By Myla Iglesias, May 29, 2018, Malaya

The National Privacy Commission (NPC) said it is ready to deal with possible personal data breaches with the implementation of the national identification (ID) card system.

NPC supports the creation of the Philippine Identification System (PhilSys) and the issuance to all Filipinos of an ID card, to be called the PhilID, which gives them easy access to public and private sector services that require proof of identity.

NPC is part of the technical working group (TWG) spearheaded by the National Economic and Development Authority and the Philippine Statistics Authority (PSA) on the national ID system. The TWG threshed out the various issues and concerns, including privacy and data protection issues, and drafted the bill which was largely adopted as Senate Bill (SB) No. 1738.

Raymund Liboro, NPC commissioner, said, “As a commission, our mandate is to ensure compliance with Republic Act 10173, better known as the Data Privacy Act (DPA) of 2012. Our primary job is to uphold the law for those who handle personal data, called information controllers; and to remind individuals, referred to as data subjects, of their rights over their personal data and the way it is processed—meaning, how it is collected, stored, altered, erased and even destroyed.”

“The law applies to the processing of all types of personal information and it applies to all entities involved in the processing of personal data. Any organization that processes personal data relating to identifiable individuals, either on a computer system or even in a physical and structured filing system like hospital records in steel cabinets, is considered a ‘personal information controller’,” said Liboro in his speech at the opening of the National Data Privacy Conference at the PICC yesterday.

In the Bicameral Conference Committee hearing on House Bill No. 6221 and SB 1738 last May 22, the section on protection against unlawful disclosure of information/records was adopted.

This provision recognizes three specific instances where the disclosure, collection, recording, conveyance, dissemination, publication or use of the information of registered persons is allowed, namely: when there is consent of the registered person; when the compelling interest of public health or safety so requires, relevant information may be disclosed upon order of a competent court, provided that the risk of significant harm to the public is established and the owner of the information is notified within 72 hours of the fact of such disclosure; and when the registered person requests the PSA to provide access to his or her registered information and record history.