Friday, April 19, 2024

NPC issues circulars to boost personal data protection in PH

The National Privacy Commission (NPC) announced on Monday, April 1, that it has issued two circulars to further strengthen personal data protection in the Philippines.

The NPC Circular 2023-05 outlines the prerequisites for organizations and Certification Bodies (CBs) participating in the Philippine Privacy Mark (PPM) Certification Program, while NPC Circular 2023-06 governs the security of personal data in the government and private sector.

“Through these Circulars, the NPC aims to provide guidance to organizations in further complying with the Data Privacy Act of 2012, its implementing rules and regulations, and other issuances of the NPC,” Privacy Commissioner John Henry D. Naga stated.

“Likewise, these Circulars are in line with the Commission’s vision to further empower data subjects, especially in identifying organizations they can trust,” Naga added.

The PPM Certification Program is an initiative by the NPC to assess public and private organizations to ensure the secure and protected processing of personal information in implementing their respective data privacy and protection management systems.

The NPC Circular 2023-05 or the Prerequisites for the Philippine Privacy Mark Certification Program provides the prerequisites for certification of personal information controllers (PICs) or personal information processors (PIPs) and accreditation of CBs under the PPM Certification Program.

Under the NPC Circular 2023-05, a personal information controller (PIC) or personal information processor (PIP) seeking certification under the PPM Certification Program must be certified with ISO/IEC 27001 and ISO/IEC 27701 standards for Information Security Management Systems (ISMS) and Privacy Information Management System (PIMS) respectively.

CBs must also meet these standards, along with ISO/IEC 17021-1 for accreditation.

The NPC Circular 2023-05 took effect on March 15, 2024.

On the other hand, NPC Circular 2023-06 or the Security of Personal Data in the Government and Private Sector provides updated requirements for the security of personal data processed by a PIC or PIP.

To ensure data security, the circular enumerates the general obligations of a PIC or PIP, which include the designation and registration of a Data Protection Officer, registration of data processing systems, conducting a Privacy Impact Assessment (PIA), implementing a Privacy Management Program, periodic training of personnel on privacy and data protection policies, and compliance with the orders of the NPC.

The circular also sets provisions on the storage of personal data, ensuring data subjects’ information is stored for the necessary duration and protected through industry standards and best practices.

Additionally, the circular outlines stringent provisions for access to personal data, specifying procedures for authorized personnel, acceptable use policies, secure authentication mechanisms, and measures for remote disconnection or deletion of data on mobile devices, among others.

The circular also provides that a PIC or PIP must implement a Business Continuity Plan to mitigate potential disruptive events.

It must indicate the process of personal data backup, restoration, and remedial time, including the periodic review of the plan taking into account disaster recovery, privacy, business impact assessment, crisis communications plan, and telecommuting policy, among others.

The NPC Circular 2023-06 expressly repeals NPC Circular No. 16-01 and took effect on March 30, 2024.
