COMMISSION on Elections Chairman Andres Bautista said Friday he would ask the Justice Department to reconsider the recommendation of the National Privacy Commission to file criminal charges against him for failing to protect the private information of millions of voters.
In an interview, Bautista said that they should focus on arresting the hacker and not punishing those being hacked.
Bautista also welcomed any investigations to be conducted by concerned agencies and directed the agency’s Information Technology Department to refer the matter to the Cyber Crimes Division of the National Bureau of Investigation and the Department of Science and Technology for independent investigation.
The NPC has earlier ruled that Bautista and the Comelec en banc were criminally liable for the cyber security breach, in violation of the Data Privacy Act of 2012.
The NPC is an independent body mandated to administer and implement the law, and to monitor and ensure compliance with international standards for data protection.
In a statement, Comelec spokesperson James Jimenez said the Comelec en banc directed the IT Department to conduct its own investigation and coordinate closely with both the NBI and DoST.
“The same unstinting cooperation was extended to the National Privacy Commission,” he said.
“The Comelec’s actions in this regard have, in fact, been characterized by openness and the desire to allow the appropriate agencies, with the requisite technical skills to conduct objective investigations, to probe the incident,” the Comelec official said.
The Comelec also pointed out that the NPC itself explicitly declared that the hacking of the Comelec website did not have any adverse effects on the elections of 2016.
“This is, in no small part, due to the Comelec’s determination precisely to “ensure that any attempt to subvert the people’s will, no matter how sophisticated, will not succeed,” Jimenez said.
He said that the hacking of computer systems is a modern global plague and it afflicts all—from the largest IT organizations in the most developed countries—both in government and in the private sector, to the individuals who only use the Internet in the most casual way.
“Enhancing the voter experience was one of Comelec’s two cornerstones during the last May 2016 elections. Towards this end, in the face of this continuing threat which grows in sophistication with every passing day, the Comelec remains steadfast in its commitment to do the best it can to protect the private information of voters,” he added.
The Palace, however, said the Comelec should explain what enabled hackers to gain access to the private information of millions of registered voters.
“It is an issue that simply cannot be swept under the rug,” Communications Secretary Martin Andanar said in a statement.
“We exhort Comelec [to] release a report of an investigation it conducted on the data leak, if any, to maintain the credibility of the constitutional body and uphold the integrity of the electoral process,” he said.
“Let us put an end to election-related maneuverings and ensure that any attempt to subvert the people’s will, no matter how sophisticated, will not succeed,” he added.
On Thursday, the NPC found the Comelec liable for violating the Data Privacy Act of 2012 and recommended the criminal prosecution of Bautista for “the worst recorded breach on a government-held personal database in the world” last March.
In a decision, dated Dec. 28, the NPC underscored Bautista’s “lack of appreciation” of the principle that data protection is more than just implementation of security measures.
“The willful and intentional disregard of his duties as head of agency, which he should know or ought to know, is tantamount to gross negligence,” the decision read.
“The lack of a clear data governance policy, particularly in collecting and further processing of personal data, unnecessarily exposed personal and sensitive information of millions of Filipinos.
Bautista, however, denied committing any wrongdoing for what has since been called the “Comeleak” that occurred between March 20 and 27 last year and argued that the NPC’s allegations were based on a “misappreciation” of several facts, legal points, and material contexts.
Those included in the data breach were voter databases in the Precinct Finder web application with 75,302,683 records; the voter database in the Post Finder web application with 1,376,067 records; the iRehistro registration database with 139,301 records; the firearms ban database with 896,992 personal data records and 20,485 records of firearms serial numbers; and the Comelec personnel database with 1,267 Comelec personnel.