
Philippines: Cybersecurity


July 2021

1. GOVERNING TEXTS

In view of the rapid development of information and communications technology ('ICT') in recent years, the Philippines has adopted measures to better address the use, regulation, and protection of the same, particularly in relation to cybersecurity.

Under the Cybercrime Prevention Act of 2012 (Republic Act No. 10175) ('the Cybercrime Prevention Act'), cybersecurity is defined as the 'collection of tools, policies, risk management approaches, actions, training, best practices, assurance, and technologies that can be used to protect the cyber environment and organisation and user's assets.'

Cybersecurity is closely intertwined with privacy and data protection. Given the growing use of digital platforms for the disclosure or exchange of personal data, cybersecurity is a foremost concern for individual data subjects, personal information controllers ('PIC'), and personal information processors ('PIP') alike. As such, responsive measures and heightened vigilance in cybersecurity regulation are necessary.

1.1. Legislation

The Cybercrime Prevention Act

The principal legislation in the Philippines on cybersecurity is the Cybercrime Prevention Act and the Implementing Rules and Regulations of Republic Act No. 10175 ('the Cybercrime IRRs'). The Cybercrime Prevention Act penalises cybercrime offences which are classified into three main categories:

  • offences against the confidentiality, integrity, and availability ('CIA') of computer data and systems, such as illegal access, illegal interference, data interference, cyber-squatting, among others;
  • computer-related offences, namely computer-related forgery, fraud, and theft; and
  • content-related offences, such as cybersex, cyber libel, and cyber child pornography, in relation to the Anti-Child Pornography Act of 2009 (Republic Act No. 9775) ('the Anti-Child Pornography Act').

The Cybercrime Prevention Act and the Cybercrime IRRs also create the following bodies:

In addition, the Cybercrime Prevention Act provides for international cooperation in relation to investigations or proceedings concerning criminal offences related to computer systems and data, as well as the collection of electronic evidence of a criminal offence.

In April 2022, the NPC launched its new Data Breach Notification Management System ('DBNMS'), an online reporting system that must be used by PICs and PIPs to submit personal data breach notifications and Annual Security Incident Reports ('ASIRs') to the NPC.

The Anti-Child Pornography Act

The Anti-Child Pornography Act provides for the unlawful and prohibited acts in relation to child pornography, defined as any representation, whether visual, audio, or written combination thereof, by electronic, mechanical, digital, optical, magnetic, or any other means, of a child engaged or involved in real or simulated explicit sexual activities. All internet service providers ('ISPs') are mandated to notify the Philippine National Police ('PNP') or the National Bureau of Investigation ('NBI') within seven days from obtaining facts and circumstances that any form of child pornography is being committed using its server or facility. Similarly, internet content hosts are also mandated to report the presence of any form of child pornography, as well as the particulars of the person maintaining, hosting, distributing or in any manner contributing to such internet address, to the proper authorities within the same period.

Budapest Convention on Cybercrime

In 2018, the Philippines acceded to the Council of Europe Convention on Cybercrime ('the Budapest Convention'), the first international treaty on crimes committed through the internet and other computer networks.

The Budapest Convention deals with copyright infringement, computer-related fraud, child pornography, violations of network security, among others. It also provides for powers and procedures which are international and transnational in character, including international cooperation, extradition, and mutual assistance.

The Data Privacy Act

The Data Privacy Act of 2012 (Republic Act No. 10173) ('the Data Privacy Act'), the Implementing Rules and Regulations of Republic Act No. 10173 ('the Privacy IRRs'), and circulars and advisories issued by the National Privacy Commission ('NPC') comprise the central data privacy and security legislation in the Philippines.

In general, the Data Privacy Act prohibits the processing of personal information without the express and recorded consent of the data subject. The law also enumerates the rights of data subjects (i.e. notice, access, control, data portability, and the right to be indemnified by PICs for damages arising from the unlawful processing of personal information) and the obligations of PICs and PIPs to ensure the privacy, security, and integrity of personal information, including but not limited to a breach notification requirement.

The Data Privacy Act created the NPC, which is mandated to administer and implement it. In addition, the Data Privacy Act provides for:

  • general principles of data privacy (transparency, legitimate purpose, and proportionality);
  • criteria for lawful processing of personal data;
  • rights of data subjects;
  • responsibilities of PICs and/or PIPs; and
  • other related procedures and penalties for violations of its provisions, including the imposition of the penalties of imprisonment and fine for certain named offences.

The Access Devices Regulation Act

The Access Devices Regulation Act of 1998 (Republic Act No. 8484, as amended by Republic Act No. 11449) ('the Access Devices Regulation Act') enumerates the prohibited actions and penalties for actions committed in relation to an 'access device.'

An 'access device' is defined as a card (credit, debit, ATM, and the like), account number, equipment, or other means of account access that can be used to obtain money, goods, services, or any other thing of value, or to initiate a transfer of funds.

It also requires the necessary disclosures for credit card applications. The authority of credit card companies to issue credit cards shall be suspended or cancelled, if they fail to comply with the disclosure requirements, after due notice and hearing.

Amendments to the law were introduced in 2019, including the imposition of higher penalties, such as life imprisonment for the hacking of a bank's system or the skimming of 50 or more payment cards which are deemed to constitute economic sabotage. In addition, the amendments include a broader scope for the prohibited acts which now covers access to online banking, ATM, and other similar accounts in a fraudulent manner; skimming, copying, or counterfeiting cards; and hacking of the banking system; among others.

The Electronic Commerce Act

The Electronic Commerce Act of 2000 (Republic Act No. 8792) ('the Electronic Commerce Act') applies to electronic data messages or electronic documents used in the context of commercial and non-commercial activities, including transactions, contracts, exchanges, and storage of information, with the goal of ensuring the authenticity and reliability of such electronic data messages or electronic documents.

The Electronic Commerce Act considers an electronic document as the functional equivalent of a written document. It provides for the legal recognition of electronic documents, as well as electronic signatures and the related presumptions thereto.

The Electronic Commerce Act also defines and provides for the penalties for the following acts:

The Anti-Photo and Video Voyeurism Act

The Anti-Photo and Video Voyeurism Act of 2009 (Republic Act No. 9995) ('the Anti-Photo and Video Voyeurism Act') penalises photo or video voyeurism, which includes the following prohibited acts:

  • taking photo or video coverage of the performance of a sexual act or a similar activity;
  • capturing an image of a person's private areas without consent, under circumstances where there is a reasonable expectation of privacy; or
  • selling, copying, sharing, showing, etc. the photo or video recording of such sexual act or similar activity without consent, notwithstanding consent to take the photo or record the video.

1.2. Regulatory authority

DICT

The Department of Information and Communications Technology ('DICT') was created under the Department of Information and Communications Technology Act of 2015 (Republic Act No. 10844) ('the DICT Act').

Under the DICT Act and its Implementing Rules and Regulations, the DICT shall serve as the primary policy, planning, coordinating, implementing, and administrative entity of the Executive Branch of the Government of Philippines ('the Government') that will plan, develop, and promote the national ICT development agenda.

In addition, all powers and functions related to cybersecurity including, but not limited to the formulation of the National Cybersecurity Plan, the establishment of the NCERT, and the facilitation of international cooperation on intelligence regarding cybersecurity matters were transferred to the DICT.

The powers and functions of the DICT include, among others:

  • the formulation, recommendation, and implementation of national policies on the use and development of ICT;
  • improvement of public access to ICT;
  • in relation to resource-sharing and capacity building, coordination of all national ICT plans and initiatives; and
  • protection of the rights and welfare of consumers and business users to privacy, security, and confidentiality in matters relating to ICT.

For policy and program coordination, the following agencies are attached to the DICT under the DICT Act:

CICC

Under the DICT Act, the CICC has the following powers and functions:

  • formulate a national cybersecurity plan;
  • extend immediate assistance for the suppression of real-time commission of cybercrime offences through a computer emergency response team ('CERT');
  • recommend the enactment of laws, issuances, measures, and policies; and
  • monitor cybercrime cases and coordinate the preparation of measures to prevent and suppress cybercrime activities and perform all other matters related to cybercrime prevention and suppression.

The DICT Secretary is the chairperson of the CICC.

NPC

The NPC was created under the Data Privacy Act. The NPC is mandated to administer and implement the provisions of the Data Privacy Act. It has, among others, the following functions:

  • receive complaints and institute investigations in relation to the Data Privacy Act;
  • facilitate or enable the settlement of complaints;
  • issue cease and desist orders;
  • monitor compliance of government agencies and instrumentalities and coordinate these bodies;
  • provide assistance on privacy or data protection;
  • propose legislation or amendments to Philippine laws on privacy or data protection.

