MANILA, Philippines – The National Privacy Commission has begun its investigation into the Commission on Elections after the desktop computer of the Office of the Election Officer was stolen in Wao, Lanao del Sur.
NPC said the computer stolen last January 11, contains data from the Voter Registration System (VRS) and Voter Search applications, and the National List of Registered Voters (NLRV) . It was also said to carry biometric records of registered voters in Wao, Lanao del Sur.
The privacy watchdog said its initial probe revealed that all Comelec filed offices across the country maintain their own electronic copies of the NLRV, which contains the personal information of roughly 55 million voters. It added that the NLRV database was also used in the Precinct Finder application, which was exposed in last year's Comelec website data breach.
NPC expressed concern over the ongoing voter registration nationwide and subsequently ordered the poll body to take serious measures to address its data processing vulnerabilities as it considers the stolen computer the “second large-scale data breach” of the Comelec in months.
"This is already Comelec's second large-scale data breach in a span of less than a year--- a case of a database being breached twice under different circumstances. This time, it involves actual large-scale biometrics data of voters in a municipality,” Privacy Commissioner Raymund Enriquez Liboro said in a release.
“We will delve deeper into the problem o possibly recommend other measures for Comelec to implement to protect voter data nationwide,” he added.
The NPC issued Compliance Order dated Feb. 13, 2017, directing the Comelec to erase all copies of the NLRV in the Comelec's computers in the different municipalities and cities if the poll body cannot secure the database using appropriate organizational, physical and technical measures.
The privacy commission also asked the Comelec to inform all data subjects affected by the personal data breach within two weeks. It recommended that the poll body can notify individuals with records through publication in two newspapers of general circulation.
The poll body as also ordered to individually notify the data subjects with records in the VRs in Wao, Lao del Sur.
Liboro said the recent breach “illustrates that there are many ways to lose personal data.” He noted that data protection is not only an IT security issue involving firewalls but also a governance matter that covers organizational and physical measures to protect data.
“In this case, failure to secure the very computer containing personal data can be just as disastrous. If the Comelec won't address the problem systematically, this will happen again and again," Liboro added. — Rosette Adel