Title: NPC Advisory on Data Breach Report Guidelines
Law: NPC Advisory No. 18-01
Decision Date: Jun 21, 2018
The National Privacy Commission mandates that all entities processing personal data implement security measures and report security incidents and data breaches using specified templates to ensure compliance with the Data Privacy Act and protect individuals' privacy rights.

Questions (NPC ADVISORY NO. 18-01)

NPC Advisory No. 18-01 cites Section 20(c) of the Data Privacy Act of 2012, which requires personal information controllers/processors to implement security measures, including safeguards to protect computer networks, a process for identifying and accessing reasonably foreseeable vulnerabilities, and preventive, corrective, and mitigating actions against security incidents, including regular monitoring for security breaches.

Mandatory notification is required when sensitive personal information or other information that may be used to enable identity fraud is reasonably believed to have been acquired by an unauthorized person, and such acquisition may likely give rise to a real risk of serious harm to affected data subjects.

Its purpose is to provide guidelines and templates for security incident and personal data breach reportorial requirements to ensure compliance with Section 20(c) and 20(f) of the Data Privacy Act of 2012, and to strengthen monitoring toward privacy resilience.

It applies to all natural or juridical persons and any other body in government or private sector engaged in processing personal data within and outside the Philippines, subject to the Data Privacy Act of 2012, its IRR, and other relevant NPC issuances.

Section 2 states that the advisory shall refer to the definition of terms under NPC Circular 16-03.

Section 3 provides templates for: (1) annual security incident reports to be submitted by PICs and PIPs (with the condition that entities that are both submit both), (2) mandatory notification for NPC and data subjects for certain personal data breaches, and (3) security incident reports to be kept on the premises of the PIC or PIP.

The advisory states that entities that are both PICs and PIPs shall submit both reports to the NPC.

The advisory requires submission of a summary of all reports of security incidents and personal data breaches, consistent with Section 22 of NPC Circular 16-03, and it provides annexed templates for those summaries.

Section 3(3) provides that security incident reports must be kept on the premises of the personal information controller or personal information processor.

Section 4 states that non-submission of the required Annual Security Incident and Personal Data Breach Reports shall create the presumption that no such security incident or personal data breach occurred during the covered period.

The advisory creates a presumption (i.e., a default inference) that no incident occurred during the covered period when required reports are not submitted; in legal analysis, it means the party may face the burden to rebut the presumption if contrary evidence exists.

The advisory covers two reporting requirements. First, mandatory notification for personal data breach events that meet the Data Privacy Act’s mandatory notification triggers (notification to the NPC and affected data subjects). Second, summary annual reportorial requirements (templates for PICs and PIPs) for security incidents and personal data breaches.

The advisory references annexes for: (a) PIC annual summary (Annex A), (b) PIP annual summary (Annex B), (c) mandatory notification to the NPC (Annex C), (d) mandatory notification to data subjects (Annex D), (e) security incident/personal data breach summaries not covered by mandatory notification requirements (Annex E), (f) security incidents involving processing on behalf of PICs amounting to breaches (Annex F), and (g) summaries of highly confidential information (Annex G).

Section 20(c) concerns implementing security measures and monitoring to prevent or mitigate breaches, while Section 20(f) concerns prompt notification when specific breach triggers occur; the advisory therefore aligns its reporting obligations with both the prevention/mitigation duty and the notification duty.

The objective is to strengthen monitoring of threats and vulnerabilities that may affect personal data protection and to ensure privacy resilience by standardizing how PICs and PIPs summarize and report incidents and breaches to the NPC.
