NPC Advisory on Data Breach Report Guidelines

Ask AI

NPC ADVISORY NO. 18-01: NPC Advisory on Data Breach Report Guidelines

Getting related questions...
What do you want to know about the law?
Your conversations and searches stay on your device. We do not store or track your activity on our servers. To know more about our privacy commitment see jur.ph/privacy Ask AI provides quick answers grounded in full case texts to avoid mistakes. Always verify with the original text.

Ask AI

Title Supreme Court: NPC Advisory on Data Breach Report Guidelines

Law: Npc Advisory No. 18-01

Decision Date: Jun 21, 2018

The National Privacy Commission mandates that all entities processing personal data implement security measures and report security incidents and data breaches using specified templates to ensure compliance with the Data Privacy Act and protect individuals' privacy rights.

security incident

A

Security Measures and Monitoring Requirements

Section 20(c) of the Data Privacy Act requires safeguards for computer networks.
Organizations must identify and mitigate foreseeable vulnerabilities.
Continuous monitoring for security breaches is required.

Notification Obligations Regarding Data Breaches

Section 20(f) mandates prompt notification to the National Privacy Commission (NPC) and affected data subjects.
Notifications apply when sensitive personal information is compromised by unauthorized persons.
Notification aims to mitigate risks of serious harm such as identity fraud.

Reporting Requirements and Compliance

NPC Circular 16-03 Section 22 requires Personal Information Controllers (PICs) and Personal Information Processors (PIPs) to submit reports.
Reports summarize all security incidents and personal data breaches.
This enhances privacy resilience and threat monitoring nationally.

Scope of the Advisory

Applies to all individuals and entities, both natural and juridical, in government or private sectors.
Covers data processing activities within and outside the Philippines.
Subject to the Data Privacy Act, its implementing rules, and NPC issuances.

Definitions

Uses terms defined under NPC Circular 16-03.

Reporting Templates Provided

Annual Security Incident Reports for both PICs and PIPs.
Mandatory notification templates for NPC and affected data subjects regarding personal data breaches.
Security incident reports maintained on-site by PICs or PIPs.

Presumption of Occurrence Based on Non-Submission

Failure to submit Annual Security Incident and Personal Data Breach Reports creates presumption that no such incidents occurred during the report period.

Key Annexes Referenced

Annex A: Summary Reports for PICs.
Annex B: Summary Reports for PIPs.
Annex C: Mandatory Notification for NPC.
Annex D: Mandatory Notification for Data Subjects.
Annex E, F, G: Additional security incident reports related to personal data breaches and highly confidential information.

Approval and Authority

Issued and approved by the NPC Privacy Commissioner and Deputy Commissioners, establishing its authoritative effect.

END