In relation to such functions, the NPC issues circulars, memoranda, and advisory opinions which form part of the relevant rules on privacy and data protection in the Philippines.

BSP

Under the New Central Bank Act of 2018 (Republic Act 7653), as amended by Republic Act No. 11211, the Central Bank of the Philippines ('BSP') exercises supervision over the operations of banks and regulates the operations of finance companies and non-bank financial institutions performing quasi-banking functions and institutions performing similar functions. Pursuant to this power, the BSP releases regulatory issuances, including the BSP Circular No. 982 Enhanced Guidelines on Information Security Management (2017) and amendments to the Manual of Regulations for Banks and the Manual for Non-Bank Financial Institutions, addressing technology, cyber-risk reporting, and notification requirements.

Other authorities

Other relevant authorities include the following agencies:

1.3. Regulatory authority guidance

The NCSP

The National Cybersecurity Plan 2022 ('NCSP') is a comprehensive plan of action designed to improve security and enhance the cyber resilience of the ICT environment in the Philippines. The NCSP envisions the fulfilment of the following objectives:

  • to systematically and methodically harden the Critical Information Infrastructure ('CII') for resiliency;
  • to prepare and secure government infrastructure;
  • to raise awareness in the business sector on cyber risks and use of security measures among businesses to prevent and protect, respond, and recover from attacks; and
  • to raise awareness among individual users of cyber risks; since users are the weakest link, they need to adopt the right norms in cybersecurity.

The NCSP contains the National Cybersecurity Strategy Framework which institutionalises the adoption and implementation of information security governance and risk management approaches. The following are central to the key areas for the development of the cybersecurity plan of the Government:

  • information security;
  • application security;
  • network security;
  • internet security; and
  • CII protection.

The NCSP acknowledges that the Philippines is still at the infancy stage with regard to cybersecurity. It does, however, serve as a roadmap for a coherent and cohesive cybersecurity strategy moving forward.

The DICT issued Memorandum Circulars No. 005, 006, and 007 prescribing the policies, rules, and regulations on the protection of CIIs, government agencies, and individuals, respectively, as provided under the NCSP. For further information on CII protection, see section 11 below.

DICT Memorandum Circular No. 005 provides for the adoption of the Code of Practice stipulated in the PNS ISO/IEC 27000 family of standards and other relevant international standards, requires compliance with an annual risk and vulnerability assessment and security assessment, and requires the reporting of all cybersecurity incidents to the NCERT within 24 hours from detection.

DICT Memorandum Circular No. 006 provides that all government agencies and instrumentalities shall establish their own CERT (i.e. 'Government CERT' or 'GCERT'), each of which is mandated to respond to cyberattacks.

DICT Memorandum Circular No. 007 discusses the integration of cybersecurity courses in education and the observance of CyberSecurity Awareness Week.

The NPC Data Breach Circular

The NPC issued NPC Circular 16-03: Personal Data Breach Management ('the NPC Data Breach Circular') containing the framework for personal data breach management and the procedure for personal data breach notification and other requirements. Under the NPC Data Breach Circular, a PIC or PIP shall implement a security incident management policy, containing the policies and procedures for the purpose of managing security incidents, including personal data breaches. This includes the creation of a data breach response team and the implementation of security measures, personal data privacy policies, and an incident response procedure.

The NPC Privacy Toolkit

The NPC Privacy Toolkit provides for the five pillars of data privacy accountability and compliance:

  • appointment of a data protection officer ('DPO');
  • conduct of a Privacy Impact Assessment ('PIA');
  • preparation of a privacy management program, codified into a privacy manual;
  • implementation of data privacy and protection measures; and
  • exercise of breach reporting procedures.

This framework is not only meant to combat data privacy threats but to also help PICs and processors comply with the Data Privacy Act.

Other issuances

The Rule on Cybercrime Warrants (A.M. No. 17-11-03-SC) ('the Warrants Rule') issued by the Supreme Court of the Philippines provides for the four types of cybercrime warrants:

  • Warrant to Disclose Computer Data ('WDCD');
  • Warrant to Intercept Computer Data ('WICD');
  • Warrant to Search, Seize, and Examine Computer Data ('WSSECD'); and
  • Warrant to Examine Computer Data ('WECD').

These warrants are applied for by law enforcement agencies from the designated Regional Trial Court handling cybercrime cases. Under the Warrants Rule, the service of warrants and/or other court processes on persons or service providers situated outside of the Philippines shall be coursed through the Office of Cybercrime of the DOJ.

DOJ Advisory Opinion No. 1: Institution of Cybercrime and Cyber-related Cases issued by the DOJ clarifies that an investigation by a law enforcement agency is not a mandatory requirement for the institution of a criminal action involving a violation of the Cybercrime Prevention Act.

Other investigation units or agencies, aside from the PNP-ACG and NBI-CCD, may also undertake the investigation of cyber-related offences or offences committed by, through, or with the use of ICT.

2. SCOPE OF APPLICATION

The Cybercrime Prevention Act

The Cybercrime Prevention Act punishes content-related offences such as cybersex, child pornography, and libel which may be committed through a computer system. It also penalises unsolicited commercial communication or content that advertises or sells products or services.

Jurisdiction over cybercrimes, including those committed by a Filipino national abroad, shall be with the Regional Trial Court if any of the elements was committed within the Philippines, or committed with the use of any computer system that is wholly or partly situated in the country, or when by such commission any damage is caused to a natural or juridical person who, at the time the offence was committed, was in the Philippines. Cases shall be heard by designated special cybercrime courts manned by specially trained judges to handle cybercrime cases.

The Data Privacy Act

The Data Privacy Act applies to the processing of all types of personal information and to any natural and/or juridical person involved in personal information processing, including those PICs and PIPs who, although not found or established in the Philippines:

  • use equipment that is located in the Philippines or maintain an office, branch, or agency in the Philippines; and
  • process personal information pertaining to a Philippine citizen or resident and maintain commercial links to the Philippines.

However, the Data Privacy Act does not apply to the following:

  • information about any individual who is or was an officer or employee of a government institution that relates to the position or functions of the individual, including:
    • the fact that the individual is or was an officer or employee of the government institution;
    • the title, business address, and office telephone number of the individual;
    • the classification, salary range, and responsibilities of the position held by the individual; and
    • the name of the individual on a document prepared by the individual in the course of employment with the Government;
  • information about an individual who is or was performing service under contract for a government institution that relates to the services performed, including the terms of the contract and the name of the individual given in the course of the performance of those services;
  • information relating to any discretionary benefit of a financial nature, such as the granting of a licence or permit given by the Government to an individual, including the name of the individual and the exact nature of the benefit;
  • personal information processed for journalistic, artistic, literary, or research purposes;
  • information necessary in order to carry out the functions of public authority which include the processing of personal data for the performance by the independent, central monetary authority and law enforcement and regulatory agencies of their constitutionally and statutorily mandated functions. Nothing in the Data Privacy Act shall be construed as to have amended or repealed the Secrecy of Bank Deposits Act of 1955 (Republic Act No. 1405), the Foreign Currency Deposit Act of 1972 (Republic Act No. 6426), and the Credit Information System Act of 2008 (Republic Act No. 9510) ('CISA');
  • information necessary for banks and other financial institutions under the jurisdiction of the independent, central monetary authority or the BSP to comply with the CISA, the Anti-Money Laundering Act of 2001 (Republic Act No. 9160) (as amended), and other applicable laws; and
  • personal information originally collected from residents of foreign jurisdictions in accordance with the laws of those foreign jurisdictions, including any applicable data privacy laws, which is being processed in the Philippines.

Additionally, the Data Privacy Act also applies to an act done or practice engaged in and outside of the Philippines by an entity if:

  • the act, practice, or processing relates to personal information about a Philippine citizen or a resident;
  • the entity has a link with the Philippines, and the entity is processing personal information in the Philippines or, even if the processing is outside the Philippines, as long as it is about Philippine citizens or residents such as, but not limited to, the following:
    • a contract is entered in the Philippines;
    • a juridical entity unincorporated in the Philippines but has central management and control in the country; and
    • an entity that has a branch, agency, office, or subsidiary in the Philippines and the parent or affiliate of the Philippine entity has access to personal information; and
  • the entity has other links in the Philippines such as, but not limited to:
    • the entity carries on business in the Philippines; and
    • the personal information was collected or held by an entity in the Philippines.

