Statement of Privacy Commissioner John Henry Naga on the alleged leak of personal data among law enforcement agencies

Today, 20th of April 2023, the National Privacy Commission gathered the concerned government agencies, namely, the Philippine National Police (PNP), National Bureau of Investigation (NBI), Civil Service Commission (CSC), and Bureau of Internal Revenue (BIR) to address the alleged leak of personal data involving law enforcement agencies.

According to representatives of said agencies, after conducting their respective investigations and vulnerability tests, the NBI, CSC, and BIR have confirmed that there were no breaches on their part and will release their respective statements to the public. However, the Philippine National Police requested time to validate and review its systems for possible security compromise, considering that the Police was highlighted in the report alleging the data leak.

To further investigate this matter, we issued an order to conduct an onsite investigation on the concerned data processing system of PNP on 24 April 2023 headed by the Complaints and Investigation Division of this Commission. Likewise, we also ordered Mr. Jeremiah Fowler, the cybersecurity researcher who published an article regarding this matter, to appear before this Commission on 21 April 2023 to aid this Commission in its investigation.

The recent allegations of a data breach involving law enforcement agencies in the country should serve as a reminder that no organization, not even the government, is immune to the threat of cyberattacks, and that we should remain constantly vigilant in protecting personal data.

I call on all government agencies and private sectors processing personal data to review the implementation of their data privacy and security measures. It is not enough to simply comply with existing regulations and standards; we must also proactively identify and address potential vulnerabilities.

Even as our probe is underway, the NPC strongly demands that these government agencies, such as the PNP, strictly comply with the Data Privacy Act of 2012, including the mandatory breach notification requirement under various NPC Circulars.

Privacy Commissioner