The Implementing Rules and Regulations of the Data Privacy Act of 2012 (R.A. No. 10173) require all Personal Information Controllers (PICs) to submit to the National Privacy Commission (NPC) an annual report of security incidents, including personal data breaches (Annual Report). Pursuant to NPC Circular No. 16-03 on Personal Data Breach Management, the Annual Report should contain general information on the number of incidents and breaches encountered, classified according to their impact on the availability, integrity, or confidentiality of personal data.
A "Security Incident" refers to any event or occurrence that affects or tends to affect data protection, or may compromise the availability, integrity, and confidentiality of personal data. It includes incidents that would result, or have resulted, to a personal data breach. Some examples of security incidents cited by the NPC are unauthorized alteration of an individual’s personal records and brute force attack into a database, even if unsuccessful.
The NPC, through its press release issued on 4 January 2018 set 31 March 2018 as the deadline for personal information controllers (PICs) to submit their 2017 Annual Report. According to NPC Chairman Raymund Liboro, "[the Annual Report is] an essential signpost of any PIC’s commitment to protecting the personal data of its customers and employees." All PICs, regardless of whether required to register with the NPC or not, are required to submit the Annual Report.
Pending the issuance of the prescribed format of the Annual Report, PICs should submit a general summary of all security incidents which occurred in their data processing systems in 2017, whether attempted or successful, via email on or before 31 March 2018.