The Access Devices Regulation Act

Under the Access Devices Regulation Act, the following acts shall constitute access device fraud and are unlawful:

  • producing, using, trafficking in one or more counterfeit access devices;
  • trafficking in one or more unauthorised access devices or access devices fraudulently applied for;
  • using, with intent to defraud, an unauthorised access device;
  • using an access device fraudulently applied for;
  • possessing one or more counterfeit access devices or access devices fraudulently applied for;
  • producing, trafficking in, having control or custody of, or possessing device-making or altering equipment without being in the business or employment, which lawfully deals with the manufacture, issuance, or distribution of such equipment;
  • inducing, enticing, permitting, or in any manner allowing another, for consideration or otherwise, to produce, use, or traffic in counterfeit access devices, unauthorised access devices, or access devices fraudulently applied for;
  • multiple imprinting on more than one transaction record, sales slip, or similar document, thereby making it appear that the device holder has entered into a transaction other than those which said device holder had lawfully contracted for, or submitting, without being an affiliated merchant, an order to collect from the issuer of the access device, such extra sales slip through an affiliated merchant who connives therewith, or under false pretenses of being an affiliated merchant, present for collection such sales slips and similar documents;
  • disclosing any information imprinted on the access device, such as, but not limited to, the account number or name or address of the device holder, without the latter's authority or permission;
  • obtaining money or anything of value through the use of an access device, with intent to defraud or with intent to gain and fleeing thereafter;
  • having in one's possession, without authority from the owner of the access device or the access device company, an access device, or any material, such as slips, carbon paper, or any other medium, on which the access device is written, printed, embossed, or otherwise indicated;
  • writing or causing to be written on sales slips, approval numbers from the issuer of the access device of the fact of approval, where in fact no such approval was given, or where, if given, what is written is deliberately different from the approval actually given;
  • making any alteration, without the access device holder's authority, of any amount or other information written on the sales slip;
  • effecting transaction, with one or more access devices, issued to another person or persons, to receive payment or any other thing of value;
  • without the authorisation of the issuer of the access device, soliciting a person for the purpose of:
    • offering an access device; or
    • selling information regarding or an application to obtain an access device; or
  • without the authorisation of the credit card system member or its agent, causing or arranging for another person to present to the member or its agent, for payment, one or more evidence or records of transactions made by credit card.

The Electronic Commerce Act

The Electronic Commerce Act aims to facilitate domestic and international dealings, transactions, arrangements, agreements, contracts, and exchanges and storage of information through the utilisation of electronic, optical and similar medium, mode, instrumentality, and technology to recognise the authenticity and reliability of electronic data messages or electronic documents related to such activities and to promote the universal use of electronic transactions in the Government and by the general public.

Specifically, the Act shall apply to any kind of electronic data message and electronic document used in the context of commercial and non-commercial activities to include domestic and international dealings, transactions, arrangements, agreements, contracts, and exchanges and storage of information.

The Anti-Photo and Video Voyeurism Act

The Anti-Photo and Video Voyeurism Act prohibits the following acts:

  1. the unconsented taking of a photo or video of a person or group of persons engaged in a sexual act or any similar activity, or capturing an image of the private area of a person, under circumstances in which the said person has a reasonable expectation of privacy;
  2. the copying or reproduction of such photo or video recording of the sexual act;
  3. the selling or distribution of such photo or video recording; and
  4. the publication or broadcasting, whether in print or broadcast media, or the showing of such sexual act or any similar activity through VCD/DVD, the internet, cellular phones, and other similar means or devices without the written consent of the persons featured.

The prohibitions in items 2, 3, and 4 above will still apply even if the person or persons featured in the photo or video consented to the taking of the photo or recording of the sexual act.

3. DEFINITIONS

Information security program

Under the regulations of the BSP, an 'information security program' refers to information security policies, standards and procedures, security operations, technologies, organisational structures, and information security awareness and training programs aimed at protecting a supervised financial institution's information assets and supporting infrastructure from internal and external threats.

Database

Under the Cybercrime Prevention Act, 'database' refers to a representation of information, knowledge, facts, concepts, or instructions which are being prepared, processed, or stored or have been prepared, processed, or stored in a formalised manner and which are intended for use in a computer system.

Cybersecurity incident

Under the Cybercrime Prevention Act, 'cybersecurity' refers to the collection of tools, policies, risk management approaches, actions, training, best practices, assurance, and technologies that can be used to protect the cyber environment and organisation and user's assets. The punishable acts under said law constitute breaches of cybersecurity and are considered as cybercrime offences.

Under the regulations of the BSP, 'information security incident' is defined as a single or a series of unwanted or unexpected information security events that have a significant probability of compromising business operations and threatening the CIA of a supervised financial institution's information or information systems.

The NPC Data Breach Circular defines a 'security incident' as an event or occurrence that affects or tends to affect data protection, or may compromise the CIA of personal data. It shall include incidents that would result in a personal data breach, if not for safeguards that have been put in place.

Under the Data Privacy Act, a 'personal data breach' refers to a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed. A personal data breach may be in the nature of:

  • an availability breach resulting from loss, accidental, or unlawful destruction of personal data;
  • integrity breach resulting from alteration of personal data; and/or
  • a confidentiality breach resulting from the unauthorised disclosure of or access to personal data.

Cybersecurity / information security officer

The Data Privacy Act defines a DPO as an individual designated by the head of agency or organisation to be accountable for its compliance with the Data Privacy Act, the Privacy IRRs, and other issuances of the NPC. The Data Privacy Act further provides that, except where allowed otherwise by law or the NPC, the individual must be an organic employee of the government agency or private entity. A government agency or private entity may have more than one DPO.

Other definitions

Other important definitions include the following:

  • without right: either (i) conduct undertaken without or in excess of authority, or (ii) conduct not covered by established legal defences, excuses, court orders, justifications, or relevant principles under the law;
  • critical infrastructure: the computer systems, and/or networks, whether physical or virtual, and/or the computer programs, computer data, and/or traffic data so vital to the Philippines that the incapacity or destruction of or interference with such system and assets would have a debilitating impact on security, national or economic security, national public health and safety, or any combination of those matters;
  • service provider: any public or private entity that provides users of its service with the ability to communicate by means of a computer system, and any other entity that processes or stores computer data on behalf of such communication service or users of such service;
  • traffic data or non-content data: any computer data other than the content of the communication including, but not limited to, the communication's origin, destination, route, time, date, size, duration, or type of underlying service;
  • personal information: any information from which the identity of an individual is apparent or can be reasonably and directly ascertained, or that, when put together with other information, would directly and certainly identify an individual;
  • sensitive personal information: personal information:
    • about an individual's race, ethnic origin, marital status, age, colour, and religious, philosophical, or political affiliations;
    • about an individual's health, education, genetic or sexual life, or to any proceeding for any offence committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings;
    • issued by government agencies peculiar to an individual, which includes but is not limited to social security numbers, previous or current health records, licences or denials, suspension, or revocation, and tax returns; and
    • specifically established by an executive order or an act of Philippine Congress to be kept classified;
  • information system: applications, services, information technology assets, or other information handling assets; and
  • information and communications system: a system for generating, sending, receiving, storing, or otherwise processing electronic data messages or electronic documents and includes the computer system or other similar device by or which data is recorded, transmitted, or stored and any procedure related to the recording, transmission, or storage of electronic data, electronic message, or electronic document.

4. IMPLEMENTATION OF AN INFORMATION MANAGEMENT SYSTEM/FRAMEWORK

4.1. Cybersecurity training and awareness

Pursuant to the NPC Privacy Toolkit, the NPC requires all PICs and PIPs to, at a minimum, conduct a mandatory, agency/company-wide training on privacy and data protection policies once a year, provided that a similar training shall be provided during all agency personnel orientations.

4.2. Cybersecurity risk assessments

Pursuant to NPC Advisory No. 2017-03: Guidelines on Privacy Impact Assessments, the NPC requires all PICs and PIPs to conduct a PIA for each program, process, or measure within the company that involves personal data.

The PIA shall include the following:

  • a data inventory identifying:
    • the types of personal data held by the company, including records of its own employees;
    • list of all information repositories holding personal data, including their location;
    • types of media used for storing the personal data; and
    • risks associated with the processing of the personal data;
  • a systematic description of the processing operations anticipated and the purposes of the processing, including, where applicable, the legitimate interest pursued by the company;
  • an assessment of the necessity and proportionality of the processing in relation to the purposes of the processing; and
  • an assessment of the risks to the rights and freedoms of data subjects.

The risks identified in the PIA must be addressed by a control framework, which is a comprehensive enumeration of the measures intended to address the risks, including organisational, physical, and technical measures to maintain the CIA of personal data and to protect the personal data against natural dangers, such as accidental loss or destruction, and human dangers, such as unlawful access, fraudulent misuse, unlawful destruction, alteration, and contamination.

