Comelec complying to ensure no data breach in barangay elections – NPC
MANILA, Philippines – Despite major voters' data leaks during the 2016 elections, the National Privacy Commission (NPC) is optimistic that the Commission on Elections (Comelec) is now better equipped to ensure no similar breaches happen during the barangay polls.
If President Rodrigo Duterte's allies in Congress fail to pass a law postponing the elections, they will take place in October.
"If you ask me about compliance of the Comelec, they have come very far from way before it happened," said NPC Commissioner Raymund Liboro on Tuesday, March 28, during a news briefing in Malacañang.
Some reforms the Comelec has implemented, in compliance with NPC recommendations, are hiring a data protection officer, crafting a privacy management program, and conducting a privacy impact assessment to find out the "vulnerabilities" in their systems, said Liboro.
One such vulnerability is the physical security of databases holding sensitive personal information of voters.
The Comelec learned about this vulnerability the hard way when robbers broke into the office of the election officer in Wao town, Lanao del Sur, and stole a computer containing a copy of the national list of registered voters and biometric records, including photos, of all 55,000 registered voters of the town.
"Data privacy and data protection is not all about IT (information technology). It's about organizational readiness. Physical security is very, very important," said Liboro.
Thus, addressing the Comelec's vulnerabilities includes everything from ensuring personnel are well trained in protecting data to ensuring the layout of a Comelec office is best for securing data.
The privacy impact assessment is ongoing.
Lessons from Wao
Another vulnerability made apparent by the Wao incident is the storage of sensitive data in computers kept in municipal offices, which, given their number, are more difficult to secure than provincial offices.
Based on field work, the NPC found that the more than 1,600 other municipalities and cities kept data in their offices, potentially exposing voters' sensitive information.
Liboro said the NPC had ordered the "immediate cessation" of processes, like information verification, in municipal offices that will require that data be kept there.
Information of registered voters can still be collected in municipal offices, but data should be stored only in provincial offices to make them easier to secure. There are 81 provincial offices nationwide.
So far, the Comelec seems to be responding to NPC recommendations, but Liboro said there is no room for complacency.
"They are trying to faithfully comply with all our compliance orders. Compliance is not an overnight thing. What we always determine is if they are aware of the risks, then the security measures should be at par with the risks they have identified," he said.
The NPC has found Comelec Chairman Andres Bautista criminally liable for the leak of voters' information in March 2016.
The data leak involved 75,302,683 voters' registration records (including deactivated or disapproved records) in the Comelec's Precinct Finder web application; 1,376,067 records in its Post Finder web application, plus 139,301 records in its iRehistro portal; 896,992 records in its gun ban database; 20,485 records of firearms serial numbers; and records of 1,267 Comelec personnel.
Hackers were able to access the data and made these available to the public through a searchable website. The website was soon taken down.
The privacy body said Bautista's "willful and intentional disregard of his duties as head of agency, which he should know or ought to know, is tantamount to gross negligence." – Rappler.com