Analysis: NPC Recommends Prosecution of COMELEC Chairman Bautista for Data Privacy Breach (Part I of II)

Last January 5, 2017, the National Privacy Commission (NPC) recommended the filing of criminal charges against COMELEC Chairman Andres Bautista in the aftermath of the “Comeleak” incident.

As of time of writing, the NPC has not yet released the full text of its decision. However, portions of the Commission’s reasoning can be read in an article on its official website.

According to the NPC, the COMELEC Chairman’s culpability lies in his failure to take adequate measures to secure the COMELEC’s voter registration databases, which contains what the law defines as personal and sensitive personal information. Quoting the decision, the online article reads:

[T]he wilful and intentional disregard of his duties as head of agency, which he should know or ought to know, is tantamount to gross negligence. The lack of a clear data governance policy, particularly in collecting and further processing of personal data, unnecessarily exposed personal and sensitive information of millions of Filipinos to unlawful access.

A head of agency making his acts depend on the recommendations of the Executive Director or the Information Technology Department amplifies the want of even slight care. The duty to obey the law should begin at the top and should not be frustrated simply because no employee recommended such action…
The decision is sanctioned under the NPC’s power under Section 7(b) of the Data Privacy Act to receive complaints and institute investigations, as well Section 7(i) of the said law, which allows the NPC to recommend to the Department of Justice (DOJ) the prosecution of any of the violations specified under the law.

It will still be up to the DOJ to conduct its own investigation and decide if there is sufficient evidence to support a formal charge.

Read more from: Elegal.ph