Balancing Progress and Privacy in the NPC’s Guidance on the Unified PWD ID System

National Privacy Commission’s Advisory Opinion No. 2025-007[1]

by: Atty. Charisa Belista-Tan and Isabelle R. Gonzales | 24 November 2025

The Philippine government is moving towards a modern, unified identification system for Persons with Disabilities (PWDs), a crucial step aimed at enhancing service delivery and preventing fraud. This initiative, driven by Republic Act No. 10754 or the Act Expanding the Benefits and Privileges of Persons with Disability,[2] seeks to replace disparate and often insecure PWD IDs with a single, reliable credential, available in both physical and digital formats. It signals a nation moving toward efficiency, uniformity, and inclusion, finally recognizing that fragmented systems and paper-based records no longer serve the people who need services most.

A key feature of this proposed system is the collection and use of biometric data, such as fingerprints and facial scans, to enhance the process of verifying the identity of PWDs availing of their benefits. While this technological leap promises greater efficiency and security, it also raises significant data privacy concerns.

In a detailed response to these concerns, the National Privacy Commission (NPC, or the Commission) has issued Advisory Opinion No. 2025-007, providing a legal framework that balances the government's public service mandate with its fundamental duty to protect personal information of citizens.

A Special Class of Identification

One of the first questions addressed by the NPC was whether the minimum requirements and standards on the issuance of identification cards containing personal data prescribed under NPC Circular 2023-03,[3] apply to the new Unified PWD ID. The Commission answered that it likely does not. The rationale lies in an important exclusion within the Circular itself. Section 1 of the Circular explicitly exempts ID cards issued by government agencies as part of their specific regulatory mandate. This category includes essential documents like driver's licenses and passports, where the personal data displayed is integral to the issuing agency's regulatory or statutory mandate.

The NPC explained that the Unified PWD ID falls squarely into this category. It is not a general-purpose ID, but a specific tool issued under Republic Act No. 10754 to facilitate the delivery of benefits and privileges to PWDs. Therefore, its issuance is considered a direct exercise of a government agency's regulatory and statutory duties.

However, the Commission is quick to draw a critical distinction. While the issuance of the ID card itself may be excluded from the specific rules of NPC Circular 2023-03, the entire system supporting it remains firmly under the purview of the Data Privacy Act of 2012 (DPA), its Implementing Rules and Regulations, and other relevant issuances of the Commission. This means that every step—from the initial collection of a PWD's personal data, including personal and sensitive personal information, to its storage, use, and eventual disposal—must adhere to the foundational principles of the DPA. These non-negotiable principles include transparency, legitimate purpose, and proportionality, mandating the implementation of robust organizational, physical, and technical security measures to safeguard the data.

Navigating the Rules for Biometric Data

The plan to use fingerprints and facial scans brings biometric data into the spotlight. Biometric identifiers (e.g., facial scan, fingerprints) are treated as personal information under NPC Advisory Opinion No. 2017-063.[4] While the NPC has not yet released specific, standalone guidelines dedicated solely to biometric data, its collection and processing must find lawful basis under the existing DPA and its IRR.

Encouragingly, the NPC doesn’t shut the door on technology. The NPC actively urges stakeholders, such as the Department of Social Welfare and Development (DSWD), to help shape future biometric policies. This collaborative approach aims to ensure that future guidelines are practical and ethical in addressing the pressing concerns associated with this sensitive technology. Until such guidelines are finalized, all entities processing biometrics must operate strictly within the framework of the DPA.

Public Authority Exemption: A License with Strict Conditions

The central question is whether the DSWD is legally permitted to process PWDs’ biometric data for identity verification. The NPC confirms that this is likely permissible under a key provision of the DPA: the public authority exemption found in Section 4(e).[5]

This section states that the DPA's provisions do not apply when personal information processing is necessary for a public authority to carry out its constitutionally and statutorily mandated functions. Thus, the government is legally bound to identify legitimate beneficiaries and prevent fraud. Biometric verification, therefore, can be justified as a means to an end, but only within strict bounds.

