaints and Investigation Division (CID) has been closely monitoring this incident since May 9, 2023, amid circulating reports from GCash users of suspicious transactions on their GCash accounts, to determine whether a breach occurred and its extent, and whether there are any other violations of the provisions of the Data Privacy Act of 2012.
On May 10, 2023, the NPC issued a notice to explain and an order addressed to G-Xchange, Inc. (GXI), the company managing GCash, requiring GXI to appear before the Commission for a clarificatory meeting and to provide additional information and documents. The clarificatory meeting was held on May 12, 2023, wherein GXI presented information to the NPC about its investigation and the measures taken with dispatch to address the incident. The NPC will issue another Order instructing GXI to provide further information and documents to enable an independent assessment and to verify GXI's claim that the supposed phishing was the cause of the glitch.
Privacy Commissioner and Chairman Atty. John Henry D. Naga assures the public that all necessary steps have been taken by the NPC to protect the rights of GCash clients as data subjects. "The NPC is committed to safeguard the privacy of all individuals and will continue to provide guidance on how the public can better protect themselves from violations of their data privacy rights, even as these threat actors are also becoming more sophisticated in the pursuit of their criminal design," Privacy Commissioner Naga stated. He further emphasized, "The NPC will diligently exercise its powers under the law against any party found to be in violation of the Data
Driving positive change and transformation: NPC strengthens strategic partnership with Telcos through MOU signing
PASAY CITY, May 10, 2023 – The National Privacy Commission (NPC) took a significant step in safeguarding the personal data of telecommunications subscribers by signing a Memorandum of Understanding (MOU) with the country's leading telecommunications companies (Telcos). The MOU aims to strengthen coordination and cooperation between the government and the private sector, to further enhance the quality of services to stakeholders while ensuring the protection of personal data.

The MOU was signed on May 10, 2023 by Privacy Commissioner and Chairman Atty. John Henry D. Naga and representatives from Dito Telecommunity Corporation (Atty. Adel A. Tamano), Globe Telecom Inc. (Atty. Irish Krystle Salandanan-Almeida), and Smart Communications, Inc. (Leah Camilla B. Jimenez). By virtue of the memorandum, a Joint Task Force is established to foster coordination, communication, and implementation of the parties’ respective obligations regarding data privacy and protection, with the NPC serving as Secretariat.
The NPC, in cooperation with the Telcos, will work towards capacity-building, knowledge sharing, and intensifying anti-fraud measures by launching a joint information dissemination campaign which will educate and inform the public on these fraudulent schemes and the correct process on how to report
The collaboration between the NPC and the Telcos, through the MOU, is a response to the urgent need to protect the public’s data privacy and security, especially against prevalent fraudulent schemes such as targeted smishing messages. Commissioner Naga is confident that the MOU will start a more dynamic relationship between the government and the Telcos. “It is imperative that we join forces with the private sector and collaborate to further strengthen data privacy awareness and educate our kababayans in safeguarding their personal data. By working together in this common endeavor, we can effectively promote the significance of ensuring that personal data is safe and secured, and the consequences of failing to do so,” the Privacy Commissioner said.

“This initiative is crucial in light of the increasing instances of data breaches and cyber threats that pose a significant risk to data privacy and security. It is our collective responsibility to equip our fellow citizens with the knowledge on their rights as data subjects and doing their part in protecting their own personal data,” Naga added.
The representatives of the Telcos affirmed their commitment to supporting the NPC’s efforts in educating Filipinos about their data privacy rights, promoting a safe online environment, and preventing fraudulent schemes from prevailing.
NPC holds DPO ACE Level 1 Program Examination
The National Privacy Commission (NPC) successfully concluded the two-day Data Protection Officer Accountability, Compliance and Ethics (DPO ACE) Level 1 Program examination for Metro Manila on 25 April 2023.
Around 240 privacy advocates took the examination held at the Department of Information and Communications Technology Central Office in Quezon City.
The DPO ACE was designed in 2018 to equip Data Protection Officers with the knowledge and skills necessary to effectively manage their organizations' compliance with the Data Privacy Act of 2012 (DPA).
The NPC is currently developing a new data privacy education program that will cover the foundational and operational aspects of the DPA. The new program is designed for anyone who seeks to have a better understanding of the data privacy law and its application to actual situations, whether a practitioner or not.
The new program is set to enhance the accessibility of training opportunities throughout the country to enrich data privacy education in the Philippines.
Any questions concerning the DPO ACE may be addressed to [email protected].
NPC to Meet with Law Enforcement Agencies Over Alleged Breach of Personal Data
The National Privacy Commission (NPC) will meet with the Philippine National Police (PNP), National Bureau of Investigation (NBI), and other concerned agencies to investigate the alleged leak of documents containing personal data involving law enforcement. The meeting is set on 20 April 2023, at 1:00 pm, and will be attended by representatives of NPC, PNP, Civil Service Commission (CSC), and Bureau of Internal Revenue (BIR).
According to a recent report by an online news outlet, the document includes personal information such as names, addresses, contact details, and even medical records of police officers, prosecutors, and judges. The NPC considers this matter of utmost importance and has taken immediate action to ensure that those responsible for the alleged breach will be held accountable.
In a statement, Privacy Commissioner John Henry Naga said, "As your data privacy authority, the NPC is fully committed to protecting personal information and assures the public that we will not leave a stone unturned in getting to the bottom of this alleged breach. We would also like to have this opportunity to remind those who process personal data that they concomitantly have the duty to protect the data they collect. Do not collect if you can't protect."
In light of the alleged records leak and breach, the NPC has taken swift action and called on the PNP to provide additional information and an explanation regarding the incident. "The NPC takes this matter very seriously, and we are working closely with all concerned agencies to investigate this issue thoroughly," said Commissioner Naga.
The NPC emphasizes the importance of safeguarding personal data and encourages organizations to implement necessary measures to ensure the protection of personal information. The Commission reminds everyone that the right to privacy is a fundamental human right that must be respected at all times.
The NPC will continue to work closely with the PNP, NBI, and other concerned agencies to ensure that appropriate actions are taken to prevent similar incidents from happening in the future.
Privacy Chief Invites LGUs to Host Personal Data Privacy Compliance Seminars and Workshops
The National Privacy Commission (NPC), in coordination with the Department of the Interior and Local Government (DILG), invites all Provincial Governors, City and Municipal Mayors, and others concerned to host personal data privacy compliance seminars and workshops in their respective local government units (LGUs).
One of the key thrusts of the NPC is to equip LGUs, their data protection officers, and their personnel with the knowledge and skills to strengthen their compliance with the Data Privacy Act (DPA) of 2012. As local governments process personal data in order to execute their mandates, it is important for LGUs to amplify their initiatives in raising awareness on data privacy and promoting data protection. Local governments' effective compliance with the data privacy law will significantly improve their public service through transparent processes and secure data processing systems. Further, the conduct of personal data privacy compliance seminars and workshops is an important step in igniting local governments’ enthusiasm to join the Commission in the goal of protecting their constituents’ personal data.
As part of its compliance support and advocacy functions, the Compliance and Monitoring Division (CMD) of the NPC will assist local chief executives in strengthening their data privacy policies and implementation. CMD will provide personnel as speakers in seminars or workshops on DPA compliance organized by the LGUs. Interested LGUs may contact NPC-CMD at (+63) 936 043 2973 or via email at [email protected]
Read DILG’s Memorandum Circular inviting LGUs relative to the conduct of personal data privacy compliance seminars and workshops by the NPC.
ATTY. JOHN HENRY D. NAGA
NPC launches online registration system for data processing systems
PASAY CITY – The National Privacy Commission (NPC) launched its online registration system today, February 3, 2023. The NPC Registration System (NPCRS) is an online platform that provides a secure and seamless portal for both government and private organizations to register their data processing systems with the Commission. It is the latest system developed and implemented by the NPC to deliver services in a more effective and efficient manner.
The implementation of the NPCRS provides the following benefits to the Commission and its stakeholders: ease of monitoring requests and approvals of registration applications; a secure portal through which the registration monitoring unit accesses registration data under role-based access control; real-time visibility into the validation of documentary requirements; accurate collection of sector and subsector information; accurate verification of active/inactive registrations; efficient retrieval of the contact details of the Data Protection Officer (DPO); and easy generation of documents (e.g., the Certificate of Registration and daily, monthly, and yearly statistical reports on registered entities).
Digitalization of services
“The call for digitalization of government services by the current administration triggered the launching of the NPCRS this February, and the Data Breach Notification Management System (DBNMS) last April 2022. The finalization of the Circular on Registration was simultaneous with the development of the National Privacy Commission Registration System,” Privacy Commissioner Atty. John Henry Naga said.
The new system allows personal information controllers (PICs) and processors (PIPs),
through their Data Protection Officers (DPOs), to comply with the registration requirements
provided in the Data Privacy Act (DPA) of 2012 and its Implementing Rules and Regulations.
According to Commissioner Naga, information on Data Processing Systems owned by
PICs and PIPs allows the NPC a more efficient compliance monitoring process. “Through the
NPCRS, the data processing activities of PICs and PIPs will be effectively and efficiently
monitored. Through this system, compliance with the Data Privacy Act of 2012 will be ensured
and our endeavor to protect the personal data of every Juan and Juana will be fortified,” the
Privacy Commissioner added.
More efficient compliance monitoring
Atty. Rainier Anthony Milanes, Chief of the NPC’s Compliance and Monitoring Division,
explained that the new circular on registration aims to address the issues encountered in
implementing the old circular such as common or multiple DPOs.
“It also provides new regulations such as the requirement to display the NPC Seal of
Registration which will provide data subjects the needed assurance that entities processing their
personal data have completed the first level of DPA compliance,” Atty. Milanes added. The NPC
Seal of Registration will be issued simultaneously with the Certificate of Registration.
Section 5 of NPC Circular No. 2022-04 requires a PIC or PIP that employs 250 or more
persons, processes sensitive personal information of 1,000 or more individuals, or processes data
that will likely pose a risk to the rights and freedoms of data subjects, to register all of its Data
Processing Systems.
Atty. Milanes stated that adherence to the data privacy principles of transparency,
legitimate purpose, and proportionality was one of the cornerstones in developing the NPCRS.
“The registration system was developed using Privacy by Design and Development, Security,
and Operations (DevSecOps). Privacy Impact Assessments were conducted during planning,
before implementing changes concerning personal data processing, and before the system goes
live,” he explained.
The development of NPCRS is parallel with the finalization of NPC Circular No. 2022-04
published last December 27, 2022. The Circular on the Registration of Personal Data Processing
System, Notification Regarding Automated Decision-Making or Profiling, Designation of Data
Protection Officer, and the National Privacy Commission Seal of Registration became effective on
January 11, 2023.
Access the Circular here: Link
Register using the NPCRS here: Link
NPC conducts on-site visits among telcos to check compliance with DPA while implementing SIM Registration Act
January 13, 2023, METRO MANILA --- The National Privacy Commission (NPC), through
its Compliance and Monitoring Division conducts simultaneous Compliance Check On-site Visits
to the head offices of telecommunication companies, such as Smart Communications, Globe
Telecom, and Dito Telecommunity to ensure that they are implementing appropriate security
measures to protect the personal data of Filipinos registering their SIM Cards.
Privacy Commissioner John Henry D. Naga together with the Chief of NPC’s Compliance
and Monitoring Division, Atty. Rainier Anthony Milanes, personally went to each on-site visit to
oversee the activities and discuss the importance of the compliance check with the data protection
team of each telco.
“The telcos should consider these Compliance Check On-site Visits as an opportunity to
demonstrate that they have sufficient organizational and program controls, and security
measures in place to guarantee that the personal data being processed in relation to the SIM
registration are safe and secured,” Naga said.
“Telcos must take their responsibility of protecting the privacy rights of their subscribers
seriously by ensuring that personal data related to SIM registration are properly collected and
stored, access to the data is restricted by role-based access controls, and data servers are protected
by encryption and layers of firewall,” the Privacy Chief added.
Atty. Milanes said that “as a regulator ensuring compliance to the Data Privacy Act of
2012, we must see firsthand how these personal information controllers conduct their day-to-day
operations which should incorporate items stated in their privacy manuals.”
“With the leadership of our Privacy Commissioner, the NPC’s Compliance and
Monitoring Division shall continue to conduct various mechanisms that would ensure telcos’
compliance with the DPA,” Milanes added.
Upon the conclusion of the Compliance Check On-Site Visits, the three telcos were apprised
of some gaps in their personal data privacy implementation and were required to submit proof
of compliance within fifteen (15) days.
Privacy Commissioner Naga noted that, in general, Smart, Globe, and Dito have
demonstrated capabilities in protecting the personal data of their clients. He maintained that telcos
should ensure that their security measures are further improved and strengthened as information
and communications technology advances.
The SIM Registration Act was implemented on December 27, 2022. It can be recalled that
the NPC gathered the telcos to urgently address the privacy concerns regarding the
implementation of the SIM registration, which led to immediate changes to the telcos’ SIM
registration process on their websites and mobile applications.
NPC amends Circular on the processing of personal data for loan-related transactions
The National Privacy Commission (NPC) has amended certain provisions of its NPC
Circular No. 2020-01 providing for the guidelines on the processing of personal data for loan-related transactions, which was published on September 14, 2020.
Under NPC Circular No. 2022-02, the amendments cover the processing of personal data
for evaluating loan applications, granting loans, collection of loans, and closure of loan accounts;
character references; and a newly added provision for guarantors. Privacy Commissioner John
Henry D. Naga said that the amended Circular further addresses the data privacy concerns due
to the prevalence of online lending.
“NPC Circular No. 2022–02 provides amendments that will serve as an added protection
to both borrowers and lending companies. The NPC aims for smooth transactions between the
two parties, where borrowers are afforded their data privacy rights and lending companies are
given the opportunity to ethically conduct their business and establish trust among their
customers,” Commissioner Naga said.
Updated guidelines on processing personal data
Under Section 3(A)(5) of the amended Circular, a lending company, financing company,
and other persons acting as such should provide just-in-time notices before obtaining the consent
of the data subjects in loan-related transactions. The just-in-time notice provides data subjects
with information on how a particular piece of information they are asked to provide will be
When providing details of processing to data subjects, the lending company, financing
company, or other persons acting as such must consider the accessibility of the information and
convenience of the borrowers. For example, if the loan transaction is being facilitated through a
mobile application, the details of processing shall be readily accessible and easily located within
the mobile application.
In loan processing activities, Section 3(D) of the amended Circular provides that a lending
company, financing company, or other persons acting as such are prohibited from conducting
unnecessary processing including requiring unnecessary permissions that involve personal and
sensitive personal information. It specifically states that “when the purpose for accessing an
application permission has already been achieved and there are no other applicable lawful criteria
for such access, such online applications shall prompt the data subject to turn off, disallow these
permissions, or inform the data subject that access to the relevant application permissions may
already be revoked.”
Protecting character references and guarantors
The amended Circular allows the processing of a borrower’s contact information for
identity verification and to check the truthfulness of the information provided by borrowers.
However, the processing must not be unbridled or unconstrained, excessive, and disproportional
to its purpose. This includes processing that leads to harassment; processing for collection of debt
outside of the guarantors provided by the borrower; and processing that results in unfair
The amended Circular also protects the data privacy rights of a borrower’s character
reference and guarantor. Under Section 4, it provides that a character reference is a person whose
contact information is provided for verification of the identity and veracity of the information
provided by the borrower for the grant of a loan. Furthermore, a character reference shall not be
automatically treated as a guarantor, who is an individual who expressly binds himself or herself
to the creditor to fulfill the obligation of the individual borrower in case the latter defaults on
payment as provided under Section 5.
For those who were chosen as character references, Section 4(C) of the amended Circular
provides that a lending company, financing company, or other persons acting as such shall
adequately inform the concerned individuals that they were chosen as character reference of the
loan applicant and how their contact details were obtained. They must also provide the character
reference with the option of having their personal data removed as a character reference.
Furthermore, contacting character references for purposes outside of the loan transaction (e.g.,
marketing, cross-selling, or sharing to third parties for purposes of offering other products or
services) is strictly prohibited.
On the other hand, Section 5 of the amended Circular provides that a guarantor is “one
who expressly binds himself or herself to the creditor to fulfill the obligation of the individual
borrower in case the latter should fail to do so”. Further, Section 5(A) of the amended Circular
provides that the guarantor’s separate consent must be obtained by a lending company, financing
company, or other persons acting as such. For purposes of debt collection, Section 5(B) of the
amended Circular expressly prohibits a lending company, financing company, or other persons
acting as such to contact persons in the borrower’s contact list other than those who were declared
A lending company, financing company, or other persons acting as such are required to
register with the NPC and submit a complete list of the names of all publicly available
applications that they own and operate. Violators of the amended Circular will be subject to
penalties, fines, and other disciplinary measures as provided in the DPA, its implementing rules
and regulations, and other issuances of the NPC.
Access the Circular here: link
NPC gathered Telcos to address data privacy concerns on the SIM Registration Act
The National Privacy Commission (NPC) convened with Telecommunications Companies (Telcos) on 29 December 2022, specifically to address the public’s data privacy concerns in relation to the effectivity of Republic Act No. 11934 also known as the “Subscriber Identity Module (SIM) Registration Act.”
The registration officially commenced on 27 December 2022 wherein it gathered various concerns from the public including matters relating to terms and conditions, and privacy policies being implemented by Telcos. The meeting was called by Privacy Commissioner John Henry Naga to shed light on these concerns, including the notices and tick-boxes that may be displayed on Telcos’ websites and mobile applications asking for the users’ permission or consent in using their personal data submitted for marketing, profiling, or sharing with third-party partners.
Smart Communications Inc., (Smart) clarified that these are just optional and are being included to determine whether the SIM card is being used by an individual or a juridical entity. Similarly, Globe Telecom (Globe) stated that the option for their clients to allow the receipt of commercial and promotional alerts, and third-party sharing, among others were only optional while Dito Telecommunity’s (Dito) SIM Card Registration which can be accessed through its application did not include other tick-boxes asking for consent on marketing, profiling, or sharing with third-party partners.
In this light, Privacy Commissioner Naga directed Telcos to totally remove the notices and tick-boxes pertaining to data sharing with third-party entities. He further directed Telcos to put on a separate page the notices and tick-boxes related to commercial and promotional alerts. Telcos assured that the users have the ability to opt out in receiving promotional alerts through SMS and email request, among others. In addition, he instructed Smart, Globe, and Dito to include modifications and improvements on their websites and applications to further comply with the Data Privacy Act of 2012.
“Telcos must ensure the secure, ethical, and responsible handling of data, especially in all data processing being conducted in compliance with the SIM Registration Act,” the Privacy Chief stated. He added that “[t]heir obligation to comply with the SIM Registration Act comes hand-in-hand with ensuring that data privacy and protection is upheld. Such includes the implementation of mechanisms that would guarantee the security of the data collected for the purposes of the SIM Card Registration.”
Telcos agreed and committed to implementing the changes on their SIM Card Registration websites and mobile applications as soon as possible. In the meantime, Telcos will remove the notices and tick-boxes related to commercial and promotional alerts until they have modified their websites and applications to put these consent options on a separate page. Furthermore, the Commission maintains that protecting citizens’ privacy and ensuring that the data privacy rights of mobile users are upheld is one of the cornerstones for the successful implementation of the SIM Card Registration. The Commission will continue to closely coordinate with Telcos and other stakeholders for the proper implementation of the law.
NPC conducts the 2022 DP Council Election to ensure continuous sectoral engagement and compliance with the DPA
PASAY CITY --- The National Privacy Commission (NPC) held the 2022 Data Privacy (DP)
Council Election last 22 December 2022 to ensure continuous sectoral engagement and proper
coordination towards the effective compliance with the Data Privacy Act (DPA) of 2012.
One representative and one vice-representative were elected into the DP Council from the
following identified sectors: government, telecommunications/internet service providers, banks,
non-bank financial institutions, education, business process outsourcing, health maintenance
organization, health & hospitals, pharmaceutical, retail and manufacturing, real estate, life
insurance, non-life insurance, security, utilities, transportation and logistics, hotel, tourism,
manning (maritime), manning (land-based), social media and media, and technology.
Consequently, the elected representatives then elected the President, Vice-President, and
Secretary which form part of the DP Council Executive Committee. The elected President was Ms.
Gelalyn Boquiren of San Miguel Corporation; the elected Vice-President was Atty. Francis Euston
Acero of Meralco; and the elected Secretary was Mr. Michael Montero of Concentrix.
The DP Council was formed by the NPC in August 2019 to serve as a consultative body
under the direct supervision of the Office of the Privacy Commissioner. The Council shall function
as the mechanism for collaboration and a platform for knowledge-sharing between and among the
stakeholders, with the goal of increasing sectoral compliance and supporting the development of
programs for different sectors.
Elected representatives shall represent the identified sectors to ensure the continuous
engagement of sectoral members and serve as liaisons to the NPC to better address the special
interests and concerns of each sector. The creation of the DP Council is intended to get the support
of various industries and create a unified voice for the representation of all sectors.
Privacy Commissioner John Henry D. Naga said that he is positive that “the DP Council
will be one of our countless collaborations which aims to establish efficient mechanisms that will
further protect our citizens’ data privacy rights.”
“Sectoral participation is crucial in the National Privacy Commission’s intensified
compliance drive. We want sectors to commit to a singular mindset for compliance with the DPA.
As the public’s data privacy awareness grows, there is an increased need for widespread trust in
businesses and organizations. The Data Privacy Council should always be evolving and updated
with the latest developments in data privacy and protection to better respond to the specific needs
of each sector,” Commissioner Naga added.
NPC, CICC sign MOA to thwart the use of ICT for data breaches and cybercrimes
PASAY CITY ---- The National Privacy Commission (NPC) and the Cybercrime
Investigation and Coordinating Center (CICC) jointly signed a Memorandum of Agreement
(MOA) to synergize their efforts in combating and preventing the use of information and
communication technology (ICT) for criminal and unauthorized purposes. The agreement was
signed on December 9, 2022.
The joint signing was attended by Privacy Commissioner Atty. John Henry D. Naga and
Undersecretary Alexander K. Ramos, Executive Director of the CICC. The NPC and CICC jointly
resolved “to counter the use of ICTs for criminal and unauthorized purposes; and to foster inter-agency cooperation and resource sharing towards prevention, suppression, and prosecution of
cybercrimes and data privacy breaches.”
“The Memorandum of Agreement between the National Privacy Commission and the
Cybercrime Investigation and Coordinating Center is the culmination of our agencies’ mutual
ambition to further protect the integrity of the Philippines’ digital transformation journey. The
NPC is committed to work with CICC to ensure the safe and secure integration of digital services
and processes into all areas of organizations and businesses,” the Privacy Commissioner said.
The MOA enables effective joint action in data protection and cybercrime law, and data
privacy law enforcement. Also, it allows the NPC to access resources, technical expertise, and
institutional and international linkages of the National Cybercrime Hub (NCH) to fulfill its
mandate related to data privacy and protection.
As part of the MOA’s compliance with the Data Privacy Act (DPA) of 2012, the NPC will
participate in the NCH activities, which the CICC established to build a network that gathers law
enforcement and government agencies, academe, industry experts, and international law
enforcement and government partners for more effective inter-agency and stakeholder
coordination, and resource sharing towards the prevention of cybercrimes.
Data privacy lawyers from the NPC will be assigned in the NCH to provide inputs to
ensure compliance with the DPA. In addition, the NPC shall allow resource sharing for the
accomplishment of the objectives and scope of the MOA.
PH, Singapore renew stronger ties in personal data protection
The Philippines and Singapore renewed their commitment to deepen their ties in personal
In a Memorandum of Understanding (MOU) signed on September 7, 2022 by Privacy
Commissioner John Henry D. Naga of the National Privacy Commission (NPC) and
Commissioner Lew Chuen Hong of Singapore’s Personal Data Protection Commission (PDPC),
the two countries reaffirmed their agreement to promote exchanges in personal data protection
and facilitate trusted cross border data flows.
The signing was jointly witnessed by Philippine President Ferdinand R. Marcos, Jr. and
Singapore Prime Minister Lee Hsien Loong. The MOU is among the areas of cooperation the
Philippines and Singapore agreed on during the state visit of President Marcos to Singapore from
September 6-7, 2022. The first data protection-related MOU was signed in September 2019.
According to Privacy Commissioner Naga, the renewed MOU recognizes the need to
foster closer collaboration and cooperation in personal data protection and the free flow of data
as the global digital economy advances. “Diplomatic relations like this Memorandum of
Understanding are one of the tools to strengthen the Philippines and Singapore’s partnership,
build mutual trust between our countries, and create greater opportunities in data privacy and
protection. Indeed, the MOU intensifies the already existing relations between the Philippines
and Singapore,” the privacy chief added.
PDPC Commissioner Lew stated that the MOU promotes the critical elements in
developing the digital economy. In his post, Commissioner Lew wrote, “NPC and PDPC have
been longstanding partners, as we advanced ASEAN frameworks on data management and
contractual clauses. Such work enhances certainty for companies doing business in ASEAN.”
Scope of collaboration
Under the MOU, the Philippines and Singapore can exchange information and provide
mutual assistance in potential or ongoing investigations in their respective jurisdictions in
relation to a suspected data privacy and protection violation.
The two ASEAN member states have committed to developing compatible mechanisms
to enable trusted cross border data flows. The mechanisms include the promotion of applicable
international certification systems; mutual recognition of comparable protection afforded by the
Philippines and Singapore’s respective legal frameworks or national trust mark and privacy
certification frameworks; and the development, participation, promotion, and implementation of
the ASEAN Cross Border Data Flow Mechanism.
As further stated in the MOU, the NPC and PDPC may also collaborate in terms of
knowledge sharing, training, and education on current and emerging privacy and data protection
issues and trends; and the exploration or identification of suitable participants in a cross-jurisdictional sandbox to test-bed innovative data sharing cases.
The MOU took effect on the date of the signing and will be in effect until either country
chooses to terminate it. To ensure seamless collaboration, both States will monitor the
implementation of the MOU and conduct periodic reviews.
NPC received an “unqualified audit opinion” from COA
The National Privacy Commission (NPC) has received an unmodified opinion (also
referred to as unqualified opinion) from the Commission on Audit (COA) for the fair presentation
of its financial statements for the Calendar Year 2021. The audit was conducted in accordance
with the International Standards of Supreme Audit Institutions and covered the review of
accounts and financial operations of the NPC.
On June 23, 2022, COA transmitted the Annual Audit Report on its unqualified opinion
to the NPC. An unqualified opinion is issued when the Auditor concludes that financial
statements are prepared in all material respects and in accordance with the applicable financial
“In our opinion, the accompanying financial statements present fairly, in all material
respects, the financial position of the National Privacy Commission as of December 31, 2021, and
its financial performance, cash flows, changes in net asset/equity, and status of budget in relation
to the actual amounts utilized/disbursed for the year then ended in accordance with the
International Public Sector Accounting Standards (IPSAS),” COA Supervising Auditor Lea T.
Petero said in the report.
Privacy Commissioner John Henry D. Naga welcomed the result of the audit and lauded
the NPC workforce for their commitment and dedication in the proper management of public
“Meriting an unqualified opinion from the Commission on Audit is proof of the NPC’s
honest and transparent governance. Such is consistent with the Commission’s Quality Policy to
perform with utmost integrity and to commit to regulatory requirements of public service,” Naga
“We, at the NPC, hope that the unqualified opinion from COA will instill public
confidence and trust, not only in data privacy but also in the exercise of fiscal prudence in
handling public funds. The credit goes to the NPC workforce for ensuring that public funds are
efficiently utilized for the benefit of the Filipino people,” the Privacy Commissioner added.
“The NPC is an enabler and a protector, not only regarding data privacy but also in its
solemn obligation to use public funds for public benefit. The NPC gives its assurance that it will
continue to improve its fund utilization through consistent review, assessment, and
implementation of its quality management systems,” NPC Executive Director Ivin Ronald D.M.
In addition to COA’s assessment, the NPC also received the International Organization
for Standardization (ISO) 9001:2015 certification in December 2021, for the implementation of a
quality management system. These are a testament to the integrity of the NPC in its endeavor to
be a world-class regulatory and enforcement agency.
PAW 2022: Data privacy awareness advances culture of privacy in PH
Data privacy awareness, as a crucial part of creating a culture of privacy in the Philippines,
sits at the forefront of this year’s Privacy Awareness Week (PAW) celebration.
Pursuant to Presidential Proclamation No. 527 signed by President Rodrigo Roa Duterte
in 2018, PAW is annually celebrated every last week of May. The two-day conference held on
May 25 and 26, 2022 aimed to further empower data subjects to protect their personal data and
to know their respective data privacy rights. One of the highlights of the event is the message of
President Duterte for PAW 2022 which encourages the NPC to “continue to cultivate public
awareness on data privacy practices, and institute more stable and secure data protection policies
in various media channels” and to “pursue initiatives that will empower our citizenry to
safeguard their private data against unscrupulous groups and individuals.”
The NPC conducted the PAW 2022 with a theme: “Ang PAWer ng Data Privacy Mo:
Praktikal, Angkop, at Wastong Paggamit ng Datos ni Juan at Juana.” The two-day PAW 2022
conference was streamed live via MS Live, Facebook, and YouTube.
Privacy Commissioner John Henry D. Naga said during his Commissioner’s Report that
the National Privacy Commission’s (NPC) conduct of a privacy awareness campaign consisting
of trainings, activities, and projects is a “testament of its commitment to expand and cultivate the
public’s awareness of their rights as data subjects under the Data Privacy Act (DPA).”
The NPC held 21 activities and projects, 359 stakeholders’ consultative meetings, 308
social media campaigns, and 5 DPO ACE trainings as part of its extensive data privacy awareness
campaign to arm data subjects with knowledge in protecting their data and equip data protection
officers and their organizations in the development of their data protection strategy and
The NPC encourages the data subjects to do their part in protecting themselves against
threats and risks by following these 5 tips: 1) reading up on data privacy through educational
materials accessible on the NPC website and social media pages; 2) conducting a privacy check
on their online accounts; 3) sharing their knowledge on data privacy to friends, family, and peers;
4) calling out data privacy violations online and offline; and 5) being an advocate by doing small
privacy-friendly projects. All these precautions have significant impact on the advancement of
the culture of privacy in the Philippines.
Enhanced Compliance and Monitoring Program
The NPC made significant efforts in 2021 to exceed the expectations of its stakeholders in
the face of threats to the public’s data privacy rights. The NPC firmly believes that protection of
personal data is a joint responsibility between personal information controllers (PICs) or personal
information processors (PIPs), and data subjects.
Last year, the NPC launched an enhanced compliance and monitoring program to ensure
the compliance of the PICs and PIPs with the DPA. A total of 895 compliance checks were
conducted in 2021, which include 685 privacy sweeps, 50 notices of documentary submissions,
and 160 warning letters. A total of 2,964 PIC applications for registration were recorded in the
As a response to the surge of complaints regarding data breach security and privacy
concerns, the NPC intensified its complaints handling, case investigation, and enforcement
program. In 2021, the NPC handled 147 notices to explain, 363 complaints, 24 sua sponte
investigations, and 8,487 data privacy concerns. In its adjudicatory function, the NPC performed
28 adjudication meetings that resulted in 129 Decisions, Resolutions, and Orders.
To aid PICs and PIPs in fortifying their data privacy and protection, the NPC issued
Circulars, including (i) NPC Circular 2021-01 or the “2021 Rules of Procedure of the National
Privacy Commission”, and (ii) NPC Circular 2021-02 or the “Guidelines on the Processing of
Personal Data during Public Health Emergencies for Public Health Measures”, Advisories, and
Advisory Opinions to guide stakeholders in interpreting the DPA. The most recent advisories of
the NPC have laid out the guidelines on requests for personal data of public officers, processing
of personal data for election campaign or partisan political activity, and data subject rights,
Since the pandemic began, the NPC has released 24 public health emergency bulletins to
help health authorities, local government units, and other stakeholders navigate the balance
between the public’s right to health and right to privacy. Further, the NPC coordinated with the
Department of Health (DOH) to include telemedicine in the regulatory sandbox as part of
processing personal data using innovative methods.
The coordination with the DOH yielded 3 Joint Circulars, as follows: (1) DOH-NPC Joint
Memorandum Circular No. 2020-0001 or the “Guidelines on the Use of Telemedicine in COVID-19 Response”; (2) DOH-NPC Joint Memorandum Circular No. 2020-0002 or the “Privacy
Guidelines on the Processing and Disclosure of COVID-19 Related Data for Disease Surveillance
and Response”; and (3) DOH-NPC Joint Memorandum Circular No. 2020-0003 or the “Guidelines
on the Monitoring and Evaluation (M&E) of the Use of Telemedicine in COVID-19 Response”.
Moreover, the NPC passed the International Organization for Standardization (ISO)
9001:2015 certification. It is an international standard dedicated to a quality management system
based on the principles of customer focus, leadership, engagement of people, process approach,
improvement, evidence-based decision making, and relationship management.
In actively participating in the global data privacy landscape, the NPC, as Chair of the
Global Privacy Assembly (GPA) COVID-19 Taskforce, has organized 5 webinars attended by
participants from Australia, New Zealand, the United States, the United Kingdom, Singapore,
Argentina, Canada, Hong Kong, and Switzerland, among others. Three of the webinars were
separate collaborations with the Center for Information Policy Leadership, International
Association of Privacy Professionals, and Organization for Economic Cooperation and
Commissioner Naga, in his Commissioner’s Report, stated that, “The GPA COVID-19
Taskforce’s work has been recognized by various countries in advancing capacity-building
initiatives aligned with the GPA’s goal to evolve global privacy and work towards a regulatory
environment with high standards of data protection.”
What to Expect
Acting Secretary of the Department of Information and Communications Technology
Emmanuel Rey Caintic said in his keynote message that “data privacy is not intrusive and is
supposed to help things move faster and safer,” emphasizing the importance of keeping data
privacy compliance simple for government agencies and companies alike.
Moving forward, Commissioner Naga assured stakeholders of the Commission’s fierce
commitment to meet its mandate of protecting the Filipino people’s data privacy rights.
“For our countrymen – the data subjects, PICs, PIPs, and data privacy advocates – you can
hope that in the year 2022 and the coming years, the National Privacy Commission will carry on
in implementing programs, reforms, and projects to create a strong culture of privacy in the
Philippines. The Commission will continue to endeavor setting its sight on equipping Filipinos
with knowledge on data privacy, security, and protection,” Commissioner Naga added.
The PAW 2022 conference gathered speakers from both the government and private
institutions to give insights on topics such as information safety on social media; protecting data
privacy in schools; VaxCertPh; establishing trust in online lending; online banking safety;
ensuring child safety in the online world; and cybercrime in the Philippines particularly emerging
trends, prevention, prosecution, and remedies.
Speakers included representatives from the Department of Social Welfare and
Development, Cybercrime Investigation and Coordinating Center, Department of Justice,
Philippine National Police – Anti-Cybercrime Group, DOH, Department of Education,
Commission on Higher Education, Bangko Sentral ng Pilipinas, Securities and Exchange
Commission, Union Bank of the Philippines, Bank of the Philippine Islands, Google Philippines,
Globe, UNICEF, Meta, St. Scholastica’s College, University of the Philippines Diliman, Cebu
Pacific Air, Home Credit Philippines, and Fintech Alliance.
Visit paw2022.privacy.gov.ph for more information. The full recording is available for
replay at Facebook facebook.com/privacy.gov.ph and YouTube
PAW 2022: NPC awards outstanding data privacy practices in public, private sectors
Outstanding data privacy practices in both the public and private sectors were recognized
during the 5th National Data Privacy Conference, held in celebration of Privacy Awareness Week
(PAW) 2022.
Through the PAW Awards, a subtheme of this year’s PAW conference, the National
Privacy Commission (NPC) honored the efforts of personal information controllers (PICs),
personal information processors (PIPs), and data privacy advocates to strengthen their
organizations’ compliance with the Data Privacy Act (DPA) of 2012.
The conference was held on May 25 and 26, 2022, at the Philippine International
Convention Center (PICC), and streamed live via MS Live, Facebook, and YouTube. In his
congratulatory message, NPC Executive Director and PAW Awards selection committee head
Atty. Ivin Ronald D.M. Alzona said that “in giving recognition to these individuals or institutions,
we hope to inspire and motivate not only members of the Philippine data privacy community,
but also the data subjects themselves, in continuing to uphold and advocate their data privacy
rights, and ensure compliance with the Data Privacy Act of 2012.”
PAW Awards winners
The Privacy Initiative Award of 2022 was granted to Maya Bank, Inc. for its #FraudPatrol,
while the Privacy Management Program Award was given to multiple recipients belonging to
various sectors: Development Bank of the Philippines (DBP) from the banking sector; KMC MAG
Solutions, Inc. (KMC) from the BPO sector; University of the Philippines Diliman (UP-Diliman)
from the education sector; Philippine Amusement and Gaming Corporation (PAGCOR) from the
government sector; HC Consumer Finance Philippines, Inc. (Home Credit) from the non-bank
financial sector; Universal Leaf Philippines, Inc. (Universal Leaf) from the retail and
manufacturing sector; and Manila Electric Company (MERALCO) from the utilities sector.
The Privacy Advocate Award was awarded to Ms. Abigail G. Javier of Universal Leaf,
while Atty. Maria Concepcion A. Gloria-Rubio of PAGCOR won the Data Protection Officer
Award of the Year.
Privacy Commissioner Atty. John Henry D. Naga awarded former Privacy
Commissioner Raymund E. Liboro the Exemplary Leadership for Privacy Award in recognition
of his exceptional leadership and invaluable contributions in the country’s data privacy
The PAW Awards recognize individuals, organizations, and initiatives that have made
significant contributions to the Philippines’ data privacy and protection progress. It is part of
NPC’s ongoing endeavor to acknowledge its stakeholders’ effective compliance with the DPA
and efforts to heighten public awareness to strengthen data privacy and protection in the country.
PAW is celebrated annually during the last week of May, pursuant to Presidential
Proclamation No. 527 signed by President Rodrigo Roa Duterte in 2018. One of the highlights of
the event is the President’s Message for PAW 2022 with the President encouraging the NPC to
“continue to cultivate public awareness on data privacy practices, and institute more stable and
secure data protection policies in various media channels” and to “pursue initiatives that will
empower our citizenry to safeguard their private data against unscrupulous groups and
Visit paw2022.privacy.gov.ph for more information. The full recording of PAW 2022 is
available for replay at Facebook facebook.com/privacy.gov.ph and YouTube
PH to support establishing an international certification system promoting interoperability among different data protection frameworks
Member economies of the Asia-Pacific Economic Cooperation (APEC) Cross-Border
Privacy Rules (CBPR) System, including the Philippines, declared the establishment of the Global
CBPR Forum to foster interoperability among different regulatory approaches to data privacy.
In its Declaration, the Global CBPR Forum stated that it intends to establish an
international certification system based on the APEC CBPR and Privacy Recognition for
Processors (PRP) Systems. The Forum’s system, however, will be independently administered
and is separate from the APEC Systems.
Privacy Commissioner John Henry D. Naga welcomes the Philippines’ involvement in
improving cross-border data flows and fostering innovation without compromising effective
data protection and privacy.
“Cross-border data flows will greatly benefit from an interoperable privacy framework.
Now more than ever, the world is witnessing how the acceleration of digitalization is giving way
to a rapid increase in the collection, use, and transfer of data across borders. The Global CBPR
Forum’s goal of promoting worldwide expansion and uptake of the Global CBPR and PRP
Systems is aligned with the NPC’s vision of upholding the right to privacy and data protection
while ensuring free flow of information,” Naga said.
To ensure that the program is aligned with best practices, the Global CBPR Forum will
periodically review data protection and privacy standards of members and provide a forum for
information exchange and cooperation.
The Global CBPR Forum is open for the participation of jurisdictions that accept its
objectives and principles. According to the Declaration, participating economies in the APEC
CBPR System plan to transition operations of the APEC CBPR and PRP Systems to the Global
CBPR Forum and will provide at least 30 days’ notice to Accountability Agents.
All approved Accountability Agents and certified companies will automatically be
recognized in the new Global CBPR Forum based on the same terms of recognition under the
APEC CBPR and PRP Systems.
The Philippines became a member economy of the APEC CBPR System in March 2020.
The APEC CBPR System is voluntary and accountability-based. It requires organizations to
develop and implement privacy policies and practices for all personal information that they have
collected or received that is subject to cross-border transfer to other participating APEC members.
Read the full Global CBPR Forum Declaration
NPC conducts on-site compliance checks to determine level of compliance with the DPA
The National Privacy Commission (NPC) is conducting on-site compliance check
visits to personal information controllers (PICs) and personal information processors
(PIPs), to verify compliance documents submitted and determine whether there are
substantial findings of non-compliance with the Data Privacy Act of 2012 and NPC’s
On-site visits are being conducted by the NPC’s Compliance and Monitoring
Division, to determine whether a PIC or PIP can demonstrate organizational
commitment, program controls, and review mechanisms intended to assure privacy and
personal data protection of their data processing systems.
The privacy body’s on-site visits began in March and cover a range of industries and
sectors, including, but not limited to, media entities, hotels, courier services, schools,
government entities, and local government units. On-site visits, along with privacy
sweeps and the submission of relevant documents, are aligned with NPC Circular No.
18-02, which provides the guidelines on the conduct of compliance checks.
Privacy Commissioner John Henry D. Naga said that these on-site visits are an
opportunity for the NPC to help and guide PICs and PIPs to comply with the Data
Privacy Act (DPA) of 2012.
“Personal information controllers and processors should view these on-site visits
as one of the opportunities for the Commission to guide them with their effective
compliance with the DPA and prevent any mishandling of personal data to the detriment
of data subjects. We, at the NPC, firmly believe that PICs and PIPs should not only
comply and submit documents in accordance with the DPA, but must also recognize their
vital role in upholding and protecting data subject rights,” Naga said.
In an on-site visit, duly authorized NPC personnel conduct a targeted
inspection within the PIC or PIP’s premises. This includes, but is not limited to, the
presentation of relevant documents or records, an organizational inspection of selected
departments where processing of personal information is undertaken, and
interviews with the personnel tasked to manage personal information.
Upon the conclusion of the on-site visit, the NPC personnel present their
findings and determine whether the PIC or PIP has deficiencies that need to be
addressed. In such cases, the PIC or PIP will submit a commitment letter to the Commission
expressing its intention to comply within a particular timeline. If such deficiencies have
been adequately addressed, or if the findings exhibit no substantial deficiencies, the NPC
shall issue a Certificate of No Significant Findings in favor of the PIC or PIP.
NPC launches user-friendly online system for faster and easier data breach notification management and reporting
On April 20, 2022, the National Privacy Commission (NPC) held its virtual launching of
the Data Breach Notification Management System (DBNMS), a user-friendly interface that
facilitates easy tracking and faster submission of Personal Data Breach Notifications and Annual
Security Incident Reports.
The DBNMS is a standardized and automated system, making it easier for personal
information controllers (PICs) to submit Personal Data Breach Notification as required by NPC
Circular No. 16-03 and Annual Security Incident Reports. The DBNMS addresses the limitations
of manual submission and processing, as well as increases public transparency by allowing PICs
to access pertinent and real-time information on their data breach notification.
Privacy Commissioner John Henry D. Naga told more than 800 event participants from
both the public and private sector that the DBNMS is part of the NPC’s efforts to develop new
and digitized ways to better serve the Filipinos.
“The National Privacy Commission’s vision to further protect and uphold data privacy
rights goes hand-in-hand with embracing emerging technologies that will revolutionize data
privacy and protection. Hence, the NPC continuously adopts and implements digitization of our
processes to efficiently achieve our objectives,” Naga said.
A PIC, including those with multiple branches or offices, can only have one account in the
DBNMS. If the PIC has other related companies or entities, each company or entity must register
in the system under separate accounts. The company or entity is responsible for maintaining and
submitting its reporting requirements to the NPC.
With the launch of the DBNMS, the NPC will no longer accept Breach Notification and
Annual Security Incident Report submissions except through the DBNMS online platform. Thus,
submissions through email, personal filing, ordinary mail, licensed courier service, and any other
mode of physical submission shall not be considered valid.
To use the DBNMS, head to https://dbnms.privacy.gov.ph. For other concerns relating
to the system, email [email protected].
NPC presents the revised draft Circular on Administrative Fines for data privacy violators
The National Privacy Commission (NPC) conducted an online public hearing on March
22, 2022, where the updated draft Circular on Administrative Fines was presented before its
stakeholders. The updated draft consolidates comments from the previous hearings, which
began in April 2021.
In consideration of the comments from the public, the NPC revised the scope to include
all personal information controllers (PICs) or personal information processors (PIPs) under the
jurisdiction of the Data Privacy Act of 2012 (DPA).
The Circular on Administrative Fines aims to promote organizational accountability and
compliance with the DPA by providing an optimal deterrence, as further explained by the
economic study of the University of the Philippines Law Center. Specifically, an administrative
fine may be imposed based on the annual gross income of PICs or PIPs within the range of 0.25%
to 3% for grave violations and 0.25% to 2% for major violations.
One of the notable changes in the current draft is the proposal to include a ceiling for the
imposition of administrative fines. As such, the provision limiting the total imposable fine to not
more than Five Million Pesos (Php 5,000,000.00) was inserted. Such ceiling applies, whether the
infraction results in single or multiple violations arising from a single act of PICs and PIPs. The
NPC clarified that the single act pertains to a per processing activity basis and not per data
privacy principle or data subject right violated.
Privacy Commissioner John Henry D. Naga told attendees of the public consultation that
the draft circular provides a fair and reasonable system of fines.
“The National Privacy Commission has consistently issued proactive measures for
personal information controllers and personal information processors to comply with the law.
The Data Privacy Act was enacted in 2012 and upon the constitution of the Commission in 2016,
it has been actively promoting, educating, and assisting the stakeholders in their common
endeavor in complying with the law. By now, we expect PICs and PIPs to have incorporated in
their respective processes and implemented necessary measures, to protect data subjects and
uphold data privacy rights,” Naga explained.
Factors affecting fines
In computing the imposable fine, the NPC will take into consideration the number of data
subjects affected; the degree of negligence, or the intent of the PICs or PIPs that contributed or
resulted in the violation; the categories of personal data affected; and the nature, duration, and
severity of such infraction, among others.
Meanwhile, to determine the annual gross income of the erring PICs or PIPs, the NPC
may review and require the submission of audited financial statements filed with the appropriate
tax authorities for the immediately preceding year of the violation, the last regularly prepared
balance sheet or annual statement of income and expenses, and such other financial documents
as may be deemed relevant and appropriate for the purpose.
If a particular PIC and PIP has not been operating for more than one year, the base for
computing administrative fines will be the entity’s total gross income at the time the violation
PICs and PIPs who refuse to pay the administrative fines may be subject to a Cease-and-Desist Order, and other processes or reliefs the NPC is authorized to pursue as provided under Section 7 of the DPA, and/or appropriate contempt proceedings under the Rules of Court.
The Commission is open to receive comments from its stakeholders regarding the draft
circular until April 6, 2022. Any comments may be sent to [email protected].
Access the draft guidelines on administrative fines
Malacañan appointed a private lawyer and former Dapitan City Councilor Atty. Dug
Christopher B. Mah as the new Deputy Privacy Commissioner of the National Privacy
Commission (NPC), effective March 2022. The NPC also welcomed newly appointed Directors,
Data Security and Compliance Office.
Privacy Commissioner John Henry D. Naga and Deputy Privacy Commissioner Leandro
Angelo Y. Aguirre greeted Mah, Tabaquin, Nieva, and their respective teams to the NPC in an
oath-taking ceremony held on March 09, 2022.
“The NPC is delighted to have our newly appointed Deputy Commissioner Dug
Christopher Mah and directors, Atty. Franklin Anthony Tabaquin IV and Atty. Aubin Arn Nieva,
join the Commission’s endeavor towards an effective and efficient enforcement of the Data
Privacy Act. I am confident that with their knowledge and expertise, they will be an asset to the
Commission and aid us in pursuing the NPC’s goal of empowering our data subjects and
stakeholders, as well as to strengthen their compliance with the data privacy law,” Naga said.
“The NPC is geared towards a pro-data subject approach, upholding data subject rights,
most importantly the vulnerable sector of the society, and recalibrating companies’ and
organizations’ role as personal information controllers and processors,” the privacy chief added.
The New Deputy Commissioner
Deputy Commissioner Mah served as City Councilor of Dapitan City from 2013 to 2022
and sat on the Board of Directors of the Rural Bank of Rizal (ZN), Inc. in Dipolog City from 2007
until last year. He is a certified public accountant and a graduate of the University of San Carlos.
He obtained his law degree from the University of San Jose Recoletos in 2005 and was
subsequently admitted to the Philippine Bar the following year. After passing the Bar, he entered
private law practice and handled criminal, land dispute, corporate, and labor cases.
Atty. Tabaquin, IV began his government service as a staff attorney of the Government
Corporate Counsel (OGCC). He advised the OGCC and key Government-owned or -Controlled
corporations (GOCCs) on the formulation of data privacy regulations and was appointed as data
He obtained his Bachelor of Laws degree from the San Beda University – Mendiola and
was admitted to the Philippine Bar in 2007. He has been an advocate for adopting Technology
Law in the government sector, where he spearheaded digitization efforts and awareness
seminars/training in data privacy among GOCCs.
Prior to his appointment at the NPC, Atty. Nieva served in the Department of Information
and Communications Technology for more than three years in various capacities. In 2017, Atty.
Nieva acted as the Deputy Chief-of-Staff to former DICT Acting Secretary Eliseo Rio, Jr.
In 2019, he was designated as the Officer-in-Charge of the Office of the Assistant Secretary
for Legal Affairs and Consumer Protection, and as Officer-in-Charge of the Office of the Assistant
Secretary for Development and Innovations in concurrent capacity. In the same year, he served
as the department’s data privacy officer.
Atty. Nieva obtained his law degree and a bachelor’s degree in International Business and
Entrepreneurial Management from San Beda University – Manila, where he graduated with
academic distinction and as class valedictorian.
Privacy Commission issues guidelines on evaluating requests for personal data of public officers including SALN
The National Privacy Commission (NPC) has issued guidelines on evaluating
requests for personal data about public officers. NPC Advisory No. 2022-01 states that
any disclosure of personal data shall observe the general privacy principles of
transparency, legitimate purpose, and proportionality. Additionally, every government
agency must be responsible for personal data under its control or custody.
The personal data of public officers, including individuals who are or were
performing service under contract for the government, may be disclosed if the requested
information is a matter of public concern or interest, provided that the information is
relevant to the subject matter of the request, and disclosure is not otherwise prohibited
by any law or regulation. Privacy Commissioner John Henry D. Naga emphasized that
the Advisory “aims to strike a balance between the right of the people to information on
matters of public concern and the right to privacy of an individual.”
“Thus, the Advisory recognizes the Filipino people’s right to information and the
necessity of an open and transparent government, while also giving due consideration
and respect to the dignity, safety, and human rights of public officers,” Naga added.
On approving requests
Under Section 7 of the Advisory, requests for information about public officers
and individuals performing service under contract for the government must have a clear,
specific, and legitimate purpose that does not contradict laws, morals, or public policy.
When evaluating requests, the government agency shall determine whether the
information requested is a matter of public concern and whether there is a public purpose
to be served that may outweigh the rights and freedoms of the public officer as a data
subject. The requested information or document may be granted or denied upon the
evaluation of the government agency considering the aforesaid elements. Further, access
or disclosure of the requested information must not exceed the specified purpose
declared by the requestor.
If the requested document or information is denied and deemed not of public
concern, the requestor must be informed within a reasonable time accompanied by a
The public officer whose information is being requested shall also be informed of
the existence of the request and the action taken by the concerned government agency.
The government agency may likewise determine whether particular sensitive
personal information is irrelevant or unnecessary to the fulfillment of the requesting
party’s purpose; such information should be redacted to protect the dignity, safety, and security of
the public officer. This information may include: a) the home address of the
declarant; b) details of any unmarried children below eighteen (18) years of age living in the
declarant’s household, if any, particularly their names, dates of birth, and ages; c) the
signatures of the declarant and co-declarant; and d) the government-issued ID numbers of
the declarant and co-declarant.
Information allowed to be disclosed
Deputy Privacy Commissioner Leandro Angelo Aguirre said that the guidelines
emphasize that data privacy and freedom of information coexist and must be mutually
“We hope that this Circular addresses some misconceptions that data privacy and
the freedom of information are in conflict with each other. A key mandate of the National
Privacy Commission is to ensure the free flow of information. The work of the NPC is to
ensure that the access to and disclosure of the personal data of public officers is not
curtailed but rather done in a manner that is consistent with what the law requires and
respects their rights and freedoms as data subjects,” Aguirre said.
Information about public officers and individuals performing service under
contract for the government that may be disclosed are the following: 1) the fact that the
individual is or was an officer or employee of, or performed service/s under contract for,
a government institution; 2) the title, business address, and office telephone number of
the individual; 3) the classification, salary range, and responsibilities of the position held
by the individual; 4) the name of the individual on a document prepared by the
individual in the course of employment or contract with the government; and 5) other
circumstances similar to the foregoing.
Documents (e.g., Personal Data Sheet or PDS, Statement of Assets, Liabilities and
Net Worth or SALN) that contain sensitive personal information of the concerned public
officer, or his or her family, may be granted if there is a declared, specified, and lawful
Read the NPC advisory in full here:
NPC invites public to a symposium on data subject rights, scope of DPA in abusive practices of OLAs
The National Privacy Commission (NPC) invites the public to a virtual symposium on online lending to let them learn about their data privacy rights as borrowers, and the scope of the Data Privacy Act (DPA) in terms of unethical and abusive online lending practices.
NPC and PCC sign MOA to boost consumer and data privacy protection
On February 9, 2022, the National Privacy Commission (NPC) and the Philippine Competition Commission (PCC) jointly signed a Memorandum of Agreement (MOA) in order to foster cooperation and coordination between the two regulatory agencies. The MOA signing ceremony was held virtually and attended by NPC Privacy Commissioner John Henry D. Naga and PCC (more…)
NPC survey: PH now with heightened data privacy awareness & knowledge, driven by social media and TV
Based on a recent survey commissioned by the National Privacy Commission (NPC), public awareness and knowledge on the Data Privacy Act (DPA) grew from 13% in 2017 to 25% in 2021. However, most of those with internet access still lack awareness of internet security, with only 9% awareness of appropriate social media usage.
NPC conducts separate clarificatory meetings with Manila Bulletin and the COMELEC
The National Privacy Commission (NPC) conducted separate clarificatory meetings on January 25, 2022 with representatives from the Commission on Elections (COMELEC) and Manila Bulletin regarding the alleged hacking and data breach involving COMELEC servers.
NPC PHE Bulletin No. 22: Processing of Household Vaccination Information by Local Government Units
The National Privacy Commission (NPC) received concerns on the collection of vaccination information by the local government units (LGUs), specifically the barangays, as directed by the Department of the Interior and Local Government (DILG).
We understand from various news reports and media interviews that the DILG ordered barangays to submit their respective lists of unvaccinated residents through a Memorandum Circular (copy of which is not yet available at the DILG website as of this writing). To do this, the DILG mentioned in the interviews that the LGUs will be required to conduct a survey within their localities and gather information on residents who have yet to be vaccinated, which may be done through house-to-house interviews and will require the presentation of residents’ vaccine cards and valid IDs.
The NPC recognizes that this personal data processing activity is still pursuant to the government’s pandemic response, specifically on the current need to have accurate data of unvaccinated residents in relation to the initiative to further encourage everyone eligible to be vaccinated against COVID-19 and to promote vaccine booster uptake. As such, we emphasize that this processing activity is not based on the consent of the data subjects; rather, the same is based on the applicable laws, rules, and regulations governing the DILG and the various LGUs in relation to their critical responsibilities during this ongoing public health emergency.
With this, we remind the DILG and all LGUs of their obligations under the Data Privacy Act of 2012 (DPA) as personal information controllers (PICs).
1. PICs should not collect any unnecessary personal data from the residents, in keeping with the principle of proportionality. Only those personal data which are relevant to the purpose of having an accurate inventory of unvaccinated residents should be collected, in relation to the recent directives of the government to regulate mobility of unvaccinated persons.
2. These lists of vaccinated and unvaccinated individuals, including those who already received booster shots, contain sensitive personal information which shall be processed only for the declared and specified purpose as mentioned above, in line with the response to the public health emergency.
3. These lists shall not be further processed for any incompatible purpose. Further processing is incompatible when:
- It would be very different from the original purpose of responding to public health emergencies as part of public health measures or there is no clear and reasonable link between such original purpose and the purposes of the intended further processing;
- It would result in an unjustified consequence on the rights and freedoms of the individual;
- It would not be reasonably expected by the individual considering the context in which the personal data has been collected.
Processing for unauthorized purpose/s is punishable with imprisonment of up to seven years and a fine of up to two million pesos under the DPA.
4. The DILG and the LGUs shall implement safeguards to protect these lists against accidental, unauthorized, or otherwise unlawful use or access. The following and other similar actions are prohibited:
- unauthorized copying and distribution of the lists;
- posting of the lists, whether physically or online;
- taking photos of the same;
- live streaming the actual collection of information done by the barangay personnel.
This information should only be accessible to, and disclosed to, specific authorized persons. Such authority should be documented either in an official written policy or in a written authority identifying them by name or by their position or designation. Any unauthorized disclosure shall be punishable under the DPA and other applicable laws.
5. Submissions of these lists to the authorized recipients identified by the DILG, whether through paper-based or electronic systems, should be done in a secure manner:
- In the case of transmission by mail, courier, or hand carried by LGU personnel to the DILG – sealed envelopes should be used, no sensitive personal information should be visible through the envelope window, where applicable, and the envelopes should be marked “confidential”, among others;
- For electronic transmissions – encrypt the files with the Advanced Encryption Standard using a 256-bit key (AES-256) and require passwords for access, among other measures.
LGUs shall keep records of all submissions/transmittals for reportorial requirements. All involved PICs shall be held accountable for the processing of personal data on these lists.
6. For transparency, the DILG and/or the LGUs should prepare a privacy notice specific to this processing activity which they should provide to the residents during the interview and post on their official websites or social media platforms. It is recommended that the privacy notice be translated to either Filipino or another language or dialect so that it will be better understood by the data subjects in the locality. The privacy notice should sufficiently inform the residents of the details of the processing of their vaccination status, their rights as data subjects, among other necessary information.
7. Any public official or employee found guilty of a violation of the DPA shall in addition to the imprisonment and fine, suffer an accessory penalty consisting of disqualification to occupy public office for a term double the term of criminal penalty imposed.
We maintain that privacy rights and public health requirements are not in conflict with each other. The rights and principles of data privacy are fully compatible with the tasks necessary to address the pandemic.
For any data privacy concerns, we may be reached at [email protected]
*** *** ***
Statement of Privacy Commissioner Naga on alleged COMELEC hack and data breach
The National Privacy Commission (NPC) issued separate orders to the Commission on Elections (COMELEC), Mr. Art Samaniego Jr., and Manila Bulletin to appear for a clarificatory meeting via teleconference on January 25, 2022 on the alleged hacking and data breach incident involving the COMELEC servers.
On January 8, 2022, the NPC received information from Mr. Samaniego, Technology Editor & IT Head of the Manila Bulletin, regarding a suspected breach on COMELEC servers wherein an estimated 60 gigabytes of data, which possibly contain personal information and sensitive personal information, were allegedly accessed and downloaded by a certain group of hackers.
The NPC’s Complaints and Investigation Division commenced its own independent investigation and issued a notice to COMELEC requiring it to explain the alleged hacking and data breach.
The COMELEC must address the serious allegations made in the Manila Bulletin news report and determine whether personal data were indeed compromised, particularly personal information, sensitive personal information, or data affecting the same, which were processed in connection with the upcoming 2022 national and local elections. COMELEC is also directed to conduct a comprehensive investigation on the matter and submit to the NPC the results thereof no later than January 21, 2022.
Rest assured that the NPC does not tolerate any act in violation of the Data Privacy Act including negligence in implementing organizational, physical, and technical security measures on personal data processing systems, whether in government or private institutions.
ATTY. JOHN HENRY D. NAGA
Court of Appeals upholds the Decision of the National Privacy Commission
On December 14, 2021, the Court of Appeals (CA) Sixteenth Division issued a Decision denying the petition for review filed by Pieceland Corporation (Pieceland) and upholding the ruling of the National Privacy Commission (NPC) in NPC Case No. 19-528 (Pieceland Corporation v. Manila New Life Church Inc.).
“The Commission welcomes the Decision of the appellate court upholding NPC’s ruling and its recommendation to prosecute violators for the unauthorized processing of sensitive personal information under the Data Privacy Act (DPA),” said Privacy Commissioner John Henry D. Naga.
“This favorable Decision is proof that our Commission is working hard in protecting data subjects and guaranteeing their right to privacy. We will be more resolute in implementing and enforcing the DPA against violators,” the NPC Chief added.
In 2019, Manila New Life Church Inc. (MNLCI) filed a complaint before the NPC against Pieceland for the unauthorized processing of personal data, in which the NPC ruled in favor of the Complainants.
According to Deputy Commissioner Leandro Angelo Aguirre, ponente of the NPC Decision, “the availability of a far less intrusive measure demonstrates that the measures employed by Respondents [requiring data subjects to submit passports, government-issued IDs, and colored pictures] are disproportionate to the aim they seek to achieve. In as much as Respondents recognized the issued IDs of the other tenants in the building, the same standard should have been applied to the church members of Complainant.”
The NPC also found that Pieceland processed the personal data of MNLCI members without the consent of data subjects as defined under the DPA.
Petition for Review and Decision
Pieceland filed a petition for review to the CA against NPC for allegedly committing a reversible error in ruling that Pieceland violated Section 25(b) of the DPA. However, the appellate court denied the petition and ruled the following:
- NPC validly acquired and exercised jurisdiction over the case;
- Available remedies were exhausted;
- NPC has the power to waive technicalities;
- Consent requirement under the DPA was not satisfied;
- Existence of legitimate interest is immaterial against the prohibition on processing SPI; and
- Nominal damages were warranted but modified, increasing the amount from Php 1,000.00 to Php 20,000.00 for the specific MNLCI members that filed the complaint.
NPC’s recommendation to prosecute Pieceland and its responsible officers for DPA violations is likewise upheld. Pieceland is also ordered to delete the sensitive personal information they collected from the data subjects.
“The impact of the CA’s decision will help the Commission in further promoting not just the rights and freedoms of the data subjects, but also the obligations and responsibilities of Personal Information Controllers (PICs),” Aguirre said.
“I hope that this is something that will urge PICs to be more mindful of their accountability under the DPA and to ensure that their methods of processing are aligned with the requirements of the law and pertinent issuances of the Commission,” he added.
For more details on the Decision, see the Court of Appeals website at services.ca.judiciary.gov.ph.
The NPC Resolution denying the Motion for Reconsideration can be read here.
Statement of Privacy Commissioner John Henry D. Naga for the New Year 2022
As we enter another year, I encourage everyone to be one with the National Privacy Commission in championing the values of COURAGE, COMPASSION, AND INTEGRITY.
The internet is rife with cybercriminals taking advantage of users all year round. I urge organizations and individuals to constantly look out for and devise ways to lessen, if not eradicate, the threats and risks to the public’s data privacy. Ensure that there is adequate security in your data systems.
The National Privacy Commission vows to exhibit courage in going after malicious actors preying on innocent people’s personal data, promote compassion over each person’s data subject rights through the appropriate handling of their personal data, and perform our mandate with integrity through constant improvement of policies and systems at par with international data privacy standards.
With these three values as our touchstone, we can have a future where the balance of safeguarding data subject rights while ensuring the free flow of information thrives.
I wish everyone a happy and healthy 2022.
ATTY. JOHN HENRY D. NAGA
NPC gets ISO certification
The National Privacy Commission (NPC) has been recommended for International Organization for Standardization (ISO) 9001:2015 certification. The ISO certifying body made the recommendation after two (2) audit stages were undertaken on December 13 and 20, 2021, respectively.
ISO 9001:2015 is an international standard dedicated to a quality management system based on the principles of customer focus, leadership, engagement of people, process approach, improvement, evidence-based decision making, and relationship management.
ISO auditors found that the Commission’s processes adhere to the requirements of its functions and of the quality management system it has implemented.
The certification will instill confidence and trust in the Commission’s stakeholders through customer-centric service delivery while adhering to statutory and regulatory requirements.
Newly appointed Privacy Commissioner John Henry Naga said that the NPC will continue to uphold organizational efficiency and productivity in the face of dangers to the public’s data privacy rights.
“Passing the ISO 9001:2015 certification is a testament of the National Privacy Commission’s commitment to implement a top-caliber quality management system that consistently meets and exceeds the requirements and expectations of stakeholders,” Naga said.
Using the ISO 9001 standard helps customers obtain consistent, good-quality products and services, which in turn benefits the organizations that provide them.
ISO 9001 is the world’s most popular quality management standard for large or small companies and organizations. More than one million companies and organizations in over 170 countries are ISO 9001 certified.
For further details about ISO 9001, see the official ISO website.
Privacy Commissioner John Henry Naga’s statement on possible personal data breach in recent BDO hacking
The National Privacy Commission (NPC) is investigating the possible personal data breach involving unauthorized transactions and potential unauthorized processing of personal data resulting from the suspected compromise of multiple BDO Unibank, Inc. (BDO) accounts.
As early as December 11, 2021, the NPC’s Complaints and Investigation Division commenced the investigation of this serious security incident to determine the full extent of the compromise and any violations of the Data Privacy Act (DPA).
On December 13, 2021, the NPC issued notices to both BDO and Unionbank to explain, including requiring the banks to furnish additional information, documents, evidence, or witnesses, as may be necessary. The NPC has been in constant coordination with both banks in relation to the sua sponte investigation of the security incident.
Under the NPC’s Rules of Procedure, a sua sponte investigation allows the Commission to investigate possible personal data breaches even without a formal complaint from the public or a third party.
The NPC is also looking into the relevance of BDO’s 10-year-old system to the alleged security incident and into whether sufficient technical, organizational, and physical safeguards were in place to prevent unauthorized disclosure of personal information that may have been contained in the system.
Apart from requiring additional evidence and information, the NPC has ordered BDO and Unionbank to appear for a clarificatory conference on January 4, 2022, to verify and clarify the evidence submitted by the banks in relation to the investigation.
The NPC assures the public that all steps necessary to safeguard the rights of data subjects shall be taken and that the Commission shall exercise the full extent of its powers under the law against any party found to be in violation of the DPA.
The Commission is also coordinating with other government agencies in relation to this security incident.
ATTY. JOHN HENRY D. NAGA
Palace appoints new PH privacy commissioner
Malacañang has appointed Atty. John Henry Du Naga as the new privacy commissioner of the National Privacy Commission (NPC), effective December 14, 2021, for a term of three years.
Incoming Commissioner Naga will succeed Privacy Commissioner Raymund Enriquez Liboro, with whom he worked as Deputy Privacy Commissioner.
Commissioner Liboro congratulated his erstwhile deputy for his appointment and expressed support for his leadership. “I thank President Rodrigo Duterte for appointing Atty. John Henry Du Naga as the new Privacy Commissioner. With Atty. Naga’s appointment, I know that I am passing the baton to capable hands. I have great confidence that the new Privacy Commissioner will further cement the National Privacy Commission as a body committed to advancing data privacy and protection,” Liboro said.
Appointed as the country’s first Privacy Commissioner in March 2016 and having finished two consecutive terms, Liboro fast-tracked data protection policy development in the country by issuing the Data Privacy Act’s Implementing Rules and Regulations and essential policy circulars and advisories.
In October 2018, Commissioner Liboro put the country on the global scene by earning the Philippines a voting seat on the exclusive 5-member executive committee of the Global Privacy Assembly (GPA).
In 2019, the NPC, through Commissioner Liboro chaired the first-ever ASEAN Data Protection and Privacy Forum and hosted the 52nd Asia Pacific Privacy Authorities Forum.
Since 2020, the NPC has issued public health bulletins to guide personal information controllers and data subjects at a time of unprecedented and rampant data collection in response to the COVID-19 pandemic. In addition, under Commissioner Liboro’s leadership, the NPC was tasked with spearheading the COVID-19 task force of the GPA, which aimed to examine current privacy concerns and drive practical responses to privacy issues emerging from the pandemic.
This year, Commissioner Liboro focused on leveraging privacy to boost economic recovery, enabling trust and confidence in our industries to protect data privacy. As a result, the NPC successfully launched the NPC Philippine Privacy Trust Mark in November, a mechanism for companies to apply for demonstrable proof of excellence.
New role and same goal
As Deputy Privacy Commissioner since December 2019, Naga has considered consistency as the key to his work in both regulatory framework and ethical governance. He pushed for fair policies, technology standards, and other initiatives that promote privacy and data protection in the country.
“As I take this new role as Privacy Commissioner, my focus is to ensure the efficient and effective enforcement of the law and the protection of data subjects’ rights and interests,” said the new privacy chief. “Compliance is not just for the organization. It is also for the people, for our country. To protect one another through compliance is the first step to national stability and security,” he added.
The incoming Commissioner was briefly designated as NPC’s Data Protection Officer, who enhanced the agency’s internal policies and procedures in data protection and standards. He also headed the Data Security and Compliance Office, spearheading the agency’s mandate to monitor government and the private sector to ensure compliance with the DPA and provide assistance on matters relating to data protection at the request of a national or local agency, a private entity, or any person.
Before his appointment at the Philippines’ privacy body, Naga was the Assistant Secretary of the Department of Information and Communications Technology (DICT). During his stint at the DICT, he pushed for several information and communication technology (ICT) bills as the Legislative Liaison. In addition, he became the representative of the Department in various international ICT organizations.
In June 2018, he was appointed as the DICT Undersecretary for Management and Operations and was responsible for the overall internal management of the Department.
He also headed the Technical Working Groups for the Entry of the 3rd Telecommunications Player, the Common Tower Policy, the Tripartite agreement with the National Grid Corporation of the Philippines (NGCP) and Transco. Further, he was instrumental in securing the Landing Party Agreement with the Bases Conversion and Development Authority (BCDA) and Facebook, giving the Philippines 2 terabyte internet capacity. In February 2019, he led the Development and Innovations cluster of the DICT that was in charge of implementing the National Broadband Plan, National Government Portal, and the Philippine Identification System (PhilSys).
The incoming Commissioner’s career in public service started when he became a two-term provincial board member in the Province of Masbate. After passing the bar, he provided legal services, handling high-profile labor, telecommunications, and corporate law cases.
NPC sees benefits from privacy-protected SIM-card registration (Statement of Privacy Commissioner Raymund E. Liboro)
The Philippines may harness the benefits of the proposed SIM-Card Registration Act by enabling SMEs engaged in e-commerce and engendering consumer trust in a fast-growing identity-linked digital services society.
The recent approval of the bill in the House of Representatives came at a time of rapid digitalization during the pandemic that resulted in the Filipinos’ unprecedented participation in e-commerce, fintech, and mobile services using various digital platforms.
Under these circumstances the need to know-your-customer or know your caller becomes imperative not only to protect the public from ICT-enabled scams and frauds, but more importantly to build consumer and business confidence to engage productively in the digital economy.
The National Privacy Commission (NPC) maintains that mandatory SIM-card registration will succeed only under a framework of guaranteed privacy protection for mobile users. At present, we have that framework in place to protect citizens’ privacy and ensure that data privacy rights of mobile users are upheld and that is the Data Privacy Act (DPA) of 2012.
It must be noted that the approved bill came at a time when the country has put in place a foundational platform for identification which can strengthen trust in the registration of SIM cards. As a foundational platform, the PhilSys establishes a single source of truth for identification. Validating identities has always been a barrier in previous SIM-card registration proposals, but which the country can now hurdle with PhilSys, the government’s unified, centralized form of identification for Filipino citizens and resident aliens.
Voting 181-6-0 on December 6, the House approved on final reading House Bill 5793 or the proposed SIM-Card Registration Act. A similar measure has been filed in the Senate.
The bill includes a confidentiality clause that prohibits disclosing any information of a subscriber, unless upon subpoena or order from a court or written request from a law enforcement agency about an investigation that a particular number is used in the commission of a crime.
Under the bill, every public telecommunication entity (PTE) or direct seller shall require the end-user to present valid identification to register a SIM.
PTEs or telcos must provide the data protection citizens expect. They are required by the DPA to afford appropriate organizational, technical, and physical security measures to secure the personal data they will collect and prevent its unauthorized use and abuse.
Under the DPA, telcos are required, among other things, to conduct privacy impact assessments, enable their employees and supply chains on data security and privacy to prevent data breaches and ensure end-to-end protection of personal data.
The final version of the proposed law, after undergoing Senate procedures and bicameral committee consideration, where applicable, must clearly articulate the requirements for the implementation of data security measures by entities identified to handle SIM-card registration and that these entities be held accountable for any violation of data privacy rights under the DPA.
Furthermore, the final version should provide sufficient time for registration to prevent mobile users from being unjustly cut off from enjoying mobile services due to a limiting SIM-card registration period.
The NPC will continuously perform its regulatory function and assess the potential risks of the proposed law and provide practical recommendations to mitigate these risks so mobile users can be protected.
Interagency group vows to catch scammers behind smishing, text spams
Ten government agencies, including the Bangko Sentral ng Pilipinas (BSP) and Department of Justice (DOJ), have joined efforts to catch those behind the epidemic of smishing and text spams luring Filipinos into spurious investment schemes and work-from-home jobs.
“We desire to assist victims of cybercrime to the fullest and … bring the culprits to justice,’’ said Executive Director Cezar Mancao of the Cybercrime Investigation and Coordinating Center (CICC) at the creation of the technical working group against ICT-enabled scams and fraud.
Spearheaded by the CICC, the group includes the National Privacy Commission (NPC), Department of Information and Communications Technology, National Telecommunications Commission (NTC), Department of Labor and Employment, Department of Trade and Industry, National Security Council, and Anti-Money Laundering Council.
The group was created at an online meeting called by the NPC on November 26 to prevent what Privacy Commissioner Raymund Liboro called a potential “privacy disaster.” Millions of ordinary Filipinos are targeted by smishing and text spam. Many of them could have fallen prey to the scams and lost their hard-earned money.
From November 11 to November 21 alone, 1.55 million such messages were reportedly sent through Globe Telecom’s network.
App, portal, hotline
Among the measures the interagency group identified to address the problem was the setting up of a hub that will centralize complaints, including those filed with other agencies.
The CICC is now developing an app and a web portal where victims could report a scam through a hotline and dedicated website, according to Mancao.
The CICC will then furnish the telcos with the numbers provided by the victims and those gathered by other agencies so that these are blocked. Globe Telecom has so far blocked 1 billion messages since January. In addition, Smart Communications has blocked at least 60 web domains linked to the scam.
Mancao said the CICC would employ a triage system and refer cases to appropriate agencies for action, even as he called on other agencies to assist his office in addressing “tactically and strategically” the ICT-assisted scams and fraud.
The DOJ Office of Cybercrime offered to facilitate coordination with international agencies to fight against globally operating syndicates behind the scam.
Justice Undersecretary Jon Salvahan said the DOJ, as the country’s central authority on international legal cooperation, would enlist the help of law enforcement agencies overseas in intelligence gathering and investigation of the syndicates.
Data aggregators to be summoned
The NPC will summon five data aggregators that are being eyed as possible conduits behind the surge in smishing (a portmanteau of SMS [short message service] and phishing) and text spams over the past weeks.
Companies like global brands tap the aggregators to act on their behalf and deal with telcos in blasting promotions and other messages to customers.
For its part, the BSP Financial Supervision Sector said it was strengthening fraud management among financial institutions. One challenge, though, is how to hold on to proceeds in bank accounts and payment platforms used in the scams given the constraints posed by the Bank Secrecy Law, said BSP representative Deputy Director Byron Goli.
The BSP also welcomed the centralization of complaints under one portal, noting that it currently refers complainants to other agencies like the Philippine National Police, the National Bureau of Investigation, and the DOJ.
The centralization of complaints for action by concerned agencies will result in swifter responses and help boost public trust in government, according to Liboro.
Voluntary call and text attestation
Besides these short-term actions, the interagency group is looking at prepaid text and call attestation, which can trace the owner of numbers listed in a registry to be attested by telcos.
Liboro said call attestation was being implemented in the United States by the Federal Communications Commission (FCC) to curb robocalls. Marketers must register with the FCC under a scheme in which telcos could attest to the origin of calls.
According to the Privacy Commissioner, telcos in the country are open to the idea that they said was technically feasible.
“How can you trust a number calling or texting you? There should be a way to attest the number contacting you,” Liboro said. “For small entrepreneurs for example, having their prepaid numbers attested could boost their businesses because customers could be assured that they are dealing with someone that can be traced through a verified telco registry. Attestation could even help prevent bogus online deliveries and other ICT enabled frauds,” he added.
Increasing risks, reducing benefits
NTC Deputy Commissioner Edgardo Cabarios suggested two ways to address scams and fraud. One is by increasing risks to the scammers, and another is by reducing their benefits.
A SIM-registration scheme that could limit the options for criminals and possibly lead to arrests would increase the risks to the scammers. But, at the same time, effective law-enforcement and increasing citizens’ awareness not to fall prey to scams and blocking numbers sending phishing and text spams would reduce the benefits derived by those behind the scams, Cabarios said.
The next meeting of the interagency group is scheduled for Dec. 10.
NPC probes telcos, bank and payment platform on smishing; inter-agency body formed to go after scammers
The National Privacy Commission (NPC) has formally launched an investigation into whether telcos exercised due diligence and accountability in transacting with data aggregators linked to the sending of texts offering spurious jobs and investment schemes to millions of Filipinos.
On Monday, the NPC sent Globe Telecom, Inc., Smart Communications, Inc. and Dito Telecommunity Corp. orders to submit within five days documents and information that will provide the Commission specifics on their data flows and transactions involving data aggregators.
The Commission also sent orders to Union Bank of the Philippines, Inc. and GCash (Mynt – Globe Fintech Innovations, Inc.) –– the main payment channels where victims are directed to deposit their investments. The investment accounts invariably become inaccessible to the victims after they had been enticed to deposit larger sums in exchange for bigger commission.
New group against ICT-enabled scams
Another government action aimed at combating smishing and text spams that have cost a number of Filipinos their hard-earned money was the creation of an interagency group.
Formed on Nov. 26, the group against ICT-enabled scams and fraud consists of the NPC, Cybercrime Investigation and Coordinating Center (CICC), Department of Information and Communications Technology (DICT), National Telecommunications Commission, Department of Justice (DOJ), Department of Trade and Industry (DTI), Department of Labor and Employment, Bangko Sentral ng Pilipinas, National Security Council and Anti-Money Laundering Council.
The CICC, headed by Executive Director Cesar Mancao, is the lead agency. It will serve, among other things, as the hub that will receive complaints from cellular phone subscribers and will be tasked with forwarding the numbers used by scammers to telcos for blocking.
The NPC is also pushing for call and text attestation to prevent what Privacy Commissioner Raymund E. Liboro calls a national “privacy disaster.’’ Attestation can trace the owner of a number used in calling or sending texts, as these are listed in a registry.
Involved in the proliferation of smishing and text spams are data aggregators, which could be legal entities tapped by companies such as global brands to act on their behalf and deal with telcos in blasting promotions and other company messages to their customers.
“At the meeting with the NPC on November 24, the data protection officers of Globe Telecom and Smart Communications revealed a complex chain of data aggregation and handling, involving data brokers, that is bringing new challenges to compliance and enforcement,” Liboro said.
The telcos said they traced the smishing and text spams to companies web-hosted in China and India.
In its report to the NPC, Globe in particular identified a data broker, Macrokiosk, that was tapped by a firm named China Skyline Telecom, as the primary source of messages that “share the theme of job hiring and contain a Whatsapp contact link.”
Globe said 1.55 million of such messages were sent through its network from Nov. 11 to 21 alone.
United effort vs ICT enabled scams and frauds
In a recently conducted inter-agency meeting, the NPC, DOJ, DTI, DICT, CICC, and other agencies have committed to strengthen consumer protection and widen the hunt versus the perpetrators of this scam.
The DOJ said on Friday that it would coordinate with its counterparts abroad to build cases against the perpetrators of this cybercrime.
The NPC has encouraged telcos to continue blocking these data aggregators, as well as the numbers, domains and internet protocol addresses that enable the smishing and text spams.
Smart Communications has blocked at least 60 web domains. Globe Telecom, for its part, has blocked 1 billion messages since January, preventing them from reaching and scamming mobile phone users.
The companies have also intensified their awareness campaigns to help more data subjects protect themselves from falling victim to smishing attacks.
The telco players have committed to cooperate fully with the NPC and provide critical information to strengthen government’s fight against smishing.
— END —
Online safety of children takes center stage in NPC’s Kabataang Digital
The National Privacy Commission (NPC) will hold the Kabataang Digital, its advocacy campaign that promotes online safety for children, on November 25, 2021.
Under the slogan “Matalino, Mapagmatyag, at Mapanuri,” the annual young privacy advocates summit, in collaboration with the Department of Education (DepEd), is open to all students, educators, and parents.
Kabataang Digital officially launched on November 25, 2020 in line with the celebration of National Children’s Month. This advocacy campaign for children encourages data protection, by enjoining school officials and parents to educate their children on appropriate digital citizenship, promote safe choices, and elaborate the implications of the digital environment for children’s privacy rights.
NPC Executive Director Ivin Ronald Alzona said that “Kabataang Digital is a vital part of the NPC’s vision of building a better digital landscape for future generations.”
“Kabataang Digital teaches children data privacy principles that will serve as their building blocks of being responsible and smart digital citizens who are knowledgeable on what should and should not be shared online and are mindful of their rights as data subjects. With Kabataang Digital, the NPC seeks the assistance of educators and parents in equipping the youth with the knowledge they need to responsibly explore and utilize technological tools prioritizing data privacy and protection,” Alzona said.
The summit is divided into two sessions: the morning session will gather kids in Grades 1-6 and their guardians or teachers, while the afternoon session is for teenagers, from junior high school up to college. An estimated 3,000 participants are expected to attend.
Basic data privacy knowledge and information will be discussed in the morning session, which will also feature testimonials from children.
The afternoon session will revolve around more serious topics on data privacy and an interactive session through a roundtable discussion, where a combination of professionals and student leaders will discuss emerging concerns on child data privacy.
Topics will include challenges and opportunities for growth as digital children; digital responsibility through data privacy rights and best practices on using the internet and social media platforms; how teenagers perceive personal data protection at this age; cyberbullying and accountability; digital citizenship and influence of social media to teenagers; and data privacy for newly registered or first-time voters and the possible risks to their data privacy.
Among the resource persons invited are data protection officers and representatives from the Commission on Elections, Google, National Council for Children’s Television, DepEd, online influencers, UNICEF, and Stairway Foundation Inc., among others.
The summit will hold a ceremonial signing of the Memorandum of Agreement (MOA) between the NPC and Globe. As part of the MOA, the NPC and Globe will share short instructional or informational videos focusing on data protection for children. The videos will be hosted on NPC’s Kabataang Digital YouTube channel.
Those interested in participating may watch the Kabataang Digital summit live on YouTube.
Statement of NPC on S&R data breach
The National Privacy Commission (NPC) received an initial breach notification report on November 15, 2021, 4:47 PM, from S&R Membership Shopping in relation to a cyber-attack that may have compromised its members’ contact information. The S&R said that it discovered the security incident last November 14, 2021.
The company then submitted a supplemental breach report today, November 24, 2021, confirming that the subject of the ransomware attack was the S&R membership system, affecting twenty-two thousand (22,000) data subjects. According to the report, the following personal data were compromised:
– date of birth
– contact number
Based on S&R’s disclosure and confirmation from its data protection officer (DPO), credit cards and other financial information were not among the compromised personal data.
S&R informed the Commission that it has instituted measures to secure its system, recover the compromised data, prevent further disclosure, and prevent a recurrence of similar attacks.
The NPC reiterated to S&R its obligation to fully disclose the incident and to individually notify the affected data subjects. Likewise, the Commission directed S&R to provide the technical report on the incident from its third-party cybersecurity firm.
ATTY. RAINIER A M MILANES
Chief, Compliance and Monitoring Division
NPC: GLOBAL SYNDICATE BEHIND SCAM TEXT SURGE; SUMMONS TELCOS, BANKS AND E-COMMERCE PLATFORMS
The National Privacy Commission (NPC) has summoned the data protection officers of Globe Telecom, Smart Communications, Dito Telecommunity, Lazada, Shopee and several banks to report on their spam prevention measures and further steps to combat the recent surge of scam texts that have been soliciting and misusing personal information.
NPC launches Ph Privacy Trust Mark to add value to business, boost trust in cross-border data transfers
The National Privacy Commission (NPC) launched today the Philippine Privacy Trust Mark (PPTM), which aims to increase trust and confidence in businesses and public offices as the mark offers the highest level of assurance on data privacy compliance and secure cross-border data transfers.
“Our launch today of PPTM comes at an opportune time as we aim to fully embrace digitalization for our economic recovery. This won’t be achieved without strengthening the foundation of trust in every action and transaction we make online,” Privacy Commissioner Raymund E. Liboro said.
He urged all personal information controllers (PICs) and personal information processors (PIPs) to aim for certification now, as the PPTM is open to all types of organizations.
PPTM also enables consumers “to make informed choices and have greater control of the personal data collected from them,” Liboro said.
“By helping data subjects identify organizations they can entrust their personal data, we are also encouraging consumers to be more data privacy-conscious and to exercise their rights more prudently,” he added.
The launch comes with the release of the full PPTM Certification Scheme guidelines, which outline the requirements and processes to gain certification, including the requirements for PICs and PIPs to establish, implement, and continually improve their management systems, an imperative to be certified.
The certification process will evaluate an organization’s demonstration of operational compliance with the Data Privacy Act through risk management and assess an organization’s demonstration of having the proper organizational, physical, and technical security measures to ensure data protection.
The guidelines also provide adequate support for cross-border data transfers, reflecting NPC’s intent to align its compliance mechanisms with global practices and standards.
“Certified PICs and PIPs can more easily integrate themselves in global value chains as they gain more clients, customers and business partners with their branding of secure privacy systems,” Liboro said.
While the mark is voluntary and applies only to management systems, organizations must still ensure that all identified products, services, programs, and projects adhere to the data privacy principles of legitimate purpose, transparency, and balance throughout the data lifecycle.
Valid for three years
The certificates are valid for three years and may be renewed.
However, those certified could still be suspended if found to “persistently” fail in meeting requirements, such as evidence of continuous improvement.
Failure to resolve an issue within six months could result in revocation of the certification.
Revocation will also apply when the certification is invalid, or when a certified organization is found to have violated the terms of the audits or to lack the declared requirements for its management systems.
The PPTM Certification Scheme comes with guidance for those seeking to function as bodies that will audit PIC and PIP-applicants, certify their management systems, and renew their certification.
The guidelines also outline the competence requirements and obligations in providing certification assessment for PPTM.
The certification bodies recognized by the NPC must demonstrate independence throughout the certification process, which must be completed within six months of the submission of application documents and requirements.
NPC recognizes importance of complying with COA rules to promote transparency, good governance
In recognizing the importance of complying with Commission on Audit (COA) rules and regulations, the National Privacy Commission (NPC) held an online entrance conference with COA last month.
The conference marked the official start of COA’s review of NPC’s accounts and transactions for calendar year 2021. The NPC reiterated that public funds must be spent judiciously in accordance with prevailing laws, rules, and regulations in order to promote transparency and good governance. Furthermore, the NPC assures that it will closely coordinate with COA in the conduct of its audit and has requested its continued guidance.
NPC Executive Director Ivin Ronald Alzona described the entrance conference as “a crucial part of NPC’s roadmap in achieving its vision of being a world-class regulatory and enforcement agency, upholding the right to privacy and data protection while ensuring the free flow of information.”
“The COA entrance conference is a critical part of the National Privacy Commission’s quality policy, wherein we endeavor to perform our mandate with passion and utmost integrity through continually improving policies and systems at par with international standards, and commit to regulatory and statutory requirements for public service for the benefit of the Filipino people,” Alzona added.
In the entrance conference, COA discussed the terms of its engagement; audit focus; audit objectives; its responsibilities as auditor and NPC as auditee; reports that COA requires in conducting its audit; expected output from COA; and its audit timeline. The annual audit report is due to be issued in June 2022.
Privacy Commissioner Raymund Liboro said the NPC and COA shared the same objective of ensuring that institutions were trusted by the public.
“The NPC is promoting good stewardship in personal data, while COA is about good stewardship of the people’s resources. The NPC as a 21st century regulator is here to promote trust in government and businesses so that innovation will flourish,” Liboro added.
COA Supervising Auditor Lea Petero hopes that the audit agency will be of help to the NPC in “improving the operations of the Commission for an honest and transparent governance.”
The Privacy Commissioner assured the public that the NPC would work hand in hand with COA in complying with existing laws and regulations to improve policies and processes to better serve the public.
NPC leads creation of new global working group on “data sharing for the public good”
The National Privacy Commission (NPC) is leading the formation of a new working group under the Global Privacy Assembly (GPA) aimed at gathering and promoting data-sharing best practices to guide governments and regulators toward a post-pandemic economic recovery.
“The new working group will focus on identifying practical approaches on how personal data can be shared and used to usher in innovation and growth while protecting individual rights and promoting public trust,” NPC Commissioner Raymund E. Liboro said.
The resolution of the working group also underlines the need for governments, the private sector, and the academe to prevent and be vigilant against the abuse of data sharing in the guise of “public good” or “common good” purposes.
The creation of the group comes at a time when personal data processing has become integral to sustaining a safe economic recovery amid privacy risks.
Liboro noted that concerns were already emerging in the sharing of personal data in health passports, health monitoring of incoming travelers and returning nationals, contact-tracing, and handling of children’s or students’ data in e-learning technologies.
“The working group endeavors to strengthen the capacity of GPA members and observers in developing proactive responses to curb risks in data-sharing activities,” Liboro added while highlighting the need to integrate privacy-by-design across data sharing processes and agreements.
The resolution on data sharing for the public good was submitted at the 43rd GPA by the NPC as COVID-19 Working Group chair. Reports on the progress of the new GPA working group will be presented at the Assembly’s 2022 closed session.
The working group to be formed will build on the gains of the COVID-19 Working Group, which was created with a mandate of one year to assist and provide its members with advice on best practices, insights and practical responses regarding privacy issues during a pandemic.
The 30-member COVID-19 Working Group, despite a relatively short stint, achieved significant outcomes in furthering the mission of the GPA, including the conduct of various capacity-building activities and the two-part Compendium of Best Practices in Response to COVID-19.
Deepening int’l cooperation
“The GPA is alive and flourishing thanks to our interactions and exchanges,” newly elected GPA Chair Blanca Lilia Ibarra Cadena said at the 43rd GPA, held virtually on October 18-21, 2021. Cadena is also President Commissioner of Mexico’s INAI (National Institute for Transparency, Access to Information and Personal Data Protection).
“Our partnership is deepening, with our cooperation covering issues that concern society as a whole, achieving a growing impact. The ideas expressed at this conference invite us to rethink and draw new horizons on the incorporation of best practices in the handling of personal data,” Cadena added.
Liboro echoed this, saying “international work forms a vital role in NPC’s mandate.”
“We need to show the world that the Philippines is a responsible steward of personal data and that privacy is alive and well in our country. It’s important to convey both to our local and global audience that the aim of the Data Privacy Act of 2012 is to protect and uphold data subject rights to instill trust in our institutions, government, and businesses,” Liboro said.
The GPA is an international body that has been providing an avenue for privacy dialogues and collaboration for over 130 privacy and data protection authorities for the past four decades. The Assembly is organized into working groups that concentrate on its most significant initiatives.
NPC launches trainers’ training to expand ranks of data privacy experts
The National Privacy Commission (NPC) has launched its Training the Trainers Program (T3), accrediting ten institutional privacy trainers and three individual accredited privacy trainers to develop more data privacy experts and nurture a culture of privacy across the country.
“T3 will scale the number of trainings that can be administered, and it will promote a healthy competition among trainers, thereby setting higher standards that will benefit Data Protection Officer (DPO) aspirants,” Privacy Commissioner Raymund E. Liboro said at the virtual launch of the program held on October 18.
“Through this program, Filipinos, no matter where they are, will have quality training services from our T3 partners. There will be no shortage of opportunities to learn more about the Data Privacy Act (DPA) and how these learnings can be applied to operational practices,” he added.
Under the T3 program, the NPC accredits trainers who have demonstrated the capacity, expertise, qualifications, and dedication to educate the public on key concepts and accurate interpretations of the DPA, its implementing rules and regulations, and other NPC issuances.
The accredited trainers will be given the opportunity to expand their knowledge on data privacy and be regularly guided by the NPC to ensure they are kept updated of emerging privacy concepts, trends, and developments.
Profiles to be published
Aside from comprehensive guidance, the NPC will support accredited partners by publishing their profile on the NPC T3 website and in newspapers of general circulation to affirm their legitimacy as trainers and to encourage DPO aspirants to tap their expertise.
With the T3 Program in place, Data Protection Officer (DPO)-trainers will be more equipped to fulfill their duties of enabling personal information controllers and processors to be DPA-compliant, and ensuring that privacy risks are mitigated in all their data processing activities.
“This will help Philippine companies, especially sectors that rely on cross-border data mechanisms, to be competitive compared to its peers in Europe and other jurisdictions that take data protection seriously,” said T3 Project Lead, Atty. Aurelle Dominic E. Narag.
Institutional Privacy Trainers accredited by the NPC are the ADM & Partners; Center for Research and Communication Foundation Inc; Development Academy of the Philippines; Global Knowledge Philippines; People Management Association of the Philippines; Lights Consultancy, OPC (Lights Institute); Privacy Key Specialists PH, Inc; Straits Interactive Training and Services Inc; Yisrael Solutions and Training Center Inc; and Process Synergy, Inc.
The NPC accredited three privacy practitioners – Dr. Rolando R. Lansigan, Atty. Karl John A. Baquiran, and Atty. Kayzer Saba.
They were all awarded certificates of accreditation at the virtual launch on Monday.
DPO ACE expanded
By involving private sector partners, the T3 Program expands the scope of NPC’s ongoing DPO Accountability, Compliance, and Ethics Certification (DPO ACE) Program level 1.
The T3 partners will conduct trainings patterned after the DPO ACE level 1 curriculum, and they will prepare students to take and pass the DPO ACE level 1 Certification Examinations.
The status of their accreditation will hinge on their undertaking to train at least three hundred students per year, and on an 80% passing rate for their students who take the NPC DPO ACE certification examinations.
“The T3 program will increase the training standards of our partners who will be tested against their undertakings. Eventually your students will have to take DPO ACE examinations, and a percentage of them will have to pass for you to retain the recognition status,” added Atty. Narag.
Liboro emphasized that the new program would help nurture privacy resilience in the country at a critical time of massive digitalization.
“As the Philippines pursues digitalization, the role of the NPC will be bigger. With all partners now under the T3 and our other programs, the ambition to reach more and train more, and build the capacities of privacy advocates and DPOs can be realized,” the Privacy Commissioner said.
Privacy Commission launches open call for accountability agent applicants for APEC cross-border privacy rules system
The National Privacy Commission (NPC) invites companies and organizations to apply for accreditation as an Accountability Agent for the APEC (Asia-Pacific Economic Cooperation) Cross-Border Privacy Rules (CBPR) System.
The APEC CBPR System is voluntary and accountability-based, and facilitates data flows that respect privacy among APEC-member economies. The system requires organizations to develop and implement privacy policies and practices for all personal information that they have collected or received that is subject to cross-border transfer to other participating APEC members.
Accountability Agents perform a crucial role in the APEC CBPR System by certifying that the privacy policies and practices of participating companies or organizations are compliant with the CBPR System requirements.
“An Accountability Agent performs a key role in propelling the data privacy and protection landscape of the Philippines and elevating the country’s standing and reputation in the global trade,’’ Privacy Commissioner Raymund E. Liboro said.
“Likewise, the Accountability Agent is expected to collaborate with companies, consumers, and governments to ensure that cross-border data transfers are at par with the privacy standards set by APEC,” Liboro added.
The NPC will accept applications starting October 15, 2021 and will evaluate all submissions per batch. For the first batch, the deadline is November 29, 2021.
The Philippines became the ninth member economy participating in the CBPR System in March 2020. As the next step to fully implement the CBPR System in the Philippines, the NPC is currently working towards nominating an Accountability Agent who will certify companies in the APEC CBPR System.
For more information on the criteria for Accountability Agent recognition, visit the APEC CBPR System website at http://cbprs.org/documents/. Documents for AA recognition are also available here: https://www.privacy.gov.ph/documents-for-accountability-agent-recognition/.
Interested organizations must notify the NPC of their intent and submit a completed application for an initial assessment to [email protected].
Any questions concerning the process may be addressed to [email protected].
App and software developers learn importance of data privacy by design at NPC forum
Over 500 software and mobile app developers from local governments and the private sector learned the importance of adopting data privacy principles in all stages of their product development and business management processes at a privacy-by-design webinar that the National Privacy Commission (NPC) conducted on Sept. 27.
Kevin Shepherdson, a founder of Singapore-based privacy specialist firm Straits Interactive Pte. Ltd., lamented that many developers look at privacy only after they have introduced the app and everyone is complaining.
“You have to think [of privacy] at the planning stage. You have to be proactive not reactive,” Shepherdson said.
He warned that a reactive practice could bring problems in the end, citing a number of cases in which tech companies, such as Google and TikTok, had been slapped by foreign privacy authorities with million-dollar penalties for privacy-violating practices. Others, like the facial-recognition Ever App, were forced to shut down.
“Everything you do from the moment may influence not only the performance of your software but also those who use it in the context of privacy. Privacy must be your default posture even before you begin your programming journey," Privacy Commissioner Raymund E. Liboro said at the summit.
Origin of privacy by design
Privacy by design was developed in the 1990s by the Information and Privacy Commissioner of Ontario, Dr. Ann Cavoukian.
The approach, adopted by the European Union’s General Data Protection Regulation, requires data processors and IT system engineers to design products in a data-minimizing and data-subject-friendly way, with pre-settings that adopt measures to mitigate anticipated security risks.
Lessons from Ph’s contact-tracing
Liboro urged developers to strive for privacy by design, calling it an "enabler of trust that will promote the use of your products, services and technologies.”
“Conversely the lack of trust will make people suspicious and hesitant to use your app or disclose their information which is critical for data driven technologies," Liboro said.
He cited as a lesson the country's contact tracing, which Malacañang called the “weakest point” in the country’s Covid-19 efforts. Liboro noted that the NPC found people using these apps “incorrectly, with some using aliases to spoof their identity.”
Edwin Concepcion, head of Straits’ DPaaS Excellence and Support–Asean, echoed this, saying “building trust was one of the challenges [of] the local contact tracing apps.”
He said he had found a privacy notice of a local government-implemented contact-tracing app that was collecting personal data for marketing and data mining, purposes which have no relation to the objective of the contact-tracing app.
Liboro assured the participants that the NPC was continuing to coordinate with national and local governments “to ensure their respective in-house and respective software developers or contact-tracing apps are apprised of the duty to safeguard the personal info of Filipino people.”
Consent best practices
Atty. Rainier M. Milanes, chief of NPC's Compliance and Monitoring Division, gave an overview of the Data Privacy Act (DPA) of 2012, while reminding developers and data protection officers (DPOs) to regularly work out a “clear, specific and updated” privacy notice and consent collection forms.
“Include specific consent. Describe what happens to the data once it is collected, what will happen to it when stored and when will it be disposed of,” Milanes said.
Straits’ Shepherdson added that once a mobile app had been uninstalled, the user’s personal data must be deleted from the app, as it was understood that the app’s business goals had been fulfilled.
Milanes said another best practice was allowing users to refuse and withdraw consent “easily and anytime.”
“Consent should also be unbundled from other terms and conditions whenever possible,” Milanes explained, discouraging the use of pre-ticked boxes especially for optional terms, such as marketing purposes, when seeking consent.
Kelvin Magtalas, information systems analyst at NPC’s Data Security and Technology Standards Division, said privacy notices and consent forms must have “clear and concise language understandable to its targeted audience.”
“In the Philippines, where we have many dialects, reiteration in other dialects should also be considered,” Magtalas added.
He pointed out that the fintech and online-solutions provider industries must improve on drafting privacy notices, as many “vaguely describe the actual processing of their services.”
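The consent practices described in this section (one consent per purpose rather than a bundled agreement, no pre-ticked optional boxes, consent evidenced by a recorded action, withdrawal possible at any time, and deletion once the app is uninstalled) translate directly into how an app stores and checks consent. The following is an added example, not code from the NPC or from the forum speakers; the purpose names, the record layout and the evidence string format are assumptions made for illustration.

```python
"""Consent ledger for a mobile app, following the practices described above.

Added example: this is not NPC code or code from the forum speakers. The
purpose names, the dataclass layout and the "evidence" string format are
assumptions made for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Purposes the app cannot function without, and purposes that are optional.
# Optional purposes (e.g. marketing) must never default to "granted".
REQUIRED_PURPOSES = frozenset({"account_service"})
OPTIONAL_PURPOSES = frozenset({"marketing", "analytics"})


def _now() -> datetime:
    return datetime.now(timezone.utc)


@dataclass
class PurposeConsent:
    purpose: str
    granted: bool = False               # default is NOT granted: no pre-ticked box
    granted_at: Optional[datetime] = None
    withdrawn_at: Optional[datetime] = None
    evidence: Optional[str] = None      # how consent was evidenced (UI action, notice version)

    def is_active(self) -> bool:
        return self.granted and self.withdrawn_at is None


class ConsentRecord:
    """One data subject's consent, kept per purpose (unbundled) so that
    declining marketing does not block the service itself."""

    def __init__(self, user_id: str, notice_version: str) -> None:
        self.user_id = user_id
        self.notice_version = notice_version
        self.purposes: Dict[str, PurposeConsent] = {
            p: PurposeConsent(p) for p in REQUIRED_PURPOSES | OPTIONAL_PURPOSES
        }

    def grant(self, purpose: str, evidence: str, when: Optional[datetime] = None) -> None:
        """Record an explicit, evidenced opt-in for exactly one purpose."""
        pc = self.purposes[purpose]
        pc.granted = True
        pc.granted_at = when or _now()
        pc.withdrawn_at = None
        pc.evidence = f"{evidence}; notice v{self.notice_version}"

    def withdraw(self, purpose: str, when: Optional[datetime] = None) -> None:
        """Withdrawal is always possible and needs no justification."""
        pc = self.purposes[purpose]
        if pc.granted and pc.withdrawn_at is None:
            pc.withdrawn_at = when or _now()

    def may_process(self, purpose: str) -> bool:
        """Gate every processing step on an active consent for that purpose."""
        return self.purposes[purpose].is_active()

    def can_deliver_service(self) -> bool:
        return all(self.may_process(p) for p in REQUIRED_PURPOSES)

    def purge_plan(self) -> List[str]:
        """Purposes with no active consent: no data may be held under them."""
        return sorted(p for p, pc in self.purposes.items() if not pc.is_active())

    def on_uninstall(self) -> List[str]:
        """Uninstall ends the app's business purpose: withdraw everything and
        return the full list of purposes whose data must now be deleted."""
        for p in self.purposes:
            self.withdraw(p)
        return sorted(self.purposes)


def check_form_defaults(form_defaults: Dict[str, bool]) -> List[str]:
    """Lint a consent form's default toggle states: return the optional
    purposes that are pre-ticked (a practice the NPC discourages)."""
    return sorted(p for p, on in form_defaults.items() if on and p in OPTIONAL_PURPOSES)


if __name__ == "__main__":
    # Constructed sample: a user accepts the service and marketing, later withdraws marketing.
    rec = ConsentRecord("user-123", "3")
    rec.grant("account_service", "tapped 'Create account'")
    rec.grant("marketing", "toggled 'Send me offers' on")
    rec.withdraw("marketing")
    print(rec.may_process("marketing"), rec.purge_plan())
    print(check_form_defaults({"account_service": True, "marketing": True, "analytics": False}))
```

The design point is that processing code never asks "did the user accept the terms" but "is there an active, evidenced consent for this purpose", so a withdrawn marketing consent stops marketing processing without touching the account itself, and the purge list tells the retention job exactly what to delete.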
Cross-border data transfers, accountability
Atty. Ivy Grace Villasoto, Policy Development Division chief, explained the obligations of personal information controllers and personal information processors in sharing and transferring data.
She discussed the Asean Model Contract Clauses (MCCs), which the NPC is encouraging companies to adopt when transferring personal data across different jurisdictions in the region.
MCCs are templates businesses can adopt to set out the responsibilities, required personal data protection measures and related obligations of contracting parties when transferring personal data to other entities within the Asean, for both controller-to-controller and controller-to-processor transfers.
"You can use this to fulfill your obligations under Section 21 of the DPA or the principle of accountability to provide a comparable level of protection as personal data is processed by a third party," Villasoto said.
Swiss privacy laws
Carlos Ely C. Tingson, DPO of the Presidential Security Group, shared an analysis of Swiss privacy laws, which set one of the highest legal standards for privacy in the world and make Switzerland a top choice for data centers.
He emphasized the need to fully understand the laws of other jurisdictions and their security protocols that would be applied to data handling processes.
“By putting privacy by design, it is not enough to say, ‘We are using high-grade encryption.’ We have to check the design itself, the infrastructure we use,” Tingson said.
“We also have to check, aside from the SSL (Secure Sockets Layer) and the authentication protocols, we have to check how were the [server] keys derived, how were the keys distributed, where are they stored, and the like,” he added.
Finding external, internal vulnerabilities
Allan Jay Dumanhug, cofounder of cybersecurity firm Secuna, encouraged developers to “hack yourselves first,” providing key tips on searching for publicly available data through Google, GitHub and Shodan, the sources hackers most commonly use.
For his part, Raymund Nuñez, an information security professor at the University of the Philippines and a security consultant, said vulnerabilities widely perceived as low-risk could still open a point of entry for hackers, especially when combined with other low-risk threats.
‘Bruteforcing’ credit card number
Nuñez revealed how the last four digits of a credit card number, printed on physical receipts, could still be “bruteforced” to reverse anonymization, especially if the programming language used was weak. Bruteforcing is an exhaustive search that guesses every possible combination of a targeted password.
“Bruteforcing blindly would have taken months to crack but with the insights we have, the techniques we applied, we were able to crack 300,000 passwords in a few hours,” Nuñez added.
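The risk Nuñez describes comes from pairing a truncated card number with a deterministic, unkeyed hash of the full number: the digits already shown on the receipt shrink the set of card numbers the hash could belong to, so the hash can be recomputed for each remaining candidate and matched. The added example below, which is not code from the forum or the NPC, quantifies that candidate space and shows the pseudonymization a defender uses instead: a keyed HMAC, whose output cannot be recomputed without the secret key. The 16-digit card length, the 4 visible digits and the key-management assumption are mine.

```python
"""Why truncated PAN + unkeyed hash is reversible, and the keyed alternative.

Added example, not from the forum or the NPC. Assumptions (mine): 16-digit
card numbers (PANs), receipts showing the last four digits, and an HMAC key
that lives in a key-management system, never beside the tokenized data.
"""
import hashlib
import hmac
import secrets


def luhn_ok(pan: str) -> bool:
    """Standard Luhn check-digit validation used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def candidate_space(pan_length: int = 16, known_prefix: int = 0, known_suffix: int = 4) -> int:
    """How many valid PANs are consistent with the digits already exposed.

    Luhn fixes one digit, so only (unknown - 1) digits are free: this is the
    number of hashes an attacker must compute to reverse an unkeyed hash.
    """
    unknown = pan_length - known_prefix - known_suffix
    if unknown <= 0:
        return 1
    return 10 ** (unknown - 1)


def unkeyed_fingerprint(pan: str) -> str:
    """What NOT to store next to a truncated PAN: anyone who can enumerate
    candidate_space() values can recompute and match this digest."""
    return hashlib.sha256(pan.encode()).hexdigest()


def new_pseudonym_key() -> bytes:
    """A 256-bit random key; in production this comes from a KMS/HSM (assumption)."""
    return secrets.token_bytes(32)


def pseudonymize(pan: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 of the PAN: stable for analytics and de-duplication,
    but useless to recompute without the key, however small the candidate set."""
    if not (pan.isdigit() and luhn_ok(pan)):
        raise ValueError("not a valid PAN")
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def mask_for_receipt(pan: str) -> str:
    """Receipt display: everything but the last four digits masked."""
    return "*" * (len(pan) - 4) + pan[-4:]


if __name__ == "__main__":
    # Constructed sample PAN (the well-known test number, not a real card).
    pan = "4111111111111111"
    key = new_pseudonym_key()
    print("receipt shows:", mask_for_receipt(pan))
    print("candidates with last 4 known:", candidate_space(16, 0, 4))
    print("candidates with issuer prefix (6) and last 4 known:", candidate_space(16, 6, 4))
    print("keyed token:", pseudonymize(pan, key)[:16], "...")
```

The numbers from `candidate_space` are the whole argument: an unkeyed SHA-256 over a space of 10^5 to 10^11 values is a lookup table, not anonymization. The keyed token is also what lets the same card be recognized across transactions without ever storing the PAN; rotate the key and the old tokens become unlinkable, which is exactly the property a brute-force search cannot defeat.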
Google, Facebook reassurance
Meanwhile, tech giants such as Google and Facebook reiterated their commitments to comply with the DPA and protect users.
Yves Gonzalez, head of Google Philippines’ Government Affairs and Public Policy, presented the platform’s key features that represent privacy by design.
"Our privacy tools put you, the user in control," Gonzalez said, noting that configurations are easy to use so users, "in just a few clicks,” can choose the right privacy setting that works best for them.
He also touted Google’s privacy sandbox, which allows advertisers to continue profiting from personalized ads while protecting users’ profiles.
Arianne Jimenez, Facebook’s privacy and public policy manager for the Asia Pacific, shared how the social media giant leveraged real-time data to respond to real world crises such as Covid-19.
Vigilance among data subjects
Liboro urged data subjects to be more vigilant in protecting their data privacy rights in this digital age.
“Do not hesitate to file a complaint against tech platforms that are failing your privacy and protection standards,” he said.
The NPC chief said data subjects need not adjust to tech platforms.
“Developers, companies and personal information controllers must adjust according to your needs by thinking of your privacy rights in every step of the way,” he said.
“Because it is only through privacy by design that data subjects will fully embrace the digital world, and hence keep the economy and innovation thriving for the benefit of Filipinos,” Liboro added.
NPC reminds companies giving vaccine rewards to get consent
The National Privacy Commission (NPC) has reminded all personal information controllers (PICs) to get vaccinees’ free and informed consent before using any personal information in their COVID-19 vaccination cards for promos, raffles, or discounts.
The agency recently issued NPC PHE Bulletin No. 20 in light of reports of collection of copies of COVID-19 vaccination cards by certain companies as a form of reward to vaccinated individuals.
Privacy Commissioner Raymund Liboro noted that vaccination cards contained sensitive personal information such as the vaccinee’s age, date of birth, and health information.
“While we laud these gestures as part of the ongoing initiative to encourage all eligible individuals to be vaccinated against COVID-19, we must also remind all PICs of the need to establish a lawful basis in the conduct of their respective personal data processing activities,” Liboro said.
“Securing the free and informed consent of the individuals may be a lawful basis,” he added.
For consent to be valid, Liboro said it must be freely given, specific, informed, and an indication of will.
“This means that the vaccinee should explicitly agree to the collection and processing of his or her vaccine card. Consent must also be evidenced by written, electronic, or recorded means,” he said.
A privacy notice must be provided to sufficiently inform the vaccinees wishing to avail themselves of the promos, raffles, or discounts on the details of the processing of their personal data and their rights as data subjects, among other necessary information, for PICs to demonstrate transparency, the NPC chief said.
He also reminded the PICs that the use of the vaccine card must be limited to the intended purpose of giving promos, raffles, or discounts.
“It shall not be used for further processing, such as profiling, automated decision making, or for other purposes incompatible with the declared and specified purpose,” he said.
The health information of the data subjects must be adequately secured. PICs must adopt measures to protect copies of the vaccine cards and shall be accountable for their processing.
The vaccine cards should never be posted by PICs on public platforms. Such unauthorized disclosure may be punishable under the Data Privacy Act of 2012 and other applicable laws.
Copies of the vaccine cards must be retained only for as long as necessary for the fulfillment of the purpose. These must be disposed of in a secure manner – hardcopies must be shredded properly, while softcopies must be deleted or overwritten in a manner that ensures that the stored copies of the vaccine cards are permanently and irreversibly destroyed and beyond recovery.
The NPC also reminded all data subjects to send a report to its information desk at [email protected] for any concerns, questions, reports, and complaints.
-- END --
Statement of Privacy Commissioner Raymund Liboro on the Implementation of Mobile Number Portability Law
The National Privacy Commission (NPC) welcomes the implementation of the Mobile Number Portability Act (MNPA).
Data portability is a data subject right enshrined in Section 18 of the Data Privacy Act (DPA).
Allowing mobile postpaid or prepaid subscribers to retain their existing mobile number despite switching between different mobile service providers gives data subjects control over their data, which is among the key principles of the DPA. We believe that the implementation of the MNPA is a boon to the telecommunications industry in the country and bolsters consumer welfare at a time of surging cellphone usage.
We assure mobile subscribers that the NPC is ready to assist other government agencies in the implementation of the mobile number portability law. We will provide inputs and guidance in the porting activities of mobile service providers to ensure that the handling of subscribers’ personal data is strictly aligned with the data privacy law.
COVID-19 software developers invited to NPC data privacy assembly
The National Privacy Commission (NPC) has invited COVID-19 contact-tracing application developers to a data privacy summit for the technology sector scheduled for September 27.
More than 300 software developers are expected to attend the event, dubbed “DPO 24: The Data Protection Officers’ Assembly for the Technology Sector,” via MS Live Events.
The event is open to information technology offices and departments of local government units (LGUs), individual software developers and those from private institutions.
The NPC has reached out to the Department of the Interior and Local Government (DILG) and the League of Cities of the Philippines to invite their internal or partner software developers for their contact-tracing apps or websites.
“Holding the summit for the technology sector is crucial to the National Privacy Commission, as technology has become the primary means to conduct business, especially during the pandemic,’’ Privacy Commissioner Raymund Enriquez Liboro said.
“Data privacy does not just require secure technology and tools to collect and process personal data. It also requires well-informed data protection officers and developers and implementors of these tools,” Liboro added.
Discussions in the summit will include contractual agreements and balancing privacy with data sharing, building trust in the age of digital transformation, privacy by design in social media, data privacy best practices in eCommerce, best practices in consent particularly electronic consent and online privacy notices, and mobile app privacy.
Software developers as privacy watchers
The NPC is calling on software teams developing COVID-19 contact-tracing apps for LGUs to act as privacy watchers, integrate a privacy-by-design (PbD) approach, and employ a proper consent mechanism in which users can easily withdraw consent at any time.
Recommended measures include incorporating a PbD in software engineering encompassing modeling, method, definition, and analysis; following secure coding and design principles; and conducting essential software testing. Encryption of all network communications between the app and the backend is also a must.
Earlier this year, the DILG issued a memorandum circular directing local chief executives such as governors, mayors, and barangay captains to appoint data protection officers as part of setting data privacy standards in the collection and processing of personal data.
NPC invites online lending operators for a symposium on data privacy compliance and legitimate lending practices
The National Privacy Commission (NPC) invites the non-bank financial institutions (NBFI) sector, including the operators of online lending applications (OLAs), to an online symposium on Data Privacy Act (DPA) compliance and legitimate lending practices under the DPA. The invitation follows the Commission’s order to immediately take down four OLAs (JuanHand, Pesopop, CashJeep, and Lemon Loan) as part of its crackdown on non-compliant and unregistered online lending applications.
The symposium will be held on Sept. 13, 2021, via Microsoft Webinar from 9:00 AM to 3:30 PM. Over a hundred online lending operators are invited to the symposium. Aside from OLAs, the NBFI sector comprises pawnshops, cooperatives, remittance centers, money changers, microfinance associations, savings and loans associations, securities companies, and financing companies.
Privacy Commissioner Raymund Enriquez Liboro said that the symposium’s goal is to encourage those in the NBFI sector to register with the NPC and assist them in their road to data privacy compliance.
“The National Privacy Commission has high hopes that this symposium will go a long way in our goal to build resilience against data privacy risks and threats in the non-bank financing sector. Customers, in their transactions with these institutions, trust that their personal data is in good hands. Failing in data privacy and protection erodes that trust. The NPC is more than willing to provide the NBFI sector with the knowledge that they need to handle properly and protect their stakeholders’ personal data,” Liboro said.
Points of discussion in the symposium include salient provisions of the DPA, current OLA issues, pointers on registration to the NPC, the role of NPC as a regulator to protect data subject rights, and public consultation on the amendments to NPC Circular 20-01, which provides guidelines on the processing of personal information for loan processing.
Interested attendees may refer to the NPC’s Facebook post. For inquiries, email [email protected] with the subject “[INQUIRY] OLA Symposium.” Non-bank financial entities that are not yet registered with the NPC are encouraged to attend.
Google takes down apps on orders of NPC
Following orders from the National Privacy Commission (NPC) to take down JuanHand, Pesopop, CashJeep, and Lemon Loan, the four online lending apps (OLAs) no longer appear and are now unavailable for download from the Google Play Store.
The NPC had furnished copies of the orders to Google LLC to remove the apps from the Google Play Store for posing serious privacy risks to individuals who download them.
Privacy Commissioner Raymund Enriquez Liboro welcomes the National Telecommunications Commission and Google’s action and urges other OLAs to use lawful and reasonable methods when processing data of loan applicants.
“For other OLAs, the NPC strongly urges you to employ know-your-customer (KYC) and debt collection practices that are aligned with NPC Circular No. 20-01, where we laid out guidelines on the processing of personal data for loan-related transactions,” he added.
In four separate orders, the NPC directed Wefund Lending Corp., Joywin Lending Investor Inc., Cash8 Lending Corp., and Populus Lending Corp. – operators of Juan Hand, Lemon Loan, CashJeep, and Pesopop, respectively – to stop the processing of their borrowers’ personal data.
JuanHand, Lemon Loan, CashJeep, and Pesopop’s processing of their borrowers’ information, such as contacts, location, photos, media files, email, and social media data, poses serious privacy concerns that expose borrowers to privacy risks and harms.
The four lending apps had been downloaded a cumulative total of more than 2.1 million times from the Google Play Store.
The NPC has opened a channel with Google’s regional office for the immediate execution of its orders.
Privacy Commission orders immediate takedown of four online lending apps
The National Privacy Commission (NPC) has ordered the immediate takedown of four online lending apps (OLAs), JuanHand, Pesopop, CashJeep, and Lemon Loan to protect the data privacy rights of borrowers.
These apps have been the subject of various complaints of unauthorized use of personal data that resulted in harassment and shaming of borrowers and are currently being investigated for violations of the Data Privacy Act and other NPC issuances.
The NPC said the apps have gained access to a trove of information on the borrowers’ mobile devices, including contacts and social media data, that is excessive and may be weaponized to harass and shame delinquent borrowers before the persons in their devices’ contact lists in order to collect debts.
Privacy Commissioner Raymund Liboro said the orders banning the four apps “are crucial to prevent serious privacy risks and protect and preserve the privacy rights of data subjects.”
“These online lending apps raised many red flags and the companies operating these apps demonstrate problematic data actions that expose borrowers to serious privacy risks and harms,” Commissioner Liboro added.
Companies operating these apps were provided the opportunity to reply to NPC’s findings, but two of the apps did not file position papers, while the other two failed to convince the Commission why it should not impose the ban.
The ban shall remain in effect until lifted by the Commission.
Meanwhile, the NPC continues to investigate the possible criminal liabilities of the OLA operators' directors, officers, and agents.
In four separate orders, the NPC directed Wefund Lending Corporation, Joywin Lending Investor Inc., Cash8 Lending Corporation, and Populus Lending Corporation – operators of Juan Hand, Lemon Loan, CashJeep, and Pesopop, respectively – to halt the processing of their borrowers’ personal data.
The Commission said the apps were engaged in “irrelevant, unnecessary, and excessive” harvesting of personal and sensitive information without borrowers’ free and informed consent.
The NPC has furnished copies of the orders to the National Telecommunications Commission (NTC) to take down the four apps from the internet and to Google LLC to remove them from the Google Play Store.
The Commission issued the orders based on the findings of the NPC’s Complaints and Investigation Division (CID) which examined the apps and found that these violated the principles of transparency, legitimate purpose, and proportionality in the Data Privacy Act of 2012 and the NPC issuance on the Processing of Personal Data for Loan-Related Transactions (NPC Circular No. 20-01).
The four apps have gained access to practically all the data in a borrower’s mobile device, according to NPC’s CID, which simulated the registration process of loan applicants and evaluated source codes.
The apps can process information ranging from a borrower’s sensitive personal data, location, photos, media files, emails, and contact lists to data from social media platforms like Facebook, Instagram, and Google+.
This level of access amounts to the borrower’s complete surrender of all data on his mobile device, together with other information that the lender can collect from third parties, such as employers, utilities, government agencies, remittance companies, and insurance and financial services providers.
JuanHand, in particular, uses personal data in an invasive manner. It can read a borrower’s calendar of events and confidential information, add and modify calendar events, and send emails to contacts without the borrower’s knowledge.
Permanent right of use of data, complaints
In addition, CID’s Fact-Finding Report found that borrowers have unwittingly granted JuanHand a “permanent right” to use the “true, up-to-date, valid and complete information” they have provided so they can avail themselves of a loan.
The CID said it was conducting investigations of OLAs amid numerous complaints against them. Based on Google’s statistics, JuanHand has been downloaded more than 1 million times; Lemon Loan and Pesopop, more than 500,000 times each; and CashJeep, over 100,000 times.
The NPC is currently studying and investigating more than 200 OLAs available for download and will issue orders and other actions according to the investigation results.
This is not the first time that the Commission is cracking down on OLAs.
In October 2019, the Commission issued a ban against 26 OLAs for failing to appear before it and answer allegations, such as the use of personal data to shame delinquent borrowers.
Through NPC's coordination with the NTC and Google LLC, the 26 OLAs were taken down, and the apps are no longer publicly available for download, installation, or use.
Recently, the Commission has opened a channel with Google’s Regional Office for the immediate execution of its orders.
Online sellers told to protect customers’ personal data from unauthorized disclosure and improper disposal
The National Privacy Commission (NPC) is warning all online merchants or sellers against the unauthorized disclosure or processing and the improper disposal of their customers’ personal data, which are prohibited acts under the Data Privacy Act of 2012 (DPA).
Instances of alleged bogus online sellers in Cebu have been brought to the attention of the Commission. These online sellers allegedly sent items to individuals who did not purchase them. These sellers may have acquired the individuals’ personal data through misuse, malicious disclosure, or improper disposal of information.
Privacy Commissioner Raymund Enriquez Liboro is calling on all online sellers to recognize and uphold the data privacy rights of their customers.
Online stores are required to employ reasonable and appropriate organizational, physical, and technical security measures, just as physical stores are mandated to do. Section 25 of the Implementing Rules and Regulations of the DPA states that security measures must be intended to protect personal data against “accidental or unlawful destruction, alteration, and disclosure, as well as against any other unlawful processing.”
“We call on owners and operators of online stores to adopt best data privacy practices and to always observe compliance with the Data Privacy Act. The lack of security and privacy practices compromises your customers’ personal data, which can only lead to your loss. Consumer trust, your income, and your reputation will suffer when unauthorized disclosure of personal data happens,” Liboro said.
Online sellers are strongly advised to collect only the personal data that is necessary to the transaction; to be transparent by providing a privacy notice on their respective websites; to use customers’ personal data only for the declared purpose; to keep the data for a limited time; and to dispose of such data securely, in a way that prevents further processing and unauthorized access or disclosure.
Tips for online shoppers
The Commission is likewise urging online shoppers to do their part in protecting their personal data. In September last year, the Commission shared an online shopping safety video under the PSST (Privacy, Safety, Security, and Trust) campaign to educate buyers on how to have a safe and secure online shopping experience.
Online shoppers are urged to “check them out before you check out” and read the online shopping website or app’s privacy notice before transacting. Remember that a seller needs explicit consent before it can use personal data for secondary purposes (e.g., marketing, surveys), and avoid sharing more personal data than is needed to complete the online purchase. Using a unique username and a strong password for each online shopping account is also a must.
The Commission is also encouraging the general public to purchase only from legitimate, trustworthy, and secure online shopping websites. These secure websites have URLs that begin with HTTPS and have the padlock sign or image. In addition, online shoppers are reminded to check the website for security certificates based on international standards.
For more information, watch the PSST online shopping safety video here.
NPC pushes adoption of international data protection standards on security techniques
The National Privacy Commission (NPC) is pushing for the adoption of international data protection standards on security techniques among organizations. These techniques cover privacy framework, implementation of data protection controls, management of identity information, and guidelines for privacy impact assessment.
NPC’s Data Security and Compliance Office issued advisories on the adoption of a set of international standards (ISO/IEC 29100, ISO/IEC 29151, ISO/IEC 24760, and ISO/IEC 29134) that apply to all types and sizes of organizations or entities acting as personal information controllers (PICs) and personal information processors (PIPs), including public and private companies, government, and non-profit organizations.
These international standards are approved for adoption as Philippine National Standards (PNS) by the Bureau of Philippine Standards (BPS), upon the recommendation of the Subcommittee on Information Security, Cybersecurity and Privacy Protection (SC 1) and the Technical Committee on Information Technology (BPS/TC 60). BPS/TC 60 is in charge of the review and adoption of relevant international standards in the Philippines; the NPC is a participating member tasked with identifying and reviewing standards for data protection.
Deputy Privacy Commissioner and OIC-Director for the Data Security and Compliance Office, Atty. John Henry D. Naga, said that adopting international standards advances an organization’s data protection efforts. The PNS ISO/IEC 29100 standard on privacy framework, for example, can be applied by PICs and PIPs in their risk management process, privacy policies, privacy controls, and privacy principles, and in designing, implementing, and operating information and communication technology projects.
“Managing and processing personal data is a run-of-the-mill task for most organizations both in public and private sectors. Part of the National Privacy Commission’s function is to issue recommendations for security measures to fortify personal data protection, including the most appropriate standard recognized by the global information and communications technology industry,” Naga said.
Proper management of identity information is crucial in protecting privacy. Identity is often a requirement for authorization and authentication purposes. PICs and PIPs may refer to the PNS ISO/IEC 24760-series of standards framework to properly manage the identity information of individuals, organizations, or information technology components that operate on behalf of individuals or organizations.
PNS ISO/IEC 29134 covers the conduct of privacy impact assessments (PIA) and the structure and content of a PIA report. This standard will align organizations with international best practices in conducting a PIA. It served as the basis for the NPC Advisory 17-03 (Guidelines of PIA).
When conducting a PIA, organizations can identify potential privacy issues and risks on their processes, systems, or programs. This step in privacy protection steers organizations away from costly and damaging privacy mistakes and possible legal consequences. A PIA also demonstrates the organization’s respect for data privacy rights and helps them earn data subjects’ trust.
PNS ISO/IEC 29151 will help PICs and PIPs enhance the security controls they use to protect personal data. It guides how best to mitigate the privacy risks identified in a PIA by enforcing information security policies.
PICs and PIPs adopting the international standards on security techniques should implement these on top of their compliance with the Data Privacy Act of 2012, the law’s implementing rules and regulations, and other issuances of the NPC. Access the links below for more information on the advisories:
- Advisory On the Adoption Of International Data Protection Standard No. 2021-001 ISO/IEC 29100 – Information technology – Security techniques – Privacy framework
- Advisory on the Adoption Of International Data Protection Standard No. 2021-002 ISO/IEC 29151 – Information technology – Security techniques – Code of practice for personally identifiable information protection
- Advisory on the Adoption of International Data Protection Standard No. 2021-003 ISO/IEC 24760 – Information technology – Security techniques – A framework for identity management
- Advisory on the Adoption of International Data Protection Standard No. 2021-004 ISO/IEC 29134 – Information technology – Security techniques – Guidelines for privacy impact assessment
NPC emphasizes privacy protection in anti-fraud data sharing initiatives of the financial industry
Anti-fraud data sharing initiatives of the financial services industry must eliminate potential risks to the personal data of data subjects. Advisory Opinion No. 2021-026, issued by the National Privacy Commission (NPC), guides personal information controllers in protecting the privacy of shared databases through strict adherence to the basic data privacy principles of transparency, legitimate purpose, and proportionality, and through the conduct of privacy impact assessments (PIA).
The advisory opinion was issued in response to the financial services industry’s cybersecurity initiatives, which aim to thwart fraud incidents and uphold customers’ confidence in digital payment systems. The industry’s shift to digital financial and payment services due to the COVID-19 pandemic brought about cyber attacks and fraudulent schemes against financial institutions and their clients.
The NPC recognizes that a shared database for know-your-customer, enhanced due diligence, and anti-money laundering monitoring purposes may boost the integrity and security of the financial system but may have significant legal effects on the rights and freedoms of data subjects included in the database.
To ensure privacy protection in shared databases, the personal data it contains “must be accurate, relevant, and kept up-to-date. Inaccurate or incomplete data must be rectified, supplemented, destroyed, or their further processing restricted,” the advisory opinion read. In further upholding the rights of data subjects, mechanisms must be provided for the free exercise of these rights.
The full text of the advisory opinion is available on the NPC website.
Privacy Commission issues cease-and-desist order to online political survey platform
Beware of a website that requires voters to give their full name, complete address, and mobile phone number so they can take part in a survey supposedly aimed at gauging the public pulse in the runup to the 2022 national elections.
The National Privacy Commission (NPC) has issued a cease-and-desist order (CDO) to the website Pilipinas2022.ph for multiple violations of the Data Privacy Act.
In addition, the NPC has enjoined the National Telecommunications Commission to take down the website.
The NPC issued the order after the Complaints and Investigation Division (CID) scrutinized on its own accord Pilipinas2022.ph amid concerns that the website’s continued operations would expose to harm voters who were enticed to participate in the survey.
Privacy Commissioner Raymund E. Liboro, and Deputy Privacy Commissioners John Henry D. Naga and Leandro Angelo Y. Aguirre signed the order based on the CID findings that:
- PiliPinas2022.ph does not meet the lawful criteria for processing of personal information and has failed to comply with the general data privacy principles of transparency, legitimate purpose, and proportionality. Its processing of the collected personal information is not being done fairly and lawfully.
- Processing by the website of personal information is detrimental to national security or public interest as it masquerades as an online political survey platform but does not specify its purpose in collecting the data. Neither does it provide a clear and complete privacy notice sufficient to solicit an informed consent, nor disclose its identity as a personal information controller.
Not only are data subjects misinformed about the true purpose and further processing of their personal information, but they are also left in the dark as to who will be held accountable in case their personal information is used for unlawful purposes.
- The website’s continued operation is a palpable risk that can cause grave and irreparable injury to affected data subjects.
Deputy Privacy Commissioner Naga, who penned the order, said the NPC would not tolerate the act of misinforming data subjects, especially voters, on how and why their personal information was being collected.
“We also call on voters to be more vigilant and cautious in joining initiatives or campaigns that collect their personal data with questionable intentions,” Naga added.
The NPC directed PiliPinas2022.ph to file a comment within 10 days from receipt of the order, and to stop processing personal data on its database until the Commission issues a decision on the submission of the comment.
The NPC sent the CDO to the email address of PiliPinas2022.ph whose owners and operators have remained unidentified.
The Commission on Elections (Comelec) earlier said that PiliPinas2022.ph was not affiliated with the election body. The Comelec reminded the public to think twice before clicking “online survey” websites created and managed by unknown entities as these may pose security risks.
-- END --
NPC’s new initiative on ASEAN cross-border tools to boost PH digital competitiveness
The National Privacy Commission (NPC) has issued its first guidance on the adoption of tools that harmonize data management and cross-border transfer standards across the Association of Southeast Asian Nations (ASEAN), a move that will help Philippine businesses unlock more gains in the fast-expanding digital economy across the ASEAN.
These tools, namely the Model Contract Clauses (MCCs) and the Data Management Framework (DMF), “are vital… for ASEAN businesses to use in their data-related business operations and help build trust, transparency, and accountability,” according to NPC Advisory No. 2021-02 dated June 28, 2021.
The MCCs are voluntary standards that businesses in the economic block can adopt in legally binding contracts to ensure the protection of customer data when transferred across different jurisdictions.
However, given the different levels of development among ASEAN member states, companies are allowed to modify the MCCs in a way that contradicts neither the clauses themselves nor domestic laws on privacy and data protection.
Meanwhile, the DMF is voluntary and non-binding guidance for ASEAN businesses to establish a data management system and governance structure that appropriately safeguards different kinds of data.
The DMF identifies six areas that need robust measures to ensure the confidentiality, integrity and availability of data throughout its lifecycle.
These areas are on:
- a) Governance and oversight
- b) Policies and procedural documents
- c) Data inventory
- d) Impact / Risk assessment
- e) Controls
- f) Monitoring and continuous improvement
Privacy Commissioner Raymund E. Liboro encouraged local businesses to explore these new tools and usher in the burgeoning ASEAN internet economy.
The ASEAN digital economy is estimated to have reached $72 billion in gross merchandise value in 2018. This was powered by a fast-growing internet user base across online travel, e-Commerce, online media, and ride hailing.
“Given the great shift to digitalization during this pandemic, the region can surely exceed the $240 billion it is projected to attain by 2025. But as early as now, we must ensure that the Philippines will have a slice of that growth,” Liboro said, noting that adopting the MCCs and DMF, which also support businesses’ compliance with the Data Privacy Act of 2012, can help realize this.
“With its focus on trust, transparency, and accountability, the MCCs and DMF will elevate Philippine companies’ competitiveness and readiness to capture new markets. Because what companies do to safeguard their customers’ data from hacks, unauthorized access and other emerging threats is what is defining competitiveness today,” Liboro said.
He added that the NPC will soon be launching more efforts to build the capacity of companies, especially micro, small, and medium enterprises, which were hardest hit by the pandemic, to conform with these new ASEAN tools for more inclusive growth.
Approved in January 2021 at the 1st ASEAN Digital Ministers’ Meeting, the MCCs and DMF are initiatives built on the principles of the ASEAN Framework on Personal Data Protection which aims to promote the growth of trade and flow of information in the ASEAN internet economy.
A Stronger Data Privacy Law Sought in Proposed AmendmentsComments Off on A Stronger Data Privacy Law Sought in Proposed Amendments
Amendments to Republic Act No. 10173, known as the Data Privacy Act of 2012 (DPA), are sought
to strengthen the current law amid the digital transformation in the Philippines.
During the 55th Asia Pacific Privacy Authorities (APPA) Forum, Privacy Commissioner
Raymund Enriquez Liboro said that the House of Representatives – Committee on Information
and Communications Technology, has approved the substitute bill to amend the DPA last
February 4, 2021.
Efforts to amend the DPA began in the last quarter of 2019. The substitute bill grants additional
powers to the National Privacy Commission (NPC). It gives the authority to issue summons,
subpoenas, contempt powers, and to impose administrative penalties.
“In the last five years, the National Privacy Commission has laid down data privacy in the
Philippines with a clear roadmap. In our drive to become a data privacy resilient country, we
have adopted a responsive regulatory approach characterized by raising awareness, strict
compliance, and enforcing the law. To do this, we find a need to amend the current DPA to keep
up with the changing times,” Commissioner Liboro said in his speech at the APPA 55, which was
held virtually last June 16-18 and hosted by the Personal Information Protection Commission of
Other provisions of the substitute bill:
- Redefining “sensitive personal information” to include biometric and genetic data, and political affiliation, considering the innate sensitivity of these classes of personal data.
- Clarifying the extraterritorial application of the DPA by specifying the instances in which processing of the personal data of Philippine citizens and/or residents is covered (i.e., offering goods or services to, or monitoring the behavior of, persons within the Philippines, or when the entity has a link with the country). This ensures the end-to-end protection of data subjects’ information to which they are entitled under the DPA.
- Defining the digital age of consent to process personal information as more than fifteen (15) years, applicable where information society services are provided and offered directly to a child (as children more than 15 years old under Philippine laws may already act with
- Including performance of a contract as a new criterion of the lawful basis for processing of sensitive personal information.
- Allowing Personal Information Controllers (PICs) outside of the Philippines to authorize Personal Information Processors (PIPs) in the country to report data breaches to the Commission on behalf of the controller.
- Modifying criminal penalties under the DPA, giving the proper courts the option to impose either imprisonment or a fine upon their sound judgment.

5th Floor Delegation Building, Philippine International Convention Center (PICC) Complex, Pasay City 1307
URL: http://privacy.gov.ph Email Add: [email protected]
Shifting gears in new normal
Aside from the proposed amendments to the DPA, the NPC is set to introduce administrative fines to strengthen data privacy accountability and build data privacy resilience among PICs and
The NPC presented in the Forum the Digital Identity, e-Commerce, and e-Governance in the Philippines and ASEAN, highlighting the Commission’s efforts in assisting the development of the law and its IRR to ensure the people’s right to privacy.
The NPC also presented its efforts to curb harmful handling of citizens’ personal data, such as the Commission’s issuances and guidance to the public as part of the COVID-19 response and Kabataang Digital, the NPC’s advocacy campaign promoting a safe online environment for the youth. Also discussed were the guidelines expressly prohibiting the harvesting of borrowers’ contact lists for debt collection through harassment; guidelines promoting the use of videoconferencing technology or e-hearings to hear cases; and the amended Rules of Procedure to streamline the Commission’s complaints process.
“The NPC, despite the pandemic, has shifted gears and embraced the new normal of resolving data privacy complaints. We commenced Project Decongestion 2.0, refining our strategy in handling our case dockets clogged with thousands of individual complaints,” Commissioner
Delegations from the following jurisdictions joined APPA 55: the NPC; Office of the Australian Information Commissioner; Office of the Information and Privacy Commissioner, British Columbia; Office of the Privacy Commissioner of Canada; Privacy Commissioner for Personal Data, Hong Kong, China; Personal Information Protection Commission, Japan; Personal Information Protection Commission, Republic of Korea; Korea Internet & Security Agency; Office for Personal Data Protection, Macao SAR, China; National Institute for Transparency, Access to Information and Personal Data Protection, Mexico; Office of the Privacy Commissioner, New Zealand; National Authority for Personal Data Protection of Peru; Office of the Information Commissioner, Queensland; Personal Data Protection Commissioner, Singapore; Federal Trade Commission, United States; and Office of the Victorian Information Commissioner.
APPA is acknowledged as the principal forum for privacy and data protection authorities in the Asia Pacific region. Topics at APPA 55 included data protection measures as part of the response to COVID-19, privacy issues encountered in the new normal, updates on global privacy developments, and children’s privacy.
National Privacy Commission urges developers of Instant Messaging Apps to limit the grant of application permissions for users
During this time that we are endeavoring to survive and recover from the COVID-19 pandemic, Instant Messaging (IM) applications play an important role in our daily lives as we adapt to the restrictions limiting physical interactions. As a result, the concerns of the citizenry about how private and secure these apps are emanate from their fear that their data privacy rights might be violated due to the permissions required by IM applications.
These IM applications often seek permissions to access features in a user’s device, such as contacts, microphone, location, camera, photos, and files. Though they ask the user for permission to access certain features of the device, a denial would prevent the user from effectively using the application.
The National Privacy Commission (NPC) believes that limiting access to the full features of IM apps because a user declined to grant app permissions may be unnecessary. Thus, the NPC is encouraging these IM developers and their companies to revisit their policies and give users who decline to grant app permissions because of data privacy concerns full access to the apps’ features.
The Data Security and Technology Standards Division of the NPC hereby recommends these guidelines for developers of IMs to respect the users’ privacy by allowing them to opt-out of device permissions that can track, store, and access their data. We also aim to impart tips on good data privacy practices for users of IMs through these guidelines.
IM app developers must not treat privacy as an afterthought. Below are the privacy by design practices that must serve as their starting point in application development:
1. Request minimum permissions.
Look for alternatives that will help limit the number of permissions you seek. Specific permissions that users often deny should influence subsequent updates to the IM app.
2. Ask for access only at appropriate times.
Tweak the user interface so that it provides an explanation. While some in-app features are necessary to operate the app, some are only needed to improve the user experience. For example, at meetups, users turn on location sharing in their IM apps to know each other’s proximity or location. Never force users to allow access to optional features, or let them do so accidentally.
3. Plan for users to select deny.
Whenever possible, minimize how long the app is permitted to access a device’s features. The user can allow a permission through the following options:
- While using the app.
The IM app will have access to the specific permission only while the app is active or in use.
- Only this time.
The IM app will have access once, at the time the permission was granted, after which access will automatically be revoked.
If the requested permission is denied:
- Do not lock out users from using your app.
Whenever possible, users must still be allowed to use the app even if they choose the “deny” option. For example, denying microphone permission should still let users browse messages and chat through the app.
- Expect permanent deny.
Do not push users to go to their device’s Settings page. Ask for permission and allow the request to be dismissed within the app.
4. Access sensitive permissions only when the user expects it.
Instant messaging apps must show visual indicators that the app is currently accessing sensitive permissions such as the camera and microphone.
5. Pay attention to libraries.
Regularly review the current data, especially sensitive data, accessed by external parties through components such as Application Programming Interfaces (APIs) and libraries.
6. Practice privacy engineering.
Privacy engineering integrates the data privacy principles of transparency, legitimate purpose, and proportionality into the software development life cycle. This helps the software achieve privacy by design and privacy by default.
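As an added illustration of practices 2 through 4 above (this is example code written for this page, not code from the NPC or from any IM app), the following Android screen asks for the microphone permission only when the user taps the record button, keeps text chat usable after a denial, handles a permanent denial inside the app without sending the user to the Settings page, and shows an indicator for as long as the microphone is in use. The layout and view ids (R.layout.activity_chat, R.id.record_button, R.id.recording_indicator) are placeholders, the file is assumed to sit in the app’s own package, and the androidx appcompat/activity libraries and Material Snackbar are assumed to be dependencies.

```kotlin
// Added example (not NPC's or any IM app's code): microphone permission handled as the
// guidelines above describe, in a hypothetical Android chat screen.
// Assumptions: androidx.appcompat, androidx.activity and Material are dependencies;
// R.layout.activity_chat, R.id.record_button and R.id.recording_indicator are placeholders.
import android.Manifest
import android.content.pm.PackageManager
import android.media.MediaRecorder
import android.os.Bundle
import android.view.View
import android.widget.Button
import android.widget.TextView
import androidx.activity.result.contract.ActivityResultContracts
import androidx.appcompat.app.AppCompatActivity
import androidx.core.content.ContextCompat
import com.google.android.material.snackbar.Snackbar
import java.io.File

class ChatActivity : AppCompatActivity() {

    private lateinit var recordButton: Button
    private lateinit var recordingIndicator: TextView
    private var recorder: MediaRecorder? = null

    // The system permission dialog is driven through the result contract. Both outcomes are
    // handled inside the app; a "Don't ask again" denial simply arrives here as granted == false.
    private val requestMic = registerForActivityResult(
        ActivityResultContracts.RequestPermission()
    ) { granted -> if (granted) startVoiceMessage() else handleMicDenied() }

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        setContentView(R.layout.activity_chat)
        recordButton = findViewById(R.id.record_button)
        recordingIndicator = findViewById(R.id.recording_indicator)
        recordingIndicator.visibility = View.GONE
        // Practices 1 and 2: nothing is requested at launch. Text messaging works immediately,
        // and the microphone is asked for only at the moment the user taps "Record".
        recordButton.setOnClickListener {
            if (recorder == null) onRecordTapped() else stopVoiceMessage()
        }
    }

    private fun onRecordTapped() {
        val mic = Manifest.permission.RECORD_AUDIO
        when {
            ContextCompat.checkSelfPermission(this, mic) == PackageManager.PERMISSION_GRANTED ->
                startVoiceMessage()
            // Denied once already: explain in context, and let the explanation be dismissed,
            // rather than surprising the user with a second system dialog.
            shouldShowRequestPermissionRationale(mic) ->
                Snackbar.make(recordButton,
                    "Microphone access is used only while you record a voice message.",
                    Snackbar.LENGTH_LONG)
                    .setAction("Allow") { requestMic.launch(mic) }
                    .show()
            else -> requestMic.launch(mic)
        }
    }

    // Practice 3, "do not lock out users" and "expect permanent deny": a denial leaves the chat
    // fully usable, the notice can be dismissed, and the user is never pushed to Settings.
    private fun handleMicDenied() {
        Snackbar.make(recordButton,
            "Voice messages are off. You can still read and send text messages.",
            Snackbar.LENGTH_LONG)
            .setAction("OK") { }
            .show()
    }

    // Practice 4: a visible indicator for as long as the sensitive permission is in use.
    private fun startVoiceMessage() {
        val output = File(cacheDir, "voice_message.m4a")
        recorder = MediaRecorder().apply {
            setAudioSource(MediaRecorder.AudioSource.MIC)
            setOutputFormat(MediaRecorder.OutputFormat.MPEG_4)
            setAudioEncoder(MediaRecorder.AudioEncoder.AAC)
            setOutputFile(output.absolutePath)
            prepare()
            start()
        }
        recordingIndicator.text = "Recording voice message..."
        recordingIndicator.visibility = View.VISIBLE
        recordButton.text = "Stop"
    }

    // The microphone is released as soon as recording ends, or when the screen leaves the
    // foreground, so access never outlasts the feature that needed it ("while using the app").
    private fun stopVoiceMessage() {
        recorder?.let { r ->
            runCatching { r.stop() } // stop() throws if no audio was captured yet
            r.release()
        }
        recorder = null
        recordingIndicator.visibility = View.GONE
        recordButton.text = "Record"
    }

    override fun onStop() {
        super.onStop()
        stopVoiceMessage()
    }
}
```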
Less is more
The responsibility of protecting data privacy rights of IM users does not fall solely on the developers. Aside from embedding privacy by design in these applications, users can secure the app by applying restrictions.
“Simple configurations to the instant messaging app such as setting off your active status, sync contacts, who can see your birth date, and location help maintain your privacy. Applying a passcode or fingerprint lock as well as two-step verification are examples of adding another layer of security to the app you are using,” Privacy Commissioner Raymund Enriquez Liboro recommended.
Users are also advised to examine and tweak the privacy and security settings of their IMs, to be vigilant when conversing with strangers, and to practice caution when joining group chats. Members of a group chat will gain access to your phone number once you have joined. However, some IMs allow users to prohibit anyone from viewing their phone number.
“Do not click links and files sent via IM apps from unknown senders or if you are not expecting to receive them. These links and files may be attempts to phish information from you, or they may carry malware that can infect your device,” Privacy Commissioner Liboro warned.
Less is more when it comes to the privacy of IMs. Before granting access, users must carefully review the app permissions a particular IM is requesting.
Thus, prudence dictates granting only the app permissions needed to use the app. Do not allow permissions for features that are not being used. Furthermore, developers of operating systems should also provide options where access to an app permission is granted instantly and automatically revoked after such use.
For the full report, you may access it here: Report Link
NPC to collaborate with CICC to strengthen its Digital Forensic Laboratory
PASAY CITY --- On June 23, 2021, the National Privacy Commission (NPC) signed a Memorandum of Agreement (MOA) with the Cybercrime Investigation and Coordinating Center (CICC). This collaboration aims to further enhance the capacity of NPC’s personnel in the conduct of digital investigation and forensics. This is in recognition of the significant synergies and complementarity on the respective duties and functions of both agencies in the protection of data privacy and cybersecurity.
Under the MOA, the CICC will provide capacity building to NPC personnel in the operation of its Digital Forensic Laboratory. Furthermore, they will provide the NPC resource persons, training programs, modules, and materials for the following topics:
- Techniques, methodology, applications, and best practices in digital investigations and forensics;
- Admissibility, chain of custody and preservation of digital evidence; and
- Operation, maintenance, and full utilization of the digital forensic
“The Memorandum of Agreement is a manifestation of the NPC and CICC’s common interest and obligation to protect stakeholders’ right to data privacy and cybersecurity. With professional and ethical competence and integrity as our touchstones, both agencies will utilize and maximize the resources of the government for the utmost benefit of the people we serve,” Privacy Commissioner Raymund Enriquez Liboro said.
In return, the NPC will conduct data privacy briefings, seminars, and workshops such as the DPO ACE Program for CICC personnel. In furtherance of the cooperation between the two agencies, the NPC and CICC may conduct joint data security and privacy investigations.
In this undertaking between the NPC and CICC, any data received by one from the other shall be treated as confidential information, which may not be disclosed to any person without written authority from the other party.
Similarly, both NPC and CICC shall observe and comply with the provisions of the Data Privacy Act of 2012, its Implementing Rules and Regulations (IRR), and other applicable rules and issuances of the NPC on matters concerning privacy and data protection, as well as the provisions of the Cybercrime Prevention Act of 2012, its IRR, and other applicable rules and issuances of CICC on matters concerning cybersecurity and cybercrime prevention.
NPC highlights data controllers’ prominent role in digital growth, economic recovery
Privacy Commissioner Raymund E. Liboro called on businesses and organizations to step up efforts in adopting personal data protection principles and strategies, citing the economic and global opportunities that await those who commit to safeguarding their customers’ privacy to the highest standards.
“An incentive for your companies is recognition for excellence for achieving a higher level of accountability,” Liboro said in his speech on the first day of a Privacy Awareness Week (PAW) conference, touting firm-level accountability as a business “differentiator” amid cutthroat competition in the digital economy.
Liboro described firm-level accountability as taking “primary responsibility” for protecting their data subjects, going beyond legal compliance to promote a culture of privacy that embraces a “do no harm” culture and acknowledges the “duty of care” towards its customers and users.
Earning trust seals
The Privacy Commissioner encouraged all personal information controllers (PICs) to invest in earning certifications and seals which the NPC will soon be issuing as part of its push to help companies build a better reputation for their brands.
Among them is the Privacy Mark, a voluntary certification scheme that will validate a company’s compliance with the latest international standard for privacy and protection.
Meanwhile, the certification of compliance with the APEC Cross Border Privacy Rules will provide PICs a pathway to global markets, an opportunity made more accessible even to small business players as digitalization has heightened cross-border trade.
“We want our companies to capitalize on this momentum by expanding their data-driven services to cross-border transactions. Thus, NPC is partnering with bilateral, regional, and international organizations for Global Data Transfer Mechanisms to ensure the free and secure flow of data from and into the Philippines,” Liboro added.
Liboro also noted that compliance mitigates risks of costly sanctions for violating the Data Privacy Act (DPA), especially with the NPC’s nearing completion of a proposed circular on administrative fines against erring PICs which will add to existing criminal penalties.
“We will continue to incentivize accountability in the years to come and disincentivize those who refuse to be accountable and put citizens at risk of privacy harms. We will do this to differentiate responsible organizations from those who willfully violate the law to target our limited enforcement resources where it is most needed and effective,” Liboro added.
Support from gov’t leaders
In his message of support to the NPC at the opening of PAW’s conference, President Rodrigo Duterte said that the celebration will supplement the efforts “in protecting our people’s privacy rights and enable us to raise public awareness on current data practices and developments as we strive to overcome the challenges brought about by the pandemic.”
“I laud the National Privacy Commission for its steadfast commitment in safeguarding our people’s privacy rights through the implementation of data protection measures and strict enforcement of our privacy laws,” President Duterte said.
Secretary Gregorio Honasan II of the Department of Information and Communications Technology said that “data is a game changer in the digital world,” making it everyone’s responsibility, especially data controllers, to protect it from predators.
“It is our duty to not only advance data protection and cybersecurity in the country but also to futureproof our plans, programs, and initiatives, so that people will safely benefit from the advantages of the digital world and data-driven governance,” Honasan said.
A panel session on upholding data privacy rights in the pandemic response during the conference highlighted the importance of digital solutions being mindful of the data privacy rights of citizens while taking into consideration vulnerable sectors.
Pasig City, for example, modeled its contact tracing app on the provisions of the data privacy law. Mayor Vico Sotto said the technology of the city’s contact tracing app is also accessible to citizens with or without smartphones.
“We need all our systems and technologies, if we really want them to be used at a wider scale, to be inclusive, safe, secure, compliant to the Data Privacy Act, and to limit who gets access to the data. The Pasig City Government complies with all data privacy requirements and recognizes that privacy is a fundamental right,” Sotto said during the panel session.
Undersecretary Jonathan Malaya of the Department of the Interior and Local Government echoed the importance of utilizing digital solutions that reach vulnerable and technologically challenged groups. In this, Malaya stressed that the government and business establishments, as data controllers, must “adjust for contact tracing to be successful.”
Role of Private Entities
PAW 2021’s focus on the ever-evolving digital landscape cultivated more ideas on valuing personal information and discussed potential risks to cybersecurity.
The 2-day awareness conference tackled different topics covering e-commerce, telecommunications, online learning, and expertise on data privacy itself. It highlighted the responsibility of the private sector in complying with the DPA and its role in preserving the rights of its data users.
Mr. Mark Frogoso, Chief Information Security Officer of GCash emphasized that “Compliance really is your license to do business, and so, complying to the Data Privacy Act is a key enabler for continuous Business Operations.”
The value of transparency, collaboration, and trust conveyed the overall message of NPC’s partners in practicing protective privacy across industries.
“We believe that if our consumers and subscribers feel and believe that their information and privacy rights are protected by our company, then that will engender the public’s trust. Achieving minimum compliance with data protection regulations should not be the be-all and end-all objective,” Atty. Adel Tamayo of DITO Community said.
For the first time since the establishment of the NPC, it has produced the PAW Awards - a recognition for outstanding privacy practices throughout different sectors.
To close the celebration, data privacy leaders and advocates who have greatly contributed to the foundations of data privacy in the country were awarded by Commissioner Liboro himself.
Individuals and institutions joined the nominations through data privacy initiatives and showed compliance with the DPA. Winners include San Miguel Corporation for the private sector and the Department of Health for the public sector.
The 4th Privacy Awareness Week, themed “Valuing Privacy in the Time of Digital Transformation: Protecting Filipinos. Promoting Economic Recovery. Building Trust,” aims to emphasize the role of data privacy and protection to harness opportunities in the fast-growing digital economy and to help the country build back stronger and inclusively.
The PAW is an annual national celebration, led by the NPC, to promote data privacy as a tool for overall national development.
-- END --
NPC’s ACE training to help gov’t officials develop data privacy codes of conduct
The National Privacy Commission (NPC) is set to hold a Data Protection Officer Accountability, Compliance, and Ethics Certification Program (DPO ACE) on May 26, 2021 to bolster government officials’ capacity in developing data privacy codes of conduct.
The DPO ACE is one of the annual activities being conducted during Privacy Awareness Week (PAW), which is critical at present as recent reports of an alleged data leak of gov.ph websites reached the NPC. Nearly 2,000 passwords of gov.ph websites were allegedly exposed on an online forum, the NPC’s Complaints and Investigation Team disclosed.
The full day activity will be held virtually. Around 180 data protection officers (DPOs) and managers from national government agencies, local government units, and government owned and controlled corporations are expected to attend, including representatives from the Bureau of Internal Revenue, Department of Health, National Telecommunications Commission, Research Institute for Tropical Medicine, Department of Education, and Department of the Interior and Local Government, among several others.
Privacy Commissioner Raymund Enriquez Liboro said that Filipinos need to be assured that the personal data they entrust to the government is handled securely, ethically, and responsibly. The ultimate goal of DPO ACE is to equip government agencies with knowledge on how to formulate and implement policies that are aligned with the Data Privacy Act.
“There is a serious need to put up stronger walls against data security breaches in the government setting where a great deal of collection and processing of citizens’ personal data happens. DPO ACE intends to help DPOs and their organizations to have a more circumspect approach to data protection strategy and implementation,” Liboro said.
Subsequently, the NPC will virtually hold the 4th National Data Privacy Conference on May 27-28, 2021 in celebration of the PAW 2021. This year’s PAW is themed “Valuing Privacy in the Time of Digital Transformation” and will revolve around how we can continue to protect the data privacy of Filipinos, promote economic recovery, and build trust among the government, private institutions, and the citizens, all while we are dealing with the COVID-19 pandemic.
For more information on PAW 2021, visit paw2021.privacy.gov.ph or email [email protected]
NPC is set to impose administrative fines
The National Privacy Commission (NPC) is set to impose administrative fines on data privacy violations of personal information controllers or processors from the private sector. A separate initiative for government agencies is also underway with the NPC holding consultations with the Civil Service Commission.
The NPC presented the draft circular on the guidelines on administrative fines to concerned organizations and stakeholders in an online public consultation on April 30, 2021. The Commission made it clear that the proposed fines are separate from the criminal penalties and fines provided under the Data Privacy Act (DPA) and its implementing rules and regulations.
Together with the University of the Philippines (UP) Law Center and an expert from the UP School of Economics, the NPC studied and adopted an economic analysis of law to come up with an apt range of fines that provides the proper deterrent effect to companies while also ensuring the free flow of information to promote innovation and growth. Depending on the infraction committed, the draft circular proposes fines ranging from 0.5% to 5% of the annual gross income of the personal information controller or processor handling the personal data.
Factors affecting fines
Factors that influence the determination of the fines include the gravity of infraction, the number of data subjects affected, failure to notify the Commission and affected data subjects of personal data breaches, and the intentional or negligent character of the offense, among others.
“The proposed circular considers the proportionality of the fine meted, its dissuasive effects, the costs of precaution, and other social, regulatory, and economic impacts that its adoption may create to all personal information controllers and processors,” Privacy Commissioner Raymund E. Liboro told attendees of the public consultation.
As a matter of due process, the personal information controller or processor has the right to present evidence on whether the fine should be imposed or, in case a fine will be imposed, whether it should be lowered because of certain circumstances.
Deputy Privacy Commissioner Leandro Angelo Y. Aguirre said that the fines are not intended to be an added financial cost to companies. “The fines are incentives for companies to protect all of us. Because if we are all protecting the information we process, that benefits both the companies and data subjects. It serves to incentivize the implementation of appropriate measures while disincentivizing the misuse of data,” Aguirre added.
The draft circular introduces to the NPC a new range of enforcement tools to ensure accountability from all organizations, businesses, and individuals when processing personal information. Liboro said that the administrative circular adapts to the Philippines’ growing economy and reinforces our national ambition of building a high trust, resilient, and knowledge-based society.
“The National Privacy Commission hopes that this administrative circular will further enhance the culture of data privacy accountability in the Philippines, incentivize compliance for the DPA, build maximum data privacy resilience by encouraging full accountability, compliance, and ethics from our data users,” Liboro said.
The draft circular is available on the NPC website. An online public hearing will be held soon reflecting stakeholders’ recommendations and comments.
PALACE APPOINTS FORMER DICT ASSISTANT SECRETARY AS NPC EXECUTIVE DIRECTOR
Malacañang has appointed former Department of Information and Communications Technology (DICT) Assistant Secretary Atty. Ivin Ronald D.M. Alzona as the new Executive Director (ED) of the National Privacy Commission (NPC), effective April 2021.
In the oath-taking ceremony on April 8, Privacy Commissioner Raymund Liboro welcomed Alzona and his team in confidence to what he described as a transitioning, advancing and innovating agency. “You came at a very opportune time; you came at the time that the NPC is in its prime development stage,” Liboro said.
From handling management and operations of the DICT since 2018, Alzona takes on a new challenge in managing the continuing digital transformation in data privacy regulatory practice. As former DICT Assistant Secretary he plans to incorporate some practices from his former agency in future-proofing data privacy policies and standards given the ever-evolving ways of technology. According to Alzona, he aims to “advocate for the convergence of policy and technology through the formulation of a data policy framework that recognizes enabling and convergent ICT technologies such as AI, Big Data, Blockchain and Internet of Things (IOT), ensuring that NPC’s responsive regulatory framework remains inclusive and dynamic.”
He also plans to “promote best practices in data protection amongst personal information controllers (PICs) and encourage them to heavily invest in their privacy programs as data breaches could prove even more costly or catastrophic in the long run.”
His experience as part of DICT’s top management will be a valuable contribution to the fairly young agency. He strongly believes in consensus-building in an organization explaining that “consensus-building not only builds trust; it also ensures efficiency, stability and synergy in problem-solving and decision-making.” Prior to his appointment to NPC, he served DICT under various capacities - as Assistant Secretary for Management and Operations, OIC-Undersecretary for Regional Operations and Countryside and ICT Industry Development, Assistant Secretary for Administration and Assistant Secretary for National Broadband Backbone and Free WiFi/Internet Access in Public Places.
The Privacy Commission is geared towards beefing up its nation-building efforts as Executive Director Alzona emphasizes the significance of the Commission’s mandate in the growing Philippine economy. “While innovation is considered as the engine for our economic growth; and data is regarded by many as the new oil, I liken data privacy to a spark plug, without which we could not effectively ignite and jumpstart our country’s economic engine especially within the context of the Fourth Industrial Revolution,” he said.
Alzona intends to focus on creating a citizen-centric and techno-centric institution in the NPC. He reiterates that he will be “implementing a quality management system that capitalizes on NPC’s culture of action, culture of collaboration and culture of excellence as espoused by the Privacy Commissioner.”
Alzona obtained his law degree from San Beda University - Manila in 2010 and was subsequently admitted to the Philippine Bar the following year. He also holds a degree in business management and entrepreneurship with academic distinction from the same university.
Using COVID-19 health data as travel requirement calls for ‘privacy by design’ approach
The Global Privacy Assembly (GPA) is urging government and organizations around the globe to embed a privacy by design approach in using COVID-19 health data as a travel requirement amid the pandemic.
In a statement submitted to the executive committee of the GPA by COVID-19 Working Group Chair Raymund Liboro of the National Privacy Commission, embedding privacy by design will build public trust in such methods and contribute to governments’ public health strategy.
Governments and organizations worldwide are looking into implementing measures to curb the spread of COVID-19 through the sharing of health information of domestic and international travelers as a prerequisite of travel. Examples of such measures are a negative COVID-19 test result, vaccination status, and digital health passports.
The joint statement views the potential sharing of health data on a mass scale across borders and entities as unprecedented.
“Admittedly, using health data for domestic or international travel purposes is justifiable to curb the spread of COVID-19. However, this must be done with the utmost care and consideration to the individual’s privacy from the outset, also called privacy by design,” Liboro said.
Any measure adopted by governments and organizations that involve processing of personal data must be guided by effectiveness, necessity, and proportionality. Assure individuals that their health data is handled securely and for travel purposes only; that “the data demanded from them is not excessive; they have clear and accessible information to understand how their data will be used; there is a specific purpose for the processing; and their data will be retained for no longer than is necessary,” the joint statement further read.
Liboro, representing the Philippines as the lead of the GPA COVID-19 Working Group, submitted the joint statement to the executive committee of the GPA. The working group built on the successes of the COVID-19 Task Force, which Liboro also chaired.
Good data protection principles in travel
The joint statement lists the following global data protection practices that governments and organizations can adhere to when they require COVID-19 health data from travelers:
- Consider the privacy risks of processing a traveler’s COVID-19 health data from the beginning. Before starting any processing of health data of travelers, conduct a formal and comprehensive assessment of its impacts on the privacy of individuals. Governments and organizations should seek advice or guidance from data protection and privacy authorities.
- Personal data collected, used, or disclosed to lessen the public health effects of COVID-19 require a clearly defined purpose.
- All government authorities and organizations must operate under relevant and appropriate lawful authority and ensure that their processing of health data is necessary and proportional.
- Protect the data protection rights of vulnerable individuals who are unable to use or may not have access to electronic devices. Consider alternative solutions so that these individuals do not experience discrimination. Similarly, protect those who cannot be vaccinated due to their age, possible health risks, or other underlying conditions.
- Inform individuals on how their data will be used, by whom and for what purpose. Provide clear and accessible information recognizing the geographical, cultural, and linguistic diversity of people who wish to travel.
- Only collect the minimum health information from individuals.
- Employ measures to address the risks of directly sharing information from health records for travel purposes.
- Assess the cybersecurity risks of digital systems and apps, especially risks that may emerge in a global threat context.
- Consider how long the data should be retained. Design a retention period that safely deletes information once it is no longer needed.
- The design of such schemes should provide for the permanent deletion of data or databases. This should also recognize that the routine processing of COVID-19 health information at borders may become unnecessary when the pandemic ends.
Read the joint statement here: https://globalprivacyassembly.org/gpa-executive-committee-joint-statement-on-the-use-of-health-data-for-domestic-or-international-travel-purposes/.
Privacy Commission commends local government’s latest push towards data privacy compliance
The National Privacy Commission (NPC) commends the Department of the Interior and Local Government (DILG) and local government units (LGUs) for the policy to appoint data protection officers (DPOs) as part of a push to set data privacy standards in the collection and processing of personal data.
In a memorandum circular dated Jan. 14, 2021, local chief executives such as governors, mayors, and barangay captains are directed by the DILG to appoint DPOs as part of ensuring “compliance to the provisions of laws and issuances relative to privacy and data protection.” Non-compliant LGU officials may be subjected to disciplinary actions.
The policy covers provinces, cities, municipalities and barangays, DILG regional offices, the Bangsamoro Autonomous Region in Muslim Mindanao Ministry of the Interior and Local Government (BARMM-MILG), and other offices concerned.
The NPC continually reminds LGUs to beef up their data privacy safeguards, especially in the time of COVID-19, when data collection is a huge part of the government’s pandemic response. In November 2020, the NPC enjoined software developers for LGUs to create applications and systems where users’ personal data is protected at all times.
Privacy Commissioner Raymund Liboro said that the role of DPOs is to monitor and ensure that their organizations are compliant with the Data Privacy Act of 2012 and issuances of the NPC, which includes having privacy and data protection policies ensuring the safety and security of personal data being processed, and the proper and effective implementation of such policies.
“Data privacy requires not just the safety and security of tools used to collect and process personal data. DPOs and implementors of tools and services must also be well-informed about the data privacy law so they can properly oversee their organization’s data protection strategy and implementation,” Liboro said.
The DILG policy is in line with NPC Advisory No. 2017-01, “Designation of Data Protection Officers.” It reiterates DILG’s prior circular dated March 19, 2018 titled “Designation of Data Protection Officers Pursuant to Republic Act No. 10173, Titled Data Privacy Act (DPA) of 2012.”
Under Section 26 of the implementing rules and regulations of the DPA, “any natural or juridical person or other body involved in the processing of personal data shall designate an individual or individuals who shall function as DPO or compliance officer, shall be accountable for ensuring compliance with applicable laws and regulations for the protection of data privacy and security.”
Liboro said that the policy indicates DILG’s willingness and commitment to work with the NPC in setting a data privacy standard in the Philippines.
“LGUs implementing data privacy safeguards in their daily operations will usher in improved administration, enhanced delivery of services, and greater public trust. As a great deal of personal data are entrusted to the LGUs, this move of the DILG is a crucial step towards the LGUs’ compliance journey. This is just the beginning because data privacy compliance is continuous work and is ever evolving,” Liboro said.
Online Lending Firm Found Criminally Liable for Violating Data Privacy Law
The National Privacy Commission (NPC) has recommended the prosecution of Fynamics Lending Inc., the operator of the PondoPeso online lending application which has reportedly been harassing and publicly shaming delinquent borrowers, for violating the data privacy law.
In a 40-page decision, the Commission chaired by Privacy Commissioner Raymund Enriquez Liboro determined the criminal liability of Fynamics Lending Inc. and its Board of Directors, for violation of Section 25 (Unauthorized Processing of Personal Information and Sensitive Personal Information) of the Data Privacy Act (DPA).
Violators of Section 25 could be penalized by imprisonment of up to three years, and a fine of up to P2 million for unauthorized processing involving personal information. Where sensitive personal information is involved, violators shall be penalized by imprisonment of up to six years and slapped with a fine of up to P4 million.
The Commission is forwarding the decision and a copy of the pertinent case records to the Department of Justice for its further action, recommending the prosecution of the Respondents for the crime of Unauthorized Processing under Section 25 of the DPA.
You may access a copy of the pseudonymized Decision here (https://www.privacy.gov.ph/wp-content/uploads/2021/02/NPC-19-910-In-re-FLI-Decision-LYA-Final-pseudonymized-17Dec2020.pdf).
Complaints against Fynamics
The decision on Fynamics Lending Inc. resulted from one of the sua sponte investigations conducted by the NPC against online lending companies. From July 6, 2018, to July 31, 2019, NPC received 689 complaints against online lending companies and their applications. A total of 113 complaints were made against Fynamics’ online lending app during the period.
Complaints against Fynamics’ online lending app include the following:
- The app used personal information from complainants' mobile phonebook/directory/contact list to contact third persons, without their consent or authority;
- Personal information about the data subjects, unwarranted and false information, was discussed with third persons, including friends, relatives, co-workers, and the data subject's superior. These persons were often told that the data subjects named them as co-makers or character references. In some cases, they were asked to settle the loan on behalf of the data subjects;
- Agents or representatives of the app used personal information about data subjects and others in their contact list to damage the reputation of data subjects or to harass, threaten, or coerce them to settle their loans;
- The methods used in processing personal information were unduly intrusive, including posting on social media of personal and sensitive personal information of data subjects or even subjecting their contacts to threats and harassment. The personal information processed was excessive or otherwise used for purposes beyond what is necessary or authorized under their agreement.
The decision emphasized the role that personal information controllers play in “ensuring that the innovation and growth that happens in the Philippines continue to abide by the laws and ethical practices, leading to products and services that are free from any doubt on their security and informational privacy.”
“The National Privacy Commission once again reminds businesses to adhere to the data privacy law and respect their customers' data privacy rights. To operators and companies behind online lending applications whose business model exploits borrowers, the Commission is determined to halt your unethical and illegal use of your customers' personal information,” Privacy Commissioner Raymund Liboro said.
As mentioned in the Decision, a technical report prepared by the NPC Task Force on Online Lending Mobile Applications found that Fynamics’ online lending app could access the complainants’ mobile contact lists. The ability to read the user’s contacts is considered a dangerous permission.
Dangerous permissions are those that “cover areas where the app wants data or resources that involve the user’s private information or could potentially affect the user’s stored data or the operation of other apps,” the Decision read.
In October 2019, the NPC issued a ban on data processing against 26 online lending apps for data privacy violations including debt-shaming. The order led to the takedown of these apps from the Google Play store.
In September 2020, the NPC issued a circular ordering online lending applications to stop accessing contact lists of borrowers.
The NPC continues to investigate other online lending companies that have been the subject of numerous complaints ranging from harassment to public shaming of borrowers.
Privacy Commission’s updated online learning guidelines advise schools to enforce social media policy
Schools engaged in online learning are advised to strictly enforce a social media policy that reminds teachers and students of the possible data privacy consequences of posting screen captures, images, videos, chats, and sounds involving students and teachers during online learning on social media platforms.
Such actions may have implications on data privacy and other related regulations, according to the National Privacy Commission’s (NPC) updated bulletin on the data privacy best practices in online/blended/synchronous learning.
To assess and address concerns related to online learning, the NPC had dialogues with regulators such as the Department of Education and Department of the Interior and Local Government to gather inputs on the actual experiences of learners, educators, schools, and parents since the school year started.
Prioritize data privacy
All policies, guidelines, or codes involving the processing of personal data should always adhere to the general data privacy principles of transparency, legitimate purpose, and proportionality, with the best interests of the learner as the paramount consideration.
“The efforts of schools to simulate physical classrooms to provide a sense of normalcy for education is not unnoticed by the Commission. However, seeing as the COVID-19 pandemic caught all of us unprepared, there is a need to develop and improve policies that allow effective online teaching and learning without endangering data privacy rights,” Privacy Commissioner Raymund Liboro said.
A strict social media policy entails prohibiting teachers and other school personnel from using personal data collected in an official capacity and/or during an official school activity for personal purposes (e.g. posting in their social media accounts).
To protect the data privacy of both teachers and students, submissions of assignments and other school requirements may be done through available online messaging applications on a case-by-case basis, with consideration of the circumstances of teachers and/or students.
Submissions should be sent directly to the appropriate teacher or school personnel and not be made publicly available.
Likewise, teachers or school personnel should send communications involving student personal data (e.g. exam grades, results of assignments, report cards, reminders on unpaid school fees, etc.) directly to the concerned recipient/s and should never be posted publicly.
On the use of cameras
Opening of cameras during online learning is allowed. The Commission, however, stressed that policies or guidelines on the use of cameras for online classes and examinations should be reasonable and necessary to supervise and monitor learners and help educators in teaching.
Policies or guidelines on camera use should consider encouraging the use of virtual backgrounds whenever possible to avoid displaying the private living spaces of teachers and students.
Consider equality and fairness in situations where learners “experience technical difficulties, limited internet connection, devices malfunctions, glitches on the online platforms used for online learning, and other analogous circumstances,” the bulletin read. Schools should determine alternative ways to monitor online classes and examinations in these situations.
Online classes may be recorded for learners who may have missed a particular class, subject to existing school policies on attendance. The recording may be used by the school and educators for training purposes, with learners and/or parents and guardians informed beforehand.
The above recommendations should be read together with the requirements of existing child protection policies and anti-bullying policies, as necessary and appropriate.
# # #
The move, according to WhatsApp’s new privacy terms, is exclusively intended to expand the application as a growing platform for business transactions and customer service with the extension of marketing features.
The broad language WhatsApp used in its new privacy terms has stirred confusion and concern. Critical privacy questions such as the scope of data that Facebook and its family companies will be able to harvest from WhatsApp and whether agreeing to the new policy is mandatory remain unanswered.
While the Commission takes positive note on WhatsApp’s emphatic assurance on its continued end-to-end encryption of messages and calls, we would like to note that encryption is a bare minimum requirement for ensuring data protection.
In addition, WhatsApp’s source code is proprietary and is not viewable by concerned experts who may want to validate the security and privacy of the application. Thus, we are limited to taking its privacy promises at face value.
More importantly, privacy does not only concern the messages we send and receive nor the calls we make and take, but should apply to the extent of surveillance to which all activities done on the platform are subjected.
The Data Security and Technology Standards Division of NPC summarizes the following concerns on the expanded data processing authority of WhatsApp when the new policy kicks in:
- Being provided “as is” and to be used at the users' sole risk
- Having authority to delete your account without prior notice or a reason
- Makes no warranty regarding uninterrupted, timely, secure or error-free service
- Uses your personal data for advertising
- May use tracking pixels, web beacons, browser fingerprinting, and/or device fingerprinting on users.
- May use your personal information for marketing purposes
- Can transfer your personal data as part of a bankruptcy proceeding or other type of financial transaction.
- Forces users into binding arbitration in the case of disputes
- Keeps user logs for an undefined period of time
Another point of contention worth noting, as raised by the public, lies in the sharing of data with companies associated with its parent, Facebook, which has not had a stellar record in personal data protection and management.
Like other data privacy regulators around the world, the NPC has repeatedly flagged Facebook for various concerns, some of which have yet to be addressed.
Rest assured that the Commission is closely monitoring developments and will directly coordinate with WhatsApp to extract specific details on the new policy, as we seek to understand more the data protection measures it currently adopts or will possibly adopt in light of the new privacy terms.
We take this as an opportunity to work with digital movers like WhatsApp to ensure that transparent and easily understandable consent processes, especially in a fast-thriving digital environment, are consistently observed.
As defined by the Data Privacy Act of 2012, consent is “any freely given, specific, informed indication of will" of a data subject, agreeing to the processing of his or her personal data.
Ultimately, we hope to help data subjects choose the best platforms that guarantee their security when communicating digitally.
Pending the result of our discussions, we encourage the public to prepare by backing up their data stored in WhatsApp in case moving to a different platform turns out to be the more prudent choice.
# # #
Privacy Commission orders lender Familyhan to take down list online of 6,000 borrowers
The National Privacy Commission (NPC) has ordered Familyhan Credit Corp. to immediately stop processing the personal data of more than 6,000 borrowers following an investigation of complaints that the online lender has put at risk the privacy of the data subjects in violation of the Data Privacy Act of 2012 (DPA).
The Commission also ordered Familyhan to immediately take down its master database online to prevent more people from gaining unauthorized access to it.
The database stores sensitive information of the lender’s customers: names, passport numbers, email addresses, current addresses of borrowers based in Hong Kong and Singapore, and residential addresses of borrowers in the Philippines.
The orders were made through a Cease-and-Desist Order (CDO) the NPC sent on January 15 to the lender's headquarters in Lipa City in Batangas province.
The CDO was also sent to the personal addresses of the officers and board members of Familyhan, namely May Reyes, Voltaire Villafuerte, Jessa Rene Villafuerte, Acer John Angeles and Maureen Atienza.
Based on the complaints and on its independent investigation, the NPC said there was "sufficient ground" to support that Familyhan violated Section 26 of the DPA for providing unauthorized access to personal and sensitive personal information due to negligence.
Familyhan could also face additional penalties for concealment of security breaches.
The report of NPC’s Complaints and Investigation Division “finds that there is reason to believe that Familyhan should have known or had a reasonable belief that a security breach of their borrowers’ personal information occurred; that it has not made the required notification; that there is evidence to support a finding of possible negligence for failure to secure the database and prevent unauthorized access; and that it has not registered with this Commission, despite meeting the criteria for mandatory registration,” the CDO read.
As of January 18, the database remained accessible online, making the matter all the more urgent for the Commission to act on.
Familyhan and the responsible officers are given 10 days to file a Comment on the CDO.
This is not the first time that the NPC has taken action against an online lender based on complaints it received.
In October 2019, the Commission ordered online lenders to take down 26 apps that they used in harvesting data to shame delinquent borrowers. The lenders were Cash bus, Cash flyer, Cash warm, Cashafin, Cashaku, Cashope, Cashwhale, Credit peso, Flash Cash, JK Quickcash lending, Light Credit, Loan motto, Moola Lending, One cash, Pautang peso, Pera express, Peso now, Peso tree, Peso.ph, Pesomine, Pinoy cash, Pinoy Peso, Qcash, Sell loan, SuperCash and Utang pesos.
In NPC Circular No. 20-01 it issued last year, the NPC barred online lenders from collecting borrowers’ phone and social media contact list amid mounting reports of harassment and shaming of users.
# # #
Privacy Commission firms up collaboration with UK counterpart in sharing best privacy practices
The National Privacy Commission (NPC) recently signed a memorandum of understanding (MoU) with its counterpart in the United Kingdom to formalize their partnership as bilateral partners, and ensure a robust data privacy environment while fostering innovation and business growth.
Privacy Commissioner Raymund E. Liboro and UK’s Information Commissioner Elizabeth Denham signed the MoU in a virtual ceremony on Jan. 13.
The regulators primarily aim to support each other’s work by exchanging best practices in governance, policy making and enforcement and keeping each other abreast of privacy and protection developments in their respective jurisdictions.
Under the MoU, initial areas of cooperation include the conduct of education and training programs; joint research projects; and the exchange of intelligence information (excluding personal data) involving potential or ongoing investigations of breaches and other security incidents in their respective jurisdictions.
The MoU will be implemented without the sharing of any personal information which they store in their respective databases.
The event has never been more timely, according to Liboro, citing the continuing and emerging data privacy and protection challenges amid the mutating COVID-19 and rising infections.
“With the UK ICO (Information Commissioner's Office) propping up NPC’s technical capacity, leadership and governance, we are confident that the NPC will be more able to influence national and local policy-makers, authorities and the private sector to be more cautious and more mindful when dealing with personal data,” Liboro said.
“Together, we hope we can find ways to create an environment where privacy standards and epidemiological measures coexist in harmony,” he added.
For her part, Denham said the MoU with the NPC was a continuation of the strengthened unity of the international community of data privacy regulators and champions at the height of skepticism over the essence of data protection in a health crisis.
"One silver lining for me [during the pandemic] was the way the privacy community came together," Denham said.
"We are responding to the global nature of data flows and international trade. The way to do that is to work cooperatively on policy matters, on regulatory matters and investigation internationally. And we're working together closer than ever before to protect our citizens domestically," she added.
The UK Information Commissioner also lauded the NPC for its leadership at the Global Privacy Assembly's (GPA) COVID-19 Task Force, through which the Commission steered discussions for GPA members to be better equipped in preserving privacy rights.
Ultimately, Liboro hopes partnerships with more experienced privacy authorities like the UK ICO will help the NPC achieve its goal of embedding a deep culture of respect for privacy rights in the Philippines.
As such, the NPC is targeting to seal more bilateral partnerships for stronger capacity in policy-making, awareness, enforcement and investigation.
# # #
Privacy Commission summons operators of website that exposed car owners' personal data
The National Privacy Commission (NPC) is extending the cease-and-desist order (CDO) on lisensya.info after its owners and operators failed to answer the allegations, received by the Commission late last year, that the website had breached the personal information of Land Transportation Office (LTO)-registered motorists.
Google Safe Browsing recently detected phishing activities on lisensya.info.
The CDO was first served on Nov. 12 against respondents Jose Minao and Billy James Jimena, the website’s owners and operators, who were given until Nov. 22, 2020 to file a comment on the allegations and to present their defense, as provided by Section 12 of NPC Circular No. 20-02 or the “Rules on the Issuance of Cease and Desist Order.”
Lisensya.info provided a “Motor Vehicle Authenticator,” which, through the mere input of the motor vehicle file number by anyone, would show sensitive information, such as the make, plate number, engine number, chassis number, registration expiry date and name of the owner.
Netizens claimed the data the site provided were accurate, raising suspicions of a leak in LTO’s database as these were the types of information the LTO was collecting from motorists for registration. A total of 12.725 million vehicles were registered with the LTO in 2019.
Based on results of NPC’s initial investigation, lisensya.info had neither a privacy notice nor any contact details of its owner.
Lisensya.info associated itself with the LTO, but the agency assailed it for using the LTO logo on its website to establish a false connection with the transportation office.
“Ang lisensya.info website ay HINDI pinapatakbo o konektado sa ahensya ng LTO,” the transportation agency’s post on its verified Facebook page read. “Para sa kaligtasan ng lahat, huwag po tayong magbigay ng SENSITIBONG IMPORMASYON sa UNVERIFIED links o accounts.”
Since the CDO was first served to lisensya.info, the website is no longer easily accessible to the public.
- The National Telecommunications Commission (NTC) issued a memorandum dated Nov. 16, 2020 directing Internet Service Providers (ISPs) to block access to lisensya.info. The memorandum was sent through electronic mail to various ISPs on Nov. 20 and 23, 2020, and directed the ISPs to submit a report on their actions within five days from receipt. In a letter addressed to the NPC dated Dec. 21, 2020, the NTC said that several ISPs, including PLDT, Smart Communications, Dito Telecommunity, InfiniVAN, Pipol Broadband and Telecommunications Corp., Philippine Telegraph & Telephone Corp., Apo Associated Radio Electronics & Communications Co., and Kabayan Cable TV Systems, had reported that lisensya.info “has already been blocked and will no longer be accessed by their subscribers.”
- As of Nov. 24, 2020, lisensya.info had already been flagged by Google and Firefox. Upon accessing the site through Google Chrome, users see a security warning saying that Google Safe Browsing recently detected phishing activities on lisensya.info. Users who choose to proceed to the website despite the security warning are directed to a YouTube video. The same happens when users use browsers that show no security warning. Some users, upon accessing the website, are instead shown a message saying “lisensya.info’s server IP address could not be found.”
The CDO on lisensya.info and the Order extending the same are available on the NPC website, privacy.gov.ph.
# # #
Developers of LGUs’ Contact-Tracing Apps Enjoined to Act as Privacy Watchers
Software teams developing COVID-19 contact-tracing apps for local government units (LGUs) are advised to incorporate a privacy-by-design (PbD) approach and allow users to opt in and out of digital contact tracing.
The recommendations are provided by the Data Security and Compliance Office of the National Privacy Commission (NPC). The NPC is currently conducting compliance checks on LGUs’ contact-tracing apps being implemented in provinces, cities, municipalities, and barangays.
Privacy by design
Privacy Commissioner Raymund Enriquez Liboro enjoined software development teams to “act as privacy watchers and create applications and systems where users’ data privacy is protected at every level.”
“Build security into contact-tracing apps by adopting best privacy practices, such as transparency on how the data is used, collecting only necessary details and having proper disposal mechanism,” Liboro added.
Incorporating PbD into software engineering encompasses the following:
- Modeling. Comprehend the application from end to end, describing or defining the personal data flows of the developing application.
- Method. Understand and implement clearly the methods in determining the models and personal data flows of the system.
- Definition. Define the terms, processes and how all the data link together. Definitions will provide a better understanding of the processes and data in developing the application.
- Analysis. Analyze all the information gathered from modeling, method, and definition and determine ways of developing the application that embed PbD and preserve privacy.
Recommended measures also include following secure coding and design principles, and the conduct of essential software testing.
Encrypt all network communications between the app and the backend. Use transport layer encryption to encrypt data in transit when communicating over mobile and Wi-Fi networks.
Software development teams should keep in mind that not all users are tech savvy. Consider an intuitive and easy-to-navigate onboarding user experience or UX that displays the overview of the app and its privacy notice.
The privacy notice contains the identity of the personal information controller, service description (list of all services that the app provides), personal data that are processed, collection methods, timing of collection, purposes for processing, storage and transmission of personal information, methods of use, location of personal information, third party transfer, retention period, participation of data subjects, and inquiries.
The NPC also advised software development teams to protect themselves against threats.
“Attackers often target software developers, system administrators and development platforms because they may have the system passwords, sensitive credentials, access to source code and access rights to sensitive assets,” Liboro added.
Proper consent mechanism
Apps must allow users to opt in and out of digital contact tracing. Use of the app must be voluntary, with data subjects allowed to withdraw consent at any time. Opting out must not lead to negative consequences for the user.
When different purposes exist in the app, there must be separate consent for each, and the purpose must be explained beforehand to users (e.g. the use of anonymized data for pandemic and epidemiology research and development purposes).
Ensure that users can exercise their data privacy rights by providing user controls in the initial onboarding and during the use of the app. User control can be in the form of a dedicated privacy control panel or dashboard.
Make the contact tracing app’s system access explicit, especially when it tries to access sensitive capabilities of the user’s mobile device (e.g. storage or microphone). When making a permission request, the app must disclose what it is accessing.
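One way a compliance reviewer could check the two points above, that an app declares only the permissions it discloses and that it does not reach for the contact list at all (the “dangerous permission” the online lending decision above turned on), is to audit the Android manifest. The following is an added example, not NPC or project code; the manifest, package name, purpose statements and the list of permissions refused outright are constructed for illustration.

```python
"""Audit an Android manifest for runtime ("dangerous") permissions and check
that each one carries a purpose statement shown with the permission request.
Hypothetical reviewer tool written for this example; not an NPC tool."""
import xml.etree.ElementTree as ET
from typing import Dict, List

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
PERMISSION_TAGS = {"uses-permission", "uses-permission-sdk-23"}

# Subset of the permissions Android documents as "dangerous": they reach the
# user's private data or device sensors and must be granted at runtime.
DANGEROUS = {
    "android.permission." + p for p in (
        "READ_CONTACTS", "WRITE_CONTACTS", "GET_ACCOUNTS", "READ_CALL_LOG",
        "READ_PHONE_STATE", "READ_SMS", "SEND_SMS", "RECEIVE_SMS", "CAMERA",
        "RECORD_AUDIO", "ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION",
        "ACCESS_BACKGROUND_LOCATION", "READ_EXTERNAL_STORAGE",
        "BLUETOOTH_SCAN", "BLUETOOTH_CONNECT",
    )
}

# Review policy assumed for this example: a contact-tracing app has no purpose
# that needs the phonebook, SMS or call log, so these are refused regardless of
# any justification offered.
OUT_OF_SCOPE = {
    "android.permission." + p for p in (
        "READ_CONTACTS", "WRITE_CONTACTS", "READ_SMS", "SEND_SMS", "READ_CALL_LOG",
    )
}


def declared_permissions(manifest_xml: str) -> List[str]:
    """Permission names in manifest order, from both <uses-permission> forms."""
    root = ET.fromstring(manifest_xml)
    return [
        el.get(ANDROID_NS + "name")
        for el in root.iter()
        if el.tag in PERMISSION_TAGS and el.get(ANDROID_NS + "name")
    ]


def audit_manifest(manifest_xml: str, purposes: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify each dangerous permission as refused (out of scope), disclosed
    (has a non-empty purpose statement) or undisclosed (no statement)."""
    report: Dict[str, List[str]] = {"refused": [], "undisclosed": [], "disclosed": []}
    for perm in declared_permissions(manifest_xml):
        if perm not in DANGEROUS:
            continue  # install-time permissions such as INTERNET need no dialog
        if perm in OUT_OF_SCOPE:
            report["refused"].append(perm)
        elif purposes.get(perm, "").strip():
            report["disclosed"].append(perm)
        else:
            report["undisclosed"].append(perm)
    return report


# Constructed manifest for a hypothetical LGU contact-tracing app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="ph.example.tracer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.BLUETOOTH_SCAN"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission-sdk-23 android:name="android.permission.CAMERA"/>
  <application android:label="Tracer"/>
</manifest>"""

# Constructed purpose statements the app shows with each request; location is
# declared but never explained, and contacts should not be requested at all.
SAMPLE_PURPOSES = {
    "android.permission.BLUETOOTH_SCAN": "Detect nearby app users for exposure notices.",
    "android.permission.CAMERA": "Scan the QR code posted at establishment entrances.",
    "android.permission.ACCESS_FINE_LOCATION": "",
}

if __name__ == "__main__":
    for category, perms in audit_manifest(SAMPLE_MANIFEST, SAMPLE_PURPOSES).items():
        print(f"{category}: {perms}")
```

Run against the sample, the audit refuses READ_CONTACTS, flags ACCESS_FINE_LOCATION as undisclosed, and accepts BLUETOOTH_SCAN and CAMERA as disclosed; INTERNET is skipped as a normal permission.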
Define and set where personal data are stored. Put in place strict policies and safeguards to restrict the location points of the digital personal data processed by the contact tracing app.
To prevent the data from being retrieved or the data subjects re-identified, delete and dispose of the personal data securely when the primary purpose for processing has already expired and there is no other legal basis (like law enforcement) to keep the contact or case details for a period longer than the existence of the pandemic.
Before implementing the app, business, system and process owners, or developers should conduct a privacy impact assessment (PIA) to identify data privacy and security risks.
In conducting a PIA, refer to NPC Advisory 2017-03 and the Philippine National Standard on Guidelines for Privacy Impact Assessment: PNS ISO/IEC 29134:2018.
# # #
Privacy Commission calls on entities using CCTV to establish its legitimate purpose
Entities that use closed-circuit television (CCTV) to monitor public and semi-public spaces must identify its legitimate purpose and consider its impact on the rights and freedoms of data subjects.
The National Privacy Commission (NPC) issued Advisory No. 2020-04 on Nov. 16, to guide personal information controllers (PICs) and processors (PIPs) that process personal data through the use of CCTV systems.
The capture, use, retention and destruction of video and/or audio footage obtained from CCTVs are forms of personal data processing under the Data Privacy Act. Before installing a CCTV, the purpose/s of processing personal data to be obtained from the system must be determined.
Purposes that are allowed include compliance with the law or regulation; security of properties; protection of important interests of individuals; and, public order and safety. However, these purposes are overridden by the fundamental rights and freedoms of data subjects.
“CCTV systems, when used reasonably and appropriately, are tools that support the safety and security of PICs, PIPs and data subjects. Implement organizational, technical and security measures, conduct regular reviews on the system, and ensure that its use is bound to specified and legitimate purposes,” Privacy Commissioner Raymund Liboro said.
For the complete guidelines on the use of CCTV systems, refer to NPC Advisory No. 2020-04.
Privacy Commission to probe lisensya.info for possible privacy violation
The National Privacy Commission (NPC) is conducting a probe of lisensya.info, a website that associated itself with the Land Transportation Office (LTO), to determine possible breach of personal information of LTO-registered motorists.
A total of 12.725 million vehicles were registered with the LTO in 2019.
“The NPC shall verify the incident and look into the extent of possible harm on LTO’s data subjects to determine how to best resolve the situation,” Privacy Commissioner Raymund E. Liboro said.
“NPC is coordinating with the Data Protection Officer (DPO) of the LTO for us to be provided with more details of the incident,” he added, noting the DPO of the agency has just filed its initial breach notification report with the NPC yesterday, November 10, 2020.
Last week, the LTO issued a statement assailing lisensya.info for using the LTO logo on its website to establish a false connection with the agency.
The questionable website provided a “Motor Vehicle Authenticator” which, through the mere input of the motor vehicle file number by anyone, would show sensitive information, such as the make, plate number, engine number, chassis number, registration expiry date, and name of the owner.
Netizens claimed the data the site provided were accurate, raising suspicions of a leak in LTO’s database as these are the types of information the LTO collects from motorists for registration.
Based on results of NPC’s initial investigation, lisensya.info has neither a privacy notice nor any contact details of its owner.
As of November 10, the site remained accessible while the LTO-run website “lto.net.ph,” which provides the status of the availability of license plates, is down or unavailable.
# # #
Privacy Commission issues advisory cautioning establishments against repurposing of collected data
The National Privacy Commission (NPC) has warned against the repurposing of collected personal data in client/visitor contact-tracing forms and employee health-declaration forms for direct marketing, profiling, or any other use or purpose beyond what is required for Covid-19 prevention and control.
Repurposing personal data is punishable under the Data Privacy Act (DPA), the Commission said in an advisory issued on October 23 in response to complaints from citizens against business establishments over mishandling and misuse of contact-tracing data, such as a customer’s name, address, age, cellphone number and e-mail.
“Since the Covid-19 pandemic hit, we are seeing an unprecedented manner of data collection and processing, which proportionally also increased its associated privacy risks. Data privacy is crucial to the survival of businesses and therefore must be embedded into processes or policies that involve the personal data of employees and customers,” Privacy Commissioner Raymund Liboro said.
Advisory No. 2020-03 details guidelines for workplaces and establishments in processing personal data for Covid-19 response, such as the use of privacy notices to exhibit transparency, and the proper handling of paper-based and digital contact-tracing forms.
The advisory, crafted with recommendations and inputs provided by data protection officers (DPOs) from the privacy council for the retail and manufacturing sector, was issued to build public trust in businesses and how they handle sensitive personal data amid the pandemic.
Establishments need to consider privacy and security in each stage of the data life cycle, from collection to use, storage and disposal.
“As personal information controllers, establishments play a big role in the implementation of contact tracing. For this reason, they are expected to guarantee the protection of personal data under their safekeeping,” Liboro said. “Companies and businesses need to exhibit transparency about the data they collect and for what and how it will be used.’’
Employees, clients/customers, and visitors must be informed through a privacy notice of the details of the processing of their personal data, according to the advisory. Businesses must also create a privacy notice that is easy to understand, noticeable, and accessible or situated in points of entry and other conspicuous areas in the establishment.
When using QR codes, the privacy notice should be located beside the QR code with the contact number of the DPO of the establishment.
Security personnel or other authorized staff of the establishment must ensure that the data collected in the paper-based and digital client/visitor contact-tracing forms and employee health-declaration forms are accurate and readable, with all required fields filled out.
The advisory prohibits identity checks or other intrusive means when collecting employees or customers’ personal data, unless it is part of a documented regular procedure (e.g. presentation of company ID for employees or asking for proof of identity for visitors).
Dos and don’ts in handling forms
Establishments must provide a designated area where employees and clients/visitors can accomplish the forms while observing physical distancing. The latter provides additional privacy by eliminating the risk of shoulder surfing or data exposure.
Where QR codes are used, establishments should assign a unique QR code to each employee. For clients/visitors, QR codes should be posted at the entrance of the establishment.
Protect paper-based systems, such as logbooks, folders, individual forms, notepads, from data breaches by eliminating open access, where personal information is visible and accessible to others. Accomplished forms must be physically segregated to prevent unintended disclosure of personal data.
Likewise, digital forms must be equipped with adequate safeguards, such as encryption, for protection from accidental and intentional data breach.
The advisory further states that establishments allowing their electronic devices (smartphones, tablets, etc.) to be used by employees or customers in data entry must ensure that their operating system and security patches are up to date and regularly scanned for viruses. Web browser’s autofill feature must be disabled to prevent other users from seeing information previously entered in the digital form.
As added protection, deploy the electronic device with an automatic lock feature, password, and a remote wipe functionality, whenever practical, so that data are securely deleted if the device gets lost or stolen.
Under Joint Memorandum Circular No. 20-04-A Series of 2020 issued by the Department of Trade and Industry and Department of Labor and Employment, personal data collected through the health-declaration form or the visitor contact-tracing form must be disposed of properly after 30 days from date of accomplishment.
Shred paper-based records properly and electronically wipe storage media or digital devices, including backup data, to ensure that stored information is beyond recovery.
Disclosure of the personal data is limited to the Department of Health and its partner agencies, local government units, and authorized entities, officers, or personnel.
To get a copy of NPC Advisory No. 2020-03, visit https://www.privacy.gov.ph/wp-content/uploads/2020/10/NPC-Advisory-No.-2020-03.pdf
PH chosen to lead new global working group to sustain data-privacy dialogue on Covid-19
The Global Privacy Assembly (GPA) has created a new working group that will build on the successes of the Covid-19 Task Force in influencing global policy discussions on data privacy during the pandemic, with the country represented by the National Privacy Commission (NPC) chosen to lead the efforts.
“As the Task Force has concluded, the GPA voted to create the working group to continue the valuable work and sustain the momentum started by the task force,’’ Privacy Commissioner Raymund E. Liboro said. “More guidance is needed. Thus, we are continuing this engagement and collaboration to provide the community and our stakeholders direction in developing pandemic-responsive policies that uphold privacy standards.”
He added that the selection of the NPC to continue steering the goals of the GPA through a new group “is testament to the confidence partners in the international community has in the NPC, given the positive outcomes of the Covid-19 Task Force despite its short stint.”
Liboro, who chaired the Covid-19 Task Force, said the task force, in its five-month work, provided its members with valuable guidance regarding privacy issues emerging from the pandemic.
At the GPA closed session on October 15, the NPC chair reported to GPA members and observers the substantial impacts of the campaign and plans. A review of deliverables, particularly the compendium of best practices, was one of the highlights.
“GPA’s repository of Covid-19 responses collates and shares knowledge, guidance, tools and resources, as well as case studies and technical expertise, offering practical support to the privacy community,” he added.
The compendium is the product of several capacity-building webinars on issues that the majority of members considered most pressing. These are (1) contact-tracing and location tracking; (2) handling of employee data from home/return-to-work situations; and (3) handling of children/students’ data associated with the use of e-learning and online education technologies.
“These webinars highlighted recovery mechanisms that helped members deal and cope with the new normal. These also noted some business continuity strategies for data protection officers (DPOs) and gave emphasis on their role in championing privacy and data protection amid the pandemic,” Liboro said.
Specifically, the COVID-19 Task Force organized five webinars, three of which were separate collaborations with the Centre for Information Policy Leadership, International Association of Privacy Professionals and Organization for Economic Cooperation and Development (OECD).
“In planning and organizing these capacity-building activities, we made sure there is regional diversity in the selection of speakers, so as to give a holistic perspective and to be able to hear as much as possible, all voices and experiences from around the globe,” Liboro said.
GPA Chair Elizabeth Denham, also United Kingdom Information Commissioner, said GPA members greatly benefited from the task force’s international engagements, crucial as the pandemic accelerated the adoption of technologies while privacy authorities are being more involved in the public-health agenda.
“The work of the Covid-19 Task Force has shown that the modernized GPA can be agile and proactive in responding to the needs of our community. The breadth of the Task Force's achievements from capacity building and outreach events to the Compendium of Best Practices [has] provided real practical benefits,” Denham said.
“As GPA Chair, I warmly thank Raymund Liboro for his dynamic and productive leadership of the Covid-19 Task Force and look forward to the continuation of his work as chair of the new working group,” she added.
GPA executive member Angelene Falk also lauded NPC’s work in steering the task force, expressing optimism that the new group can advance goals further.
“Under Commissioner Liboro’s leadership the task force has delivered pragmatic initiatives and global cooperation. The task force’s work in advancing capacity-building initiatives goes to the heart of the Global Privacy Assembly’s strategic objectives to advance global privacy and work toward a regulatory environment with high standards of data protection,” said Falk, who is also Australian Information Commissioner and Privacy Commissioner.
“It is with these reflections that I express my full support to the work of the GPA Covid-19 Task Force, and welcome the establishment of a GPA Working Group dedicated to the privacy issues being raised by the Covid-19 pandemic,” she added.
Members of the GPA Covid-19 Task Force include representatives from both GPA members and observers from the following countries and organizations: Australia, Burkina Faso, Canada, Council of Europe, Dubai International Financial Centre Authority, EU Fundamental Rights Agency, European Data Protection Supervisor, Gabon, Georgia, Germany, Hong Kong, International Committee of the Red Cross, Ireland, Israel, Japan, Jersey, Korea, Macao, Mauritius, Mexico, New Zealand, OECD Data Governance and Privacy Unit, Peru, the Philippines, San Marino, Sweden, Switzerland, Turkey, the United Kingdom, UN Global Pulse, Uruguay and the US Federal Trade Commission.
Online lenders barred from harvesting borrowers’ phone and social-media contact list, says Privacy Commission
Lenders operating online apps that can be installed in smartphones are prohibited from harvesting personal information, such as phone and social media contact lists, for harassing delinquent borrowers, the National Privacy Commission (NPC) said in a circular it published today, October 19.
The Commission issued Circular No. 20-01 in response to numerous complaints that online lenders were illegally using personal data of clients and those of others on their contact lists, causing damage to their reputation and violating their rights as data subjects.
The harassment and shaming of delinquent borrowers before relatives, friends and colleagues persist despite separate orders last year from the NPC and the Securities and Exchange Commission (SEC) to shut down errant online creditors.
When the circular comes into effect 15 days after its publication in the Official Gazette or two newspapers of general circulation, all lending and financing companies in possession of their borrowers’ contact lists in whatever form in violation of the guidelines shall dispose of the information in a secure manner that would prevent further unauthorized processing, access, or disclosure to any other party or the public, the NPC said.
“The National Privacy Commission is issuing this circular for the appropriate and respectable treatment of borrower’s personal information,’’ Privacy Commissioner Raymund Liboro said.
He said online lending applications should design their business processes with privacy by design and default, and with complete adherence with the principles of the Data Privacy Act (DPA).
“Once again we remind online lending operators and businesses to take their customers’ data privacy seriously and deploy adequate security measures. For the public, we hope this circular will help them keep an eye out for red flags while they are in the process of borrowing money from online lenders,’’ Liboro added.
Dos and don’ts
He further said that “the circular lays out what online lending operators can and cannot do with borrowers’ personal information to avoid instances of abuse.”
Under the circular, unnecessary permissions include accessing phone contact or e-mail list, harvesting social media contacts, copying or otherwise saving these for use in debt collection, or to harass the borrower or his/her contacts.
Access to the phone camera of the borrower is allowed only for the purpose of know-your-customer (KYC) policies. In no way shall the borrower’s photo be used, the circular said, to harass or embarrass him or her in order to collect a delinquent loan.
App permissions are allowed only under suitable, necessary and not excessive purpose of KYC for determining creditworthiness, preventing fraud and collecting debt.
“When such purpose has already been achieved, such online apps shall prompt the data subject to turn off or disallow these permissions,” the circular said. Read the circular in full here.
The circular also stipulates the following:
- Personal information controllers, lending and financing companies in this case, must implement reasonable and appropriate organizational, physical, and technical security measures to protect personal data.
- Details concerning the loan must be written in a clear language and in the most appropriate format.
- Borrowers must be informed if the loan processing activity involves the use of profiling, automated processing, automated decision-making, or credit rating or scoring.
- A separate lawful criterion must be in place pursuant to Sections 12 and/or 13 of the Data Privacy Act, should information be used for marketing, cross-selling, or sharing with third parties for purposes of offering other products or services not related to loans.
- Reasonable policies on retention of data must be adopted and implemented for those with denied loan applications and borrowers who have fully settled their loans.
The circular said lending or financing companies and persons acting like these entities were at all times accountable for personal data under their control or custody.
“They shall not use any personal data to engage in unfair collection practices as defined under SEC Memorandum Circular No. 18 series of 2019,” read part of the circular’s Section 3E.
The section added that any lender found in violation of the circular shall be liable under the applicable provisions of the DPA, which impose fines and imprisonment.
The NPC observed that a month after it ordered the shutdown of 26 online lending companies in October last year, the complaints it received from the public declined 90 percent.
# # #
NPC holds first ever Health Privacy Forum to promote sector compliance
The National Privacy Commission (NPC) held on Oct. 15 a capacity-building webinar for data protection officers (DPOs) of the health sector to help them improve privacy and protection protocols.
NPC’s first-ever Health Privacy Forum, which drew in almost 200 participants, was conducted in the wake of the Commission’s findings that the sector’s compliance with data privacy standards fared dismally and may have been the primary cause of the breaches the sector had reported so far this year.
Discussions included a recap of pertinent privacy issuances during the pandemic, compliance updates, emerging privacy issues in the health sector, and trends and challenges the sector may face as it finds the delicate balance between data protection and public health interest.
‘Right thing to do’
Dr. Enrique A. Tayag, director of the health department’s Knowledge Management and Information Technology Service, said “blending data privacy with our public health response to the COVID-19 pandemic is possible, and is the right thing to do.”
“Data privacy and security risks will always remain in public health. If the public does not trust that we will protect their data, we won’t be able to succeed. Our contact tracing will be affected because the public won’t provide us with accurate information,” said Tayag, who is known for his almost 30-year work in epidemiology.
The Department of Health (DOH), as a clearinghouse for tech solutions on COVID-19, elevates these applications to the NPC which, in turn, evaluates their compliance with data privacy and protection standards, Tayag said.
To date, the DOH has evaluated 69 out of 113 proposed third-party tech solutions and 32 of their contracts, such as data-sharing and outsourcing agreements. It has also conducted five privacy impact assessments. In all these, the NPC extended its expertise to ensure that these uphold privacy principles.
Tayag encouraged DPOs to keep abreast of COVID-19 developments that may compel a rethink on their strategies.
“Let’s study the policies and strategies, and accept that we need to learn. We must also ensure that we comply with these,” Tayag said. “To grow is to change.”
Bottom spot, human error
Data from the Compliance and Monitoring Division (CMD) of the NPC showed that no company from the health sector in the July to September privacy sweep fulfilled the minimum requirement of securing NPC registration, effectively pushing it to the bottom spot among all nine sectors the Commission monitors.
CMD Director Olivia Khane S. Raza said that in the 10 months to October, the main cause of breaches in the health sector was human error (64%). In contrast, human error accounted for 39% of the breaches for all nine sectors, second to malicious attacks (48%).
Privacy Commissioner Raymund E. Liboro described the findings as “worrisome,” as health institutions take the lead in the country’s contact-tracing efforts.
“The Privacy Forum was held to push health DPOs to review their strategies and add more guardrails to data as the economy starts opening up, which only means contact tracing will be rolled out in more places as well. We must then intensify work in improving our processes to build trust, ” Liboro said.
He said the lack of trust and transparent mechanisms was giving people legitimate reasons to refuse disclosing their personal information and their conditions for fear of misuse and abuse of their data. “Trust must be the cornerstone principle of contact tracing in order that our efforts be not for naught.”
# # #
Privacy Commission probing reports against establishments over mishandling of contact tracing data
Several business establishments – from a mall, fast-food and drugstore chains, and supermarkets to a European fast-fashion retailer and a North American coffee shop franchisee – have been the subject of reports from citizens over mishandling and misuse of contact-tracing data, prompting the National Privacy Commission (NPC) to take steps in checking their compliance with the Data Privacy Act (DPA) and the guidelines issued by the Commission and other government agencies.
The chief concerns were the improper use of logbooks and the lack of appropriate data-protection measures that left in the open filled-out contact-tracing forms that contain customers' data, such as names, addresses and contact details, which other people could see.
Other concerns included using personal data for purposes besides contact tracing, absence of a privacy notice, and baseless retention period.
"We hear out the sentiment of the public and their encounters with establishments that violate privacy rights and employ inappropriate security measures," Privacy Commissioner Raymund E. Liboro said.
The Privacy Commissioner emphasized that NPC’s move to check on companies to uphold data protection and privacy rights was pro-consumer and pro-business. The move would enable businesses to gain the trust of customers and support government contact-tracing efforts.
"Building trust is especially crucial now as we begin to open the economy gradually," Liboro said.
He added that “building trust is possible if we have cleared citizens’ doubts over potential misuse and abuse of their data. When people’s data are handled with care, business rises.”
Helping the retail sector comply
The NPC met on Oct. 9 with data protection officers (DPOs) from the Privacy Council for the retail and manufacturing sector to guide their contact-tracing practices.
NPC Director Olivia Khane S. Raza of the Compliance and Monitoring Division (CMD) advised business establishments to devise a reasonable way to collect data to prevent accidental and unauthorized viewing.
“As you are in the best position to anticipate and manage risks based on your store setup, you should be able to identify points of possible risks for you to develop the security measures appropriate for your operations," Raza said.
Best practices, early warning
To address public concerns, she called on companies to adopt best data-privacy practices, such as collecting what is minimum necessary; providing a transparent data privacy notice; having proper disposal mechanism; imposing a limited period for storage; and training employees on data privacy protocols and urging them to observe the protocols strictly.
According to Raza, compliance checks are early warning mechanisms to help businesses prevent more complaints that could lead to legal action.
The CMD chief added that if a company received a notice of deficiency, it should "act and address deficiencies within the prescribed time. Otherwise, this can lead to orders, such as a cease and desist order.”
Depending on the violations committed, negligent businesses might be penalized under the DPA with imprisonment and fines. With a combination of prohibited acts, a violator could be fined up to P5 million and imprisoned for a maximum of six years.
Gela Boquiren, head of the Privacy Council for the retail and manufacturing sector, said retailers must base their contact-tracing efforts on two joint memorandum circulars.
One is from the NPC and the Department of Health ("Privacy Guidelines on the Processing and Disclosure of COVID-19 Related Data for Disease Surveillance and Response”) and the other from the Department of Trade and Industry, and Department of Labor and Employment ("Supplemental Guidelines on Workplace Prevention and Control of COVID-19”).
Only for contact tracing
Boquiren, also the DPO of San Miguel Corp., advised retailers to ensure that the rest of the processing cycle (storage, use, transfer, and destruction) of customers' data was always protected.
“As we start to support our favorite stores physically, we need to accomplish contact-tracing forms with correct information so authorities can contact us, just in case," she said.
She added that establishments “have to assure customers that personal information collected will be secured and used only for the primary purpose of contact tracing.”
Boquiren also appealed for support from owners of malls, which house many retailers, in ensuring “that businesses use proper contact-tracing forms and prevent the unauthorized use of customers’ contact details.”
NPC, PCOO work toward government’s compliance with data privacy and freedom of info laws
The National Privacy Commission (NPC) and the Presidential Communications Operations Office (PCOO) will intensify assistance to government agencies for their proper enforcement and effective balancing of the Data Privacy Act and the executive order on Freedom of Information (FOI), two intertwining laws that have been reasserted at the recent Data Privacy and FOI Congress as being more complementary than conflicting.
Themed “Balancing of Rights: Data Privacy and Freedom of Information,” the event, which gathered around 360 data protection officers (DPOs) and FOI decision makers, aimed to debunk misconceptions that the DPA hinders people’s right to know while the FOI compromises personal data privacy rights of government officials.
“The DPA is about accountability and fairness. It is not a cloak for the government to cover up corruptive activities,” Privacy Commissioner Raymund E. Liboro said at the Sept. 22 webinar.
For his part, PCOO Assistant Secretary Kris R. Ablan explained that FOI decision makers must always take into account the DPA, ensuring to protect sensitive personal information and only release data that is necessary and relevant to the purpose for which the information is requested.
Where a gray area between the two laws may arise, one must always turn to the public interest test in which FOI and data privacy laws yield to more important rights, such as the country’s security, according to Ablan, who is also director of the FOI Project Management Office.
Ablan also noted that at the heart of a healthy democratic country was a well-informed citizenry. NPC chief Liboro echoed this stance.
“We encourage government officials to share information that will help build trust to the public for journalistic, artistic, scientific and research and accountability purposes. This approach will help the government further gain the public’s trust and stimulate dynamic collaboration toward attaining national goals,” Liboro said.
The DPA-FOI Congress also provided basic discussions on standard processes to comply with the DPA and FOI Act.
Both agencies have agreed to increase joint capacity-building campaigns in order to improve the government's implementation of both laws.
Ablan said skills training must aim to equip the information officer with the different skills that need to be combined.
“The information officer must be an expert of FOI in disclosing information. The same information officer must be adept with records management in order for them to retrieve info and disclose it in a timely manner. He must be well-versed in national security concerns and must be able to employ standard data privacy and protection practices,” Ablan said.
Privacy Commission says suspending Data Privacy Act as recommended by business groups is counterproductive in curbing COVID-19 transmission
Science and medical ethics dictate that publicly naming COVID-infected individuals does not help in decreasing the transmission of infection and is counterproductive.
The call to suspend the Data Privacy Act (DPA) is gross disregard for the expert opinions of epidemiologists and scientists around the world and the reality happening on the ground, especially in countries that have kept COVID at bay. In the ASEAN alone, Singapore and Thailand, which have been cited for their success in contact tracing in battling the virus, have not considered suspending a fundamental human right as a measure to fight the pandemic.
We must consistently defer to science and available evidence, when making decisions especially in a national response as critical as this. There has been no evidence that publicly naming COVID-infected individuals has public health benefits. But we have evidence that outing those with the disease leads to public discrimination, shaming, and social vigilantism.
Such prejudicial treatment has prevented COVID positive individuals and their close contacts from coming out to seek testing and treatment, making it more difficult for authorities to more accurately capture how far COVID has spread.
We have enough provisions in our laws to allow the government to effectively conduct contact tracing, treat patients, and face this threat while securing the personal data and dignity of our citizens.
The call to suspend the DPA in the name of public disclosure is anti-poor and devoid of science and ethics. Let us move forward the fight against COVID with more evidence-based proposals and solutions.
# # #
NPC, PCOO join hands in debunking myths on Data Privacy Act and Freedom of Information
How do you balance the right to privacy of individuals and freedom of information?
The National Privacy Commission (NPC) and the Presidential Communications Operations Office (PCOO) are holding a joint virtual meeting tomorrow aimed at debunking myths surrounding the implementation of the Data Privacy Act (DPA) of 2012 and the Freedom of Information (FOI) Program.
A memorandum from Executive Secretary Salvador Medialdea enjoins all heads of departments, bureaus and offices to authorize the participation of their designated Data Protection Officers (DPOs) and FOI decision makers.
The meeting will be held via Google Meet at 9:00 AM – 12:00 PM on Tuesday, Sept. 22. It is dubbed the “1st Data Privacy and Freedom of Information Congress of 2020 – Balancing of Rights: Data Privacy and Freedom of Information.”
Privacy Commissioner Raymund E. Liboro said that the FOI and the DPA both uphold Filipinos’ rights and must go hand in hand in improving government processes.
“The DPA and FOI are twin skills that need to be mastered by the government to be better public servants. Freedom of Information upholds the people’s right to know, while the Data Privacy Act upholds data subject rights. Presenting these laws in the same space is a milestone proving that data subject rights and freedom of information rights belong on the same side, not in conflict with one another,” Liboro said.
Republic Act No. 10173 or the DPA mandates the protection of individual personal information in information and communications systems in the government and the private sector, while ensuring free flow of information to promote innovation and growth.
The FOI Program under Executive Order No. 02 (s. 2016) mandates public disclosure and transparency of state documents and transactions involving public interest.
The NPC intends to “continue working with the PCOO” in this matter through “subsequent activities to promote the DPA and FOI and its correct application in government services,” Liboro said.
Participants in the meeting are limited to DPOs and FOI decision makers in national government agencies.
# # #
Online Learning Guidelines Issued to Help Protect Student Privacy and Reduce Data Breaches in Schools
Before webcam-supported online discussions are recorded, schools must consider getting the consent of the parent or legal guardian of students below 18 years old, according to guidelines that a group of public and private universities and colleges across the country has issued.
The presence of the parent or guardian during these recorded sessions must also be considered, said the group, which likewise advised that the use of webcams in synchronous online classes be optional.
These are among the guidelines contained in Advisory No. 2020-1, which the Data Privacy Council Education Sector issued recently to help students, parents, teachers, administrators and other school personnel safely navigate digital spaces, as classes have shifted to online platforms to curb the spread of Covid-19.
With encouragement from the National Privacy Commission (NPC), data protection officers of a number of universities and colleges volunteered on June 26 to come up with the guidelines in the wake of a surge in security breaches of data systems of schools in the country in the first half of the year.
The security breaches stemmed from hacked portals and databases, phishing, stolen laptops, system glitches and human error, according to a report of NPC’s Data Security and Compliance Office.
Protect student privacy
Privacy Commissioner Raymund E. Liboro said the NPC “commends the education sector for coming up with an online learning guidance with data privacy at its core. Adopting technologies and online tools is a new progression of education as the pandemic continues to inhibit our movements.”
Like everything else, online learning must adhere to the data privacy law for the safekeeping of personal data, he said.
“Educational institutions must choose an online learning platform with the best security features and one that is most capable of protecting students’ privacy. Consider if the platform meets the requirements of the Data Privacy Act before letting students use them,” Liboro added.
For the conduct of personal data processing activities deemed necessary or related to online learning, the advisory emphasized accountability, information about education as sensitive personal information, legitimate interest, legitimate purpose, proportionality and transparency.
Areas of concern
The advisory lists the areas of concern it covers.
These are the use of a Learning Management System (LMS) and Online Productivity Platforms (OPP); other available unofficial supporting tools for online learning; use of social media; publication of information or files via other means or platforms; storage of personal data; use of webcams and the recording of videos of online discussions; online proctoring; and data security.
The advisory, among other things, said that:
- An announcement or posting involving personal data, such as grades and results of assignments, must be viewable only by its intended recipient/s.
- Downloading of personal data stored in the LMS or OPP should be kept to a minimum and/or limited to that which is necessary for online learning.
- Mechanisms must be in place so that submissions, such as assignments and projects, may be carried out in a safe and secure manner.
- Submissions via social media platforms are discouraged.
- Posting or sharing of personal data, such as photos and videos, on social media, must have a legitimate purpose and be done using authorized social media accounts of the school.
- Explicit consent of the student (or parent or legal guardian, in the case of minors) should be obtained before the conduct of online proctoring and the use of related tools or technologies.
The advisory also asked schools to practice limited use of supporting tools or technologies that they have not officially adopted, as there is no formal relationship between them and the developer of the tools.
The guidance is meant to be a set of recommendations and shall not be treated as a policy, since schools retain the prerogative to decide on the measures they deem appropriate.
The advisory also said that the document covered different areas relevant to online learning, but it was not intended to be an exhaustive list of such concerns. “Neither does it include issues which, while related to online learning, do not involve the processing of personal data,” it read.
The advisory can be updated periodically, as the need arises, it added.
The advisory is among the articles in the September issue of the DPO Journal. A complete copy of the advisory can also be read on the NPC website.
Schools that drafted advisory
Members of the Data Privacy Council for Education that drafted the advisory are San Beda University, De La Salle University, Ateneo de Manila University, University of the Philippines-Diliman, University of the Philippines-Manila, University of the Philippines-Cebu and Technological University of the Philippines.
Also involved are De La Salle-College of Saint Benilde, PAREF Woodrose School, Our Lady of Fatima University, University of Perpetual Help-Dalta, University of Santo Tomas-Legazpi, Central Mindanao University, Laguna State Polytechnic University, and Ateneo de Iloilo.
Launched by the NPC in 2018, the DP Council is a stakeholder-based approach for a more effective promotion of data privacy accountability across all sectors. The Council is tasked with collaborating with the NPC in the creation of privacy codes for the specific needs and conditions of every sector.
# # #
Contact Tracing Forms Must Collect Only What is Necessary
The National Privacy Commission (NPC) is discouraging the collection of signatures and other unnecessary personal information for contact-tracing forms and has called on businesses to work toward complying with data privacy standards.
The statement comes in light of inquiries and information communicated to NPC that private establishments as well as some government agencies collect signatures and other personal data that are immaterial in moving contact-tracing efforts forward.
“In every aspect of the data processing cycle, activities must observe the basic principles of transparency, legitimate purpose and proportionality,” said lawyer Stephen John Duma of the NPC Compliance and Monitoring Division.
The NPC reminded data protection officers (DPOs) of their ever-evolving duties in a fast-changing landscape, highlighting the need to update their privacy notice and manual, and re-do a privacy impact assessment against the backdrop of the health crisis.
Duma cited DPOs’ responsibility in providing a clear and accessible privacy notice that gives data subjects sufficient information on data collection, processing, storage and disposal activities to weigh out risks in giving their personal data.
“Detailed information on the relevant personal data flows must be provided. You should have a clear way of employing these activities and show in your privacy notices that they have adequate organizational, physical and technical capacity to protect data from collection to disposal,” Duma said.
The retention period and the legal or technical basis for it, where applicable, must also be disclosed.
Privacy notices must also specify the parties and authorities to whom the data will be disclosed to or shared with and for what purposes.
Duma also stressed the importance of including the DPO’s name and contact information in privacy notices in order to enlighten prospective data subjects of the establishment’s data protection measures.
“The Commission is more than willing to provide businesses and agencies the required guidance in formulating policies and implementing measures that capture the privacy and protection needs of their data subjects,” he said.
# # #
Statement of Privacy Commissioner Raymund Liboro on the PNP plan to monitor social media for quarantine violators
- The plan by the Philippine National Police to scan social media for violators of quarantine protocols must recognize the data privacy rights of individuals.
- In keeping communities safe in this pandemic, leads and evidence gathered from social media and other digital tools to enforce the law must be legally obtained.
- By monitoring social media, the police must use techniques that are not privacy intrusive. Law enforcers should be trained to use the medium effectively and reliably to build the confidence and trust of the public, especially netizens.
- It is essential for the police to allay the fears of the community by explaining the measures they employ in enforcing quarantine rules and evaluating possible violators, how they observe the rights of the citizens, and how they mitigate the risks to individuals’ privacy.
RAYMUND ENRIQUEZ LIBORO
COA’s auditing procedures not restricted by data privacy law, says Privacy Commission
- The Data Privacy Act (DPA) does not obstruct the functions of public authorities.
- The DPA is not a restriction on the Commission on Audit (COA) gaining access to the personal information of data subjects collected by Philippine Health Corp. (PhilHealth).
- Personal data to be accessed shall be adequate, relevant, suitable, necessary, and not excessive in relation to its declared and specified purpose of processing.
The National Privacy Commission (NPC) has provided guidance to PhilHealth, through Advisory Opinion No. 2020-016, on the COA gaining access to the personal information that the state-run health insurance agency has collected from data subjects. The opinion was issued in response to PhilHealth’s request for guidance on a COA memorandum.
The memorandum states that the DPA does not absolutely prohibit the COA from gaining access to information because the law has exceptions, and that those to be audited cannot deny state auditors the information by invoking the privacy law.
While it acknowledged COA’s constitutional mandate to examine resources owned or held in trust by the government, PhilHealth expressed concern that the manner to be employed by the COA in acquiring personal information under its custody and safekeeping, if done through remote access or database cloning, may lead to a personal data breach.
Privacy law not an impediment
In Advisory Opinion No. 2020-016, the NPC reiterates that the DPA does not obstruct the functions of public authorities.
Processing of information to carry out the functions of the authorities as part of a constitutional or legal mandate, subject to restrictions, “is one of the instances where the application of the DPA and its implementing rules and regulations (IRR) is qualified or limited,” the NPC said.
Privacy Commissioner Raymund E. Liboro, who signed the advisory opinion, said the data privacy law was not aimed at hampering or interfering with the performance of the duties and functions of public authorities, such as the COA.
“It falls on COA and its sound judgment in determining what methods to use in the collection or gathering of personal data to perform its auditing functions,” Liboro said.
If the audit agency’s methods in gathering personal data do not violate the provisions of the DPA, the presumption of regularity in carrying out its official duties stands, the NPC chief said.
“Still, it is the responsibility of public authorities as a personal information controller to adhere to the general data privacy principles under the law,” he added.
While it must determine the scope and method of auditing, including gathering personal data from auditees, the COA must abide by the principle of proportionality laid out by the DPA and its IRR, according to Liboro.
In processing personal data, the COA, he said, must ensure that “the personal data collected and processed shall be adequate, relevant, suitable, necessary, and not excessive in relation to its declared and specified purpose, and that personal data shall be processed only if the purpose of the processing could not reasonably be fulfilled by other means.”
# # #
Transcending Regulatory Role: Data Privacy Authorities’ Massive Influence in Establishing Public Trust in a Crisis
Members and observers of the Global Privacy Assembly’s (GPA) COVID-19 Taskforce, which the National Privacy Commission (NPC) chairs, have tagged contact tracing as the biggest area of challenge for data regulators around the world, more so as economies gradually open up and more tracking efforts are launched.
In his opening speech at the recent joint webinar of the Taskforce and the Centre for Information Policy Leadership (CIPL), Commissioner Raymund E. Liboro said that a survey conducted by the Taskforce showed that contact tracing and location tracking ranked as the most pressing privacy issue for many jurisdictions and organizations globally.
“As one of the new emerging challenges confronting us, contact-tracing applications pose questions on proportionality and transparency requirements, privacy issues on location tracking and surveillance, and whether privacy by design approach figured in the development of these applications,” Liboro said.
“Data Protection Reimagined: Digital Acceleration, New Emerging Issues and the Role of Privacy Regulators in the COVID-19 Era” was the title of the joint meeting where discussions revolved around how the pandemic has intensified the use and role of data to respond to the health crisis, as well as the evolving role of data privacy authorities.
“Our data subjects need us now more than ever. Our roles as data privacy authorities are significant in protecting individuals' personal information and fostering privacy rights, especially during this time,” Liboro said.
Liboro emphasized the critical role of data privacy regulators in preventing misuse of personal data, the collection and processing of which may go beyond what these were initially intended for if epidemiological authorities are not guided on the technical and practical approaches for using and safeguarding them.
“Regulators do not have to learn only the technical functionality of contact-tracing technologies, but we must also understand its effectiveness and impact on our data subjects. We must let them know that we are their guide in all matters related to data privacy and data protection,” he said, adding the NPC is closely watching local and international privacy-related developments.
“We are here to provide them with the most relevant bulletins, guidelines, and best practices for emerging data privacy concerns,” he added.
Dr. Caroline Buckee, associate professor for epidemiology at Harvard University, joined the CIPL-GPA joint meeting where she emphasized the need for policymakers to have more understanding of how to translate raw data into useful insights, narrowing the need for more data to only the important bits.
“We've seen a really interesting sea change where from January onwards, there were companies who really want to share data and policymakers want all the insights,” Buckee said, citing the growing sources of data, such as credit card transactions and the burgeoning ad tech industry.
“But there’s this massive disconnect because more data isn't always good. The data must be rounded in a very clear epidemiological goal and we need to understand how policy makers can use it and there’s a huge heterogeneity in the capacity of policy makers to take in data and use it in a sensible way. And we’ve seen that everywhere in low- and high-income settings where there’s this capacity issue on the policy end,” Buckee said.
Guiding economies to recovery
Singapore’s Personal Data Protection Commission Assistant Chief Executive Zee Kin Yeong, also among the discussants, encouraged governments to reexamine data protection principles, particularly the accuracy obligation, and find ways to make it more relevant for businesses.
“One thing that we’re starting to think harder about is how can we reinterpret the principle of accuracy obligation. I don't see too much discussion about it. We need to spend some time thinking of the importance of accurate data and encouraging businesses to use the right business intelligence tools to be able to get the correct insights. And how do we translate this accuracy obligation in a way that will resonate with the companies in this point in time who are trying to make good business decisions... so that they are able to get to the road of recovery and stay on the road of recovery,” Zee Kin said.
Zee Kin also urged governments to begin looking at how to go about cross-border data exchanges in anticipation of the resumption of international travel.
“As economies repower, and international travel comes to mind, what we need to start considering is how do we facilitate the exchange of data, a collaboration of contact-tracing efforts for international travelers, so that we can assist the recovery of our economies,” he added.
Public trust through transparency
“Public trust is vital in effectively rolling out contact-tracing mechanisms and other digital solutions. Trust will only happen if our citizens are convinced that their data is processed fairly, lawfully and securely,” Liboro said.
A transparent data ecosystem is where the collection and processing purposes, risks, storage and disposal terms are laid clearly, he said, adding that collectors of data must abide by the agreed terms and seek new consent for future changes.
Where public trust is tarnished due to poor observance of data privacy and protection standards, privacy regulators should hold authorities and other authorized controllers accountable, according to the NPC chief.
Liboro also called on intensified collaboration as data privacy challenges were expected to rise amid the gradual opening up of the economy.
“We must continue creating knowledge and share best practices as a global community, and develop the confidence to declare to our governments and citizens that public health and personal data protection are on the same side in this time of pandemic,” the COVID-19 Task Force chair added.
# # #
DATA PRIVACY ACT is not a hindrance in contact tracing
- Hospitals have the duty to disclose the necessary COVID patient details to LGU contact tracers following the DOH guidelines.
- COVID patients should be truthful in providing accurate personal details.
- In this pandemic, public health and data privacy are on the same side.
The National Privacy Commission (NPC) reiterates that the Data Privacy Act (DPA) is not a hindrance to contact tracing initiatives, saying that it seeks to protect individuals from discrimination, harassment, and acts of social vigilantism amid the COVID-19 pandemic.
“We want to clarify that the DPA does not prevent hospitals from sharing a COVID-19 patient's data to proper authorities. The law recognizes the guidelines set by DOH on contact tracing procedures that hospitals, LGUs, and contact tracers must follow. In this pandemic, public health and data privacy are on the same side,” Privacy Commissioner Raymund E. Liboro said.
"The DPA should not be used as an excuse for not providing COVID patient data necessary for LGU contact tracing that we need to combat the pandemic," Liboro said, noting that hospitals were mandated to collect information from patients and provide it to the authorities under the guidelines set by the Department of Health (DOH). "Likewise, we call on the individuals affected by COVID to be truthful when providing accurate health information," he added.
Department Memorandum 2020-0189 of the DOH, or the Updated Guidelines on Contact Tracing of Close Contacts of Confirmed Coronavirus Disease Cases, says that “health facilities, public and private, shall cooperate fully with the DOH - Epidemiology Bureau and its regional and local counterparts by ensuring that Local Contact Tracing Teams (LCTTs) are provided access to medical records, facilitating case interviews, and conducting other case investigation and contact tracing activities.” When providing training to LCTTs, local government units must include the secure handling of the personal data collected.
Liboro emphasized that public and private health institutions, companies, and individuals involved in the COVID response must “collect and process what is necessary and disclose data only to the proper authorities.”
“The NPC has provided public health emergency bulletins, advisory opinions as guidance for personal information controllers, especially healthcare providers. Our Commission has been coordinating closely with the Department of Health to ensure that the DPA will not be an obstruction in the proper conduct of contact tracing," the NPC chief said.
In Advisory Opinion 2020-022, a response to the request of the Private Hospitals Association of the Philippines, Inc. for clarification of contact tracing protocols, the Commission cited as bases the DOH’s Updated Guidelines on Contact Tracing, which limits the disclosure of COVID-19 personal data, and the DOH-NPC Joint Memorandum Circular (JMC) on the Privacy Guidelines on the Processing and Disclosure of COVID-19 Related Data for Disease Surveillance and Response.
The guidelines provide that disclosure of patient identifiers or data is allowed but limited only to authorized entities, officers, and personnel.
Any disclosure must serve "a public purpose or function" that would allow relevant authorities to reach those who may have come into close contact with a COVID-19 positive individual so they may be promptly alerted and provided preventive counseling or care.
The guidelines prohibit disclosure of names and other personal identifiers that can single out a patient to the public, the media, or any other public-facing platforms without the patient's written consent or his/her authorized representative or next of kin.
Risks of publicly naming infected individuals
The DOH and NPC advise against publicly naming data subjects suspected of having contracted COVID-19 or confirmed positive for the disease connected with contact tracing efforts.
"Publicly naming an infected individual is equivalent to putting a person’s life at risk, given the physical assaults and discrimination which suspected or confirmed individuals had experienced. Fearing possible harassment and stigma, people may hide their true conditions, leading to lost opportunities in tracking the disease and contact tracing. The policy is counterproductive, will not result in better contact tracing, and will put more lives of front liners at risk," Liboro said.
The latest NPC advisory opinion on contact tracing reiterated that those collecting and processing data must be fully aware of the principles laid out by the DPA, and that personal data in records, whether obtained manually or digitally, must be securely disposed of once the purpose of its collection has been achieved.
Liboro also reasserted the points in NPC Bulletin No. 3 issued in March.
"Again, the DPA is not a hindrance to contact tracing efforts and the guidance it provides is necessary, especially in these unfamiliar times, to preserve the basic right of people to data privacy and protection, and build trust,” he said.
# # #
Privacy Commission limits disclosure of personal information in publication of decisions
To set privacy measures to a maximum and better ensure the safety of data subjects, the National Privacy Commission (NPC) will now pseudonymize their names in cases it publishes on its website.
This is enforced through the Commission's issuance in June of Advisory 2020-01, or the "Protocols for the Publication of Decisions, Resolutions and Orders on the NPC Website."
The advisory specifically prohibits the disclosure of complete names of data subjects in a case and orders that pseudonymized initials replace the names instead. In cases where the mention of the address is material, only the province or city shall be cited.
To pseudonymize something is to anonymize or replace it with artificial identifiers.
“Publishing our cases to the public not only promotes transparency but also contributes in educating the public of data privacy. However, to better perform our mandate of protecting data subjects, we found the need to further sanitize published case decisions of personal information that distinctly identify a data subject,” NPC Commissioner Raymund E. Liboro said.
“This will prevent any possible safety risks posed by the disclosure of personal information,” he added.
In addition to pseudonymizing published cases, the NPC will also limit the publication of cases, orders and resolutions that have not been disposed with finality.
Specifically, these cases include:
- Those decided on the basis of compromise agreements, mediated settlement agreements, quitclaims and other modes of alternative dispute resolutions, as these are not decided on the basis of merit and therefore lack teaching value for the public.
- Interlocutory decisions, orders and resolutions that do not dispose of the case or breach notification with finality.
- Decisions, orders and resolutions that may be subject of a motion for reconsideration, unless the reglementary period to file such has lapsed.
Notwithstanding the enumeration of unpublishable cases, the guidelines still provide the Commission its own discretion to publish certain decisions, orders and resolutions where public or educational interests prevail.
# # #
Privacy Commission now allows e-hearings
The National Privacy Commission (NPC) has adopted videoconferencing to reduce the risks of coronavirus infections posed by face-to-face hearings.
Advisory 2020-02, or the "Guidelines on the Use of Videoconferencing Technology for the Remote Appearance and Testimony of Parties Before the NPC," took effect on the day it was issued, 3 August.
The guidelines detail the proceedings and the proper conduct of e-hearings and post-hearing activities.
"Videoconferencing will enable the NPC to maintain a safe workplace while ensuring a continuous delivery of our service. This can also provide stakeholders convenience and cut down on their travel cost," NPC Commissioner Raymund Liboro said.
The e-hearings can be conducted for all quasi-judicial proceedings, such as discovery conferences, summary hearings, mediation conferences, investigations and clarificatory hearings.
Parties to the complaint or investigation who may wish to avail themselves of e-hearing shall express their written consent in the manner prescribed in the new guidelines.
"Rest assured that e-hearings shall be conducted in a secure and reliable videoconferencing platform, and that standard practices on collection, storage and disposal of personal data are observed," Liboro said.
# # #
Data privacy leaders support President Duterte’s call for safer e-commerce, e-governance
Data privacy advocates in the public and private sectors, including those from the manufacturing, banking and BPO industries, have expressed support for President Duterte’s call for safer e-commerce and e-governance spaces in his fifth State of the Nation Address.
“President Duterte's thrust to protect consumers' personal data, and enforce data protection and privacy laws will surely boost online retail which will impact manufacturers,” said Gela Boquiren, data protection officer (DPO) of conglomerate San Miguel Corp.
“With the National Privacy Commission (NPC) at the forefront, DPOs from all sectors will work as one to achieve this milestone,” Boquiren added.
Maria Francesca Montes, DPO of Unionbank, said the bank supports “the President in his official call to protect personal data of Filipinos, especially in this time when most are vulnerable in the digital space.”
Responsible data stewards
In his address to the joint session of Congress on July 27, the President said: “We must continue to protect Filipinos in the new normal and remind the world that we are responsible stewards of data. I am committed to protect both the physical and digital lives of our law-abiding countrymen.”
He said the country’s cyberspace must be patrolled, and online consumer and data protection and privacy laws enforced. “We must run after online scammers and those undermining the people’s trust in online transactions.”
The President further said: “The national government shall lead the way in our transition to online systems. I reiterate my call for all government instrumentalities to implement systems that shall make physical queuing a thing of the past.”
People have been flocking to the digital space to conduct transactions, as the COVID-19 pandemic disrupts physical activities.
“The current pandemic has caused many of our countrymen to transact electronically with far greater frequency than before,” managing partner of Disini Law JJ Disini said.
Disini said Filipinos’ “ability to transact without fear of fraud or any harm is essential not only for their own safety but to further the growth of e-commerce.”
He described as timely the President’s decision “to recognize the important role data privacy will play not only in protecting our people but promoting economic development.”
The Contact Center Association of the Philippines (CCAP) is in harmony with the NPC in promoting data privacy and protection as a tool in nation building and economic prosperity, said Tonichi Achurra of CCAP.
“The contact center sector and the rest of the IT-BPM industry have long been stewards of data protection. It is an essential part of our business model and the fact that the Philippines is global leader in this space is testament to the trust placed on us by countless international clients,” Achurra added.
The President’s statement reflects the NPC’s commitment to ensuring the safety of Filipino consumers as they shift to online transactions amid the pandemic.
"Building trust by protecting data privacy is key to ensuring the success of e-commerce, e-governance, and e-learning enunciated by President Duterte, as the country migrates to the digital arena," Privacy Commissioner Raymund Liboro said.
Liboro added that "enforcing laws that protect online consumers against hackers and scammers could further build the confidence of the country's international partners in our information systems, a development that would help boost the economy and provide jobs to our people."
He said the President’s commitment to protect the physical and digital lives of Filipinos was in line with meeting the goals of “a high-trust and resilient society” envisioned in the Philippine Development Plan.
‘New oil,’ global standards
His reminder to the world that Filipinos are responsible stewards of data is a clear message that the President recognizes data as the “new oil” and that he is committed to global standards on protection and privacy, according to the NPC chief.
Liboro added that the President’s statement further cements his support for the BPO industry and his confidence in the Filipinos’ ability to compete globally in the digital space.
Role in global privacy landscape
The Philippines, through the NPC, has been making strides in the international and local data protection and privacy landscape.
As of March this year, the country is an official participant in the APEC Cross-Border Privacy Rules (CBPR) system, making it the 9th member-economy in the region alongside the United States, Mexico, Canada, South Korea, Singapore, Chinese Taipei and Australia.
“Our entry into the APEC CBPR System is a huge milestone for the Philippines. With the easing of data-flow barriers that the system affords us, we could soon expect Philippine trading opportunities across APEC economies to significantly expand, thus help contribute to regaining losses sustained by the economy due to the COVID-19 crisis,” Commissioner Liboro said.
As a participant in the APEC CBPR system, the NPC is expected to identify at least one accountability agent whose role shall be to assess and certify the compliance of local companies with CBPR standards.
By becoming CBPR-certified, Philippine companies gain entry to a much larger market at reduced compliance costs in matters pertaining to cross-border data transfers.
In turn, they are required to protect personal data through enforceable standards, accountability, risk-based protections, consumer-friendly complaints handling, consumer empowerment, consistent protection, and cross-border enforcement cooperation.
The NPC is also gearing up for the launch of “Kabataang Digital,” an advocacy campaign under PSST! (Privacy, Safety, Security and Trust) Online that promotes a safe online environment for the youth.
“Kabataang Digital” encourages data protection for children by enjoining school officials and parents in educating their children on appropriate digital citizenship, promoting safe choices, and elaborating the implications of the digital environment for children’s privacy rights.
“Kabataang Digital” is on YouTube. The NPC is currently coordinating with various partners for the campaign’s launch.
# # #
Statement of Privacy Commissioner Raymund Enriquez Liboro on the disclosure of details surrounding BuCor’s COVID-19 cases
The Data Privacy Act is not a cloak for denying the public's right to know.
High-profile inmates like Jaybee Sebastian had become public figures on account of their previous association with particular national issues in the past.
There is a justified public interest to release information like details surrounding the deaths from COVID-19 of these high-profile inmates, especially when the personal information being sought is linked to issues already on the minds of the public.
RAYMUND ENRIQUEZ LIBORO
# # #
Privacy Commission Pushes Restaurants, Barbershops, and Salons to Adopt Data Privacy Measures in Contact Tracing
The National Privacy Commission (NPC) reminded business establishments to take on data privacy and security measures, as prescribed by the Data Privacy Act (DPA) of 2012, as they conduct contact-tracing efforts.
In NPC Bulletin 15 released yesterday, 8 July 2020, businesses, particularly restaurants, salons and barber shops, were told to collect only what is necessary.
They were also advised to provide easy-to-understand information to data subjects on the purpose of the collection, and to implement measures to ensure that the personal data they gather do not fall into the wrong hands.
The NPC also asked establishments to use the information only for purposes declared before the collection. Should there be a need to use the information for other purposes, businesses are expected to contact data subjects to seek their consent.
As establishments are responsible for complying with the DPA, owners and top management must remind their staff as well as third-party service providers, such as security personnel, that using the personal data of customers or visitors for any other purpose is punishable under the law.
The NPC also reminded businesses that all personal data collected for the purpose of contact tracing will be retained only for a period allowed by existing government issuances, in this case Department of Trade (DTI) Memorandum Circular (MC) 20-28, s. 2020 or “Guidelines to Follow on Minimum Health Protocols for Barbershops and Salons” and DTI MC 20-37, s. 2020 or “Guidelines to Follow on Minimum Health Protocols for Dine-in Restaurants and Fastfood Establishments.”
Once these rules are no longer in force, all personal data collected for their purposes should be disposed of in a secure manner that would prevent further processing and/or unauthorized access or disclosure.
# # #
NPC Initiates Code of Conduct to Guide Schools Amid Shift to Online Education
The National Privacy Commission (NPC) is working closely with various universities and colleges to create a Code of Conduct that will guide and enable school management, teachers, students and parents to cultivate a data privacy-conscious environment, especially as most activities are done online amid the quarantine.
"The planned Code of Conduct will set the standard policies and measures schools must adopt to prevent data breaches and be able to act accordingly in such occurrences," Privacy Commissioner Raymund E. Liboro said at a Friday meeting with more than 40 data privacy officers from various schools across the country.
"Setting clear-cut guidelines is crucial today as the pandemic has compelled most businesses to migrate online. As this is uncharted territory for many, including the education sector, intensified guidance and awareness on data privacy and security practices must be provided to all," Liboro added.
At the meeting, the NPC gathered a handful of volunteer-partners to work on the guidelines. Among them were the DPOs of Ateneo de Manila University (AdMU), Ateneo de Iloilo, Batangas State University, Central Mindanao University, De La Salle College of Saint Benilde, De La Salle University (DLSU), Laguna State Polytechnic University, and Lyceum of the Philippines University.
Also volunteering were Manila Central University, San Beda College-Alabang, San Beda University, Technological University of the Philippines, University of Sto. Tomas Legazpi, University of the Philippines (UP) Cebu, UP Diliman, UP Manila, and University of Perpetual Help System DALTA.
The Commission welcomes more volunteers as it aims to complete the Code of Conduct before the opening of school year 2021-2022.
Learning from the recent hacking surge
In light of the recent wave of breaches at universities and colleges, the NPC reports that the education sector's breach notifications for January to June surged to 19, already exceeding the 18 notifications received for the whole of 2019, and the number is likely to grow for the rest of the year.
“We see this trend in the education system to continue as we migrate our processes online,” said the Commission's Data Security and Compliance Office (DaSCO) Officer-in-Charge Director Khane S. Raza.
DaSCO data showed that 69% of the notifications were due to malicious attacks, broken down into hacked portals (73%), phishing (18%) and stolen laptops (9%). Meanwhile, 19% of the first semester's incidents were due to system glitches and 12% to human error.
The Commission has observed that the events exposed schools' lack of effective detection systems and of awareness on breach notification procedures.
"The events exposed campuses' data security vulnerabilities, which demonstrate insufficient adoption of measures at the prevention level. On reporting, many breach notifications failed to be exhaustive. Details such as the nature of the breach and the scope of the damage could have enabled them to identify the best remedial measures to contain the negative impacts of the breach," Liboro said.
As such, the following are the recommendations of the Commission:
- Create a data-breach response team, which will be responsible for creating and implementing an incident-response procedure. This will help schools contain the impact of the breach and immediately restore integrity to the information and communications system.
- Create policies and implement them effectively to prevent or minimize breaches and ensure timely discovery of a security incident.
- Conduct security audits and tests, such as privacy impact assessment, source-code audit, vulnerability assessment and penetration testing, especially when there are changes in conditions that warrant a review of data privacy and security policies.
Danny Cheng, DLSU DPO, said tests were effective preventive measures, likening it to the importance of COVID-19 testing.
"Continuously invest in testing like in COVID. At least you'll know the possible holes which are visible or can be taken advantage of by hackers. The actions you may take after will depend on your own mitigating capabilities and resources," Cheng added.
- Proactively explore and adopt measures that can help prevent intrusions. This includes investing in secure web applications and automated detection systems where practicable given their available resources.
Liboro said the Code of Conduct to be crafted for the education sector would build on these recommendations, which the Commission had thoroughly studied. He added that the Commission would take a consultative approach so that the Code captures and addresses the realities on the ground as accurately as possible.
Schools intensify awareness efforts
AdMU DPO Jamael Jacob shared how his office has ramped up its awareness campaign for the University community given the growing number of security incidents that involve schools.
"Because of this recent turn of events, we've made a conscious effort to ante up the release of our reminders. To make them more accessible to people, we converted them into infographics, particularly those relevant to work-from-home arrangements like the proper use of emails,” Jacob said.
“So far, the feedback is positive. We hope, eventually, we can change the behavior and culture of our community," he added.
Elson B. Manahan, UP-Diliman DPO, said his university was also intensifying its awareness campaign by rolling out numerous policies for guidance.
"We have issued several guides on how professors and management can safeguard their systems as they work from home. We coordinate and will continue to coordinate with the Commission, especially as we embark on formulating an industry-wide Code of Conduct. This goes to show that the Commission is making education a priority sector and we appreciate it," Manahan said.
Commissioner Liboro affirmed that the NPC would continue to focus on the education sector, as it makes up 17% of the breaches received in the first half of the year.
"We hope that all of us will come out of the recent ordeal wiser and more intent to create breach-proof systems within our campuses. We fervently hope that the outcome of this future work, this Code of Conduct, will prevent a repeat of the dangerous event that caused panic and fear among several data subjects," he said.
"We also hope that this Code of Conduct in the education sector will be a best practice for other sectors to replicate."
# # #
Privacy Commissioner Liboro on FaceApp: Do Not Be Afraid Of New Technologies
The National Privacy Commission (NPC) has conducted an assessment of FaceApp, a mobile application that trended again on social media in the past week because of privacy concerns over its face-altering capability.
Users have been uploading their selfies on FaceApp for entertainment purposes. Through facial recognition technology, the app modifies photos according to certain presets or filters, such as gender swapping and age manipulation.
Upon assessment, the NPC found significant differences between the 2019 and 2020 versions of FaceApp’s privacy policies. The NPC first assessed the application in August 2019, while a second privacy assessment was conducted on June 23 this year.
Third-party cloud providers
To process and edit photographs, FaceApp disclosed that it was using third-party cloud providers, Google Cloud Platform and Amazon Web Services.
Only photographs specifically selected for editing are uploaded to the cloud, where they are temporarily cached during the editing process and encrypted using a key stored locally on the user’s mobile device.
Opting out, permissions
In contrast to the 2019 version, the 2020 version provides users with choices, such as opting out, device permissions, cloud processing, cookies, targeted online advertising, choosing not to share one’s personal information, and third-party platforms.
The assessment has also found that the 2020 FaceApp version no longer requires users to disclose their mobile number and Facebook login information for identity verification.
The Privacy Commissioner’s reminder to the public
In general, the NPC reminds users to take precautions before uploading selfies and other photos to social media. If abused or misused, these seemingly harmless actions may expose users to data privacy risks, such as unauthorized access, processing and malicious disclosure due to negligence.
“Do not be afraid to explore new technologies but use it with caution. Report abuse if any,” Privacy Commissioner Raymund E. Liboro said. “The public must not immediately give in to privacy panics. Rather, we should read and learn how to analyze privacy notices and policies. Ask yourself, is the app and developer being fair by providing choices and notices? These privacy notices are the window to transparency on how companies and developers will protect your data and rights,” he added.
The NPC is also reminding companies of their responsibilities over face-recognition activities on their platforms, including preventing the abuse or misuse of their customers’ personal data.
# # #
PH to lead global privacy taskforce on COVID-19
- The National Privacy Commission (NPC) is leading the newly formed COVID-19 taskforce of the Global Privacy Assembly (GPA), instituted to guide 134 jurisdictions around the world in enabling effective government response to the pandemic while continuing to protect citizens’ personal data and privacy.
- Privacy Commissioner Raymund Enriquez Liboro commenced his chairmanship of the taskforce in an inaugural meet last 26 May, coinciding with the Privacy Awareness Week (PAW) 2020.
- “Our aim for this taskforce is to examine current privacy concerns, while finding the right balance between supporting innovation to combat the pandemic and ensuring people’s personal data and information rights are respected. We will draw on the expertise of our membership and stakeholders to provide useful insight on common challenges,” Liboro said.
- The taskforce aims to drive practical responses to privacy issues emerging from the pandemic, as well as to assist its membership with insight and best practices. Initially, it will focus on two strategic fronts: data protection for contact tracing applications, and privacy in a post-crisis landscape where countries begin to ease their COVID-19 restrictions.
- “We have seen that personal data and technology have become essential in helping governments respond to the COVID-19 pandemic. From contact tracing and disease surveillance applications, to COVID-19 testing as people start going back to the workplace, data protection and privacy have never been more important,” Liboro said.
- In a message, GPA Chair Commissioner Elizabeth Denham thanked Liboro for accepting the new role to lead the taskforce.
- “The Philippines was a great example of a country where the privacy commission had been able to work with national authorities and others in efforts to combat the pandemic, exercising its role as both enabler and protector of citizens’ personal data. As a member of the GPA Executive Committee which had decided on establishment of the Taskforce, Commissioner Liboro was already bringing his customary energy and vision to the new role,” Denham said.
- The taskforce is composed of members from Europe, Asia, North America, the Middle East, Australia and New Zealand. In addition, it also includes international organizations as observers, such as the International Committee of the Red Cross and the Organization for Economic Co-operation and Development.
- Formerly known as the International Conference of Data Protection and Privacy Commissioners (ICDPPC) and established in 1979, the Global Privacy Assembly is the premier global forum for data protection and privacy authorities.
- Meanwhile, the NPC marked the celebration of PAW 2020 in the country with the holding of the 3rd National Data Privacy Conference via a mass video conference last Friday, attended by some 2,000 online participants, many of whom are registered Data Protection Officers.
- Dubbed “Enabling Trust in the New Normal: Reimagining Privacy in the Time of Pandemic,” the live online conference discussed how organizations may retain data subject trust as they adapt to changes under the new normal. This involves the adoption of better defenses against continuing attempts of cyberattacks on the sensitive personal data of the public in the time of pandemic.
# # #
PAW 2020: NPC calls for privacy boost amid quarantine easing
As the government gradually eases quarantine restrictions in the country, Filipino privacy professionals and advocates on Friday gathered virtually for the 3rd National Data Privacy Conference to discuss how organizations may best navigate the emerging new normal to ensure data subject trust remains intact.
Speaking to some 2,000 online participants, many of whom are registered Data Protection Officers (DPOs), Privacy Commissioner Raymund Enriquez Liboro urged the adoption of better defenses against growing attempts at breaching the walls protecting sensitive personal data of the public in the time of pandemic.
“Many of the coping and mitigation measures to deal with the pandemic involve the use of personal data,” Liboro said in his opening remarks at the half-day virtual conference titled “Enabling Trust in the New Normal: Reimagining Privacy in the Time of Pandemic.”
“While some aspects of data processing may have changed due to the state of public crisis, the basics remain the same – people’s sense of trust that their data is in good hands will largely determine our level of success with those measures,” he added.
Organized by the National Privacy Commission (NPC) in celebration of the Privacy Awareness Week (PAW) 2020, the online event also gained over 11,000 views on a social media platform.
Liboro’s call for reinforced privacy safeguards comes as cyberattacks are showing no signs of abating.
18 million phishing attacks daily
Panelist Raymund Nuñez, an adjunct professor at the Electrical and Engineering Institute of UP Diliman, noted that Google was blocking 18 million daily phishing attacks.
The conference took place just hours after PLDT’s broadband customer service account on Twitter was hacked, endangering the personal data of more than 100,000 followers and as many accounts.
“We have preliminary findings,” PLDT DPO Leah Camilla Jimenez, also a panelist, said of the breach. PLDT is required to submit a report to the National Privacy Commission about the breach as part of the protocol under the Data Privacy Act.
Jimenez said that trust was connected to the safekeeping of information and that “the trustworthiness of a company and the DPO will be tested all the time, especially today.”
Citing Frank William Abagnale Jr., a con man turned international cyber security expert, EastWest Bank DPO Manuel Joey Regala said it was four times easier to hack today.
DPOs must adapt like the insect-eating chameleon as the environment changes abruptly “so we can hunt hackers,” said Regala, also a panelist. “The hacker is to the DPO as the insect is to the chameleon.”
PPEs for DPOs
Borrowing a term commonly used during the pandemic, he said DPOs must be equipped with PPEs, referring to personal knowledge, process and equipment.
Personal knowledge includes having timely awareness of current threats and phishing attacks, while process involves adopting policies and guidelines, according to Regala.
He said equipment would refer to a secured Wi-Fi connection and a VPN, which hides one’s location, as well as multifactor authentication, hard-disk encryption, and data-leak and advanced-threat protection.
San Miguel Corp. DPO Gelalyn Boquiren shared her insights on the impact of the pandemic on the retail and manufacturing sectors, and on data subjects.
Boquiren said many activities in retail and manufacturing could be done at home save for the actual making of goods.
She observed that the retail to customer cycle had become more digital and more secure.
Princess Lou Ascalon of IBM Philippines said that clients had demanded the names of PUIs (persons under investigation for the new coronavirus) among BPO employees. But because of the guidelines issued by the NPC and the Department of Health on contact tracing, IBM decided to tell the clients only about the presence of PUIs, without disclosing their names.
“Data privacy has never been more important than today for consumers and businesses,” Ascalon said.
“Data trust marks are important for businesses and coveted by those who don’t have it,” she added.
In his remarks, Liboro said: “PAW 2020 is all about exploring how government and private organizations may win and maintain trust amid the changing times and the emerging new normal.”
PAW 2020 is annually celebrated every May 25 to 31, pursuant to Presidential Proclamation No. 527 signed by President Rodrigo Roa Duterte in 2018. It is observed in recognition of the “need to inform and educate the public about data privacy, data protection and fair information rights and responsibilities as part of reinforcing the efforts of the NPC in protecting personal data and ensuring the Philippines’ compliance with international standards set for data protection.”
Highlights of the video conference may be viewed at paw2020.privacy.gov.ph, while the full recording is available for replay at facebook.com/privacy.gov.ph.
# # #
Official message from Privacy Commissioner Raymund Enriquez Liboro, regarding the reported hacking of PLDT’s Twitter account:
“The NPC has data breach notification protocols in place which we expect companies to follow. PLDT has a working data protection team that should be on top of its data breach response looking into this incident. We are awaiting their official report on the matter. And should this incident give rise to a real risk to the rights and freedoms of data subjects, then they are required to notify all the data subjects affected so they can take the necessary measures to protect themselves against the possible effects of the breach.”
RAYMUND ENRIQUEZ LIBORO
# # #
NPC issues ‘work from home’ guidelines to safeguard personal data
The National Privacy Commission (NPC) is instructing public and private organizations to ensure the protection of personal data as they implement a work from home (WFH) setup with their employees, an arrangement that will likely remain part of the ‘new normal’ as the country continues to manage the COVID-19 crisis.
In NPC PHE Bulletin No. 12 released to media, the NPC acknowledged WFH as a feasible management solution supportive of government calls for continued social distancing. The agency, however, warns organizations that the setup is not risk-free. To make WFH sustainable, personal data should be accorded the same high level of protection as required by the Data Privacy Act of 2012.
“Given the public health emergency (PHE) that the country faces, the National Privacy Commission (NPC) supports the adoption of the WFH setup as a viable strategy to balance the need to preserve the health and well-being of an organization’s workforce with the need to continuously operate and provide services to the public,” said Privacy Commissioner Raymund Enriquez Liboro.
The WFH setup can be considered a type of telecommuting. Republic Act 11165, or the Telecommuting Act, defines telecommuting as a “work arrangement that allows an employee in the private sector to work from an alternative workplace with the use of telecommunications and/or computer technologies.”
In its WFH guidelines, the NPC said organizations opting to implement telecommuting as part of their Business Continuity Plan should implement well-defined security measures. These include active measures to avoid unauthorized access to, and improper disposal of, documents containing personal data, among others.
# # #
NPC PHE BULLETIN No. 7: Official Statement of the National Privacy Commission on Calls for Patients to Waive Privacy Rights, Publicly Disclose Health Status
Amid the public health crisis, we have been hearing calls from certain quarters for patients to temporarily set aside their data privacy rights, as though doing so makes for a robust weapon in overcoming this pandemic. In this war that is testing our humanity and values, it should be emphasized that protecting privacy rights is tantamount to protecting lives.
The Data Privacy Act of 2012 (DPA) is not a hindrance to the COVID-19 response. There are enough provisions in the law to allow contact tracing, treating patients, and addressing threats while guaranteeing the privacy that COVID-19 positive patients, persons under investigation (PUIs), and persons under monitoring (PUMs) expect.
Republic Act No. 11332 (An Act Providing Policies and Prescribing Procedures on Surveillance and Response to Notifiable Diseases, Epidemics, and Health Events of Public Health Concern) mandates patients, PUIs, and PUMs to be fully transparent and truthful to the Department of Health (DOH), our hospitals, and other pertinent public authority on the personal data (travel and medical history, etc.) requested from them. Such information will be material for health and local institutions to treat them and/or properly contain the spread of the infectious disease in a timely manner.
Where they fail to cooperate, as when they refuse to provide details or conceal required information, patients can be penalized with imprisonment and hefty fines under RA 11332.
In addition, the DOH has set management protocols requiring every health institution to triage patients in emergency rooms according to their conditions. These protocols are in place and designed to keep our health workers safe.
On sharing with other authorized public authorities, the DOH may do so subject to the limitations that the sharing is (a) pursuant to a public function or a public service, (b) based on the constitutional or statutory mandate of the DOH and/or the other public authorities, (c) strictly following set protocols and processes, (d) ensuring the security of such shared information, and (e) upholding data subjects’ rights.
With respect to sharing medical information of individuals to private health institutions, the Health department would be in the best position to determine if such is consistent with the provisions of RA 11332 and other applicable protocols in a pandemic.
The joint plea of the Integrated Bar of the Philippines, Philippine Medical Association and Philippine College of Surgeons quoted a recent bulletin of the National Privacy Commission (NPC). We clarify that the statement was made in connection with our appeal for the release only of “trusted and verified information,” especially during an “unfamiliar global pandemic.” It was never meant to support any request for the voluntary waiver by COVID-19 patients, PUIs and PUMs of the confidentiality of their medical condition.
We remain firm in our stand that authorities and institutions should collect only what is necessary and share information only to the proper authority.
On the call for patients, PUIs and PUMs to share, or consent to the sharing of, their personal data with the general public for contact tracing, we affirm our stand that doing so may not be as helpful to contact tracing interventions as assumed, since it can only induce fear among these individuals given the multiple reports of physical assaults, harassment, and discrimination endured by patients, PUIs, PUMs, and even health workers. These threats to their safety and security may discourage them from reporting their symptoms to public authorities, taking confirmatory tests, and submitting to treatment.
If a patient, PUI, or PUM himself or herself would want to disclose such information, as what some public figures have done, that is their personal choice.
On seeking consent, the DPA requires consent to be freely given, specific, and an informed indication of will that they indeed agree to the public disclosure. Informed consent requires that these patients, PUIs, or PUMs have been made aware of the risks that may arise from the disclosure, including the risk of being subjected to violent physical attacks as some COVID positive patients and their family members have experienced according to news reports.
To conclude, we want to reiterate that even in times of calamity or a state of public health emergency, rules on patient privacy, the confidentiality of health records, medical ethics, and data subjects' rights remain in effect, and upholding them equates to protecting lives.
# # #
Statement by Privacy Commissioner Raymund Enriquez Liboro on “Social Vigilantism” in the time of COVID-19
The National Privacy Commission strongly condemns “social vigilantes” who attack or threaten the safety of health workers amid the COVID-19 pandemic in the misguided belief that such acts of discrimination may serve the public good.
Social vigilantes are those who take it upon themselves to enforce their views of what they consider appropriate beliefs and behavior.
There have been incidents in which vigilantes doused chemicals on health workers, expelled them from boarding houses or refused them lodging and even barred them from taking tricycles on their way to work or home.
The health workers are being attacked as a group, prompting a number of them not to wear uniforms in public for fear of being discriminated against, or worse assaulted.
These acts are unacceptable and their perpetrators must be penalized in accordance with law.
We also denounce people who irresponsibly publicize the personal data of persons under investigation (PUIs) and persons under monitoring (PUMs), thus exposing them to a danger even graver than the novel coronavirus itself: maltreatment, online bullying and physical violence from individuals who may be driven by desperation and fear.
Our health workers, as well as the PUIs and PUMs under their watch, are not the enemy. They are on the battlefront of the public health emergency, doing their part to contain the crisis, and they deserve the support and compassion of the rest of us.
Their human rights must be respected in these times of great social and economic distress. They have the right to be left in peace and their personal information protected against being disseminated without their consent.
Once personal information of health workers, PUIs and PUMs is divulged, targeting, doxing and stigmatization are not far behind.
Social vigilantes contribute to the problem by dampening the bayanihan spirit and damaging our collective capacity to respond in an organized and humane way. They must, therefore, be discouraged and stopped.
In fulfillment of its twin mandate to protect the fundamental human right of privacy and ensure the free flow of information to promote innovation and growth, the National Privacy Commission is committed to deter all unlawful use of personal data.
# # #
NPC resets registration renewal in July
The National Privacy Commission (NPC) is extending until 31 August 2020 the validity of the registration of Personal Information Controllers (PICs) and Personal Information Processors (PIPs) to make way for a new automated system to be launched in July.
The PICs and PIPs covered by the extension are those that previously completed at least Phase-I of their NPC registration. Those that have not yet done so, however, are required to register their Data Protection Officer (DPO) immediately to avoid possible liabilities, per NPC Circular 17-01. (For instructions on how to comply with this requirement, please go to www.privacy.gov.ph/guidelines-on-dpo-registration-process/).
Meantime, the NPC will begin accepting applications for renewal of registration using the new system beginning 01 July 2020.
For queries, DPOs may call the NPC at (02) 8234-2228 local 118; +639101029114 (Smart); +639652863419 (Globe); or via email at [email protected]
Managing Mobile App Permissions
Mobile App: A software application running on the Android platform, designed for a smartphone or a tablet PC running on an Android OS.
Mobile App Permission: Governs what the application can do and access, ranging from access to data stored in a mobile phone (e.g. contacts, media files, camera, microphone, etc.) to access to the phone’s hardware.
Whenever Valentine’s Day comes around, there is a surge in the usage of dating apps [1]. In 2017, a dating app recorded a 20% usage increase at this time of year [2], and it is expected to rise again in 2020 [3].
To create an account, most apps require a user to fill out an online form or to connect through an existing social media account (e.g. Facebook or Twitter) to verify one’s identity. This way, dating apps gain access to and control of the user’s personal data.
In recent years, vulnerabilities that would put users’ personal data at risk have been uncovered. Though subscribing to a dating app may seem harmless, it is important to remember that it may adversely affect the users’ reputation and privacy.
According to the Open Web Application Security Project (OWASP) [4], mobile applications are more susceptible to attacks than regular web applications. By downloading these applications, users unknowingly expose themselves to privacy risks.
On Android versions before 6.0 (API level 23), and for apps that still target an older API level, users are forced to accept permissions through an all-or-nothing approach: they cannot authorize just a subset of the requested permissions other than by cancelling the installation of the selected application. Since Android 6.0, permissions the platform classifies as “dangerous” are requested individually at runtime and can be revoked later in the phone’s settings, but the user is still left to judge each request. Likewise, mobile app permissions are not well explained to users (e.g. the permission SEND_SMS allows an app to send SMS messages to both normal and premium-rate numbers, without giving the user the option to allow one but not the other), making authorization decisions more difficult.
It should be noted that listing application permissions in a privacy notice does not equate to transparency. In some cases, the permissions an application declares in its privacy notice are not consistent with those it actually requests.
Security Measures/Risk Mitigation:
Mobile applications bring convenience to users, improve how organizations provide services to customers and maximize smartphone technology. But these benefits must not come at the expense of users’ data privacy rights.
The following are things to consider when using apps:
- Read privacy notices. A privacy notice will give you insights into how your data will be processed, the nature and extent of processing, your rights as data subjects and how you may exercise these rights.
- Be mindful of the data you provide: Blank fields invite you to fill them in, but not all of them need to be filled out. Provide only the data that is necessary for the application’s function.
- Always check your privacy settings: Immediately after installation, take advantage of the applications’ privacy settings. This allows you to control who sees any information about you. Tweak the settings to improve your privacy and security.
- Check the permissions: Many of these applications request excessive permissions, that is, permissions that are not necessary for the application to perform its functions. Excessive permissions widen the data an app can reach and the harm a compromised or abusive app can do. Before using an application, review the permissions it requests and, on Android 6.0 and later, revoke any unnecessary or suspicious ones individually in the phone’s app permission settings.
- Be careful of the people you meet: These days, it is easy to meet people online. You must be vigilant when using these applications and avoid sharing too much personal information.
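As an added example (it is not part of the NPC’s original advisory, nor an Android or NPC tool), the following Python script shows how a Data Protection Officer or app reviewer can audit the permissions an app’s AndroidManifest.xml requests against the small set an app of that kind plausibly needs, and check whether the app still targets an API level old enough to receive install-time, all-or-nothing grants. The manifest, the package name and the per-app-type allowlist are constructed for illustration and are assumptions of this example, not a platform or regulatory standard.

```python
"""Audit the permissions declared in an Android app manifest.

Example code: flags "dangerous"-protection-level permissions that a given
kind of app has no evident need for, and notes whether the app still targets
an API level that receives install-time (all-or-nothing) permission grants.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ATTR_NAME = "{%s}name" % ANDROID_NS
ATTR_TARGET_SDK = "{%s}targetSdkVersion" % ANDROID_NS

# Android 6.0 (API 23) introduced runtime grants; apps targeting < 23 still
# get every permission at install time, which is the all-or-nothing model.
RUNTIME_PERMISSION_API = 23

# Platform permissions with protection level "dangerous", keyed to the
# permission group Android shows the user (a subset of the full list).
DANGEROUS = {
    "android.permission.READ_CALENDAR": "CALENDAR",
    "android.permission.WRITE_CALENDAR": "CALENDAR",
    "android.permission.CAMERA": "CAMERA",
    "android.permission.READ_CONTACTS": "CONTACTS",
    "android.permission.WRITE_CONTACTS": "CONTACTS",
    "android.permission.GET_ACCOUNTS": "CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION": "LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION": "LOCATION",
    "android.permission.ACCESS_BACKGROUND_LOCATION": "LOCATION",
    "android.permission.RECORD_AUDIO": "MICROPHONE",
    "android.permission.READ_PHONE_STATE": "PHONE",
    "android.permission.CALL_PHONE": "PHONE",
    "android.permission.READ_CALL_LOG": "CALL_LOG",
    "android.permission.WRITE_CALL_LOG": "CALL_LOG",
    "android.permission.SEND_SMS": "SMS",
    "android.permission.RECEIVE_SMS": "SMS",
    "android.permission.READ_SMS": "SMS",
    "android.permission.READ_EXTERNAL_STORAGE": "STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE": "STORAGE",
    "android.permission.BODY_SENSORS": "SENSORS",
}

# Hypothetical allowlist: what a minimal app of each kind plausibly needs.
# An assumption for this example, not a platform or regulatory standard.
EXPECTED_BY_APP_TYPE = {
    "dating": {
        "android.permission.ACCESS_COARSE_LOCATION",  # nearby matches
        "android.permission.CAMERA",                  # profile photos
        "android.permission.READ_EXTERNAL_STORAGE",   # upload existing photos
    },
}

# Constructed manifest for a fictitious dating app (not a real product).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.hypothetical.dating">
    <uses-sdk android:minSdkVersion="19" android:targetSdkVersion="22" />
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION" />
    <uses-permission android:name="android.permission.CAMERA" />
    <uses-permission android:name="android.permission.READ_CONTACTS" />
    <uses-permission android:name="android.permission.READ_PHONE_STATE" />
    <uses-permission android:name="android.permission.RECORD_AUDIO" />
    <uses-permission android:name="android.permission.SEND_SMS" />
    <application android:label="Hypothetical Dating" />
</manifest>
"""


def audit_manifest(manifest_xml, app_type):
    """Return a dict describing the manifest's permission posture."""
    root = ET.fromstring(manifest_xml)
    target_sdk = None
    uses_sdk = root.find("uses-sdk")
    if uses_sdk is not None and uses_sdk.get(ATTR_TARGET_SDK):
        target_sdk = int(uses_sdk.get(ATTR_TARGET_SDK))

    # Both element forms declare permissions; keep declaration order, no dups.
    requested = []
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for elem in root.iter(tag):
            name = elem.get(ATTR_NAME)
            if name and name not in requested:
                requested.append(name)

    expected = EXPECTED_BY_APP_TYPE.get(app_type, set())
    excessive = sorted(p for p in requested if p in DANGEROUS and p not in expected)
    return {
        "target_sdk": target_sdk,
        "install_time_grants": target_sdk is not None and target_sdk < RUNTIME_PERMISSION_API,
        "requested": requested,
        "excessive_dangerous": excessive,
        "groups_exposed": sorted({DANGEROUS[p] for p in excessive}),
    }


def format_report(report):
    """Render the audit result as a short text report."""
    lines = ["targetSdkVersion: %s" % report["target_sdk"]]
    if report["install_time_grants"]:
        lines.append("WARNING: targets API < 23, so every permission is "
                     "granted at install time (all-or-nothing).")
    lines.append("requested: %d permission(s)" % len(report["requested"]))
    for perm in report["excessive_dangerous"]:
        lines.append("EXCESSIVE: %s (group %s)" % (perm, DANGEROUS[perm]))
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(audit_manifest(SAMPLE_MANIFEST, "dating")))
```

Run against the constructed manifest, the script flags READ_CONTACTS, READ_PHONE_STATE, RECORD_AUDIO and SEND_SMS as exceeding what a dating app needs and warns that, with targetSdkVersion 22, all of them would be granted at install time. The allowlist is the judgment call: it should be written from the app’s stated purpose and privacy notice, so that any permission outside it is something the notice ought to explain.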
There is a lack of transparency when explaining purpose of processing and final disposal of personal data collected by mobile apps. Privacy notices are not easy to read. Some are legal in nature and too long. Others refer to the blanket privacy notice of the entire organization, making it difficult for data subjects to read through it. In addition, certain mobile applications seek permissions that are not relevant to their functions.
Moreover, a majority of the applications do not provide a privacy notice before users sign up or create an account. Also, there are no standards for mobile application development which result in a developer’s tendency to seek excessive permissions.
In summary, the convenience that comes with using a mobile application may be the most unrecognized threat to privacy. Users often enjoy the convenience at the expense of their data privacy. People easily grant permissions to an Android app without carefully reading the terms and conditions.
NPC Suspends GRAB PH’S Selfie Verification, Audio, Video Recording Systems
The National Privacy Commission (NPC) has issued a Cease and Desist Order (CDO) to Grab Philippines, Inc. (Grab PH) after finding deficiencies in complying with the Data Privacy Act of 2012 (DPA) for three personal data processing systems, which may endanger the privacy rights of the riding public.
In a Notice of Deficiencies issued to Grab PH dated 31 January 2020, the NPC found several deficiencies in its selfie verification, pilot test of the in-vehicle audio recording, and pilot test of the in-vehicle video recording.
In the notice, the NPC said Grab PH did not sufficiently identify and assess the risks posed by the data processing systems to the rights and freedoms of data subjects, saying that “only the risks faced by the company were taken into account” in its Privacy Impact Assessment (PIA).
“The video recording system will also enable grab employees to monitor the situation live from the Grab Office and take photos of what is happening inside the vehicle, once the driver prompts the office through an emergency button,” the notice reads.
In a meeting, company representatives said the photo, audio and video files collected through the three systems will be released upon request to police authorities in the event of dispute, conflict or complaint.
The company also failed to state its legal basis for processing the collected data. The documents submitted to the NPC were also found to be insufficient to establish whether the company’s data processing was proportional to its intended purpose, whether the benefits of the processing outweigh the risks involved, or whether the processing was the best among the alternatives considered for achieving the underlying purpose.
While the option to withdraw consent was included by Grab PH in the PIA for the in-vehicle audio and in-vehicle video recording systems, the details on how to exercise such right were not sufficiently communicated to passengers through Grab message. It was also unclear if and how the data processing will be affected upon such withdrawal of consent.
Grab PH has 15 days to comply with the remedial measures directed in the NPC’s Notice of Deficiencies. The lifting of the CDO, however, will be decided by the Commission on a per-system basis. As such, the order is applied separately for each of the systems and takes effect until such time that the company fully implements proper controls to address the deficiencies identified in the notice.
The CDO is not intended as a penalty for Grab Philippines, Inc. but as a means to afford the company reasonable opportunity to achieve full compliance with the DPA, its rules, and related guidelines. The move, in effect, secures the riding public from unwanted privacy exposure and in the same manner enables the company to modify its system to be compliant with the DPA.
“While this Commission believes that the security of passengers and drivers is a primordial concern, their privacy rights must not be disregarded. It must be protected with earnestness by ensuring that the purpose of data processing is clearly stated, the data flow is secured, and the risks are properly identified and mitigated,” the NPC said in the CDO.
The power of the NPC to issue a CDO is explicitly provided in Section 7 of the DPA and reiterated in Section 9 of its Implementing Rules and Regulations.
Statement of Privacy Commissioner Raymund Enriquez Liboro On the release of passenger manifest of airlines to government agencies particularly the DOH, in relation to the 2019 nCov response
- While data privacy is a right, it is not an absolute right. It should always be harmonized with the requirements of public order and safety, and with the need to protect the life and health of the data subject or another person. (Data Privacy Act of 2012, Sec. 12(d) and (e))
- If a government agency pursuant to its constitutional or statutory mandate, requests airlines to release passenger manifest, the same is allowed under the Data Privacy Act of 2012.
- In responding to a critical public health issue like nCov, the DOH has the mandate, purpose and the necessity to collect and process personal data to uphold the public welfare. Therefore, nothing should prevent airline companies from releasing relevant passenger data to competent and mandated authorities like the Department of Health.
- The Data Privacy Act of 2012 is not meant to prevent the government from processing personal and sensitive personal information when necessary to fulfill their mandates. Rather, it aims to protect the right to data privacy while ensuring free flow of information. What the DPA does is to promote fair, secure, and lawful processing of such information.
- We recognize that the passenger manifest to be disclosed with the pertinent government agencies may pose privacy risks to individuals. While the Data Privacy Act 2012 will not stand as an obstacle to the fulfillment by public authorities of their constitutional and statutorily mandated functions, the DPA nonetheless serves as a reminder of the need for data protection in order to assure that rights of data subjects will be protected.
NPC calls Grab over passenger verification system and in-car audio, video recording pilot test
The National Privacy Commission (NPC) has called Grab Philippines to address the privacy concerns relating to the launch of their new passenger verification system and in-car audio and video recording pilot test.
“We understand that Grab designed their new systems as additional security to both drivers and passengers. But to avoid serious breaches of privacy, the Commission must ensure that their new system is compliant with the Data Privacy Act and adhering fully to the principles of transparency, proportionality, and legitimate purpose,” said Olivia Khane Raza, Chief of the NPC’s Compliance and Monitoring Division.
The NPC required the data protection officer of Grab Philippines to present on Wednesday, 15 January 2020, documents demonstrating their compliance with the law including, among others, their Privacy Manual, Privacy Impact Assessment reports, and Privacy Notices for the passenger verification system and in-car audio and video recording pilot test.
Privacy commission gives 12 digital safety tips for Christmas
19 December 2019
The National Privacy Commission (NPC) is reminding shoppers and travelers to be extra vigilant against cybercriminals this Christmas season.
During the Data Privacy Stakeholders’ Assembly on Thursday, held at the Philippine International Convention Center, Privacy Commissioner Raymund Enriquez Liboro said it’s that time of the year again when consumers are most prone to getting victimized online by unlawful elements, as many tend to overlook danger signs while shopping for gifts for their loved ones or availing of vacation services.
Here are 12 tips to protect your personal data as you shop, purchase gifts, and book your travels:
- Think before you plug
It may be the season of sharing but be always mindful when sharing digital files. Ensure that your USB flash drive is malware-free by scanning it first with an up-to-date antivirus.
- Charge smart
The busy holiday season means constant correspondence with your friends and loved ones, as well as browsing online shops to buy presents. This drains your battery, and though it’s tempting to charge your device at the nearest public charging station, a public USB port can carry data as well as power, so it’s better to charge your phone with your own power bank or by plugging your own charger into an AC outlet.
- Install legitimate apps
Fake apps use up your phone's resources by displaying unsolicited advertisements on your device, or worse, obtain your payment information or other personal data without your knowledge.
Aside from using only the official application source (App Store for iOS and Google Play for Android), also check the developer’s name indicated below the title of the app, and check the app’s description for spelling, grammatical, or technical errors. Take the time to examine the number of downloads and read the reviews.
- Shop wisely
Activate one-time pins (OTPs) in your issuing bank when making online or mobile banking transactions. This protects every transaction you make by sending a confirmation message to your mobile phone first before proceeding with the payment.
- Protect your documents and gadgets
When traveling, keep your documents, laptops, phones, tablets, and other gadgets secure by locking your luggage. Secure your bags containing personal identification and cards by carrying them in front of you so that any suspicious movement is noticeable. Do not leave your items unattended in public areas.
- Be wary of open Wi-Fis
Wi-Fi hotspots aren’t always safe to use. Hotspots in public places such as malls, airports, hotels, coffee shops, and restaurants often lack sufficient security.
To protect your information when using wireless hotspots, send information only to websites that are fully encrypted and avoid using mobile apps that require either personal, payment, or financial information. If necessary, consider using a reputable Virtual Private Network (VPN) when transacting finances.
- Safely dispense your money from Automated Teller Machines (ATMs)
Shake and pull the ATM card slot first before inserting your debit/credit card. This is to check if an ATM skimming device has been installed to obtain your payment card information and steal your money.
- Double-check advertisements
Enticing deals like extremely low prices or “Buy One, Take One” promos abound during the Christmas season. Avoid getting duped by checking out the prevailing prices of items on promo.
- Go on scam-free holiday vacations
Fake online deals offer low-priced accommodations and airfares to bait holiday-goers. Avoid them by doing your research and carefully reading the details of travel offers. Check a site’s reputation by searching for its name together with the words “complaint,” “scam,” “fake,” or “review.” Trustworthy travel agencies are licensed.
Ask your family and friends for recommendations on travel agencies they transacted with before.
- Protect your identity and account information
Bring only the identification, credit, and debit cards you need in your travels. Ensure that you’re carrying back-up copies or photos of your identification cards in a secure storage or location.
- Spam calls or robocalls
Spam calls or robocalls are designed to steal your money or personal data.
Be extra cautious of these “budol-budol” phone calls especially if you are leaving your home in the care of a trusted person. Provide instructions and security checks or questions to authenticate the caller’s identity.
- Online dating scams
Take precautions when using online or mobile dating apps. Crooks and scammers prowl dating platforms that may lead to emotional and financial heartbreak. Do not give money, gifts, or share your personal data to people you have not yet met personally.
Other security measures to practice:
- Disable storing of login or payment information
- Purchase from authentic sellers
- Check website security and identity
- Pay by credit card, preferably with a disposable or virtual card number
- Ask online sellers not to put your personal contact number in the delivery package
During the assembly, the Commission also reported on the gains during the country’s historic hosting of the 52nd Asia Pacific Privacy Authorities (APPA) Forum in Cebu two weeks ago.
Chief among the planned programs is the Privacy Awareness Week (PAW), which the Commission has celebrated since 2018 by conducting its flagship event, the National Data Privacy Conference.
The PSST! (Privacy, Safety, Security, and Trust) campaign, another flagship project of the Commission, will also stage symposiums in various regions in the Philippines. Under PSST! is the child-centric campaign Kabataang Digital, launched in front of over 500 students and educators during the 52nd APPA in Cebu City.
Kabataang Digital aims to provide age-appropriate support for children to help them understand the nature of privacy and the digital environment’s implications on their privacy rights. It aims to raise awareness among children, their parent and/or guardians, school authorities, and relevant entities regarding children’s privacy rights, risks, and possible harm when using information and communication technology; and collaborate with other agencies, particularly the Department of Education, in developing appropriate legislative and policy frameworks balancing the right to privacy and free flow of information.
The NPC also reported on the year-end status of the compliance checks it conducted, updates on personal information controller registration, and breach incidences.
The agency also began laying out its key programs and prospects for 2020, chief among which is the creation of the Sectoral Advisory Team (SecAT).
52nd APPA FORUM OPENS IN CEBU
The 52nd Asia Pacific Privacy Authorities (APPA) Forum officially opened in Cebu today, with privacy commissioners from 14 jurisdictions across the region convening in closed sessions, to deliberate on emerging technology trends and threats that impact privacy, share best practices, explore new policy directions, and build institutional partnerships.
In his opening remarks, Philippine Privacy Commissioner Raymund Enriquez Liboro highlighted the need to ensure that privacy regulations across the Asia Pacific are responsive not just to safeguard individual rights and protect personal data but also to facilitate the safe flow of information, which is the fuel for economic progress in an era dominated by information and communication technology.
“Value in today’s data-driven world is created by building bridges and not walls. And that’s what we intend to accomplish today at the APPA Forum. To build bridges towards a future that is safe and progressive, which our children could immensely benefit from,” Liboro said.
Delegations from the following jurisdictions have joined the forum: National Privacy Commission (host); Office of the Australian Information Commissioner; Office of the Information and Privacy Commissioner, British Columbia; Office of the Privacy Commissioner of Canada; Privacy Commissioner for Personal Data, Hong Kong, China; Personal Information Protection Commission, Japan; Personal Information Protection Commission, Korea; Korea Internet and Security Agency; Office for Personal Data Protection, Macau, China; National Institute for Transparency, Access to Information and Personal Data Protection, Mexico; Office of the Privacy Commissioner, New Zealand; National Authority for Data Protection, Peru; Office of the Information Commissioner, Queensland; Personal Data Protection Commission, Singapore; Federal Trade Commission, United States; and the Office of the Victorian Information Commissioner, Victoria.
Following Commissioner Liboro’s opening speech, the Office of the Information and Privacy Commissioner for British Columbia (OIPC BC) provided the delegates with updates, in its capacity as APPA Secretariat and Chair of the APPA Governance Committee.
The morning session proceeded with reports from the three APPA Working Groups, which tackled the Privacy Awareness Week (PAW) activities in 2019, plans for 2020 and other continuing communication initiatives. The results of a survey on top breaches were also discussed, as well as a survey on complaints handling.
Other reports discussed were about de-identification, open data, data sharing, data portability, information aspects of indigenous people, education and outreach activities, as well as developments on key investigation and enforcement matters.
This is the first time for the Philippines to host APPA, which is acknowledged as the principal forum for privacy and data protection authorities in the Asia Pacific region.
The Forum is being held at the Shangri-La’s Mactan Resort and Spa on 2-3 December and organized with the support of the five-member APPA Governance Committee and was attended by fourteen APPA member authorities.
# # #
Following NPC stop processing order on 26 online lenders, drop in complaints seen
Privacy-related online lending complaints have drastically declined a month following recent enforcement actions by the National Privacy Commission (NPC) on dubious online lending applications. The issue is among the topics for discussion at the 52nd Asia Pacific Privacy Authorities (APPA) Forum in Cebu City, where privacy commissioners from all over the Asia Pacific region and representatives from the Association of Southeast Asian Nations (ASEAN) will convene on Monday and Tuesday.
“Instances of unauthorized use of data, similar to complaints received by the NPC about online lenders, are beginning to crop up elsewhere in the region, and other privacy authorities are keen on hearing about what we have learned and how they may deal with similar challenges. During the formal sessions, delegates will meet in closed-door sessions to discuss policy directions as well as explore best practices, emerging technologies, trends and threats to privacy, and what concerted actions privacy authorities may take to address these concerns,” Privacy Commissioner Raymund Enriquez Liboro said.
Available data gathered by the NPC from January to November 2019 showed there is a downward trend in the filing of formal complaints against online lending apps beginning October. The decrease happened a month following the NPC’s issuance of an Order on the top three online apps that were subject of majority of complaints.
“Following months of grueling work, the Commission is pleased to report a decline in the number of new formal complaints from borrowers involving the unauthorized use of their private personal information by online lenders. We are not letting up on the matter, and we continue to hold marathon hearings to resolve each filed complaint the soonest time possible, given our resources. The decrease in new cases, however, is a welcome development. It is an indication that people are definitely becoming mindful about protecting personal data and upholding privacy rights,” said Atty. Jose Belarmino II, NPC OIC-Executive Director and designated subject matter spokesperson.
The NPC has 23 formal complaints on record related to online lending in January 2019. The numbers steadily climbed during the first quarter. After the agency went public on the issue in May, the number rose even higher, signaling that more victims were previously unaware they can seek the NPC’s assistance.
The number peaked in September at a high of 300+ new cases for the month. It was in the first week of that month that the NPC issued an Order on Fynamics Lending Inc., Unipeso Lending Company, and Fcash Global Lending, Inc., the three most-complained-about companies. Fynamics has formally answered the NPC’s order. Unipeso and Fcash, meanwhile, filed motions to dismiss. All submissions are now under deliberation.
In September, the NPC also helped coordinate the creation of an industry-wide alliance of fintech organizations, together with the Bangko Sentral ng Pilipinas, the Securities and Exchange Commission, and the Department of Trade and Industry.
After the September peak, the number of fresh formal complaints regarding online lenders immediately declined in October, coinciding with the NPC order to shut down 26 other online lending companies, in coordination with Google LLC and the National Telecommunications Commission. By November, new formal complaints had dropped by 90%, down to 14 complaints, which is comparable to the January figure.
# # #
PH to host 52nd APPA Forum in Cebu
The Philippines is set to host the 52nd Asia Pacific Privacy Authorities (APPA) Forum in Cebu with the National Privacy Commission (NPC) taking the lead.
Privacy commissioners from the region and guest ASEAN representatives are expected to converge for the main event at the Shangri-La's Mactan Resort and Spa on 2-3 December 2019. During the formal sessions, members and invited guests will meet in closed-door sessions to discuss best practices, build partnerships, share information on emerging technology and trends, as well as explore new policy directions across the region.
Other activities on the agenda include the discussion of jurisdictional reports from each delegation, roundtable dialogues, and an exchange of views on the challenges linked with international data transfer and the cross-border enforcement of privacy laws across the Asia Pacific.
“Since its founding in 1992, the APPA has inspired alliances among authorities in the region, paving the way for establishing cooperative arrangements that push for data subject protection. At the 52nd APPA Forum in Cebu City, Philippines, we keep to this cherished tradition of judicious discourse and communal action as we jointly address new and emerging privacy challenges that are continually prompted by technological advances,” Privacy Commissioner Raymund Enriquez Liboro said.
This will be the first time for the Philippines to host APPA, acknowledged as the principal forum for privacy and data protection authorities in the Asia Pacific region, aimed at facilitating partnerships and the exchange of ideas on privacy regulation.
Meantime, three side events are also scheduled during the APPA Forum, open to all Data Protection Officers (DPOs) and the general public. They are the NPC’s DPO ACE (Accountability, Compliance, and Ethics) certification program, the Global Privacy Forum, and the PSST! (Privacy, Security, Safety, and Trust) symposium for students and educators.
Around 800 DPOs in the Visayas and Mindanao are expected to join the NPC’s DPO ACE (Accountability, Compliance, and Ethics) certification program on December 3 at the Waterfront Hotel & Casino, Cebu City. It shall cover the standard seven modules, to be discussed by top agency officials, while the written examination is scheduled on December 5.
Meanwhile, the flagship Global Privacy Forum is set on December 4, with the theme “Bridging East and West”. Around 800 participants are also expected to join in the discussions, which features panel sessions to discuss policy reforms, projects, and programs in different jurisdictions that are relevant to the operations and activities of local sectors. Among the guests and panelists include United Kingdom Deputy Information Commissioner James Dipple-Johnstone, Hong Kong Privacy Commissioner Stephen Kai-Yi Wong, New Zealand Privacy Commissioner John Edwards, British Columbia Privacy Commissioner Michael McEvoy, Canada Deputy Privacy Commissioner Brent Homan, and Allison M. Lefrak of the US Federal Trade Commission.
Also, on December 4, the PSST! Symposium is to be held at the University of Southern Philippines Foundation. Meant as a youth-oriented public awareness campaign on the risks brought on by careless and carefree use of online services, around 500 students are set to join the whole-day event. Among its highlights include the launch of “Kabataang Digital”, an advocacy campaign to promote a safe digital environment for teens and kids.
The complete rundown of the 52nd APPA program may be viewed online at www.appa52.privacy.gov.ph
# # #
NPC sets up DPO COMPLex workshop for GOV’T
The National Privacy Commission (NPC) is set to conduct the DPO COMPLex experiential compliance workshop for government Data Protection Officers (DPOs) on November 13 – 14 at the Luxent Hotel in Quezon City. This follows a marked improvement in this year’s DPO registration figures for the sector.
State Universities and Colleges (SUCs) saw the biggest jump in the number of registered entities compared to last year, rising to 87%. National Government Agencies (NGAs) are next at 73%, followed closely by Government-Owned and Controlled Corporations (GOCCs) at 72%, while Local Government Units (LGUs) are at 39%.
In November 2018, registration with the NPC of SUCs was only at 6%, NGAs at 5%, GOCCs at 17%, while LGUs were at 12%.
The surge in numbers is attributed to the NPC’s enhanced compliance program launched beginning January this year, which consisted of intensified privacy sweeps geared towards government institutions as well as compliance awareness campaigns, including the 1st Digital Data Governance for the Public Sector Conference held alongside other events during the Privacy Awareness Week last May.
“As one of the biggest repositories of personal data in the country, it is only imperative that the government fully complies and sets the tenor for all other sectors. Compliance begins once an organization’s Data Protection Officer registers with the NPC. It’s not the be-all, end-all of compliance but it’s the crucial start. It is an indication of accountability and the willingness to cooperate with the Commission. Compliance itself, however, is a journey and takes some time to perfect. We understand that, so, we provide extensive knowledge support to those who are eager to comply,” Liboro said.
The 2-day DPO COMPLex is the result of focus group discussions with DPOs from various government offices, who discussed with the NPC the challenges they face at work when instituting compliance-related measures and activities. Day one (November 13) will be for DPOs in NGAs and LGUs, while day two (November 14) will be for GOCCs and SUCs. It features simulation modules to equip participants with first-hand privacy compliance experience in Data Mapping, Privacy Impact Assessment, Criteria for Lawful Processing, Security Measures, and Breach Management.
By the end of this experiential workshop, participants are expected to be better equipped to prepare and maintain records of their agencies’ processing activities and to create multi-layered privacy notices from these records, as well as to perform a privacy impact assessment in accordance with NPC Advisory 17-03.
Participating government DPOs are also expected to hone their skills at identifying the appropriate criteria or legal basis for their agency’s personal data processing activities; employing security measures required under NPC Circular 16-01 on security of personal data in government agencies; as well as preparing and implementing data sharing agreements in accordance with NPC Circular 16-02, when applicable.
Lastly, participants are also expected to gain better understanding of how to establish personal data breach management procedures for their respective agencies in accordance with NPC Circular 16-03.
Due to the limited slots available, the DPO COMPLex is strictly by invitation only, for registered government DPOs. Registrants will be accommodated on a first-come, first-served basis.
For other details, interested government DPOs may inquire with Mr. Cleo R. Martinez, Policy Advisor for Government Sector, at 0936-0432973 and 02-8234-2228 local 118.
# # #
NPC issues guidelines to prevent data compromise this Undas 2019
The National Privacy Commission (NPC) advises Filipinos observing All Saints’ Day and All Souls’ Day to take preventive security measures to avoid compromising data on their device and data systems.
For travelers, something as simple as avoiding the use of a public charging station will help keep their device and personal data safe. In the absence of a portable “powerbank,” the NPC says that plugging mobile devices into a power outlet through an AC adapter remains the safest option.
When connecting to free public Wi-Fi, make sure your VPN is active. It is also best to visit only encrypted websites, that is, those whose URL begins with HTTPS.
“Practice informed discernment when deciding what to post online and what to keep safely private. For example, posting a photo of your boarding pass or passport can make you vulnerable to financial theft and identity fraud,” Privacy Commissioner Raymund Enriquez Liboro advised.
Meantime, data protection officers (DPOs), personal information controllers (PICs), and personal information processors (PIPs) in both the public and private sectors are advised to ensure there is adequate security for their data systems.
Here are the NPC’s recommended actions for DPOs:
- Take non-mission-critical systems offline, especially those that contain or have access to personal data.
- For all systems, whether online or offline, ensure that all system activities are kept secure.
- Back up your data (both physical and digital). It is critical to have backups, as they may be the best way to recover data when an incident occurs.
- Ensure that workstations are properly managed and accounted for.
- Implement physical security measures to prevent unauthorized access. Keep personal valuables safe.
- Make sure all physical documents containing personal information are secured in locked file cabinets.
- Log out of all your accounts when they are not needed.
- Ensure that proper system updates are applied so that your systems and computers are protected from threats and possible attacks.
- Ensure that appropriate intrusion detection systems (e.g. firewall, anti-virus) are in place and working properly.
- Ensure that the organization has a response and recovery plan that can be used in times of emergencies, disasters, or system attacks.
- Ensure that employees are reminded of and/or educated on the organization’s security measures that must be observed (e.g. when accessing work documents outside the office premises).
- For employees teleworking or organizations implementing “work from home” during this holiday, make sure a secure connection is used.
# # #
PH joins APEC privacy system
The Philippines has formally joined the Cross-Border Privacy Rules (CBPR) System, a move seen to expand its trading opportunities within the Asia Pacific region by eliminating data-flow barriers when transacting with member economies of the Asia Pacific Economic Cooperation (APEC) through the adoption of common standards for data privacy.
The National Privacy Commission (NPC) recently submitted the Philippines’ letter of intent to join the CBPR System, ahead of a meeting by the Electronic Commerce Steering Group (ECSG) - Data Privacy Sub-Group (DPS) held in Puerto Varas, Chile. In the document, Privacy Commissioner Raymund Enriquez Liboro said the Philippines intends to use at least one APEC-recognized Accountability Agent to certify local companies as CBPR-compliant.
“When businesses become CBPR-certified, they may then transfer personal data in a safe and seamless manner across other certified companies operating in the APEC region, which accounts for about half of global trade. For Philippine companies, this means gaining entry to a much larger market at reduced compliance costs with respect to cross-border data transfers,” Liboro said.
ECSG Chairperson Shannon Coe welcomed the country’s addition to the CBPR System, saying it would be integral to its long-standing trading relationship with the United States.
“The Philippines – as the United States’ 31st largest trading partner – would be a key addition to the CBPR System for U.S. businesses. The United States and the Philippines have a historic trading relationship and many U.S. companies rely on the favorable market and skilled workforce in the Philippines to process data throughout the Asia-Pacific region. The Philippines’ participation in the CBPR System would strengthen the business case for U.S. companies looking to invest in the Philippines, through our bilateral commercial relationship,” Coe said.
“Many U.S. companies value the opportunity to partner with or invest in businesses abroad with a strong commitment to privacy. As protecting privacy becomes a bigger part of all corporate operations, MSMEs and SMEs that take steps to strengthen their privacy practices – including by joining the CBPR System – are only becoming more competitive and attractive to consumers and businesses they partner with,” Coe added.
For his part, Singapore’s Personal Data Commissioner Tan Kiat How said he looks forward to working closely with the Philippines in encouraging local businesses to be CBPR-certified.
“Singapore welcomes more economies on board the APEC CBPR systems. With the growing Digital Economy and the need for the movement of data across borders to support global commerce, the APEC CBPR system allows data to be transferred safely and seamlessly across APEC economies. We look forward to working with the Philippines to encourage businesses to be CBPR certified,” Tan said.
The submission of the country’s letter of intent marks the culmination of an elaborate process of collaboration between the NPC, its mother agency, the Department of Information and Communications Technology (DICT), the Department of Trade and Industry (DTI), and the Department of Foreign Affairs (DFA).
“I think this is a perfect embodiment of inter-agency teamwork, achieving a milestone that not only boosts Philippine data privacy and trade but even our diplomatic relationship with Asia Pacific economies,” Liboro said.
In his endorsement letter, DTI Secretary Ramon M. Lopez emphasized that the country’s participation in the CBPR is aligned with the government thrust of helping local companies become part of the global market. “This would provide our micro, small and medium enterprises opportunities for growth by gaining access across APEC markets and participating in global supply chains which rely on the free movement of data across borders,” Lopez said.
Meantime, DICT Secretary Gregorio B. Honasan III has acknowledged the significance of participating in the System and expressed support for the initiative.
“Institutionalizing the implementation of data privacy policies consistent with the APEC Privacy Framework opens opportunities for cross-border data flows and provides a step forward, towards building a robust Philippine digital economy,” Honasan said.
Born of the APEC Privacy Framework, the CBPR System was endorsed by ministers from the 21 APEC member economies in November 2004 as a voluntary accountability system. Membership requires the submission of a letter of intent to the Joint Oversight Panel (JOP) and the completion of an enforcement map demonstrating adherence to the nine (9) privacy principles under the APEC framework.
The APEC CBPR certification serves as a seal of privacy compliance and accountability, creating a competitive advantage in both local and global markets. It also fosters trust among consumers, who are assured that their personal data is securely transferred, by requiring business entities to observe transparency and to streamline the customer complaint process.
“By taking steps to expand the CBPR System to the Philippines and beyond, we are building a growing coalition of pro-growth and pro-privacy economies that see the importance of balancing privacy and economic prosperity. In this digital age, there’s no ignoring the importance of privacy practices and consumers around the world are imploring governments to help create solutions that enhance privacy without hindering innovation,” Coe said.
The Philippines’ participation in the CBPR System has been anticipated since it became a member of the APEC Cross Border Privacy Enforcement Arrangement (CPEA) back in 2017.
To date, there are eight (8) participating economies in the CBPR System, namely: United States of America, Mexico, Japan, Canada, Republic of Korea, Australia, Singapore, and Chinese Taipei. After evaluation and upon approval by the JOP, the Philippines will be the 9th economy to join the system.
# # #
PH, Singapore sign MoU on Personal Data Protection
MANILA, Philippines --- The Philippines and Singapore agreed to share best practices in personal data protection and to develop compatible mechanisms to facilitate trusted cross-border data flows, including mutual recognition of the comparable protection afforded by their respective laws, to safeguard both Philippine and Singaporean citizens.
Philippine President Rodrigo R. Duterte and Singapore President Halimah Yacob personally witnessed the signing of the Memorandum of Understanding (MoU) at Malacañan Palace yesterday between the Philippines’ National Privacy Commission (NPC) and Singapore’s Personal Data Protection Commission (PDPC), during the State Visit of Singapore to the Philippines. The MoU --- signed by NPC Privacy Commissioner Raymund Enriquez Liboro and PDPC Commissioner Tan Kiat How --- reaffirms and strengthens the working relationship between the two countries to improve personal data protection and foster trust in cross-border data flows.
The document marks the first data protection-related MoU signed between the two ASEAN member states.
Privacy Commissioner Liboro stated that this collaboration would further ensure that the Philippines and Singapore continue to strengthen their partnership when it comes to data protection. “With the signing of the Memorandum of Understanding, the Philippines and Singapore envision exchanges of information and best practices to foster innovation. We will also work on mutual assistance in data privacy enforcement. This is a reaffirmation of both the Philippines’ and Singapore’s recognition of the importance of data governance and cross-border data flows to global trade in a digital economy,” Liboro said.
For his part, PDPC Commissioner Tan said the MoU signals Singapore’s continued strong partnership with the Philippines as a collaboration partner. “Singapore is pleased to continue fostering closer collaborations with partners such as the Philippines to drive a robust data protection regime crucial to promoting and safeguarding cross border data flows that are the lifeblood of the digital economy. Our work will include developing mechanisms to facilitate cross-border data flow, such as the APEC Cross-Border Privacy Rules and ASEAN Cross-Border Data Flows Mechanism, and best practices to enable data innovation, through the use of data sharing sandboxes,” he said.
In the MoU, both countries have committed to cooperate in the areas of mutual exchange of information and joint enforcement actions.
# # #
Online lending execs face jail terms for data privacy violations
The National Privacy Commission (NPC) has concluded its investigation into three major online lending companies in the country for alleged public shaming of borrowers and has found that their operators may be liable for imprisonment of up to 7 years and fines of not more than P5 Million under the Data Privacy Act of 2012 (DPA).
In a press briefing today, Privacy Commissioner Raymund Enriquez Liboro made available to journalists copies of the fact-finding reports filed by NPC investigators on online lending firms Fast Cash Global Lending, Inc., Unipeso Lending Company, Inc., and Fynamics Lending Inc., which recommended, among other measures, the criminal prosecution of their board members for violating sections 25, 28, 31 and 32 of the DPA.
“The investigation determined that their business practice specifically targets the privacy of persons, practically making a profit out of people’s fear of losing face and dignity. These unethical practices simply have no place in a civilized society and must stop,” Liboro said.
As of July 31, the number of complaints filed against Fast Cash Global Lending, Inc., which operates the Fast Cash online app, has reached 166. Charges have been filed against its directors and board members, namely Kellon De Jesus Manalastas, Tiancai Huang, John Christian P. Sia, Jovy Co Ting, and Zichao Su.
The number of complaints filed against Unipeso Lending Company, Inc., which operates Cashlending online app, has reached 138. Charged before the Commission are its executives Haolong Li, Guanqun Luo, Flordeluna Rosell, Rizza Mae Lorilla, and Renyvic Duquiatan.
Complaints against Fynamics Lending Inc., which operates PondoPeso online app, have reached 133. Charges have been filed against its responsible officers Meng Li, Changjin Wang, Kwinnie Mae Fianza, Jacquielyn Chua Garrido, Helen Joy Amican de Luna, and Bernard B. Salvacion, Jr.
The fact-finding reports gave the Commission sufficient grounds to establish that the three lending companies have not complied with legal requirements for processing personal data; failed to adhere to the principles of transparency, legitimate purpose and proportionality; and committed unauthorized processing; processing for unauthorized purpose; malicious disclosure; and unauthorized disclosure.
“The report found that the penalties inflicted on borrowers by these online lenders are abusive. The public shaming they carried out has caused anxiety, depression; some have even lost jobs and feel they became unemployable, that their reputation and future was put in jeopardy. The permanence of these damages is disproportionate to the mere delinquency in paying debts, sometimes as low as one thousand pesos,” Liboro said.
The NPC has given the executives behind the online lending apps 10 days from receipt of an Order to File an Answer to explain before the Commission the allegations contained in the fact-finding reports. If the respondents fail to do so without justification, the NPC will make its final decision based on the available evidence and the information provided in those reports.
Aside from criminal prosecution, the NPC fact-finding team has also recommended issuing a temporary or permanent ban on the processing of personal data by the lending firms, as urgently required by public interest; as well as the issuance of compliance orders against them.
Evident from the complaints are common statements from data subjects conveying how downloading these applications led to a disruption in their lives and those of others, in violation of individual rights and freedoms.
“We would like to caution the people on downloading mobile applications, particularly online lending applications. Please read the terms and conditions carefully, for they may include dangerous permissions such as access to your live location, phone books and social media account, and even camera control. Let us be responsible for our safety and the protection of our personal data,” Liboro said.
The NPC intends to have the apps of the three online lending operators taken down from the Google Play Store. For this, the agency is now coordinating with the Federal Trade Commission through the Cross-border Privacy Enforcement Arrangement.
From July 6, 2018, to July 31, 2019, the NPC received a total of 689 complaints against several online lending applications. They comprise around 55% of the total complaints filed with the NPC. This total number does not include around 2,666 similar concerns the NPC received via email and social media, which were not filed as formal complaints. With these in consideration, the NPC on its own initiative conducted the investigation.
# # #
PH leads ASEAN’s move to protect privacy
The Association of Southeast Asian Nations (ASEAN) took a major step in harmonizing regional data protection, privacy regulations and initiatives by launching the first ASEAN Data Protection and Privacy Forum in Bangkok, Thailand with the Philippines at the helm. The Philippines was represented by Privacy Commissioner Raymund Enriquez Liboro, who chaired the Forum’s inaugural meeting.
Gathering all data privacy regulators and privacy enforcement agencies and bodies in the ASEAN, the Forum intends to foster sharing of knowledge and best practices, discussion of governance and operational know-how, and development of a framework for enforcement cooperation.
"The ASEAN must harness technologies and digital innovation to its advantage through effective policies that will enable greater movement of data and ease of market access that will bridge the digital divide among the Member States and at the same time, provide guidance to its digital citizens in protecting their data. We must ensure that everybody can benefit from the digital economy and that no one is left behind. That is the ASEAN Way," Liboro said in his welcome remarks.
With the increasing global concern over privacy, "responsible data stewardship and data management across the region will protect and benefit all our citizens and certainly boost the region’s competitiveness," Liboro added.
Representatives from all 10 ASEAN Member States (AMS) were present as key decisions on priority areas for cooperation and the scope of work of the Forum were made. Developments and updates on the proposals about Data Classification Framework and Cross Border Data Flow Mechanism for ASEAN were also tackled during the meeting.
The Forum will serve as the platform for the AMS to exchange views and information on data protection and privacy matters, including enforcement cooperation. Seeking to harmonize data protection and regulation, the Forum comes at a juncture in ASEAN history when privacy and data protection are becoming an important concern.
“Though ASEAN Member States are in varying stages of development when it comes to their respective data protection and privacy regimes, the Forum ensures that everyone has a seat at the table, especially in tackling common issues on data protection and privacy,” Liboro said.
To date, 3 ASEAN countries have data protection laws and an established data privacy regulator. These are the Philippines, Singapore, and Malaysia. Just recently, Thailand passed its own data protection law, while other states in the region such as Indonesia are in various stages of developing their own data protection and data privacy laws.
The Philippines’ NPC and its mother agency, the Department of Information and Communications Technology (DICT), are closely working with Singapore’s Personal Data Protection Commission (PDPC) in developing the ASEAN Framework on Digital Data Governance.
In 2018, the AMS endorsed the ASEAN Framework on Digital Data Governance, intended to enhance data management, facilitate harmonization of data regulations, and promote intra-ASEAN flows of data. It called for the creation of forward-looking and enabling policies to facilitate the growth of the digital economy in the region.
Since its founding in 1967, the ASEAN has spurred economic cooperation and integration in the region and has been instrumental in its overall economic growth. ASEAN integration has also enabled its member states to compete effectively for international investments, leveraging its collective market of more than 600 million consumers.
The Data Protection and Privacy Forum Meeting was held back-to-back with the ASEAN Telecommunications and Information Technology Senior Officials Meeting (TELSOM) and ASEAN Telecommunication Regulators' Council (ATRC) Leaders' Retreat and other Related Meetings being held this week in Bangkok, Thailand.
As the Chair of ASEAN meetings for 2019, Thailand has prioritized Industry 4.0, cultivating digital talent, and digitizing small business in line with its theme of “Advancing Partnership for Sustainability.”
# # #
NPC forms coalition to protect “digital Filipino”
Coming on the heels of a surge in citizen complaints of alleged privacy harassment by online lenders, more than 2,000 Data Protection Officers (DPOs) from major government offices and leading businesses today joined the National Privacy Commission’s (NPC) call to form a united front to strengthen the protection of people’s personal data.
“Our common goal of ensuring data privacy in today’s radically changing technology landscape can only be won as a community, where the government and businesses align resources to safeguard the data subject’s interests,” Privacy Commissioner Raymund Enriquez Liboro said in his opening remarks during the second annual National Data Privacy Conference (NDPC) at the Philippine International Convention Center.
Serving as the NPC’s flagship event to launch this year’s Privacy Awareness Week (PAW) celebrations, the NDPC carries the theme “Datos ng Pilipino, Protektado ko!” (Protecting the Digital Filipino: Accountability, Compliance & Ethics in a Data-Driven Philippines), an appeal to institutions and individuals who process personal information to fully embrace their accountability, aim for maximized compliance with the Data Privacy Act of 2012, and observe high ethical standards.
In response to this appeal, executives from various government agencies (Department of Information and Communications Technology, Department of Trade and Industry, Department of Justice, and the Philippine National Police) have symbolically pledged, during the NDPC, their support for the NPC’s covenant of unity for the protection of the digital Filipino. They were joined by Laban Konsyumer, an advocacy group assisting consumers in protection against deceptive, unfair, and unconscionable acts and practices.
The covenant is calling for a unified front towards safeguarding the modern Filipino’s right to prosper, protecting their personal data, and promoting their basic rights – all while equipping the public with the knowledge that would enable them to defend themselves against fraudsters and other data privacy violators. Altogether, these are envisioned to culminate in a peaceful, secure, and technologically-aware Philippines.
“Upholding the right to data privacy is everybody’s business because ultimately every potential harm to the data subject also puts at risk our commercial and societal interests. Unlawful data activities can hurt your customers or constituents, and they can certainly hurt your business, industry, profession or institution. If we are to thrive in a data-driven global economy, we have to ace data privacy. There is no better way to face this challenge than by facing it together as co-stakeholders, where we watch each other’s back in a community of trust,” Liboro said.
This year’s PAW will be observed on May 25 to 31. As per Presidential Proclamation No. 527 signed by President Rodrigo Roa Duterte last year, celebrating PAW is premised on the “need to inform and educate the public about data privacy, data protection, and fair information rights and responsibilities as part of reinforcing the efforts of the NPC in protecting personal data and ensuring the Philippines’ compliance with international standards set for data protection.”
Commissioner Liboro, however, reminded the participants of the need to conduct their own PAW activities in their offices, carrying this year’s official tagline in their corporate communication and activities.
“Attending the NPC’s event for DPOs is not the be-all end-all of PAW celebrations; in fact, it’s just the curtain-raiser. The more significant highlights belong to PICs and PIPs whose activities shall directly engage data subjects in a meaningful way. Such activities would also be a way for organizations to publicly demonstrate their commitment to uphold and protect the data privacy rights of their customers, employees and other stakeholders,” Liboro said.
# # #
NPC conducts hearings on 48 online lending apps after over 400 harassment complaints
Over 400 complaints of alleged harassment and shaming by various mobile online lending operators have swamped the National Privacy Commission (NPC) recently, with borrowers crying foul over perceived reputational harm and abuse of their data privacy rights.
Speaking to reporters, Privacy Commissioner Raymund Enriquez Liboro said the agency is presently handling a total of 485 complaints against operators of online lending applications that allegedly misused the borrower’s information, including the disclosure of unpaid balances to other people. At least 235 cases were formally pursued by complainants and are now subject of NPC hearings.
“Over the past few months, we received almost identical complaints that pile up by the day from individuals accusing online lending apps of rude practices. Complainants say the harassment and shaming started when they failed to pay their balances on time. The people behind the lending app called or texted their contact list about their inability to return the money, causing them embarrassment and emotional stress,” Liboro said.
Upon download, the mobile apps allegedly require access to contact information, photos, files and documents saved in the borrower’s phone, before processing of the online loan application can proceed. If a borrower fails to pay on time, all of his or her phone contacts receive a collection text message or call stating the borrower’s full name and outstanding balance.
“The NPC has started conducting hearings on the cases and it is vital that we also hear the respondent’s side of the story and we would highly appreciate it if they cooperate,” Liboro said.
If culpability is established, erring mobile online lending operators may face a temporary or permanent ban from operating, and the NPC may also award damages to affected individuals. The cases could also be referred to the Department of Justice for criminal prosecution. However, during the course of the proceedings, the parties may opt for mediation, where they may freely arrive at a settlement.
On the bright side, Liboro noted this surge of complaints could be seen as an indication of people’s growing awareness of day-to-day data privacy issues. It also shows the increasing comfort level of Filipinos about digital technology, including online financial exchanges, which is built on the foundation of consumer. But much work needs to be done. “If left unaddressed, problems like these may slow down our momentum towards a data-driven Philippines,” Liboro said.
Simultaneous to its enforcement efforts, the NPC is also intensifying its awareness drive aimed at data subjects as well as data controllers and processors, with the Privacy Awareness Week (PAW) 2019 happening on May 25 - 31.
“Citizens need to know that they should carefully read privacy notices before they give consent to any personal data processing. PICs, meantime, should be fully transparent when declaring how they will process and use the personal data they collect, assuming full accountability,” Liboro said.
This year’s theme for the PAW is “Datos ng Pilipino, Protektado Ko! (Protecting the Digital Filipino: Accountability, Compliance & Ethics in a Data-driven Philippines).”
“Upholding data privacy rights by those who process our personal data cannot happen with mere paper compliance. It has to be rooted in a sense of public accountability to data subjects. That’s what this year’s tagline emphasizes. It’s all about owning up to the responsibility of safeguarding people’s data and living up to the trust they conferred upon your organization,” Liboro said.
As its flagship event for the PAW 2019 celebrations, the NPC will hold the 2nd National Data Privacy Conference (NDPC).
The NDPC is expected to draw more than 2,000 participants on May 23 and 24 at the Philippine International Convention Center. This year’s theme is "Protecting the Digital Filipino: Accountability, Compliance & Ethics in a Data-Driven Philippines.”
One of NDPC’s highlights is the 1st Digital Data Governance in the Public Sector Conference, which is solely for Data Protection Officers in the government. For the private industry, there will be breakout sessions targeting each sector’s specific needs.
# # #
Official Statement of Privacy Commissioner Raymund E. Liboro
Re: BREACH NOTIFICATION BY GLOBE TELECOM INC.
- On Sunday, Jan 27, 2019, Globe Telecom, through its Data Protection Officer, formally notified the NPC of a personal data breach. Based on their report, the personal data breach occurred due to a system error, potentially affecting 8851 customers.
- Our team is still evaluating the incident and verifying the information given to us, following our standard procedure.
- Those who may have been affected are advised to monitor their online and offline accounts for any unusual activity, to change passwords and other means of identity verification, and to be careful of phishing attempts and other online risks.
- We will provide updates once our team completes its evaluation.
PH telcos, 3rd player told: compete on data privacy and protection to win customer trust
The National Privacy Commission (NPC) is urging local telecommunications operators Globe, Smart, and the incoming third player, the Mislatel consortium, to compete for consumer trust in terms of better services and better data privacy protection.
“This is what’s good about competition, it’s the customers who decide who to trust. So, why not let the telcos compete in the data privacy and protection space. Let them compete in terms of price, performance, and privacy. Then, let the people decide which one to trust their personal data with,” said Privacy Chairman Raymund Enriquez Liboro.
Speaking before members of the Chief Information Officers Forum in their general membership meeting at the Crowne Plaza in Quezon City, Commissioner Liboro added that what the government may do is invest more in public education.
“There’s no better way to secure our digital resources than with a citizenry fully aware and assertive of their data rights. It would be healthy for our democracy, and a way towards building a threat-resilient digital economy,” he added.
As part of the NPC’s continuing awareness campaign, the agency will hold its nationwide educational symposium for the youth on data privacy in line with its PSST! campaign (Privacy, Safety, Security, & Trust online!) to bolster awareness and active involvement among students in protecting their own data online.
Over 500 participants are expected to join the half-day event happening on Friday, December 7, 2018, at the De La Salle University, Manila. Its focus is on student data privacy, or how to deal with the unique privacy challenges learners may encounter in an educational setting. Apart from evoking student vigilance against offline and online threats to privacy, the symposium aims to urge them to encourage their family and friends to do the same.
“It takes a community to build a threat-resilient digital Philippines, and youth involvement significantly hastens that progress. Through the PSST! educational symposium, we hope to have data subjects – beginning with young students -- realize their empowered role as the first line of defense in protecting their own privacy, and as co-partners with the NPC in building a culture of privacy,” Liboro said.
Coinciding with the National Human Rights Awareness Week, the event features insightful talks on data privacy rights as declared in the Data Privacy Act of 2012, and their implications for the pursuit of protecting the privacy, safety, and security of all stakeholders in the education sector, especially the students.
“Just like with the telco industry, data has the power to transform the education sector and admittedly, this process begins in the collection and analysis of student data. But we must ensure that this is done within limits that protect the privacy of students and ensure that their information is used exclusively for legitimate educational purposes. When this framework is in place, trust issues would be minimized when embracing educational innovations,” said Liboro.
Included in the symposium are discussions on what every student can and must do to ensure that their personal data is private, safe, and secure; how “trust” can make or break the digital economy; career prospects in the field of data privacy; and what practical things every Filipino can do to help build a threat-resilient digital Philippines.
“Young students are already immersed in the digital lifestyle, but it appears a big majority are still clueless on the grammar of online privacy, safety, security, and trust. It’s high time we correct this,” Liboro added.
Among the special guests are representatives from the Department of Information and Communication Technology, Internet Society of the Philippines, Information Security Officers Group, Facebook, Google, and Data Protection Officers from top Philippine colleges.
According to the report Digital in 2018 in Southeast Asia, there are 67 million active Filipino social media users, making the Philippines the world leader in social media usage. The 18-24 age range, university to early-career age, makes up the largest group of social media users in the Philippines. Students use social media platforms as virtual meeting places outside classrooms and as an easily accessible source of information. After college, virtually all fresh graduates take to the Internet for job hunting.
# # #
NPC calls for data privacy compliance in the travel & tourism sector at DPO20
Travel and tourism services in the country are seeing a steady, vibrant growth in demand, owing to the strong business climate and increasing domestic spending. Thus, there is a need for industry players to safeguard their customers’ trust by ensuring that personal information remains secure against data theft.
At the 20th Data Protection Officers Assembly (DPO20), Privacy Commissioner and NPC Chairman Raymund Enriquez Liboro encouraged tourism service providers to comply with the provisions of the Data Privacy Act (DPA) of 2012, emphasizing the need to mitigate risks as this sector becomes increasingly dependent on advances in technology.
The definitive outcome of compliance is ensuring Philippine tourism’s stable growth, continued contribution to national economic progress and increasing global competitiveness.
“Data privacy compliance is a must for all organizations that collect and process personal data. The assumption of your responsibility in protecting tourists’ data – from acquisition, storage, and transfer – not only allows them to enjoy that sense of peace of mind while on travel and leisure, but also strengthens your brand as a company that puts its customer’s welfare above all else,” Liboro said.
About a hundred Data Protection Officers (DPOs) and allied professionals joined the DPO20 on Tuesday at the Asian Institute of Management Conference Center. With the theme “Data Privacy: Safeguarding trust in travel and tourism”, the event aims to encourage compliance awareness, accountability and a sense of urgency within the sector.
Highlighting DPO20 is the declaration of a partnership between the NPC and key leaders in the consumer finance industry. This includes executives representing top airlines, travel agencies, meetings, incentives, conferences and exhibitions (MICE), hospitality and other allied organizations. Their support conveys the sector’s commitment to building a resilient data privacy culture in the Philippines.
The Philippines ranked 13th among the top 15 tourism powerhouses that recorded "absolute growth" within the last seven years, according to the 2018 World Travel & Tourism Council's (WTTC) "Power and Performance Report”.
The report, which assessed 185 countries based on their travel and tourism sector's performance over the period 2011 to 2017, also placed the country at 15th in terms of "performance", based on its compound annual growth rates over that period across WTTC's four indicators: contribution to Gross Domestic Product (GDP), international visitor spend, domestic spend, and capital investment.
The Philippines ranks 8th among states that have seen the largest growth in travel and tourism's contribution to GDP from 2011 to 2017, with a USD 66.3 billion share in 2017 alone.
# # #
NPC eyes fully digital PH by 2040
1. The National Privacy Commission (NPC) said the country's bid to be a fully digital, high-trust society in 20 years is feasible as the government's ICT and data privacy initiatives remain on track.
2. "Ambisyon 2040 provides the beacon towards a high trust society, where every Filipino is secure in their physical and digital lives and living in resilient communities. This includes living in a society where government and businesses are trusted, transactions are friction-less, and everyone enjoys the fruits of individual autonomy. Surely, it is going to be a fully digital society by 2040," said Privacy Commissioner and NPC Chairman Raymund Enriquez Liboro.
3. In his keynote speech today addressing the delegates of Data Privacy Asia 2018 at the Makati Shangri-La hotel, Liboro said the Department of Information and Communications Technology (DICT) has the biggest role to play in the country's digital shift, with the NPC performing a crucial support function.
4. "The programs laid by the DICT, from building ICT infrastructure, strengthening capacity and support to start-ups, and lessening transaction costs in government, will all lead towards making the country more competitive in today’s digital markets. NPC has a role to play, too. As digital transactions expand, so do the risks, threats and harms to individuals. Protecting citizens has gone beyond patrolling the streets and the country’s borders. Data is the new asset and personal data is the new target," Liboro said.
5. After two years of operations, the NPC reports that the country now has a total of 23,081 registered Data Protection Officers (DPOs). The number of privacy-related cases the agency has received so far this year has also increased by 145% from 2017. Of the 542 cases in 2018, 35.52% involved unauthorized processing while 36.44% were on data breaches.
6. "Two years ago, we set out to do a job. We realized that we can only do it by tapping into the energies of our many stakeholders. We planned, we toiled, and here we are now: Lengthening our strides and emerging as one of the most promising data sectors in the world," Liboro said.
7. Liboro emphasized that the NPC's role is not to be a gatekeeper of public policy and technology but instead to make sure the country's privacy law is followed without hindering innovation and progress.
8. "The NPC is not the gatekeeper of what policies can and cannot be implemented in the digital society. Our job is not to pass judgement on any technology nor condemn it even if that technology raises seemingly obvious privacy issues, like the Internet of Things (IoT), Big Data and Artificial Intelligence or AI and machine learning. Instead, we are here to remind data controllers, especially government agencies, that they must be transparent, wield a legitimate purpose and exercise proportionality whenever they process personal data, and that they must be equipped to mitigate potential risks to prevent harm to data subjects or citizens. This means that they must be compliant with the Data Privacy Act so that they can do the proper analysis and initiate actions needed to protect privacy rights while promoting innovation and growth," Liboro said.
9. He noted that the same can be said of the soon-to-be-launched National ID system of the government, where the NPC's role is to make sure it is privacy-compliant.
10. "For decades, the prevailing notion is that a national ID system, and data privacy and security, are in opposition to each other-- that a national ID system that adheres to the tenets of data privacy and security is impossible. This, I do not believe. It betrays a dated mindset: Where our rights cannot be upheld in harmony with the needs of efficient governance. No. We can have a national ID system, and we already have robust enough laws and policy structures in place to make sure that our privacy rights are upheld. Our job in the NPC-- my job as Privacy Commissioner-- is to ensure that the law is followed now that government decided to implement a national ID policy," Liboro said.
11. "Privacy is a right, yes, but this and all our other rights can only be exercised fairly and responsibly within the context of bigger goals: Socioeconomic growth. Progress. Nation building. Our goal, therefore, is balance: Balance between the right of an individual and the needs of the larger society. And striking this balance is not an ideology. It is a skill—a skill which we hope to hone in this Second Data Privacy Asia,” he added.
NPC makes telco take measures against SIM-swap fraud; public warned on identity theft
The National Privacy Commission (NPC) has caused Globe Telecom, Inc. to enforce more stringent subscriber verification protocols to better protect its customers, following reports that one of its prepaid mobile customers fell victim to identity theft, made possible through a SIM swap by the perpetrator, which resulted in unauthorized access to the customer’s online banking account.
In a move to bar cyber-thieves from exploiting mobile authentication as a backdoor for fraudulent transactions, the NPC took Globe to task for security gaps in its SIM replacement procedures.
“A SIM card in the hands of a cyber thief makes mobile authentication meaningless, as it becomes almost like a master key for committing all sorts of identity fraud. It leaves the victim’s personal data vulnerable to all sorts of misuse and abuse, including access to email and Facebook accounts, and unauthorized ATM and online bank withdrawals. As gatekeepers of mobile authentication, we are asking Telco providers to upgrade their security measures,” said Privacy Commissioner and Chairman Raymund Enriquez Liboro.
In a meeting between NPC Complaints and Investigation Chief Francis Acero and Globe representatives, the telco committed to enforcing a 24-hour delay in the activation of newly replaced SIM cards for subscribers who reported a lost or stolen phone, if the prepaid subscriber is unable to present the SIM bed, or is unable to provide proof of identification in case the prepaid subscriber is a GCash user. This is to give prepaid subscribers who may be victims of a SIM swap scheme ample time to respond to SIM replacement text notifications sent to the purportedly lost phone numbers, allowing the subscriber a chance to cancel a malicious request and deter a mobile identity theft in progress.
In processing SIM replacement requests, Globe said it shall require subscribers to present government-issued ID cards as an identity credential, or the original SIM bed as proof of ownership.
Acero said the telco should also be able to utilize its GCash facility as an identity authentication platform for prepaid subscribers who use the service. “Telco utilities that use their mobile platforms for digital cash, quasi-banking, and money remittance services have ‘Know Your Customer’ or ‘KYC’ obligations that extend to protecting these clients from those who may defraud them,” Acero said.
Prior to this measure, the only security measure Globe provided was to require an affidavit from the person requesting a replacement card, attesting to the truth of the loss of the SIM card. Liboro noted this was ineffective in protecting this latest victim from identity fraud. “We hope to see all telco operators in the country enforcing stringent measures to protect the privacy interests of their subscribers not just against mobile identity thieves but against all sorts of mobile fraudsters. Fraudsters thrive by being one step ahead of the game. Their fertile criminal minds exploit gaps in processing systems to execute their plan. We can beat them to it with more proactive steps like this and reacting quickly to fraud,” he said.
SIM swapping refers to the modus operandi where fraudsters illegally obtain from a telco operator a replacement SIM card not belonging to them and then use the number for fraudulent activities.
To avoid being victimized by SIM swap schemers, Liboro also called on the public to stop oversharing personal information on social media, as well as with people they barely know.
“Personal identity thieves and fraudsters start their schemes by collecting as much data about you as possible. They could be stalking your Facebook account, sending you phishing emails, or posing as credit card agents asking very detailed personal information. The risk these people pose is very real: your name can carry real financial value. Once these people commit crimes in your name, it can be very difficult to recover. Let’s stop feeding these schemers. Don’t share personal details on social media; transact only with privacy-compliant business agents who will seek your consent before asking for any personal data,” Liboro added.
# # #
Data privacy compliance a competitive edge for PH companies
In this information age, compliance with data privacy and data protection regulations is considered by organizations as a competitive advantage in their business operations. This was confirmed by contact center managers and data protection experts at the recent Data Privacy Asia conference organized by the Contact Center Association of the Philippines (CCAP).
Contact center clients look for more than just the capacity and capability of the workforce; they also look at the use of industry best practices in data and network security, as well as international compliance with data protection and data privacy regulations. This was explained by CCAP President Jojo Uligan, who said, “Customer experience is crucial, and as service providers, this is what we are focusing on. When customers are aware that their data is secure, this translates to more business for the industry.”
Among those present at the event were international experts in data privacy and protection as well as the Philippines’ Data Protection Authority, the National Privacy Commission (NPC).
Privacy Commissioner Raymund Enriquez Liboro said that companies complying with the Data Privacy Act (DPA) of 2012 have a competitive edge when it comes to data protection and privacy. The DPA promotes international best practices in data protection comparable to data privacy frameworks such as the European General Data Protection Regulation (GDPR) and the APEC Privacy Framework.
“With ASEAN integration coming up soon, companies in the Philippines need to implement their data protection and data privacy obligations not only to keep their existing clients, but also to assure future growth,” Privacy Commissioner Liboro said.
Mr. Malcolm Crompton, former Privacy Commissioner of Australia, was also at the event to explain why having a Privacy Management Plan is essential for organizations to ensure the longevity and competitiveness of their business. “With the successful implementation of Privacy Management Plans, companies can expect increased business, enhanced reputation, more satisfied clients, and improved adaptability to change,” Mr. Crompton said. “The company’s greatest asset is data. Organizations need to rethink the risks associated with data processing in order to manage them effectively.”
Speakers at the Data Privacy Asia conference explain to reporters why Contact Centers need to comply with Data Privacy Laws to keep competitive edge. From left to right are Mr. Malcolm Crompton of ICC, Mr. Jojo Uligan of CCAP, and Privacy Commissioner Raymund Enriquez Liboro.
Organizations that process personal information as part of their operations are required to register their data processing systems with the NPC on or before the 9 September 2017 deadline specified in the Implementing Rules and Regulations of the Data Privacy Act (R.A. 10173). One of the first registration requirements of the NPC is the designation of a Data Protection Officer (DPO), who will be responsible for data protection and data privacy in the organization.
About NPC: The NPC is a regulatory and quasi-judicial body constituted in March 2012 by virtue of RA 10173. As the Philippines’ data privacy and data protection watchdog, the agency is mandated to uphold the right to data privacy and ensure the free flow of information, with a view to promoting economic growth and innovation. To know more about the NPC, visit www.privacy.gov.ph.
NPC conducts privacy compliance check on BPI
The National Privacy Commission (NPC) is conducting a privacy compliance check on the Bank of Philippine Islands (BPI) after the recent incident that caused the bank’s electronic channels to be temporarily suspended, inconveniencing many of its clients.
The compliance check will evaluate the existing governance, organizational, physical and technical measures in place and seek to address any gaps especially in the bank’s breach management protocol, with the view of preventing or mitigating similar incidents in the future.
Under Republic Act No. 10173, otherwise known as the Data Privacy Act of 2012 (Data Privacy Act), the NPC is mandated to ensure compliance of institutions with its provisions, which includes data breach notification, management and mitigation.
The NPC has been in contact with the bank since 7 June 2017, the first day news about the incident spread on social media. The high profile nature of the incident, and the potential harm to thousands of data subjects prompted the Commission to immediately coordinate with the bank and its data protection officer to work towards containing the breach and lessening the impact of the incident.
Privacy Commissioner Raymund Enriquez Liboro said, “We appreciate BPI’s efforts to establish communication with the Commission throughout this episode to assuage our concern for the privacy of their depositors’ personal data. We highly regard the bank’s assurances. As advocate and vanguard of people’s privacy rights, however, the NPC’s public mandate compels us to look even further and deeper into this matter.” He added, “We believe the BPI management fully understands this, because of our shared goal of ensuring the protection of the privacy rights and interests of their clients.”
The BPI incident was reported to have been caused by human error that resulted in previously posted transactions being reposted. The discovery of the error prompted the bank to suspend access to thousands of accounts. The BPI incident involved a breach in security affecting the availability and integrity of information that relates to individuals, which is considered a personal data breach under the NPC’s memorandum circular on personal data breach management (NPC MC 16-03).
Commissioner Liboro explains further, "First, the BPI incident impacted information which is considered personal under the Data Privacy Act. This includes the processing of data, which is capable of uniquely identifying data subjects, such as the account information of BPI and BPI Family Bank customers contained in BPI’s systems. Second, the nature of the incident impacted both the availability and integrity of personal information considering that the incident resulted in the posting of erroneous account information and the prevention of its access to account holders. Under the law, impacts to availability and integrity of personal information may constitute a breach where loss and/or alteration to personal information occurs, whether accidentally or unlawfully."
Commissioner Liboro underscored the importance of data protection in the Internet age. “With many services being online, a simple data processing error can affect thousands of data subjects as well as have a national impact. We can’t help but reiterate the importance of good housekeeping for data processing systems and having breach management protocols in place. Compliance with data protection and privacy regulations reduces breach incidents and puts data subjects out of harm's way,” Commissioner Liboro said.
The National Privacy Commission recently held a general assembly of Data Privacy Officers (DPO) in the banking industry. The event, called DPO2, was conducted in cooperation with the banking regulator, the Bangko Sentral ng Pilipinas (BSP), and the Bankers Association of the Philippines (BAP). After the government, the NPC believes that the banking and finance sector's Personal Information Controllers (PICs) are involved in the highest-risk processing, because of the nature of the data they process and the potential impact of breaches on economic security.
About NPC: The NPC is a regulatory and quasi-judicial body constituted in March 2012 by virtue of RA 10173. As the Philippines’ data privacy and data protection watchdog, the agency is mandated to uphold the right to data privacy and ensure the free flow of information, with a view to promoting economic growth and innovation.
A year after COMELEC breach: National Privacy Commission to hold first general assembly of Data Protection Officers
About a year after the Comeleak data breach, which exposed the personal data of over 55 million Filipino voters, the National Privacy Commission (NPC) is rallying Data Protection Officers (DPOs) from government agencies to adopt a proactive approach in the fight for data protection of citizens in a series of conferences, which invoke the famous 70’s slogan “Kung ‘di tayo kikilos, sino ang kikilos? Kung hindi ngayon, kailan pa?”
NPC starts probe into COMELEC’s 2nd large scale data breach; issues compliance order
The National Privacy Commission (NPC) has ordered the Commission on Elections (COMELEC) on Monday to take serious measures to address its data processing vulnerabilities after the computer of the Office of the Election Officer (OEO) in Wao, Lanao Del Sur was stolen last January 11, 2017.
The stolen computer contains data from the Voter Registration System (VRS) and Voter Search applications, as well as the National List of Registered Voters (NLRV). The stolen data also contains biometric records of registered voters in Wao, Lanao del Sur.
In its initial probe, the NPC discovered that all COMELEC field offices across the country maintain their own soft copies of the NLRV, which contains the personal information of roughly 55 million voters.
The NLRV database was also used in the Precinct Finder application, which was exposed in last year’s COMELEC website data breach.
“This is already COMELEC’s second large-scale data breach in a span of less than a year—a case of a database being breached twice under different circumstances. This time, it involves actual large-scale biometrics data of voters in a municipality. The Commission is very concerned especially since there’s ongoing voter registration nationwide. We will delve deeper into the problem to possibly recommend other measures for COMELEC to implement to protect voter data nationwide,” said Privacy Commissioner Raymund Enriquez Liboro.
“This breach illustrates that there are many ways to lose personal data. That is why data protection is not only an IT security issue involving firewalls. It’s a governance matter that covers organizational and physical measures to protect data,” Liboro added. “In this case, failure to secure the very computer containing personal data can be just as disastrous. If the COMELEC won’t address the problem systemically, this will happen again and again.”
In its Compliance Order dated February 13, 2017, the NPC directed the poll body to erase all copies of the NLRV in the COMELEC’s computers in the different municipalities and cities, if the COMELEC cannot secure the database using appropriate organizational, physical and technical measures.
The privacy watchdog is also tasking the poll body to notify all data subjects affected by the personal data breach within two weeks. Individuals with records in the NLRV may be notified by COMELEC through publication in two newspapers of general circulation. The COMELEC is also being directed to individually notify the data subjects with records in the VRS in Wao, Lanao Del Sur.
Within two weeks, the poll body is also tasked to submit to the NPC its “proposed and implemented revisions” in the voter registration process, considering the Data Privacy Act of 2012, its Implementing Rules and Regulations, and other related NPC circulars.
The poll body is also being required to submit the status of the measures it intends to implement in addressing this personal data breach, as outlined in its report to the NPC.
THE STOLEN COMPUTER
At around midnight of January 11, 2017, unidentified persons reportedly stole the desktop computer of the COMELEC’s OEO in Wao, Lanao Del Sur.
Seventeen days later, on January 28, 2017, COMELEC Executive Director Jose M. Tolentino notified the NPC of the data breach.
The data breach exposed information in the NLRV and the Voter Search application, as well as the detailed voter registration records of registered voters of Wao, Lanao del Sur.
The NLRV contains approximately 75,898,336 records as of October 17, 2016. Of these, 55,195,674 are active voters and 20,703,662 are deactivated voters.
The VRS contains a total of 58,364 registration records for Wao, Lanao del Sur. Of these, 40,991 records are for registered voters for the coming barangay elections (as of October 19, 2016), and 17,373 records are for the Sangguniang Kabataan (SK) elections (as of September 13, 2016).
The COMELEC identified 35,491 active records for the barangay elections, and 17,336 active records for the SK elections.
While the COMELEC claims the data in the database is encrypted, the COMELEC admitted that “[I]f the robber will be able to gain access to the VRS, and to decrypt the VRS and the NLRV data, the personal data might be used by unscrupulous persons for purposes other than those legitimately intended.”
Privacy Commission recommends criminal prosecution of Bautista over “Comeleak”
The National Privacy Commission (NPC) has found that the Commission on Elections (COMELEC) violated the Data Privacy Act of 2012 and has recommended the criminal prosecution of Chairman J. Andres D. Bautista for the data breach that occurred between 20 and 27 of March last year.
In its decision dated December 28, 2016 on NPC Case No. 16-001, the NPC underscored Bautista’s “lack of appreciation” of the principle that data protection is more than just the implementation of security measures. “Data privacy is more than the deployment of technical security; it also includes the implementation of physical and organizational measures, as well as regular review, evaluation, and updating of COMELEC’s privacy and security policies and practices,” the decision reads.
The NPC said the COMELEC “violated Sections 11, 20 and 21 of the Republic Act No. 10173” in the discharge of the agency’s duty as “personal information controller.” The document, meanwhile, mentioned Chairman Bautista as having “violated the provisions of Section 11, 20, 21 and 22 in relation to Section 26” of the same law.
Section 26 of the Data Privacy Act, which penalizes accessing sensitive personal information due to negligence, imposes imprisonment from 3 to 6 years and a fine from P500,000 to P4,000,000. Meanwhile, Section 36 accords additional penalties when the offender is a public officer, consisting of disqualification from public office for a period equivalent to double the term of the criminal penalty.
“The personal data in the breach is contained in several databases kept in the website: (a) the voter database in the Precinct Finder web application, containing 75,302,683 records; (b) the voter database in the Post Finder web application, which contains 1,376,067 records; (c) the iRehistro registration database, with 139,301 records; (d) the firearms ban database, containing 896,992 personal data records and 20,485 records of firearms serial numbers; and (e) the COMELEC personnel database, containing records of 1,267 COMELEC personnel,” the document reads, making the incident the worst recorded breach on a government-held personal database in the world, based on sheer volume.
Further illustrating the breadth of the breach, the NPC decision also gave a rundown of what types of compromised sensitive personal information were contained in COMELEC’s two web-based applications.
“The voter database in the Precinct Finder application contained each voter’s complete name, date of birth, gender, civil status, address, precinct number, birthplace, disability, voter identification number, voter registration record number, reason for deletion/deactivation, registration date, and update time.”
“The voter database in the Post Finder application contained information on each voter’s verified name, date of birth, gender, civil status, post of registration, passport information, with number and expiry date, taxpayer identification number, e-mail address, mailing address, spouse’s name, the complete names of the voter’s mother and father, the voter’s addresses in the Philippines and abroad, post or country of registration, old registration information, Philippine representative’s complete name, citizenship, registration assistor, profession, sector, height and weight, identifying marks, biometrics description, voting history, mode of voting, and other textual reference information for the voter registration system,” the decision further reads, depicting how much personal data is now most likely in the hands of criminal elements as a result of the COMELEC data breach.
Referring to Bautista, the NPC decision reads, “the willful and intentional disregard of his duties as head of agency, which he should know or ought to know, is tantamount to gross negligence. The lack of a clear data governance policy, particularly in collecting and further processing of personal data, unnecessarily exposed personal and sensitive information of millions of Filipinos to unlawful access.
“A head of agency making his acts depend on the recommendations of the Executive Director or the Information Technology Department amplifies the want of even slight care. The duty to obey the law should begin at the top and should not be frustrated simply because no employee recommended such action,” the NPC decision further reads.
As corrective measures, the NPC has ordered the COMELEC and Chairman Bautista to do the following:
Appoint a Data Protection Officer within one month from receipt of the decision.
Conduct an agency-wide Privacy Impact Assessment within two months.
Create a Privacy Management Program and a Breach Management Procedure within three months.
Within six months from receipt of the decision, implement organizational, physical and technical security measures in compliance with the Implementing Rules and Regulations of the Data Privacy Act and the provisions of NPC Circular No. 16-01, on Security of Personal Data in Government Agencies.
The NPC has also recommended to the Secretary of Justice “further investigation for possible prosecution” under the Cybercrime Prevention Act, having found that one of the computers used in the COMELEC data breach had an IP address registered with the National Bureau of Investigation (NBI).
About the NPC: The National Privacy Commission is a regulatory and quasi-judicial body created in March 2012 by virtue of RA 10173, otherwise known as the Data Privacy Act of 2012. Headed by one commissioner and two deputy commissioners, the agency is mandated to uphold the right to data privacy and ensure the free flow of information, with a view to promoting economic growth and innovation.
Contact Person: Atty. Rashy Rellosa – [email protected]
PH Privacy Commission gets international accreditation
The Philippines’ newly formed data protection and privacy authority, the National Privacy Commission (NPC), has received international recognition for its data protection regime from several notable international authorities. The NPC was formed on March 7, 2016.
The NPC received its accreditation as a member of the International Conference of Data Protection and Privacy Commissioners (ICDPPC). Accreditation by the ICDPPC signifies that a country’s data protection agency meets stringent standards. Only 5 out of the 12 applications were approved by the ICDPPC Executive Committee this year. The ICDPPC has been the premier global forum for data protection authorities for 40 years, providing global leadership in data protection and privacy by connecting the efforts of over 110 privacy and data protection authorities from around the world.
NPC Commissioner Raymund E. Liboro welcomed the recognition of the Commission’s efforts to upgrade the standards of privacy and data protection in the country. “Admission to the ICDPPC augurs well for the Philippines. It recognizes that we are committed to international standards in protecting personal data and privacy in the Country, and that the Commission is viewed as independent and vested with the authority to do so,” Commissioner Liboro said.
Earlier last month, the Hogan Lovells Chronicle on Data Protection published an article on its website on the release of the Implementing Rules and Regulations (IRR) of the Data Privacy Act of 2012 (R.A. 10173). The article noted that “the IRRs represent a significant development in data privacy regulation in the Philippines, and will affect multi-national businesses that use or provide services in or from the Philippines, as well as local vendors with data processing facilities in the Philippines. It is fair to say that the IRRs set one of the higher bars for compliance standards in the Asia-Pacific region.”
This is good news for the Information Technology – Business Process Management (IT-BPM) industry, as it reinforces the Philippines’ reputation as an ideal IT-BPM destination. Benedict Hernandez of the Information Technology and Business Process Association of the Philippines (IBPAP) said that more companies can be expected to prefer the Philippines over other countries given that our data privacy standards meet international standards.
About the National Privacy Commission - The National Privacy Commission is the country’s privacy watchdog; an independent body mandated to administer and implement the Data Privacy Act of 2012, and to monitor and ensure compliance of the country with international standards set for data protection.
Contact Person: Michelle Saquido - [email protected]
Government Open Data to Improve with Data Sharing Directives
The free flow of information within the government is expected to improve with the issuance of the latest memorandum circular of the National Privacy Commission (NPC), NPC MC 16-02, on Data Sharing Agreements Involving Government Agencies.
This issuance from the NPC reinforces its mandate to support the free flow of information and safeguard the right to privacy of information. National Privacy Commissioner Raymund Enriquez Liboro said that the law was intended to strike a balance between the need for information freedom and data privacy as indispensable components of nation building. He stated further that the “Freedom of Information is more than just access requests to government, it is about responsible data sharing. Open data will contribute significantly to improving government services and coming up with new ones, supporting innovation and growth.”
The Freedom of Information (FoI) Executive Order was recently issued by the government, and the privacy commission clarified that the Data Privacy Act (DPA) cannot be used as a shield against FoI. It pointed out that the DPA is for the protection of any personal data that may be contained in government records that is not relevant to the Freedom of Information request, particularly when it affects private citizens.
The government is considered the largest collector and repository of personal data. E-governance initiatives and innovations in public services allow citizens to avail of these services online, eliminating the need to queue up or fill out paper-based forms with personal data that the government already has.
The Data Sharing Issuance requires personal information controllers (government agencies) to implement safeguards for data sharing. These include adhering to data privacy principles, entering into Data Sharing Agreements, reviewing technical security measures when allowing online access, and providing for the return, destruction or disposal of transferred personal data. Violation of the directives contained in the issuance may lead to sanctions.
Stricter government handling of personal data ordered in Privacy Commission issuance
Personal data in the hands of government offices and all branches of government, including state-run schools and colleges, is expected to be made more secure with the issuance of the National Privacy Commission’s (NPC) first memorandum circular (#16-001) on the “Security of Personal Data in Government”. According to Commissioner Raymund E. Liboro, the circular is about “preventing and mitigating potential data breaches.” He added that “heightened awareness and setting the appropriate security measures will lower the risk of security incidents and breach.”
As part of its mandate to provide public services, the government holds personal data of its citizens, as well as of visitors from other countries. In fact, the government is considered to be the biggest repository and collector of personal data. With more services becoming available online and with the increasing prevalence of cybercrimes like identity theft and hacking, it is vital that the personal data of citizens be kept secure.
Among the obligations of government agencies contained in NPC Memorandum Circular 16-01 are the designation of a Data Protection Officer and the conduct of a Privacy Impact Assessment for processes that use personal data. The circular also obliges government agencies to create privacy policies, conduct regular training on privacy policies for their employees and contractors, and register data processing systems that process the personal data of at least one thousand (1,000) individuals. The circular likewise outlines rules on the storage, access, transfer, and disposal of personal data in government IT systems.
Compliance of government institutions with this latest issuance by the NPC means that there will be fewer incidents of personal data breach like the one that happened to COMELEC in March this year, wherein millions of voter records were compromised. “Lessons from the incident and consultations with government agencies themselves through the CIO Forum (a nationwide association of government CIOs) guided us in drafting the circular,” Liboro said.
Commissioner Liboro is confident that government institutions will be able to comply with the NPC’s memorandum circular. “The responsible processing of personal data is a vital component of e-government which is a major thrust of the Duterte Administration. As more and more government records are digitized and services go online, we must make sure that citizen’s personal data is kept secure. It should be a top priority,” he added.
Privacy Commission Advisory on Yahoo Breach
The National Privacy Commission (NPC) would like to reiterate the recommendation of Yahoo and cybersecurity experts that Yahoo users change the passwords on their Yahoo accounts.
This follows the compromise of half a billion user accounts from Yahoo’s servers in 2014, which was only discovered and confirmed by Yahoo this week. Below is what was posted on Yahoo’s email log-in page about the account security issue:
"We have confirmed, based on a recent investigation, that a copy of certain user account information was stolen from our network in late 2014 by what we believe is a state-sponsored actor. The account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers."
Other than changing their Yahoo log-in credentials, the NPC also recommends that Yahoo users change the log-in credentials of their other online accounts where they might have used their Yahoo email for account verification purposes. The security questions on Yahoo might also have been compromised, so it would be a good idea to revise the security questions or disable that feature. The NPC also recommends activating two-part authentication, which uses a phone number you provided to verify your identity when you first sign in to your account.
According to Privacy Commissioner Raymund Enriquez Liboro, “A compromised email account can be an avenue for a hacker to gain access to other personal online accounts of an individual, from social media sites to on-line payment portals. That is why it is important to maintain good password hygiene, use pass phrases with numbers or special characters instead of single words, take note of log-in attempts into your account/s that weren’t initiated by you, and change your password/s two to three times a year, or as many times as you change your toothbrush.”
It was revealed at a Microsoft Cybersecurity Summit for government agencies that it takes an average of 502 days for system administrators to detect a security breach.
Privacy Act IRR released – NPC to educate public about privacy
The Implementing Rules and Regulations (IRR) of Republic Act 10173, or the Data Privacy Act (DPA) of 2012, was officially submitted by the National Privacy Commission (NPC) to the Presidential Communications Office (PCO) for publication in the Official Gazette after several months of public consultations nationwide with various stakeholders. The IRR will officially take effect fifteen (15) days after its publication.
The civil society organization Foundation for Media Alternatives (FMA) was instrumental in organizing public consultations for the Implementing Rules. According to FMA Director Alan Alegre, “The FMA is pleased with the spirit of inclusive participation of stakeholders in the development of the DPA’s IRR. Kudos to all stakeholders who participated in the public consultations, submitted comments online and offline, and produced position papers.”
Personal Information Controllers and other stakeholders participated in five public consultations and several meetings with the NPC. These stakeholders included representatives from banks, retail, education, research, health informatics, civil society, business process management, migrant sectors, and government organizations. Among the organizations that helped organize public consultations were the Philippine Computer Society, U.P. Office of the Vice Chancellor for Research and Development (OVCRD), Department of Health, Philippine Council for Health Research and Development, Ateneo de Davao University, UP-PGH, National Telehealth Center and the Foundation for Media Alternatives (FMA).
The NPC will focus on conducting public information campaigns aimed at educating the public and organizations on the importance of data privacy in its first year of operations.
According to Privacy Commissioner Raymund Liboro, “With the prevalent use of personal data in access devices, social media, and smartphone apps, as well as in the delivery of basic services, it is extremely important that the public and organizations be made aware of the need to responsibly handle personal information.”
“The IRR was made with the citizen’s protection and the country’s progress in mind,” emphasized Commissioner Liboro. “Personal data is an important part of your personal assets and should be guarded. Collectively, they become a national asset too.”
The Data Privacy Act applies in general to any person or organization, whether from the government or private sector, that is involved in the collection, processing and any further use of personal data. Personal data is any information that may identify a person, such as names, identification numbers, and personal circumstances. It may involve sensitive information such as contents of a medical record, which a person normally does not intend to disclose to the public.
According to Chairman Liboro, “Everyone must be aware of how to secure them from threats. The Data Privacy Act was enacted to build trust on the country’s ICT systems. To make sure every Filipino benefits from ICT and not to fall victims to data use negligence and internet abuse.”
The National Privacy Commission is hopeful that it will get full cooperation from industry, government, civil society groups and other stakeholders in the conduct of its public information campaign and other activities.
Deputy Commissioner Ivy Patdu said, “To truly embrace a culture of privacy requires multi-sectoral coordination. The Commission has a big job ahead and the support and cooperation of various industries and Government will go a long way in protecting personal data.”
She added, “Privacy is a fundamental human right. Promoting free flow of information should not be seen as incompatible with upholding the right to information privacy. We just need to realize that the benefits gained from use of personal data comes with a duty of respecting rights of data subjects.”
Data Privacy Act IRR Public Consultation - Cebu, 28 July 2016
This might be your last chance for a face-to-face public consultation on the IRR. This one will happen in Cebu. For those who can't make it, feel free to send us an email at [email protected]
Register for the pubcon here: http://bit.ly/2acM0lc
Access the draft IRR here: http://www.gov.ph/2016/06/20/irr-data-privacy-act-2012/
Access the E.O.10173 or the Data Privacy Act of 2012 here: http://www.gov.ph/2012/08/15/republic-act-no-10173/
For more information you can contact the Foundation for Media Alternatives at [email protected] or +632 435-6684
National Privacy Commission Position on FOI EO
The National Privacy Commission lauds the signing of the Executive Order on the Freedom of Information as an important step towards greater transparency and people’s participation in government. The right to information on matters of public concern is a fundamental right provided in the Constitution and the right to privacy must always be balanced with the right of the people to be provided information on matters that affect their lives. The Executive Order was well-written to observe these two fundamental rights.
Freedom of information is emphasized in both the Data Privacy Act (RA 10173) and its proposed Implementing Rules and Regulations. We affirm that the Data Privacy Act should not be used to restrict access to information that falls within matters of public concern. Primarily, the Data Privacy Act does not apply to information about government officers and employees relating to their functions and positions, personal data in relation to government contracts, and discretionary benefits given by government.
A government official who abuses his position or takes undue advantage of his functions for personal benefit will not be able to use the Data Privacy Act to restrict access of the people to information.
The protection of privacy is emphasized in Section 7 of the FOI EO. This is not intended to shield government officials. Rather, it is for the protection of any personal data that may be contained in government records that is not relevant to the freedom of information request, particularly when it affects private citizens.
For example, it is easy to imagine requests for public records from PhilHealth (Philippine Health Insurance Corporation) with regard to its operations, including contracts it entered into, but this does not mean that the names and diseases of patients should be disclosed or published to anyone requesting access. In the same way, an official or employee of the government with access to personal data does not have the right or the authority to disclose it to just anyone. By law, he or she is mandated to protect personal information from unauthorized access or breach in order to protect the privacy of citizens.
As an added example, public officers and employees are required by law to respect the privacy of victims of violence against women and their children, and records of these cases shall be confidential. Therefore, Section 7 should not be viewed as restricting the freedom of information upheld by the Executive Order. The Order defines information and public records broadly, which would include all government records, even those containing personal data of citizens. Section 7 is a recognition of the responsibility of government to protect personal data under its custody, and gives due regard to the equally important right to privacy.
The Executive Order of President Rodrigo R. Duterte makes a public declaration and a commitment that Filipinos shall have access to information, official and public records, and documents held by the government. The National Privacy Commission supports this declaration. To emphasize, the Data Privacy Act shall not be used to restrict access to information that falls within matters of public concern. Freedom of information is not incompatible with the right to privacy.
Data Privacy Act Cannot Be Used As Shield Against FOI
The Data Privacy Act of 2012 cannot be used by government officials as protection against the Freedom of Information Executive Order issued by President Duterte last week, the Data Privacy Commission said in a position paper issued in reaction to concerns that the Data Privacy Act will be used by government officials to deny access to information.
In the position paper, the Data Privacy Commission said that “A government official who abuses his position or takes undue advantage of his functions for personal benefit will not be able to use the Data Privacy Act to restrict access of the people to information.”
It also added that Section 7 (Data Privacy) of the FOI Executive Order is not intended to shield government officials but is “for the protection of any personal data that may be contained in government records that is not relevant to the freedom of information request, particularly when it affects private citizens.”
Section 7 should not be viewed as restricting the freedom of information upheld by the Executive Order. The Order defines information and public records broadly, which would include all government records, even those containing personal data of citizens. Section 7 is a recognition of the responsibility of government to protect personal data under its custody, and gives due regard to the equally important right to privacy.
According to Data Privacy Commissioner Raymund Liboro, “We laud the signing of the Executive Order on the Freedom of Information as an important step towards greater transparency and people’s participation in government. The right to information on matters of public concern is a fundamental right provided in the Constitution and the right to privacy must always be balanced with the right of the people to be provided information on matters that affect their lives. The Executive Order was well-written to observe these two fundamental rights.”