NPC Advisory on Data Breach Report Guidelines
Law: NPC Advisory No. 18-01
Decision Date: Jun 21, 2018
The National Privacy Commission mandates that all entities processing personal data implement security measures and report security incidents and data breaches using specified templates to ensure compliance with the Data Privacy Act and protect individuals' privacy rights.

Legal basis and constitutional anchor

  • The Advisory is anchored on the constitutional protection of privacy and human dignity, including information privacy.
  • The Advisory is tied to Section 20(c) of Republic Act No. 10173 (Data Privacy Act of 2012), which requires implementation of security measures and safeguards for computer networks, including preventive, corrective, and mitigating action against security incidents that can lead to a security breach.
  • The Advisory is tied to Section 20(f) of Republic Act No. 10173 (Data Privacy Act of 2012), which requires prompt notification of the National Privacy Commission and affected data subjects when personal data involved in a breach is reasonably believed to have been acquired by an unauthorized person and the acquisition is likely to give rise to a real risk of serious harm.
  • The Advisory connects with Section 22 of NPC Circular No. 16-03, which requires submission to the Commission of a summary of all reports of security incidents and personal data breaches.

Policy purpose and reporting objective

  • The Advisory is issued to ensure compliance with Section 20(c) and Section 20(f) of the Data Privacy Act of 2012.
  • The Advisory is issued to strengthen monitoring of threats and vulnerabilities affecting personal data protection.
  • The Advisory seeks privacy resilience in the country by standardizing reportorial formats for security incidents and personal data breaches.
  • The Advisory requires reporting templates to guide Personal Information Controllers and Personal Information Processors in Commission submissions and notifications.

Scope and who must comply

  • The Advisory applies to all natural or juridical persons, or any other body in the government or private sector engaged in processing personal data within and outside of the Philippines.
  • Compliance applies to covered entities subject to the Data Privacy Act of 2012, its implementing rules and regulations, and other relevant issuances of the National Privacy Commission.
  • The Advisory applies through reportorial requirements tied to security incidents and personal data breaches.
  • Reporting requirements apply to entities acting as Personal Information Controllers (PICs) and Personal Information Processors (PIPs).

Definitions adopted by reference

  • The Advisory uses the definitions of terms under NPC Circular No. 16-03.
  • The meaning of defined terms for purposes of reporting under this Advisory follows NPC Circular No. 16-03 without independent restatement.

Required report templates and submissions

  • The Advisory provides recommended templates for reporting security incidents and personal data breaches to the National Privacy Commission.
  • The Advisory provides an Annual Security Incident Report submission template for PICs and PIPs to the National Privacy Commission.
  • Entities that are both PICs and PIPs must submit both annual reports to the National Privacy Commission.
  • The Advisory provides a template for mandatory notification to the National Privacy Commission and to data subjects for personal data breach events that trigger mandatory notification under the Data Privacy Act of 2012.
  • The Advisory provides reporting templates for security incident reports that must be kept on the premises of the personal information controller or personal information processor.

Annual and incident summary templates (NPC Annexes)

  • The Advisory includes an annex for an annual summary report for PICs, titled “Annex A – Summary of Annual Security Incident and Personal Data Breach Reports for PICs.”
  • The Advisory includes an annex for an annual summary report for PIPs, titled “Annex B – Summary of Annual Security Incident and Personal Data Breach Reports for PIPs.”
  • The Advisory includes an annex for mandatory notification to the National Privacy Commission, titled “Annex C – Mandatory Notification: Personal Data Breach for National Privacy Commission.”
  • The Advisory includes an annex for mandatory notification to data subjects, titled “Annex D – Mandatory Notification: Personal Data Breach for Data Subjects.”
  • The Advisory includes a template for a summary report by PICs of security incidents amounting to a personal data breach not covered by mandatory notification requirements, titled “Annex E – Summary Report by PICs of Security Incidents Amounting to a Personal Data Breach not covered by mandatory notification requirements.”
  • The Advisory includes a template for a summary report by PIPs of security incidents involving personal data processing on behalf of PICs amounting to a personal data breach, titled “Annex F – Summary Report by PIPs of Security Incidents Involving Personal Data Processing on Behalf of Personal Information Controllers Amounting to a Personal Data Breach.”
  • The Advisory includes a template for a summary report of highly confidential information, titled “Annex G – Summary Report of Highly Confidential Information.”

Mandatory-notification report templates

  • Mandatory notification reporting applies to personal data breach events that have mandatory notification requirements under the Data Privacy Act of 2012.
  • Mandatory notification requires both:
    • notification of the National Privacy Commission, and
    • notification of data subjects.
  • The Advisory provides separate recommended templates for mandatory notification to the National Privacy Commission and to data subjects.

Presumption for non-submission

  • The Advisory establishes a presumption that no security incident or personal data breach occurred during the covered period if the required Annual Security Incident and Personal Data Breach Reports are not submitted.
  • The presumption applies for failure to submit the Annual Security Incident and Personal Data Breach Reports required under the reporting framework tied to NPC Circular No. 16-03.

Adoption and signatories

  • The Advisory is approved and signed by the Deputy Privacy Commissioner, Policies and Planning.
  • The Advisory is approved and signed by the Deputy Privacy Commissioner, Data Processing Systems.
  • The Advisory is approved and signed by the Privacy Commissioner.
