FIVE days. Or 120 hours. Or 7,200 minutes. Or 432,000 seconds.
That’s the length of time the Department of Foreign Affairs (DFA) has before being put in the hot seat by the National Privacy Commission (DICT-NPC).
The NPC is an attached agency of the Department of Information and Communications Technology (DICT).
Headed by Commissioner Raymund E. Liboro, the NPC, the guardian of Filipinos’ data, most importantly their personal and private information, has opened an inquiry into the DFA’s supposed “data breach” concerning passport details of millions of citizens.
The privacy commission was supposed to start the probe Wednesday, January 16, at the NPC headquarters based at the Philippine International Convention Center (PICC), Pasay City, Metro Manila.
But the DFA, in a letter to the NPC addressed to lawyer Gilbert V. Santos, Director IV, Legal and Enforcement Office, requested a 10-day delay of the inquiry to be made at the latter’s office.
“(O)n behalf of the DFA, I respectfully request the proposed meeting with this Department be reset ten (10) days hence, or on or about 25 January,” said Medardo G. Macaraig, data privacy officer (DPO) at the DFA.
Instead of January 25, the NPC gave the DFA only five days, meaning the meeting would be on Monday, January 21, barring any hitch.
“This Department is still conducting an internal investigation on the matter, and would like to be able to appear before the NPC with complete information in order to satisfactorily address NPC’s queries.”
Macaraig relayed to the NPC that the DFA’s preliminary inquiries indicated the absence of a data breach because the Department and the Asia Productivity Organization (APO) Production Unit still have custody of the data of passport applicants, and the data was neither shared with nor accessed by any unauthorized third party.
NPC Commissioner Raymund E. Liboro orders fact-finding probe on alleged ‘passport data breach’ at the DFA. (Image: NPC)
Instead of the supposed meeting at the NPC on Thursday, the DFA sent representatives led by Director Anthony A.L. Mandap of the legal department but only to “formally convey” the Department’s written request for postponement.
The NPC asked the DFA representatives to give preliminary details involving the passport data issue but they were not authorized to speak more than what the DFA letter contained.
On the other hand, as the NPC statement sent to SDN — Science and Digital News indicated, the privacy commission did not show impatience, with Liboro saying their initial meeting, though short, was productive.
“The NPC’s investigation continues. In their own preliminary probe, the DFA said it is in control of the data. That says a lot already to assuage the public. The data in question is not controlled by any unauthorized parties. That was what today’s meeting with the DFA established. The data is under their safekeeping,” Liboro said.
He said he looks forward to the scheduled fact-finding meeting with DFA and APO representatives.
Liboro sees something positive arising from the incident.
“The lessons we could learn from this incident would go a long way in ensuring better government practices. They would form part of the recommendations the NPC shall later issue to government offices contracting third parties.
“We’re looking to the future for ways to further protect personal data. The law obliges data controllers like the DFA to strictly implement contractual means to protect data when they deal with third parties and government contractors. We look forward to improving on that based on lessons we learn here,” said the NPC commissioner, a former director of the Science and Technology Information Institute of the Department of Science and Technology (DOST-STII).
The NPC shared with reporters the DFA letter dated January 15.
It may be recalled that Foreign Secretary Teodoro “Teddyboy” Locsin, Jr. revealed in his Twitter feed on January 8 that the DFA’s former contractor for Philippine passports “took off” with Filipinos’ passport personal data when its contract with the Department lapsed (per a Rappler report).
He later took back his claim and said there was no data breach, only that the passport data is not accessible.
But the controversy has been stirred already.
Thus, the NPC inquiry. (EKU)