Category Archive: Press Statement
-
Press Statement on the Viral Video of a Student Nurse Posting a Patient's Cardiac Monitor Flatline
The National Privacy Commission (NPC) has taken cognizance of the recent incident involving a nursing student who shared a controversial video filmed within a hospital setting, including a clip of a patient’s cardiac monitor.
The Data Privacy Act of 2012 (DPA) applies to the processing of personal and sensitive personal information (collectively, personal data). Section 12 of the DPA provides that processing of personal information shall be permitted only if it is not prohibited by law, and when at least one of the conditions listed in Section 12 exists. Additionally, Section 13 of the DPA provides that processing of sensitive personal information and privileged information shall be prohibited, except in the cases listed in Section 13. Thus, the posting of videos determined to contain personal data should comply with the DPA, its Implementing Rules and Regulations (IRR), and other issuances of the NPC. Non-compliance with the law shall be penalized by imprisonment and fine, as the case may be.
If the videos do not include details that can identify a person, their disclosure may not fall under the scope of the DPA. However, the NPC acknowledges the potential risks to individuals' rights and freedoms, especially for patients. We emphasize that sharing images or videos from these settings can raise serious ethical concerns and may undermine the trust between patients and healthcare providers. Ethical considerations are critical in maintaining the integrity of healthcare practices and protecting the dignity of patients.
With this, we urge all medical professionals and healthcare workers, including students in training, to exercise the utmost caution when taking pictures or videos within healthcare settings and refrain from posting these in publicly accessible platforms. We remind everyone that freedom of expression is not absolute and is limited by considerations such as the data privacy rights of others.
The NPC will continue to promote and safeguard the rights of all individuals and work closely with relevant stakeholders to ensure that the principles of data privacy and ethical standards are upheld.
For more information, visit our website at https://privacy.gov.ph/ or contact us at [email protected].
###
-
Press Statement of the NPC on Alleged DOST Data Breach
The National Privacy Commission (NPC) has launched an investigation in response to a reported personal data breach within the Department of Science and Technology (DOST). Initial findings indicate that the breach includes the personal data of approximately 597 data subjects, all of whom are employees of DOST.
Upon learning of this incident, the NPC promptly initiated actions through its Complaints and Investigation Division (NPC-CID). On April 4, 2024, an on-site investigation was conducted at the DOST Central Office to determine the nature and extent of the breach, as well as to identify any compromised personal data.
Preliminary assessments reveal that the breach potentially exposed personal information and sensitive personal information, such as names, gender, civil status, and addresses of DOST’s employees. Additionally, the data dump uploaded by the threat actor included several resumes of individual applicants to DOST. The NPC-CID is currently engaged in a thorough analysis of the data dump to fully determine the extent of the breach and assess associated risks.
The NPC received a breach notification from DOST on April 5, 2024. Under NPC Circular 16-03, it is mandatory for the DOST to notify the affected data subjects and the NPC within 72 hours upon knowledge of or a reasonable belief that a personal data breach has occurred.
Furthermore, the NPC strongly urges the public against accessing, downloading, or sharing the uploaded data dump without legitimate purpose or proper authorization. Such actions may constitute unauthorized processing of personal data, which is punishable by law.
The NPC remains committed to keeping the public informed of the progress of this investigation as it unfolds.
For inquiries and updates regarding this incident, please visit our official website www.privacy.gov.ph, or contact our Public Information and Assistance Division at [email protected].
###
-
Privacy Commissioner Naga and UN Special Rapporteur discuss the link between privacy and free expression
Today, 23rd of January 2024, the National Privacy Commission (NPC) hosted Ms. Irene Khan, United Nations Special Rapporteur (UNSR) on the promotion and protection of the right to freedom of opinion and expression. I had the privilege of engaging in an insightful conversation with Ms. Khan about the pivotal role that the right to privacy plays in a country that upholds human rights and freedom of opinion and expression.
The fundamental human right to privacy and freedom of opinion and expression are interdependent pillars of a democratic society. The right to privacy safeguards individuals from undue surveillance, ensuring that personal information is protected. This, in turn, cultivates an environment conducive to the free exchange of ideas and opinions, which is a cornerstone of any vibrant democracy.
This was at the core of our discussion – on how the NPC and Republic Act No. 10173, also known as the “Data Privacy Act of 2012,” safeguard personal information while championing freedom of opinion and expression, recognizing the role of journalism, art, literature, and research in a free society. This allows for creative expression to flourish without the fear of privacy violations.
