Agencies reminded to appoint data protection officers

MANILA, Philippines - The National Privacy Commission (NPC) is warning private and public organizations handling personal information to immediately appoint their respective data protection officers (DPOs) or face consequences for non-compliance. 

NPC commissioner Raymund Liboro said agencies not complying with such provision of the Data Privacy Act of 2012 could not make any excuses to escape liability.

Chapter 8 of Republic Act 10173, or the Act Protecting Individual Personal Information in Information and Communications Systems in the Government and the Private Sector and which also created the NPC, states the penalties for those violating the law.

“Personal data handling is a public trust and carries with it a burden of accountability. No amount of ignorance or legal naiveté can erase that accountability,” Liboro said.

“The Data Privacy Act of 2012 is about making sure those we entrust with our personal data are actually trustworthy by compelling them to do everything they can to protect (such data),” he added. 

The privacy commissioner issued the statement on the heels of the body’s decision to sanction the Commission on Elections (Comelec), specifically Chairman Andres Bautista, over the leak of personal data of over 72 million voters last year. 

Among its findings was the failure of the poll body to designate a DPO who would be accountable for data privacy as required by the law. 

“If you process a lot of personal data, you could be a disaster waiting to happen if you fail to apply the principles provided in the law,” Liboro said.

Under the law, DPOs are defined as individuals or groups of people who are accountable for the organization’s compliance with the privacy law. 

“The DPO is essentially tasked to champion people’s privacy rights from within his or her organization. In so doing, the DPO is able to minimize the risks of privacy breaches, address underlying problems and reduce the damage arising from breaches if and when they do occur,” Liboro said. 

“Complying with the law produces a lot of upside. Showing the public your commitment to protect their personal data leads to increased consumer trust and thus, higher patronage,” he added. 

The official said the job of the DPO as defined by law is focused on protecting data from the time that it was collected up to storage, sharing and even destruction. 

The NPC recently lauded government agencies that started to comply with the provisions of the law. 

Among those cited were the Departments of Health and National Defense, Philippine Health Insurance Corp. (PhilHealth), the National Economic and Development Authority and the Metro Manila Development Authority.