NPC opens passport data probe

The National Privacy Commission (NPC) has granted the Department of Foreign Affairs (DFA) 5 more days before formally facing its preliminary fact-finding inquiry on the passport data issue.

In a meeting this morning, the NPC’s Legal and Enforcement Office asked DFA representatives headed by Director Anthony A.L. Mandap to give preliminary details surrounding the issue. Mandap said he was sent to the meeting just to “formally convey” their written request for postponement since they are “still conducting an internal investigation”. He said he could not speak beyond the scope of what was written in the request.

In the letter sent to NPC late Tuesday afternoon, the DFA’s Data Protection Officer (DPO) Menardo G. Macaraig said the DFA’s own “preliminary inquiries on the matter indicate that there was no data breach because the Asia Productivity Organization Protection Unit, a government-owned and controlled corporation and recognized government printer, remain in custody and control of said data, and that said data has not been shared with or accessed by an unauthorized third party, which may use it for illicit purposes”.

Speaking to media reporters, Privacy Commissioner Raymund Enriquez Liboro said today’s initial meeting may have been brief but productive.

“The NPC’s investigation continues. In their own preliminary probe, the DFA said it is in control of the data. That says a lot already to assuage the public. The data in question is not controlled by any unauthorized parties. That was what today’s meeting with the DFA established. The data is under their safekeeping,” Liboro said.

Commissioner Liboro looks forward to next Monday’s fact-finding meeting, which will include representatives from both the DFA and APO.
“The lessons we could learn from this incident would go a long way in ensuring better government practices. They would form part of the recommendations the NPC shall later issue to government offices contracting third parties. We’re looking to the future for ways to further protect personal data. The law obliges data controller like the DFA to strictly implement contractual means to protect data when they deal with third parties and government contractors. We look forward to improving on that based on lessons we learn here,” Liboro added.