Authored by Bienvenido A. Marquez III, Divina Pastora V. Ilas-Panganiban and Neonette E. Pascual

The National Privacy Commission (NPC) announced on 21 March 2019 the indefinite postponement of the deadline for filing the annual security incident report (ASIR) for 2018.[1]  The initial deadline for filing the 2018 ASIR was 31 March 2019, pursuant to NPC Advisory No. 2018-01 (Guidelines on Security Incident and Personal Data Breach Reportorial Requirements) dated 2 February 2018.[2] The Commission postponed the deadline while it is still revising some of its key processes to “enhance reportorial efficiency,” “harmonize documents submission to the Department of Information and Communications Technology,” and “improve user experience for Personal Information Controllers (PICs) and Personal Information Processors (PIPs).”  According to the NPC, its system for previously submitted data, as well as the ASIR templates, will be improved and revised based on existing report templates and stakeholders’ feedback.

Clients are urged to continue to collate relevant information on any and all security incidents encountered by your personal information processing activities in order to comply with the requirements of the Data Privacy Act of 2012 for the implementation of “regular monitoring for security incidents and a process for taking preventive, corrective and mitigating action against security incident that can lead to security breach.”[3] The regular monitoring for security incidents also ensures prompt and effective data breach response mechanisms that would enable timely notification to the NPC and affected data subjects, when required, and of the implementation by the PIC of any necessary risk mitigating measures.

See our recent alert here


[1] NPC postpones submission of 2018 Annual Security Incident Report, https://www.privacy.gov.ph/2019/03/npc-postpones-submission-of-2018-annual-security-incident-report/, last accessed on 22 March 2019.
[2] “The Annual Security Incident and Personal Data Breach Report is due for submission at the end of the first quarter of the succeeding calendar year.”
[3] Section 20(c)(4), Data Privacy Act of 2012 (R.A. No. 10173).