Following its press release on 4 January 2018,1 which sets 31 March 2018 as the deadline for personal information controllers (PICs) to submit their respective security incident reports for 2017, the National Privacy Commission (NPC) issued on 12 February 2018 NPC Advisory 18-01 or the Guidelines on Security Incident and Personal Data Breach Reportorial Requirements (Reporting Guidelines).
The Reporting Guidelines are geared towards ensuring compliance with the notification and reporting requirements of PICs under the Data Privacy Act of 2012 (DPA),2 strengthening the monitoring of threats and vulnerabilities affecting personal data protection and providing PICs and personal information processors (PIPs) with ways of demonstrating the implementation of appropriate security measures, including a breach management program. The NPC clarified that the guidelines are applicable to all PICs and PIPs in the public and private sector, which are processing personal data within and outside the Philippines.
Mandatory Breach Notification
Compliance by PICs of the notification obligations for personal data breaches continue to be governed by the DPA’s Implementing Rules and Regulations (“IRR”)3 and NPC Circular 16-034 on Personal Data Breach Management. The Reporting Guidelines supplement said regulations by providing PICs with the NPC’s recommended templates or formats of the notices to be sent to the NPC and affected data subjects within 72 hours from discovery of the breach.
Under the Reporting Guidelines, PIPs must perform the following acts in case of a personal data breach affecting processing systems being operated for a PIC:
1. Document the data breach and provide a personal data breach report to the PIC;
2. Include the data breach in its annual report to the NPC; and
3. Furnish to the NPC, upon request, a copy of the personal data breach report and of the notification of the PIC.
Annual Security Incident Report
All PICs and PIPs are required to document and provide an annual report to the NPC on the following matters:
1. Personal data breaches covered by the mandatory notification requirements;
2. Personal data breaches not covered by the mandatory notification requirements;
3. All security incidents, whether involving personal data or otherwise.
The recommended template of the annual report, which should be submitted to the NPC before 31 March 2018, and annually thereafter, is also included in the Guidelines. For security incidents, an aggregated summary of attack vectors5 are required to be stated in the annual report.
PICS and PIPs are advised to maintain records of the documentation of and reports on data breaches and security incidents for six (6) years, unless otherwise directed by the NPC.
Actions to Consider
Clients are urged to collate and prepare the information required for the annual security incident report, to be submitted to the NPC by the 31 March 2018 deadline. According to Atty. Francis Acero, Chief of the NPC’s Complaints and Investigations Division, PICs and PIPs who fail to timely file the annual report may be subjected to intrusive and expansive compliance checks. He added that in case of a personal data breach, the erring PIC or PIP may be presumed by the NPC to have failed to implement the required security measures for the protection of the confidentiality, integrity, and availability of personal information.
1 NPC sets March deadline for submission of 2017 Annual Security Incident Report of personal information controllers.
2 Sections 20(c) and 20(f)
3 Rule IX, IRR.
5 Attack vectors listed by the NPC are denial of service, compromised information (does not involve personal data), compromised asset, unlawful activity,
internal hacking, external hacking, malware, email, policy violations, and others.