A Personal data breach refers to a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed. A personal data breach may be in the nature of:
- A Confidentiality breach resulting from the unauthorized disclosure of or access to personal data.
- Integrity breach resulting from alteration of personal data; and/or
- An Availability breach resulting from loss, accidental or unlawful destruction of personal data;
A Security Incident is an event or occurrence that affects or tends to affect data protection, or may compromise the availability, integrity, and confidentiality of personal data. It shall include incidents that would result to a personal data breach, if not for safeguards that have been put in place.
All personal information controllers (“PIC”) and processors must implement a security incident management policy. This policy is for managing security incidents, including data breaches.
In drafting your security incident management policy and personal data breach response procedure, the following must be included:
Creation of a security incident response team, with members that have clearly defined responsibilities, to ensure timely action in the event of a security incident or personal data breach
Implementation of organizational, physical, and technical security measures and personal data privacy policies intended to prevent or minimize the occurrence of a personal data breach and assure the timely discovery of a security incident;
Implementation of a response procedure intended to contain a security incident or personal data breach and restore integrity to the information and communications system;
Mitigation of possible harm and negative consequences to a data subject in the event of a personal data breach; and
Compliance with the Data Privacy Act, its IRR, and all related issuances by the NPC pertaining to personal data breach notification.
The Security Incident Management Policy must also include measures intended to prevent or minimize the occurrence of a personal data breach. These measures include:
Conduct of a Privacy Impact Assessment to identify attendant risks in the processing of personal data. It shall consider the size and sensitivity of the personal data being processed, and impact and likely harm of a personal data breach;
Data Governance Policy that ensures adherence to the principles of transparency, legitimate purpose, and proportionality;
Implementation of appropriate Security Measures that protect the availability, integrity, and confidentiality of personal data being processed;
Regular Monitoring for security breaches and vulnerability scanning of computer networks;
Capacity Building of personnel to ensure knowledge of data breach management principles, and internal procedures for responding to security incidents;
The functions of the Security Incident Response Team may be outsourced and there is no precise formula for its composition. However, its members must, as a collective unit, be ready to assess and evaluate a security incident, restore integrity to the information and communications system, mitigate and remedy any resulting damage, and comply with reporting requirements.
The Security Incident Response Team is responsible for:
Implementing security incident management policy of the personal information controller or personal information processor;
Managing security incidents and personal data breaches; and
Compliance by the personal information controller or personal information processor with the relevant provisions of the Act, its IRR, and all related issuances by the Commission on personal data breach management.
- How to create a DBNMS account
- How to submit a Personal Data Breach Notification report
- How to comply with the required documents and information
- How to submit an Annual Security Incident Report
PICs must use the dedicated email address of the office of the DPO when creating an account because it will be the username for the account. For business continuity purposes, the account should be readily available to the new DPO once the current DPO/user resigns or vacates the position in any other way, otherwise access to previously submitted ASIRs and PDBNFs shall be lost.
An Annual Security Incident Report (ASIR) is a report to the Commission containing all security incidents and personal data breaches in a calendar year, including those not covered by the mandatory notification requirements. ASIRs shall be submitted to the Commission annually and contain the following information:
- number of incidents and breach encountered; and
- number of incidents classified according to their causes and as to whether they are considered mandatory or voluntary data breach notifications or as other security incidents.
To submit an ASIR in the DBNMS, the following information must be provided:
Personal Information Controller Tab
– contains the general information of the security incidents encountered:- Year – of the Report
- City/ Municipality – where the PIC is located.
- Number of Security Incidents and Data Breaches
- Mandatory Breach Notification
- Voluntary Breach Notification
- Other security incident
How Security Incidents Occurred Tab – contains the number of Security Incidents and Data Breach reports according to cause:
Theft
Identity Fraud
Sabotage / Physical damage
Malicious code
Hacking
Misuse of Resources
Hardware Failure
Software Failure
Communication Failure
Natural Disaster
Design Error
User Error
Operations Error
Software Maintenance Error
Third Party / Service Provider
Others
Mandatory Notification
Not all personal data breaches need to be notified to the NPC and the affected data subjects. Notification is mandatory only when ALL the following elements are present:
- The personal data involves sensitive personal information or any other information that may be used to enable identity fraud;
- Other information includes, but is not limited to, the following:
- Data about the financial or economic situation of the data subject;
- Usernames, passwords, and other login data;
- Biometric data;
- Copies of identification documents, licenses, or unique identifiers like Philhealth, SSS, GSIS, TIN number; or
- Other similar information, which may be made the basis of decisions concerning the data subject, including the grant of rights or benefits.
- There is reason to believe that the information may have been acquired by an unauthorized person; and
- The personal information controller believes that the data breach is likely to give rise to a real risk of serious harm to the affected data subject.
