DATA PROTECTION. National Privacy Commission Complaints and Investigation Division Officer Mubarak Pangandaman discusses with regional executives of government agencies in Central Visayas breach management in cases of security incidents, during the Data Privacy Regional Summit at the Waterfront Hotel in Lahug, Cebu City, Dec. 11, 2018. (Photo by John Rey Saavedra)


CEBU CITY – The National Privacy Commission (NPC) is monitoring compliance with the policy mandating critical sectors to register data processing systems of personal information controllers (PICs) and personal information processors (PIPs).

Lawyer Ivy Grace Villasoto of the commission’s Privacy Policy Office on Tuesday spoke before regional executives from different government agencies in Central Visayas during the Data Privacy Regional Summit in Waterfront Hotel Lahug in Cebu City. The summit was sponsored by the NPC, in partnership with the Department of Information and Communications (DICT).

She said the NPC has registered around 22,000 data privacy officers (DPOs) who are from both the government and private sector.

Although the number of DPOs from the government is not readily available as of this writing, Villasoto said government offices have been complying with the law on data protection.

She said the NPC is constantly coordinating with government offices to ensure compliance with Republic Act 10173 or the Data Privacy Act of 2012 and implementing circulars issued by the commission.

The commission has in fact proposed a tripartite agreement with critical sectors like bank associations to ensure compliance with the data protection law.

The privacy policy officer of the NPC told the Philippine News Agency in an interview that the commission has been consulting with the Bangko Sentral ng Pilipinas (BSP), Securities and Exchange Commission (SEC), the Department of Justice (DOJ), and the Anti-Cybercrime Division of the National Bureau of Investigation (NBI) in implementing data privacy policies to critical sectors.

Villasoto told the summit participants that the Data Privacy Act of 2012 is an omnibus law which is applicable to both private and public entities. “As long as these entities process personal information in the Philippines, they are covered by the law,” she said, adding that the law has an “extraterritorial application.”

“It must be clarified that juridical entities are not data subjects,” which means they are not covered by the law,” she said.

On July 31 last year, the NPC issued Circular 17-01 requiring organizations that have at least 250 workers or those that process data involving sensitive personal information of 1,000 or more individuals to register their data processing systems with the commission.

Lawyer Regine Noelle Ignacio of the commission’s Compliance and Monitoring Division told the summit participants that aside from registering, these organizations are also required to appoint a data protection officer and conduct a privacy impact assessment even prior to adoption of a project, collection of new information, or programs.

A privacy manual and implementing privacy and data protection measures are also needed to be complied with, Ignacio said, adding that it is also important that organizations exercise breach reporting procedures when security incidents occur which tend to affect data protection or possible compromise of availability, integrity, and confidentiality.

Mubarak Pangandaman of the commission’s Complaints and Investigation Division told the summit participants that organizations are required to regularly report security incidents.

The NPC has already conducted at least 20 data protection summits in different regions of the country. (PNA)