Exercising Breach Reporting Procedures

Please click this link to access the Data Breach Notification Management System (DBNMS).

Personal Data Breach and Security Incidents

A security incident is an event or occurrence that affects or tends to affect data protection, or may compromise the availability, integrity, and confidentiality of personal data. It shall include incidents that would result in a personal data breach if not for the safeguards that have been put in place.

A personal data breach refers to a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed. A personal data breach may be in the nature of:

  1. An availability breach resulting from loss, accidental or unlawful destruction of personal data;
  2. An integrity breach resulting from alteration of personal data; and/or
  3. A confidentiality breach resulting from the unauthorized disclosure of or access to personal data.

Examples of a personal data breach:

    (1) Lost or stolen laptops, removable storage devices, or paper records containing personal information;

    (2) Databases containing personal information being “hacked” into or otherwise illegally accessed by individuals outside of the agency or organization.

Security Incident Management Policy

All personal information controllers (“PIC”) and processors must implement a security incident management policy. This policy is for managing security incidents, including data breaches.

In drafting your security incident management policy and personal data breach management procedure, the following must be included:

  • Creation of a security incident response team, with members that have clearly defined responsibilities, to ensure timely action in the event of a security incident or personal data breach;
  • Implementation of organizational, physical, and technical security measures and personal data privacy policies intended to prevent or minimize the occurrence of a personal data breach and assure the timely discovery of a security incident;
  • Implementation of an incident response procedure intended to contain a security incident or personal data breach and restore integrity to the information and communications system;
  • Mitigation of possible harm and negative consequences to a data subject in the event of a personal data breach; and
  • Compliance with the Data Privacy Act, its IRR, and all related issuances by the NPC pertaining to personal data breach notification.

The Security Incident Management Policy must also include measures intended to prevent or minimize the occurrence of a personal data breach. These measures include:

  • Conduct of a privacy impact assessment to identify attendant risks in the processing of personal data. It shall consider the size and sensitivity of the personal data being processed, and the impact and likely harm of a personal data breach;
  • Data governance policy that ensures adherence to the principles of transparency, legitimate purpose, and proportionality;
  • Implementation of appropriate security measures that protect the availability, integrity, and confidentiality of personal data being processed;
  • Regular monitoring for security breaches and vulnerability scanning of computer networks;
  • Capacity building of personnel to ensure knowledge of data breach management principles, and internal procedures for responding to security incidents;
  • Procedure for the regular review of policies and procedures, including the testing, assessment, and evaluation of the effectiveness of the security measures.

Security Incident Response Team

The Security Incident Response Team is responsible for:

  • Implementing the security incident management policy of the personal information controller or personal information processor;
  • Managing security incidents and personal data breaches; and
  • Ensuring compliance by the personal information controller or personal information processor with the relevant provisions of the Act, its IRR, and all related issuances by the Commission on personal data breach management.

The functions of the Security Incident Response Team may be outsourced and there is no precise formula for its composition. However, its members must, as a collective unit, be ready to assess and evaluate a security incident, restore integrity to the information and communications system, mitigate and remedy any resulting damage, and comply with reporting requirements.

Data Breach Notification Management System

The Data Breach Notification Management System (DBNMS) is a user-friendly interface that facilitates easy notification and tracking of reports.

After successfully creating an account, the PIC may proceed with the submission of a Personal Data Breach Notification (PDBN) or an Annual Security Incident Report (ASIR).

To guide you in navigating the DBNMS, please watch the videos below:

  1. How to create a DBNMS account
  2. How to submit a Personal Data Breach Notification report
  3. How to comply with the required documents and information
  4. How to submit an Annual Security Incident Report

For concerns relating to the system, email us at [email protected]

Annual Security Incident Reports

An Annual Security Incident Report (ASIR) is a report to the Commission containing all security incidents and personal data breaches in a calendar year, including those not covered by the mandatory notification requirements. ASIRs shall be submitted to the Commission annually and contain the following information:

  1. number of incidents and breaches encountered; and
  2. number of incidents classified according to their causes and as to whether they are considered mandatory or voluntary data breach notifications or other security incidents.

Following the launch of the DBNMS, the Commission ONLY accepts submission of ASIRs through the System. Any ASIR submitted outside of the DBNMS shall not be considered as valid. The deadline for the submission of ASIRs for the years 2018 to 2021 is on 31 October 2022. For 2022 ASIRs, the DBNMS shall accept submissions from 1 January 2023 to 31 March 2023.

