Philippines Issues New Personal Data Security Guidelines

The National Privacy Commission (NPC) of the Philippines has taken a significant step towards bolstering the security of personal data with the issuance of NPC Circular No. 2023-06. This directive, effective as of March 30, 2024, lays down updated and stringent requirements for the safeguarding of personal information managed by Personal Information Controllers (PICs) and Personal Information Processors (PIPs). The Circular gives a PIC and PIP a transitory period of 12 months from the effectivity of the Circular or until 30 March 2025 to comply with the foregoing requirements.Here's an in-depth look at what the circular entails and the implications for organizations handling personal data.

Under the Data Privacy Act (DPA), it is mandatory for PICs to implement comprehensive measures that are reasonable and appropriate to protect personal information against risks such as accidental or unlawful destruction, alteration, disclosure, and other forms of unlawful processing. The Circular intensifies these requirements, building on the DPA's foundation to cover protection against both natural and human dangers. Organizations have a deadline until March 30, 2025, to align their operations with the new regulations, with severe penalties outlined for non-compliance.

1. General Obligations of PICs and PIPs
   Data Protection Officer (DPO):  Every PIC and PIP must designate a DPO, register them with the NPC, and ensure compliance with all data privacy regulations.
   Data Processing Systems Registration: All data processing systems must be registered with the NPC, alongside creating an inventory of all data processing activities.
   Privacy Impact Assessment (PIA): A mandatory PIA is required for each data processing system, particularly for off-the-shelf software solutions, to identify and mitigate risks.
2. Privacy Management and Training
   Privacy Management Program: Establish and maintain a program that regularly updates privacy management policies.
   Training: Periodic training programs are required for all employees and agents on privacy and data protection compliance.
3. Enhanced Privacy Protocols
   Privacy by Design and Default: These principles must be embedded in all data processing activities, ensuring that the strictest privacy settings are automatically applied without any need for user intervention.
4. Data Storage and Access
   Data Storage: Personal data should only be stored in a manner that allows identification of data subjects for as long as necessary for the intended purpose.
   Access Control: Access to personal data must be strictly regulated, with policies in place to ensure that only authorized personnel have access, utilizing secure authentication mechanisms.
5. Infrastructure and Network Security
   Business Continuity: A comprehensive business continuity plan is necessary to address potential disruptions, focusing on data backup, restoration, and remedial actions.
   Secure Data Transfer: Adequate protection measures must be in place for data transferred via email or other electronic means, including encryption of portable media and secure email systems.
6. Data Disposal and Penalties
   Data Disposal: Policies must be established for the secure and proper disposal of personal data, including the use of appropriate de-identification or anonymization techniques.
   Penalties for Non-Compliance: Organizations can face enforcement actions, fines, and potentially criminal charges for failing to comply with the regulations.

Recommended Actions for Compliance -  Organizations are urged to thoroughly review and update their privacy and data protection policies to comply with the new requirements. This involves:

The issuance of NPC Circular No. 2023-06 marks a pivotal development in the protection of personal data in the Philippines. By setting forth these detailed requirements, the NPC aims to fortify the legal and operational framework for data protection within the country, promoting a safer and more secure digital environment. As the March 2025 compliance deadline approaches, it is crucial for all affected entities to understand these changes and take proactive steps to integrate these standards into their daily operations. This will not only ensure compliance but also enhance trust and security in the processing of personal data.
For more details, refer :  https://privacy.gov.ph/wp-content/uploads/2024/03/NPC-Circular-Repeal-16-01-Signed.pdf