Data Breach Notification, Data Privacy Law
Concept
“Personal data breach” refers to a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed. (IRR, Section 3[k])
Data Breach Notification
Section 38. Data Breach Notification.
a. The Commission and affected data subjects shall be notified by the personal information controller within seventy-two (72) hours upon knowledge of, or when there is reasonable belief by the personal information controller or personal information processor that, a personal data breach requiring notification has occurred.
b. Notification of personal data breach shall be required when sensitive personal information or any other information that may, under the circumstances, be used to enable identity fraud are reasonably believed to have been acquired by an unauthorized person, and the personal information controller or the Commission believes that such unauthorized acquisition is likely to give rise to a real risk of serious harm to any affected data subject.
c. Depending on the nature of the incident, or if there is delay or failure to notify, the Commission may investigate the circumstances surrounding the personal data breach. Investigations may include on-site examination of systems and procedures. (IRR, Rule IX)
When to notify NPC and data subjects
The [NPC] and affected data subjects shall be notified by the personal information controller within seventy-two (72) hours:
1) upon knowledge of a personal data breach requiring notification has occurred, or
2) when there is reasonable belief by the personal information controller or personal information processor that, a personal data breach requiring notification has occurred. (IRR, Section 38[a], Rule IX)
When required
Notification of personal data breach shall be required when sensitive personal information or any other information that may, under the circumstances, be used to enable identity fraud are reasonably believed to have been acquired by an unauthorized person, and the personal information controller or the [NPC] believes that such unauthorized acquisition is likely to give rise to a real risk of serious harm to any affected data subject. (IRR, Section 38[b], Rule IX)
NPC Investigation
1) The [NPC] may investigate the circumstances surrounding the personal data breach:
a) depending on the nature of the incident, or
b) if there is delay or failure to notify. (IRR, Section 38[c], Rule IX)
2) Investigations may include on-site examination of systems and procedures. (IRR, Section 38[c], Rule IX)
Contents of Notification
Section 39. Contents of Notification. The notification shall at least describe the nature of the breach, the personal data possibly involved, and the measures taken by the entity to address the breach. The notification shall also include measures taken to reduce the harm or negative consequences of the breach, the representatives of the personal information controller, including their contact details, from whom the data subject can obtain additional information about the breach, and any assistance to be provided to the affected data subjects. (IRR, Rule IX)
The notification shall at least describe:
1) the nature of the breach,
2) the personal data possibly involved,
3) the measures taken by the entity to address the breach,
4) measures taken to reduce the harm or negative consequences of the breach,
5) the representatives of the personal information controller, including their contact details, from whom the data subject can obtain additional information about the breach, and
6) any assistance to be provided to the affected data subjects. (IRR, Section 39, Rule IX)

Figure 1. Contents of Data Breach Notification
Delay of Notification
Section 40. Delay of Notification. Notification may be delayed only to the extent necessary to determine the scope of the breach, to prevent further disclosures, or to restore reasonable integrity to the information and communications system.
a. In evaluating if notification is unwarranted, the Commission may take into account compliance by the personal information controller with this section and existence of good faith in the acquisition of personal data.
b. The Commission may exempt a personal information controller from notification where, in its reasonable judgment, such notification would not be in the public interest, or in the interest of the affected data subjects.
c. The Commission may authorize postponement of notification where it may hinder the progress of a criminal investigation related to a serious breach. (IRR, Rule IX)
Grounds for delay of notification
Notification may be delayed only:
1) to the extent necessary to determine the scope of the breach,
2) to prevent further disclosures, or
3) to restore reasonable integrity to the information and communications system. (IRR, Section 40, Rule IX)
Factors whether notification was unwarranted
In evaluating if notification is unwarranted, the Commission may take into account:
1) compliance by the personal information controller with this section and
2) existence of good faith in the acquisition of personal data. (IRR, Section 40[a], Rule IX)
Exemption from notification
The Commission may exempt a personal information controller from notification where in its reasonable judgment:
1) such notification would not be in the public interest, or
2) in the interest of the affected data subjects. (IRR, Section 40[b], Rule IX)
Postponement of notification
The [NPC] may authorize postponement of notification where it may hinder the progress of a criminal investigation related to a serious breach. (IRR, Section 40[c], Rule IX)
Breach Report
Section 41. Breach Report.
a. The personal information controller shall notify the Commission by submitting a report, whether written or electronic, containing the required contents of notification. The report shall also include the name of a designated representative of the personal information controller, and his or her contact details.
b. All security incidents and personal data breaches shall be documented through written reports, including those not covered by the notification requirements. In the case of personal data breaches, a report shall include the facts surrounding an incident, the effects of such incident, and the remedial actions taken by the personal information controller. In other security incidents not involving personal data, a report containing aggregated data shall constitute sufficient documentation. These reports shall be made available when requested by the Commission. A general summary of the reports shall be submitted to the Commission annually. (IRR, Rule IX)
Contents of breach report
The personal information controller shall notify the Commission by submitting a report, whether written or electronic, containing:
1) the required contents of notification,
2) the name of a designated representative of the personal information controller, and his or her contact details. (IRR, Section 41[a], Rule IX)
Security incident report
1) All security incidents and personal data breaches shall be documented through written reports, including those not covered by the notification requirements. (IRR, Section 41[b], Rule IX)
2) In the case of personal data breaches, a report shall include:
a) the facts surrounding an incident,
b) the effects of such incident, and
c) the remedial actions taken by the personal information controller. (IRR, Section 41[b], Rule IX)
3) In other security incidents not involving personal data, a report containing aggregated data shall constitute sufficient documentation.

Figure 2. Contents of Security Incident Report
Reports available upon request by NPC
These reports shall be made available when requested by the [NPC].
Annual submission of reports to NPC
A general summary of the reports shall be submitted to the [NPC] annually. (IRR, Section 41[b], Rule IX)
Procedure for Notification
Section 42. Procedure for Notification. The Procedure for breach notification shall be in accordance with the Act, these Rules, and any other issuance of the Commission. (IRR, Rule IX)
The Procedure for breach notification shall be in accordance with the [Data Privacy Law, its IRR], and any other issuance of the Commission. (IRR, Section 42, Rule IX)
REFERENCES
National Privacy Commission. (n.d.) Implementing Rules and Regulations or Republic Act No. 10173, also known as the “Data Privacy Act of 2012”. https://privacy.gov.ph/implementing-rules-regulations-data-privacy-act-2012/
National Privacy Commission. (n.d.). Powers & Functions. https://privacy.gov.ph/powers-functions/
Republic Act No. 10173. (2012). Data Privacy Act of 2012. https://privacy.gov.ph/data-privacy-act/