Our discussion also encompassed NPC’s strategic initiatives aimed at fostering data privacy awareness and implementation of policies that balance privacy rights and lawful disclosure. The NPC has issued a Circular on Guidelines for Legitimate Interest and is also in the process of calling for public input in the issuance of guidelines on processing of personal data for research purposes. These policies guarantee a lawful basis for personal information processing while ensuring the free flow of information.
I express my sincerest gratitude to Ms. Khan for her valuable insights and commend her commitment to the promotion and protection of human rights globally. Her expertise and experience added immense value to our collective efforts in ensuring the protection of personal data. This is especially important given the renewed commitment of the Marcos Administration to promote and protect human rights.
The NPC values collaboration with international entities such as the United Nations in fostering a global conversation on the relationship between privacy and human rights. I hope that this visit will contribute to a deeper understanding of the democratic landscape in the Philippines and will result in the further development of effective strategies to safeguard both privacy and freedom of expression.
ATTY. JOHN HENRY D. NAGA
Privacy Commissioner
###
-
NPC Statement on the visit of the UN Special Rapporteur for Freedom of Opinion and Expression
The National Privacy Commission (NPC) welcomes the visit of the United Nations Special Rapporteur (UNSR) on the promotion and protection of the right to freedom of opinion and expression, Ms. Irene Khan, on January 23, 2024. This visit presents an opportunity for an open dialogue, fostering discussions on the relationship between the right to privacy and freedom of opinion and expression as crucial aspects of a vibrant democracy.
Privacy Commissioner Atty. John Henry D. Naga will engage in a discussion with Ms. Khan, presenting the NPC’s initiatives and accomplishments that highlight its efforts in advocating for freedom of expression while protecting the right to privacy. This is provided for under the provisions of Republic Act No. 10173, also known as the “Data Privacy Act of 2012,” which extends protection to journalists and their sources. Additionally, the law also exempts personal information processed for journalistic, artistic, literary, or research purposes.
As technology evolves, so do the challenges surrounding privacy and freedom of expression. The NPC is dedicated to addressing these challenges through collaborative efforts and constructive dialogues, developing initiatives and policies that strike a balance between protecting personal information while ensuring the free flow of information. This guarantees that individuals can express themselves without fear of unwarranted surveillance or infringement on their personal information.
The NPC looks forward to a productive and enlightening exchange with Ms. Khan, reinforcing its commitment to privacy as an enabler, not a hindrance, to the promotion of democratic values where privacy and freedom of expression can coexist in harmony.
###
-
NPC Strongly Warns Against Resharing of PhilHealth Leaked Data
The National Privacy Commission (NPC) stands resolute in our commitment to safeguard your personal data and uphold your privacy rights. Today, we reiterate a critical warning regarding the leaked personal data from the Philippine Health Insurance Corporation (PhilHealth).
It has come to our attention that the personal data exfiltrated from PhilHealth is being shared illicitly. We want to emphasize the gravity of this situation and the severe consequences that await anyone involved in processing, downloading, or sharing this data without legitimate purpose or without authorization.
Under Section 25 of the Data Privacy Act of 2012 (DPA), those found guilty of unauthorized processing of personal information will face penalties that include imprisonment for one to three years and a fine ranging from Php500,000 to Php2,000,000. Unauthorized processing of sensitive personal information carries even more substantial penalties: imprisonment for three to six years and a fine ranging from Php500,000 to Php4,000,000.
Sharing such leaked data exposes affected individuals to a range of risks, including identity theft, fraud, extortion, blackmail, and other malicious activities. We urge you, as responsible citizens, to refrain from resharing this data and to promptly report its presence to the relevant authorities, including the NPC and law enforcement agencies.
We also call upon personal information controllers and processors to strengthen their data protection measures. Compliance with the DPA and other relevant laws and regulations is not just essential; it is a collective responsibility to protect the rights and privacy of every Filipino.
For inquiries and real-time updates on this matter, please visit our official website at www.privacy.gov.ph or contact us directly at [email protected]. Your privacy matters, and NPC is here to protect it.
###
-
NPC Takes Firm Stand: Unwavering Commitment to Protect Data Privacy Rights in Wake of PhilHealth Data Breach
In an unyielding display of its commitment to safeguarding the privacy and security of personal data, the National Privacy Commission (NPC) has initiated an immediate, proactive investigation into potential violations of the Data Privacy Act of 2012 by the Philippine Health Insurance Corporation (PhilHealth) and its officials. This decisive action follows the unsettling revelation of a data breach where confidential information was illicitly obtained from PhilHealth's systems.
