NPC announces mandatory registration of critical sectors

Posted on Aug 22 2017 - 11:23am by Upgrade Staff

The National Privacy Commission issued a circular providing the procedure for the registration of Data Processing Systems of Personal Information Controllers (PICs) and Personal Information Processors (PIPs) subject to the mandatory registration requirement under the Data Privacy Act and its Implementing Rules and Regulations.


The NPC requires organizations that have at least 250 employees or those that process records involving sensitive personal information of 1000 or more individuals to register their data processing systems with the commission, beginning with the registration of their designated Data Protection Officers (Phase I Registration) on or before 9 September 2017.

In addition, the Privacy Commission identified critical industry sectors that are required to register even if they do not meet the preceding criteria. These sectors are considered to be involved in the processing of personal data that is likely to pose a risk to the rights and freedoms of data subjects, or where the processing is not occasional.

The sectors identified were the following:

  1. Government branches, bodies or entities, including national government agencies, bureaus or offices, constitutional commissions, local government units, and government-owned and controlled corporations (GOCCs).
  2. Banks and non-bank financial institutions, including pawnshops, non-stock savings and loan associations (NSSLAS)
  3. Telecommunications networks, internet service providers and other entities or organizations providing similar services
  4. Business process outsourcing companies
  5. Universities, colleges and other institutions of higher learning, all other schools and training institutions
  6. Hospitals including primary care facilities, multi-specialty clinics, custodial care facilities, diagnostic or therapeutic facilities, specialized out-patient facilities and other organizations processing genetic data.
  7. Providers of insurance undertakings, including life and non-life companies, pre-need companies and insurance brokers
  8. Businesses involved mainly in direct marketing, networking, and companies providing reward cards and loyalty programs
  9. Pharmaceutical companies engaged in research
  10. Personal information processors (PIPs) processing personal data for a personal information controller (PIC) included in the preceding items, and data processing systems involving automated decision making

A Personal Information Controller (PIC) refers to a natural or juridical person, or any other body, that controls the processing of personal data or instructs another to process personal data on its behalf. On the other hand, sensitive personal information (SPI) refers to information about an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations; information about an individual’s health, education, genetic or sexual life; as well as legal proceedings involving the individual. Sensitive personal information also includes government-issued identifiers and records.

The new NPC circular 17-01 provides guidelines for the registration of data processing systems as well as notification requirements regarding automated decision-making. The registration and notifications for these data processing systems (Phase II Registration) can be done on-line via the NPC’s registration portal beginning January 2018 until 8 March 2018.

According to Privacy Commissioner Raymund Enriquez Liboro: “In the information age, automated decision making through profiling can have an adverse impact on data subjects, this is the reason we have obligated registration–people should be informed of their rights as data subjects.”

For more information on the Data Privacy Act of 2012, visit
