Yes, all personal information controllers (PICs) and personal information processors (PIPs) are required to submit the Annual Security Incident Report if they had a security incident any time from January 1 to December 31, 2017. This is regardless whether they registered with the NPC or not.Back To Top
For the Annual Security Incident Report submission which is due on June 30, 2018, you only need to submit Annex A if you are a PIC, Annex B if you are a PIP, or Annexes A & B if you are both a PIC and PIP.
Please note that it is likely that PIPs are also PICs in their own right, such as when they process the personal data of their employees, among others. As such, they will need to accomplish Annexes A & B, if they experienced any security incident within the calendar year.
On the other hand, Annexes C & D are templates for Mandatory Personal Data Breach Notification which you need to accomplish and transmit within seventy-two (72) hours upon knowledge of or reasonable belief that a reportable breach has occurred, based on NPC Circular 2016-03.
A reportable breach happens when all these circumstances are present: (1) there is sensitive personal information involved or information that can be used to enable identity fraud; (2) there is reasonable ground to believe the data is in the hands of an unauthorized person; and (3) there is a likelihood of a real risk of serious harm to the data subject.Back To Top
It means that PICs or PIPs that did not sustain any security incident do not need to submit any Annual Security Incident Report. Please note, however, that given the wide latitude of events that may be described as a security incident, the likelihood of that number being zero is close to nil.Back To Top
NPC Advisory 2018-02 updated the recommended templates, removing Annexes E, F and G since they are internal documents that need not be submitted to the NPC. Said Annexes were initially included to aid PICs and PIPs in their internal security incident documentation. However, upon consideration of stakeholders’ feedback, the Commission decided to remove said Annexes to avoid confusion, and to allow PICs and PIPs to focus on the reports that they need to submit by June 30, 2018.Back To Top
Yes. A security incident can be classified under more than one category. Further, a reportable breach necessarily is a data breach that involves confidentiality, and it may or may not also involve integrity and/or availability.Back To Top
No, you do not need to resubmit the report using the template.Back To Top
We would presume you have no security incident whatsoever to report.Back To Top
No. We will accept the report in either of the three formats (the digital form, via email, or in hardcopy). We prefer, however, that submissions be thru the digital form.
Take note that the system cannot give you an e-mailed acknowledgment that we have received your electronic submission.Back To Top
A “security incident” is defined as an event or occurrence that:
It shall include incidents that would result to a personal data breach, if not for safeguards that have been put in place.
This means that a security incident does not need to involve only personal data. This definition should also be read in conjunction with Section 22 of NPC Circular 2016-03 that explicitly requires PICs and PIPs to report on security incidents, even if they don’t involve personal data.Back To Top