Are organizations required to strictly document all security incidents, even minor ones?
Yes, organizations are strictly required to properly document all security incidents through comprehensive written reports. Crucially, this mandatory documentation applies even to minor security incidents that are not severe enough to legally trigger the mandatory notification requirements. In the specific case of other security incidents not involving personal data, a formal report containing aggregated data shall heavily constitute sufficient documentation. This comprehensive requirement for internal accountability is clearly established under Section 41 IRR. “b. All security incidents and personal data breaches shall be documented through written reports, including those not covered by the notification requirements. In the case of personal data breaches, a report shall include the facts surrounding an incident, the effects of such incident, and the remedial actions taken by the personal information controller. In other security incidents not involving personal data, a report containing aggregated data shall constitute sufficient documentation.” 22-May-26About Nicolas and De Vega Law Offices
Nicolas and De Vega Law Offices is a full-service law firm in the Philippines. You may visit us at the 16th Flr., Suite 1607 AIC Burgundy Empire Tower, ADB Ave., Ortigas Center, 1605 Pasig City, Metro Manila, Philippines. You may also call us at +632 84706126, +632 84706130, +632 84016392 or e-mail us at [email protected]. Visit our website https://ndvlaw.com/.

