The National Privacy Commission (NPC) launched on Thursday, Feb. 3, its online registration system to provide a portal for both government and private organizations to register their data processing systems.Circular-2022-04
According to the agency, the implementation of the NPC Registration System (NPCRS) will provide the following benefits:
- Ease of monitoring requests/approval of registration applications;
- Secure portal for the registration monitoring unit to access registration data using role-based access control;
- Real-time visibility in the validation of documentary requirements;
- Accurate collection of sectors and subsectors information;
- Accurate verification of active/inactive registration;
- Efficient retrieval of contact details of the Data Protection Officer (DPO); and
- Easy generation of documents (e.g. Certificate of Registration, statistical reports on registered entities (daily, monthly, yearly).
“The call for digitalization of government services by the current administration triggered the launching of the NPCRS this February, and the Data Breach Notification Management System (DBNMS) last April 2022. The finalization of the Circular on Registration was simultaneous with the development of the National Privacy Commission Registration System,” privacy commissioner John Henry Naga said.
The new system allows personal information controllers (PICs) and processors (PIPs), through their Data Protection Officers (DPOs), to comply with the registration requirements provided in the Data Privacy Act (DPA) of 2012 and its Implementing Rules and Regulations (IRR).
According to Naga, information on Data Processing Systems owned by PICs and PIPs allows the NPC to a more efficient compliance monitoring process.
“Through the NPCRS, the data processing activities of PICs and PIPs will be effectively and efficiently monitored. Through this system, compliance with the Data Privacy Act of 2012 will be ensured and our endeavor to protect the personal data of every Juan and Juana will be fortified,” he added.
Rainier Anthony Milanes, chief of the NPC’s Compliance and Monitoring Division, explained that the new circular on registration aims to address the issues encountered in implementing the old circular such as common or multiple DPOs.
“It also provides new regulations such as the requirement to display the NPC Seal of Registration which will provide data subjects the needed assurance that entities processing their personal data have completed the first level of DPA compliance,” Milanes added.
The NPC Seal of Registration will be issued simultaneously with the Certificate of Registration. Section 5 of NPC Circular No. 2022-04 provides for the mandatory registration of a PIC or PIP that employs 250 or more persons, or those processing sensitive personal information of 1,000 or more individuals, or those processing data that will likely pose a risk to the rights and freedoms of data subjects, to register all Data Processing Systems.
Milanes stated that adherence to the data privacy principles of transparency, legitimate purpose, and proportionality were one of the cornerstones in developing the NPCRS.
“The registration system was developed using Privacy by Design and Development, Security, and Operations (DevSecOps). Privacy Impact Assessments were conducted during planning, before implementing changes concerning personal data processing, and before the system goes live,” he explained.