In a bid to strengthen data protection measures, the National Privacy Commission (NPC) has issued Circular No. 2023-06, introducing enhanced requirements for safeguarding personal data processed by personal information controllers (PICs) or personal information processors (PIPs).
The Circular, which came into effect on March 30, 2024, mandates PICs and PIPs to adhere to a comprehensive set of security standards aimed at mitigating risks associated with processing personal information. Failure to comply with these guidelines could result in various penalties, including fines and disciplinary actions.
Under the Data Privacy Act (DPA), PICs must implement reasonable and appropriate organizational, physical, and technical measures to protect personal information against unauthorized access, disclosure, alteration, or destruction. The Circular gives that general standard concrete form, spelling out the specific measures PICs and PIPs are expected to have in place.
Here’s a closer look at some key provisions outlined in NPC Circular No. 2023-06:
General Obligations of PICs and PIPs:
Designation of Data Protection Officer (DPO): PICs and PIPs must appoint and register a DPO with the NPC to oversee compliance with data privacy regulations.
Privacy Impact Assessment (PIA): A PIA must be conducted for every system that processes personal data; the Circular makes clear that this includes systems built on off-the-shelf software.
Privacy Management Program: Establishing a comprehensive Privacy Management Program is essential to ensure adherence to data protection principles.
Training and Awareness: Regular training sessions for employees, agents, and personnel are crucial to fostering a culture of privacy and data protection compliance.
Privacy-By-Design and Privacy-By-Default:
Integration of Privacy Safeguards: PICs and PIPs are urged to adopt a Privacy-By-Design approach, embedding privacy safeguards into the design and structure of processing activities.
Privacy-By-Default: By default, only the personal data necessary for each specific purpose is processed, without the data subject having to take any action to limit it.
Personal Data Storage and Access:
Retention Policy: Personal data should be kept only for as long as necessary to fulfil the purpose for which it was collected, with the retention periods and the rules for applying them set out in a written Retention Policy.
Access Control: Strict access control policies must be enforced to regulate access to personal data, with authorized personnel granted access based on defined security clearances.
Business Continuity and Telecommuting:
Business Continuity Plan: PICs and PIPs are required to develop and implement a robust Business Continuity Plan to mitigate potential disruptions, including data backup and restoration provisions.
Telecommuting Policy: Organizations adopting telecommuting or alternative work arrangements must establish policies to ensure data security and privacy compliance in remote work settings.
Data Transfer and Disposal:
Secure Data Transfer: Personal data must be transferred only through secure channels; the Circular cites encrypted email and encrypted removable storage media as examples.
Data Disposal Policy: Establish clear procedures for the secure disposal and destruction of personal data, adhering to best practices and industry standards.
Penalties for Noncompliance:
Enforcement Measures: Noncompliance with NPC Circular No. 2023-06 may result in enforcement orders, fines, or disciplinary sanctions against erring officers or employees.
Transitory Period: PICs and PIPs are granted a 12-month transitory period, until March 30, 2025, to align their security measures with the requirements outlined in the Circular.
As organizations navigate the increasingly complex data privacy and security landscape, ensuring compliance with NPC Circular No. 2023-06 is paramount. By prioritizing robust security measures and fostering a culture of privacy awareness, businesses can safeguard personal data and uphold the trust of their stakeholders in an era of heightened data protection scrutiny.