When there is doubt as to whether notification is necessary, consider factors:
- The likelihood of harm or negative consequences on the affected data subjects;
- How notification, particularly of the data subjects, could reduce the risks arising from the personal data breach reasonably believed to have occurred; and
- If the data involves:
- Information that would likely affect national security, public safety, public order, or public health;
- At least one hundred (100) individuals;
- Information required by all applicable laws or rules to be confidential; or
- Personal data of vulnerable groups.
This obligation to notify remains with the personal information controller even if the processing of information is outsourced or subcontracted to a personal information processor.
A Personal Data Breach Notification Form (PDBNF) is an online form used for the submission of personal data breach notification for those breaches that meet all the elements of mandatory reporting. If the incident does not meet all these requirements, document it and include it in the Annual Security Incident Report to be submitted to the NPC on the following year.
Following the launch of the DBNMS, the Commission accepts submission of PDBNFs through the System ONLY. Any PDBNF submitted outside of the DBNMS shall not be considered as valid.
PDBNFs should be accomplished and submitted within seventy-two (72) hours upon knowledge of or reasonable belief by the personal information controller or personal information processor that a personal data breach has occurred. When providing updates or additional information, PICs should not submit new PDBNFs, otherwise, the new PDBNF will be tagged as invalid.
"To those PICs and PIPs that availed the services of third-party vendors to help them with their personal data breach notifications, the generic email address that will be used shall be from the PIC or the PIP and not the third-party vendor. This is to ensure that all of the submitted reports of the PIC or PIP remains accessible to the same even if they decide to replace their third-party providers".
The following pieces of information must be stated in the PDBNF:
Notification Type Tab
Representative Field and Email address –If the PIC is being represented by another individual, firm, or entity (such as law firms), the representative’s name with its corresponding email address shall be indicated as such. If the PIC is not being represented, simply copy the name of the PIC and its registered email.
Date of Occurrence and Date of Discovery –Indicate the significant dates of the incident. If the date of occurrence of the of the incident cannot be determined at the time of notification, leave it blank.
Brief Summary – Indicate a short but substantive description of the nature of the breach being reported. It must, at the very least, state the short facts constituting the requirements for mandatory breach reporting.
Notification Type – (a) Involves SPI or data that may enable identity fraud, (b) Acquired by an unauthorized person, (c) Likely to give a real risk of serious hard to data subjects. For each applicable field, provide a brief explanation.
Personal Data Breach Notification Details Tab
- General cause and specific cause
- With Request – refers to any request made to the Commission in relation to the PDBNF (see Preliminary request).
- How breach occurred + DPS vulnerability – Description of how the breach occurred and the vulnerability of the data processing system that made the breach possible.
- Chronology – refers to the chronology of events from discovery of the incident until recovery.
- Number of DS/Record – approximate number of affected data subjects and/or records
- Description/ Nature – Determine the nature of the breach (availability, integrity, or confidentiality breach). (a) Availability breach resulting from loss, accidental, or unlawful destruction of personal data, (b) Integrity breach resulting from alternation of personal data, (c) Confidentiality breach resulting from the unauthorized disclosure of or access to personal data. The nature of the breach may be a combination of any of the foregoing breaches (e.g. Integrity and confidentiality breach, etc.)
- Likely consequences – provide how the incident will affect both the Personal Information Controller and its data subject.
- DPO – Name of the data protection officer or any other accountable person, and his/her contract information.
- SPI – indicate/enumerate the Sensitive Personal Information compromised. SPI pertains to the personal information about any of the following : (a) an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations; (b) an individual’s health, education, genetic or sexual life, or to any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings; (c) Issued by government agencies peculiar to an individual which includes, but not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns, and (d) those information specifically established by an executive order or an act of Congress to be kept classified.
- Other info that may enable identity fraud – Data about the financial or economic situation of the data subject (e.g. usernames, passwords and other log-in credentials, biometric data, copies of identification documents, licenses or unique identification like Philhealth, SSS, GSIS, TIN, or other similar information, which may be made as basis of decisions concerning the data subject, including the grant of rights or benefits.
- Measures to address the breach – specific measures taken to address the incident including the results of the investigation conducted.
- Measure to secure/ recover personal data – actual measures taken to secure or recover personal data.
- Actions to inform data subjects – The actual manner of notification (e.g., email, physical mail etc.) including any assistance extended to data subjects, if applicable.
- Measures to prevent recurrence of incidence – actual or proposed actions done to addressing the compromised vulnerability and prevent the same incident from happening in the future
- Record type – Type of records that was compromised (e.g digital records in electronic system, etc.)
- Data subjects- Type of data subjects affected who may be PIC’s (a) own employees, (b) customers, (c) personal data of vulnerable groups, or (d) others.
