Comelec chair ‘criminally liable’ for data leak
The National Privacy Commission says that the Commission on Elections and its chairman Andres Bautista violated provisions of the Data Privacy Act of 2012
LIABILITY. Commission on Elections Chairman Andres Bautista. File photo by Joel Liporada/Rappler
MANILA, Philippines – The National Privacy Commission (NPC) found that Commission on Elections (Comelec) Chairman Andres Bautista is “criminally liable” for the leak of voters’ data in March 2016.
In response, Bautista said that the privacy body’s decision was based on “misappreciation of several facts, legal points, and material contexts.”
In its 35-page decision on December 28, 2016, the NPC found that the poll body, as the personal information controller, violated Sections 11, 20, and 21 of Republic Act 10173 or the Data Privacy Act of 2012.
The NPC also said that Bautista likewise violated Sections 11, 20, 21, and 22 of the same law.
In a statement on Thursday, January 5, the NPC underscored Bautista’s “lack of appreciation” of the principle that data protection is more than just the implementation of security measures.
The privacy body also said that Bautista’s “willful and intentional disregard of his duties as head of agency, which he should know or ought to know, is tantamount to gross negligence.”
The data leak involved 75,302,683 voters’ registration records (including deactivated or disapproved records) in Comelec’s Precinct Finder web application, 1,376,067 records in its Post Finder web application, plus 139,301 records in its iRehistro portal, 896,992 records in its gun ban database, 20,485 records of firearms serial numbers, and records of 1,267 Comelec personnel.
Hackers were able to access these data in late March and made it available to the public through a searchable website. The website was soon taken down.
“The lack of a clear data governance policy, particularly in collecting and further processing of personal data, unnecessarily exposed personal and sensitive information of millions of Filipinos to unlawful access,” it added.
“[I]t also includes the implementation of physical and organizational measures, as well as regular review, evaluation, and updating of Comelec’s privacy and security policies and practices,” the NPC said in its decision.
Section 26 of RA 10173, which penalizes accessing sensitive personal information due to negligence, imposes imprisonment from 3 to 6 years and a fine between P500,000 and P4 million.
Section 36 imposes additional penalties when the offender is a public officer, consisting in the disqualification from public office for a period equivalent to double the term of criminal penalty.
Corrective measures
The NPC, however, cleared Comelec commissioners Christian Robert Lim and Al Parreño, executive director Jose Tolentino Jr, spokesperson James Arthur Jimenez, and information technology officers Ferdinand de Leon, Jeannie Flororita, and Eden Bolo from criminal responsibility.
NPC Deputy Commissioner Ivy Patdu said the body did not find sufficient evidence to recommend charges against these officials. She added that the responsibility “ultimately falls within the head of agency.”
The NPC also clarified that the results of the 2016 elections were not affected. “In its zeal to protect the vote, it failed to protect the voter,” said Deputy Commissioner Damian Domingo Mapa.
In addition, the privacy body ordered the Comelec and Chairman Bautista to conduct an “independent security audit of all of its personal data processing systems, including those hosted by service providers, within 3 months and conduct a similar audit annually for the next 5 years.”
The NPC also ordered the Comelec to do the following corrective measures:
1. appoint a data protection officer within 1 month from receipt of the decision
2. conduct a privacy impact assessment within 2 months from receipt
3. create a privacy management program within 3 months from receipt
4. create a breach management procedure within 3 months from receipt
5. implement organizational, physical, and technical security measures within 6 months from receipt ##
2. conduct a privacy impact assessment within 2 months from receipt
3. create a privacy management program within 3 months from receipt
4. create a breach management procedure within 3 months from receipt
5. implement organizational, physical, and technical security measures within 6 months from receipt ##
– Rappler.com