The contents of a control framework shall take into account, among others, the following:

  • nature of the personal data to be protected;
  • risks represented by the processing, the size of the organisation, and complexity of its operations;
  • current data privacy best practices; and
  • cost of security implementation.

For agencies or companies that process the personal data records of more than 1,000 individuals, including company personnel, the NPC recommends the use of the ISO/IEC 27002 control set as the minimum standard to assess any gaps in the company's control framework.

4.3. Vendor management

Under the Data Privacy Act, each PIC is responsible for the personal information under its control or custody, including information that has been transferred to a third party for processing, whether domestically or internationally, subject to cross-border arrangement and cooperation. In relation to the foregoing, the PIC is accountable for complying with the requirements of the Data Privacy Act and shall use contractual or other reasonable means to provide a comparable level of protection while the information is being processed by a third party.

Under Rule X of the Privacy IRRs, the personal data processing by a PIP shall be governed by a contract or other legal act that binds the PIP to the PIC. The contract or legal act shall set out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, the obligations and rights of the PIC, and the geographic location of the processing under the subcontracting agreement.

Additionally, the contract or other legal act shall stipulate, in particular, that the PIP shall:

  • process the personal data only upon the documented instructions of the PIC, including transfers of personal data to another country or an international organisation, unless such transfer is authorised by law;
  • ensure that an obligation of confidentiality is imposed on persons authorised to process the personal data;
  • implement appropriate security measures and comply with the Data Privacy Act, the Privacy IRRs, and other issuances of the NPC;
  • not engage another processor without prior instruction from the PIC, provided that any such arrangement shall ensure that the same obligations for data protection under the contract or legal act are implemented, taking into account the nature of the processing;
  • assist the PIC, by appropriate technical and organisational measures and to the extent possible, in fulfilling the obligation to respond to requests by data subjects relative to the exercise of their rights;
  • assist the PIC in ensuring compliance with the Data Privacy Act, the Privacy IRRs, other relevant laws, and other issuances of the NPC, taking into account the nature of processing and the information available to the PIP;
  • at the choice of the PIC, delete or return all personal data to the PIC after the end of the provision of services relating to the processing, provided that this includes deleting existing copies unless storage is authorised by the Data Privacy Act or another law;
  • make available to the PIC all information necessary to demonstrate compliance with the obligations laid down in the Data Privacy Act and allow for and contribute to audits, including inspections, conducted by the PIC or another auditor mandated by the latter; and
  • immediately inform the PIC if, in its opinion, an instruction infringes the Data Privacy Act, the Privacy IRRs, and other issuances of the NPC.

4.4. Accountability/record keeping

Compliance checks

In ensuring compliance with the Data Privacy Act and its related issuances, the NPC may employ any of the following modes of compliance checks:

  • privacy sweep: the NPC shall review a PIC's or PIP's compliance with respect to its obligation under the Data Privacy Act, and its related issuances based on publicly available or accessible information, such as, but not limited to, websites, mobile applications, raffle coupons, brochures, and privacy notices. This is the initial mode of a compliance check;
  • documents submission: the NPC may require the submission of documents and additional information from a PIC or PIP that has undergone a privacy sweep to, among others, clarify certain findings arising therefrom and determine the level of compliance of the PIC or PIP with respect to its obligations under the Data Privacy Act and its related issuances; and
  • on-site visit: the NPC may subject a PIC or PIP to an on-site visit if there are persistent or substantial findings of non-compliance with the obligations indicated in the Data Privacy Act and its related issuances.

Authorised personnel of the NPC shall conduct a targeted inspection within the premises of a PIC or PIP that may include a presentation of documents or records, visits to selected departments wherein processing of personal information is undertaken, as well as interviews of relevant personnel tasked to handle personal information processed by the PIC or PIP subject to the compliance check.

The NPC may, in its discretion, directly employ the on-site visit mode of compliance check if it determines that the totality of circumstances warrants such action, taking into account the following considerations:

  • level of risk to the rights and freedoms of data subjects posed by personal data processing by a PIC or PIP;
  • reports received by the NPC against the PIC or PIP, or its sector;
  • non-registration of a PIC or PIP that is subject to the mandatory registration requirement as provided under NPC Circular 17-01: Registration of Data Processing Systems and Notifications Regarding Automated Decision-Making ('the NPC Registration Circular');
  • unsecured or publicly available personal data found on the internet that may be traced to a PIC or PIP; and
  • other considerations that indicate non-compliance with the Data Privacy Act or the issuances of the NPC.

Record-keeping

The Privacy IRRs require any natural or juridical person or other body involved in the processing of personal data to maintain records that sufficiently describe its data processing system and identify the duties and responsibilities of those individuals who will have access to personal data. Records should include:

  • information about the purpose of the processing of personal data, including any intended future processing or data sharing;
  • a description of all categories of data subjects, personal data, and recipients of such personal data that will be involved in the processing;
  • general information about the data flow within the organisation, from the time of collection, processing, and retention, including the time limits for disposal or erasure of personal data;
  • a general description of the organisational, physical, and technical security measures in place; and
  • the name and contact details of the PIC and, where applicable, the joint controller, its representative, and the compliance officer or DPO, or any other individual or individuals accountable for ensuring compliance with the applicable laws and regulations for the protection of data privacy and security.

Privacy by Default

The Privacy IRRs also require any natural or juridical person or other body involved in the processing of personal data to implement appropriate data protection policies that provide for organisational, physical, and technical security measures and, for such purpose, take into account the nature, scope, context, and purposes of the processing, as well as the risks posed to the rights and freedoms of data subjects. These policies shall implement appropriate security measures that, by default, ensure only personal data which is necessary for the specified purpose of the processing are processed. They shall determine the amount of personal data collected, including the extent of processing involved, the period of their storage, and their accessibility.

Codes of conduct

The NPC has the authority under the Data Privacy Act to review, approve, reject, or require modification of privacy codes voluntarily adhered to by PICs, provided that the privacy codes shall adhere to the underlying data privacy principles embodied in the Data Privacy Act. Such privacy codes may include private dispute resolution mechanisms for complaints against any participating PIC.

5. DATA SECURITY

The NCSP

Under the NCSP, the Government shall manage its risks in the protection of the CII by identifying, analysing, and evaluating risks. Accordingly, the guidelines for implementing the risk management approach shall be formulated by the DICT. Under such guidelines, critical systems and CII owners shall formulate their risk management policies.

The NCSP further provides that the cybersecurity assessment and compliance for the protection of CII shall be composed of three levels:

  • protection assessment (inventory level);
  • security assessment (readiness); and
  • compliance to cyber risks to CII (voluntary).

In relation to CII, other than compliance with information security standards as provided under DICT Memorandum Circular No. 005, all CIIs are required to participate in the conduct of risk and vulnerability assessment by the DICT, as well as security assessment, at least once a year. The risk and vulnerability assessment includes the overall process of identification, analysis, and evaluation of weaknesses of an asset or control that can be exploited by one or more threats. The security assessment includes security evaluation of operational systems. For further information on CII protection, see section 11 below.

The NCERT published an article titled 'Secure your digital assets from cyberattacks,' discussing tips to prevent or minimise loss during a cyberattack, including:

  • eliminate the risks;
  • patch management of digital assets;
  • invest in cybersecurity solutions;
  • training for employees;
  • reviewing third-party capabilities and support;
  • utilising protection solutions on the web; and
  • defining procedures and actions to be taken and identifying the priorities during an attack, which includes maintaining an updated list of who to contact (ISP, law enforcement agencies, third-party providers, etc.).

The Data Privacy Act

The Data Privacy Act requires PICs to employ reasonable and appropriate organisational, physical, and technical measures to protect the security of personal information. At a minimum, these measures should include:

  • anti-computer hacking safeguards;
  • a security policy;
  • a process for preventing and mitigating security breaches;
  • contractual or other reasonable data protection arrangements with third-party contractors; and
  • the appointment of an information security officer who will ensure the entity's compliance with the Data Privacy Act.

