Philippines: NPC issues Circulars to further strengthen personal data protection

On April 1, 2024, the National Privacy Commission (NPC) announced two circulars to further strengthen personal data protection in the Philippines. NPC Circular 2023-05 sets out the prerequisites for organizations and certification bodies (CBs) participating in the Philippine Privacy Mark (PPM) Certification Program, while NPC Circular 2023-06 governs the security of personal data in the Government and private sector.

NPC Circular 2023-05

The PPM Certification Program is an NPC initiative that assesses whether public and private organizations process personal information securely through their respective data privacy and protection management systems.

Circular 2023-05 provides the prerequisites for certification of personal information controllers (PIC) or personal information processors (PIP) and accreditation of CBs under the PPM Certification Program.

Under Circular 2023-05, a PIC or PIP seeking certification under the PPM Certification Program must be certified against ISO/IEC 27001 and ISO/IEC 27701, the standards for information security management systems (ISMS) and privacy information management systems (PIMS) respectively. Since ISO/IEC 27701 is an extension of ISO/IEC 27001, a PIMS certificate presupposes an ISMS certificate. CBs must also meet these standards, along with ISO/IEC 17021-1, to be accredited.

Circular 2023-05 took effect on March 15, 2024.

NPC Circular 2023-06

NPC Circular 2023-06 provides updated requirements for the security of personal data processed by a PIC or PIP. To ensure data security, Circular 2023-06 enumerates the general obligations of a PIC or PIP, which include the designation and registration of a data protection officer (DPO), registration of data processing systems, conducting a Privacy Impact Assessment (PIA), implementing a privacy management program, periodic training of personnel on privacy and data protection policies, and compliance with the orders of the NPC.

Circular 2023-06 also sets provisions on the storage of personal data, requiring that data subjects' information be retained only for as long as necessary and protected in line with industry standards and best practices.

Additionally, Circular 2023-06 outlines stringent provisions for access to personal data, specifying procedures for authorized personnel, acceptable use policies, secure authentication mechanisms, and measures for remote disconnection or deletion of data on mobile devices, among others.

Circular 2023-06 provides that a PIC or PIP must implement a business continuity plan to mitigate potential disruptive events. The plan must set out the process for backing up and restoring personal data and the time allowed for recovery, and it must be reviewed periodically, taking into account disaster recovery, privacy, business impact assessment, a crisis communications plan, and a telecommuting policy.

Circular 2023-06 expressly repeals NPC Circular No. 16-01 and took effect on March 30, 2024.
