MANILA, Philippines – While expressing support for the Subscriber Identity Module (SIM) Registration bill, the National Privacy Commission (NPC) outlined ways to ensure that its implementation would prevent security risks and data breaches.

The NPC warned that these risks may arise due to overcollection and improper or inadequate monitoring practices.

“In fulfillment of its duty to uphold the rights of data subjects, the NPC will closely coordinate with other agencies to develop the necessary guidelines to properly implement the bill,” the agency said in a statement on Saturday, October 8.

The NPC said it is “fully aware” that the implementation would entail a “massive collection of personal data,” and called for developing a “technology-neutral approach” and “future-proofing” the proposed legislation so it respects the rights and freedoms of data subjects.

For one, the commission said retailers may not have the resources or know-how to verify identities and authenticate identification cards. End-users are required to present valid government IDs or other documents to verify their identity. The NPC said the burden to determine SIM card buyers’ identities should not fall on retailers.

This recommendation was adopted in Senate Bill No. 1310 or the SIM Registration Act, the version of the bill passed by the Senate on September 28, 2022. Registration forms will be accomplished through a platform or website provided by public telecommunications entities (PTE). 

This will include the end-user’s attestation that the identification documents are true and correct, and that the said person accomplished the registration form.

Meanwhile, SIM registrations in remote areas with limited telecommunication or internet access will be facilitated by concerned government agencies and PTEs.

The NPC also discouraged using a centralized server or database, as it would pose a greater risk in the event of a security breach. 

As stated in SB 1310, electronic registration forms will be kept in the concerned PTE’s database, which will serve as a SIM Register, only to be used by the PTE to process, activate, or deactivate a SIM or subscription and for no other purpose.

Successful submission and acceptance of the required registration form will signify the certification of registration by the end-user.

The bill also stated that in case of a cyber-attack on the SIM Register, it should be reported to the Department of Information and Communications Technology within 24 hours of detection.

Senator Grace Poe, chair of the committee on public services and principal sponsor of the bill, expects the bill to be signed into law this year. – Rappler.com