On October 6, 2023, the Complaints and Investigation Division of the NPC completed its initial analysis of 650GB worth of compressed files originating from the data dump claimed by the Medusa group. Upon extraction, these files revealed a staggering 734GB worth of data, including personal and sensitive personal information. In light of these findings, the NPC has launched a sua sponte investigation to ascertain the full scope of this breach, identify the responsible officials, and recommend legal prosecution to the fullest extent permissible by law.
During a recent media interview, PhilHealth implicitly acknowledged a degree of negligence on their part, with one of their officials citing the expiration of antivirus software as a potential vulnerability that may have facilitated the breach. The NPC will leave no stone unturned in its investigation into the potential negligence of PhilHealth officials and explore whether any efforts have been made to conceal pertinent information.
In unequivocal terms, the NPC issues a stern warning to the public: Any individual or organization found to process, download, or share the exfiltrated data from PhilHealth will be held accountable for unauthorized processing of personal information and may face criminal charges.
Rest assured, the NPC stands firm in its resolve to combat any actions that contravene the Data Privacy Act of 2012, whether within government or private institutions. We pledge unwavering dedication to enforcing the necessary measures and will be relentless in holding those responsible fully accountable.
For inquiries and updates on this incident, please visit our official website at www.privacy.gov.ph or contact us at [email protected]. Your data privacy matters, and your National Privacy Commission is here to protect it.
###
-
Press Statement on Alleged PhilHealth Data Breach
The National Privacy Commission (NPC) is fully committed to safeguarding personal data and ensuring the privacy of all individuals. Today, on the 25th of September 2023, we were notified by the Philippine Health Insurance Corporation (PhilHealth) regarding an alleged ransomware attack, prompting immediate action from the NPC.
The Complaints and Investigation Division of the NPC has taken swift measures to address this incident. We have issued a Notice to Explain to PhilHealth, seeking comprehensive information regarding the nature and extent of the data breach. Furthermore, we have issued an Order to Appear, compelling PhilHealth's presence at a hearing scheduled for tomorrow, the 26th of September 2023. This will be followed by a Notice of Onsite Investigation on the 28th of September 2023. These actions have been initiated to evaluate the impact of the alleged data breach and to assess the mitigation efforts undertaken by PhilHealth, with a primary focus on protecting the interests of the affected beneficiaries and contributors.
In strict adherence to NPC Circular No. 2016-03, we expect PhilHealth to provide a complete report within the next two days. This report must offer a comprehensive account of the breach, including details on the personal data that may have been compromised, and the measures implemented to contain and rectify the situation.
The NPC is dedicated to ensuring the privacy and security of personal data for all citizens. Rest assured, we will keep the public informed of developments in this matter as they become available.
For inquiries and updates on this incident, please visit our official website www.privacy.gov.ph or contact our Public Information and Assistance Division thru [email protected].
###
-
Empowering Youth Protection: Privacy Commissioner’s Full Support for Anti-OSAEC and CSAEM Act's IRR
The National Privacy Commission (NPC) wholeheartedly supports the issuance of the Implementing Rules and Regulations (IRR) for the Anti-Online Sexual Abuse or Exploitation of Children (OSAEC) and Anti-Child Sexual Abuse or Exploitation Materials (CSAEM) Act, also known as the Anti-OSAEC and CSAEM Act. This legislation signifies a significant milestone in our ongoing efforts to combat online sexual abuse and exploitation of children, as well as the dissemination of child sexual abuse or exploitation materials.
The process of drafting the IRR for the Anti-OSAEC and CSAEM Act was commendably thorough and inclusive. It entailed multi-sectoral consultations involving various stakeholders such as children's groups, the private sector, the general public, and other organizations dedicated to combating online sexual abuse and exploitation of children. This collaborative approach facilitated invaluable dialogue and insights, undoubtedly contributing to the IRR's comprehensiveness and effectiveness.
The NPC acknowledges the importance of safeguarding the privacy and personal data of individuals, particularly children, in today's digital era. Through our Youth Online Protection Program, known as Kabataang Digital, we are fully committed to promoting online safety and security among the youth.
We firmly believe that raising awareness and understanding of these legal instruments is crucial for ensuring their successful implementation. As our nation progresses in the fight against online sexual abuse and exploitation of children and child sexual abuse or exploitation materials, the NPC, along with our Kabataang Digital Program, stands prepared to provide support, collaborate, and engage with all stakeholders to accomplish the objectives outlined in the law.
Let us continue working together towards creating a safer and more secure digital environment for our children, where their rights are upheld, their privacy is safeguarded, and their well-being remains paramount.
