
The National Privacy Commission issued Circular No. 2023-06, which provides for the updated requirements for the security of personal data processed by a personal information controller or personal information processor.

In brief

The Data Privacy Act (DPA) provides that a personal information controller (PIC) must implement reasonable and appropriate organizational, physical and technical measures intended for the protection of personal information against accidental or unlawful destruction, alteration and disclosure, as well as against any other unlawful processing. The PIC shall also protect personal information against natural dangers and human dangers. For this purpose, the National Privacy Commission (NPC) recently issued NPC Circular No. 2023-06 (“Circular”), which sets out the updated minimum requirements for the security of personal data.


Clients are advised to review their privacy and data protection policies for compliance with the security requirements under the Circular.

The Circular took effect on 30 March 2024, and gives PICs and personal information processors (PIPs) until 30 March 2025 to comply with the requirements. Noncompliance with the Circular may result in the issuance of enforcement orders, cease and desist orders, temporary or permanent ban on the processing of personal data, or payment of fines against the PIC or PIP. Moreover, criminal, civil and administrative liabilities, as well as disciplinary sanctions, may be imposed against any erring officer or employee of the PIC or PIP for failure to comply with the Circular.

In more detail

The Circular applies to all natural or juridical persons engaged in the processing of personal data within and outside of the Philippines, subject to the applicable provisions of the DPA, its Implementing Rules and Regulations, and other relevant NPC issuances (collectively, “data privacy regulations”).

The following are the minimum requirements for security of personal data:

General obligations of a PIC or PIP

  1. Designate and register its Data Protection Officer (DPO) with the NPC in accordance with data privacy regulations
  2. Register its Data Processing Systems with the NPC in accordance with data privacy regulations
  3. Create an inventory of all its data processing systems and activities
  4. Conduct a Privacy Impact Assessment (PIA) on the processing of personal data and update the same as necessary
  5. Set a Privacy Management Program
  6. Periodically train employees, agents, personnel or representatives on privacy and data protection compliance
  7. Comply with the NPC’s order when its privacy and data protection policies are subject to review and assessment

Privacy Impact Assessment

The Circular provides that a PIA should be undertaken for every processing system that involves personal data. It specifically requires a PIA to be conducted on Off-The-Shelf Software, solutions, or data processing systems. Risks identified in the PIA must be addressed by a Control Framework that must be compliant with the provisions of the Circular.

“Control Framework” refers to a comprehensive enumeration of the controls intended to address the risks, including organizational, physical and technical measures to maintain the availability, integrity and confidentiality of personal data, and to protect it against natural dangers such as accidental loss or destruction and human dangers such as unlawful access, fraudulent misuse, unlawful destruction, alteration or contamination.

Privacy-By-Design and Privacy-By-Default

A PIC or PIP must consider the Privacy-By-Design and Privacy-By-Default principles in its processing activities, and enable Privacy-By-Default in its data processing systems without further action from data subjects.

“Privacy-by-Design” is an approach to the development and implementation of projects, programs and processes that integrates the safeguards necessary to protect and promote privacy into the design or structure of a processing activity or a data processing system. Meanwhile, “Privacy-by-Default” is defined under the Circular as the principle according to which the PIC/PIP ensures that only data necessary for each specific purpose of processing is processed by default, without the intervention of the data subject.

Personal data storage

Personal data must be stored in a form that permits the identification of data subjects for only as long as necessary for the specific purpose for which it was initially processed. Moreover, the PIC should establish a Retention Policy, which must be periodically reviewed and made known to the data subjects.

Each PIC or PIP should issue and enforce a Password Policy for passwords used to access personal data.

Access to personal data

Personal data stored in databases must only be accessed or modified using authorized software programs. A PIC or PIP shall implement an Access Control Policy and ensure that access to personal data is strictly regulated by issuing a security clearance or its equivalent only to authorized personnel, which must be filed with the DPO.

“Access Control Policy” is a document or set of rules that defines how access to information is managed, including who may access specific information and under what circumstances.

An Acceptable Use Policy must also be issued regarding the use of information and communications technology. This refers to a document or set of rules stipulating controls or restrictions that personnel of a PIC or PIP must agree to for access to the network, facilities, equipment, or services of such PIC or PIP. Each user shall agree to the policy and sign the appropriate agreement before being allowed access to and use of the technology.

Secure authentication mechanisms (e.g., multifactor authentication or secure encrypted links) must be implemented when providing online access to sensitive personal information, privileged information and high volumes of personal data. Such user access rights and authentication mechanisms must be defined and controlled by a System Management Tool.

A PIC or PIP shall ensure that only known devices, properly configured to its security standards, are authorized to access personal data. The PIC or PIP shall also establish solutions that only allow authorized media to be used on its computer equipment.

Log records of personal data stored in any physical media, such as a paper-based filing system, must be maintained and updated. The log records must contain information on which file was accessed, including when, where and by whom, as well as indicate whether copies of the file were made.

Business continuity

A PIC or PIP must have a Business Continuity Plan to mitigate potential disruptive events. It must consider personal data backup, restoration and remedial time; periodic review and testing of the plan; and contact information and other business-critical matters.

Telecommuting policy

PICs or PIPs adopting telecommuting or other alternative work arrangements must set a policy on alternative work arrangements and communicate it to concerned stakeholders. The PIC or PIP shall consider security measures such as training on the limitations on use of company-issued devices, password management and security best practices in managing accounts and devices, and periodic trainings on data privacy and cybersecurity.

Transfer of personal data

A PIC or PIP that transfers personal data by email must ensure that the data is adequately protected and use secure transmission and reception of email messages, including attachments. Where appropriate, a PIC or PIP may utilize systems that scan outgoing emails and attachments for keywords that would indicate the presence of personal data and, if applicable, prevent its transmission.
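The outgoing-email scan described above, as an added illustration that is not part of the Circular or of the firm's alert: a small Python check that looks for personal-data keywords in the subject, body and attachment text of a message and blocks transmission only when at least one recipient is outside the organization's own domains. The keyword list, the internal domain set, the sample messages and the assumption that attachment text has already been extracted are all constructed for this example.

```python
import re
from dataclasses import dataclass, field

# Constructed keyword list standing in for an organisation's own indicators of
# personal data; a real deployment would derive it from its data inventory.
PERSONAL_DATA_KEYWORDS = (
    "date of birth",
    "home address",
    "passport number",
    "medical record",
    "sss number",
    "account number",
)

# One case-insensitive pattern with word boundaries, so a keyword cannot fire
# inside a longer, unrelated token.
_KEYWORD_RE = re.compile(
    r"\b(" + "|".join(re.escape(k) for k in PERSONAL_DATA_KEYWORDS) + r")\b",
    re.IGNORECASE,
)


@dataclass
class OutgoingMessage:
    sender: str
    recipients: list[str]
    subject: str
    body: str
    # filename -> text already extracted from the attachment (extraction itself
    # is assumed to happen upstream and is out of scope here)
    attachments: dict[str, str] = field(default_factory=dict)


@dataclass
class ScanResult:
    blocked: bool
    external_recipients: list[str]
    hits: list[tuple[str, str]]  # (where it was found, keyword matched, lower-cased)


def find_keywords(text: str, location: str) -> list[tuple[str, str]]:
    """Return (location, keyword) for every personal-data keyword found in text."""
    return [(location, m.group(1).lower()) for m in _KEYWORD_RE.finditer(text)]


def scan_outgoing(msg: OutgoingMessage, internal_domains: set[str]) -> ScanResult:
    """Scan subject, body and attachment text; block if personal-data keywords
    are present and at least one recipient is outside the internal domains."""
    hits = find_keywords(msg.subject, "subject")
    hits += find_keywords(msg.body, "body")
    for name, text in msg.attachments.items():
        hits += find_keywords(text, f"attachment:{name}")
    external = [
        r for r in msg.recipients
        if r.rsplit("@", 1)[-1].lower() not in internal_domains
    ]
    return ScanResult(blocked=bool(hits and external),
                      external_recipients=external, hits=hits)


# Constructed sample data (not real organisations, addresses or records).
INTERNAL_DOMAINS = {"example-pic.ph"}

SAMPLE_ATTACHMENT = "name,date of birth,home address\nJ. Doe,01/01/1990,12 Sample St"

SAMPLE_EXTERNAL = OutgoingMessage(
    sender="hr@example-pic.ph",
    recipients=["vendor@example-pip.com"],
    subject="Onboarding batch",
    body="Attached is the list for this month.",
    attachments={"onboarding.csv": SAMPLE_ATTACHMENT},
)
SAMPLE_INTERNAL = OutgoingMessage(
    sender="hr@example-pic.ph",
    recipients=["payroll@example-pic.ph"],
    subject="Onboarding batch",
    body="Attached is the list for this month.",
    attachments={"onboarding.csv": SAMPLE_ATTACHMENT},
)
SAMPLE_CLEAN = OutgoingMessage(
    sender="hr@example-pic.ph",
    recipients=["vendor@example-pip.com"],
    subject="Meeting",
    body="Shall we move Thursday's call to 3pm?",
)

if __name__ == "__main__":
    for label, m in (("external", SAMPLE_EXTERNAL),
                     ("internal", SAMPLE_INTERNAL),
                     ("clean", SAMPLE_CLEAN)):
        r = scan_outgoing(m, INTERNAL_DOMAINS)
        print(f"{label}: blocked={r.blocked} hits={r.hits}")
```

The scan reports keyword hits on internal-only mail as well, so the same output can feed the DPO's log records, while only the combination of a hit and an external recipient stops the message. Keyword matching is a coarse indicator; it complements, rather than replaces, the encryption and secure-transmission requirements stated above.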

Where transfer of personal data by removable or portable storage media, such as compact discs (CD), digital versatile discs (DVD) and universal serial bus (USB) flash drives, is unavoidable or necessary, the media used for the transfer shall be encrypted. Facsimile technology shall not be used for transmitting documents containing personal data.

A PIC and its PIP that transmit documents or media containing personal data by mail or post shall make use of registered mail or, where appropriate, guaranteed parcel post services and Private Express and/or Messengerial Delivery Service.

Data disposal and destruction policy

In establishing policies and procedures for disposal of personal data, a PIC or PIP shall take into account the retention period of data; jurisdiction-specific laws, regulations and existing contracts; identification of relevant de-identification, anonymization or deletion techniques; and required documentation before the deletion, de-identification, or anonymization of personal data.

A PIC or a PIP shall retain logs as long as deemed necessary and appropriate based on best practices and industry standards. Security logs that record information about authentication attempts and security incidents shall be retained for longer periods than general system logs. PICs shall implement backup and archive mechanisms for their logs.

Procedures must be established to ensure secure and proper disposal and destruction of personal data that would render further processing impossible.

Penalties

A violation of the provisions of the Circular may, upon notice and hearing, result in the issuance by the NPC of compliance and enforcement orders, cease and desist orders, temporary or permanent ban on the processing of personal data, or payment of fines against the PIC or PIP. Moreover, failure to comply with the Circular may result in criminal, civil and administrative liabilities, as well as disciplinary sanctions against any erring officer or employee of the PIC or PIP.

The Circular gives a PIC and PIP a transitory period of 12 months from the effectivity of the Circular or until 30 March 2025 to comply with the foregoing requirements.

Recommended action

Clients are advised to revisit and update their current organizational, physical and technical security measures intended for protection of personal data to ensure compliance with the foregoing requirements. Privacy and data protection policies must be aligned with the minimum security requirements under the Circular by the 30 March 2025 deadline.

Please feel free to reach out to Quisumbing Torres’ Intellectual Property, Data, and Technology Practice Group for assistance on these and other data privacy compliance matters.

Author

Bienvenido Marquez III is a partner in Quisumbing Torres' Intellectual Property, Data and Technology Practice Group. He also co-heads the Consumer Goods & Retail Industry Group and is a member of the Technology, Media & Telecommunications Group. He participates in initiatives of Baker & McKenzie International, of which Quisumbing Torres is a member firm. He is a member of Baker McKenzie's Asia Pacific Intellectual Property Business Unit for Brand Enforcement. He is the immediate Past President of the Philippine Chapter of the Licensing Executives Society International (2019-2021), and is currently co-chair of the LESI Asia Pacific. He is also a member of the Anti-Counterfeiting Committee of the International Trademarks Association (INTA). He has been appointed as a member of the INTA Asia Global Advisory Council (GAC) for 2022 to 2023, making him the only Philippine representative on the council.

Bien has vast experience in handling IP enforcement litigation, trademark and patent prosecution and maintenance, copyright, data privacy, information security, IT, telecommunications, e-commerce, electronic transactions, cyber security and cybercrime. He has been consistently ranked as a leading individual for Intellectual Property and TMT in Legal 500 Asia Pacific, Chambers Asia Pacific, asialaw Leading Lawyers, Managing IP Stars, Asia IP, and World Trademark Review. He was also recognized as a Volunteer Service Awardee by INTA in 2018.

Author

Divina Ilas-Panganiban, CIPM is a partner and the head of Quisumbing Torres’ Intellectual Property, Data and Technology Practice Group and co-heads the Technology, Media & Telecommunications (TMT) Industry Group. She participates in initiatives of Baker & McKenzie International, of which Quisumbing Torres is a member firm. She is a member of Baker & McKenzie International's Asia Pacific TMT and Asia Pacific Intellectual Property Steering Committees.

Divina is a Certified Information Privacy Manager by the International Association of Privacy Professionals (IAPP). She currently serves as the Vice-President and Director of the Philippine Chapter of the Licensing Executives Society International, the Regional Vice-chair of the LESI's Education Committee, the Co-chairperson of the Committee on Intellectual Property Rights of The American Chamber of Commerce of the Philippines, and the Chairperson of the IAPP KnowledgeNet Chapter for the Philippines.

Divina was recently appointed to be a member of the Advisory Council for Intellectual Property (ACIP) of the Intellectual Property Office of the Philippines (IPOPHL). The ACIP is an advisory board composed of a select group of people from different sectors to which IP is of great value. She was recently recognized in the Hall of Fame for Best External Lecturers by the IP Academy of the IPOPHL.

Divina just finished her stint as the chair of the Unreal Campaign of the International Trademarks Association (INTA) for East Asia and the Pacific and continues to organize anti-counterfeiting activities in schools and universities around the country, educating the youth about the importance of intellectual property protection.

Divina is a multi-awarded lawyer with a stellar track record in the IP, data and technology fields. She has garnered numerous awards and accolades, including the Woman Lawyer of the Year by the ALB Philippine Law Awards 2023. She has been cited as a leading lawyer for Intellectual Property and TMT by The Legal 500 Asia Pacific, Chambers Asia Pacific, Managing IP, World Trademark Review, Asialaw and IAM Patent 1000, among others. Known for her exceptional legal expertise and unwavering commitment to her clients, Divina has established herself as a leader in her profession.

Author

Berenice Joanna G. Dela Cruz is an associate in Quisumbing Torres. She works with various practice groups in the firm, including Corporate & Commercial/M&A, Dispute Resolution, Intellectual Property, Data and Technology, and Employment. Prior to joining the firm, she was a legal intern in the Office of the Solicitor General, where she assisted in research, preparation of pleadings, meetings with clients and court hearings. Berenice graduated cum laude from the University of the Philippines College of Law in 2022, and ranked 5th in her batch. She also received the Dean's Medal for Academic Excellence and commendations for her participation in several international moot court competitions. She was newly admitted to the Philippine bar in 2023.
