Gov’t agencies, private firms told: Appoint data protection officer now

Public and private organizations that gather and process personal information must now designate their own Data Protection Officers (DPOs), the National Privacy Commission (NPC) has warned.

Photo shows NPC commissioner Raymund Liboro (center) with deputy commissioners Dondi Mapa and Ivy Patdu


The privacy commission made the appeal following its decision last week on the “Comeleak” data breach.

NPC chair Raymund E. Liboro said organizations that have yet to comply with the Data Privacy Act of 2012 should immediately appoint their own DPOs, who would be accountable for ensuring compliance with everything the law requires on data privacy and security.

Liboro said officially designating a DPO signals an organization’s “commitment to comply” with the law.

“Personal data handling is a public trust, and carries with it a burden of accountability. No amount of ignorance or legal naiveté can erase that accountability,” Liboro said.

“The Data Privacy Law of 2012 is about making sure those we entrust with our personal data are actually trustworthy by compelling them to do everything they can to protect it,” Liboro added.

In its decision dated December 28, 2016, the privacy body said Comelec failed to designate an accountable officer for data privacy, as required under Section 21 of the Data Privacy Act of 2012.

“If you process a lot of personal data, you could be a disaster waiting to happen if you fail to apply the principles provided by the law,” Liboro said.

In Section 21 of the Data Privacy Act of 2012, the DPO is defined as an “individual or individuals who are accountable for the organization’s compliance” with the privacy law, so designated by the organization in the exercise of its duty as a “personal information controller” (PIC).

The requirement is echoed in the law’s implementing rules and regulations (IRR), under Section 26, which states that such individuals “shall function as data protection officer” and would “be accountable for ensuring compliance with applicable laws and regulations for the protection of data privacy and security.”

“The DPO is essentially tasked to champion people’s privacy rights from within his or her organization. In so doing, the DPO is able to minimize the risks of privacy breaches, address underlying problems, and reduce the damage arising from breaches if and when they do occur,” Liboro said.

“Complying with the law produces a lot of upside. Showing the public your commitment to protect their personal data leads to increased consumer trust and thus, higher patronage.”

The DPO’s job is focused on protecting data — from collection, to storage, to sharing, and destruction, according to the NPC.

Part of this job includes providing data subjects with access to their personal data, and instructions on how they can object to processing and obtain relief when needed.

“For MSMEs that process personal data, the DPO can even be the business owner. What is important is developing a culture of privacy within their organization and ensuring their employees are aware of data privacy principles,” Liboro added.

From its recent consultations with several government agencies, the NPC noted some agencies such as the Department of Health, PhilHealth, and the Department of National Defense have been complying or have started to comply with the provisions of the law.

Liboro noted that the National Economic and Development Authority (Neda) designated a DPO right after the law was passed. The Metro Manila Development Authority (MMDA) also has recently appointed its own DPO.

“The proactive heads of these agencies must be commended for displaying zeal in protecting personal data in their agencies’ possession,” Liboro added.