Requests in Relation to Data Breach Notifications
If it is not reasonably possible to submit a complete Personal Data Breach Notification Form to the Commission or to notify the data subjects within the prescribed period, the Personal Information Controller is still required to submit a PDBNF, with the available information at hand, along with any of the following requests:
- Exemption from data subject notification
- A personal information controller may be exempted from the notification requirement if it is not reasonably possible to notify the data subjects within the prescribed period provided that the Commission determines that such notification would not be in the public interest or in the interest of the affected data subjects.
- Postponement of data subject notification
- The Commission may authorize the postponement of notification where if it is not reasonably possible to notify the data subjects within the prescribed period provided and it may hinder the progress of a criminal investigation related to a serious breach, taking into account the following circumstances: a) Information that would likely affect national security, public safety, public order, or public health, b) at least one hundred (100) individuals, c) information required by applicable laws or rules to be confidential, d) personal data of vulnerable group, and e) other risks posed by the personal data breach.
- Extension of time for submission of Full Report and other documents
- The full report of the personal data breach must be submitted within five (5) days, unless the personal information controller is granted additional time by the Commission to comply. The Commission may also require additional documents and pieces of information after its initial evaluation. As such, the PIC may request for additional time to comply with those requirements.
- Alternative means of notification to affected data subjects. –
- Notification of affected data subjects shall be done individually. However, if individual notification is not possible or would require a disproportionate effort, the PIC may request for the approval of the NPC to use alternative means of notification, such as through public communication or any similar measure through public communication or any similar measure.
Request(s) shall be submitted with the PDBNF. Request shall be resolved by the Commission and an Order or Resolution granting or denying the request shall then be issued through the DBNMS. The Commission may also require the PIC to submit additional information for further evaluation.
Data Subject Notification
Under the Data Privacy Act, the data subject has the right to be notified In the enforcement of this right, the PIC MUST NOTIFY the data subject within seventy-two (72) hours upon knowledge of or reasonable belief that a personal data breach has occurred.
- The notification may be made based on available informationwithin the 72-hour period if the personal data breach is likely to give rise to a real risk to the rights and freedoms of data subjects;
- Notification to the data subjects must be sent individually, either by written or electronic means.
- The notification shall have thesame content as those made to the National Privacy Commission but shall include instructions on how data subjects will get further information; and recommendations on how to minimize risks resulting from breach and how to secure any form of assistance.
Delay in the notification to data subject
Generally, there shall be no delay in notification, except to the extent necessary to determine the following:
- the scope of the breach;
- to prevent further disclosures; or
- to restore reasonable integrity to the information and communications system.
If the breach involves at least one hundred (100) data subjects, or the disclosure of sensitive, personal information will harm or adversely affect the data subject, delay is not allowed. In both instances, the Commission shall be notified within the 72-hour period based on available information. If it is not possible to notify the affected data subjects within the required period, the PIC may submit a request for postponement of data subject notification through the DBNMS.
Failure to notify.
If the PIC fails to notify the Commission or data subjects, or there is unreasonable delay to the notification, the Commission shall determine if such failure or delay is justified. Failure to notify shall be presumed if the Commission does not receive notification from the personal information controller within five (5) days from knowledge of or upon a reasonable belief that a personal data breach occurred. In this case, the PIC may be sanctioned either under the Guidelines on Administrative Fines (NPC Circular No. 2022-01) or the DPA.
Under Section 30 of the DPA, Concealment of Security Breaches involving Sensitive Personal Information is committed by those, having knowledge of the security breach and with an obligation to inform the NPC of the fact of such a breach, either intentionally or by omission fails to inform the NPC that the breach has happened. This carries a penalty of imprisonment from one (1) year and six (6) months to five (5) years, and a fine of Five Hundred Thousand Pesos (P500,000.00) to One Million Pesos (P1,000,000.00).
Under NPC Circular No. 2022-01, any failure to notify the NPC and the affected data subject(s) of a personal data breach pursuant to Section 20 (f) of the DPA not covered under Section 30 of the DPA for Concealment of Security Breaches involving Sensitive Personal Information shall be administratively liable for a fine equivalent to 0.25% to 2% of the annual gross income of the immediately preceding year of the violation.
Evaluation and Investigation
Upon receipt of the PDBNF, the evaluating officer shall prepare the Breach Notification Evaluation Report (BNER). After the receipt of all the documents required to assess the submission, the CMD shall either endorse the case for further investigation of the Complaints and Investigation Division (CID) if there is a finding of a possible data privacy violation, and docket the same as a sua sponte case otherwise, the case will be endorsed to the Commission en banc for direct adjudication on the other issues.
The investigation by CID may include an on-site examination of systems and procedure and/or a technical investigation. During investigation, the PIC may be required by the investigating team to furnish additional information, document or evidence, or to produce additional witness.
