Rule III. National Privacy Commission
Section 8. Mandate. The National Privacy Commission is an independent body mandated to administer and implement the Act, and to monitor and ensure compliance of the country with international standards set for personal data protection.
Section 9. Functions. The National Privacy Commission shall have the following functions:
a. Rule Making. The Commission shall develop, promulgate, review or amend rules and regulations for the effective implementation of the Act. This includes:
- Recommending organizational, physical and technical security measures for personal data protection, encryption, and access to sensitive personal information maintained by government agencies, considering the most appropriate standard recognized by the information and communications technology industry, as may be necessary;
- Specifying electronic format and technical standards, modalities and procedures for data portability, as may be necessary;
- Issuing guidelines for organizational, physical, and technical security measures for personal data protection, taking into account the nature of the personal data to be protected, the risks presented by the processing, the size of the organization and complexity of its operations, current data privacy best practices, cost of security implementation, and the most appropriate standard recognized by the information and communications technology industry, as may be necessary;
- Consulting with relevant regulatory agencies in the formulation, review, amendment, and administration of privacy codes, applying the standards set out in the Act, with respect to the persons, entities, business activities, and business sectors that said regulatory bodies are authorized to principally regulate pursuant to law;
- Proposing legislation, amendments or modifications to Philippine laws on privacy or data protection, as may be necessary;
- Ensuring proper and effective coordination with data privacy regulators in other countries and private accountability agents;
- Participating in international and regional initiatives for data privacy protection.
b. Advisory. The Commission shall be the advisory body on matters affecting protection of personal data. This includes:
- Commenting on the implication on data privacy of proposed national or local statutes, regulations or procedures, issuing advisory opinions, and interpreting the provisions of the Act and other data privacy laws;
- Reviewing, approving, rejecting, or requiring modification of privacy codes voluntarily adhered to by personal information controllers, which may include private dispute resolution mechanisms for complaints against any participating personal information controller, and which adhere to the underlying data privacy principles embodied in the Act and these Rules;
- Providing assistance on matters relating to privacy or data protection at the request of a national or local agency, a private entity or any person, including the enforcement of rights of data subjects;
- Assisting Philippine companies doing business abroad to respond to data protection laws and regulations.
c. Public Education. The Commission shall undertake necessary or appropriate efforts to inform and educate the public of data privacy, data protection, and fair information rights and responsibilities. This includes:
- Publishing, on a regular basis, a guide to all laws relating to data protection;
- Publishing a compilation of agency system of records and notices, including index and other finding aids;
- Coordinating with other government agencies and the private sector on efforts to formulate and implement plans and policies to strengthen the protection of personal data in the country;
d. Compliance and Monitoring. The Commission shall perform compliance and monitoring functions to ensure effective implementation of the Act, these Rules, and other issuances. This includes:
- Ensuring compliance by personal information controllers with the provisions of the Act;
- Monitoring the compliance of all government agencies or instrumentalities as regards their security and technical measures, and recommending the necessary action in order to meet minimum standards for protection of personal data pursuant to the Act;
- Negotiating and contracting with other data privacy authorities of other countries for cross-border application and implementation of respective privacy laws;
- Generally performing such acts as may be necessary to facilitate cross-border enforcement of data privacy protection;
- Managing the registration of personal data processing systems in the country, including the personal data processing system of contractors and their employees entering into contracts with government agencies that involves accessing or requiring sensitive personal information of at least one thousand (1,000) individuals.
e. Complaints and Investigations. The Commission shall adjudicate on complaints and investigations on matters affecting personal data: Provided, that In resolving any complaint or investigation, except where amicable settlement is reached by the parties, the Commission shall act as a collegial body. This includes:
- Receiving complaints and instituting investigations regarding violations of the Act, these Rules, and other issuances of the Commission, including violations of the rights of data subjects and other matters affecting personal data;
- Summoning witnesses, and requiring the production of evidence by a subpoena duces tecum for the purpose of collecting the information necessary to perform its functions under the Act: Provided, that the Commission may be given access to personal data that is subject of any complaint;
- Facilitating or enabling settlement of complaints through the use of alternative dispute resolution processes, and adjudicating on matters affecting any personal data;
- Preparing reports on the disposition of complaints and the resolution of any investigation it initiates, and, in cases it deems appropriate, publicizing such reports;
f. Enforcement. The Commission shall perform all acts as may be necessary to effectively implement the Act, these Rules, and its other issuances, and to enforce its Orders, Resolutions or Decisions, including the imposition of administrative sanctions, fines, or penalties. This includes:
- Issuing compliance or enforcement orders;
- Awarding indemnity on matters affecting any personal data, or rights of data subjects;
- Issuing cease and desist orders, or imposing a temporary or permanent ban on the processing of personal data, upon finding that the processing will be detrimental to national security or public interest, or if it is necessary to preserve and protect the rights of data subjects;
- Recommending to the Department of Justice (DOJ) the prosecution of crimes and imposition of penalties specified in the Act;
- Compelling or petitioning any entity, government agency, or instrumentality, to abide by its orders or take action on a matter affecting data privacy;
- Imposing administrative fines for violations of the Act, these Rules, and other issuances of the Commission.
g. Other functions. The Commission shall exercise such other functions as may be necessary to fulfill its mandate under the Act.