Organisational security measures

The Privacy IRRs provide that, where appropriate, PICs and PIPs shall comply with the following guidelines for organisational security:

  • designate an individual or individuals who shall function as DPO(s), compliance officer(s), or otherwise be accountable for ensuring compliance with applicable laws and regulations for the protection of data privacy and security;
  • implement appropriate data protection policies that provide for organisational, physical, and technical security measures and which take into account the nature, scope, context, and purposes of the processing, as well as the risks posed to the rights and freedoms of data subjects;
  • maintain records that sufficiently describe their data processing system and identify the duties and responsibilities of those individuals who will have access to personal data;
  • be responsible for selecting and supervising their employees, agents, or representatives, particularly those who will have access to personal data. The said employees, agents, or representatives shall operate and hold personal data under strict confidentiality if the personal data are not intended for public disclosure. Moreover, there shall be capacity building, orientation, or training programmes for such employees, agents, or representatives regarding privacy or security policies;
  • develop, implement, and review procedures for the collection of personal data, for obtaining consent, for limiting the processing of data, for access management, system monitoring, and protocols to follow during security incidents or technical problems, for data subjects to exercise their rights under the Data Privacy Act, and for data retention schedule; and
  • the PIC, through appropriate contractual agreements, shall ensure that its PIPs, where applicable, shall also implement the security measures required by the Data Privacy Act and the Privacy IRRs. It shall only engage those PIPs that provide sufficient guarantees to implement appropriate security measures and ensure the protection of the rights of the data subject.

Physical security measures

Moreover, the Privacy IRRs likewise provide that, where appropriate, PICs and PIPs shall also comply with the following guidelines for physical security:

  • implement policies and procedures to monitor and limit access to activities in the room, workstation, or facility, including guidelines that specify the proper use of and access to electronic media;
  • ensure that the design of the office space and work stations, including the physical arrangement of furniture and equipment, shall provide privacy to anyone processing personal data;
  • identify the duties, responsibilities, and schedule of individuals involved in the processing of personal data to ensure that only individuals actually performing official duties shall be in the room or work station at any given time;
  • implement policies and procedures regarding the transfer, removal, disposal, and re-use of electronic media in order to ensure appropriate protection of personal data; and
  • establish policies and procedures that prevent the mechanical destruction of files and equipment. Furthermore, the room and work station used in the processing of personal data shall, as far as practicable, be secured against natural disasters, power disturbances, external access, and other similar threats.

Technical security measures

Lastly, the Privacy IRRs also provide that, where appropriate, PICs and PIPs shall adopt and establish the following technical security measures:

  • a security policy with respect to the processing of personal data;
  • safeguards to protect their computer network against accidental, unlawful, or unauthorised usage;
  • the ability to ensure and maintain the CIA and resilience of their processing systems and services;
  • regular monitoring for security breaches, development of a process both for identifying and assessing reasonably foreseeable vulnerabilities in their computer networks, and taking preventive, corrective, and mitigating action against security incidents that can lead to a personal data breach;
  • the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
  • a process for regularly testing, assessing, and evaluating the effectiveness of security measures; and
  • encryption of personal data during storage and while in transit, authentication process, and other technical security measures that control and limit access.

The NPC Government Security Circular

Section 4 of NPC Circular No. 16-01: Security of Personal Data in Government Agencies ('the NPC Government Security Circular') enumerates the following general obligations of a government agency involved in personal data processing:

  • through its head of the agency, designate a DPO;
  • conduct a PIA for each program, process, or measure within the agency that involves personal data, provided, that such assessment shall be updated as necessary;
  • create privacy and data protection policies, taking into account the PIAs, as well as Sections 25 to 29 of the Privacy IRRs;
  • conduct mandatory, agency-wide training on privacy and data protection policies once a year, provided that a similar training shall be provided during all agency personnel orientations;
  • register its data processing systems with the NPC in cases where the processing involves personal data of at least 1,000 individuals, taking into account Sections 46 to 49 of the Privacy IRRs; and
  • cooperate with the NPC when the agency's privacy and data protection policies are subjected to review and assessment, in terms of their compliance with the requirements of the Data Privacy Act, the Privacy IRRs, and all issuances by the NPC.

In addition, government agencies are required to encrypt all personal data that are digitally processed, whether at rest or in transit. For this purpose, the NPC recommends the use of the Advanced Encryption Standard with a key size of 256 bits (AES-256) as the most appropriate encryption standard.

The NPC Data Breach Circular

Section 6 of the NPC Data Breach Circular enumerates the preventive or minimisation measures that shall be included in the security incident management policy of a PIC or PIP. The safeguards may include the following:

  • conduct of a PIA to identify attendant risks in the processing of personal data. It shall take into account the size and sensitivity of the personal data being processed, as well as the impact and likely harm of a personal data breach;
  • data governance policy that ensures adherence to the principles of transparency, legitimate purpose, and proportionality;
  • implementation of appropriate security measures that protect the CIA of personal data being processed;
  • regular monitoring for security breaches and vulnerability scanning of computer networks;
  • capacity building of personnel to ensure knowledge of data breach management principles, and internal procedures for responding to security incidents; and
  • procedure for the regular review of policies and procedures, including the testing, assessment, and evaluation of the effectiveness of the security measures.

6. NOTIFICATION OF CYBERSECURITY INCIDENTS

DICT Memorandum Circular No. 005

DICT Memorandum Circular No. 005 provides that all cybersecurity incidents shall be reported to the NCERT within 24 hours from detection. Information sharing shall be done through an established communication protocol using, at a minimum, the Traffic Light Protocol. The DICT CERT Manual provides that all external communication and notification from the NCERT shall be approved by the Cybersecurity Bureau of the DICT.

The Data Privacy Act

Under the NPC Data Breach Circular, notification is required upon knowledge or reasonable belief of a security breach that meets all of the following conditions:

  • the security breach involves sensitive personal information or information that may be used to enable identity fraud;
  • there is a reason to believe that information has been acquired by an unauthorised person; and
  • such unauthorised acquisition is likely to give rise to a real risk of serious harm to the affected data subject.

The notification is to be done by the PIC even if the processing is outsourced or subcontracted to the PIP. Within 72 hours of knowledge or reasonable belief of the personal data breach, the PIC should notify the NPC. Notification to the data subjects or individuals involved should also be done within the same period unless there is reason to postpone or omit notification, subject to the approval of the NPC. The notification should contain the nature of the breach, the personal information possibly involved, measures taken by the entity to address the breach, and the contact details of the PIC.

The notification to the data subject should contain the same contents along with instructions on how the data subject may get further information and recommendations to minimise risks resulting from the breach. All security incidents and personal data breaches shall be documented through written reports, including those not covered by the notification requirements, and submitted to the NPC on an annual basis.

The Anti-Child Pornography Act

The Anti-Child Pornography Act requires all ISPs to notify law enforcement authorities within seven days from obtaining facts and circumstances that any form of child pornography is being committed using its server or facility. Similarly, internet content hosts are also mandated to report the presence of any form of child pornography to the proper authorities within the same period.

7. REGISTRATION WITH AUTHORITY

Under the Privacy IRRs and the NPC Registration Circular, a PIC or PIP shall register with the NPC if it is processing personal data and operating in the country under any of the following conditions:

  • the PIC or PIP employs at least 250 employees;
  • the processing includes sensitive personal information of at least 1,000 individuals; or
  • the PIC or PIP belongs to any of the industries or business sectors listed in the NPC Registration Circular as subject to mandatory registration.

However, even if a PIC or PIP does not meet the requirements above, registration may still be done on a voluntary basis.

The contents of registration shall include the following:

  • name and address of the PIC/PIP, and of its representative, if any, including their contact details, purpose or purposes of the processing, and whether the processing is being done under an outsourcing or subcontracting agreement;
  • a description of the category or categories of data subjects, and the data or categories of data relating to them;
  • a brief description of the data processing system, and recipients or categories of recipients to whom the data might be disclosed; and
  • a general description of privacy as well as security measures for data protection, among others.

The registration process, both mandatory and voluntary, is outlined in the NPC Registration Circular which provides that a PIC or PIP shall register through the NPC's official website in two phases, namely:

  • phase I: a PIC or PIP, through its DPO, shall accomplish the prescribed application form, and submit the same to the NPC, together with all supporting documents. Upon review and validation of the submission, the NPC shall provide the PIC or PIP via email an access code, which shall allow it to proceed to phase II of the registration process; and
  • phase II: using the access code, a PIC or PIP shall proceed to the online registration platform and provide all relevant information regarding its data processing systems. The NPC shall notify the PIC or PIP via email to confirm the latter's successful completion of the registration process, provided that registration may be done in person at the office of the NPC in the event that online access is not available. After registration, a certificate of registration shall be issued by the NPC.

Registration with the NPC must be done on an annual basis. Any amendments or updates to a PIC/PIP's registration information, including the addition of data processing systems, must be reported to the NPC within two months from the effective date of the change.

