A UNIVERSE of data has been collected and held by organizations, public and private, for a long time. Among the data collected are those pertaining to individuals. This is the reality that citizens have long faced.
The Commission on Elections (COMELEC) has long been collecting, organizing, and processing data about citizens of voting age. Since the poll body needs to determine that an individual is qualified to vote, it collects personally identifiable, sensitive, and other data. Republic Act 10367, or the Mandatory Biometrics Voter Registration Law, mandated the COMELEC to implement a biometrics registration system. Thus, in addition to the data it traditionally collected, the poll body started to collect biometrics data of registered voters as well as of new voters. The law also required that the COMELEC secure the data collected and ensure that the data shall not be used for any purpose other than for electoral exercises.
The duty and obligation of the COMELEC to protect personally identifiable and sensitive data about voters stem from the Mandatory Biometrics Voter Registration Law, RA 10367, and the Data Privacy Act of 2012, Republic Act 10173.
So, how did the incident, dubbed the “COMELeak,” come to be? The decision promulgated by the National Privacy Commission provides a glimpse into the failings of the COMELEC that led to the COMELeak incident.
First, despite the claims that the COMELEC website and the public-facing applications known as Precinct Finder and Post Finder had embedded security features, all had vulnerabilities which were exploited by malevolent actors who identified themselves as Anonymous Ph and LulSecPinas.
Second, despite the claims that the COMELEC information infrastructure was protected by three layers of firewalls and intrusion detection systems, exfiltration of databases was not detected and data traffic during the period of exfiltration was left unmonitored.
Third, data protection policies and programs had not been put in place.
Fourth, a data protection officer had not been assigned. None of the commissioners or executive officers of the poll body took on the responsibility to ensure that voters’ data was protected against unauthorized access.
Fifth, all the claimed security measures were put in place after the COMELeak incident had occurred.
Sixth, there was an attempt to conceal the scope and magnitude of the COMELeak incident by consciously downplaying it, casting doubt on the genuineness and accuracy of the data illegally accessed and copied.
Seventh, there was a delay in notifying the National Privacy Commission (NPC) of the incident despite the mandatory reporting requirement of the Data Privacy Act.
Government agencies and private organizations have been required by law to protect personally identifiable and sensitive information since the Data Privacy Act was promulgated on August 15, 2012. The COMELEC, specifically, has been required to protect personally identifiable and sensitive information since the Mandatory Biometrics Voter Registration Law was promulgated on February 15, 2013.
In the course of the NPC's investigation into the COMELeak incident, it was argued that the COMELEC officials “should not be held liable for the data breach, arguing, among others, that it was impossible for COMELEC officials to determine the relevant standards imposed by the information and communications technology industry.” Perhaps there was a lack of consultation with ICT professionals. Information security standards had long been established in the ICT industry, and the requirement for protecting personally identifiable and sensitive information started in the late 1990s with the promulgation by the European Union of the Data Protection Directive, which has since been adopted globally. The Data Privacy Act identifies and categorizes personally identifiable and sensitive data into a class of its own, distinguishes it from other data collected by public and private organizations, and raises the bar of protection on personally identifiable and sensitive data.
The onus of instituting data protection policies, programs, and measures falls on the shoulders of heads of agencies. While it may be said that heads of agencies hardly have any knowledge of how to go about protecting personally identifiable and sensitive data and information systems that are used to collect, store, and process data, it falls on them to muster the organization they lead in the development and implementation of plans and programs to comply with the mandates of the Data Privacy Act.
In the case of the COMELEC, it has in place a strategic plan which includes, among others, the development of technology capacity. The managers and personnel in its Information Technology Department (ITD) are aware of the need to protect data, applications, and systems infrastructure. The ITD crafts and updates its Information Systems Strategic Plan (ISSP) which is supposed to be approved by the COMELEC en banc. But it appears that, based on the findings of the NPC, the data protection measures identified in the ISSP had not received the imprimatur of the en banc. Nor were requests for additional personnel who would focus on data and infrastructure protection approved.
The NPC thus found the COMELEC in violation of various provisions of the Data Privacy Act.
The NPC has since ordered the COMELEC to designate a Data Protection Officer, conduct a privacy impact assessment, create a privacy management program, create a breach management procedure, and implement organizational, physical, and technical security measures, all of which are aimed at protecting personally identifiable and sensitive data.