Guidelines on Security Incident and Personal Data Breach Reportorial Requirements
The NPC Advisory No. 2018-01 provides guidelines for reporting security incidents and personal data breaches in compliance with the Data Privacy Act of 2012. It emphasizes the constitutional right to privacy and outlines the responsibilities of Personal Information Controllers (PICs) and Personal Information Processors (PIPs) to implement security measures, report incidents, and notify affected individuals and the National Privacy Commission (NPC) promptly. Templates for annual security reports and mandatory notifications are included to standardize the reporting process. Failure to submit required reports will imply no incidents occurred during the reporting period. Overall, the advisory aims to enhance personal data protection and privacy resilience in the Philippines.
Law Information
- Reference Number: NPC Advisory No. 2018-01
- Date Enacted:
- Category: Other Rules and Procedures
- Subcategory: National Privacy Commission
- Jurisdiction: Philippines
- Enacting Body: Congress of the Philippines
Full Law Text
June 14, 2018
NPC ADVISORY NO. 2018-01
SUBJECT : Guidelines on Security Incident and Personal Data Breach Reportorial Requirements
WHEREAS, the right to privacy, which includes information privacy, is constitutionally protected and accorded recognition independent of its identification with liberty, and at the same time, Article II, Section 11 of the constitution emphasizes that the State values dignity of every human person and guarantees full respect for human rights;
WHEREAS, Section 20 (c) of the Data Privacy Act of 2012 requires implementation of security measures, which must include safeguards to protect its computer network, a process for identifying and assessing reasonably foreseeable vulnerabilities in its computer networks, and for taking preventive, corrective and mitigating action against security incidents that can lead to a security breach; and regular monitoring for security breaches;
WHEREAS, Section 20 (f) of the Data Privacy Act of 2012 requires prompt notification of the National Privacy Commission ("NPC") and affected data subjects when sensitive personal information or other information that may, under the circumstances, be used to enable identity fraud are reasonably believed to have been acquired by an unauthorized person, which may likely give rise to a real risk of serious harm to any affected data subject; and
WHEREAS, to ensure compliance with Section 20 (c) and 20 (f) of the DPA, and to strengthen monitoring of threats and vulnerabilities that may affect or tend to affect personal data protection, towards privacy resilience in the country, Personal Information Controllers ("PICs") and Personal Information Processors ("PIPs") are required under Section 22 of NPC Circular 16-03 to submit to the Commission a summary of all reports of security incidents and personal data breaches.
WHEREFORE, in consideration of these premises, the National Privacy Commission hereby issues this Advisory to provide templates for security incident and personal data breach reporting.
SECTION 1. Scope. — This Advisory shall apply to all natural or juridical persons, or any other body in the government or private sector engaged in the processing of personal data within and outside of the Philippines, subject to the applicable provisions of the Data Privacy Act of 2012, its implementing rules and regulations, and other relevant issuances of the National Privacy Commission.
SECTION 2. Definition of Terms. — This Advisory shall refer to the Definition of Terms under NPC Circular 16-03.
SECTION 3. Templates. — This Advisory provides recommended templates for the reportorial requirements of the Commission on security incidents and personal data breaches:
1. Annual security incident reports to be submitted to the NPC by the PIC [1] and PIP, [2] provided that entities that are both PICs and PIPs shall submit both reports to the NPC;
2. Mandatory notification for the NPC [3] and for data subjects [4] for personal data breach events with mandatory notification requirements under the Data Privacy Act of 2012; and
3. Security incident reports [5] to be kept on the premises of the personal information controller or the personal information processor.
SECTION 4. Presumption. — Non-submission of the required Annual Security Incident and Personal Data Breach Reports shall create the presumption that no such security incident or personal data breach occurred during the covered period.
APPROVED
(SGD.) IVY D. PATDU, MD, JD, Deputy Privacy Commissioner
(SGD.) LEANDRO ANGELO Y. AGUIRRE, Deputy Privacy Commissioner
(SGD.) RAYMUND E. LIBORO, Privacy Commissioner
ANNEX A
Summary of Annual Security Incident and Personal Data Breach Reports for PICs
SUMMARY
Annual Security Incident and Personal Data Breach Reports, January to December 2017
Sector: ____________________ City: _______________ Province: _______________
PERSONAL INFORMATION CONTROLLER

| Category | Number |
| --- | --- |
| Personal Data Breach, Mandatory Notification | <#> |
| Personal Data Breach, not covered by mandatory notification requirements | <#> |
| Other Security Incidents, not amounting to a personal data breach | <#> |
| Total | <#> |
Attack Vectors
How Security Incidents Occurred

| Types | Number | Types | Number |
| --- | --- | --- | --- |
| Theft | <#> | Communication Failure | <#> |
| Fraud | <#> | Fire | <#> |
| Sabotage/Physical Damage | <#> | Flood | <#> |
| Malicious Code | <#> | Design Error | <#> |
| Hacking/Logical Infiltration | <#> | User Error | <#> |
| Misuse of Resources | <#> | Operations Error | <#> |
| Hardware Failure | <#> | Software Maintenance Error | <#> |
| Software Failure | <#> | Third Party Services | <#> |
| Hardware Maintenance Error | <#> | Others | <#> |
Personal Data Breaches

| | Confidentiality | Integrity | Availability |
| --- | --- | --- | --- |
| Mandatory Notification Required | <#> | <#> | <#> |
| Mandatory Notification Not Required | <#> | <#> | <#> |