As provided in the DBNMS, the following information must be accomplished in the ASIR:

Personal Information Controller Tab – contains the general information of the breaches or incidents encountered:

  1. Year – of the Report
  2. City/Municipality – where the PIC is located
  3. Summary of Security Incidents (SI) and Privacy Breaches – number of Security Incidents and Privacy Breaches for the previous Year:
    • Mandatory Breach Notification
    • Voluntary Breach Notification
    • Other security incident

How Security Incidents Occurred Tab – contains the number of Security Incidents and Privacy Breach reports according to cause:

    (1) Theft – committed by any person who, with intent to gain but without violence against or intimidation of persons nor force upon things, shall take personal property of another without the latter’s consent. The act includes any person who having found a lost property refused to deliver the same to the local authorities or to the owner and any person who after having maliciously damaged the property of another, shall remove or make use of the fruits or object of the damage caused by him (Article 308, Revised Penal Code)

    (2) Identity Fraud – incidents or events that resulted in a successful attempt to use someone’s identity.

    (3) Sabotage / Physical damage – incidents or events resulting from an internal or external deliberate act of destruction or disruption of the organization’s personal data processing.

    (4) Malicious code – harmful computer programming scripts designed to create or exploit system vulnerabilities. This code is designed by a threat actor to cause unwanted changes, damage, or ongoing access to computer systems. Malicious code may result in back doors, security breaches, information and data theft, and other potential damages to files and computing systems (Kaspersky Resource Center)

    (5) Hacking – the act of compromising digital devices and networks through unauthorized access to an account or computer system.

    (6) Misuse of Resources – incidents or events that resulted in a deviation from the intended use of any element of a personal data processing system needed to perform required operations.

    (7) Hardware Failure – incidents or events that resulted in the termination of the ability of all or part of the physical components of a personal data processing system to perform.

    (8) Software Failure – incidents or events that resulted in the termination of the ability of all or part of the programs, procedures, rules, and associated documentation of a personal data processing system to perform a required function.

    (9) Communication Failure – incidents or events that resulted in the unexpected release of personal data through any communication means or platform.

    (10) Natural disaster – incidents or events resulting from the abnormal intensity of a natural agent (flood, mudslide, earthquake, avalanche, drought) that caused availability issues.

    (11) Design Error – incidents or events resulting from an incorrect, incomplete, or poorly communicated design of a system or software that fails to reduce the possibility of users making mistakes.

    (12) User error – incidents or events resulting from a mistake of human action or inaction that produced an unintended result.

    (13) Operations error – incidents or events resulting from improper execution of the organization’s operational procedures.

    (14) Software Maintenance Error – incidents or events resulting from improper execution of software maintenance, such as improving and boosting software performance and correcting issues or bugs.

    (15) Third Party / Service Provider – incidents or events that exposed personal data of the organization and were caused by its official third-party partners or service providers.

    (16) Others – incidents or reports that do not fall under any of the categories mentioned above.

Mandatory Notification

Not all personal data breaches need to be notified to the NPC and the affected data subjects. Notification is mandatory only when ALL of the following elements are present:

  • There is a breach of sensitive personal information or other information that may, under the circumstances, be used to enable identity fraud. Other information includes, but is not limited to, the following:
    • Data about the financial or economic situation of the data subject;
    • Usernames, passwords, and other login data;
    • Biometric data;
    • Copies of identification documents, licenses, or unique identifiers like Philhealth, SSS, GSIS, TIN number; or
    • Other similar information, which may be made the basis of decisions concerning the data subject, including the grant of rights or benefits.
  • The data is reasonably believed to have been acquired by an unauthorized person; and
  • The personal information controller believes that the data breach is likely to give rise to a real risk of serious harm to the affected data subject.

When there is doubt as to whether notification is necessary, consider the following factors:

  1. The likelihood of harm or negative consequences on the affected data subjects;
  2. How notification, particularly of the data subjects, could reduce the risks arising from the personal data breach reasonably believed to have occurred; and
  3. If the data involves:
    • Information that would likely affect national security, public safety, public order, or public health;
    • At least one hundred (100) individuals;
    • Information required by all applicable laws or rules to be confidential; or
    • Personal data of vulnerable groups.

