ARTICLE
23 May 2023

NPC Rolls-out Breach Notification And Registration Platforms

SS
SyCip Salazar Hernandez & Gatmaitan

Contributor

SyCip Salazar Hernandez & Gatmaitan was founded in 1945 and is a leading full-service law firm in the Philippines. Its principal office is in Makati City, with branch offices in Cebu City, Davao City and the Subic Bay Freeport Zone. The firm offers a broad and integrated range of legal services, with departments in the following fields: banking, finance and securities; special projects; corporate services; litigation and dispute resolution; employment law and immigration; intellectual property; and tax.
On April 20, 2022, the NPC launched its Data Breach Notification and Management System (DBNMS) which it hailed as "a user-friendly interface that facilitates easy tracking and faster submission...
Philippines Privacy

On April 20, 2022, the NPC launched its Data Breach Notification and Management System (DBNMS) which it hailed as "a user-friendly interface that facilitates easy tracking and faster submission of Personal Data Breach Notifications (PDBNs) and Annual Security Incident Reports (ASIRs)" in accordance with NPC Circular No. 16-03.

1319396a.jpg

Data Breach Notification and Management System

The DBNMS provides for an assessment aid for PICs and PIPs to determine whether they are subject to mandatory data breach notification.

1319396b.jpg/p>

The main functionality of the DBNMS is to facilitate the submission of PDBNs.

1319396c.jpg

ASIRs should also be submitted through the DBNMS.

1319396d.jpg

Considering the accessibility of the platform, PICs and PIPs must submit ASIR, even for nil reporting. The presumption that there is no security incident to report that previously arose from non-submission of the ASIR no longer applies. The deadline for the submission of ASIRs for the years 2018 to 2021 is on October 31, 2022, while 2022 ASIRs must be submitted by March 31, 2023. With the roll-out of the online platform, NPC will only accept PDBNs and ASIRs through the DBMNS. Submissions through email, personal filing, ordinary mail, licensed courier service, and any other mode of physical submission are no longer considered as valid.

National Privacy Commission Registration System

On February 3, 2023, the NPCRS, an online platform for private and government entities to register their DPS, went live pursuant to NPC Circular No. 2022-04.

1319396e.jpg

Under NPC Circular No. 2022-04, the two-phased process under NPC Circular No. 17-01 was abolished and registration is now a single process to include both the registration of the Data Protection Officer (DPO) and the registration of the DPS. All information (not otherwise tagged as optional) and all supporting documents must be submitted during registration. There is no facility to save a registration as a draft and return to it at a later time.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More