ATTY. JOHN HENRY D. NAGA
Privacy Commissioner
###
-
Statement of Privacy Commissioner John Henry Naga on the alleged leak of personal data among law enforcement agencies
Today, 20th of April 2023, the National Privacy Commission gathered the concerned government agencies, namely, the Philippine National Police (PNP), National Bureau of Investigation (NBI), Civil Service Commission (CSC), and Bureau of Internal Revenue (BIR) to address the alleged leak of personal data involving law enforcement agencies.
According to representatives of said agencies, after conducting their respective investigations and vulnerability tests, the NBI, CSC, and BIR have confirmed that there were no breaches on their part and will release their respective statements to the public. However, the Philippine National Police requested for time to validate and review its systems for possible security compromise considering that the Police was highlighted in the report alleging the data leak.
To further investigate this matter, we issued an order to conduct an onsite investigation on the concerned data processing system of PNP on 24 April 2023 headed by the Complaints and Investigation Division of this Commission. Likewise, we also ordered Mr. Jeremiah Fowler, the cybersecurity researcher who published an article regarding this matter, to appear before this Commission on 21 April 2023 to aid this Commission in its investigation.
The recent allegations of a data breach involving law enforcement agencies in the country should serve as a reminder that no organization, not even the government, is immune to the threat of cyberattacks. And that we should remain in constant vigilance in protecting personal data.
I call on all government agencies and private sectors processing personal data to review the implementation of their data privacy and security measures. It is not enough to simply comply with existing regulations and standards; we must also proactively identify and address potential vulnerabilities.
Even as our probe is underway, the NPC strongly demands of these government agencies, such as the PNP, to strictly comply with the Data Privacy Act of 2012, including the mandatory breach notification requirement under various NPC Circulars.
ATTY. JOHN HENRY D. NAGA
Privacy Commissioner
###
-
STATEMENT OF PRIVACY COMMISSIONER JOHN HENRY NAGA ON SELFIE VERIFICATION IN SIM CARD REGISTRATION
In performing their responsibilities under the Subscriber Identity Module (SIM) Card Registration Act, Public Telecommunications Entities (PTEs) are reminded of their obligation to process our citizens' personal data in accordance with the Data Privacy Act of 2012.
Thus, as an additional layer of protection against fraud and identity theft, the processing involved in selfie verification should pass the general data privacy principles of transparency, legitimate purpose, proportionality, and all other data privacy safeguards in the law.
Ensuring the privacy of our registrants is paramount to instilling trust in the full implementation of the SIM Card Registration Act. This will be bolstered if PTEs can guarantee that all the data in their possession are protected against misuse, unauthorized processing, data breaches, and all other security incidents.
ATTY. JOHN HENRY D. NAGA
Privacy Commissioner
###
-
Press Statement of NPC on the SIM Card Registration Bill
The National Privacy Commission (NPC) supports the intention of the SIM Card Registration Bill to prevent the proliferation of various and evolving electronic communication-aided criminal activities.
The NPC is fully aware that implementing a SIM card registration system will entail a massive collection of personal data. Hence, there is a strong need to develop a technology-neutral approach and to future-proof the proposed legislation to achieve its intended purpose, in a manner that respects the rights and freedoms of the data subjects.
The NPC advocated to the House of Representatives and the Senate of the Philippines to consider the proportionality principle and data minimization mechanisms concerning the provisions on social media providers and authorized resellers. Mechanisms must be developed and implemented to prevent security risks and data breaches that may arise from overcollection and improper or inadequate monitoring practices.
The NPC recommended that the burden to determine the SIM card buyer’s identity should not fall on retailers who may not have the necessary know-how or resources to properly verify the identity of data subjects and the authenticity of the identification cards that will be presented. Delegating it to these retailers may result in overcollection and improper or inadequate monitoring and security practices. This was adopted in Section 5 of the Bill.
The NPC also discouraged the use of a centralized server or database as it carries greater risks if a security breach occurs. This recommendation was adopted in Section 6 of the Bill, which requires that the designated government agencies or public telecommunications entities (PTEs) maintain their own databases. The PTE must strictly use the database to process, activate, or deactivate a SIM or subscription, and not for any other purpose.
In fulfillment of its duty to uphold the rights of data subjects, the NPC will closely coordinate with other agencies to develop the necessary guidelines to properly implement the Bill.
###
-
Privacy Commissioner’s statement on invoking data privacy in the refusal to comply with subpoenas
We would like to reiterate that the Data Privacy Act of 2012 (DPA) does not prohibit the disclosure of personal or sensitive personal information (collectively, personal data) when necessary for purposes of complying with validly issued subpoenas by government investigating bodies. Data privacy rights should not be cited as an excuse to evade legal proceedings.