This obligation to notify remains with the personal information controller even if the processing of information is outsourced or subcontracted to a personal information processor.

Personal Data Breach Notification Form (PDBNF)

A Personal Data Breach Notification Form (PDBNF) is an online form used for the submission of a personal data breach notification for those breaches that meet all the elements of mandatory reporting. If the incident does not meet all these requirements, document it and include it in the Annual Security Incident Report to be submitted to the NPC in the following year.

Following the launch of the DBNMS, the Commission ONLY accepts submission of PDBNFs through the System. Any PDBNF submitted outside of the DBNMS shall not be considered valid.

PDBNFs should be accomplished and submitted within seventy-two (72) hours upon knowledge of or the reasonable belief by the personal information controller or personal information processor that a personal data breach has occurred.

The following pieces of information must be stated in the PDBNF:

Notification Type Tab
  • Representative Field and Email address – If the PIC is being represented by another individual, firm, or entity (such as a law firm), the representative’s name and corresponding email address shall be indicated. If the PIC is not being represented, simply copy the name of the PIC and its registered email address.
  • Date of Occurrence and Date of Discovery – Indicate the significant dates of the incident. If the date of occurrence of the incident cannot be determined at the time of notification, leave it blank.
  • Brief Summary – Indicate a short but substantive description of the nature of the breach being reported. It must, at the very least, state the short facts constituting the requirements for mandatory breach reporting.
  • Notification Type – (a) Involves SPI or data that may enable identity fraud; (b) Acquired by an unauthorized person; (c) Likely to give rise to a real risk of serious harm to data subjects. For each applicable field, provide a brief explanation.

Personal Data Breach Notification Details Tab
  • General cause and specific cause
  • With Request – refers to any request made to the Commission in relation to the PDBNF (see Preliminary request).
  • How breach occurred + DPS vulnerability – description of how the breach occurred and the vulnerability of the data processing system that made the breach possible.
  • Chronology – the chronology of events from discovery of the incident until recovery.
  • Number of DS/Records – approximate number of affected data subjects and/or records.
  • Description/Nature – Determine the nature of the breach (availability, integrity, or confidentiality breach): (a) Availability breach resulting from loss, accidental, or unlawful destruction of personal data; (b) Integrity breach resulting from alteration of personal data; (c) Confidentiality breach resulting from the unauthorized disclosure of or access to personal data. The nature of the breach may be a combination of any of the foregoing (e.g., an integrity and confidentiality breach).
  • Likely consequences – describe how the incident will affect both the Personal Information Controller and its data subjects.
  • DPO – Name of the data protection officer or any other accountable person, and his/her contact information.
  • SPI – indicate/enumerate the Sensitive Personal Information compromised. SPI pertains to personal information about any of the following: (a) an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations; (b) an individual’s health, education, genetic or sexual life, or any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings; (c) information issued by government agencies peculiar to an individual, which includes, but is not limited to, social security numbers, previous or current health records, licenses or their denial, suspension or revocation, and tax returns; and (d) information specifically established by an executive order or an act of Congress to be kept classified.
  • Other info that may enable identity fraud – data about the financial or economic situation of the data subject; usernames, passwords and other log-in credentials; biometric data; copies of identification documents, licenses or unique identifiers like Philhealth, SSS, GSIS, TIN; or other similar information which may be made the basis of decisions concerning the data subject, including the grant of rights or benefits.
  • Measures to address the breach – specific measures taken to address the incident, including the results of the investigation conducted.
  • Measures to secure/recover personal data – actual measures taken to secure or recover personal data.
  • Actions to inform data subjects – the actual manner of notification (e.g., email, physical mail, etc.), including any assistance extended to data subjects, if applicable.
  • Measures to prevent recurrence of the incident – actual or proposed actions to address the compromised vulnerability and prevent the same incident from happening in the future.
  • Record type – type of records that were compromised (e.g., digital records in an electronic system).
  • Data subjects – type of data subjects affected, who may be the PIC’s (a) own employees, (b) customers, (c) vulnerable groups, or (d) others.

