A Personal data breach refers to a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed. A personal data breach may be in the nature of:
A Security Incident is an event or occurrence that affects or tends to affect data protection, or may compromise the availability, integrity, and confidentiality of personal data. It includes incidents that would have resulted in a personal data breach, if not for the safeguards that have been put in place.
All personal information controllers (“PIC”) and processors must implement a security incident management policy. This policy is for managing security incidents, including data breaches.
In drafting your security incident management policy and personal data breach response procedure, the following must be included:
Creation of a security incident response team, with members that have clearly defined responsibilities, to ensure timely action in the event of a security incident or personal data breach
Implementation of organizational, physical, and technical security measures and personal data privacy policies intended to prevent or minimize the occurrence of a personal data breach and assure the timely discovery of a security incident;
Implementation of a response procedure intended to contain a security incident or personal data breach and restore integrity to the information and communications system;
Mitigation of possible harm and negative consequences to a data subject in the event of a personal data breach; and
Compliance with the Data Privacy Act, its IRR, and all related issuances by the NPC pertaining to personal data breach notification.
Conduct of a Privacy Impact Assessment to identify attendant risks in the processing of personal data. It shall consider the size and sensitivity of the personal data being processed, and impact and likely harm of a personal data breach;
Data Governance Policy that ensures adherence to the principles of transparency, legitimate purpose, and proportionality;
Implementation of appropriate Security Measures that protect the availability, integrity, and confidentiality of personal data being processed;
Regular Monitoring for security breaches and vulnerability scanning of computer networks;
Capacity Building of personnel to ensure knowledge of data breach management principles, and internal procedures for responding to security incidents;
The functions of the Security Incident Response Team may be outsourced and there is no precise formula for its composition. However, its members must, as a collective unit, be ready to assess and evaluate a security incident, restore integrity to the information and communications system, mitigate and remedy any resulting damage, and comply with reporting requirements.
Implementing security incident management policy of the personal information controller or personal information processor;
Managing security incidents and personal data breaches; and
Compliance by the personal information controller or personal information processor with the relevant provisions of the Act, its IRR, and all related issuances by the Commission on personal data breach management.
PICs must use the dedicated email address of the office of the DPO when creating an account because it will be the username for the account. For business continuity purposes, the account should be readily available to the new DPO once the current DPO/user resigns or vacates the position in any other way, otherwise access to previously submitted ASIRs and PDBNFs shall be lost.
An Annual Security Incident Report (ASIR) is a report to the Commission containing all security incidents and personal data breaches in a calendar year, including those not covered by the mandatory notification requirements. ASIRs shall be submitted to the Commission annually and contain the following information:
To submit an ASIR in the DBNMS, the following information must be provided:
Personal Information Controller Tab – contains the general information of the security incidents encountered.
How Security Incidents Occurred Tab – contains the number of Security Incidents and Data Breach reports according to cause:
Theft
Identity Fraud
Sabotage / Physical damage
Malicious code
Hacking
Misuse of Resources
Hardware Failure
Software Failure
Communication Failure
Natural Disaster
Design Error
User Error
Operations Error
Software Maintenance Error
Third Party / Service Provider
Others
Mandatory Notification
Not all personal data breaches need to be notified to the NPC and the affected data subjects. Notification is mandatory only when ALL the following elements are present:
When there is doubt as to whether notification is necessary, consider the following factors:
This obligation to notify remains with the personal information controller even if the processing of information is outsourced or subcontracted to a personal information processor.
A Personal Data Breach Notification Form (PDBNF) is an online form used for the submission of a personal data breach notification for those breaches that meet all the elements of mandatory reporting. If the incident does not meet all these requirements, document it and include it in the Annual Security Incident Report to be submitted to the NPC in the following year.
Following the launch of the DBNMS, the Commission accepts submission of PDBNFs through the System ONLY. Any PDBNF submitted outside of the DBNMS shall not be considered as valid.
PDBNFs should be accomplished and submitted within seventy-two (72) hours upon knowledge of or reasonable belief by the personal information controller or personal information processor that a personal data breach has occurred. When providing updates or additional information, PICs should not submit new PDBNFs, otherwise, the new PDBNF will be tagged as invalid.
