NPC issues filing deadline reminder
PERSONAL information controllers (PICs) in the country have until March 31, 2018 to submit their 2017Annual Security Incident Report to the National Privacy Commission (NPC), the agency said.
Under Philippine data privacy laws, a PIC is a person or organization, both public and private, that controls the collection, holding, processing or use of personal information.
It also refers to a person or organization instructing another to collect, hold, process, use, transfer or disclose personal information on his, her or its behalf.
NPC said the law requires all PICs to submit the annual report, even if they don’t register with the commission.
The report should contain information on security incidents affecting personal data under a PIC’s control, including the number of such incidents in a year.
Under NPC’s various circulars, PICs must document unfavorable events that affected the availability, integrity or confidentiality of personal data, even if these were unsuccessful.
These events are defined as security incidents under Philippine data privacy laws.
NPC noted that if a PIC’s information security team stopped a severe attack on a database containing personal information on time, that should also be included in the report.
An unauthorized alteration in a database that alters an individual’s personal records, to his or her detriment, should also be included.
“In contrast, a cyberattack that successfully uncovers industrial secrets that do not involve the processing of personal data is not considered a security incident under Philippine data privacy laws,” NPC said. He adding that that doesn’t need to be included in the report.
Privacy Commissioner and Chairman Raymund Enriquez Liboro said the deadline is meant to give PICs ample time to prepare a complete report.
“We want to give PICs ample opportunity to audit their privacy program and improve their organization’s efficiency in the way they manage their security incidents. These reports are an essential signpost of any PIC’s commitment to protecting the personal data of its customers and employees.” Liboro said.
“When properly collated, the data becomes an invaluable management resource that enables a PIC to assess its reaction time for every crucial event,” he added.