NPC conducts privacy compliance check on BPI

The National Privacy Commission (NPC) is conducting a privacy compliance check on the Bank of Philippine Islands (BPI) after the recent incident that caused the bank’s electronic channels to be temporarily suspended, inconveniencing many of its clients.

The compliance check will evaluate the existing governance, organizational, physical and technical measures in place and seek to address any gaps especially in the bank’s breach management protocol, with the view of preventing or mitigating similar incidents in the future.

Under Republic Act No. 10173, otherwise known as the Data Privacy Act of 2012 (Data Privacy Act), the NPC is mandated to ensure compliance of institutions with its provisions, which includes data breach notification, management and mitigation.

The NPC has been in contact with the bank since 7 June 2017, the first day news about the incident spread on social media. The high profile nature of the incident, and the potential harm to thousands of data subjects prompted the Commission to immediately coordinate with the bank and its data protection officer to work towards containing the breach and lessening the impact of the incident.

According to Privacy Commissioner Raymund Enriquez Liboro; “We appreciate BPI’s efforts to establish communication with the Commission throughout this episode to assuage our concern for the privacy of their depositor’s personal data. We highly regard the bank’s assurances. As advocate and vanguard of people’s privacy rights, however, the NPC’s public mandate compels us to look even further and deeper into this matter,” Liboro said. “We believe the BPI management fully understands this, because of our shared goal of ensuring the protection of the privacy rights and interests of their clients” he added.

The BPI incident was reported to have been caused by human error resulting in previously posted transactions to be reposted. The discovery of the error prompted to the Bank to suspend access to thousands of accounts. The BPI incident involved a breach in security affecting the availability and integrity of information that relates to individuals, considered a personal data breach under NPC’s memorandum circular on personal data breach management (NPC MC 16-03).

Commissioner Liboro explains further, "First, the BPI incident impacted information which is considered personal under the Data Privacy Act. This includes the processing of data, which is capable of uniquely identifying data subjects, such as the account information of BPI and BPI Family Bank customers contained in BPI’s systems. Second, the nature of the incident impacted both the availability and integrity of personal information considering that the incident resulted in the posting of erroneous account information and the prevention of its access to account holders. Under the law, impacts to availability and integrity of personal information may constitute a breach where loss and/or alteration to personal information occurs, whether accidentally or unlawfully."

Commissioner Liboro underscored the importance of data protection in the Internet age. “With many services being on-line, a simple data processing error can affect thousands of data subjects as well as have national impact, we can’t help to reiterate the importance of good house keeping for data processing systems and having breach management protocols in place compliance with data protection and privacy regulations reduces breach incidents and puts data subjects out of harm's way.” Commissioner Liboro said.

The National Privacy Commission recently held a general assembly of Data Privacy Officers (DPO) in the banking industry. The event, called DPO2, was conducted in cooperation with banking regulator the Banko Sentral ng Pilipinas (BSP) and the Bankers Association of the Philippines (BAP). After government, the NPC believes that the banking and finance sector's Personal Information Controllers (PICs) are involved in high-risk processing, because of the nature of the data they process and the potential impact of breaches to economic security.

About NPC: The NPC is a regulatory and quasi-judicial body constituted in March 2012 by virtue of RA 10173, the Philippines’ data privacy and data protection watchdog, the agency is mandated to uphold the right to data privacy and ensure the free flow of information, with a view to promoting economic growth and innovation.