The Philippine government has been using the same rules for handling classified information since 1964, long before computers, the internet, cloud computing, and artificial intelligence (AI) became part of everyday government operations.
That changes with Executive Order (EO) No. 119 signed by President Ferdinand Marcos Jr., which introduces new rules on where government data can be stored, how it should be classified, and which information must remain inside the Philippines.
The order replaces Memorandum Circular No. 78, a policy written when government records were kept on paper. Today, agencies increasingly rely on digital systems to deliver public services, making it necessary to update rules for protecting government information.
“Data is the foundation of our digital future. We must protect critical government information while ensuring that the Philippines remains open to innovation, cloud technologies, and global digital partnerships,” said DICT Secretary Henry R. Aguda.
One of the biggest changes under EO 119 is the introduction of a data residency framework. Instead of requiring all government information to be handled the same way, the order classifies data according to its sensitivity.
Highly classified information marked Top Secret and Secret must be stored only within Philippine territory, including Philippine embassies and consulates overseas. Confidential data will generally remain in the country but may be processed or stored abroad if approved and protected by appropriate safeguards.
Less sensitive information classified as Restricted and Open Access may be stored on secure cloud platforms that meet cybersecurity and encryption standards.
For ordinary Filipinos, the changes are largely happening behind the scenes. But they affect how government agencies adopt technologies such as cloud computing, online public services, and AI while ensuring sensitive government information remains protected.
The order also gives technology companies clearer rules when providing cloud and digital infrastructure services to government agencies. Until now, companies have faced uncertainty because the country’s data classification policy was written decades before modern digital services existed.
The Department of Information and Communications Technology (DICT), which drafted the policy, said it consulted more than 50 stakeholders, including government agencies, security organizations, the National Privacy Commission, foreign chambers of commerce, business groups, telecommunications companies, cloud providers, and digital infrastructure operators. The department also reviewed 18 formal position papers before finalizing the framework.
The executive order applies only to government-owned information. It does not affect data owned by private companies or personal information held by businesses.
To oversee implementation, EO 119 creates the Joint Oversight Committee for Data Classification, co-chaired by the DICT and the National Security Council. The committee will issue implementing guidelines within 120 days after the order takes effect.
Government agencies will have three years to comply. During the first year, agencies will identify and classify their data. Compliance for Top Secret and Secret information will be required in the second year, while full implementation for all government data classifications will follow in the third year.