Bautista found criminally liable for ‘Comeleaks’
COMMISSION on Elections (Comelec) Chairman Andres D. Bautista is criminally liable for his “gross negligence” in the so-called “Comeleak” of the voter database a few months before the May 2016 general elections, the National Privacy Commission (NPC) said in a 35-page decision dated Dec. 28 last year and released Thursday.
Mr. Bautista, that afternoon, said in a news conference and in a statement that the NPC’s findings were “based on misappreciation of facts, legal points and material contexts.”
The NPC cited the Comelec chief for violation of several provisions in Republic Act No. 10173 or the Data Privacy Act of 2012, in connection with what the commission called “the worst recorded breach on a government-held database in the world,” which took place between March 20 and 27 last year.
To recall, several Comelec databases were breached in March last year, including the voter database in the Precinct Finder Web application that contained more than 75 million records of personal information.
Paul Loui Z. Biteng, a fresh graduate of information technology, was arrested by the National Bureau of Investigation (NBI) on April 20 for defacing the Comelec Web site. On April 25, the Manila Prosecutor’s Office found probable cause to indict Mr. Biteng for allegedly violating the Cybercrime Prevention Act of 2012.
A second suspect, Jonel de Asis, was nabbed by the NBI on April 28.
“Comelec could have embedded privacy in the design of its data processing systems, but it missed the opportunity to do so because the head of agency denies any responsibility in complying with the law, even implying that this duty begins only when prompted by subordinate officers,” the decision read in part, adding:
“The willful and intentional disregard of his duties as head of agency, which he should know or ought to know, is tantamount to gross negligence. The lack of a clear data governance policy, particularly in collecting and further processing of personal data, unnecessarily exposed personal and sensitive information of millions of Filipinos to unlawful access.”
Under section 26 of the law, the penalty for accessing personal information and sensitive personal information due to negligence is one to three years of imprisonment and a fine of P500,000 to P2 million.
Section 36 of the same law metes out an additional penalty for a public officer of disqualification from public office “for a term double the term of criminal penalty.”
The NPC has ordered Mr. Bautista and the Comelec to comply with such corrective measures as the appointment of a data protection officer, an agency-wide privacy impact assessment within two months, and implementation of security policies in line with the Implementing Rules and Regulations of the Data Privacy Act and the provisions of NPC Circular No. 16-01, on Security of Personal Data in Government Agencies.
The NPC has also recommended to Justice Secretary Vitaliano N. Aguirre II that his agency look into possible violations under the Cybercrime Prevention Act, especially since one of the computers used in the data breach had an IP address registered with the NBI.