MANILA, Philippines - Commission on Elections (Comelec) Chairman Andres Bautista met with President Duterte on Tuesday at Malacañang, barely two weeks after the National Privacy Commission (NPC) started a probe over another supposed data breach in Wao, Lanao del Sur last Jan. 11.
Presidential spokesman Ernesto Abella was mum on the details of the meeting between Duterte and Bautista, who has also been under fire for the large-scale data breach following the hacking of the Comelec website and stealing of data and biometrics of some 55 million voters last year.
When pressed by reporters about the meeting, Abella indicated that it was Bautista who could have reached out to the President. “I would not know whether it’s questionable or not but if I go by his statements, some of these meetings have been programmed about two or three months ago,” Abella said. “Usually, it’s not the President who calls… usually it’s the (other party).” Apart from the breach last year, the Comelec is also facing inquiry after the theft of a Comelec computer that contained data from the Voter Registration System and voter search applications, the National List of Registered Voters and biometric records of registered voters in Wao, Lanao del Sur.
Sought for comment, Bautista said the data breach issue “was not even discussed” during his meeting with the President last Tuesday. “We discussed the May 2016 elections and the ongoing preparations for the May 2017 barangay and (Sangguniang Kabataan) elections. We also talked about possible amendments to the Omnibus Election Code,” he told The STAR.
Duterte’s meeting with Bautista came a few months after the NPC found that the Comelec violated the Data Privacy Act of 2012 and recommended the criminal prosecution of Bautista for the data breach that occurred between March 20 and 27, 2016. In its decision dated Dec. 28, 2016 on NPC Case No. 16-001, the NPC underscored Bautista’s “lack of appreciation” of the principle that data protection is more than just implementation of security measures.
“Data privacy is more than the deployment of technical security; it also includes the implementation of physical and organizational measures, as well as regular review, evaluation and updating of Comelec’s privacy and security policies and practices,” the decision read.
The NPC said the Comelec “violated Sections 11, 20 and 21 of the Republic Act No. 10173” in the dispense of the agency’s duty as “personal information controller.” The document, meantime, mentioned Bautista as having “violated the provisions of Section 11, 20, 21 and 22 in relation to Section 26” of the same law.