Section 10. Administrative Issuances. The Commission shall publish or issue official directives and administrative issuances, orders, and circulars, which include:
a. Rules of procedure in the exercise of its quasi-judicial functions, subject to the suppletory application of the Rules of Court;
b. Schedule of administrative fines and penalties for violations of the Act, these Rules, and issuances or Orders of the Commission, including the applicable fees for its administrative services and filing fees;
c. Procedure for registration of data processing systems, and notification;
d. Other administrative issuances consistent with its mandate and other functions.
Section 11. Reports and Information. The Commission shall report annually to the President and Congress regarding its activities in carrying out the provisions of the Act, these Rules, and its other issuances. It shall undertake all efforts it deems necessary or appropriate to inform and educate the public of data privacy, data protection, and fair information rights and responsibilities.
Section 12. Confidentiality of Personal Data. Members, employees, and consultants of the Commission shall ensure at all times the confidentiality of any personal data that come to their knowledge and possession: Provided, that such duty of confidentiality shall remain even after their term, employment, or contract has ended.
Section 13. Organizational Structure. The Commission is attached to the Department of Information and Communications Technology for policy and program coordination in accordance with Section 38(3) of Executive Order No. 292, series of 1987, also known as the Administrative Code of 1987. The Commission shall remain completely independent in the performance of its functions.
The Commission shall be headed by a Privacy Commissioner, who shall act as Chairman of the Commission. The Privacy Commissioner must be at least thirty-five (35) years of age and of good moral character, unquestionable integrity and known probity, and a recognized expert in the field of information technology and data privacy. The Privacy Commissioner shall enjoy the benefits, privileges, and emoluments equivalent to the rank of Secretary.
The Privacy Commissioner shall be assisted by two (2) Deputy Privacy Commissioners. One shall be responsible for Data Processing Systems, while the other shall be responsible for Policies and Planning. The Deputy Privacy Commissioners must be recognized experts in the field of information and communications technology and data privacy. They shall enjoy the benefits, privileges, and emoluments equivalent to the rank of Undersecretary.
Section 14. Secretariat. The Commission is authorized to establish a Secretariat, which shall assist in the performance of its functions. The Secretariat shall be headed by an Executive Director and shall be organized according to the following offices:
- Data Security and Compliance Office;
- Legal and Enforcement Office;
- Finance and Administrative Office;
- Public Information and Assistance Office.
Majority of the members of the Secretariat, in so far as practicable, must have served for at least five (5) years in any agency of the government that is involved in the processing of personal data including, but not limited to, the following offices: Social Security System (SSS), Government Service Insurance System (GSIS), Land Transportation Office (LTO), Bureau of Internal Revenue (BIR), Philippine Health Insurance Corporation (PhilHealth), Commission on Elections (COMELEC), Department of Foreign Affairs (DFA), Department of Justice (DOJ), and Philippine Postal Corporation (Philpost).
The organizational structure shall be subject to review and modification by the Commission, including the creation of new divisions and units it may deem necessary, and shall appoint officers and employees of the Commission in accordance with civil service law, rules, and regulations.
Section 15. Effect of Lawful Performance of Duty. The Privacy Commissioner, the Deputy Commissioners, or any person acting on their behalf or under their direction, shall not be civilly liable for acts done in good faith in the performance of their duties: Provided, that they shall be liable for willful or negligent acts, which are contrary to law, morals, public policy, and good customs, even if they acted under orders or instructions of superiors: Provided further, that in case a lawsuit is filed against them in relation to the performance of their duties, where such performance is lawful, he or she shall be reimbursed by the Commission for reasonable costs of litigation.
Section 16. Magna Carta for Science and Technology Personnel. Qualified employees of the Commission shall be covered by Republic Act No. 8349, which provides a magna carta for scientists, engineers, researchers, and other science and technology personnel in the government.
- Extension of Filing Periods and Suspension of Hearings for March 29 to April 4, 2021: SC Administrative Circular No. 14-2021 (Full Text) - March 28, 2021
- ECQ Bubble for NCR, Bulacan, Cavite, Laguna and Rizal: Resolution No. 106-A (Full Text) - March 27, 2021
- Guidelines on the Administration of COVID-19 Vaccines in the Workplaces (Labor Advisory No. 3) - March 12, 2021