Gov't should protect citizens' personal data – NPC's Liboro
MANILA, Philippines – With governments storing more information about their people, it is crucial to protect data from the threat of hacking and other cybersecurity attacks.
In an interview with Rappler on Thursday, January 12, National Privacy Commission (NPC) head Raymund Liboro said the government should be better equipped in terms of data privacy and cybersecurity.
"The law is very harsh on government because it is the government's role to protect the citizens. We cannot leave the fighting to our own citizens in this regard," Commissioner Liboro said. "The problem is so huge, the government should set an example and take the lead."
This is in light of an NPC ruling on January 5 where the Commission on Elections (Comelec) and its chairman Andres Bautista were found to have violated Republic Act 10173 or the Data Privacy Act of 2012, following the leak of over 70 million voters' registration data in March 2016.
The NPC also found Bautista "criminally liable" for the data breach, "on account of gross negligence."
"It's a direct result of a failure to implement and execute a top-to-bottom approach in data protection, the lack of a clear governance policy when it comes to data security and data privacy, handling sensitive personal information. Basically, the hands-off policy that Bautista took as head of agency," Liboro said.
While Bautista argued that more attention should be given to punishing the hackers instead of the hacked, Liboro said the Data Privacy Act "spells out the obligations of those that process the data."
With the Comelec being one of the country's biggest processors of personal data, Liboro said the poll body "should have recognized that this law is actually addressing their role as a personal [information] controller."
Nonetheless, Liboro recognized that the Comelec has implemented more stringent measures since the hacking incident.
"I was quite happy yesterday because I got a letter from the Comelec, and they were about to conduct a 3-day seminar involving Comelec executives on the law," he said.
"By all means, if we can help them through the process, then we will be very happy to do that."
'21st century response'
Liboro also clarified that the Comelec "is not being faulted here just because they were hacked."
"What we do is actually, whenever you get hacked, the privacy commission will not go there to ask you how many millions you spent on hardware or software, or who are your IT 'superstars,'" he said. "It's basically, did you follow the requirements of the law?"
Liboro called RA 10173 a "self-executory," "comprehensive," and "world-class law."
"The Data Privacy Act, it's a 21st century law for 21st century concerns and crimes. You cannot address 21st century crimes by thinking 20th century or [by sticking to] practices that we've done in the 20th century," he said.
He shared the NPC's "5 commandments" for government agencies and private organizations that handle personal information:
- Commit to comply: Appoint a Data Protection Officer (DPO)
- Know your risks: Conduct a Privacy Impact Assessment
- Write your plan: Create a Privacy Management Program
- Be accountable: Implement your privacy and data protection measures
- Be prepared for breaches: Regularly exercise your Breach Reporting Procedure
"Privacy is a right. Collecting data is not," the commissioner pointed out.
"Our call is for everyone to be prepared, because [online attacks] might happen to you anytime."
Culture of privacy
He added, "It's really painful, because these are the lessons we learn when these things happen: Response will always be more difficult and expensive than prevention." (READ: Experts fear identity theft, scams due to Comelec leak)
Liboro reminded the public to "start being aware and start practicing what I call data security or data privacy hygiene, like changing your passwords regularly, being aware of malware, or not clicking suspicious attachments in your email." (READ: After Comelec data leak, what to do to protect yourself?)
With recent events exposing the dangers and the threats of the Internet, Liboro emphasized the importance of putting up safeguards to secure data.
"I think we should all band together... in developing an enlightened populace... a discerning populace," he said. "The march toward digital cannot be stopped."
Liboro then said that his mission in the NPC "is to build this culture of privacy for the population... Privacy is not dead. Privacy is important."
"If we can have responsible digital citizens now, probably our children will also hopefully develop a kind of good practice or best practice or a kind of discernment. That's the only way we can influence the next generation."
He added that data privacy and security are "not only for the geeks" but rather "something that should be second nature to any organization."
"Data has value. Data will outlive all hardware, software, computer systems. It will outlive anyone here," Liboro said.
"You've got to handle data the way you handle money, the way you handle something that you love. It's not something that you give away." – Rappler.com