Nat’l Privacy Commission urges appointment of data protection officers in public and private sector
MANILA—The National Privacy Commission (NPC) has reiterated the need for data protection officers (DPO) in public and private organizations to deter future incidents of data breach and to ensure security of personal information.
NPC Chairman and Privacy Commissioner Raymund Liboro said the appointment of a DPO signifies the commitment of organizations to comply with the data privacy law and ensure the protection of personal data.
The DPO would be accountable for ensuring compliance with everything related to data privacy and security.
“Personal data handling is a public trust, and carries with it a burden of accountability. No amount of ignorance or legal naiveté can erase that accountability,” Liboro said.
“The Data Privacy Law of 2012 is about making sure those we entrust with our personal data are actually trustworthy by compelling them to do everything they can to protect it,” he added.
For his part, NPC spokesperson Atty. Rashy Rellosa said the data protection officer would help minimize the damage from theft of personal data and guarantee that the system cannot be breached.
The DPO’s job is focused on protecting data—from collection, to storage, to sharing and destruction. Part of this job includes providing data subjects with access to their personal data, and instructions on how they can object to processing and obtain relief when needed.
A DPO must be an advocate for the protection of people's right to data privacy, showing both a willingness to understand information security and privacy principles and the capability to monitor compliance.
The DPO is expected to facilitate compliance with the privacy act, which requires the following: adhering to data privacy principles, implementing organizational, physical and technical security measures, and upholding the rights of data subjects.
“For MSMEs that process personal data, the DPO can even be the business owner; what is important is developing a culture of privacy within their organization and ensuring their employees are aware of data privacy principles,” according to Liboro.
The NPC recently recommended the filing of criminal charges against Commission on Elections (Comelec) Chairman Andres Bautista over the breach of voter data that occurred between March 20 and 27, 2016.
In its decision dated December 28, 2016, the privacy body said Comelec had failed to designate an accountable officer for data privacy, as required under Section 21 of the Data Privacy Act of 2012. That section defines the DPO as an “individual or individuals who are accountable for the organization’s compliance” with the privacy law, so designated by the organization in the exercise of its duty as a “personal information controller” (PIC).
This requirement is echoed in the law’s implementing rules and regulations (IRR), under Section 26, which states that such individuals “shall function as data protection officer” and would “be accountable for ensuring compliance with applicable laws and regulations for the protection of data privacy and security.”
The National Privacy Commission is a regulatory and quasi-judicial body organized by virtue of RA 10173, otherwise known as the Data Privacy Act of 2012. Headed by one commissioner and two deputy commissioners, the agency is mandated to uphold the right to data privacy and ensure the free flow of information, with a view to promoting economic growth and innovation.