Frequently Asked Questions: Annual Security Incident Report

Our company did not register with the NPC as we believe we do not fall under any of the conditions for mandatory registration. Do we need to submit the Annual Security Incident Report?

Yes. All personal information controllers (PICs) and personal information processors (PIPs) are required to submit the Annual Security Incident Report if they had a security incident at any time from January 1 to December 31, 2017. This applies regardless of whether they registered with the NPC or not.


There are four templates in NPC Advisory 2018-02. Do I need to fill out all the templates and submit by June 30, 2018?

For the Annual Security Incident Report submission which is due on June 30, 2018, you only need to submit Annex A if you are a PIC, Annex B if you are a PIP, or Annexes A & B if you are both a PIC and PIP.

Please note that PIPs are likely to also be PICs in their own right, for example when they process the personal data of their own employees. As such, they will need to complete both Annexes A & B if they experienced any security incident within the calendar year.

On the other hand, Annexes C & D are templates for the Mandatory Personal Data Breach Notification, which you need to complete and transmit within seventy-two (72) hours upon knowledge of, or reasonable belief that, a reportable breach has occurred, as required by NPC Circular 2016-03.

A reportable breach happens when all these circumstances are present: (1) there is sensitive personal information involved or information that can be used to enable identity fraud; (2) there is reasonable ground to believe the data is in the hands of an unauthorized person; and (3) there is a likelihood of a real risk of serious harm to the data subject.


What does Section 4 – Presumption in NPC Advisory 2018-01 mean?

It means that PICs or PIPs that did not sustain any security incident do not need to submit any Annual Security Incident Report. Please note, however, that given the wide latitude of events that may be described as a security incident, the likelihood of that number being zero is close to nil.


What were the changes from NPC Advisory 18-01 to 18-02?

NPC Advisory 2018-02 updated the recommended templates, removing Annexes E, F and G since they are internal documents that need not be submitted to the NPC. These Annexes were initially included to aid PICs and PIPs in their internal security incident documentation. However, after considering stakeholders’ feedback, the Commission decided to remove them to avoid confusion and to allow PICs and PIPs to focus on the reports that they need to submit by June 30, 2018.


Can a single security incident affect confidentiality, integrity and availability all at the same time?

Yes. A security incident can be classified under more than one category. Further, a reportable breach is necessarily a data breach that involves confidentiality, and it may or may not also involve integrity and/or availability.


We submitted an Annual Report before the NPC released Advisory 18-02. Do we have to update it or submit another one using the recommended template?

No, you do not need to resubmit the report using the template.


What is the implication of not submitting the Annual Security Incident Report?

We would presume that you had no security incident whatsoever to report.


If I have already submitted the report via the digital form, do I also need to submit a hard copy?

No. We will accept the report in any of the three formats (the digital form, via email, or in hard copy). We prefer, however, that submissions be made through the digital form.

Take note that the system cannot send you an e-mailed acknowledgment that we have received your electronic submission.


Does the law or its IRR define a security incident?

A “security incident” is defined as an event or occurrence that:

  1. affects or tends to affect data protection, or
  2. may compromise the availability, integrity, and confidentiality of personal data.

It also includes incidents that would have resulted in a personal data breach if not for the safeguards that had been put in place.

This means that a security incident is not limited to events involving personal data. This definition should also be read in conjunction with Section 22 of NPC Circular 2016-03, which explicitly requires PICs and PIPs to report security incidents even if they do not involve personal data.