While we advocate for the protection of the right to data privacy of data subjects, there are provisions in the law that recognize the processing of personal information when necessary for compliance with a legal obligation or to fulfill functions of public authorities. On the other hand, sensitive personal information may also be processed when provided for by existing laws and regulations, or necessary for establishment, exercise, or defense of legal claims, among others.
We hope that this clarifies the scope and limitation of our law and its implications to existing and future legal proceedings.
RAYMUND ENRIQUEZ LIBORO
Privacy Commissioner
###
-
Stop Profiling and Red Tagging Pandemic Heroes
The National Privacy Commission denounces in the strongest terms any act of unjust profiling of community pantry organizers whom we consider heroes of this pandemic as this may violate their right to privacy. We have always been firm in our stand that unjust profiling activities are unwelcome due to the risks they entail to our citizens, such as discrimination and stereotyping.
It is for this reason that we express our grave concerns over the statement of Lieutenant General Antonio Parlade Jr. regarding Ms. Ana Patricia Non, likening her selfless act to that of Satan’s.
Labels like these are unnecessary when the people are struggling to find every means to survive in this pandemic.
The unwarranted profiling activities are being carried out against those organizing community pantries in aid of the less fortunate. Despite this good intention, they have been discouraged from continuing this activity because of red tagging.
It is during these trying times that we should not, by any means, fuel discrimination against anyone who has done nothing to deserve such. We must aim to build a united community driven by volunteerism with the genuine desire to help others and the needy.
Unjust profiling destroys the Filipino Bayanihan spirit.
RAYMUND ENRIQUEZ LIBORO
Privacy Commissioner
-
On the Alleged Profiling of Community Pantry Organizers
While more people set up community pantries in the spirit of bayanihan, it has come to our attention that there were concerns over alleged profiling of organizers of these initiatives. Individuals were purportedly asked to provide personal data including their email address, Facebook account name, family background, among others.
We would like to emphasize that collecting personal data must be done fairly and lawfully with respect to the rights of a data subject, including the rights to be informed and object.
The Philippine National Police’s (PNP) leadership in the past has acted on unlawful profiling and recognized the importance of protecting the privacy of the citizenry in the performance of their duties.
Today, we again call the attention of the PNP Data Protection Office to look into these reports and take appropriate measures to prevent any doings of its personnel on the ground that could potentially harm citizens and violate rights. Should there be a need to collect personal information to maintain peace and order, it must be accomplished with transparency, legitimate purpose, and proportionality.
In times of adversity, Filipinos have the ability to come together and do extraordinary deeds. We must continue these efforts to build trust within and across communities amid this unprecedented health crisis.
RAYMUND ENRIQUEZ LIBORO
Privacy Commissioner
-
Practice Transparency with Responsibility when Posting SAP Beneficiaries on Social Media
The National Privacy Commission is urging local government authorities to practice transparency with responsibility when posting the identities of the financial beneficiaries of the Social Amelioration Program (SAP) on social media.
We understand that using social media platforms is a quick and accessible method to reach the public and uploading the list of SAP beneficiaries through these platforms may be considered an efficient way to exercise transparency in utilizing public funds.
However, public disclosure of personal information should strictly adhere to the principle of proportionality. Local Government Units (LGUs) must determine the types of personal data that they will disclose, particularly when the original list of SAP beneficiaries contains sensitive personal information.
The Data Privacy Act does not prohibit LGUs from disclosing information which they deem essential for the public to know in the name of transparency. Nevertheless, LGUs should be mindful of their concomitant responsibilities as personal information controllers.
***
-
NPC INVESTIGATING ALLEGED LARGE-SCALE FACEBOOK BREACH
The National Privacy Commission (NPC) is currently validating information that says 879,699 Facebook accounts of Filipino netizens allegedly are compromised as part of the large-scale breach affecting 533 million global users in the social media platform.
Initial information shows that the data leaked includes phone numbers, full names, location, e-mail addresses, and biographical information of users across various countries.
The NPC immediately reached out to Facebook’s Philippine Data Privacy Officer to gather more information on the matter.
As we await more answers, we highly encourage Facebook users to be more cautious online. We reiterate the need for the regular changing of passwords and the activation of two-step authentication of accounts to safeguard their personal information.
We assure the public that the NPC is on top of this matter.
***
-
Unified contact tracing app a welcome development says the Privacy Commissioner
Throughout this pandemic, we at the National Privacy Commission (NPC) maintained that privacy should be considered in government interventions that make use of personal data.