PREPARED BY: ____________________ DATE: __________
DESIGNATION: ____________________
ANNEX B
Summary of Annual Security Incident and Personal Data Breach Reports for PIPs
SUMMARY
Annual Security Incident and Personal Data Breach Reports, January to December 2017
PERSONAL INFORMATION PROCESSOR

| Category | Number |
| --- | --- |
| Security incidents involving personal data processing performed on behalf of PICs | <#> |
| Personal Data Breaches involving personal data processing performed on behalf of PICs | <#> |
| Personal Data Breaches reported to PICs | <#> |
| Total | <#> |
Attack Vectors
How Security Incidents Occurred

| Types | Number | Types | Number |
| --- | --- | --- | --- |
| Theft | <#> | Communication Failure | <#> |
| Fraud | <#> | Fire | <#> |
| Sabotage/Physical Damage | <#> | Flood | <#> |
| Malicious Code | <#> | Design Error | <#> |
| Hacking/Logical Infiltration | <#> | User Error | <#> |
| Misuse of Resources | <#> | Operations Error | <#> |
| Hardware Failure | <#> | Software Maintenance Error | <#> |
| Software Failure | <#> | Third Party Services | <#> |
| Hardware Maintenance Error | <#> | Others | <#> |
PREPARED BY: _______________ DATE: __________
DESIGNATION: _______________
ANNEX C
Mandatory Personal Data Breach Notification to Data Subjects
<NAME OF ENTITY>
<ADDRESS>
<CONTACT INFORMATION>
<DATE>
<DATA SUBJECT>
<ADDRESS>
Subject: <DATA BREACH> dated <DATE>
Dear <DATA SUBJECT>
I write in behalf of <ENTITY>, regarding your data in <BRIEF DESCRIPTION OF DATABASE>.
We regret to inform you that your data has been exposed in this data breach. To our understanding, your exposure is limited to: <DATA INVOLVED IN THE DATA BREACH>.
Nature of the Breach
• Provide a summary of the events that led up to the loss of control over the data. Do not further expose the data subject.
• Describe the likely consequences of the personal data breach.
Measures taken to Address the Breach.
• Provide information on measures taken or proposed to be taken to address the breach, and to secure or recover the personal data that were compromised.
• Include actions taken to inform affected individuals of the incident. In case the notification has been delayed, provide reasons.
• Describe steps the organization has taken to prevent a recurrence of the incident.
Measures taken to reduce the harm or negative consequences of the breach.
• Describe actions taken to mitigate or limit possible harm, negative consequences, damage or distress to those affected by the incident.
Assistance to be provided to the affected data subjects.
• Include information on any assistance to be given to affected individuals.
Do not hesitate to contact our Data Protection Officer for further information:

Data Protection Officer:
• <DATA PROTECTION OFFICER>
• <OFFICE ADDRESS>
• <E-MAIL ADDRESS>
• <TELEPHONE>
• <OTHER CONTACT INFORMATION>

We commit to providing you with more information as soon as it becomes available, with our best efforts.
Sincerely,
<ENTITY>
<HEAD OF AGENCY/DATA PROTECTION OFFICER>
ANNEX D
Mandatory Notification: Personal Data Breach for the National Privacy Commission
<NAME OF ENTITY>
<DATE>
<PRIVACY COMMISSIONER>
Subject: <DATA BREACH> dated <DATE> of <DATABASE>
Gentlemen:
I write in behalf of <ENTITY>, in relation to the data breach of <DATE>, involving <BRIEF DESCRIPTION OF DATA>. This notification is made pursuant to the mandatory data breach notification procedure in Philippine law to the National Privacy Commission.
Responsible Officers. The pertinent details of <ENTITY>, and the responsible persons thereof, are as follows:

