The National Privacy Commission recently held its first assembly for government Data Protection Officers

Kung di tayo kikilos, sino ang kikilos? Kung ‘di ngayon, kailan pa? (If we won’t act, then who else will? If not now, when?)”

National Privacy Commission (NPC) Commissioner Raymund Enriquez Liboro quoted this political slogan from the 70s as he opened the first in a series of Data Protection Officers (DPO) assemblies organized by the NPC at the Land Bank Plaza last April 5, 2017. About 186 DPOs from different government agencies attended to learn more about their roles as DPOs and to quickly build their proficiency in marshaling compliance of their respective organizations with the Data Privacy Act (DPA).

The NPC Advisory No. 2017-01 (Designation of Data Protection Officers) mandates the appointment of DPOs by institutions in the public and private sectors that are involved in collecting any form of personal data, defines the qualifications of DPOs and, where applicable, Compliance Officers for Privacy (COP), their duties and responsibilities, and general obligations of both.

 

The half-day event was just an introductory one — meant to bring all the government DPOs together, give them an idea of their role within their own government agencies, and set the stage for the next 90 days as government acts to protect not only its people, but also their personal data.

The DPO participants will be referred to from now on as “DPO1”, the term given to the first group of DPOs from government. Liboro stressed the importance of making government DPOs take the lead in data privacy protection. After all, the public give their “implicit trust” when providing government with their personal information. He said that eventually, there would be other DPO assemblies similar to this one, but those will involve the private sector.

An NPC Privacy Toolkit had been assembled and distributed to all participants as a primer on the Five (5) Pillars of Data Privacy, Accountability, and Compliance:

  1. Commit to Comply – Appoint a DPO
  2. Know your risks – Conduct a Privacy Impact Assessment
  3. Be accountable – Create your Privacy Management Program and write your Privacy Manual
  4. Demonstrate your compliance – Implement Privacy and Data Protection measures, and
  5. Be prepared for breach – Regularly exercise your Breach Reporting Procedures
NPC Privacy Toolkit

 

The five (5) pillars of Data Privacy, Accountability, and Compliance

Assistant Secretary Carlos Caliwara of the Department of Information and Communications Technology (DICT) mentioned the changing digital landscape, saying “Now that the Philippines is facing growing concern on data security, it is high time that we take steps to protect our citizens’ data. The establishment of the NPC has served as the government’s commitment towards achieving this goal. Data Protection Officers…are responsible for ensuring that the agency is complying with applicable laws regarding data privacy and security.” He also assured the DPOs that DICT and NPC are “committed to work hand in hand with all the agencies to strategize, collaborate, and implement R. A. 10173” or the Data Privacy Act.

Presidential Adviser on Economic Affairs and Information Technology Communications, Ramon Jacinto, spoke of the Internet of Things (IoT) and how it is even more important now to secure and protect data. “If we do not protect data, we don’t count…we have the chance to instill a new culture of privacy that will continue into the future.”

In her talk, “DPA, DPO and Government”, Deputy Privacy Commissioner Ivy Patdu explained the scope of the Data Privacy Act, what constitutes personal information, the rights of data subjects, and how information gained considerable importance in the recent years. She emphasized that the 3 important elements of data collection were 1) Transparency (the data subject is given notice that his personal data will be collected, 2) Legitimate purpose (there is a legitimate purpose for the information to be collected, and 3) Proportionality (information is only collected to the extent necessary).

A humorous take on the tendency to over-collect, over-require personal information

In one of the final slides of Deputy Commissioner Patdu, she showed a graph of government breaches worldwide in 2016. (see image below)

While some countries had more than 5 incidents, the data exposed was not as material as that of the 3 countries (with red dots) whose data breaches involved more than 50 million records: Turkey, Mexico, and the Philippines. Of these 3 countries, the Philippines had what Patdu described as a “one time, big time” breach, referring to the Commission on Elections data breach widely called ‘Comeleak’.

Following Patdu’s presentation, NPC’s Atty. Jamael Jacob tackled everything about DPOs — its legal bases, who are required to designate DPOs, who can be a DPO, duties and responsibilities of a DPO. Also discussed were the roles of personal information controllers (PICs) and personal information processors (PIPs).

Atty. Francis Euston Acero, also with the NPC, discussed the threats to data privacy in government. He began by identifying possible threat actors (those who are capable of disclosing personal information). These would include state (or government)-sponsored people, hacktivists or cause-oriented people, fraud-oriented people like identity thieves, and commercially-oriented people like telemarketers. He also described threats as originating from three different sources:

  • Organizational threats – insider access, insufficient backup and recovery, social media
  • Physical threats – improper destruction of data, lack of a physical security system, and physical theft
  • Technical threats – removable storage media, non-existent system architecture, and zero-day attacks (attacks stemming from a security hole that hackers take advantage of before the software vendor becomes aware of the hole and fixes it)

Finally, Commissioner Liboro closed the DPO assembly by emphasizing that the role of NPC is to make compliance easy but that it always has to come with accountability. He differentiated information security from data privacy. Information security has to do with confidentiality, integrity, and availability of data while data privacy has to do with data subjects’ rights and obligations of personal information controllers and processors.

Focusing on the tendency of government (including the private sector) to over-collect personal information, Liboro reminded everyone that there is a Data Life Cycle. The Data Life Cycle includes the proper and secure disposal of personal data that have already served its purpose. “Data has a life. It has a beginning and it has an end.”, Liboro said.

Data Life Cycle

Liboro also discussed in greater detail the 5 main actions required of DPOs. These 5 main action areas have been further divided into steps that need to be addressed over the next 90 days. The first 30 days will concentrate on organizational aspects that would require the selection and registration of a DPO in every government agency. The next 60 days would focus on personal data risks and risk management protocol.

A scanned copy of the document given out at the DPO assembly by NPC. (Note: NPC clarified that under #21, there is an added requirement for government DPOs – Security Clearance)

This assembly is only the first of several more DPO assemblies. Future plans include similar assemblies for the private sector, including the health and financial sectors.

 

Photo credits to the author. Some rights reserved.

This post is supported by a writing grant from the Philippine Center for Investigative Journalism (PCIJ).