The following post does not create a lawyer-client relationship between Alburo Alburo and Associates Law Offices (or any of its lawyers) and the reader. It is still best for you to engage the services of a lawyer or you may directly contact and consult Alburo Alburo and Associates Law Offices to address your specific legal concerns, if there is any.
Also, the matters contained in the following were written in accordance with the law, rules, and jurisprudence prevailing at the time of writing and posting, and do not include any future developments on the subject matter under discussion.
AT A GLANCE:
The Data Privacy Act of 2012 or Republic Act (R.A.) No. 10173 states in its declaration of policy that the State is to protect the fundamental human right of privacy while still balancing and ensuring the free flow of information. Pursuant to the Act and such State policy, the National Privacy Commission (NPC) was established.
The NPC is the government body mandated to implement the Data Privacy Act, and part of its functions is to develop and issue guidelines on physical and technical measures for data protection. Verily, the NPC issued two (2) circulars in furtherance of data protection in the Philippines – NPC Circular 2023-05 and NPC Circular 2023-06.
NPC Circular 2023-05
NPC Circular 2023-05 governs the prerequisites for the Philippine Privacy Mark (PPM) Certification Program, a voluntary certification program initiated to assess and ensure the protected processing of personal information by public and private organizations that implement data privacy and protection management systems.
To be sure, NPC Circular 2023-05 applies to all personal information controllers (PICs) or personal information processors (PIPs) and Certification Bodies (CBs) that will seek certification or accreditation under the PPM Certification Program. The instant Circular defines “certification” as the attestation by a third party related to an object of conformity; and “accreditation” as the attestation by a third party related to a conformity assessment body, conveying a formal demonstration of its competence to carry out specific conformity assessment tasks (Sec. 3, NPC Circular 2023-05).
For PICs or PIPs to be certified under the PPM Certification Program, they must be compliant with the following international standards to manage information security: ISO/IEC 27001 and ISO/IEC 27701 (Sec. 4, NPC Circular 2023-05). Meanwhile, for CBs to be accredited under the PPM Certification Program, the CB must be compliant with the following standards: ISO/IEC 27001, ISO/IEC 27701, and ISO/IEC 17021-1 (Sec. 5, NPC Circular 2023-05).
Failure by the PICs, PIPs, or CBs to comply with the above prerequisites will result in their disqualification from the PPM Certification Program (Sec. 6, NPC Circular 2023-05).
NPC Circular 2023-06
NPC Circular 2023-06 governs the security of personal data in the government and the private sector, and provides updated requirements for the security of personal data processed by a PIC or PIP. The instant Circular is of a general nature; hence, a PIC or PIP may implement more detailed or stricter policies and procedures that reflect industry-specific operating requirements (Sec. 2, NPC Circular 2023-05).
Some salient provisions from the instant Circular include: a delineation of general obligations that a PIC and its PIP must fulfill; the Privacy Impact Assessment (PIA) that must be undertaken for every processing system of a PIC or PIP that involves personal data; the institution of a privacy management system; and, rules on the storage, access, and disposal of personal data.
Alburo Alburo and Associates Law Offices specializes in business law and labor law consulting. For inquiries regarding legal services, you may reach us at info@alburolaw.com, or dial us at (02)7745-4391/ 0917-5772207/ 09778050020.