Q&A (NPC ADVISORY NO. 18-01)
The Guidelines are underpinned by the constitutional right to privacy, including information privacy, and the State's duty to value the dignity of every human person and guarantee full respect for human rights as stated in Article II, Section 11 of the 1987 Philippine Constitution.
Sections 20(c) and 20(f) of the Data Privacy Act of 2012 are referenced. Section 20(c) mandates implementation of security measures and safeguards, while Section 20(f) requires prompt notification to the National Privacy Commission and affected data subjects upon a personal data breach.
All Personal Information Controllers (PICs) and Personal Information Processors (PIPs), including entities that act as both PIC and PIP, are required to submit these reports to the National Privacy Commission.
Non-submission of these reports creates a presumption that no security incident or personal data breach occurred during the covered period.
The Guidelines apply to all natural or juridical persons and any other body in the government or private sector engaged in personal data processing within or outside of the Philippines, subject to the Data Privacy Act of 2012 and NPC issuances.
The Advisory provides templates for: 1) Annual security incident reports for PICs and PIPs; 2) Mandatory notification of personal data breaches to the NPC and data subjects; and 3) Security incident reports to be kept on the premises of PICs or PIPs.
The purpose is to ensure compliance with Sections 20(c) and 20(f) of the Data Privacy Act and to strengthen monitoring of threats and vulnerabilities to personal data protection towards privacy resilience in the Philippines.
Under Section 22 of NPC Circular 16-03, PICs and PIPs are required to submit summary reports of security incidents and personal data breaches.
The definitions follow those in NPC Circular 16-03; broadly, a security incident is any event that compromises information assets, while a personal data breach involves unauthorized acquisition, access, or disclosure of sensitive personal information or other personal data.
PICs and PIPs must implement security measures, identify vulnerabilities, take corrective actions against security incidents, monitor for breaches, report security incidents and breaches to the NPC using prescribed templates, and notify affected data subjects as required.