NPC pushes adoption of international data protection standards on security techniques

The National Privacy Commission (NPC) is pushing for the adoption of international data protection standards on security techniques among organizations. These techniques cover privacy framework, implementation of data protection controls, management of identity information, and guidelines for privacy impact assessment.

NPC’s Data Security and Compliance Office issued advisories on the adoption of a set of international standards (ISO/IEC 29100, ISO/IEC 29151, ISO/IEC 24760, and ISO/IEC 29134) that apply to all types and sizes of organizations or entities acting as personal information controllers (PICs) and personal information processors (PIPs), including public and private companies, government, and non-profit organizations.

These international standards are approved for adoption as a Philippine National Standard (PNS) by the Bureau of Philippine Standards, upon the recommendation of the Subcommittee on Information Security, Cybersecurity and Privacy Protection (SC 1) and the Technical Committee on Information Technology (BPS/TC 60). The BPS/TC 60 is in charge of the review and adoption of relevant international standards in the Philippines; NPC is a participating member that identifies and reviews standards for data protection.

Deputy Privacy Commissioner and OIC-Director of the Data Security and Compliance Office, Atty. John Henry D. Naga, said that adopting international standards evolves an organization’s data protection efforts. The PNS ISO/IEC 29100 standard on privacy framework, for example, can be applied by PICs and PIPs in their risk management process, privacy policies, privacy controls, and privacy principles, and in designing, implementing and operating information and communication technology projects.

“Managing and processing personal data is a run-of-the-mill task for most organizations both in public and private sectors. Part of the National Privacy Commission’s function is to issue recommendations for security measures to fortify personal data protection, including the most appropriate standard recognized by the global information and communications technology industry”, Naga said.

Proper management of identity information is crucial in protecting privacy. Identity is often a requirement for authorization and authentication purposes. PICs and PIPs may refer to the PNS ISO/IEC 24760 series of standards, a framework for properly managing the identity information of individuals, organizations, or information technology components that operate on behalf of individuals or organizations.

PNS ISO/IEC 29134 covers the conduct of privacy impact assessments (PIA) and the structure and content of a PIA report. This standard will align organizations with international best practices in conducting a PIA. It served as the basis for the NPC Advisory 17-03 (Guidelines of PIA).

When conducting a PIA, organizations can identify potential privacy issues and risks in their processes, systems, or programs. This step in privacy protection steers organizations away from costly and damaging privacy mistakes and possible legal consequences. A PIA also demonstrates the organization’s respect for data privacy rights and helps it earn data subjects’ trust.

PNS ISO/IEC 29151 will help PICs and PIPs enhance the security controls they use to protect personal data. It guides how best to mitigate the privacy risks identified in a PIA by enforcing information security policies.

PICs and PIPs adopting the international standards on security techniques should implement these on top of their compliance with the Data Privacy Act of 2012, the law’s implementing rules and regulations, and other issuances of the NPC. Access the links below for more information on the advisories: