The National Privacy Commission (NPC) is setting a March deadline for the submission of the 2017 Annual Incident Report of personal information controllers (PICs).
In a statement on Thursday, the data-privacy authority reminded the designated personal-information controllers of businesses to submit the report of security incidents that affect personal data under a PIC’s control, including the number of security incidents that affect personal data in each calendar year.
According to the Data Privacy Act, a PIC is any person or organization who controls the collection, holding, processing or use of personal information, including a person or organization who instructs another person or organization to collect, hold, process, use, transfer or disclose personal information on his or her behalf.
As per the circulars of the NPC, PICs are tasked to report these security incidents annually. Security incidents are events that have an impact on the availability, integrity or confidentiality of personal data, even if these adverse events prove unsuccessful.
Among the security incidents included in the report’s scope are cyber attacks on a personal-information database, and unauthorized alteration in a database that alters the personal records of an individual, to that individual’s detriment. But a cyber attack that uncovers industrial secrets but does not involve the processing of personal information does not fall under the definition of a security incident.
NPC Commissioner Raymund Liboro said that, with the March deadline, PICs can review their privacy program and their collation of the report.
“We want to give PICs ample opportunity to audit their privacy program and improve their organization’s efficiency in the way they manage their security incidents. These reports are an essential signpost of any PIC’s commitment to protecting the personal data of its customers and employees. I encourage the PICs concerned to check the NPC web site for further guidance,” Liboro said in a statement.