Security Requirements and Breach Notification
Do data privacy laws or regulations impose obligations to maintain information security controls to protect personal data from unauthorized access or processing?

Last review date: 7 January 2025

Yes.

  • general obligation to take appropriate / reasonable technical, physical and/or organizational security measures
  • obligation to take specific security measures, e.g., encryption
  • requirement to undertake third-party due diligence (security assessment of third-party providers)

Please note that NPC Circular No. 2023-06 sets out the minimum security requirements to protect personal data. The circular applies to both private and public sector entities.

Do other laws or regulations impose obligations to protect systems from cyberattack?

Last review date: 7 January 2025

  • financial services requirements
  • providers of critical infrastructure

Has there been regulatory activity – including enforcement action, investigations, regulatory guidance or other public statements by the regulator – relating to cybersecurity by the following regulators in the last 12 months?

  • data privacy
  • securities or public company
  • network information security
  • health
  • financial services
  • telecommunications
  • critical infrastructure
  • other

Does data privacy or cybersecurity law impose obligations to make notifications about personal data security breaches?

Last review date: 7 January 2025

Yes.

"Personal data breach" refers to a breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.

The obligation to notify the NPC and affected data subjects of a personal data breach arises if all of the following conditions are met:

  • The personal data involves sensitive personal information or any other information that may be used to enable identity fraud. For this purpose, "other information" includes: data about the financial or economic situation of the data subject; usernames, passwords and other login data; biometric data; copies of identification documents, licenses or unique identifiers like PhilHealth, SSS, GSIS, TIN number; or other similar information, which may be made the basis of decisions concerning the data subject, including the grant of rights or benefits.
  • There is reason to believe that the information may have been acquired by an unauthorized person.
  • The personal information controller or the NPC believes that the unauthorized acquisition is likely to give rise to a real risk of serious harm to any affected data subject.

Controllers/Owners have to notify:

Last review date: 7 January 2025

  • data protection authorities

The PIC should notify the NPC within 72 hours of having knowledge of a personal data breach requiring notification, or of the PIC or PIP forming a reasonable belief that such a breach has occurred.

Moreover, the PIC should notify the NPC by submitting a report, whether written or electronic, containing the required contents of notification within 72 hours of the detection of the breach. The report should also include the name of a designated representative of the PIC, and their contact details.

  • affected individuals

The PIC should notify the affected data subjects within 72 hours of having knowledge of a personal data breach requiring notification, or of the PIC or PIP forming a reasonable belief that such a breach has occurred.

In cases where the affected data subjects are minors, the PIC should notify both the children and their parents or guardians.

Processors/Agents have to notify:

Last review date: 7 January 2025

  • controller/owner

To facilitate the timely reporting of a personal data breach, the PIC should use contractual or other reasonable means to require the PIP to report any knowledge or reasonable belief that a personal data breach has occurred. The PIP should promptly report this to enable the PIC to comply with its obligation to notify the data protection authorities and affected individuals within 72 hours of detection of the breach.

Are there any additional sector-specific or non-personal data security breach notification requirements?

Last review date: 7 January 2025

Yes.

  • financial services requirements

Obligations of institutions supervised by Bangko Sentral ng Pilipinas (BSIs)

The Bangko Sentral ng Pilipinas supervises the operations of banks and exercises regulatory powers over finance companies and non-bank financial institutions performing quasi-banking functions, in accordance with the New Central Bank Act and other pertinent laws.

Details regarding the identified data security breach notification requirements

An information security incident or security breach refers to security events that have a significant probability of compromising business operations and threatening the confidentiality, integrity, or availability of a BSI's information system(s). All BSIs should report any cybersecurity issues to the Bangko Sentral ng Pilipinas within two hours of first detection and submit an updated report within 24 hours.