Musings on new NPC Circular on Data Privacy Registration (1)
The Philippines’ leading government agency for data privacy protection, the National Privacy Commission, issued early this year NPC Circular No. 2022 — xxxx “Amending Certain Provisions of NPC Circular 17-01 on Registration of Data Processing Systems and Notifications Regarding Automated Decision-Making” which sought to replace NPC Circular 17-01.
The draft, if approved, aims to make it easy for personal information controllers, personal information processors, and individual professionals to comply with the registration requirement of the Data Privacy Act of 2012, especially if taken in conjunction with the new NPC Registration System.
In a consultative fashion, the NPC sought the comments of stakeholders on the draft and conducted a virtual public hearing to secure the public’s input on the exposure draft.
As borne by the regulatory impact statement issued by the Anti-Red Tape Authority on the draft circular, the amendment seeks to address the difficulty being experienced by personal information controllers or PICs and processors or PIPs to register with the NPC, resulting in the low number of registrants based on the data of the NPC Compliance and Monitoring Division.
Note that under Section 24 of the DPA, when entering into any contract that may involve accessing or requiring sensitive personal information from at least 1,000 individuals, a government agency shall require the contractor and its employees to register its personal information processing system with the NPC in accordance with the DPA and to comply with the law’s provisions. Furthermore, Section 14 of the DPA mandates that PIPs shall also comply with all requirements of the DPA and other applicable laws.
In line with Sections 46 and 47 of the DPA IRR, a PIC or PIP that employs fewer than 250 persons shall not be required to register unless the processing it carries out is likely to pose a risk to the rights and freedoms of data subjects, is not occasional or includes sensitive personal information of at least 1,000 individuals.
Moreover, Section 48 thereof declares that a PIC carrying out any automated processing operation that is intended to serve single or several related purposes must notify the NPC when the operation becomes the sole basis for making decisions about a data subject, and when such decision would significantly affect the data subject.
The amendment seeks to provide clarity on the rules for registration vis- à-vis the changes in the registration system. Under the new proposed system, eRehistro, the NPC will seek to leverage updates in technology to replace the manual registration system.
Under the proposed regulation, a
PIC or PIP shall create an account by signing up on the NPC’s official registration platform where it shall provide details about the entity together with a unique and dedicated email address, specific to the position of DPO. The prescribed application form shall be accomplished and shall be uploaded together with all supporting documents (e.g., duly notarized Secretary’s Certificate authorizing the appointment or designation of DPO, SEC Certificate of Registration, certified true copy of latest General Information Sheet, and valid business permit.) The details of all data processing systems owned by the PICorPIPaswellasall publicly facing online mobile or web-based applications must also be registered in the platform. Once submitted, the entries of the PIC or PIP shall undergo review and validation by the NPC. The PIC or PIP shall be given five days to submit the necessary requirements if deficient. Once the submissions have been validated and considered complete, the PIC or PIP shall be informed that the Certificate of Registration is available for download. (To be continued)
“
As borne by the regulatory impact statement issued by the Anti-Red Tape Authority on the draft circular, the amendment seeks to address the difficulty being experienced by personal information controllers and processors.