Philippines: Minimum requirements for security of personal data issued by the National Privacy Commission

The National Privacy Commission issued Circular No. 2023-06, which provides for the updated requirements for the security of personal data processed by a personal information controller or personal information processor.

In brief

The Data Privacy Act (DPA) provides that a personal information controller (PIC) must implement reasonable and appropriate organizational, physical and technical measures intended for the protection of personal information against accidental or unlawful destruction, alteration and disclosure, as well as against any other unlawful processing. The PIC shall also protect personal information against natural dangers and human dangers. For this purpose, the National Privacy Commission (NPC) recently issued NPC Circular No. 2023-06 ("Circular"), which sets out the updated minimum requirements for the security of personal data.



Clients are advised to review their privacy and data protection policies for compliance with the security requirements under the Circular.

The Circular took effect on 30 March 2024 and gives PICs and personal information processors (PIPs) until 30 March 2025 to comply with the requirements. Noncompliance with the Circular may result in the issuance of enforcement orders, cease and desist orders, a temporary or permanent ban on the processing of personal data, or the payment of fines by the PIC or PIP. Moreover, criminal, civil and administrative liabilities, as well as disciplinary sanctions, may be imposed on any erring officer or employee of the PIC or PIP for failure to comply with the Circular.

In more detail

The Circular applies to all natural or juridical persons engaged in the processing of personal data within and outside of the Philippines, subject to the applicable provisions of the DPA, its Implementing Rules and Regulations, and other relevant NPC issuances (collectively, "data privacy regulations").

The following are the minimum requirements for security of personal data:

General obligations of a PIC or PIP

  1. Designate and register its Data Protection Officer (DPO) with the NPC in accordance with data privacy regulations
  2. Register its Data Processing Systems with the NPC in accordance with data privacy regulations
  3. Create an inventory of all its data processing systems and activities
  4. Conduct a Privacy Impact Assessment (PIA) on the processing of personal data and update the same as necessary
  5. Set a Privacy Management Program
  6. Periodically train employees, agents, personnel or representatives on privacy and data protection compliance
  7. Comply with the NPC's order when its privacy and data protection policies are subject to review and assessment

Privacy Impact Assessment

The Circular provides that a PIA should be undertaken for every processing system that involves personal data. It specifically requires a PIA to be conducted on Off-The-Shelf Software, solutions, or data processing systems. Risks identified in the PIA must be addressed by a Control Framework that must be compliant with the provisions of the Circular.

"Control Framework" refers to a comprehensive enumeration of the controls intended to address the risks, including organizational, physical and technical measures to maintain the availability, integrity and confidentiality of personal data, and to protect it against natural dangers such as accidental loss or destruction and human dangers such as unlawful access, fraudulent misuse, unlawful destruction, alteration or contamination.

Privacy-By-Design and Privacy-By-Default

A PIC or PIP must consider the Privacy-By-Design and Privacy-By-Default principles in its processing activities, and enable Privacy-By-Default in its data processing systems without further action from data subjects.

"Privacy-by-Design" is an approach to the development and implementation of projects, programs and processes that integrates, into the design or structure of a processing activity or a data processing system, the safeguards necessary to protect and promote privacy. Meanwhile, "Privacy-by-Default" is defined under the Circular as the principle according to which the PIC/PIP ensures that only data necessary for each specific purpose of processing is processed by default, without the intervention of the data subject.

Personal data storage

Personal data must be stored in a form that permits the identification of data subjects for only as long as necessary for the specific purpose for which it was initially processed. Moreover, the PIC should establish a Retention Policy, which must be periodically reviewed and made known to the data subjects.

Each PIC or PIP should issue and enforce a Password Policy for passwords used to access personal data.

Access to personal data

Personal data stored in databases must only be accessed or modified using authorized software programs. A PIC or PIP shall implement an Access Control Policy and ensure that access to personal data is strictly regulated by issuing a security clearance or its equivalent only to authorized personnel, which must be filed with the DPO.

"Access Control Policy" is a document or set of rules that defines how access to information is managed, including who may access specific information and under what circumstances.

An Acceptable Use Policy must also be issued regarding the use of information and communications technology. This refers to a document or set of rules stipulating controls or restrictions that personnel of a PIC or PIP must agree to for access to the network, facilities, equipment, or services of such PIC or PIP. Each user shall agree to the policy and sign the appropriate agreement before being allowed access to and use of the technology.

Secure authentication mechanisms (e.g., multifactor authentication or secure encrypted links) must be implemented when providing online access to sensitive personal information, privileged information and high volumes of personal data. Such user access rights and authentication mechanisms must be defined and controlled by a System Management Tool.

A PIC or PIP shall ensure that only known devices, properly configured to its security standards, are authorized to access personal data. The PIC or PIP shall also establish solutions that only allow authorized media to be used on its computer equipment.

Log records of personal data stored in any physical media, such as a paper-based filing system, must be maintained and updated. The log records must contain information on which file was accessed, including when, where and by whom, as well as indicate whether copies of the file were made.

Business continuity

A PIC or PIP must have a Business Continuity Plan to mitigate potential disruptive events. It must consider personal data backup, restoration and remedial time; periodic review and testing of the plan; and contact information and other business-critical matters.

Telecommuting policy

PICs or PIPs adopting telecommuting or other alternative work arrangements must set a policy on alternative work arrangements and communicate it to the concerned stakeholders. The PIC or PIP shall consider security measures such as training on the limitations on use of company-issued devices, password management and security best practices for managing accounts and devices, and periodic training on data privacy and cybersecurity.

Transfer of personal data

A PIC or PIP that transfers personal data by email must ensure that the data is adequately protected and use secure transmission and reception of email messages, including attachments. Where appropriate, a PIC or PIP may utilize systems that scan outgoing emails and attachments for keywords that would indicate the presence of personal data and, if applicable, prevent its transmission.
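The following is an added illustration of the optional outgoing-email scan described above, and is not code from the Circular, the NPC or any vendor product. It parses a constructed outgoing message, walks every MIME part (the body and each attachment), searches each text part for a constructed list of indicator terms, and returns a block/allow decision together with the part and term that triggered it. The indicator terms and the sample message are assumptions for the example; a PIC or PIP would derive its own keyword list from its data inventory and Privacy Impact Assessment.

```python
"""Added example: scan an outgoing email, including attachments, for keywords
that indicate the presence of personal data, and decide whether to block it.
Not the Circular's or any product's code; keyword list and sample message
are constructed for this illustration.
"""
import re
from email import message_from_string
from email.message import Message

# Constructed indicator terms (assumption). A real deployment would take these
# from the PIC's or PIP's own data inventory and Privacy Impact Assessment.
INDICATOR_TERMS = (
    "date of birth",
    "passport number",
    "medical record",
    "sensitive personal information",
)
_PATTERN = re.compile("|".join(re.escape(t) for t in INDICATOR_TERMS), re.IGNORECASE)


def _text_of(part: Message) -> str:
    """Decode a single MIME part to text; non-text parts (binaries) yield ''."""
    if part.get_content_maintype() != "text":
        return ""
    payload = part.get_payload(decode=True)
    if payload is None:
        return ""
    charset = part.get_content_charset() or "utf-8"
    return payload.decode(charset, errors="replace")


def scan_outgoing_message(raw: str) -> dict:
    """Walk body and attachments; report every indicator-term hit per part.

    Returns {"block": bool, "findings": [(part_name, matched_term), ...]}.
    The message is blocked when any part contains an indicator term.
    """
    msg = message_from_string(raw)
    findings = []
    for idx, part in enumerate(msg.walk()):
        if part.is_multipart():
            continue  # containers carry no payload of their own
        name = part.get_filename() or f"body-part-{idx}"
        for match in _PATTERN.finditer(_text_of(part)):
            findings.append((name, match.group(0).lower()))
    return {"block": bool(findings), "findings": findings}


# Constructed sample: an innocuous body plus a CSV attachment that carries
# column headings indicating personal data.
SAMPLE_MESSAGE = """\
From: staff@example.invalid
To: partner@example.invalid
Subject: Quarterly report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset="utf-8"

Please find the report attached.
--XYZ
Content-Type: text/csv; charset="utf-8"
Content-Disposition: attachment; filename="clients.csv"

name,date of birth,passport number
A. Sample,1990-01-01,P0000000
--XYZ--
"""

if __name__ == "__main__":
    result = scan_outgoing_message(SAMPLE_MESSAGE)
    verdict = "BLOCK" if result["block"] else "ALLOW"
    print(verdict, result["findings"])
```

The scan is deliberately applied to attachments as well as the body, since the Circular names both; matches are reported per part so that the DPO or mail administrator can see which attachment caused the block rather than only that the message was held.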

Where the transfer of personal data by removable or portable storage media, such as compact discs (CD), digital versatile discs (DVD) and universal serial bus (USB) flash drives, is unavoidable or necessary, the media shall be encrypted. Facsimile technology shall not be used for transmitting documents containing personal data.

A PIC and its PIP that transmit documents or media containing personal data by mail or post shall make use of registered mail or, where appropriate, guaranteed parcel post services and Private Express and/or Messengerial Delivery Service.

Data disposal and destruction policy

In establishing policies and procedures for disposal of personal data, a PIC or PIP shall take into account the retention period of data; jurisdiction-specific laws, regulations and existing contracts; identification of relevant de-identification, anonymization or deletion techniques; and required documentation before the deletion, de-identification, or anonymization of personal data.

A PIC or a PIP shall retain logs as long as deemed necessary and appropriate based on best practices and industry standards. Security logs that record information about authentication attempts and security incidents shall be retained for longer periods than general system logs. PICs shall implement backup and archive mechanisms for their logs.

Procedures must be established to ensure secure and proper disposal and destruction of personal data that would render further processing impossible.

Penalties

A violation of the provisions of the Circular may, upon notice and hearing, result in the issuance by the NPC of compliance and enforcement orders, cease and desist orders, temporary or permanent ban on the processing of personal data, or payment of fines against the PIC or PIP. Moreover, failure to comply with the Circular may result in criminal, civil and administrative liabilities, as well as disciplinary sanctions against any erring officer or employee of the PIC or PIP.

The Circular gives a PIC and PIP a transitory period of 12 months from the effectivity of the Circular or until 30 March 2025 to comply with the foregoing requirements.

Recommended action

Clients are advised to revisit and update their current organizational, physical and technical security measures intended for protection of personal data to ensure compliance with the foregoing requirements. Privacy and data protection policies must be aligned with the minimum security requirements under the Circular by the 30 March 2025 deadline.

Please feel free to reach out to Quisumbing Torres' Intellectual Property, Data, and Technology Practice Group for assistance on these and other data privacy compliance matters.

* * * * *


Please contact QTInfoDesk@quisumbingtorres.com for inquiries.



Copyright © 2024 Baker & McKenzie. All rights reserved. Ownership: This documentation and content (Content) is a proprietary resource owned exclusively by Baker McKenzie (meaning Baker & McKenzie International and its member firms). The Content is protected under international copyright conventions. Use of this Content does not of itself create a contractual relationship, nor any attorney/client relationship, between Baker McKenzie and any person. Non-reliance and exclusion: All Content is for informational purposes only and may not reflect the most current legal and regulatory developments. All summaries of the laws, regulations and practice are subject to change. The Content is not offered as legal or professional advice for any specific matter. It is not intended to be a substitute for reference to (and compliance with) the detailed provisions of applicable laws, rules, regulations or forms. Legal advice should always be sought before taking any action or refraining from taking any action based on any Content. Baker McKenzie and the editors and the contributing authors do not guarantee the accuracy of the Content and expressly disclaim any and all liability to any person in respect of the consequences of anything done or permitted to be done or omitted to be done wholly or partly in reliance upon the whole or any part of the Content. The Content may contain links to external websites and external websites may link to the Content. Baker McKenzie is not responsible for the content or operation of any such external sites and disclaims all liability, howsoever occurring, in respect of the content or operation of any such external websites. Attorney Advertising: This Content may qualify as “Attorney Advertising” requiring notice in some jurisdictions. To the extent that this Content may qualify as Attorney Advertising, PRIOR RESULTS DO NOT GUARANTEE A SIMILAR OUTCOME. 
Reproduction: Reproduction of reasonable portions of the Content is permitted provided that (i) such reproductions are made available free of charge and for non-commercial purposes, (ii) such reproductions are properly attributed to Baker McKenzie, (iii) the portion of the Content being reproduced is not altered or made available in a manner that modifies the Content or presents the Content being reproduced in a false light and (iv) notice is made to the disclaimers included on the Content. The permission to re-copy does not allow for incorporation of any substantial portion of the Content in any work or publication, whether in hard copy, electronic or any other form or for commercial purposes.