The National Privacy Commission (NPC) has reiterated that chief executives of public and private organizations that process personal information must designate their own Data Protection Officers (DPOs), stressing the urgency of doing so following its decision on the "Comeleak" breach, which was made public last week.
NPC Chairman and Privacy Commissioner Raymund Enriquez Liboro said organizations that have yet to comply with the Data Privacy Act of 2012 should immediately appoint their own DPO, who would be accountable for ensuring compliance with everything related to data privacy and security. Liboro said officially designating a DPO signals an organization's "commitment to comply" with the law.
"Personal data handling is a public trust, and carries with it a burden of accountability. No amount of ignorance or legal naiveté can erase that accountability," Liboro said.
"The Data Privacy Law of 2012 is about making sure those we entrust with our personal data are actually trustworthy by compelling them to do everything they can to protect it," Liboro added.
In its decision dated December 28, 2016, the privacy body said COMELEC had failed to designate an accountable officer for data privacy, as required under Section 21 of the Data Privacy Act of 2012.
"If you process a lot of personal data, you could be a disaster waiting to happen if you fail to apply the principles provided in the law," Liboro said.
In Section 21 of the Data Privacy Act of 2012, the DPO is defined as an "individual or individuals who are accountable for the organization’s compliance" with the privacy law, so designated by the organization in the exercise of its duty as a "personal information controller" (PIC). This requirement is echoed in the law's implementing rules and regulations (IRR), under Section 26, which states that such individuals "shall function as data protection officer" and would "be accountable for ensuring compliance with applicable laws and regulations for the protection of data privacy and security."
“The DPO is essentially tasked to champion people's privacy rights from within his or her organization. In so doing, the DPO is able to minimize the risks of privacy breaches, address underlying problems, and reduce the damage arising from breaches if and when they do occur.
“Complying with the law produces a lot of upside. Showing the public your commitment to protect their personal data leads to increased consumer trust and thus higher patronage,” Privacy Commissioner Liboro said.
The DPO is expected to facilitate compliance with the privacy act, which requires the following:
Adherence to data privacy principles
Implementing organizational, physical and technical security measures
Upholding the rights of data subjects
With a view to upholding the rights of data subjects, the DPO’s job is focused on protecting data throughout its lifecycle, from collection to storage, sharing and destruction. Part of this job includes providing data subjects with access to their personal data, and instructions on how they can object to processing and obtain relief when needed.
“What is absolutely required of the DPO is willingness to understand information security and privacy principles and the capability to monitor compliance based on the law. Or in short, he or she has to be an advocate for the privacy rights of the data subject,” Liboro said. “For MSMEs that process personal data, the DPO can even be the business owner; what is important is developing a culture of privacy within their organization and ensuring their employees are aware of data privacy principles,” Liboro added.
A DPO, however, could not effectively function in a vacuum. Apart from a strong strategic framework, the job requires committed support from top management.
Lauding National Government Agencies that comply with the law
From recent consultations with several National Government Agencies, the Commission was pleased to note that some agencies have been complying, or are starting to comply, with the provisions of the Data Privacy Act of 2012, such as the Department of Health, Philhealth and the Department of National Defense, to name a few. Privacy Commissioner Liboro also noted, “Even the NEDA has a designated Data Protection Officer who was appointed by management years ago after the law had been passed. The MMDA, upon the instructions of Chairman and GM Thomas Orbos, has recently appointed its own Data Protection Officer to comply with the law.” He added, “The proactive heads of these agencies must be commended for displaying zeal in protecting personal data in their agencies’ possession.”