In its very first case since being formally organized last year, the National Privacy Commission (NPC) showed its muscles as it released its decision finding the Commission on Elections (Comelec) and its chair Andres D. Bautista criminally liable for the massive breach of the voter database in March last year.
At a press conference in Quezon City on Thursday, Jan. 5, the NPC read out its Dec. 28, 2016 decision which found that the poll body and Bautista violated the provisions of the Data Privacy Act of 2012.
The privacy commission, composed of commissioner Raymund Liboro and deputy commissioners Dondi Mapa and Ivy Patdu, also recommended the filing of criminal charges against Bautista for his “gross negligence” as head of the Comelec.
The NPC, however, did not find enough evidence to indict Comelec officials Robert Christian Lim, Al Parreno, Jose Tolentino Jr., James Jimenez, Ferdinand de Leon, Jeannie Flororita, and Eden Bolo for violations of the Data Privacy Act.
Patdu, a lawyer-physician, said they have forwarded the decision to the Department of Justice, which will now conduct its own investigation to determine whether there is probable cause to elevate the case to the proper courts.
The hacking, which came to be known as “Comeleak”, exposed the personal data of about 75 million registered voters. No biometric information was included in the breach, however.
In its decision, the NPC underscored Bautista’s “lack of appreciation” of the principle that data protection is more than just implementation of security measures.
“Data privacy is more than the deployment of technical security; it also includes the implementation of physical and organizational measures, as well as regular review, evaluation, and updating of Comelec’s privacy and security policies and practices,” the decision read.
However, Bautista said in a separate press briefing that he will ask the Office of the Solicitor General to file a motion for reconsideration as the NPC failed to appreciate “several facts, legal points, and material contexts.”
Bautista said the NPC’s recommendation to file criminal charges against him for the data leak was “just too much,” noting that his alleged act of omission, not appointing a data privacy officer, was not solely his responsibility but required the permission of the commission en banc.
“If the Comelec IT specialists directly in charge of operating the website were found to be not liable, what more those who merely oversee their work and in particular, the head of agency? Following the decision’s logic, if there is a breach of the Supreme Court website, will the Chief Justice be potentially liable?”
The Comelec chief also insisted that there was no IRR (implementing rules and regulations) yet for the Data Privacy Act when the breach happened in March 2016. “That’s ex-post facto law (retroactive effect of a law). How can we comply when we don’t know yet their rules?” he asked.
The NPC said the Comelec specifically “violated Sections 11, 20 and 21 of the Republic Act No. 10173” in its capacity as “personal information controller.” Bautista, on the other hand, was indicted for having “violated the provisions of Section 11, 20, 21 and 22 in relation to Section 26” of the same law.
Section 26 of the Data Privacy Act, which penalizes accessing sensitive personal information due to negligence, imposes imprisonment from 3 to 6 years and a fine from P500,000 to P4,000,000.
Meanwhile, Section 36 provides additional penalties when the offender is a public officer, consisting of disqualification from public office for a period equivalent to double the term of the criminal penalty.
Referring to Bautista, the NPC decision reads “the wilful and intentional disregard of his duties as head of agency, which he should know or ought to know, is tantamount to gross negligence. The lack of a clear data governance policy, particularly in collecting and further processing of personal data, unnecessarily exposed personal and sensitive information of millions of Filipinos to unlawful access.
“A head of agency making his acts depend on the recommendations of the Executive Director or the Information Technology Department amplifies the want of even slight care. The duty to obey the law should begin at the top and should not be frustrated simply because no employee recommended such action,” the NPC decision further read.
As corrective measures, the NPC has ordered the Comelec and Bautista to do the following:
• Appoint a Data Protection Officer in one month’s time from receipt of the decision;
• Conduct an agency-wide Privacy Impact Assessment within two months;
• Create a Privacy Management Program and a Breach Management Procedure within three months; and
• Within six months of receipt of the decision, implement organizational, physical, and technical security measures in compliance with the IRR of the Data Privacy Act and the provisions of NPC Circular No. 16-01 on Security of Personal Data in Government Agencies.
The NPC has also recommended to the Secretary of Justice “further investigation for possible prosecution” under the Cybercrime Prevention Act, having found that one of the computers used in the Comelec data breach had an IP address registered with the National Bureau of Investigation (NBI).