[ NPC ADVISORY NO. 18-01, June 21, 2018 ]

GUIDELINES ON SECURITY INCIDENT AND PERSONAL DATA BREACH REPORTORIAL REQUIREMENTS



Adopted: 14 June 2018
Date Filed: 21 June 2018

WHEREAS, the right to privacy, which includes information privacy, is constitutionally protected and accorded recognition independent of its identification with liberty, and at the same time, Article II, Section 11 of the Constitution emphasizes that the State values the dignity of every human person and guarantees full respect for human rights;

WHEREAS, Section 20(c) of the Data Privacy Act of 2012 requires implementation of security measures, which must include safeguards to protect its computer network, and a process for identifying and accessing reasonably foreseeable vulnerabilities in its computer networks, and for taking preventive, corrective and mitigating action against security incidents that can lead to a security breach; and regular monitoring for security breaches;

WHEREAS, Section 20(f) of the Data Privacy Act of 2012 requires prompt notification of the National Privacy Commission ("NPC") and affected data subjects when sensitive personal information or other information that may, under the circumstances, be used to enable identity fraud are reasonably believed to have been acquired by an unauthorized person, which may likely give rise to a real risk of serious harm to any affected data subject; and

WHEREAS, to ensure compliance with Section 20(c) and 20(f) of the DPA, and to strengthen monitoring of threats and vulnerabilities that may affect or tend to affect personal data protection, towards privacy resilience in the country, Personal Information Controllers ("PICs") and Personal Information Processors ("PIPs") are required under Section 22 of NPC Circular 16-03 to submit to the Commission a summary of all reports of security incidents and personal data breaches.

WHEREFORE, in consideration of these premises, the National Privacy Commission hereby issues this Advisory to provide templates for security incident and personal data breach reporting.

SEC. 1. Scope. - This Advisory shall apply to all natural or juridical persons, or any other body in the government or private sector engaged in the processing of personal data within and outside of the Philippines, subject to the applicable provisions of the Data Privacy Act of 2012, its implementing rules and regulations, and other relevant issuances of the National Privacy Commission.

SEC. 2. Definition of Terms. - This Advisory shall refer to the Definition of Terms under NPC Circular 16-03.

SEC. 3. Templates. - This Advisory provides recommended templates for the reportorial requirements of the Commission on security incidents and personal data breaches:

1. Annual security incident reports to be submitted to the NPC by the PIC[1] and PIP,[2] provided that entities that are both PICs and PIPs shall submit both reports to the NPC;

2. Mandatory notification for the NPC[3] and for data subjects[4] for personal data breach events with mandatory notification requirements under the Data Privacy Act of 2012; and

3. Security incident reports[5] to be kept on the premises of the personal information controller or the personal information processor.

SEC. 4. Presumption. - Non-submission of the required Annual Security Incident and Personal Data Breach Reports shall create the presumption that no such security incident or personal data breach occurred during the covered period.

APPROVED

(SGD) IVY D. PATDU, MD, JD
Deputy Privacy Commissioner
Policies and Planning
(SGD) LEANDRO ANGELO Y. AGUIRRE
Deputy Privacy Commissioner
Data Processing Systems

(SGD) RAYMUND E. LIBORO
Privacy Commissioner



[1] Annex "A" - Summary of Annual Security Incident and Personal Data Breach Reports for PICs.

[2] Annex "B" - Summary of Annual Security Incident and Personal Data Breach Reports for PIPs.

[3] Annex "C" - Mandatory Notification: Personal Data Breach for National Privacy Commission.

[4] Annex "D" - Mandatory Notification: Personal Data Breach for Data Subjects.

[5] Annex "E" - Summary Report by PICs of Security Incidents Amounting to a Personal Data Breach not covered by mandatory notification requirements.

Annex "F" - Summary Report by PIPs of Security Incidents Involving Personal Data Processing on Behalf of Personal Information Controllers Amounting to a Personal Data Breach.

Annex "G" - Summary Report of Highly Confidential Information.