NPC clarifies reporting requirements with Advisory №2018–01

Earlier this week, the National Privacy Commission released NPC Advisory №2018–01 (Guidelines on Security Incident and Personal Data Breach Reportorial Requirements). The issuance has disappeared from the NPC website. I’ll be adding a link to it when it goes back up.

The Guidelines provided templates for the NPC’s reporting requirements:

• Summary of Annual Security Incident and Personal Data Breach Reports for PICs (Annex A),
• Summary of Annual Security Incident and Personal Data Breach Reports for PIPs (Annex B),
• Mandatory Notification: Personal Data Breach for Data Subjects (Annex C),
• Mandatory Notification: Personal Data Breach for the National Privacy Commission (Annex D),
• Summary Report of PICs of Security Incidents Amounting to a Personal Data Breach not covered by mandatory notification requirements (Annex E),
• Summary Report of PIPs of Security Incidents Involving Personal Data Processing on Behalf of Personal Information Controllers Amounting to a Personal Data Breach (Annex F), and
• Summary Report of Highly Confidential Information (Annex G).

This issuance comes just a little over a week before the deadline for the submission of annual reports of security incidents and personal data breaches (for calendar year 2017), which fall on 30 June 2018. It would have been ideal if the Guidelines were issued a little earlier but I don’t expect that PICs and PIPs will have a hard time completing the report for the following reasons:

1. The IRR already required PICs and PIPs to keep records of security incidents and personal data breaches so they are not expected to start preparing the reports from scratch, and
2. The templates only require numbers and not the particulars of security incidents and personal data breaches.

PICs and PIPs are, however, required to keep summary reports of security incidents and personal data breaches and they are expected to have these on hand if and when the NPC conducts a compliance audit.

Through the Guidelines, the NPC has also clarified that PICs and PIPs with zero security incidents and personal data breaches no longer need to file any report to the NPC. Section 4 of the Guidelines say that “non-submission xxx shall create the presumption that no such security incident or personal data breach occurred during the covered period.

Here are the my other key takeaways:

• There are separate templates for the annual report for PICs and PIPs. This means that PICs who also serve as PIPs for other entities must file two separate annual reports. My question here is, are PICs still required to include in their annual report the security incidents and personal data breaches that occur on data processing done for them by their PIPs?
• Note the difference in wording of the template for mandatory notification for data subjects and the NPC. The template for the data subjects requires the PIC to include a brief description of the database while the template for the NPC requires a brief description of the data. Is this a typo or was there a special reason for the difference?
• The templates require extensive information to be provided the data subjects and the NPC. Considering that the mandatory notification must take place within 72 hours, all the information asked for may not be available at that time to the PIC. The PIC must note then that the likelihood that it will make a series of communications to both the data subjects and the NPC as more information become available and/or is confirmed.

Here’s the link to the annual reports online.