MANILA, Philippines — The National Privacy Commission on Thursday found Commission on Elections Chairman Juan Andres "Andy" Bautista criminally liable for a breach of the Comelec's database last year.
Prior to the May 2016 national elections, the Comelec website was hacked, which later led to the leakage of voters' data.
"The voter database in the Precinct Finder application contained each voter's complete name, date of birth, gender, civil status, address, precinct number, birthplace, disability, voter identification number, voter registration record number, reason for deletion/deactivation, registration date and update time," the privacy commission said.
Data on millions of Filipino voters stolen from the Comelec database was made available online for downloading by a group of hackers.
In its decision, the commission stressed Bautista's lack of appreciation for data protection, which it said is more than just the implementation of security measures.
"Data privacy is more than the deployment of technical security; it also includes the implementation of physical and organizational measures, as well as regular review, evaluation and updating of Comelec's privacy and security policies and practices," the NPC said in its decision dated Dec. 28, 2016 and released Thursday.
The Comelec violated Sections 11, 20 and 21 of Republic Act 10173, or the Data Privacy Act, in the discharge of its duty as personal information controller, the commission said.
Bautista also violated several provisions of the same law, the NPC said.
The Data Privacy Act penalizes accessing sensitive personal information due to negligence and imposes imprisonment from three to six years and a fine from P500,000 to P4 million.
The law also imposes additional penalties when the offender is a public officer, consisting of disqualification from public office.
The NPC concluded that Bautista's willful and intentional disregard of his duties as head of agency is tantamount to gross negligence.
"A head of agency making his acts depend on the recommendations of the executive director of the Information Technology Department amplifies the want of even slight care. The duty to obey the law should begin at the top and should not be frustrated simply because no employee recommended such action," the decision read.
Bautista was ordered to appoint a data protection officer and conduct an agency-wide privacy impact assessment.
The NPC also recommended that Justice Secretary Vitaliano Aguirre II look further into possible prosecution under the Cybercrime Prevention Act.