NPC conducts on-site visits among telcos to check compliance with DPA while implementing SIM Registration Act

January 13, 2023, METRO MANILA --- The National Privacy Commission (NPC), through
its Compliance and Monitoring Division conducts simultaneous Compliance Check On-site Visits
to the head offices of telecommunication companies, such as Smart Communications, Globe
Telecom, and Dito Telecommunity to ensure that they are implementing appropriate security
measures to protect the personal data of Filipinos registering their SIM Cards.

Privacy Commissioner John Henry D. Naga together with the Chief of NPC’s Compliance
and Monitoring Division, Atty. Rainier Anthony Milanes, personally went to each on-site visit to
oversee the activities and discuss the importance of the compliance check with the data protection
team of each telco.

“The telcos should consider these Compliance Check On-site Visits as an opportunity to
demonstrate that they have sufficient organizational and program controls, and security
measures in place to guarantee that the personal data being processed in relation to the SIM
registration are safe and secured,” Naga said.

“Telcos must take their responsibility of protecting the privacy rights of their subscribers
seriously by ensuring that personal data related to SIM registration are properly collected and
stored, access to the data is restricted by role-based access controls, and data servers are protected
by encryption and layers of firewall,” the Privacy Chief added.

Atty. Milanes said that “as a regulator ensuring compliance to the Data Privacy Act of
2012, we must see firsthand how these personal information controllers conduct their day-to-day
operations which should incorporate items stated in their privacy manuals.”

“With the leadership of our Privacy Commissioner, the NPC’s Compliance and
Monitoring Division shall continue to conduct various mechanisms that would ensure telcos’
compliance with the DPA,” Milanes added.

Upon the conclusion of Compliance Check On-Site Visit, the three telcos were appraised
of some gaps in their personal data privacy implementation and were required to submit proof
of compliance within fifteen (15) days.

Privacy Commissioner Naga noted that, in general, Smart, Globe, and Dito have
demonstrated capabilities in protecting personal data of their clients. He maintained that telcos
should ensure that its security measures are further improved and strengthened as information
and communications technology advances.

The SIM Registration Act was implemented on December 27, 2022. It can be recalled that
the NPC gathered the telcos to urgently address the privacy concerns regarding the
implementation of the SIM registration which led to immediate changes to the telcos’s SIM
registration process on their websites and mobile applications.