| Role | Name | Office Address | E-mail Address | Telephone | Other Contact Info |
| --- | --- | --- | --- | --- | --- |
| Head of the Organization | <NAME> | <OFFICE ADDRESS> | <E-MAIL ADDRESS> | <TELEPHONE> | <OTHER CONTACT INFO> |
| Data Protection Officer | <NAME> | <OFFICE ADDRESS> | <E-MAIL ADDRESS> | <TELEPHONE> | <OTHER CONTACT INFO> |
| Process Owner | <NAME> | <OFFICE ADDRESS> | <E-MAIL ADDRESS> | <TELEPHONE> | <OTHER CONTACT INFO> |
Nature of the Breach. In brief, we describe the nature of the incident, thus:
• Describe the nature of the personal data breach.
ANNEX E
Summary Report by PICs of Security Incidents Amounting to a Personal Data Breach not covered by mandatory notification requirements
| Personal Data Breach No. <#> | <NAME OF DATA PROCESSING SYSTEM> |
| --- | --- |
| Facts | <Who are the main people responsible> |
| Effects/Consequences | <What were the effects or consequences of the data breach?> |
| Remedies/Action Taken | <How long did it take to resolve the matter?> |
ANNEX F
Summary Report by PIPs of Security Incidents Involving Personal Data Processing on Behalf of Personal Information Controllers Amounting to a Personal Data Breach
| Personal Data Breach No. <#> | <NAME OF DATA PROCESSING SYSTEM> |
| --- | --- |
| Facts | <Who are the main people responsible> |
| Effects/Consequences | <What were the effects or consequences of the data breach?> |
| Remedies/Action Taken | <How long did it take to resolve the matter?> |
ANNEX G
Summary Report of Highly Confidential Information
<NAME OF ENTITY>
HIGHLY CONFIDENTIAL
Reference Number:
Name of Data Protection Officer: <NAME OF THE DPO>
E-mail Address: <E-MAIL ADDRESS OF THE DPO>
Today's Date: <DATE REPORTED AND SUBMITTED>
Tel. No.: <OFFICE TEL. NO. OF THE DPO>
Any prior personal data breach within this calendar year? [ ] Yes [ ] No
Date and Time of Security Incident:
Status of Security Incident: <New, In Progress, Forwarded for Investigation, Resolved, etc.>
Who Was Notified: <NAME AND CONTACT DETAILS OF THE DATA PROTECTION OFFICER OR ANY OTHER ACCOUNTABLE PERSONS> <i.e., DPO — Supervisor — Law Enforcement — Director of IT — Internal Auditor, Head of Agency — Other (Please Specify)>
Date and Time of Notification:

Summary of the Security Incident: Brief Description of Event

Facts
• <Who are the main people responsible>
• <What are the events surrounding the security incident?>
• <Where was the data located, stored, or otherwise processed?>
• <When did the security incident happen?>
• <How was the security incident detected?>
• <Why did the security incident happen?>

Effects/Consequences
• <What were the effects or consequences of the security incident?>
• <How was the data affected?>
• <Who were the data subjects affected?>
• <How were the data subjects affected?>
• <How long did it take to affect the data subjects?>

Remedies/Action Taken
• <How long did it take to resolve the matter?>
• <Who took charge in the remedial effort?>
• <What actions were taken by such persons in charge?>
• <When was the situation completely resolved?>
• <What measures did the PIC take to ensure the data breach does not happen again?>

Use another page, if necessary.

Initiated By: __________ Date: __________
Reviewed By: __________ Date: __________
Footnotes
1. Annex "A" — Summary of Annual Security Incident and Personal Data Breach Reports for PICs.
2. Annex "B" — Summary of Annual Security Incident and Personal Data Breach Reports for PIPs.
3. Annex "C" — Mandatory Notification: Personal Data Breach for National Privacy Commission.
4. Annex "D" — Mandatory Notification: Personal Data Breach for Data Subjects.
5. Annex "E" — Summary Report by PICs of Security Incidents Amounting to a Personal Data Breach not covered by mandatory notification requirements.
Annex "F" — Summary Report by PIPs of Security Incidents Involving Personal Data Processing on Behalf of Personal Information Controllers Amounting to a Personal Data Breach.
Annex "G" — Summary Report of Highly Confidential Information.
Cite This Law
Guidelines on Security Incident and Personal Data Breach Reportorial Requirements, NPC Advisory No. 2018-01, Jun 14, 2018 (Philippines)
Guidelines on Security Incident and Personal Data Breach Reportorial Requirements, NPC Advisory No. 2018-01 (Phil. 2018)
Related Laws
- Personal Data Breach Management • NPC Circular No. 2016-03 • Dec 15, 2016 • Other Rules and Procedures
- Security of Personal Data in Government Agencies • NPC Circular No. 2016-01 • Oct 10, 2016 • Other Rules and Procedures
- Policy and Guidelines on Cyber Security • DOTr-OTS Memorandum Circular No. 2019-03 • Apr 10, 2019 • Other Rules and Procedures
- Privacy Guidelines on the Processing and Disclosure of COVID-19 Related Data for Disease Surveillance and Response • DOH-NPC Joint Memorandum Circular No. 2020-0002 • Apr 24, 2020 • Other Rules and Procedures
- Guidelines on Digital Land Data Sharing and Security Measures of Land Administration and Management System (LAMS) Philippines Transactions • DENR Administrative Order No. 2018-15 • Jul 11, 2018 • Other Rules and Procedures
- Guidelines on Privacy Impact Assessments • NPC Advisory No. 2017-03 • Jul 31, 2017 • Other Rules and Procedures