Bautista to Nat'l Privacy Commission: Why punish the hacked?

The National Privacy Commission said that Commission on Elections Chair Andy Bautista's supposed willful disregard of his duties as head of agency is tantamount to gross negligence.
Philstar.com/Efigenio Toledo IV, File

MANILA, Philippines — Commission on Elections Chairman Juan Andres "Andy" Bautista questioned the decision of the National Privacy Commission finding him criminally liable for a data breach last year.

The NPC found that the Comelec violated Sections 11, 20 and 21 of Republic Act 10173 or the Data Privacy Act.

"With all due respect to the NPC membership, we believe that the NPC decision was based on a misappreciation of several facts, legal points, and material contexts," Bautista said in an official statement.

Bautista noted that many private IT companies and government agencies in the country and abroad have also been confronted by data breaches or hacking despite security measures.

The Comelec chair stressed that the agency has been following generally accepted standards and international best practices for its technology-related services.

"Given the foregoing, should the focus not be on apprehending the hackers instead of punishing the hacked?" Bautista asked.

Defending himself, Bautista added that the Comelec relied on its IT Department for expert advice on data security.

The NPC named Bautista as solely responsible for the data breach, which led to the leakage of data of millions of Filipino voters.

"As the head of agency, in areas where I did not have specific expertise, I generally trusted the advice and recommendations of our IT experts," Bautista said.

"And if Comelec IT specialists directly in charge of operating the website were found not liable, what more those who merely oversee their work and in particular, the head of agency?" the Comelec chief added.

As corrective measures, the NPC ordered the Comelec and Bautista to appoint a data protection officer and conduct an agency-wide privacy impact assessment.

The Comelec was also ordered to implement organizational, physical and technical security measures in compliance with the Data Privacy Act.
