Privacy Commission recommends criminal prosecution of Bautista over “Comeleak”

The National Privacy Commission (NPC) has found that the Commission on Elections (COMELEC) violated the Data Privacy Act of 2012 and has recommended the criminal prosecution of Chairman J. Andres D. Bautista for the data breach that occurred between 20 and 27 of March last year.

In its decision dated December 28, 2016 on NPC Case No. 16-001, the NPC underscored Bautista’s “lack of appreciation”of the principle that data protection is more than just implementation of security measures. “Data privacy is more than the deployment of technical security; it also includes the implementation of physical and organizational measures, as well as regular review, evaluation, and updating of COMELEC’s privacy and security policies and practices,” the decision reads.

The NPC said the COMELEC “violated Sections 11, 20 and 21 of the Republic Act No. 10173” in the dispense of the agency’s duty as “personal information controller.” The document, meanwhile, mentioned Chairman Bautista as having “violated the provisions of Section 11, 20, 21 and 22 in relation to Section 26” of the same law.

Section 26 of the Data Privacy Act, which penalizes accessing sensitive personal information due to negligence, imposes imprisonment from 3 to 6 years and a fine from P500,000 to P4,000,000. Meantime, Section 36 accords additional penalties when the offender is a public officer, consisting in the disqualification from public office for a period equivalent to double the term of criminal penalty.

“The personal data in the breach is contained in several databases kept in the website: (a) the voter database in the Precinct Finder web application, containing 75,302,683 records; (b) the voter database in the Post Finder web application, which contains 1,376,067 records; (c) the iRehistro registration database, with 139,301 records; (d) the firearms ban database, containing 896,992 personal data records and 20,485 records of firearms serial numbers; and (e) the COMELEC personnel database, containing records of 1,267 COMELEC personnel,” the document reads, making the incident the worst recorded breach on a government-held personal database in the world, based on sheer volume.

Further illustrating the breadth of the breach, the NPC decision also gave a rundown of what types of compromised sensitive personal information were contained in COMELEC’s two web-based applications.

“The voter database in the Precinct Finder application contained each voter’s complete name, date of birth, gender, civil status, address, precinct number, birthplace, disability, voter identification number, voter registration record number, reason for deletion/deactivation, registration date, and update time.”

“The voter database in the Post Finder application contained information on each voter’s verified name, date of birth, gender, civil status, post of registration, passport information, with number and expiry date, taxpayer identification number, e-mail address, mailing address, spouse’s name, the complete names of the voter’s mother and father, the voter’s addresses in the Philippines and abroad, post or country of registration, old registration information, Philippine representative’s complete name, citizenship, registration assistor, profession, sector, height and weight, identifying marks, biometrics description, voting history, mode of voting, and other textual reference information for the voter registration system,” the decision further reads, depicting how much personal data are now most likely in the hands of criminal elements as a result of the COMELEC data breach.

Referring to Bautista, the NPC decision reads, “the willful and intentional disregard of his duties as head of agency, which he should know or ought to know, is tantamount to gross negligence. The lack of a clear data governance policy, particularly in collecting and further processing of personal data, unnecessarily exposed personal and sensitive information of millions of Filipinos to unlawful access.

“A head of agency making his acts depend on the recommendations of the Executive Director or the Information Technology Department amplifies the want of even slight care. The duty to obey the law should begin at the top and should not be frustrated simply because no employee recommended such action,” the NPC decision further reads.

As corrective measures, the NPC has ordered the COMELEC and Chairman Bautista to do the following:

Appoint a Data Protection Officer in one month’s time from receipt of the decision. Conduct an agency-wide Privacy Impact Assessment within two months. Create a Privacy Management Program and a Breach Management Procedure within three months. Within six months upon receipt of the decision, the COMELEC is also obliged to implement organizational, physical and technical security measures in compliance with the Implementing Rules and Regulations of the Data Privacy Act and the provisions of NPC Circular No. 16-01, on Security of Personal Data in Government Agencies.

The NPC has also recommended to the Secretary of Justice “further investigation for possible prosecution” under the Cybercrime Prevention Act, having found that one of the computers used in the COMELEC data breach had an IP address registered with the National Bureau of Investigation (NBI).

About the NPC: The National Privacy Commission is a regulatory and quasi-judicial body created in March 2012 by virtue of RA 10173, otherwise known as the Data Privacy Act of 2012. Headed by one commissioner and two deputy commissioners, the agency is mandated to uphold the right to data privacy and ensure the free flow of information, with a view to promoting economic growth and innovation.

Contact Person: Atty. Rashy Rellosa – [email protected]

###