Data breach notification

1. Data Breach Notification

a. 72-hour notice

[The NPC] and affected data subjects shall be notified by the personal information controller within seventy-two (72) hours upon knowledge of, or when there is reasonable belief by the personal information controller or personal information processor that, a personal data breach requiring notification has occurred. (Section 38[a], Rule IX, IRR of the Data Privacy Act)

b. When breach involves sensitive personal information

Notification of personal data breach shall be required when sensitive personal information or any other information that may, under the circumstances, be used to enable identity fraud are reasonably believed to have been acquired by an unauthorized person, and the personal information controller or the Commission believes that such unauthorized acquisition is likely to give rise to a real risk of serious harm to any affected data subject. (Section 38[b], Rule IX, Ibid.)

c. NPC Investigation

Depending on the nature of the incident, or if there is delay or failure to notify, [the NPC] may investigate the circumstances surrounding the personal data breach. Investigations may include on-site examination of systems and procedures. (Section 38[c], Rule IX, Ibid.)

2. Contents of Notification

The notification shall at least describe the nature of the breach, the personal data possibly involved, and the measures taken by the entity to address the breach. (Section 39, Rule IX, Ibid.)

The notification shall also include measures taken to reduce the harm or negative consequences of the breach, the representatives of the personal information controller, including their contact details, from whom the data subject can obtain additional information about the breach, and any assistance to be provided to the affected data subjects. (Ibid.)

3. Delay of Notification

Notification may be delayed only to the extent necessary to determine the scope of the breach, to prevent further disclosures, or to restore reasonable integrity to the information and communications system. (Section 40, Rule IX, Ibid.)

a. Compliance and good faith

In evaluating if notification is unwarranted, [the NPC] may take into account compliance by the personal information controller with this section and existence of good faith in the acquisition of personal data. (Section 40[a], Rule IX, Ibid.)

b. Exemption from notice

[The NPC] may exempt a personal information controller from notification where, in its reasonable judgment, such notification would not be in the public interest, or in the interest of the affected data subjects. (Section 40[b], Rule IX, Ibid.)

c. Postponement

[The NPC] may authorize postponement of notification where it may hinder the progress of a criminal investigation related to a serious breach. (Section 40[c], Rule IX, Ibid.)

4. Breach Report

a. Contents of notice

The personal information controller shall notify [the NPC] by submitting a report, whether written or electronic, containing the required contents of notification. The report shall also include the name of a designated representative of the personal information controller, and his or her contact details. (Section 41[a], Rule IX, Ibid.)

b. Security incidents

All security incidents and personal data breaches shall be documented through written reports, including those not covered by the notification requirements. (Section 41[b], Rule IX, Ibid.)

In the case of personal data breaches, a report shall include the facts surrounding an incident, the effects of such incident, and the remedial actions taken by the personal information controller. (Ibid.)

In other security incidents not involving personal data, a report containing aggregated data shall constitute sufficient documentation. (Ibid.)

These reports shall be made available when requested by the Commission. A general summary of the reports shall be submitted to [the NPC]. (Ibid.)

5. Procedure for Notification

The procedure for breach notification shall be in accordance with the Act, these Rules, and any other issuance of [the NPC]. (Section 42, Rule IX, Ibid.)


Republic Act No. 10173, Data Privacy Act of 2012

2016 IRR of the Data Privacy Act

Disclaimer: All information is for educational and general information only. These should not be taken as professional legal advice or opinion. Please consult a competent lawyer to address your specific concerns. Any statements or opinions of the author are solely his own and do not reflect those of any organization with which he may be connected.