8. APPOINTMENT OF A SECURITY OFFICER

A PIC or PIP shall designate an individual or individuals who shall function as a DPO. The DPO shall be accountable for ensuring compliance by the PIC or PIP with the Data Privacy Act, the Privacy IRRs, issuances by the NPC, and other applicable laws and regulations relating to privacy and data protection. NPC Advisory No. 2017-01: Designation of Data Protection Officers clarified that the designation of a DPO by a PIC or PIP is mandatory.

9. SECTOR-SPECIFIC REQUIREMENTS

Financial services

Digital asset exchange

The Securities and Exchange Commission ('SEC') is currently reviewing the Draft Rules on Digital Asset Exchange released in 2019 ('the Draft Rules'). Under the proposed rules, the Digital Asset Exchange should:

  • implement a written cybersecurity policy giving due consideration to the frequency, magnitude, and cost of cybersecurity incidents;
  • inform investors about material cybersecurity risks and incidents in a timely manner;
  • have processes in place to enable them to disclose, prior to entering into an initial transaction, all material risks to their clients in a clear, fair, and not misleading manner; and
  • conduct a detailed analysis of the risks in connection with its products, services, as well as activities, and continuously update this analysis and the resultant disclosures.

The Draft Rules also propose the designation of a chief information security officer ('CISO') who shall oversee and implement a 'Digital Asset Exchange Cyber Security Program' and enforce its cybersecurity policy, with the responsibility of formulating the policies to implement sections on cybersecurity, including an information security strategic plan and an information security program.

BCM

Under BSP Circular No. 951 Guidelines On Business Continuity Management (2017), financial institutions are required to adopt a business continuity management ('BCM') framework which includes five phases, representing a continuous cycle:

  • business impact analysis/risk assessment;
  • strategy formulation;
  • plan development;
  • plan testing; and
  • personnel training and plan maintenance.

Matters such as pandemic planning, cyber resilience, information security, interdependencies, liquidity risk management, project management, problem management, outsourcing, and insurance must also be considered in the BCM process. BSP Memorandum No. M-2019-017 reiterates the need for financial institutions to have a collective, coordinated cyber response through information sharing and collaboration through participation in the Cybersecurity Incident Database of the Bankers Association of the Philippines.

In addition, please also refer to the discussions above on the BSP's issuances on the use of cloud services and offshore outsourcing, as well as the reportorial requirements in relation to supervised financial institutions.

Cyber-risk reporting

Under BSP Circular No. 1019 Technology and Cyber-Risk Reporting and Notification Requirements (2018) ('BSP Circular No. 1019'), supervised financial institutions are required to submit periodic reports and event-driven reports. The periodic report consists of an annual IT profile to be submitted within 25 calendar days from the end of the reference year.

As for event-driven reports, supervised financial institutions are required to notify the BSP upon discovery of any of the following:

  • reportable major cyber-related incidents, defined as all events which may seriously jeopardise the confidentiality, integrity, or availability of critical information, data, or systems of supervised financial institutions; and
  • disruptions of financial services and operations, including disruption of critical operations which last for more than two hours due to threats (causes include fire, typhoon, pandemics, etc.).

The compliance officer and/or designated officer of the financial institution shall notify the appropriate supervising department of the BSP within two hours following the discovery of the incident, disclosing, at the minimum, the nature of the incident and the specific system or business function involved. Within 24 hours from the time of discovery of the incident, a follow-up report should be sent to the BSP specifying more information regarding the incident.

BSP Circular No. 1019 clarifies that security events or attacks which are normally prevented by security systems or devices need not be reported to the BSP, except if the same involves significant financial value and/or a multitude of customer accounts beyond the financial institution's reasonable threshold levels.

Health

Under the Data Privacy Act, sensitive personal information includes personal information about an individual's health, education, genetic, or sexual life, as well as their previous or current health records. Accordingly, the processing of such information is prohibited, except in limited instances, such as when the data subject has given consent, where the processing is provided for by existing laws and regulations, for the protection of the life and health of the data subject or another person, and when the data subject is not legally or physically able to express his or her consent prior to the processing, among others.

Based on NPC Advisory Opinion No. 2019-010: Access to Employee 201 Files and Medical Records ('NPC Advisory Opinion No. 2019-010'), medical records, as well as charges of health maintenance organisations, hospital billings, itemised hospital charges, and other medical-related expenses, may still be considered part of a data subject's health records because these may expose relevant information relating to the data subject's health.

In view of the COVID-19 ('Coronavirus') outbreak and the increase in the number of data breach reports, mostly regarding the disclosure of personal and sensitive personal information online or through digital platforms, the NPC released NPC PHE Bulletin No. 3: Collect What is Necessary, Disclose Only To The Proper Authority, containing frequently asked questions on the collection and processing of personal data during the Coronavirus pandemic. Under this issuance, the NPC stated that data protection and privacy should not hinder the government from collecting, using, and sharing personal information during this time of public health emergency, and that, at the same time, the law does not limit public health authorities from using available technology and databases. The NPC also highlighted the principle of proportionality, that is, collecting only what is necessary and disclosing only to the proper authority.

The NPC and the Department of Health ('DOH') released Joint Memorandum Circular No. 2020-0002: Privacy Guidelines on the Processing and Disclosure of COVID-19 Related Data for Disease Surveillance and Response. The issuance provides that the processing of personal health information of Coronavirus cases and identified close contacts shall only be to the extent necessary for the purposes outlined in the Joint Memorandum, highlighting the use of the data for policy, investigation, coordination, response, and intervention measures. The processing of personal health information of Coronavirus cases and identified close contacts shall be allowed in any of the following cases:

  • processing by health authorities pursuant to a constitutional or statutory mandate;
  • processing by a health care provider if necessary for the purposes of case investigation and management, contact tracing, mandatory reporting, etc.;
  • processing by DOH partner agencies and their authorised personnel pursuant to a data sharing agreement; and
  • processing where the personal information is pseudonymised or anonymised.

Disclosure shall be limited to the authorised entities, officers, personnel, and concerned individuals only. The information which may be disclosed for a legitimate purpose includes aggregate or pseudonymised/anonymised detailed health information, and mandatory reporting requirements to public health authorities and DOH partner agencies.

All ICT solutions and technologies used for the collection and processing of such personal health information shall be registered with the NPC and must comply with the DOH Coronavirus surveillance and response protocols and data requirements. Interested developers and implementers of these ICT solutions and technologies should also be registered with the NPC and shall follow the minimum ICT standards set by the DICT and Knowledge Management and Information Technology Service of the DOH.

The NPC Circular 2021-02 – Guidelines on the Processing of Personal Data during Public Health Emergencies for Public Health Measures applies to all PICs and PIPs engaged in the processing of personal data during the COVID-19 pandemic within the general framework of the necessary public health measures and all future public health emergencies.

PICs engaged in data processing during the COVID-19 pandemic are required to submit to the NPC a complete list of all the Contact Tracing Applications ('CTAs') and Vaccine Card Systems which they operate. The Circular also requires that personal data collected through CTAs be stored only for a limited period and be disposed of properly after thirty (30) days from the date of collection. The retention period for Vaccine Card Systems and the DOH central database of vaccinations shall be governed by the appropriate law or DOH regulation on the matter.

Telecommunications

Transportation, energy, water, health, emergency services, banking and finance, business process outsourcing, telecommunications, media, and government sectors are considered CII and are required to observe the information security standards imposed by the DICT. DICT Memorandum Circular No. 005 prescribes policies and rules on CII protection based on the NCSP. Aside from requiring compliance with international standards, the said Memorandum Circular requires telecommunications operators and ISPs to practise cyber hygiene on their networks.

Telecommunications networks, internet service providers, and other entities or organisations providing similar services are required to register with the NPC within two months from the start of operations.

For further information on CII protection, see section 11 below.

Employment

In NPC Advisory Opinion No. 2019-010, the NPC acknowledged that companies are required to submit reportorial documents to different regulating agencies and bodies, including the SEC, the Bureau of Internal Revenue, and, in the case of publicly-listed companies, the Philippine Stock Exchange. The processing of employees' personal information in the preparation of such reports, to the extent that these reports are required under law or regulation and are necessary for compliance with the company's legal obligations, is allowed under the Data Privacy Act.

NPC Advisory Opinion No. 2019-010 referenced the NPC Government Security Circular and clarified that, while this circular relates to government bodies and entities, it nevertheless serves as a benchmark for privacy best practices in the private sector. The Opinion indicates that, in the given situation, a company must establish access controls, in particular by granting only limited authority to access personal data. The NPC Government Security Circular provides that a government agency (or, in the context of the Opinion, the private employer) shall strictly regulate access to personal data under its control or custody, granting access to agency personnel (employees) only when necessary and through the issuance of a security clearance by the head of the agency (the proper authority), and requiring the adoption of policies and procedures for the protection of personal data.

