ALBURO ALBURO AND ASSOCIATES LAW OFFICES

June 1, 2022

PROCEDURE FOR NOTIFYING THE NATIONAL PRIVACY COMMISSION IN CASE OF DATA PRIVACY BREACH


  • The Commission shall be notified within seventy-two (72) hours upon knowledge of or the reasonable belief by the personal information controller or personal information processor that a personal data breach has occurred.

  • Notification may only be delayed to the extent necessary to determine the scope of the breach, to prevent further disclosures, or to restore reasonable integrity to the information and communications system.

  • There shall be no delay in the notification if the breach involves at least one hundred (100) data subjects, or the disclosure of sensitive personal information will harm or adversely affect the data subject.

The personal information controller shall notify the Commission and the affected data subjects upon knowledge of, or when there is reasonable belief that, a personal data breach has occurred. The obligation to notify remains with the personal information controller even if the processing of information is outsourced or subcontracted to a personal information processor.

NPC Circular 16-03 (Personal Data Breach Management) provides the procedure for notifying the National Privacy Commission in case of a personal data breach:

  • When Notification Should be Done.

The Commission shall be notified within seventy-two (72) hours upon knowledge of or the reasonable belief by the personal information controller or personal information processor that a personal data breach has occurred.

  • Delay in Notification.

Notification may only be delayed to the extent necessary to determine the scope of the breach, to prevent further disclosures, or to restore reasonable integrity to the information and communications system. The personal information controller need not be absolutely certain of the scope of the breach prior to notification. Its inability to immediately secure or restore integrity to the information and communications system shall not be a ground for any delay in notification, if such delay would be prejudicial to the rights of the data subjects. Delay in notification shall not be excused if it is used to perpetuate fraud or to conceal the personal data breach.

  • When Delay is Prohibited.

There shall be no delay in the notification if the breach involves at least one hundred (100) data subjects, or the disclosure of sensitive personal information will harm or adversely affect the data subject. In both instances, the Commission shall be notified within the 72-hour period based on available information. The full report of the personal data breach must be submitted within five (5) days, unless the personal information controller is granted additional time by the Commission to comply.

  • Content of Notification.

The notification shall include, but not be limited to:

  1. Nature of the Breach
    1. description of how the breach occurred and the vulnerability of the data processing system that allowed the breach;
    2. a chronology of the events leading up to the loss of control over the personal data;
    3. approximate number of data subjects or records involved;
    4. description or nature of the personal data breach;
    5. description of the likely consequences of the personal data breach; and
    6. name and contact details of the data protection officer or any other accountable persons.
  2. Personal Data Possibly Involved
    1. description of sensitive personal information involved; and
    2. description of other information involved that may be used to enable identity fraud.
  3. Measures Taken to Address the Breach
    1. description of the measures taken or proposed to be taken to address the breach;
    2. actions being taken to secure or recover the personal data that were compromised;
    3. actions performed or proposed to mitigate possible harm or negative consequences, and limit the damage or distress to those affected by the incident;
    4. action being taken to inform the data subjects affected by the incident, or reasons for any delay in the notification;
    5. the measures being taken to prevent a recurrence of the incident.

  • Form.

Notification shall be in the form of a report, whether written or electronic, containing the required contents of notification.

The report shall also include the name and contact details of the data protection officer and a designated representative of the personal information controller. The manner of notification of the data subjects shall also be included in the report.

Where notification is transmitted by electronic mail, the personal information controller shall ensure the secure transmission thereof. Upon receipt of the notification, the Commission shall send a confirmation to the personal information controller. A report is not deemed filed without such confirmation. Where the notification is through a written report, the received copy retained by the personal information controller shall constitute proof of such confirmation.


Alburo Alburo and Associates Law Offices specializes in business law and labor law consulting. For inquiries, you may reach us at info@alburolaw.com, or dial us at (02)7745-4391/0917-5772207.
