Published 28 November 2022, The Daily Tribune

Since the passage of the Data Privacy Act in 2012, entities engaged in the processing of personal information have been on the constant lookout for any changes or development in the law. While the DPA is a relatively new regulation at the time, this does not mean that enforcement and compliance were not prioritized by the regulator and the affected sectors alike.

One of the more important scenarios that Personal Information Controllers and Personal Information Processors should be on the lookout for, are incidents of a breach or any unauthorized access to personal information. NPC Circular 16-03 or the Circular on Personal Data Breach Management outlines at length what PICs and PIPs should do in cases of suspected and confirmed personal data breach incidents. The most crucial of which is compliance with the mandatory 72-hour notification requirement if applicable.

In order to comply, PICs and PIPs must establish a system where reported or discovered incidents can be timely documented, evaluated and reported. This is usually already part of the organization’s data security and privacy functions. The process usually ends with the execution of an incident report detailing how the disclosure occurred, the scope, nature, and extent of the breach, what personal information is involved, and how many data subjects are affected. These are the minimum information needed in order for the PIC and PIP to assess if the NPC and/or the data subject must be notified.

In case of doubt, NPC Circular 16-03 also provides that notification may only be delayed but to the extent necessary to determine the scope of the breach, to prevent further disclosures, or to restore reasonable integrity to the information and communications system. The PIC and PIP need not be absolutely certain of the scope of the breach prior to notification, and where there is uncertainty PICs and PIPs shall primarily consider, the likelihood of harm or negative consequences on the affected data subjects, and how notification of the NPC and the data subjects, could reduce the risks The PIC and PIP shall also consider if the personal data reasonably believed to have been compromised involves:

a. Information that would likely affect national security, public safety, public order, or public health;

b. At least one hundred (100) individuals;

c. Information required by applicable laws or rules to be confidential; or

d. Personal data of vulnerable groups.

Incidents determined by the PIC or PIP as not subject to the mandatory notification must still be documented and reported to the NPC through the submission of annual security incident reports.

More recently, the NPC has announced that all Personal Data Breach Notifications and Annual Security Incident Reports shall be submitted through the Data Breach Notification Management System online platform. The DBNMS may be accessed at https//

PIPs and PICs are thus encouraged to create an account in the platform. Should an incident occur, the website can also be used as a guide by the PIC and PIP because the report cannot be submitted with incomplete information and there are various sections in the platform explaining what information is sought by the NPC. Requests for more time to submit the information and exemptions from notifications can also be submitted online.

As they say, however, prevention is still better — and a robust data privacy policy and security measures that are well enforced and communicated down the line will help mitigate any of these incidents from occurring in the first place.

For more of Dean Nilo Divina’s legal tidbits, please visit For comments and questions, please send an email to