COA notes dearth of data privacy officers despite law

05:08 AM December 29, 2024

MANILA, Philippines — The Commission on Audit (COA) has called out the National Privacy Commission (NPC) for its “inadequate” information dissemination efforts, as shown by the dismal number of data privacy officers and systems in both the government and the private sector.

Despite being compulsory under the law, only 7.7 percent, or 164 of the 2,130 government agencies, had registered their data privacy officers (DPO) and data processing systems (DPS) in 2023, COA noted in its annual report.

The level of compliance was worse in the private sector, where only 0.59 percent, or 4,390 out of the 744,115 personal information processors (PIP), had registered.

Republic Act No. 10173, or the Data Privacy Act of 2012, defines the PIP as the person tasked with the processing of personal data upon the directive of another person called a personal information controller (PIC), who keeps, uses, transfers, or discloses such data.

A PIP or PIC then would have to designate a DPO, who should have expertise in data protection practices and a “sufficient understanding” of the systems used for data privacy.

“The sustainability of strengthening the commission’s compliance efforts in its data privacy response was not guaranteed with a low registration rate of [DPO] and [DPS] among the government and private entities,” the COA report said.

Limited manpower

The state auditors blamed the low compliance on the “inadequate advocacy programs [and] information dissemination” regarding the registration requirement.

They also cited the “limited manpower” of the NPC’s complaints and monitoring division and the public information and assistance division, which were supposed to push such efforts.

The low number of data privacy officers and systems in place continued to “defeat the purpose” of the DPA, the report added.

According to NPC Circular No. 2022-04, a PIP or PIC in charge of at least 250 employees should register any newly implemented data processing system within 20 days of its rollout.

An organization may register only one data privacy officer, except when it also has several branches or offices.

© Copyright 1997-2024 INQUIRER.net | All Rights Reserved
