COMELEC chief liable for violating data privacy, says national privacy commission

(Eagle News) — The Commission on Elections (COMELEC) and its chair Juan Andres Bautista violated the Data Privacy Act of 2012 and should be charged criminally, according to the National Privacy Commission.

This is for the leakage of voters’ data prior to the May 2016 elections when the Comelec’s website was hacked.

“The voter database in the Precinct Finder application contained each voter’s complete name, date of birth, gender, civil status, address, precinct number, birthplace, disability, voter identification number, voter registration record number, reason for deletion/deactivation, registration date and update time,” the privacy commission said.

The NPC said that Bautista faces a possible fine of P500,000 to P4 million and a jail term of three to six years if he is found guilty of negligence that allowed outsiders to access sensitive personal information.

These penalties are provided under the Data Privacy Act.

“A head of agency making his acts depend on the recommendations of the executive director of the Information Technology Department amplifies the want of even slight care. The duty to obey the law should begin at the top and should not be frustrated simply because no employee recommended such action,” stated the NPC decision dated Dec. 28, 2016 released on Thursday, January 5, 2017.

Valuable information on millions of Filipino voters was stolen from the Comelec database as a result of the hacking, and was made available online for downloading by the hackers.

Bautista could also be disqualified from public office as an additional penalty.

The privacy commission said that Bautista’s willful and intentional disregard of his duties as head of agency was tantamount to gross negligence.

He was ordered to appoint a data protection officer and conduct an agency-wide privacy impact assessment.

The commission also recommended that the Department of Justice look into possible prosecution under the Cybercrime Prevention Act.

According to the NPC decision, Comelec violated Sections 11, 20 and 21 of Republic Act 10173, or the Data Privacy Act, in the performance of its duty as personal information controller.

It said that Bautista had also violated several provisions of the same law.

The NPC pointed out the Comelec chair’s “lack of appreciation” for data privacy.

“Data privacy is more than the deployment of technical security; it also includes the implementation of physical and organizational measures, as well as regular review, evaluation and updating of Comelec’s privacy and security policies and practices,” the NPC said in its decision.

Meanwhile, Comelec Chair Bautista questioned the NPC’s ruling, saying that hacking of websites happens worldwide and that he and the poll body should not be made responsible for any breach in the Comelec’s database.

He also questioned the credibility of the NPC which was only established in March last year.

Bautista, in an interview with CNN Philippines, said he was surprised by the NPC’s decision.

“This is surprising because in my view, there were mistakes that the NPC noticed. Hacking happens all over the world. Even the U.S. government was hacked. The effort should be focused on arresting the hackers instead of punishing those who were hacked,” he said.

He also defended the Comelec, denying that there was negligence on their part as concluded by the NPC.