The NPC released NPC PHE Bulletin No. 12: Protecting Personal Data in a Work From Home Arrangement and NPC PHE Bulletin No. 14: Updated Frequently Asked Questions ('NPC PHE Bulletin No. 14') to address issues arising from work from home arrangements and other forms of telecommuting, as well as return-to-work protocols. Highlights of the guidelines on telecommuting include providing employees with authorised information and communications technology assets that have the proper configuration and security updates, and the necessity of an 'Acceptable Use Policy' that defines allowable personal uses of ICT assets, access control, user authentication, and network security, among others.

NPC PHE Bulletin No. 14, with reference to NPC Advisory Opinion No. 2018-048, clarifies that monitoring an employee's activities when he or she is using an office-issued computer may be allowed under the Data Privacy Act, provided that the processing falls under any of the criteria for lawful processing. Notably, less privacy-intrusive means of monitoring should be considered rather than excessive or disproportionate means such as tracking mouse movements, recording keystrokes, taking random photos of the computer screen, enabling webcams to take a picture of the employee, etc. Pursuant to the principle of proportionality, employers may not require employees to stay on video during business hours or while doing overtime work. Employers can secure personal data processing systems by providing proper ICT equipment and support facilities and mechanisms.

Education

Not applicable.

Insurance

Insurance companies and agents are required under the Insurance Code of 1974 (Presidential Decree No. 612, as amended by Republic Act No. 10607) and the Market Conduct Guidelines (2013) to ensure the protection of their clients' personal information. They are also prohibited from discussing, disclosing, or otherwise utilising such information with any other person outside of the company. The privacy policy statement must be made clear to their customers/clients and made easily accessible to them.

Under the Bill of Rights of Policyholders (2016), policyholders are protected from unauthorised disclosure of personal, financial, and other confidential information by insurance companies, intermediaries, and soliciting agents, except as otherwise allowed by law, regulations, or valid court or government order.

Providers of insurance undertakings, including life and non-life companies, pre-need companies, and insurance brokers are required to register with the NPC within two months from the start of operations.

10. PENALTIES

The Data Privacy Act

The Data Privacy Act sets forth a detailed schedule of penalties, which include both imprisonment and fines, for violations of the Data Privacy Act. The penalties for violations of the Data Privacy Act in relation to cybersecurity include the following:

  • the unauthorised processing of personal information shall be penalised by imprisonment ranging from one year to three years and a fine of not less than PHP 500,000 (approx. €8,500) but not more than PHP 2 million (approx. €34,000);
  • the unauthorised processing of sensitive personal information shall be penalised by imprisonment ranging from three years to six years and a fine of not less than PHP 500,000 but not more than PHP 4 million (approx. €68,045);
  • the processing of personal information for unauthorised purposes shall be penalised by imprisonment ranging from one year and six months to five years and a fine of not less than PHP 500,000 but not more than PHP 1 million (approx. €17,000);
  • the processing of sensitive personal information for unauthorised purposes shall be penalised by imprisonment ranging from two years to seven years and a fine of not less than PHP 500,000 but not more than PHP 2 million;
  • the penalty for unauthorised access or intentional breach consists of imprisonment ranging from one year to three years and a fine of not less than PHP 500,000 but not more than PHP 2 million; and
  • the penalty for concealment of security breaches involving sensitive personal information consists of imprisonment of one year and six months to five years and a fine of not less than PHP 500,000 but not more than PHP 1 million.

If the offender is a corporation, partnership, or any juridical person, the penalty shall be imposed upon the responsible officers, as the case may be, who participated in, or by their gross negligence allowed, the commission of the crime. If the offender is a juridical person, the court may suspend or revoke any of its rights under the Data Privacy Act. If the offender is an alien, they shall, in addition to the penalties herein prescribed, be deported without further proceedings after serving the penalties prescribed. The maximum penalty shall be imposed when the personal information of at least 100 persons is harmed, affected, or involved in the commission of the offences.

Notably, the Data Privacy Act provides that restitution for any aggrieved party shall be governed by the provisions of the Civil Code of the Philippines (Republic Act No. 386), a remedy that is civil in character.

The Cybercrime Prevention Act

The following punishable acts under the Cybercrime Prevention Act constitute breaches of cybersecurity and are considered cybercrime offences:

  • offences against the CIA of computer data and systems:
    • illegal access: the access to the whole or any part of a computer system without right;
    • illegal interception: the interception made by technical means without right of any non-public transmission of computer data to, from, or within a computer system including electromagnetic emissions from a computer system carrying such computer data;
    • data interference: the intentional or reckless alteration, damaging, deletion, or deterioration of computer data, electronic document, or electronic data message, without right, including the introduction or transmission of viruses;
    • system interference: the intentional alteration or reckless hindering or interference with the functioning of a computer or computer network by inputting, transmitting, damaging, deleting, deteriorating, altering, or suppressing computer data or program, electronic document, or electronic data message, without right or authority, including the introduction or transmission of viruses;
    • misuse of devices:
      • the use, production, sale, procurement, importation, distribution, or otherwise making available, without right, of:
        • a device, including a computer program, designed or adapted primarily for the purpose of committing any of the offences under the Cybercrime Prevention Act; or
        • a computer password, access code, or similar data by which the whole or any part of a computer system is capable of being accessed, with intent that it be used for the purpose of committing any of the offences under the Cybercrime Prevention Act; and
      • the possession of an item referred to in Section (4)(5)(i)(aa) or (bb) of the Cybercrime Prevention Act with intent to use said devices for the purpose of committing any of the offences under Section 4 of the Cybercrime Prevention Act; and
    • cyber-squatting: the acquisition of a domain name over the internet in bad faith to profit, mislead, destroy reputation, and deprive others from registering the same, if such a domain name is:
      • similar, identical, or confusingly similar to an existing trademark registered with the appropriate government agency at the time of the domain name registration;
      • identical or in any way similar with the name of a person other than the registrant, in case of a personal name; and
      • acquired without right or with intellectual property interests in it;
  • computer-related offences:
    • computer-related forgery:
      • the input, alteration, or deletion of any computer data without right resulting in inauthentic data with the intent that it be considered or acted upon for legal purposes as if it were authentic, regardless whether or not the data is directly readable and intelligible; or
      • the act of knowingly using computer data which is the product of computer-related forgery as defined herein, for the purpose of perpetuating a fraudulent or dishonest design;
    • computer-related fraud: the unauthorised input, alteration, or deletion of computer data or program or interference in the functioning of a computer system, causing damage thereby with fraudulent intent, provided that if no damage has yet been caused, the penalty imposable shall be one degree lower;
    • computer-related identity theft: the intentional acquisition, use, misuse, transfer, possession, alteration, or deletion of identifying information belonging to another, whether natural or juridical, without right, provided that if no damage has yet been caused, the penalty imposable shall be one degree lower; and
  • content-related offences:
    • cybersex: the willful engagement, maintenance, control, or operation, directly or indirectly, of any lascivious exhibition of sexual organs or sexual activity, with the aid of a computer system, for favour or consideration;
    • child pornography: the unlawful or prohibited acts defined and punishable by the Anti-Child Pornography Act, committed through a computer system, provided that the penalty to be imposed shall be one degree higher than that provided for in Anti-Child Pornography Act;
    • unsolicited commercial communications: the transmission of commercial electronic communication with the use of computer systems which seeks to advertise, sell, or offer for sale products and services is prohibited unless:
      • there is prior affirmative consent from the recipient; or
      • the primary intent of the communication is for service and/or administrative announcements from the sender to its existing users, subscribers or customers; or
      • the following conditions are present:
        • the commercial electronic communication contains a simple, valid, and reliable way for the recipient to reject the receipt of further commercial electronic messages (opt-out) from the same source;
        • the commercial electronic communication does not purposely disguise the source of the electronic message; and
        • the commercial electronic communication does not purposely include misleading information in any part of the message in order to induce the recipients to read the message; and
    • libel: the unlawful or prohibited acts of libel as defined in Article 355 of the Revised Penal Code (Republic Act No. 3815) (as amended) ('the Revised Penal Code'), committed through a computer system or any other similar means which may be devised in the future.

The Cybercrime Prevention Act provides that those found guilty of offences against the CIA of computer data and systems and computer-related offences shall suffer the penalty of imprisonment for six years and one day to 12 years, or a fine of at least PHP 200,000 (approx. €3,360) up to a maximum amount commensurate to the damage incurred, or both. For those found guilty of misuse of devices, the same period for imprisonment applies, as well as a fine of not more than PHP 500,000 (approx. €8,400).

