15th Mar 2018
“Beware the ides of March!” is from William Shakespeare’s famous tragedy, Julius Caesar. It was a warning uttered by a soothsayer to Julius Caesar, that he should stay home and be careful when March 15, the ides of March, comes.
However, for entities covered by the Philippines’ Data Privacy Law of 2012, it is not really the ides of March, but two (2) dates, March 8, 2018 and March 31, 2018, that truly matter.
Under NPC Circular 17-01 dated 31 July 2017, the Philippines’ National Privacy Commission (NPC) set March 8, 2018 as the deadline for completion of Phase II of the registration of data processing systems of covered entities. By this date, covered entities should have proceeded with the NPC’s online registration platform and provided all the relevant information regarding their data processing systems.
Also, at this stage of the registration, covered entities should already have adequate systems in place, compliant with the Philippines’ Data Privacy Act of 2012. This is because NPC’s registration requires disclosure of data systems and policies relating to data governance, data privacy, information security, and data security measures for data protection in the company.
March 8 of every year is also the date fixed under NPC regulations for the annual renewal of the certificate of registration of covered entities. Fortunately, and certainly to avoid long queues, the NPC allows the renewal to take place two (2) months prior to the March deadline.
Finally, March 31 is also the deadline pegged by the NPC for Personal Information Controllers from covered entities to submit their Annual Security Incident Report. This Annual Report, mentioned in NPC Circular 16-03, is a summary of all reports, comprised of general information including the number of security incidents and data privacy breaches encountered, classified according to their impact on the availability, integrity or confidentiality of personal data.
The NPC gave a list of sectors or institutions for which registration of data processing systems is mandatory. Among them are: the national and local government, including all branches, offices and agencies of government; banks and non-bank financial institutions, including pawnshops and non-stock savings and loan associations; telecommunications networks, internet service providers and other entities or organizations providing similar services; business process outsourcing companies; universities, colleges and other institutions of higher learning, and all other schools and training institutions; hospitals, including primary care facilities, multi-specialty clinics, custodial care facilities, diagnostic or therapeutic facilities, specialized out-patient facilities, and other organizations processing genetic data; providers of insurance undertakings, including life and non-life companies, pre-need companies and insurance brokers; businesses involved mainly in direct marketing, networking, and companies providing reward cards and loyalty programs; pharmaceutical companies engaged in research; personal information processors processing personal data for a personal information controller included in the preceding items; and data processing systems involving automated decision-making.
The NPC warned that failure to register a data processing system may subject a company or an agency to compliance checks and compliance orders, and, depending on attendant circumstances, may be considered evidence of unauthorized processing, punishable under the Philippines’ Data Privacy Act of 2012.
Unauthorized processing of personal information is penalized by imprisonment of up to three (3) years and a fine of up to Two million pesos (Php2,000,000.00). The penalty and fine are imposed on persons who, among others, process personal information without being authorized under the Data Privacy Act of 2012.
Given the hefty fines of up to P5,000,000.00 and the penal liability of imprisonment, both imposed under the Data Privacy Act of 2012 even for negligent acts leading to data privacy breaches, covered entities should give this warning stern attention.
Update (as of 08 March 2018): The National Privacy Commission extended the registration period for the data processing systems (DPS) of individual Personal Information Controllers (PICs) and individual Personal Information Processors (PIPs). This extension was made to apply to covered professionals such as medical doctors, lawyers, accountants, dentists and other professionals who, in the practice of their profession, process personal data and satisfy the criteria for mandatory registration of their Data Processing Systems. It was clarified, however, that this extension applies only to individual PICs and PIPs. The previous 08 March 2018 deadline still applies to other covered persons. The National Privacy Commission further stated that the agency will continue to accept late submissions.
Nicolas & De Vega Law Offices is a full-service law firm in the Philippines. You may visit us at the 16th Flr., Suite 1607 AIC Burgundy Empire Tower, ADB Ave., Ortigas Center, 1605 Pasig City, Metro Manila, Philippines. You may also call us at +632 4706126, +632 4706130, +632 4016392.