REPORT A BREACH
- The Security Incident Management Policy
- The Security Incident Response Team
- Annual Reports
- Mandatory Notification
- The Subsequent Investigation
Submission of Data Breach Notifications and Annual Security Incident Reports
All Breach Notifications and Annual Security Incident Reports (“ASIR”) shall be submitted through the Data Breach Notification Management System (“DBNMS”) online platform (https://dbnms.privacy.gov.ph). Submissions through email, personal filing, ordinary mail, licensed courier service, or any other mode of physical submission shall not be considered valid. The deadline for the submission of ASIRs for the years 2018 to 2021 is 31 October 2022. For 2022 ASIRs, the DBNMS shall accept submissions from 1 January 2023 to 31 March 2023. To guide you in navigating the DBNMS, please watch the videos below:
- How to create a DBNMS account
- How to submit a Personal Data Breach Notification report
- How to comply with the required documents and information
- How to submit an Annual Security Incident Report
Assessment
A security incident is any event or occurrence that affects or tends to affect data protection, or that may compromise the availability, integrity, or confidentiality of personal data. It includes incidents that would have resulted in a personal data breach if not for the safeguards that have been put in place. A data breach is a kind of security incident: it happens when a breach of security leads to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed. There are three kinds of data breaches:
- Availability breach. – from the loss, accidental or unlawful destruction of personal data;
- Integrity breach. – from the unauthorized alteration of personal data; and
- Confidentiality breach. – from the unauthorized disclosure of or access to personal data.
The Security Incident Management Policy
All personal information controllers and processors must implement a security incident management policy for managing security incidents, including personal data breaches. In drafting your security incident management policy and personal data breach management procedure, the following must be included:
- Creation of a security incident response team, with members that have clearly defined responsibilities, to ensure timely action in the event of a security incident or personal data breach;
- Implementation of organizational, physical and technical security measures and personal data privacy policies intended to prevent or minimize the occurrence of a personal data breach and assure the timely discovery of a security incident;
- Implementation of an incident response procedure intended to contain a security incident or personal data breach and restore integrity to the information and communications system;
- Mitigation of possible harm and negative consequences to a data subject in the event of a personal data breach; and
- Compliance with the Data Privacy Act, its IRR, and all related issuances by the NPC pertaining to personal data breach notification.
The policy shall also include measures intended to prevent or minimize the occurrence of a personal data breach, such as:
- Conduct of a privacy impact assessment to identify attendant risks in the processing of personal data. It shall take into account the size and sensitivity of the personal data being processed, and the impact and likely harm of a personal data breach;
- Data governance policy that ensures adherence to the principles of transparency, legitimate purpose, and proportionality;
- Implementation of appropriate security measures that protect the availability, integrity and confidentiality of personal data being processed;
- Regular monitoring for security breaches and vulnerability scanning of computer networks;
- Capacity building of personnel to ensure knowledge of data breach management principles, and internal procedures for responding to security incidents;
- Procedure for the regular review of policies and procedures, including the testing, assessment, and evaluation of the effectiveness of the security measures.
The Security Incident Response Team
The Security Incident Response Team is responsible for:
- Implementing security incident management policy of the personal information controller or personal information processor;
- Managing security incidents and personal data breaches; and
- Compliance by the personal information controller or personal information processor with the relevant provisions of the Act, its IRR, and all related issuances by the Commission on personal data breach management.
Annual Reports
Personal information controllers and processors are required to submit an Annual Report in which all security incidents and personal data breaches are documented through written reports, including those not covered by the notification requirements. In the event of a personal data breach, the report shall include: (a) the facts surrounding the incident; (b) the effects of the incident; and (c) the remedial action taken by the personal information controller. For other security incidents not involving personal data, a report containing aggregated data shall constitute sufficient documentation. Any or all reports shall be made available when requested by the Commission; provided that a summary of all reports shall be submitted to the Commission annually, comprising general information including: (1) the number of incidents and breaches encountered; and (2) their classification according to impact on the availability, integrity, or confidentiality of personal data.
Mandatory Notification
Not all data breaches have to be reported to the NPC. Notification is mandatory only when all of the following are present, in which case the personal information controller (or processor, as the case may be) must notify the NPC:
- There is a breach of sensitive personal information or other information that may, under the circumstances, be used to enable identity fraud;
- The data is reasonably believed to have been acquired by an unauthorized person; and
- Either the personal information controller or the NPC believes that the data breach is likely to give rise to a real risk of serious harm to the affected data subject.
In determining whether a personal data breach is likely to give rise to a real risk of serious harm, the following shall be considered:
- The likelihood of harm or negative consequences on the affected data subjects;
- How notification, particularly of the data subjects, could reduce the risks arising from the personal data breach reasonably believed to have occurred; and
- If the data involves:
- Information that would likely affect national security, public safety, public order, or public health;
- At least one hundred (100) individuals;
- Information required by all applicable laws or rules to be confidential; or
- Personal data of vulnerable groups.
Delay in notification shall not be permitted except to the extent necessary:
- to determine the scope of the breach;
- to prevent further disclosures; or
- to restore reasonable integrity to the information and communications system.
The notification shall contain, at the very least, the following:
- Nature of the Breach. – A description of: (a) the nature of the breach; (b) a chronology of events; and (c) an estimate of the number of data subjects affected;
- Personal data involved. – stating the description of sensitive personal information or other information involved.
- Remedial Measures. – There must be: (a) a description of the measures taken or proposed to be taken to address the breach; (b) actions being taken to secure or recover the personal data that were compromised; (c) actions performed or proposed to mitigate possible harm or negative consequences, and to limit the damage or distress to those affected by the incident; (d) actions being taken to inform the data subjects affected by the incident, or reasons for any delay in the notification; and (e) the measures being taken to prevent a recurrence of the incident.
- Name and contact details. – of the Data Protection Officer or contact person designated by the Personal Information Controller to provide additional information.
Notification of data subjects:
- Notify the data subject within seventy-two (72) hours upon knowledge of, or reasonable belief that, a personal data breach has occurred;
- The notification may be made on the basis of available information within the 72-hour period if the personal data breach is likely to give rise to a real risk to the rights and freedoms of data subjects;
- The notification shall have the same content as those made to the National Privacy Commission, but shall include instructions on how data subjects will get further information; and
- recommendations regarding how to minimize risks resulting from breach and to secure any form of assistance.
The Subsequent Investigation
The NPC will consider the following factors in its investigation following the occurrence of a data breach:
- Security measures that have been implemented and applied to the personal data at the time the personal data breach was reasonably believed to have occurred, including measures that would prevent use of the personal data by any person not authorized to access it;
- Subsequent measures that have been taken by the personal information controller or personal information processor to ensure that the risk of harm or negative consequence to the data subjects will not materialize;
- Age or legal capacity of affected data subjects; Provided, that in the case of minors or other individuals without legal capacity, notification may be done through their legal representatives; and
- Compliance with the law and existence of good faith in the collection of personal information.
The investigation may include:
- On-site examination of systems and procedures;
- If necessary, the Commission shall require the cooperation of concerned parties, or compel appropriate action therefrom to protect the interests of data subjects; and
- The investigation shall be governed by the Rules of Procedure of the Commission.