Read also: PROCEDURE FOR NOTIFYING THE NATIONAL PRIVACY COMMISSION IN CASE OF DATA PRIVACY BREACH
-
The data subjects shall be notified within seventy-two (72) hours upon knowledge of or reasonable belief by the personal information controller or personal information processor that a personal data breach has occurred.
-
A personal information controller may be exempted from the notification requirement where the National Privacy Commission determines that such notification would not be in the public interest or in the interest of the affected data subjects.
-
The personal information controller shall take the necessary steps to ensure the proper identity of the data subject being notified, and to safeguard against further unnecessary disclosure of personal data.
Notification shall be required upon knowledge of or when there is reasonable belief by the personal information controller or personal information processor that a personal data breach requiring notification has occurred.
Aside from informing the National Privacy Commission, the personal information controller or personal information processor should also inform the affected data subjects upon knowledge of, or when there is reasonable belief that a personal data breach has occurred.
NPC Circular 16-03 Provides For The Procedure For Notifying The Data Subjects In Case Of Privacy Data Breach:
The personal information controller shall notify the data subjects affected by a personal data breach, subject to the following procedures:
When should notification be done.
The data subjects shall be notified within seventy-two (72) hours upon knowledge of or reasonable belief by the personal information controller or personal information processor that a personal data breach has occurred. The notification may be made on the basis of available information within the 72-hour period if the personal data breach is likely to give rise to a real risk to the rights and freedoms of data subjects. It shall be undertaken in a manner that would allow data subjects to take the necessary precautions or other measures to protect themselves against the possible effects of the breach. It may be supplemented with additional information at a later stage on the basis of further investigation.
Content of Notification.
The notification shall include, but not be limited to:
- nature of the breach;
- personal data possibly involved;
- measures taken to address the breach;
- measures taken to reduce the harm or negative consequences of the breach;
- representative of the personal information controller, including his or her contact details, from whom the data subject can obtain additional information regarding the breach; and
- any assistance to be provided to the affected data subjects.
Where it is not possible to provide the foregoing information all at the same time, they may be provided in phases without undue delay.
Form.
Notification of affected data subjects shall be done individually, using secure means of communication, whether written or electronic. The personal information controller shall take the necessary steps to ensure the proper identity of the data subject being notified, and to safeguard against further unnecessary disclosure of personal data.
The personal information controller shall establish all reasonable mechanisms to ensure that all affected data subjects are made aware of the breach.
Where individual notification is not possible or would require a disproportionate effort, the personal information controller may seek the approval of the Commission to use alternative means of notification, such as through public communication or any similar measure through which the data subjects are informed in an equally effective manner.
The personal information controller shall establish means through which the data subjects can exercise their rights and obtain more detailed information relating to the breach.
Alburo Alburo and Associates Law Offices specializes in business law and labor law consulting. For inquiries, you may reach us at info@alburolaw.com, or dial us at (02)7745-4391/0917-5772207.
All rights reserved.
SUBSCRIBE NOW FOR MORE LEGAL UPDATES!
[email-subscribers-form id=”4″]