NPC decision on ‘Comeleak’ finds COMELEC Chair Bautista criminally liable

Between March 20 and 27, 2016, the largest data breach on a government-held personal database (dubbed Comeleak), happened when personal information of voters were accessed and downloaded from Comelec’s databases and published publicly by a hacker group.

In a decision dated December 28, 2016, the National Privacy Commission (NPC) found the Commission on Elections (COMELEC) liable for violating the Data Privacy Act of 2012 (or Republic Act No. 10173). It has also recommended criminal prosecution against COMELEC Chairman J. Andres D. Bautista, being the head of the agency.

The decision on NPC Case No. 16-001, described Bautista’s reaction to the breach as a “lack of appreciation” of what data protection really involves. “Data privacy is more than the deployment of technical security; it also includes the implementation of physical and organizational measures, as well as regular review, evaluation, and updating of COMELEC’s privacy and security policies and practices.”

Exactly what databases were exposed?

The decision states that “the personal data in the breach is contained in several databases kept in the website”. It went on to list these five databases:

• Voter database in the Precinct Finder web application (75,302,683 records)
• Voter database in the Post Finder web application (1,376,067 records)
• The iRehistro registration database (139,301 records)
• The firearms ban database (896,992 personal data records and 20,485 records of firearms serial numbers)
• COMELEC personnel database (1,267 records of COMELEC personnel)

What information was in those databases?

The NPC decision, focusing specifically on the two voter databases (Precinct Finder and Post Finder) enumerated the sensitive personal information compromised:

Precinct Finder – The decision lists the compromised information as including “…voter’s complete name, date of birth, gender, civil status, address, precinct number, birthplace, disability, voter identification number, voter registration record number, reason for deletion/deactivation, registration date, update time”.

Post Finder – The decision lists the compromised information as including “…voter’s verified name, date of birth, gender, civil status, post of registration, passport information (with number and expiry date), taxpayer identification number, e-mail address, mailing address, spouse’s name, the complete names of the voter’s mother and father, the voter’s addresses in the Philippines and abroad, post or country of registration, old registration information, Philippine representative’s complete name, citizenship, registration assistor, profession, sector, height and weight, identifying marks, biometrics description, voting history, mode of voting, and other textual reference information for the voter registration system”.

Why is Bautista being held liable?

The accountability of Bautista was clearly stated by the NPC. “A head of agency making his acts depend on the recommendations of the Executive Director or the Information Technology Department amplifies the want of even slight care. The duty to obey the law should begin at the top and should not be frustrated simply because no employee recommended such action.”

Raymund Liboro, NPC Commissioner, said that the Comelec is not just an ordinary personal information processor. Another NPC Commissioner, Dondi Mapa, likewise said that in COMELEC’s zeal to protect the vote, the question was if they also protected the voter. In any case, NPC contends that the ultimate responsibility lies with the head of agency.

What violations against the Data Privacy Act of 2012 were committed?

According to NPC, COMELEC “violated Sections 11, 20 and 21 of the Republic Act No. 10173” in dispensing its duty as “personal information controller”. On the other hand, NPC says that Chairman Bautista “violated the provisions of Section 11, 20, 21 and 22 in relation to Section 26” of the same law.

What are the penalties for violations?

Section 26 of that Act penalizes negligence resulting in the illegal access to sensitive personal information with imprisonment from 3 to 6 years and a fine ranging from P500,000 to P4,000,000. Section 36 of the same Act imposes additional penalties when the offender is a public officer — disqualification from public office for a period equivalent to double the term of criminal penalty.

Recommended Corrective Measures

Finally, the NPC decision also carries with it corrective measures it wants COMELEC to implement:

1. Appoint a Data Protection Officer in one (1) month’s time from receipt of the decision
2. Conduct an agency-wide Privacy Impact Assessment within two (2) months
3. Create a Privacy Management Program and a Breach Management Procedure within three (3) months
4. Implement organizational, physical, and technical security measures, within six (6) months, in compliance with the Implementing Rules and Regulations of the Data Privacy Act and the provisions of NPC Circular No. 16-01 on Security of Personal Data in Government Agencies.

In addition, since one of the computers used in the COMELEC data breach bore an IP address registered with the National Bureau of Investigation, the NPC is also recommending to the Secretary of the Department of Justice that “further investigation for possible prosecution”, under the Cybercrime Prevention Act, be done.

Bautista’s Reaction

In a separate press conference, Chair Bautista reacted to the NPC decision. Watch the video below courtesy of COMELEC’s Facebook page.

Bautista says the Office of the Solicitor General will file a motion for reconsideration on behalf of COMELEC.

This post is supported by a writing grant from the Philippine Center for Investigative Journalism (PCIJ)