When the government collects the personal data of our citizenry, we owe to them a solemn covenant to protect their personal data, and ensure that we will not use their data for other purposes.
Filipinos need to be assured that data is handled securely; the data demanded of them is proportional to the purpose; they can understand how their data will be used; there is a specific purpose for the processing; and their data will be retained for no longer than is necessary.
Through these we earn our citizens' trust on which the very success of our contact tracing efforts is hinged.
We see the Memorandum of Agreement (MOA) signing as a welcome development. With the MOA, the government thru the Department of the Interior and Local Government (DILG) gives the Filipinos an assurance that it shall assume complete responsibility and controllership over StaySafe.PH and all sensitive personal data that are collected with the use of this application.
The NPC recognizes the immense benefits of data-driven technologies. We treat our personal information controllers all the same, and we help those that try to comply with the Data Privacy Act and its principles.
We will continue to work closely with the DILG, Department of Information and Communications Technology, Department of Health and the government as we continuously improve the system. We will be there to assist in every step of the way to ensure that privacy is considered at every stage of its implementation.
***
-
Privacy Commissioner Raymund Liboro on PNP request to obtain lawyer list in Calbayog City
In light of the issue concerning the request for a list of lawyers representing communist groups, the National Privacy Commission (NPC) reminds all government agencies as personal information controllers of their duties and responsibilities under the Data Privacy Act of 2012.
While the NPC recognizes that there may be a presumption of regularity in the conduct of police operations, the rights of the data subjects remain to be paramount and must be upheld at all times.
We would like to emphasize that law enforcement or investigative agencies of the government do not have blanket authority to access or use the information about private individuals under the custody of another agency.
Consideration shall be made on the nature of the requested information and on whether these are required to be kept confidential in line with other applicable laws and regulations on the matter.
The NPC is still monitoring the incident to obtain additional information.
***
-
Update on Alleged Cashalo Data Breach
Amid recent reports on the alleged data breach on the cash-loaning application Cashalo, operated by Oriente Express Techsystem Corporation, the National Privacy Commission (NPC) did a preliminary probe on the data security issue. Initial findings show that huge amounts of personal data from Cashalo have been dumped and sold on different cyber forums since February 14, 2021.
A certain user named “creepxploit” sells data of 3.3 million users of Cashalo containing their usernames, passwords, e-mail addresses, phone numbers and device identifications on two sites on the dark web. The user even provides sample data for potential buyers. Given the facts, it is suspected that the user successfully downloaded files from Cashalo's own database, which signifies a potential breach on the application. Creepxploit's posts remain accessible as of writing.
NPC immediately reached out to Cashalo through their data protection officer to relay the incident and required them to provide additional information. The Commission received Cashalo's breach report last February.
The Commission continues to monitor and investigate the case in coordination with the parties involved. Rest assured that the NPC does not condone any data privacy and protection violations, whether committed with malice or due to negligence. We hope to bring clarity to the incident soon and better protect those whose data privacy rights may have been compromised by this incident.
# # #
-
Privacy Commission wants deeper probe of Facebook, tells social media giant to do more to protect users
We are initiating a deeper probe on Facebook’s proposed preventive actions regarding the proliferation of suspicious accounts as such activities on the platform continue to threaten the personal data privacy and other security-related rights of its Filipino users.
According to Facebook, they “removed two separate networks for violating our policy against coordinated inauthentic behavior (CIB). One of these networks originated in China and the other in the Philippines.” Under the network that originated in the Philippines, they “removed 57 Facebook accounts, 31 Pages and 20 Instagram accounts for violating our policy against foreign or government interference which is coordinated inauthentic behavior on behalf of a foreign or government entity.”
With this, we have sent a letter today inviting them to appear before the Commission as we seek more details from its findings.
This is not our first encounter with Facebook. You may recall that in 2018, the Commission's probe into the exploitation of the “View As” feature to extract users’ access tokens without their consent resulted in an order to comply with the provisions of the Data Privacy Act of 2012, such as establishing a dedicated help desk for Filipino data subjects on privacy-related matters.
Now, we call again for Facebook’s compliance with laws, rules, and regulations under our jurisdiction. This ensures that responsible social media platforms shall elevate their community standards to a level that adequately protects the data privacy rights of Filipino data subjects and rights to free speech and expression.
It is incumbent on us at the National Privacy Commission to step up our action, especially on platforms like Facebook, which is considered one of the biggest holders and processors of personal data.
