NPC issues rules governing personal data protection, certification of data handlers

THE National Privacy Commission (NPC) said it issued two circulars outlining the tasks of data handling personnel and laying down the rules governing certification of organizations deemed compliant with data-handling rules.

In a statement on Monday, the regulator said NPC Circular 2023-06, or the Security of Personal Data in the Government and Private Sector, took effect on March 30, while NPC Circular 2023-05 or the Prerequisites for the Philippine Privacy Mark Certification Program took effect on March 15.

In the circular implemented last week, the NPC set the general obligations of personal information controllers (PICs) and personal information processors (PIPs). 

These requirements include the designation of a data protection officer, the registration of data processing systems, the conduct of privacy impact assessments, the implementation of privacy management programs, the training of personnel, and compliance with NPC orders.

NPC 2023-06 also set provisions regarding the storage of personal data, limiting the storage for only a necessary duration, while outlining industry standards and best practices for protection.

The circular also provides that PICs and PIPs should have acceptable-use policies, secure authentication mechanisms, and measures for deleting data on mobile devices.

It also tasks PICs and PIPs with implementing a business continuity plan containing the organizations’ mitigation efforts during potential disruptive events.

“(The plan) must indicate the process of personal data backup, restoration, and remedial time, including the periodic review of the plan taking into account disaster recovery, privacy, business impact assessment, a crisis communications plan, and telecommuting policy, among others,” the NPC said.

Meanwhile, NPC Circular 2023-05 outlines the requirements for certifying PICs and PIPs and accrediting recipients of the Philippine Privacy Mark.

In this circular, PICs and PIPs seeking certification must attain the ISO/IEC 27001 and ISO/IEC 27701 standards for Information Security Management Systems and Privacy Information Management System, respectively.

Aside from meeting the standards for PICs and PIPs, certification bodies must also attain the ISO/IEC 17021-1 norm for accreditation. — Justine Irish D. Tabile