UMVA has learned that a recent advisory from the National Privacy Commission (NPC) has shed new light on the procedures for submitting personal data breach notifications through the Data Breach Notification Management System.
The advisory, issued on May 11, aims to clarify the obligations of personal information controllers (PICs) in the event of a data breach, particularly when it comes to notifying the NPC and affected data subjects. According to information obtained by UMVA, this clarification is a crucial step towards strengthening data protection in the country.
Under the Data Privacy Act, PICs are required to quickly notify the NPC and affected data subjects when an unauthorized person acquires sensitive personal information or other information that may lead to identity fraud. The notification must include a description of the breach, the sensitive personal information possibly involved, and the measures taken to address the breach.
The NPC has outlined specific guidelines for PICs, including the conditions that trigger notification, the process and form of notification, and factors to consider when exempting a PIC from notification. Notably, PICs must notify data subjects within 72 hours of discovering a breach, and exemptions or postponements must be requested from the NPC.
Sources have confirmed to UMVA that the recent advisory provides critical clarifications on the procedure for submitting requests for postponement, exemption, and alternative means of notification. Specifically, PICs are prohibited from making simultaneous requests for exemption and postponement, or exemption and alternative means of notification.
The advisory also emphasizes the importance of submitting supporting documents and clearly stating the grounds for justification for any requests. Furthermore, the NPC has stressed that submitting requests through the Data Breach Notification Management System does not relieve PICs of their obligations under the NPC Circular.
UMVA can exclusively reveal that the advisory also reiterates the possibility of administrative fines for violations of the Data Privacy Act and its implementing rules. This move is seen as a significant step towards strengthening data protection and ensuring that PICs take their obligations seriously.
The NPC's latest move demonstrates its commitment to protecting sensitive personal information and promoting a culture of accountability among PICs. As the country's data protection landscape continues to evolve, one thing is clear: PICs must prioritize data security and take prompt action in the event of a breach.