Data privacy 101: How does one manage data breaches and security incidents?

We live in an era when personal data is so valuable that many business models and economies are now actually built around its collection and use. To prevent or at least discourage abuse, governments develop laws that aim to regulate this phenomenon. The Philippines has Republic Act No. 10173, or the Data Privacy Act of 2012 (DPA), with the National Privacy Commission (NPC) overseeing its proper implementation.

For many, understanding the law’s provisions and translating DPA compliance into an organization’s day-to-day operations is a daunting but necessary task.

To remedy this, we've gone straight to the source, and signed up two experts – Jam Jacob, the data protection officer of the Ateneo de Manila University and former head of the Privacy Policy Office of the NPC; and Ivy Patdu, Deputy Privacy Commissioner for Policies and Planning of the NPC.

The two will be authoring a series of articles that take up the various compliance elements of the law, as seen from two vantage points, and presented in FAQ form. In this issue, they talk about security incidents. 

What is the difference between a security incident and a personal data breach?

Ivy: NPC Circular No. 16-03, which concerns personal data breach management, defines a security incident as “an event or occurrence that affects or tends to affect data protection, or may compromise the availability, integrity, and confidentiality of personal data."

It includes incidents that would result in a personal data breach, if not for safeguards that have been put in place. The term was adopted from Section 20 of the DPA which requires security measures for correcting and mitigating “security incidents." Given its current use, it would appear that the term is meant to refer to “information security incidents”, which are defined under the ISO 27000 series as “one or more unwanted or unexpected information security events that could possibly compromise the security of information and weaken or impair business operations."

Meanwhile, the same NPC circular defines a personal data breach as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed." This definition was lifted from the European Union’s General Data Protection Regulation (GDPR) and is read within the context of Chapter V of the DPA. The DPA itself does not define a personal data breach and uses the term “breach” or “security breach”. 

Considering the DPA’s reference to the term and its definition under NPC Circular 16-01, “security incidents” refer to information security incidents. Whether they involve personal data or not does not matter, as long as it is possible for them to compromise the security of information, in general. On the other hand, personal data breaches refer to an actual breach of security involving personal data.

What are the different types of personal data breaches?

Jam: There are three main types:

What kind of personal data breach needs to be reported to the NPC?

Jam: The DPA provides for the conditions that determine which data breaches need to be reported to the NPC (and the affected individuals). The law says these three conditions must all be present:

What should a breach notification to the NPC contain?

Ivy: The notification should include:

The specific contents which should be included in the notification are provided in NPC Circular No. 16-03. 

What are some common causes of security incidents?

Jam: Plenty of things could lead to or cause a security incident. Some are man-made. Others are not. Among the notable ones are:

What can organizations do to avoid or at least minimize the risk of experiencing security incidents? 

Ivy: The organization should have a security incident or breach management program. This should not be viewed as referring only to an organization’s incident response procedure, or the actions taken once there is already reason to believe that a breach has occurred.

The program should include preventive and minimization procedures, too. This generally requires the development and implementation of security measures for data protection. It also means the implementation of a privacy management program, which must include data governance, risk assessment, and capacity building.

Strong data processing systems should be built, using both a privacy-by-design and a privacy-by-default approach. There should also be processes for regular monitoring, incident response and reporting, harm mitigation protocols, and regular review of the breach management program. These would not guarantee an incident-free environment, but they go a long way in making sure such incidents are few and far between, and do not give rise to serious harm or damage.

Ivy Patdu is a member of the National Privacy Commission, sitting as its deputy privacy commissioner responsible for policies and planning. She is also a member of the e-Health Privacy Expert’s Group and faculty member of the Ateneo de Manila Law School and San Beda College of Law-Alabang. She has worked on data privacy since 2011. 

Jam Jacob (@jamjacob) is the data protection officer of the Ateneo de Manila University. He is also the coordinator for the Privacy and Surveillance Program of the Foundation for Media Alternatives, a civil society organization, and is a consultant to several organizations both in government and the private sector. He previously served as head of the Privacy Policy Office of the National Privacy Commission, and has worked on data privacy since 2011.