The five commandments of data privacy, according to NPC

In an age of information overload, especially in digital media, how can government agencies, private companies and even ordinary individuals protect data privacy and personal information?

The National Privacy Commission (NPC), which implements the Data Privacy Act of 2012, said simple and practical measures, coupled with adherence to the law, should be undertaken to avoid data breach. NPC commissioner Ramon Liboro said the data privacy act is a “21st century law addressing 21st century realities of crime in the digital age.”

The biggest case yet that landed on the lap of the NPC, which was constituted only last year, was the so-called “Comeleak,” the notorious 2016 hacking of the Commission on Elections (Comelec) website, which leaked the sensitive personal information of 55 million distinct voters.

“The sheer magnitude of the data involved really put us in a tester. By sheer volume alone, this practically involves everyone, not only Filipinos here but also abroad. This is the biggest breach of sensitive personal data on a database held by a government body,” Liboro told INQUIRER.net in an interview. The NPC ruled that Comelec Chair Andres Bautista committed gross negligence under the data privacy act and presented evidence to aid in his criminal prosecution.

To avoid data breaches, Liboro said the NPC expects government agencies and private firms to implement the following data privacy guidelines:

Rule #1: Appoint a data protection officer

Personal information controllers and processors are required to appoint or designate a data protection officer or compliance officer, who will be accountable for compliance with the applicable rules and regulations relating to data protection and privacy.

Rule #2: Know your risks: Conduct a privacy impact assessment

“You’ve got to realize the nature of the processes that you do, the attendant risks, and the threats. Identify vulnerabilities so we can institute proper organizational and technical security measures,” Liboro said.

Rule #3: Write your plan: Create your privacy management program

The program or security manual serves to align everyone in the organization in the same direction to facilitate compliance with the data privacy act and to mitigate the impact of a data breach.

Rule #4: Be accountable: Implement your privacy and data protection measures

The measures laid out in your privacy and data protection policies should not remain theoretical. They should be continuously assessed, reviewed and revised as necessary, while training must be regularly conducted.

Rule #5: Be prepared for breach: Regularly exercise your breach reporting procedures

Upon the discovery of a personal data breach, or reasonable suspicion of one, it is important to conduct an initial assessment of the breach, to mitigate its impact, and to notify both the affected data subjects and the NPC within 72 hours of discovery.

Liboro said the NPC anticipates that cybercrimes and cases of a similar nature will escalate, especially amid technological innovation, but noted that data privacy protection and preparedness should not be left in the hands of IT experts and geeks alone.

“It’s general awareness that data is valuable and it must be secured. These are very practical recommendations which won’t cost millions. You can actually jumpstart your privacy program with these simple steps,” he said.

“We as a citizenry must develop this culture of privacy and security which we can incorporate into our daily lives. Sometimes, measures which we call data hygiene could actually lower or mitigate this risk—from as simple as developing a strong password, using a two-factor authentication, and getting to know all these modus, etcetera,” he added.

For inquiries and complaints on data privacy, the NPC can be reached at info@privacy.gov.ph or through their social media pages. RAM
