HomeData privacyThe National Privacy Commission recently held its first assembly for government Data Protection Officers
The National Privacy Commission recently held its first assembly for government Data Protection Officers
April 12, 2017
“Kung di tayo kikilos, sino ang kikilos? Kung ‘di ngayon, kailan pa? (If we won’t act, then who else will? If not now, when?)”
National Privacy Commission (NPC) Commissioner Raymund Enriquez Liboro quoted this political slogan from the 70s as he opened the first in a series of Data Protection Officers (DPO) assemblies organized by the NPC at the Land Bank Plaza last April 5, 2017. About 186 DPOs from different government agencies attended to learn more about their roles as DPOs and to quickly build their proficiency in marshaling compliance of their respective organizations with the Data Privacy Act (DPA).
The NPC Advisory No. 2017-01 (Designation of Data Protection Officers) mandates the appointment of DPOs by institutions in the public and private sectors that are involved in collecting any form of personal data, defines the qualifications of DPOs and, where applicable, Compliance Officers for Privacy (COP), their duties and responsibilities, and general obligations of both.
The half-day event was just an introductory one — meant to bring all the government DPOs together, give them an idea of their role within their own government agencies, and set the stage for the next 90 days as government acts to protect not only its people, but also their personal data.
The DPO participants will be referred to from now on as “DPO1”, the term given to the first group of DPOs from government. Liboro stressed the importance of making government DPOs take the lead in data privacy protection. After all, the public give their “implicit trust” when providing government with their personal information. He said that eventually, there would be other DPO assemblies similar to this one, but those will involve the private sector.
An NPC Privacy Toolkit had been assembled and distributed to all participants as a primer on the Five (5) Pillars of Data Privacy, Accountability, and Compliance:
Commit to Comply – Appoint a DPO
Know your risks – Conduct a Privacy Impact Assessment
Be accountable – Create your Privacy Management Program and write your Privacy Manual
Demonstrate your compliance – Implement Privacy and Data Protection measures, and
Be prepared for breach – Regularly exercise your Breach Reporting Procedures
Assistant Secretary Carlos Caliwara of the Department of Information and Communications Technology (DICT) mentioned the changing digital landscape, saying “Now that the Philippines is facing growing concern on data security, it is high time that we take steps to protect our citizens’ data. The establishment of the NPC has served as the government’s commitment towards achieving this goal. Data Protection Officers…are responsible for ensuring that the agency is complying with applicable laws regarding data privacy and security.” He also assured the DPOs that DICT and NPC are “committed to work hand in hand with all the agencies to strategize, collaborate, and implement R. A. 10173” or the Data Privacy Act.
Presidential Adviser on Economic Affairs and Information Technology Communications, Ramon Jacinto, spoke of the Internet of Things (IoT) and how it is even more important now to secure and protect data. “If we do not protect data, we don’t count…we have the chance to instill a new culture of privacy that will continue into the future.”
In her talk, “DPA, DPO and Government”, Deputy Privacy Commissioner Ivy Patdu explained the scope of the Data Privacy Act, what constitutes personal information, the rights of data subjects, and how information gained considerable importance in the recent years. She emphasized that the 3 important elements of data collection were 1) Transparency (the data subject is given notice that his personal data will be collected, 2) Legitimate purpose (there is a legitimate purpose for the information to be collected, and 3) Proportionality (information is only collected to the extent necessary).
In one of the final slides of Deputy Commissioner Patdu, she showed a graph of government breaches worldwide in 2016. (see image below)
While some countries had more than 5 incidents, the data exposed was not as material as that of the 3 countries (with red dots) whose data breaches involved more than 50 million records: Turkey, Mexico, and the Philippines. Of these 3 countries, the Philippines had what Patdu described as a “one time, big time” breach, referring to the Commission on Elections data breach widely called ‘Comeleak’.
Following Patdu’s presentation, NPC’s Atty. Jamael Jacob tackled everything about DPOs — its legal bases, who are required to designate DPOs, who can be a DPO, duties and responsibilities of a DPO. Also discussed were the roles of personal information controllers (PICs) and personal information processors (PIPs).
Atty. Francis Euston Acero, also with the NPC, discussed the threats to data privacy in government. He began by identifying possible threat actors (those who are capable of disclosing personal information). These would include state (or government)-sponsored people, hacktivists or cause-oriented people, fraud-oriented people like identity thieves, and commercially-oriented people like telemarketers. He also described threats as originating from three different sources:
Organizational threats – insider access, insufficient backup and recovery, social media
Physical threats – improper destruction of data, lack of a physical security system, and physical theft
Technical threats – removable storage media, non-existent system architecture, and zero-day attacks (attacks stemming from a security hole that hackers take advantage of before the software vendor becomes aware of the hole and fixes it)
Finally, Commissioner Liboro closed the DPO assembly by emphasizing that the role of NPC is to make compliance easy but that it always has to come with accountability. He differentiated information security from data privacy. Information security has to do with confidentiality, integrity, and availability of data while data privacy has to do with data subjects’ rights and obligations of personal information controllers and processors.
Focusing on the tendency of government (including the private sector) to over-collect personal information, Liboro reminded everyone that there is a Data Life Cycle. The Data Life Cycle includes the proper and secure disposal of personal data that have already served its purpose. “Data has a life. It has a beginning and it has an end.”, Liboro said.
Liboro also discussed in greater detail the 5 main actions required of DPOs. These 5 main action areas have been further divided into steps that need to be addressed over the next 90 days. The first 30 days will concentrate on organizational aspects that would require the selection and registration of a DPO in every government agency. The next 60 days would focus on personal data risks and risk management protocol.
This assembly is only the first of several more DPO assemblies. Future plans include similar assemblies for the private sector, including the health and financial sectors.
Photo credits to the author. Some rights reserved.
Jane T. Uymatiao is known as @citizenjaneph. She spent more than 15 years as an IT auditor/consultant at an accounting firm and another 2.5 years as VP-Head of a bank's Corporate Planning Division. She has been blogging for about 16 years now and is one of the early adopters of social media. She believes in active citizen engagement, pushing for transparency and good governance, and is often tapped to speak on social media-related topics. Her personal blogs are: yoga and wellness (yoginifrommanila.com), tech (titatechie.com), lifestyle (philippinebeat.com), and personal (janeuymatiao.com)
Jane has a Master’s degree in Business Administration, major in International Business with a focus on Strategic Management, from the Wharton School, University of Pennsylvania. She is also a certified yin yoga teacher. More details at www.linkedin.com/in/janeuymatiao
Updated: August 2022