NPC issues new orders on data protection
MANILA, Philippines — The National Privacy Commission (NPC) has issued guidelines creating a system that will govern the issuance of Philippine Privacy Mark (PPM) certificates to public and private organizations and companies that handle and control the personal data of Filipino data subjects.
NPC Circular 2023-05 outlines the prerequisites for organizations and certification bodies participating in the PPM Certification Program, while NPC Circular 2023-06 governs the security of personal data in the government and private sector.
The creation of an ecosystem for the issuance of PPMs was meant to further strengthen personal data protection in the Philippines, according to Commissioner John Henry Naga of the NPC.
“Through these circulars, the NPC aims to provide guidance to organizations in further complying with the Data Privacy Act of 2012, its implementing rules and regulations and other issuances of the NPC,” Naga said.
“Likewise, these circulars (are) in line with the NPC’s vision to further empower data subjects, especially in identifying organizations that they can trust,” he added.
The PPM Certification Program is an initiative by the NPC to assess public and private organizations to ensure secure and protected processing of personal information in implementing their respective data privacy and protection management systems.
NPC Circular 2023-05, which took effect last March 15, provides the prerequisites for certification of personal information controllers (PICs) or personal information processors (PIPs) and accreditation of certification bodies under the PPM certification program.
Under the circular, a PIC or PIP seeking certification under the PPM Certification Program must be certified with ISO/IEC 27001 and ISO/IEC 27701 standards for information security management systems (ISMS) and privacy information management system, respectively.
Certification bodies must also meet these standards, along with ISO/IEC 17021-1, for accreditation.
NPC Circular 2023-06 provides updated requirements for the security of personal data processed by a PIC or PIP.
To ensure data security, the circular enumerates the general obligations of a PIC or PIP, which include the designation and registration of a data protection officer, registration of data processing systems, conduct of a privacy impact assessment, implementation of a privacy management program, periodic training of personnel on privacy and data protection policies, and compliance with the orders of the NPC.