Search for:

The National Privacy Commission recently announced that the deadline for the submission of Annual Security Incident Reports for the years 2018 to 2021 is on 31 October 2022, while the deadline to submit the 2022 version of said report is on 31 March 2023.

In brief

Through its official website bulletin, the National Privacy Commission (NPC) formally announced the deadlines for submission of the Annual Security Incident Reports (ASIRs). According to the NPC, ASIRs for the years 2018 to 2021 are due on 31 October 2022, while ASIRs for 2022 must be submitted within the period of 1 January 2023 to 31 March 2023.

ASIRs must contain the following information:

  • Summary of the number of security incidents1 encountered in a particular calendar year and categorized by type, i.e., theft, identity fraud, sabotage/physical damage, malicious code, hacking, misuse of resources, hardware failure, software failure, communication failure, natural disaster, design error, user error, operations error, software maintenance error, third-party service, and other analogous causes
  • Summary of the number of personal data breaches2 encountered in a particular calendar year and classified based on the application of the breach notification obligations, i.e., mandatory and voluntary notification

For this purpose, ASIRs must be filed via the NPC’s Data Breach Notification Management System (DBNMS), as the NPC no longer accepts ASIR submissions via email, personal filing, or courier/postal delivery. Learn more about the DBNMS by reading our recent client alert on the matter, which is available here.

Recommended actions

Clients are urged to prepare their respective ASIRs (covering the years 2018 to 2021) in order to ensure timely submission to the NPC by 31 October 2022. We also recommend commencing preparations for the submission of the 2022 ASIR, since the period for submission of the same runs from 1 January 2023 to 31 March 2023.

Failure to submit the ASIR is a violation of NPC issuances, which may be taken into consideration by the NPC on whether a personal information controller (PIC) or personal information processor (PIP) may be subject to a compliance check by the NPC. The NPC’s evaluation or examination of a PIC or PIP’s compliance with the requirements of the Data Privacy Act of 2012, its Implementing Rules and Regulations, and NPC issuances include privacy sweeps, documents submission, and on-site visits.


1 ‘Security incident’ is an event or occurrence that affects or tends to affect data protection, or may compromise the availability, integrity, and confidentiality of personal data. It shall include incidents that would result to a personal data breach if not for safeguards that have been put in place.
2 ‘Personal data breach’ refers to a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed. A personal data breach may be in the nature of:
(a) An availability breach resulting from loss, accidental or unlawful destruction of personal data
(b) An integrity breach resulting from alteration of personal data
(c) A confidentiality breach resulting from the unauthorized disclosure of or access to personal data


LOGO Philippines_QuisumbingTorres_Manila

Please contact [email protected] for inquiries.

VISIT QUISUMBING TORRES SITE

Author

Bienvenido Marquez III is a partner and head of Quisumbing Torres' Intellectual Property, Data and Technology Practice Group. He also co-heads the Consumer Goods & Retail Industry Group and is a member of the Technology, Media & Telecommunications Group. He participates in initiatives of Baker & McKenzie International of which Quisumbing Torres is a member firm. He is a member of Baker McKenzie's Asia Pacific Intellectual Property Steering Committee and the Asia Pacific Intellectual Property Business Unit for Brand Enforcement. He is immediate Past President of the Philippine Chapter of the Licensing Executives Society International (2019-2021), and is currently co-chair of the LESI Asia Pacific. He is also a member of the Anti-Counterfeiting Committee of the International Trademarks Association (INTA). Bien has vast experience in handling IP enforcement litigation, trademark and patent prosecution and maintenance, copyright, data privacy, information security, IT, telecommunications, e-commerce, electronic transactions, cyber security and cybercrime. He has been consistently ranked as a leading individual for Intellectual Property and TMT in Legal 500 Asia Pacific, Chambers Asia Pacific, asialaw Leading Lawyers, Managing IP Stars, Asia IP, and World Trademark Review. He was also recognized as a Volunteer Service Awardee by INTA in 2018.

Author

Divina Ilas-Panganiban is a partner in Quisumbing Torres’ Intellectual Property, Data and Technology Practice Group and co-heads the Technology, Media & Telecommunications (TMT) Industry Group. She participates in initiatives of Baker & McKenzie International of which Quisumbing Torres is a member firm. She is a member of Baker & McKenzie International's Asia Pacific TMT Steering Committee. She currently serves as the Vice-President and Director of the Philippine Chapter of the Licensing Executives Society International, the Chairperson of the Committee on Intellectual Property Rights, The American Chamber of Commerce of the Philippines, and the Chairperson of the Committee on Intellectual Property Rights of the European Chamber of Commerce. Divina heads the Subcommittee for East Asia and the Pacific of the Unreal Campaign of the International Trademarks Association (INTA) and is a Certified Information Privacy Manager by the International Association of Privacy Professionals (IAPP).

Author

Jose Angelo Tiglao, CIPM, CIPP/E, CIPT, is an associate with the Intellectual Property, Data and Technology Practice Group as well as the Consumer Goods and Retail Industry Group at Quisumbing Torres. He is a Certified Information Privacy Professional (Europe), a Certified Information Privacy Manager, and a Certified Information Privacy Technologist by the International Association of Privacy Professionals (IAPP). He is currently the Young Privacy Professional of the IAPP KnowledgeNet Philippine Chapter and previously served as the Assistant Corporate Secretary of the Licensing Executives Society Philippines. He is also actively engaged in teaching several law subjects in the De La Salle University College of Law.

Write A Comment