The National Privacy Commission (NPC) has found that the Commission on Elections (COMELEC) violated the Data Privacy Act of 2012 and has recommended the criminal prosecution of Chairman J. Andres D. Bautista for the data breach that occurred between 20 and 27 of March last year.

In its decision dated December 28, 2016, on NPC Case No. 16-001, the NPC underscored Bautista’s “lack of appreciation” of the principle that data protection is more than just implementation of security measures. “Data privacy is more than the deployment of technical security; it also includes the implementation of physical and organizational measures, as well as regular review, evaluation, and updating of COMELEC’s privacy and security policies and practices,” the decision reads.

The NPC said the COMELEC “violated Sections 11, 20 and 21 of the Republic Act No. 10173” in the discharge of the agency’s duty as “personal information controller.” The document, meanwhile, named Chairman Bautista as having “violated the provisions of Section 11, 20, 21 and 22 in relation to Section 26” of the same law.

Section 26 of the Data Privacy Act, which penalizes accessing sensitive personal information due to negligence, imposes imprisonment from 3 to 6 years and a fine from P500,000 to P4,000,000. Meanwhile, Section 36 provides for additional penalties when the offender is a public officer, consisting of disqualification from public office for a period equivalent to double the term of the criminal penalty.

“The personal data in the breach is contained in several databases kept in the website: (a) the voter database in the Precinct Finder web application, containing 75,302,683 records; (b) the voter database in the Post Finder web application, which contains 1,376,067 records; (c) the iRehistro registration database, with 139,301 records; (d) the firearms ban database, containing 896,992 personal data records and 20,485 records of firearms serial numbers; and (e) the COMELEC personnel database, containing records of 1,267 COMELEC personnel,” the document reads, making the incident the worst recorded breach on a government-held personal database in the world, based on sheer volume.

Further illustrating the breadth of the breach, the NPC decision also gave a rundown of what types of compromised sensitive personal information were contained in COMELEC’s two web-based applications:

“The voter database in the Precinct Finder application contained each voter’s complete name, date of birth, gender, civil status, address, precinct number, birthplace, disability, voter identification number, voter registration record number, reason for deletion/deactivation, registration date, and update time.”

“The voter database in the Post Finder application contained information on each voter’s verified name, date of birth, gender, civil status, post of registration, passport information, with number and expiry date, taxpayer identification number, e-mail address, mailing address, spouse’s name, the complete names of the voter’s mother and father, the voter’s addresses in the Philippines and abroad, post or country of registration, old registration information, Philippine representative’s complete name, citizenship, registration assistor, profession, sector, height and weight, identifying marks, biometrics description, voting history, mode of voting, and other textual reference information for the voter registration system,” the decision further reads, depicting how much personal data are now most likely in the hands of criminal elements as a result of the COMELEC data breach.

Referring to Bautista, the NPC decision reads, “the wilful and intentional disregard of his duties as head of agency, which he should know or ought to know, is tantamount to gross negligence. The lack of a clear data governance policy, particularly in collecting and further processing of personal data, unnecessarily exposed personal and sensitive information of millions of Filipinos to unlawful access.

“A head of agency making his acts depend on the recommendations of the Executive Director or the Information Technology Department amplifies the want of even slight care. The duty to obey the law should begin at the top and should not be frustrated simply because no employee recommended such action,” the NPC decision further reads.

As corrective measures, the NPC has ordered the COMELEC and Chairman Bautista to do the following:

- Appoint a Data Protection Officer in one month’s time from receipt of the decision.
- Conduct an agency-wide Privacy Impact Assessment within two months.
- Create a Privacy Management Program and a Breach Management Procedure within three months.
- Within six months upon receipt of the decision, the COMELEC is also obliged to implement organizational, physical and technical security measures in compliance with the Implementing Rules and Regulations of the Data Privacy Act and the provisions of NPC Circular No. 16-01, on Security of Personal Data in Government Agencies.

The NPC has also recommended to the Secretary of Justice “further investigation for possible prosecution” under the Cybercrime Prevention Act, having found that one of the computers used in the COMELEC data breach had an IP address registered with the National Bureau of Investigation (NBI).

About the NPC: The National Privacy Commission is a regulatory and quasi-judicial body created in March 2016 by virtue of RA 10173, otherwise known as the Data Privacy Act of 2012. Headed by one commissioner and two deputy commissioners, the agency is mandated to uphold the right to data privacy and ensure the free flow of information, with a view to promoting economic growth and innovation.


Contact Person: Atty. Rashy Rellosa –

Contact No.: +639178587757