National Privacy Commission

The National Privacy Commission, or NPC, is an independent body created under Republic Act No. 10173, or the Data Privacy Act of 2012, mandated to administer and implement the provisions of the Act, and to monitor and ensure compliance of the country with international standards set for data protection. It is attached to the Philippines' Department of Information and Communications Technology (DICT) for purposes of policy coordination, but remains independent in the performance of its functions. The Commission safeguards the fundamental human right of every individual to privacy, particularly information privacy, while ensuring the free flow of information for innovation, growth, and national development.

To fulfill its mandate, the Commission is vested with a broad range of powers, from receiving complaints and instituting investigations on matters affecting personal data protection to compelling entities to abide by its orders in matters affecting data privacy. It also represents the Philippine Government internationally on data protection-related issues. The Commission formulates and implements policies relating to the protection of personal data, including the relevant circulars and advisory guidelines, to assist organizations in understanding and complying with the Data Privacy Act. The Commission also reviews organizational actions in relation to data protection rules and issues decisions or directions for compliance where necessary. It is mandated to work with relevant sector regulators in exercising its functions.

Beyond regulating data protection issues, the NPC also undertakes public and sector-specific educational and outreach activities to help organizations adopt good data protection practices and to help individuals better understand how they may protect their own personal data from misuse.

History
The Data Privacy Act of 2012 is the first law in the Philippines that acknowledges the rights of individuals over their personal data and enforces the responsibilities of the entities that process it.

The initial definition was first offered in Republic Act 8792, Section 32, better known as the eCommerce Act of the Philippines, and was formally introduced by the Department of Trade and Industry (DTI) in its Department Administrative Order #08 – Defining Guidelines for the Protection of Personal Data in Information Private Sector. Along with the Anti-Cybercrime Bill (now RA 10175), the first draft of the law started in 2001 under the Legal and Regulatory Committee of the former Information Technology and eCommerce Council (ITECC), which is the forerunner of the Commission on Information and Communication Technology (CICT). It was headed by former Secretary Virgilio "Ver" Peña and the committee was chaired by Atty. Claro Parlade. It was an initiative of the Information Security and Privacy Sub-Committee chaired by Albert Dela Cruz, who was the President of PHCERT, together with then Anti-Computer Crime and Fraud Division Chief, Atty. Elfren Meneses of the NBI. The administrative and operational functions were provided by the Presidential Management Staff (PMS) acting as the CICT secretariat.

With rising concerns from the Information Technology and Business Process Association of the Philippines (IBPAP) about the absence of a data privacy law, the Philippine Congress passed Senate Bill No. 2965 and House Bill No. 4115 on June 6, 2012. President Benigno S. Aquino III signed Republic Act No. 10173, or the Data Privacy Act of 2012, on August 15, 2012. The law was influenced by the Data Protection Directive and the APEC Privacy Framework.

On March 7, 2016, President Aquino appointed Raymund Liboro as inaugural head of the Commission, with Damian Domingo O. Mapa and Ivy D. Patdu as inaugural deputy privacy commissioners. With fixed terms of office, they continued in their roles during the administration of President Rodrigo Duterte.

After consultation with various private organizations and civil society groups, and a series of public hearings in Manila, Cebu and Davao, the Implementing Rules and Regulations of the Data Privacy Act were signed on August 24, 2016. They took effect on September 9, 2016.

In May 2016, the Commission formally investigated the Commission on Elections over the Commission on Elections data breach, one of the largest security breaches of government-held personal data. On February 21, 2017, the NPC announced that the Commission on Elections was being investigated for another security breach due to the alleged theft of a computer containing personal data of voters.

The NPC also began coordinating with different sectors on privacy and data protection. In 2016, the National Privacy Commission was accepted as a member of the International Conference of Data Protection and Privacy Commissioners and the Asia Pacific Privacy Authorities.