"To those PICs and PIPs that availed the services of third-party vendors to help them with their personal data breach notifications, the generic email address that will be used shall be from the PIC or the PIP and not the third-party vendor. This is to ensure that all of the submitted reports of the PIC or PIP remain accessible to the same even if they decide to replace their third-party providers."
Representative Field and Email address – If the PIC is being represented by another individual, firm, or entity (such as a law firm), indicate the representative’s name with its corresponding email address. If the PIC is not being represented, simply copy the name of the PIC and its registered email.
Date of Occurrence and Date of Discovery – Indicate the significant dates of the incident. If the date of occurrence of the incident cannot be determined at the time of notification, leave it blank.
Brief Summary – Indicate a short but substantive description of the nature of the breach being reported. It must, at the very least, state the short facts constituting the requirements for mandatory breach reporting.
Notification Type – (a) Involves SPI or data that may enable identity fraud, (b) Acquired by an unauthorized person, (c) Likely to give rise to a real risk of serious harm to data subjects. For each applicable field, provide a brief explanation.
Requests in Relation to Data Breach Notifications
If it is not reasonably possible to submit a complete Personal Data Breach Notification Form to the Commission or to notify the data subjects within the prescribed period, the Personal Information Controller is still required to submit a PDBNF, with the available information at hand, along with any of the following requests:
Request(s) shall be submitted together with the PDBNF. Requests shall be resolved by the Commission, and an Order or Resolution granting or denying the request shall then be issued through the DBNMS. The Commission may also require the PIC to submit additional information for further evaluation.
Data Subject Notification
Under the Data Privacy Act, the data subject has the right to be notified. In the enforcement of this right, the PIC MUST NOTIFY the data subject within seventy-two (72) hours upon knowledge of or reasonable belief that a personal data breach has occurred.
Delay in the notification to data subjects
Generally, there shall be no delay in notification, except to the extent necessary to determine the following:
If the breach involves at least one hundred (100) data subjects, or the disclosure of sensitive personal information will harm or adversely affect the data subject, delay is not allowed. In both instances, the Commission shall be notified within the 72-hour period based on the available information. If it is not possible to notify the affected data subjects within the required period, the PIC may submit a request for postponement of data subject notification through the DBNMS.
Failure to notify
If the PIC fails to notify the Commission or data subjects, or there is unreasonable delay to the notification, the Commission shall determine if such failure or delay is justified. Failure to notify shall be presumed if the Commission does not receive notification from the personal information controller within five (5) days from knowledge of or upon a reasonable belief that a personal data breach occurred. In this case, the PIC may be sanctioned either under the Guidelines on Administrative Fines (NPC Circular No. 2022-01) or the DPA.
Under Section 30 of the DPA, Concealment of Security Breaches involving Sensitive Personal Information is committed by those who, having knowledge of the security breach and an obligation to inform the NPC of the fact of such a breach, either intentionally or by omission fail to inform the NPC that the breach has happened. This carries a penalty of imprisonment from one (1) year and six (6) months to five (5) years, and a fine of Five Hundred Thousand Pesos (P500,000.00) to One Million Pesos (P1,000,000.00).
Under NPC Circular No. 2022-01, any failure to notify the NPC and the affected data subject(s) of a personal data breach pursuant to Section 20 (f) of the DPA that is not covered by Section 30 of the DPA (Concealment of Security Breaches involving Sensitive Personal Information) shall be administratively liable for a fine equivalent to 0.25% to 2% of the annual gross income of the year immediately preceding the violation.
Evaluation and Investigation
Upon receipt of the PDBNF, the evaluating officer shall prepare the Breach Notification Evaluation Report (BNER). After receipt of all the documents required to assess the submission, the CMD shall either endorse the case to the Complaints and Investigation Division (CID) for further investigation and docket it as a sua sponte case, if there is a finding of a possible data privacy violation; otherwise, the case will be endorsed to the Commission en banc for direct adjudication on the other issues.
The investigation by the CID may include an on-site examination of systems and procedures and/or a technical investigation. During the investigation, the investigating team may require the PIC to furnish additional information, documents or evidence, or to produce additional witnesses.