RAYMUND ENRIQUEZ LIBORO
Privacy Commissioner
-
Privacy Commissioner Liboro urges schools to fortify information systems amid rising security incidents
- The National Privacy Commission is looking into the reported security incidents sustained by prominent universities these past weeks.
- Amid the increase in personal data security incidents, we call on school officials to fortify their information systems.
- As schools shift to digital operations and virtual learning systems in the wake of the pandemic, they must prioritize the security of their information technology infrastructures and deploy a “privacy by design” approach by embedding privacy into their policies, networks and business practices.
- Security incidents that lead to personal data breaches could expose affected data subjects to possible harms including identity theft, scams, and phishing. Likewise, they undermine people’s trust in institutions, which are expected to keep personal data safe and private.
RAYMUND ENRIQUEZ LIBORO
Privacy Commissioner
# # #
-
Statement of Privacy Commissioner Raymund Enriquez Liboro on NPC’s upcoming meet w/ Facebook regarding impostor accounts
- The National Privacy Commission has invited Facebook Philippines for a meeting on Tuesday, 16 June 2020, to seek more information regarding the numerous reports of impostor Facebook accounts.
- The Commission is currently coordinating with other government agencies, while conducting a separate investigation on this matter.
- The National Privacy Commission is focused on probing the cause of the “privacy panic” triggered by these impostor accounts and instituting remedial measures to protect Filipino Facebook users.
- We shall continue to inform the public on the matter.
RAYMUND ENRIQUEZ LIBORO
Privacy Commissioner
# # #
-
Statement of Privacy Commission Raymund Enriquez Liboro on the Reported Proliferation of “Impostor” Facebook Accounts
The National Privacy Commission is monitoring reports about the proliferation of alleged impostor Facebook accounts that have victimized Filipino data subjects.
While the extent of these incidents is not yet fully determined at this time, we have been receiving reports from different sectors, mostly coming from academic institutions.
We immediately brought this to the attention of Facebook. According to Clare Amador, Facebook representative in the Philippines, they are already investigating this particular matter as well as other information on unauthorized FB accounts.
Meanwhile, the Privacy Commissioner has instructed Facebook to report its significant findings as soon as these become available.
In addition, we urge everyone to report alleged impostor accounts to Facebook through https://www.facebook.com/help/report.
RAYMUND ENRIQUEZ LIBORO
Privacy Commissioner
# # #
-
Press Statement of Privacy Commissioner Raymund Enriquez Liboro on the industry-wide Code of Ethics and Code of Conduct by FinTech Alliance
The National Privacy Commission is steadfast in protecting Filipino citizens in this rapidly-developing field of financial technology. We are very much committed to our primary goal: “to ensure balance of free flow of information while protecting the privacy of all data subjects”. Our Commission recognizes that one important component of successful digital governance is making sure that legitimate business interests thrive with accountability, compliance and ethics.
Let me take this opportunity to clarify the role of data privacy in light of emerging and sometimes disruptive technologies. As NPC we do not make policy choices. The Data Privacy Act of 2012 is also technology neutral. As NPC, we do not endorse nor condemn any particular technology because that choice is better left to businesses and their customers. As such, privacy regulators all over the world do not exist to disrupt disruptors. However, it is the abusive and harmful use of personal data that we condemn. It is the discrimination, stigmatization, loss of reputation and loss of individual autonomy resulting from the irresponsible and unlawful use of personal data which cause harm to individuals that the Data Privacy Act of 2012 addresses.
Digital technologies are considered the “engines of change” of the global economy and personal data is the “oil” that makes it work. Therefore, it is crucial to watch over this “oil” to ensure our economic growth that is inclusive, resilient, highly trusted and globally competitive.
Today is a milestone as we cast the widest net for consumer protection in tech-driven financial services. The NPC, with its mandate to coordinate with other regulators and the private sector for a more effective implementation of the Data Privacy Act of 2012, is working closely with other regulators: Bangko Sentral ng Pilipinas (BSP), Securities and Exchange Commission (SEC), Department of Trade and Industry (DTI), and FinTech Alliance to ensure the safety and security of consumers.
We are expressing our support for the institutionalization of a code of ethics and adoption of a code of conduct by the FinTech Industry. Through this, we expect FinTech companies to be more prudent and responsible in processing their clients’ personal data and succeed in achieving genuine financial inclusivity for the country.
-
Press Statement of Privacy Commissioner Raymund E. Liboro RE: Fact-finding reports on 3 major online lenders
The National Privacy Commission received this year multiple complaints against online lending companies. We received a total of 921 complaints reporting essentially the same facts:
- Use of contact list or phone directory without consent or authority;
- Disclosure of unwarranted or false information to other persons;
- Use of personal information for harassment and threatening communications; and
- Unduly intrusive personal data processing
The volume of the complaints filed and the seriousness of the allegations led this Commission to create a taskforce to conduct an independent investigation against the online lending companies, focusing on the three applications comprising 61 percent of the complaints.