In this case, Republic Act No. 10754 mandates the government to effectively implement benefits for PWDs, which includes preventing fraud and ensuring services reach their intended recipients. The NPC views the collection of biometric data as a potentially essential tool for fulfilling said mandate. Consequently, this specific processing activity may be considered exempt from certain DPA requirements, allowing the DSWD to proceed.

However, the NPC strongly emphasizes that this exemption is not a blank check. It does not remove the government's profound responsibility to protect the data it collects. The Commission makes it clear that applying data protection principles remains a matter of "good practice and accountability". To that end, the advisory opinion outlines four mandatory safeguards that the DSWD must implement if it chooses to process biometric data:

·       Adequate Security Measures: The DSWD must establish and maintain comprehensive technical, organizational, and physical security measures. This involves everything from encrypting the data to controlling physical access to servers and training personnel on data protection protocols to prevent any unauthorized access, use, or disclosure.

·       Transparency with Data Subjects: PWDs must be fully informed about how their data is being used. This requires clear, accessible privacy notices that detail the exact purpose of the data collection, its scope, and how long it will be stored.

·       Proactive Risk Assessment: Before the system goes live, a Privacy Impact Assessment (PIA) must be conducted. A PIA is a systematic process for identifying and mitigating potential privacy risks associated with a project. This proactive step ensures that privacy is built into the system's design from the very beginning, rather than being an afterthought.

·       Strict Data Retention Limits: The biometric data can only be retained for as long as it is necessary to achieve the specific, declared purpose of verifying PWD identities for benefit availment. Once that purpose is fulfilled, the data must be securely disposed of.

A Framework for Responsible Innovation

The NPC’s opinion on the Unified PWD ID System is more than just a legal advisory. It is a moral compass for a digitalizing government. It reminds us that progress is not defined by how fast we collect data, but by how carefully we protect it. It affirms the government's authority to use modern tools like biometrics to perform its duties, but it firmly anchors that authority in the principles of accountability and data protection. By exempting the system from one specific circular but holding it accountable to the broader Data Privacy Act, and conditioning the use of biometrics on the implementation of strict safeguards, the NPC has established a robust framework for responsible innovation. This opinion serves as a vital guide not only for the DSWD but for all government agencies seeking to leverage technology to serve the public, reminding them that progress and privacy must always go hand in hand.

Because in a democracy, progress and privacy are not enemies. They are partners in trust.

[1] National Privacy Commission. (2025). NPC Advisory Opinion No. 2025-007.

[2] National Council on Disability Affairs. (2016). Implementing Rules and Regulations (IRR) of RA 10754 'An Act Expanding the Benefits and Privileges of Persons with Disability (PWD). https://ncda.gov.ph/disability-laws/implementing-rules-and-regulations-irr/irr-of-ra-10754-an-act-expanding-the-benefits-and-privileges-of-persons-with-disability-pwd/

[3] NPC Circular 2023-03 dated November 07, 2023.

[4] NPC Advisory Opinion No. 2017-063 dated February 09, 2017.

[5] Data Privacy Act of 2012, Rep. Act No. 10173, § 4(e) (2012). Disclaimer: The views and opinions expressed in this article are those of the authors and do not necessarily reflect the views and opinions of the Firm or any of its partners. This article shall not be construed as official legal advice from the Firm. 

Atty. Charisa L. Belista is a lawyer who obtained her Bachelor of Science in Business Administration major in Human Resource Development Management in 2015 and Juris Doctor Degree in 2021 from the University of Santo Tomas and Arellano University School of Law, respectively.

Isabelle R. Gonzales is a paralegal who earned her Bachelor of Science in Human Ecology (magna cum laude) from the University of the Philippines Los Baños. She is currently completing her Juris Doctor degree at San Beda College Alabang School of Law, where she is in her second year.

For further inquiries, please contact counsel@dargonlawfirm.com or call (02) 8426-1837.