In its very first case since being formally organized last year, the National Privacy Commission (NPC) flexed its muscles as it released its decision finding the Commission on Elections (Comelec) and its chair Andres D. Bautista criminally liable for the massive breach of the voter database in March last year.
The NPC said the Comelec specifically “violated Sections 11, 20 and 21 of the Republic Act No. 10173” in its capacity as “personal information controller”. Bautista, on the other hand, was indicted for having “violated the provisions of Section 11, 20, 21 and 22 in relation to Section 26 of the same law.”
Section 26 of the Data Privacy Act, which penalizes accessing sensitive personal information due to negligence, imposes imprisonment from 3 to 6 years and a fine from P500,000 to P4,000,000.
Meantime, Section 36 provides additional penalties when the offender is a public officer, consisting of disqualification from public office for a period equivalent to double the term of the criminal penalty.
Referring to Bautista, the NPC decision reads “the wilful and intentional disregard of his duties as head of agency, which he should know or ought to know, is tantamount to gross negligence. The lack of a clear data governance policy, particularly in collecting and further processing of personal data, unnecessarily exposed personal and sensitive information of millions of Filipinos to unlawful access.
“A head of agency making his acts depend on the recommendations of the Executive Director or the Information Technology Department amplifies the want of even slight care. The duty to obey the law should begin at the top and should not be frustrated simply because no employee recommended such action,” the NPC decision further read.
As corrective measures, the NPC has ordered the Comelec and Bautista to do the following:
- Appoint a Data Protection Officer within one month of receipt of the decision;
- Conduct an agency-wide Privacy Impact Assessment within two months;
- Create a Privacy Management Program and a Breach Management Procedure within three months; and
- Within six months of receipt of the decision, implement organizational, physical, and technical security measures in compliance with the IRR of the Data Privacy Act and the provisions of NPC Circular No. 16-01, on Security of Personal Data in Government Agencies.
The NPC has also recommended to the Secretary of Justice “further investigation for possible prosecution” under the Cybercrime Prevention Act, having found that one of the computers used in the Comelec data breach had an IP address registered with the National Bureau of Investigation (NBI).