The Directors who are the responsible officers of these companies would have to explain and answer the charges filed by the Commission. To date cases have been filed against:
- Fynamics Lending Inc. and its responsible officers Meng Li, Changjin Wang, Kwinnie Mae Fianza, Jacquielyn Chua Garrido, Helen Joy Amican de Luna, and Bernard B. Salvacion, Jr. operating PondoPeso Online Lending Application
- Unipeso Lending Company and responsible officers, Haolong Li, Guanqun Luo, Flordeluna Rosell, Rizza Mae Lorilla, and Renyvic Duquitan operating Cashlending Online Application
- Fcash Global Lending Inc. and its responsible officers, Kellon De Jesus Manalastas, Tiancai Huang, John Christian P. Sia, Jovy Co Ting, and Zichao Su operating Fast Cash Online Lending Application
The NPC Taskforce concluded its investigation and its report reveals a business model founded on principles violative of the Data Privacy Act. This law is intended to protect the informational privacy of individuals, ensuring that they are not harmed by the illegal or unauthorized use of their personal information. Notable findings in the report include:
- Statements from complainants about the illegal and unauthorized processing of personal information
- Failure to demonstrate compliance with requirements of the DPA, and issuances of the Commission such as late registration, inadequate notice and consent
- Use of applications with dangerous permissions, allowing the company to access phone directory, camera, location and storage of devices where the application is downloaded and installed
- Evidence showing unauthorized processing, processing for unauthorized purpose, malicious disclosure and unauthorized disclosure.
These companies and their directors are now given the opportunity to respond to these charges and are given 10 days to file an answer. If the Directors and these companies fail to answer, this Commission will render a decision based on available evidence. These companies may face possible stop processing orders. Criminal prosecution may also be recommended against its directors before the Department of Justice with possible maximum imposable penalties of up to 7 years imprisonment and fines of up to P5,000,000.00.
This order is one of the many initiatives of our Commission to stop the unethical practices and illegal acts of operators/companies behind online lending mobile apps. In addition to this independent investigation, the Commission is coordinating closely with the Federal Trade Commission (FTC) through Cross-border Privacy Enforcement Arrangement (CPEA). We are also set to coordinate with other regulatory bodies in efforts to stop these abusive practices.
So far, we received a total of 921 complaints and 4,444 related inquiries by phone, e-mail or in this office. This Commission is ready to assist complainants and those with similar concerns. We will exert all efforts to put a stop to this unethical and illegal processing of personal information by the operators of online lending mobile applications. You may directly file your formal complaint with the Commission. We would also like to warn the public against engaging fixers and individuals who are trying to exploit your current situation.
We would like to caution people against downloading mobile applications, particularly online lending applications. Please read the terms and conditions carefully, for they may include dangerous permissions such as access to your live location, phone books and social media account, and even camera control. We encourage everyone to be responsible for our safety, security, and protection of our personal data.
And for all those operators and companies behind online lending mobile apps who are currently or planning to misuse and abuse the use of technology -- we, the National Privacy Commission, will stand by our mandate to protect the data subjects and the right to privacy of all Filipinos.
# # #
-
Press Statement of Privacy Commissioner Raymund Enriquez Liboro
RE: PERSONAL DATA PROCESSING BY ELECTION CANDIDATES
1. It has come to our attention that some individuals posted on social media about receiving from candidate/s a “precinct locator” or “voter’s information” card, printed with their personal data – name, complete residential address, date of birth, among others.
2. Concerns were raised over the possibility that these candidates may be processing voter personal data without authority.
3. The National Privacy Commission is currently looking into this to determine whether said election-related processing of personal data conforms with the standards of the Data Privacy Act of 2012 (DPA).
4. Political parties and candidates, in their capacity as personal information controllers, should at all times uphold the data subject rights of voters, and provide mechanisms for exercising rights. They have the obligation to ensure that all personal data processing related to any of their partisan political activity satisfies the criteria for lawful processing as provided for in the DPA.
5. Failure to uphold data subject rights in processing voter information may subject political parties and candidates to penalties for possible violations of the DPA.
6. Citizens are likewise encouraged to be aware of their data privacy rights and be on guard whenever their personal data is processed. For guidance or clarification, they may email [email protected]. If they think their data privacy rights were violated, they may email [email protected].
# # #