Gov't agencies, private orgs told to appoint data protection officers

MANILA, Philippines – The country's main privacy body reminded the heads of public and private organizations that handle personal information to appoint data protection officers (DPO) as soon as possible, in compliance with the law.

The National Privacy Commission (NPC) issued the reminder a week after the release of its decision finding Commission on Elections (Comelec) Chairman Andres Bautista liable for the voters' data leak in March 2016. Among the NPC's findings was that the Comelec had failed to designate such officer.

In a statement on Thursday, January 12, the NPC said that the designation of DPOs is required under Republic Act 10173 or the Data Privacy Act of 2012.

It is also the first item in the privacy body's "5 commandments" to make compliance with the law "as practical as possible." (READ: Gov't should protect citizens' personal data – NPC's Liboro)

The data protection officer will be accountable for ensuring compliance as regards everything related to data privacy and security, the commission added.

"Personal data handling is a public trust, and carries with it a burden of accountability. No amount of ignorance or legal naiveté can erase that accountability," said NPC Commissioner Raymund Liboro.

Officially designating a DPO also signals an organization's "commitment to comply" with the law, Liboro said.

The Data Privacy Act, he added, "is about making sure those we entrust with our personal data are actually trustworthy by compelling them to do everything they can to protect it."

Section 21(b) of RA 10173 states that a personal information controller – a person or organization who controls the collection, processing, or use of personal information – "shall designate an individual or individuals who are accountable for the organization’s compliance with this Act."

This is reiterated in Section 26 of RA 10173's implementing rules and regulations, said the NPC.

"The DPO is essentially tasked to champion people's privacy rights from within his or her organization," said Liboro. 

"In so doing, the DPO is able to minimize the risks of privacy breaches, address underlying problems, and reduce the damage arising from breaches if and when they do occur," he said.

The said officer is expected to adhere to data privacy principles, implement necessary security measures, and uphold the rights of data subjects.

In addition, the DPO's job is focused on protecting data, from collection to storage, sharing and destruction, said the NPC. "Part of this job includes providing data subjects with access to their personal data, and instructions on how they can object to processing and obtain relief when needed."

As for micro, small and medium enterprises (MSME), the DPO can even be the business owner, said Liboro. "What is important is developing a culture of privacy within their organization and ensuring their employees are aware of data privacy principles."

Finally, the NPC said that apart from a strong strategic framework, the job of a data protection officer requires committed support from top management."

Liboro then commended government agencies that have complied with the Data Privacy Act. Among them are the Department of Health, Philhealth, and the Department of National Defense.

He said the National Economic and Development Authority (NEDA) and the Metropolitan Manila Development Authority (MMDA) have appointed data protection officers. – Rappler.com

Michael Bueza

Michael Bueza is a researcher and data curator under Rappler's Research Team. He works on data about elections, governance, and the budget. He also follows the Philippine pro wrestling scene and the WWE. Michael is also part of the Laffler Talk podcast trio.

image