When offences against the CIA of computer data and systems are committed against critical infrastructure, the offender shall suffer the penalty of imprisonment between 12 years and one day and 20 years, or a fine of at least PHP 500,000 (approx. €8,400) up to a maximum amount commensurate to the damage incurred, or both.

Any person found guilty of the punishable acts classified as 'cybersex' shall be punished with imprisonment for six years and one day to 12 years, or a fine of at least PHP 200,000 (approx. €3,360) but not exceeding PHP 1 million (approx. €16,800), or both.

Any person found guilty of any of the punishable acts classified as child pornography shall be punished with the penalties as enumerated in the Anti-Child Pornography Act. If committed through a computer system, the penalty to be imposed shall be one degree higher.

Any person found guilty of aiding or abetting the commission of a cybercrime, or of attempting to commit one, shall be punished with imprisonment one degree lower than the penalty prescribed for the offence, or a fine of at least PHP 100,000 (approx. €1,680) but not exceeding PHP 500,000 (approx. €8,400), or both.

Under the Cybercrime Prevention Act, corporate liability attaches to a juridical person if the punishable acts were committed on its behalf or for its benefit, including instances where the punishable acts were made possible due to the lack of supervision or control by a natural person acting under the authority of the juridical person. The juridical person shall be held liable for a fine equivalent to at least double the fines imposable under the Revised Penal Code and other applicable laws, up to a maximum of PHP 5 million (approx. €84,010). The liability imposed on the juridical person shall be without prejudice to the criminal liability of the natural person who committed the offence.

11. OTHER AREAS OF INTEREST

Notable incidents

In the Bangladesh Bank Robbery in 2016, $81 million of the $101 million successfully transferred was traced to accounts in the Philippines. Hackers issued fraudulent instructions through the Society for Worldwide Interbank Financial Telecommunication ('SWIFT') payment messaging system to illegally transfer close to $1 billion from the account belonging to the Bangladesh Bank at the Federal Reserve Bank of New York. In 2019, a former manager of the Rizal Commercial Banking Corporation, the Philippine bank in which the money was deposited, was convicted and sentenced to imprisonment for money laundering.

In 2016, the server hosting the Philippine voters' database was hacked and the data was subsequently leaked onto the internet, including 1.3 million passport numbers of overseas Filipino workers. The incident is considered the biggest private data leak in Philippine history. According to a security firm, the incident left 55 million registered voters at risk. The NPC recommended the prosecution of the then Chairman of the Commission on Elections for violations of the Data Privacy Act. In 2020, the cybercrime charges against the alleged hacker of the voters' database were dismissed by the court for the prosecution's failure to prove guilt beyond reasonable doubt.

CII operators

According to DICT Memorandum Circular No. 005, government agencies are ordered to adopt the Code of Practice for Information Security Controls stipulated in ISO/IEC 27002, while the Philippine National Standard ('PNS') on Information Security Management Systems ('ISMS'), ISO/IEC 27001, shall be implemented for mandatory compliance by all CII operators.

CII refers to the computer systems, and/or networks, whether physical or virtual, and/or computer programs, computer data, and/or traffic data that are vital to the Philippines, and the incapacity or destruction of, or interference with, such systems and assets would have a debilitating impact on national or economic security, national health and safety, or any combination of those matters.

The following are the sectors classified as CIIs (DICT Memorandum Circular No. 005):

  • government;
  • transportation (land, sea, air);
  • energy;
  • water;
  • health;
  • emergency services;
  • banking and finance;
  • business process outsourcing;
  • telecommunications; and
  • media.

In addition to the implementation of the PNS on ISMS discussed above, Memorandum Circular No. 005 also requires all CIIs to participate, at least once a year, in the risk and vulnerability assessment conducted by the DICT, as well as to undergo a security assessment. Each identified CII is mandated to:

  • create its own CERT;
  • secure a Certificate of CyberSecurity Compliance to be issued by the DICT; and
  • include a disaster recovery plan and business continuity plan as part of their ICT programs.

All CIIs' websites shall obtain the Seal of Cybersecurity ('SCS') from the DICT.

Cloud computing services

Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.

The five essential characteristics of the cloud model include (DICT Department Circular No. 2017-002 ('DC No. 2017-002')):

  • on-demand self-service;
  • broad network access;
  • resource pooling;
  • rapid elasticity; and
  • measured service.

There is no general legislation discussing the requirements for cloud computing services in relation to private entities. However, DC No. 2017-002 discusses the policy of the government to adopt a 'cloud first' approach and for government departments and agencies to consider cloud computing solutions as a primary part of their infostructure planning and procurement.

The accreditation process for Cloud Service Providers ('CSPs') to be listed in the Philippine Government Cloud ('GovCloud') includes compliance with the baseline and optional security assurance requirements. There are also baseline encryption requirements for government workloads before being deployed on an accredited GovCloud CSP. In addition, government CSPs should provide logical security audits on data access, including logs and audit trails to ensure the prescribed security and privacy requirements are met.

In relation to data privacy and security, the Data Privacy Act applies to PICs who, although not found or established in the Philippines, use equipment that is located in the Philippines, or who maintain an office, branch, or agency in the Philippines.

Under BSP Circular No. 808 Guidelines on Information Technology Risk Management for All Banks and Other BSP Supervised Institutions (2013) ('BSP Circular No. 808'), financial institutions are permitted to use public clouds only for non-core banking operations. On the other hand, the use of private clouds is permitted subject to the rules on outsourcing. Appendix 75e of BSP Circular No. 808 provides guidelines on IT outsourcing ('the IT Outsourcing Guidelines') which require the conduct of a risk assessment of the criticality of the services to be outsourced, and the capability of the service provider. Financial institutions should conduct proper due diligence as to the provider's financial soundness, reputation, technical skills, and capacity. BSP Circular No. 899 Amendments to the Guidelines on Outsourcing (2016) amended the IT Outsourcing Guidelines, providing that offshore outsourcing is permitted only when the service provider operates in jurisdictions that uphold privacy and confidentiality.

Digital service providers

As noted in section 3 above, under the Cybercrime Prevention Act, a 'service provider' refers to:

  • any public or private entity that provides to users of its service the ability to communicate by means of a computer system; and
  • any other entity that processes or stores computer data on behalf of such communication service or users of such service.

The Cybercrime Prevention Act provides that service providers are required to cooperate with and assist law enforcement authorities in the collection or recording, with due cause, of traffic data in real time associated with specified communications transmitted by means of a computer system. Traffic data and subscriber information relating to communication services provided by a service provider shall be preserved for a minimum period of six months from the date of the transaction, and content data for a minimum period of six months from the date of receipt of an order from law enforcement authorities requiring its preservation. The service provider ordered to preserve computer data shall keep confidential the order and its compliance with it.

Upon securing a court warrant, law enforcement authorities shall issue an order requiring any person or service provider to disclose or submit subscriber's information, traffic data, or relevant data in its possession or control within 72 hours from receipt of the order, provided that this is in relation to a valid complaint officially docketed and assigned for investigation and that the disclosure is necessary and relevant for the purpose of investigation.

Legal bases under the Data Privacy Act

Under the Data Privacy Act, personal information may only be processed if:

  • the data subject has given his or her consent;
  • the processing of personal information is necessary and is related to the fulfilment of a contract with the data subject or in order to take steps at the request of the data subject prior to entering into a contract;
  • the processing is necessary for compliance with a legal obligation to which the PIC is subject;
  • the processing is necessary to protect vitally important interests of the data subject;
  • the processing is necessary in order to respond to a national emergency, to comply with the requirements of public order and safety, or to fulfil functions of public authority; or
  • the processing is necessary for the purposes of the legitimate interests of the PIC or by a third party or parties to whom the data is disclosed.

On the other hand, processing of sensitive personal information is only allowed if:

  • the employee has given his or her consent;
  • the processing is provided for by existing law, in case the employee's consent is not required by such law;
  • it is necessary to protect the life and health of the employee or another person, and the employee is not legally or physically able to express his or her consent prior to the processing;
  • it is necessary to achieve the lawful and non-commercial objectives of public organisations and associations, provided that the same is limited only to their members and prior consent was obtained;
  • it is carried out by a medical practitioner or a medical treatment institution and necessary for purposes of medical treatment; and
  • it is necessary for the protection of lawful rights and interests of natural or legal persons in court proceedings, or for the establishment, exercise, or defence of legal claims, or when provided to government or public authority.

Divina Ilas-Panganiban, Partner
Neonette Pascual, Senior Associate
Quisumbing Torres, Manila