By Patrizia Paola C. Marcelo, Reporter
THE National Privacy Commission (NPC) is set to conduct a privacy compliance “sweep” as it intensifies monitoring of organizations.
“We will be issuing a compliance sweep advisory, but the compliant sweep [this time], we think we can cover more companies. We came up with more ways to look for, check for compliance, not just through one method,” NPC Commissioner Raymund E. Liboro told reporters on Monday, but did not specify a timeline.
The NPC will check the compliance of businesses with Republic Act 10173, or the Data Privacy Act of 2012, as well as international standards for data protection.
The review will cover company websites, applications, and mobile services.
The NPC said the privacy compliance sweep will be a random, quick and partial scan of an organization’s public units and channels. The results will be used as the basis for further investigations and full-scale compliance checks.
Among the punishable offenses under the Data Privacy Act are: unauthorized processing of personal information and sensitive personal information; accessing personal information and sensitive personal information due to negligence; improper disposal of personal information and sensitive personal information; and processing of personal information and sensitive personal information for unauthorized purposes.
Other offenses include: unauthorized access or intentional breach; concealment of security breaches involving sensitive personal information; malicious disclosure; and unauthorized disclosure.
Penalties for violation of the Data Privacy Act range from six months to three years’ imprisonment, plus anywhere from P100,000 to P5 million in fines.
Statistics from the NPC show that as of end-April, there have been 208 data privacy cases filed with the NPC, nearly at par with the 221 cases filed in all of 2017.
As of April 30, the NPC said there were 57 breach notifications, 21 complaints, 126 inquiries, and four investigations. Out of the 208 filed cases, 102 are pending action by the NPC.
Mr. Liboro noted the growing number of cases is due to the greater awareness of data privacy laws and consumers’ rights.
He added that companies should know that more consumers are becoming aware of their privacy rights, citing a Social Weather Stations (SWS) survey last year which showed that 94% of Filipinos wanted to know more about how their personal data provided during transactions were used.
“We tell companies, ‘if you think people are not interested in how their personal data are used, you’re wrong,’” Mr. Liboro said.
Earlier this month, the NPC had ordered Wenphil Corp., operator of Wendy’s Philippines, to notify persons affected by the breach and wholesale leak of its database on April 23. The NPC said that around 82,150 records were exposed in the incident, wherein unknown individuals published online the database from the Wendy’s website.
The NPC had also ordered Jollibee Foods Corp. (JFC) to indefinitely suspend the operations of its delivery website and other online processing operations with the public due to identified vulnerabilities in the restaurant chain’s website. NPC said that vulnerabilities in JFC’s website indicated a “very high risk” that approximately 18 million persons currently on the database will be exposed to harm.
The NPC will be holding its first Privacy Awareness Week from May 28 to May 31. During the week, the NPC will launch the Philippine Data Privacy Council, where sectors primarily involved in persons’ data will be included, such as the business process outsourcing (BPO) sector, government, banks, telcos, hotels and nonbank financial institutions.