On April 20, 2022, the NPC launched its Data Breach Notification and Management System (DBNMS), which it hailed as “a user-friendly interface that facilitates easy tracking and faster submission of Personal Data Breach Notifications (PDBNs) and Annual Security Incident Reports (ASIRs)” in accordance with NPC Circular No. 16-03.
Data Breach Notification and Management System
The DBNMS provides an assessment aid for PICs and PIPs to determine whether they are subject to mandatory data breach notification.
The main functionality of the DBNMS is to facilitate the submission of PDBNs.
ASIRs should also be submitted through the DBNMS.
Considering the accessibility of the platform, PICs and PIPs must submit an ASIR, even for nil reporting. The presumption that there is no security incident to report, which previously arose from non-submission of the ASIR, no longer applies. The deadline for the submission of ASIRs for the years 2018 to 2021 is October 31, 2022, while 2022 ASIRs must be submitted by March 31, 2023. With the roll-out of the online platform, the NPC will only accept PDBNs and ASIRs through the DBNMS. Submissions through email, personal filing, ordinary mail, licensed courier service, and any other mode of physical submission are no longer considered valid.
National Privacy Commission Registration System
On February 3, 2023, the NPCRS, an online platform for private and government entities to register their DPS, went live pursuant to NPC Circular No. 2022-04.
Under NPC Circular No. 2022-04, the two-phased process under NPC Circular No. 17-01 was abolished, and registration is now a single process that includes both the registration of the Data Protection Officer (DPO) and the registration of the DPS. All information (not otherwise tagged as optional) and all supporting documents must be submitted during registration. There is no facility to save a registration as a draft and return to it at a later time.