Requests in Relation to Data Breach Notifications

If it is not reasonably possible to submit a complete Personal Data Breach Notification Form to the Commission or to notify the data subjects within the prescribed period, the Personal Information Controller is still required to submit a PDBNF, with the information available at hand, along with any of the following requests:

  • Exemption from data subject notification
    • A personal information controller may be exempted from the notification requirement if it is not reasonably possible to notify the data subjects within the prescribed period, provided that the Commission determines that such notification would not be in the public interest or in the interest of the affected data subjects.
  • Postponement of data subject notification
    • The Commission may authorize the postponement of notification where it is not reasonably possible to notify the data subjects within the prescribed period and notification may hinder the progress of a criminal investigation related to a serious breach, taking into account the following circumstances: (a) information that would likely affect national security, public safety, public order, or public health; (b) at least one hundred (100) individuals; (c) information required by applicable laws or rules to be confidential; (d) personal data of vulnerable groups; and (e) other risks posed by the personal data breach.
  • Extension of time for submission of the Full Report and other documents
    • The full report of the personal data breach must be submitted within five (5) days, unless the personal information controller is granted additional time by the Commission to comply.
  • Alternative means of notification to affected data subjects
    • Notification of affected data subjects shall be done individually. However, if individual notification is not possible or would require a disproportionate effort, the PIC may request the approval of the NPC to use alternative means of notification, such as public communication or any similar measure.

Request(s) shall be submitted with the PDBNF. Request shall be resolved by the Commission and an Order or Resolution granting or denying the request shall then be issued through the DBNMS. The Commission may also require the PIC to submit additional information for further evaluation.

Data Subject Notification

Under the Data Privacy Act, the data subject has the right to be notified. In the enforcement of this right, the PIC MUST NOTIFY the data subject within seventy-two (72) hours upon knowledge of or reasonable belief that a personal data breach has occurred.

  • The notification may be made based on available information within the 72-hour period if the personal data breach is likely to give rise to a real risk to the rights and freedoms of data subjects;
  • Notification to the data subjects must be sent individually, either by written or electronic means; and
  • The notification shall have the same content as that made to the National Privacy Commission, but shall also include instructions on how data subjects may obtain further information, and recommendations on how to minimize risks resulting from the breach and how to secure any form of assistance.

Delay in the notification to data subject

Generally, there shall be no delay in notification, except to the extent necessary to:

  • determine the scope of the breach;
  • prevent further disclosures; or
  • restore reasonable integrity to the information and communications system.

If the breach involves at least one hundred (100) data subjects, or the disclosure of sensitive personal information will harm or adversely affect the data subject, delay is not allowed. In both instances, the Commission shall be notified within the 72-hour period based on available information. If it is not possible to notify the affected data subjects within the required period, the PIC may submit a request for postponement of data subject notification through the DBNMS.

Failure to notify

If the PIC fails to notify the Commission or data subjects, or there is unreasonable delay in the notification, the Commission shall determine whether such failure or delay is justified. Failure to notify shall be presumed if the Commission does not receive notification from the personal information controller within five (5) days from knowledge of or upon a reasonable belief that a personal data breach occurred. In this case, the PIC may be sanctioned either under the Guidelines on Administrative Fines (NPC Circular No. 2022-01) or the DPA.

Under Section 30 of the DPA, Concealment of Security Breaches involving Sensitive Personal Information is committed by those who, having knowledge of the security breach and an obligation to inform the NPC of the fact of such a breach, either intentionally or by omission fail to inform the NPC that the breach has happened. This carries a penalty of imprisonment from one (1) year and six (6) months to five (5) years, and a fine of Five Hundred Thousand Pesos (P500,000.00) to One Million Pesos (P1,000,000.00).

Under NPC Circular No. 2022-01, any failure to notify the NPC and the affected data subject(s) of a personal data breach pursuant to Section 20 (f) of the DPA that is not covered by Section 30 of the DPA (Concealment of Security Breaches involving Sensitive Personal Information) makes the PIC administratively liable for a fine equivalent to 0.25% to 2% of its annual gross income for the year immediately preceding the violation.

Evaluation and Investigation

Upon receipt of the PDBNF, the evaluating officer shall prepare the Breach Notification Evaluation Report (BNER). After receipt of all the documents required to assess the submission, the CMD shall either endorse the case to the Complaints and Investigation Division (CID) for further investigation, docketing it as a sua sponte case, if there is a finding of a possible data privacy violation; otherwise, the case will be endorsed to the Commission en banc for direct adjudication of the other issues.

The investigation by the CID may include an on-site examination of systems and procedures and/or a technical investigation. During the investigation, the PIC may be required by the investigating team to furnish additional information, documents or evidence, or to produce additional witnesses.