Authored by Bienvenido A. Marquez III, Divina Pastora V. Ilas-Panganiban and Neonette E. Pascual at Quisumbing Torres

All personal information controllers and processors, including those who are not required to register with the National Privacy Commission (NPC), are advised to file their respective annual security incident reports covering the period of January to December 2018 on or before 31 March 2019. The deadline for filing the report was set by the NPC in NPC Advisory No. 2018-01 (Guidelines on Security Incident and Personal Data Breach Reportorial Requirements) dated 2 February 2018.[1] To date, the NPC has not announced whether it will extend this deadline, as contemplated in the advisory.

The Annual Security Incident Report should contain a summary of the number of security incidents[2] encountered in 2018 and categorized by type, i.e. theft, fraud, sabotage/physical damage, malicious code, hacking/logical infiltration, misuse of resources, hardware failure, software failure, hardware maintenance error, communication failure, fire, flood, design error, user error, operations error, software maintenance error, third party service, and other analogous causes.

A tally of personal data breaches[3] encountered by the personal information controller during the last calendar year must also be included in the report, classified according to whether the breach notification obligations applied and according to the breach's impact on the confidentiality, integrity, and availability of personal data.

The security incident report templates[4] should be completed by an authorized representative of the reporting company and sent to the NPC. Alternatively, the report may be filed through the NPC's online annual security incident reporting system on the NPC's official website.

Clients are urged to prepare their respective annual security incident reports in order to meet the current filing deadline of 31 March 2019. Failure to meet the reportorial requirement is a violation of NPC issuances, which the commission may take into consideration in deciding whether a personal information controller or processor should be subject to a compliance check pursuant to NPC Circular No. 18-02 (Guidelines on Compliance Checks) dated 20 September 2018. The NPC's evaluation or examination of a personal information controller's or processor's compliance with the requirements of the Data Privacy Act of 2012 and NPC issuances includes privacy sweeps, document submissions, and on-site visits.

[1] “The Annual Security Incident and Personal Data Breach Report is due for submission at the end of the first quarter of the succeeding calendar year.”

[2] “Security incident” is an event or occurrence that affects or tends to affect data protection, or may compromise the availability, integrity, and confidentiality of personal data. It shall include incidents that would result to a personal data breach if not for safeguards that have been put in place.

[3] “Personal data breach” refers to a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed. A personal data breach may be in the nature of:
(a) An availability breach resulting from loss, accidental or unlawful destruction of personal data;
(b) An integrity breach resulting from alteration of personal data; and/or
(c) A confidentiality breach resulting from the unauthorized disclosure of or access to personal data.

[4] Available at