NPC announces mandatory registration of critical sectors

Posted on Aug 22 2017 - 11:23am by Upgrade Staff

The National Privacy Commission issued a circular providing the procedure for the registration of Data Processing Systems of Personal Information Controllers (PICs) and Personal Information Processors (PIPs) subject to the mandatory registration requirement under the Data Privacy Act and its Implementing Rules and Regulations.


The NPC requires organizations that have at least 250 employees or those that process records involving sensitive personal information of 1000 or more individuals to register their data processing systems with the commission, beginning with the registration of their designated Data Protection Officers (Phase I Registration) on or before 9 September 2017.

In addition, the Privacy Commission identified critical industry sectors are required to register even if they do not meet the preceding criteria. The industry sectors are considered involved in the processing of personal data that is likely to pose a risk to the rights and freedoms of data subjects, or where the processing is not occasional.

The sectors identified were the following;

  1. Government branches, bodies or entities, including national government agencies, bureaus or offices, constitutional commissions, local government units, and government-owned and controlled corporations (GOCCs).
  2. Banks and non-bank financial institutions, including pawnshops, non-stock savings and loan associations (NSSLAS)
  3. Telecommunications networks, internet service providers and other entities or organizations providing similar services
  4. Business process outsourcing companies
  5. Universities, colleges and other institutions of higher learning, all other schools and training institutions
  6. Hospitals including primary care facilities, multi-specialty clinics, custodial care facilities, diagnostic or therapeutic facilities, specialized out-patient facilities and other organizations processing genetic data.
  7. Providers of insurance undertakings, including life and non-life companies, pre-need companies and insurance brokers
  8. Business involved mainly in direct marketing, networking, and companies providing reward cards and loyalty programs
  9. Pharmaceutical companies engaged in research
  10. Personal information processors (PIPs) processing personal data for a personal information controller (PIC) included in the preceding items, and data processing systems involving automated decision making
READ:  Creating business advantage thru digital transformation of Phl’s businesses

Personal Information Controllers (PICs) refer to a natural or juridical person, or any other body who controls the processing of personal data, or instructs another to process personal data on its behalf. On the other hand, sensitive personal information (SPI) refers to information about an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations; information about an individual’s health, education, genetic or sexual life of a person, as well as legal proceedings involving the individual. Sensitive Personal information also includes government issued identifiers and records.

The new NPC circular 17-01 provides guidelines for the registration of data processing systems as well as notification requirements regarding automated decision-making. The registration and notifications for these data processing systems (Phase II Registration) can be done on-line via the NPC’s registration portal beginning January 2018 until 8 March 2018.

According to Privacy Commissioner Raymund Enriquez Liboro: “In the information age, automated decision making through profiling can have an adverse impact on data subjects, this is the reason we have obligated registration–people should be informed of their rights as data subjects.”

For more information on the Data Privacy Act of 2012, visit

Related Posts

Kaspersky Lab joins INTERPOL-led Cybercrime Operat... Kaspersky Lab announced its participation in an INTERPOL-led cybercrime operation involving public and private sectors across the ASEAN region. Nearly...
MSI-ECS partners with DJI to launch drones, aerial... Confident about the bright prospect of drones for both personal and commercial applications in the Philippines, IT distributor MSI-ECS Philippines lau...
Banks spend on IT security 3x higher than non-fina... Financial institutions are under pressure to ramp up security, with trends such as the increased take-up of mobile banking putting banks’ IT infrastru...
Fortinet introduces Blockchain distributed ledger ... Fortinet introduced the Blockchain, a distributed ledger technology that is said to store and simplify business transactions while reducing costs and ...
KINGMAX launches AirQ Check air quality monitoring... KINGMAX launched the AirQ Check Air Quality Monitoring Mobile Device, a portable device that allows users to check air quality around them anytime, an...
OPINION | Smart city disruptions and predictions By Dr. Renato de Castro International Advisor, World e-Governments Organisation of Cities & Local Governments (WeGO) By 2030, 70 percent of the ...
Experts agree that gov’t and private sector should... “The government is working to keep the Internet safe to people and business.” This is according to Department of Information and Communications Techno...
iflix releases revamped and improved user experien... iflix, a Subscription Video on Demand (SVoD) service for emerging markets, released an all new revamped and improved iflix user experience and feature...
Gov’t, private sector launch tech-enabled initiati... Several government agencies led by the Department of Education (DepEd), in partnership with private sector companies, launched the first and biggest p...
Dell unveils next gen IT solutions Dell Philippines, in partnership with Microsoft, announced a roundup of Windows 10-based desktops, laptops and workstations; as well as new entry-leve...
About the Author

Leave A Response