MANILA, Philippines – A former government official filed a complaint before a data privacy agency to oblige the Commission on Elections (Comelec) to properly inform over 55 million voters about the massive leak online of their personal information last March.

Dr Jose Ramon Albert, through law firm CenterLaw Philippines, filed an 11-page administrative complaint with the National Privacy Commission (NPC) against the Comelec on Friday morning, June 17.

The plea was made to “compel Comelec to disclose to 55 million voters the nature of the breach in the leak and who is responsible,” said lawyer Romel Bagares of CenterLaw in a text message to Rappler.

Albert is a senior research fellow of the Philippine Institute for Development Studies and former secretary general of the now-defunct National Statistics Coordination Board (NSCB).

In his complaint, Albert asked the NPC to enjoin Comelec to provide each of the 55 million registered voters with the following information:

• Nature of the breach
• Sensitive personal information possibly involved
• Measures taken by the Comelec to address the breach

The officials accountable for the breach should also be designated by the Comelec, Albert continued. He said that these are mandated under Section 20(f) and Section 21(b) of Republic Act 10173 or the Data Privacy Act of 2012.

In April, Albert and CenterLaw formally made the same demands to Comelec Chairman Andres Bautista. 

But Bagares noted that since then, the poll body had only accomplished one item. “They only complied with the notification to the National Privacy Commission,” he said.

Albert also mentioned in the complaint that the Comelec notified the NPC only on April 26, or nearly a month after the website hacking and data leak.

The poll body explained that it was “focused on conducting an initial investigation to track down all its perpetrators, determine the extent of the accessed information, and ultimately restore system integrity.”

“The law requires them to inform all voters of the nature of the breach, and to mention the people responsible in the safety and security of the data,” Bagares added. (READ: After Comelec data leak, what to do to protect yourself?)

Bagares noted that concealment of the breach is punishable under Section 30 of RA 10173. “The law is clear about disclosure of a data breach to affected data subjects,” he said.

Comelec compliance

On Friday, Comelec spokesperson James Jimenez argued that the poll body had already complied with the law.

“We are currently cooperating with the NPC. We’ve already informed them of the problem, and they’ve been advising us on how to move forward. And I think we are compliant with the substance of the law,” he told reporters.

Jimenez also said that Comelec personnel accountable for the leak had been included in its report to the NPC.

“We are proceeding with this as the law requires. If what they demand is what the law requires, then that’s what they’re gonna get. I don’t know that they have any specific demands beyond what the law requires, but we are compliant with the law.”

In late March, hackers defaced the Comelec website, then gained access to the voter registration records stored there. The voter records database was then leaked online. (READ: Experts fear identity theft, scams due to data leak) 

An online portal surfaced soon after, which made these voter records searchable. The website has since been inaccessible.

Then in April, two suspects were arrested by the National Bureau of Investigation (NBI) in connection with the hacking.

Jimenez said on Friday that the Comelec has included more defenses in its website to protect it from future online attacks. – Rappler com