Commission: Charge Comelec chair for ‘Comeleak’
Comelec Chair Andres Bautista. INQUIRER PHOTO / ELOISA LOPEZ
The National Privacy Commission recommended the filing of criminal charges against Commission on Elections (Comelec) chair J. Andres Bautista, who was found to have committed “gross negligence” of his obligations under the Data Privacy Act of 2012.
This came to light following an investigation into a March 2016 hacking incident that exposed the personal information of millions of voters after data such as their full names, addresses, passport details and birthdays were posted on a website that has since been taken down.
The leakage, dubbed Comeleak, has been described globally as the worst ever recorded breach of a government-controlled database.
READ: Bautista questions NPC decision deeming him liable for ‘Comeleak’
Privacy commission officials said in a press briefing Wednesday that evidence had been turned over to the Department of Justice, which was expected to pursue the case. Nevertheless, they also said that the integrity of the May 9, 2016, polls was not affected by the leak.
The announcement on Wednesday followed a Dec. 28, 2016 decision by the commission that detailed how the Comelec and Bautista violated several provisions of the Data Privacy Act, or Republic Act 10173.
According to the findings, the Comelec failed to address even basic data privacy principles: it had no existing policy covering data privacy and even lacked a data protection officer.
“What is clear is the lack of appreciation on the part of the Comelec chairman that data protection is more than just implementing of security measures, but must begin from the time of collection of personal data, to its subsequent use and processing up to its storage and destruction,” a portion of the Privacy Commission decision read.
According to the Privacy Commission, the breach hit several databases.
There was the voter database in the Precinct Finder web application with 75.3 million records, the database in the Post Finder with 1.38 million records, the iRehistro database with 139,301 records, the firearms ban database with 896,992 records (20,485 firearms’ serial numbers) and the Comelec personnel database, with 1,267 records.
READ: 55M at risk in ‘Comeleak’
The Commission said the database in the Precinct Finder contained complete names, birthdays, gender, civil status, address, birthplace, disabilities, voter ID, voter registration record number, among others.
The Post Finder application had even more details, such as passport information, biometrics description, taxpayers identification numbers, mailing addresses, names of spouses, profession, height, weight, and physical identifying marks.
This indicated how much personal data are “now most likely in the hands of criminal elements”, the commission said.
“The wilful and intentional disregard of his duties as head of agency, which he should know or ought to know, is tantamount to gross negligence,” the Privacy Commission said, referring to Bautista.
The commission also ordered several “corrective measures.”
It ordered Comelec to appoint a data protection officer within one month, conduct an agency-wide privacy impact assessment within two months, and create a privacy management program and breach management procedure in three months.
The commission also recommended that DOJ launch an investigation under the Cybercrime Prevention Act on its findings that one of the computers used in the Comelec data breach had an IP address registered with the National Bureau of Investigation.
The Commission said Section 26 of the Data Privacy Act, where the violations occurred, detailed a prison term of from three to six years and a fine of from P500,000 to P4 million. Section 36 shows added penalties for an offender who is also a public officer. This involved disqualification from public office for a period equivalent to double the term of the criminal penalty. CBB/rga
