NPC’s 5 commandments of data privacy protection



BEFORE leaving home, a netizen books a place via AirBnB and completes a booking for a flight out the country. He then receives confirmation of his bookings and air ticket in his email. He books a ride from home to office on Uber. He keeps his GPS open. On the way to the office something catches his attention and takes a photo of the scene. Making an ATM (at the moment) post, he shares the photo on his Instagram account which is automatically shared in his Facebook account. He accesses Facebook and responds or reacts to certain posts. He sees an ad and he accesses the site to make a purchase. He gets a notification on his smartphone and proceeds to read the news on his favorite media site. He twits reactions via his Twitter account. He makes a call to the office to inform the secretary that he will be there for a meeting. He gets off at a coffee shop, gets coffee. He then proceeds to the office in time for the meeting. While at the meeting, he verifies certain information with a colleague who is not yet in the office via Viber. At midday, he pays his bills via his bank’s online payment system. The rest of the day he makes a few more phone calls and responds to Viber and text messages. Before the day ends, he makes a reservation at a favorite restaurant and books a seat to watch a movie. He then books a ride with Uber to go home. All his transactions were paid using his credit card.

The netizen’s online activities for the day have been collected by several organizations, local and international: Airbnb, the airline, Uber, Instagram, Facebook, the online shop, the news media site, Twitter, Viber, the bank, the restaurant, the theater, the credit card company, and, of course, the telecommunications company. If somebody was watching, he’d know exactly where this netizen has been and what his activities were. Information like this is highly valued by organizations like Google, Facebook, Instagram and Twitter, among others.

Have we lost control over our data? Once posted in the net, it stays in the net. For example, the voter personal information records in the Commission on Elections’ database which were illegally copied and posted on internet sites, although they were supposed to have been deleted, are still out there. We will never know when they will resurface but voters’ personal information can be used to track netizens’ online accounts.

The COME Leak incident generated heightened awareness on the need to protect personal information. The National Privacy Commission (NPC), a government agency mandated “to administer and implement the provisions of this [Data Protection] Act, and to monitor and ensure compliance of the country with international standards set for data protection,” came up with “The 5 Commandments of Data Privacy Protection” which will guide organizations’ compliance with the Data Protection Act.

1. Data Protection Officer (DPO). A DPO must be designated to take over the reins of ensuring that the organization complies with the law.

2. Privacy Impact Assessment (PIA). The PIA seeks to identify the vulnerabilities and attendant risks in the programs and processes of an organization in the collection, storage, processing, and transmission of personal information. The PIA results will enable the DPO to identify the organizational and technical measures necessary to protect personally identifiable information and implement the same. A PIA must be conducted for each program or process that involves personal data. Such assessment shall be updated regularly or as necessary.

3. Data Privacy Policy. This refers to the body of policies, procedures, rules, and guidelines that make up the core of an organization’s Privacy Management Program which the NPC recommends be crafted and implemented. It serves as a reference guide, for example, on identifying the type of data that will be collected, stored, transmitted, and/or processed, to meet the objectives of a particular business activity necessary for the delivery of a service. The Privacy Management Program also includes organizational and technical plans and programs, in particular, organizational and technical data protection measures that will be implemented. In crafting the Data Privacy Policy, the PIA results must be considered. The Data Privacy Policy is a “living” document which shall be updated regularly or as necessary as circumstances dictate.

4. Organizational Commitment. The NPC recommends developing a strong commitment to protect personal information that organizations collect, store, process, and transmit. Organizations are encouraged to conduct capacity-building programs on the need to protect personal information among its employees and drive the implementation of organizational and technical measures to protect personal information.

5. Preparedness. One of the tools that organizations must develop is a Data Breach Response Plan. The plan will guide the organization on how to respond to data breaches, including notification to its stakeholders and to the NPC, law enforcement, and other regulators. The plan also includes all possible actions and responses that the organization can take to remedy the breach. The plan must be tested and exercised regularly, and updated as deemed necessary.

Beyond our country’s borders, organizations also exert efforts to protect data privacy. Have you actually read the privacy policy of sites that you access and subscribe to? It’s time that you do.


Please follow our commenting guidelines.


  1. The head of NPC blamed COMELEC for the voters hacking yet came out with an incredulous statement that he was sure it was not used to cheat BB Marcos.

    Don’t be fooled by this chameleon NPC chairman over a sensitive gov’t position, a holdover PNoy USEC appointee, even if they were all supposed to tender their courtesy resignation to Du30!

  2. jess nazario on

    The most urgent thing to do now is to RECOVER, no REPLACE, the fingerprint-biometrics-based voters’ database for it has completely lost its intended purpose. Except for personal identity thieves it has completely lost its worth. And what makes things worse is it has now even become a very serious cyber-threat to Filipino voters whose fingerprints have been leaked all over the internet. Our fingerprints are IMMUTABLE. They persist over our entire lifetime. We cannot have a replacement issued to use and we lose them only when we are reduced to skeletons or when we are cremated. Ergo the FP data in that hacked voters’ database are practically useless due to the hacking and their dissemination all over cyberspace.

    We can write volumes and volumes on the topic data privacy and protection till we fill a full library of it BUT are we solving the more important issue of what MUST we do to prepare for the looming 2019 election which is just 2 years and 2+ months from now ? Remember we have been building the existing voters’ database over the past 14 years and it is not even complete and truly cleansed. What will we use to safeguard this and future elections in the area of voter authentication and verification on election day now that the existing voters’ database has been totally compromised ? Is there even a biometrics technology available in the market to replace the FP-biometrics based database ? There seems none available today that can match or surpass the accuracy, practicality and cost of FP biometrics technology. Yes, DNA is very much more accurate than FP but it is super expensive and will be resisted by citizens who would never allow their DNA information used in a database to serve a public function such as elections. Iris, voice, facial, body odor, gait, palm geometry biomterics technologies etc.cannot yet match the accuracy of FP biometrics. Maybe there is just one new biometrics technology that might be a possible option and should be looked into immediately but this is quite new and has not survived actual use in big databases and over a significant time period..

    Is Comelec doing something to recover from the impact of this hacking disaster ? Comelec should inform the public about this. Maybe Congress should start an investigation on this immediately. They have committees who are there precisely to address issues in our electoral system. What are they doing ?