‘Comeleak’: Poll chief rapped for data breach
THE National Privacy Commission found the Commission on Elections liable for violating the Data Privacy Act of 2012 and recommended the criminal prosecution of Chairman J. Andres D. Bautista for “the worst recorded breach on a government-held personal database in the world” last March.
In a decision, dated Dec. 28, on NPC Case No. 16-001, the NPC underscored Bautista’s “lack of appreciation” of the principle that data protection is more than just implementation of security measures.
“The wilful and intentional disregard of his duties as head of agency, which he should know or ought to know, is tantamount to gross negligence,” the decision read.
“The lack of a clear data governance policy, particularly in collecting and further processing of personal data, unnecessarily exposed personal and sensitive information of millions of Filipinos.
“A head of agency making his acts depend on the recommendations of the Executive Director or the Information Technology Department amplifies the want of even slight care. The duty to obey the law should begin at the top and should not be frustrated simply because no employee recommended such action,” the NPC added.
But Bautista denied committing any wrongdoing for what has since been called the “Comeleak” that occurred between March 20 and 27 last year and argued that the NPC’s allegations were based on a “misappreciation” of several facts, legal points, and material contexts.
Bautista challenged the NPC to file charges against him and said he will face any case, even impeachment, in connection with the massive leak of millions of voters’ personal information from the Comelec database.
The document said Bautista personally violated the provisions of Sections 11, 20, 21 and 22 in relation to Section 26 of the same law.
Section 26, which penalizes accessing sensitive personal information due to negligence, imposes imprisonment of three to six years and a fine of P500,000 to P4,000,000.
The NPC said the data breach showed the poll body violated Sections 11, 20 and 21 of Republic Act No. 10173 in discharging its duty as “personal information controller.”
“Data privacy is more than the deployment of technical security. It also includes the implementation of physical and organizational measures as well as regular review, evaluation, and updating of Comelec’s privacy and security policies and practices,” the decision read.
Meantime, Section 36 accords additional penalties when the offender is a public officer, specifically disqualification from public office for a period equivalent to double the term of the criminal penalty.
The personal data in the breach is contained in several databases kept on the website: (a) the voter database in the Precinct Finder web application with 75,302,683 records; (b) the voter database in the Post Finder web application with 1,376,067 records; (c) the iRehistro registration database with 139,301 records; (d) the firearms ban database with 896,992 personal data records and 20,485 records of firearms serial numbers; and (e) the Comelec personnel database with records of 1,267 Comelec personnel.
Further illustrating the breadth of the breach, the NPC decision also gave a rundown of what types of compromised sensitive personal information were contained in Comelec’s two web-based applications.
“The voter database in the Precinct Finder application contained each voter’s complete name, date of birth, gender, civil status, address, precinct number, birthplace, disability, voter identification number, voter registration record number, reason for deletion/deactivation, registration date, and update time.”
“The voter database in the Post Finder application contained information on each voter’s verified name, date of birth, gender, civil status, post of registration, passport information, with number and expiry date, taxpayer identification number, e-mail address, mailing address, spouse’s name, the complete names of the voter’s mother and father, the voter’s addresses in the Philippines and abroad, post or country of registration, old registration information, Philippine representative’s complete name, citizenship, registration assistor, profession, sector, height and weight, identifying marks, biometrics description, voting history, mode of voting, and other textual reference information for the voter registration system,” the decision further reads, depicting how much personal data are now most likely in the hands of criminal elements as a result of the Comelec data breach.