CEBU CITY – The National Privacy Commission (NPC) is monitoring compliance with the policy mandating critical sectors to register data processing systems of personal information controllers (PICs) and personal information processors (PIPs).
She said the NPC has registered around 22,000 data privacy officers (DPOs) who are from both the government and private sector.
Although the number of DPOs from the government is not readily available as of this writing, Villasoto said government offices have been complying with the law on data protection.
She said the NPC is constantly coordinating with government offices to ensure compliance with Republic Act 10173 or the Data Privacy Act of 2012 and implementing circulars issued by the commission.
The commission has in fact proposed a tripartite agreement with critical sectors like bank associations to ensure compliance with the data protection law.
Villasoto told the summit participants that the Data Privacy Act of 2012 is an omnibus law which is applicable to both private and public entities. “As long as these entities process personal information in the Philippines, they are covered by the law,” she said, adding that the law has an “extraterritorial application.”
“It must be clarified that juridical entities are not data subjects,” which means they are not covered by the law,” she said.
On July 31 last year, the NPC issued Circular 17-01 requiring organizations that have at least 250 workers or those that process data involving sensitive personal information of 1,000 or more individuals to register their data processing systems with the commission.
Lawyer Regine Noelle Ignacio of the commission’s Compliance and Monitoring Division told the summit participants that aside from registering, these organizations are also required to appoint a data protection officer and conduct a privacy impact assessment even prior to adoption of a project, collection of new information, or programs.
A privacy manual and implementing privacy and data protection measures are also needed to be complied with, Ignacio said, adding that it is also important that organizations exercise breach reporting procedures when security incidents occur which tend to affect data protection or possible compromise of availability, integrity, and confidentiality.
Mubarak Pangandaman of the commission’s Complaints and Investigation Division told the summit participants that organizations are required to regularly report security incidents.
The NPC has already conducted at least 20 data protection summits in different regions of the country. (PNA)