Recent Privacy Circulars on Certification Program and Security Measures to Strengthen Personal Data Protection
- Dargon Law
- Apr 30, 2024
by Sean Patrick Lee and Margareth Grace Buensalido

NPC Circular 2023-05: Prerequisites for the Philippine Privacy Mark Certification Program
The Philippine Privacy Mark (PPM) Certification Program of the National Privacy Commission (NPC) enables organizations handling personal data to voluntarily obtain certification or accreditation. According to the circular, which became effective on March 15, 2024, the PPM Certification Program is “a voluntary certification program, to assess public and private organizations that implement data privacy and protection management systems, to ensure the secure and protected processing of personal information.”[1] Through this program, data subjects can quickly recognize trustworthy organizations for the processing of their personal data.
The PPM Certification Program is applicable to all personal information controllers (PICs) or personal information processors (PIPs) that seek certification, as well as to Certification Bodies (CBs) that seek accreditation. Certification refers to a third-party attestation related to an object of conformity assessment (e.g., product, process, service, system, installation, project, data, design, material, claim, person, body, or organization) with the exception of accreditation.[2] Meanwhile, accreditation refers to a third-party attestation related to a conformity assessment body conveying a formal demonstration of its competence to carry out specific conformity assessment tasks.[3]
For certification, PICs and PIPs must already hold certification under ISO/IEC 27001 (information security management systems) and ISO/IEC 27701 (privacy information management systems).[4] In addition to these requirements, CBs are also required to be certified under ISO/IEC 17021-1 on conformity assessment. CBs must then complete three accreditation stages based on ISO/IEC standards.[5]
Remarks
This initiative is considered a positive development for data privacy rights in the Philippines. While the circular only tackles the prerequisites for the program, it shows how rigorous the standards are for certification and accreditation. Once the concerned organizations complete the program, data subjects would then be able to easily identify organizations that can be trusted with their personal data. The PPM Certification Program also creates a strict standard that demonstrates these organizations’ capability to comply with the Data Privacy Act and its related rules and regulations.
With data privacy as a growing concern of data subjects, we anticipate a surge in organizations seeking certification or accreditation under the PPM.
NPC Circular 2023-06: Security of Personal Data in the Government and the Private Sector
This issuance provides for updated requirements for the security of personal data processed by PICs and PIPs. It applies to all natural or juridical persons engaged in the processing of personal data within and outside of the Philippines.[6] The circular took effect on March 30, 2024, and covers the following main topics:
I. General obligations of PICs and PIPs[7]
PICs and PIPs have the following general obligations:
1. Designate and register a Data Protection Officer with the NPC.
2. Register data processing systems with the NPC.
3. Create an inventory of all data processing systems and activities.
4. Conduct a Privacy Impact Assessment (PIA) on personal data processing.
5. Establish a Privacy Management Program.
6. Provide periodic training on privacy and data protection policies to employees, agents, personnel, or representatives.
7. Comply with NPC’s orders during privacy and data protection policy reviews and assessments.
II. Privacy-by-default
PICs and PIPs should enable privacy-by-default in their data processing systems without requiring any action from data subjects. Privacy-by-default “refers to the principle according to which the PIC/PIP ensures that only data necessary for each specific purpose of processing is processed by default.”[8] Additionally, any function that lacks a lawful basis for processing or is incompatible with the general data privacy principles must be switched off or deactivated.[9]
III. Storage of Personal Data
PICs/PIPs must store personal information only for as long as necessary to fulfill the purpose for which it was collected. Retention periods must be established and documented in a policy.[10] Furthermore, all stored personal data must be sufficiently protected, and each PIC/PIP must have a Password Policy.[11]
IV. Access to Personal Data
Personal data collected by PICs and PIPs may only be accessed or modified through authorized software programs, and only on known devices. PICs and PIPs must also implement an access control policy and grant access only on a “need-to-know basis.”[12] For online access to personal data, the NPC requires secure authentication mechanisms such as encrypted links or multifactor authentication to prevent possible data breaches.[13] Where devices are lost or compromised, PICs and PIPs must have a way to remotely disconnect them or delete the data they hold.[14]
V. Business Continuity
In case of any potentially disruptive event, PICs and PIPs must have a Business Continuity Plan and, if necessary, adopt telecommuting or other alternative work arrangements to continue the delivery of essential goods and services. A Business Continuity Plan “refers to documented procedures that guide a PIC or PIP to respond, recover, resume, and restore systems and processes to a predefined level of operation following disruptive events.” Security measures for alternative work arrangements may include training on the limits placed on the use of company-issued computing devices, periodic refresher training, password management best practices, and secure practices for managing online accounts.[15]
VI. Transfer of Personal Data
When personal data is transferred by email, PICs and PIPs must adequately secure the transmission and reception of email messages, for example by using systems that scan outgoing emails and attachments for keywords indicating the presence of personal data and, where applicable, block their transmission.[16] There must also be security controls that prevent personnel from printing or copying personal data. The use of removable or portable storage media, such as compact discs and flash drives, must be regulated where it cannot be avoided. Facsimile technology must not be used to transmit documents containing personal data.[17]
VII. Disposal of Personal Data
In establishing disposal and destruction policies, the following shall be considered: the retention period; the de-identification, anonymization, or deletion techniques to be used; and the documentation required before deletion, de-identification, or anonymization.[18] PICs and PIPs shall retain logs for as long as necessary and must be able to record information about authentication attempts, which shall be retained longer than general system logs.[19] Disposal and destruction must render further processing impossible and shall include rules on electronically disposing of personal data through the use of degaussers, erasers, encryption, or secure wiping programs; physically disposing of storage media; and disposing of paper documents using shredders.[20]
Remarks
Proper implementation of NPC Circular 2023-06 can greatly improve the security of data subjects’ personal data. The importance of strengthening protective mechanisms for personal data cannot be overstated amid the reported data breaches and leaks involving even the Philippine government.[21] The circular provides comprehensive, concrete, and actionable guidelines that enable PICs and PIPs to better protect the personal data of their data subjects. PICs and PIPs must endeavor to meet the standards set by the circular, and the NPC must be well equipped to evaluate and monitor these organizations effectively.
[1] National Privacy Commission (NPC) Circular No. 2023-05 (2023). Prerequisites for the Philippine Privacy Mark Certification Program.
[2] § 3.
[3] § 3.
[4] § 4.
[5] § 5.
[6] National Privacy Commission (NPC) Circular No. 2023-06 (2023). Security of Personal Data in the Government and the Private Sector.
[7] § 4.
[8] § 7.
[9] § 7.
[10] § 9.
[11] § 11.
[12] § 13.
[13] § 16.
[14] § 18.
[15] § 22.
[16] § 23.
[17] § 26.
[18] § 28.
[19] § 29.
[20] § 30.
[21] Tyrone Jasper C. Piad, DICT gains partial access to DOST’s compromised system, PHIL. DAILY INQUIRER, April 4, 2024.
Disclaimer: The views and opinions expressed in this article are those of the authors and do not necessarily reflect the views and opinions of the Firm or any of its partners. This article shall not be construed as official legal advice from the Firm.