The National Privacy Commission (NPC) released circulars aimed at further enhancing personal data protection in the Philippines.
“Through these Circulars, the NPC aims to guide organizations in further complying with the Data Privacy Act of 2012, its implementing rules and regulations, and other issuances of the NPC,” said Privacy Commissioner Atty. John Henry Naga.
The NPC Circular 2023-05, which came into effect on March 15, 2024, lists what organizations and Certification Bodies (CBs) need to do to join the Philippine Privacy Mark (PPM) Certification Program. The NPC Circular 2023-06, which repeals NPC Circular No. 16-01 took effect on March 30, 2024, looks after how personal data is kept safe in the government and private sectors.
READ:
NPC releases changes in data processing for loan transactions
NPC cautions on potential data privacy violations in use of ‘cc’ in emails
This initiative, designed to ensure the secure processing of personal information, mandates adherence to rigorous standards. Under this circular, entities seeking certification must be compliant with ISO/IEC 27001 and ISO/IEC 27701 standards for Information Security Management Systems (ISMS) and Privacy Information Management System (PIMS), respectively. Certification Bodies (CBs) are also required to meet these standards, alongside ISO/IEC 17021-1 for accreditation.
Updated requirements
The second circular, NPC Circular 2023-06, focuses on the security of personal data in both government and private sectors. It lays out updated requirements for data security, emphasizing obligations such as the appointment of a data protection officer, conducting Privacy Impact Assessments (PIA), implementing Privacy Management Programs, and adhering to NPC directives.
NPC Circular 2023-06 provides detailed provisions regarding the storage and access to personal data, including stringent measures for authorized personnel and secure authentication mechanisms. It also mandates the formulation of Business Continuity Plans to mitigate potential disruptions, ensuring the integrity and availability of personal data.