The National Privacy Commission (NPC) has recommended that criminal charges be filed against Commission on Elections (COMELEC) Chairman Andres Bautista for violating the Data Privacy Act of 2012 in relation to the breach of voter data that occurred between March 20 and 27, 2016.
The NPC said the Comelec violated Sections 11, 20 and 21 of Republic Act No. 10173 known as the Data Privacy Act of 2012 in line with the agency's mandate as 'personal information controller.'
Comelec Chairman Bautista was cited for having violated the provisions of Sections 11, 20, 21 and 22 in relation to Section 26 of the same law.
The commission emphasized the Comelec chairman's lack of appreciation of the principle that data protection is more than just implementation of security measures.
"Data privacy is more than the deployment of technical security; it also includes the implementation of physical and organizational measures, as well as regular review, evaluation and updating of Comelec's privacy and security policies and practices," the NPC said in its decision dated December 28, 2016 on NPC Case No. 16-001, which was released to media Thursday.
The personal data in the breach was contained in several databases kept on the website: the voter database in the Precinct Finder web application containing 75,302,683 records; the voter database in the Post Finder web application containing 1,376,067 records; the iRehistro registration database with 139,301 records; the firearms ban database containing 896,992 personal data records; 20,485 records of firearms serial numbers; and the Comelec personnel database containing the records of 1,267 Comelec personnel.
The sheer volume of data makes the incident the worst recorded breach on a government-held personal database in the world, according to the NPC.
The decision stated that among the sensitive personal information contained in the Precinct Finder application were each voter's complete name, date of birth, gender, civil status, address, precinct number, birthplace, disability, voter identification number, voter registration record number, reason for deletion/deactivation, registration date and update time.
Meanwhile, the voter database in the Post Finder application contained information on each voter's verified name, date of birth, gender, civil status, post of registration, passport information with number and expiry date, taxpayer identification number, email address, mailing address, spouse's name, the complete names of the voter's mother and father, the voter's addresses in the Philippines and abroad, post or country of registration, old registration information, Philippine representative's complete name, citizenship, registration assistor, profession, sector, height and weight, identifying remarks, biometrics description, voting history, mode of voting and other textual information for the voter registration system.
The decision further described how much personal data is now most likely in the hands of criminal elements as a result of the Comelec data breach.
Furthermore, the NPC said the willful and intentional disregard of Comelec Chairman Bautista's duties as head of agency is tantamount to gross negligence.
"The lack of a clear data governance policy, particularly in collecting and further processing of personal data, unnecessarily exposed personal and sensitive information of millions of Filipinos to unlawful access," according to the NPC decision.
"A head of agency making his acts depend on the recommendations of the Executive Director or the Information Technology Department amplifies the want of even slight care. The duty to obey the law should begin at the top and should not be frustrated simply because no employee recommended such action," it added.
Section 26 of the Data Privacy Act imposes imprisonment from three to six years and a fine from PHP 500,000 to PHP 4,000,000.
Meanwhile, Section 36 provides additional penalties when the offender is a public officer, consisting of disqualification from public office for a period equivalent to double the criminal penalty.
The NPC has ordered the Comelec to implement the following corrective measures:
1. Appoint a Data Protection Officer within a month from receipt of the decision, conduct an agency-wide Privacy Impact Assessment within two months, and create a Privacy Management Program and a Breach Management Procedure within three months; and
2. Implement organizational, physical and technical security measures in compliance with the Implementing Rules and Regulations of the Data Privacy Act and the provisions of NPC Circular No. 16-01 on Security of Personal Data in Government Agencies within six months of receipt of the decision.
The NPC has also found that one of the computers used in the Comelec data breach had an IP address registered with the National Bureau of Investigation (NBI). It recommended to the Secretary of Justice that this should be further investigated under the Cybercrime Protection Act.
Source: Philippines News Agency