NPC outlines 90-day plan for data protection officers

DPO1 ASSEMBLY. Data protection officers from at least 186 agencies attend the 1st DPO assembly of the National Privacy Commission on April 5, 2017. Photo by Michael Bueza/Rappler


MANILA, Philippines (UPDATED) – The National Privacy Commission (NPC) outlined a 90-day plan for data protection officers (DPO) to help their agencies and organizations comply with the Data Privacy Act.

The privacy body presented the plan at its first DPO assembly, gathering data protection officers from at least 186 government agencies, on Wednesday, April 5.

"It is 90 days toward accountability and compliance," said NPC commissioner Raymund Liboro. The plan can be followed not only by government agencies but also by the private sector.

"Their prize here is, there would be a smaller chance of experiencing data breaches, a smaller chance of data privacy rights being violated, a smaller chance of getting complaints from the public," said Liboro in Filipino. 

The NPC provided a data privacy accountability and compliance framework, a step-by-step guide to accomplish the 90-day plan.

Scanned document of the Data Privacy Accountability and Compliance Framework that serves as a guide to data protection officers

For the first 30 days, entities that handle personal information are expected to appoint a DPO, conduct a Privacy Impact Assessment, and formulate a Privacy Management Plan and a Privacy Manual.

Within the first 60 days, privacy in day-to-day operations should be considered. This includes taking into account the life cycle of data – from creation to proper disposal – as well as managing personal data security risks and complying with data breach management requirements.

Finally, within 90 days or 3 months, agencies would have managed data privacy requirements for third parties, trained human resources personnel on privacy and data protection, monitored mechanisms for projects, and managed applicable legal requirements.

While there are no penalties if the 90-day plan is not accomplished, Liboro said that completing the plan would minimize the risks when a data breach or a cyberattack takes place.

"In case of a data breach or a complaint, we would also review what they [agencies] have done and haven't done. From there, we'll see if they may be held accountable," said Liboro.

The NPC also handed out a privacy toolkit to DPOs as a guide for their compliance with the Data Privacy Act.

"Kung 'di tayo kikilos, sino ang kikilos? Kung 'di ngayon, kailan pa?" asked Liboro – referring to a political slogan in the 1970s – in his remarks at the DPO assembly. (If we won't act, who will? If not now, then when?)

Data protection in gov't

Being the biggest collector and processor of personal information, the government should be proactive in advocating for the data privacy rights of Filipinos, the NPC said.

This is why DPOs from government agencies were the first to be gathered by the NPC, said Liboro.

At the assembly, assistant secretary Carlos Caliwara of the Department of Information and Communications Technology (DICT) said that his agency and the NPC "commit to work hand-in-hand with all the agencies to strategize, collaborate, and implement" the Data Privacy Act.

"Now that the Philippines is facing growing concern on data security, it is high time that we take steps to protect our citizens' data," Caliwara said.

Presidential adviser on economic affairs and information technology communications Ramon Jacinto also said, "In today's data-driven economy, privacy is of utmost importance. Let us be at the forefront this time for data protection."

NPC deputy commissioner Ivy Patdu then emphasized the role of data protection officers in government.

Under the Data Privacy Act, personal information controllers (PIC) and personal information processors (PIP), which appoint the DPOs, have the obligation to uphold the rights of data subjects, adhere to data privacy principles, and implement physical and technical security measures.

They would face organizational, physical, and technical threats to data privacy, added the NPC.

"Let us show that the Philippines is committed to privacy and data protection in this digital age. And there's no better time to start than now," Patdu said.

"I hope at the end of this summit, we can all work together to embrace a culture of privacy, to implement and have true change, and to know that when a Filipino gives to government his personal data, we will do so knowing that it will be protected."

The NPC said it would soon hold DPO assemblies for other sectors such as banks, the business process outsourcing (BPO) industry, academic institutions, and health care services. – Rappler.com

Michael Bueza

Michael Bueza is a researcher and data curator under Rappler's Research Team. He works on data about elections, governance, and the budget. He also follows the Philippine pro wrestling scene and the WWE. Michael is also part of the Laffler Talk podcast trio.
