The newly formed National Privacy Commission has recommended the filing of criminal charges against Commission on Elections Chairman Andres Bautista for the massive data breach in which the personal data of millions of voters were compromised in March 2016.
The move is a pointed reminder to those entrusted with sensitive data to do all they can to safeguard the privacy of that information and to make sure it does not fall into unauthorized hands.
In what has been described as one of the world’s worst recorded data breaches of a government office, hackers gained access to 16 databases kept in the Comelec website on March 27, 2016, and made these public.
The stolen archive was full of sensitive data, including personal and passport information and fingerprint data, leaving every registered voter in the Philippines susceptible to fraud, identity theft and other risks.
The stolen information included the voter database in the Precinct Finder web application with 75.3-million records and the voter database in the Post Finder web application with 1.38-million records. Also stolen were a firearms ban database, with 896,992 personal data records and 20,485 records of firearms serial numbers, and the Comelec personnel database of 1,267 Comelec officials and employees.
The voter database in the Precinct Finder application contained each voter’s complete name, date of birth, gender, civil status, address, precinct number, birthplace, disability, voter identification number, voter registration record number, reason for deletion or deactivation, registration date, and update time.
The voter database in the Post Finder application contained information on each voter’s verified name, date of birth, gender, civil status, post of registration, passport information (with number and expiry date), taxpayer identification number, e-mail address, mailing address, spouse’s name, the complete names of the voter’s mother and father, the voter’s addresses in the Philippines and abroad, and post or country of registration.
In its decision dated Dec. 28, the Commission said Bautista’s “willful and intentional disregard of his duties as head of agency” was tantamount to gross negligence, and recommended that charges be filed against him for violations of the Data Privacy Act of 2012.
In his defense, Bautista sought to pass on the responsibility to others in the Comelec, including his fellow commissioners and the IT Department on which he depended for expert advice.
“The chairman, after exercising the diligence required by law in supervising and monitoring all departments under him… is not the collector, processor, and custodian of the database,” Bautista said.
He added that as head of agency, he generally trusted the advice and recommendation of the Comelec’s IT experts. If those experts were not found liable, why should he be held responsible, he said.
The answer to Bautista’s query, however, can be found in Section 22 of the Data Privacy Act itself, which states that the head of each government agency shall be responsible for complying with the security requirements laid out in the law.
One clear sign that Bautista did not take data privacy seriously was his efforts to play down the impact of the website hacking in March 2016.
Then in June last year, Bautista’s fellow commissioners called him out for failing to act with urgency on the hacking of the Comelec website.
They said Bautista declined to assume direct control and supervision of the task force created after the incident, “asserting that he is constrained by his limited information technology knowledge.”
In response, they pointed out that as the commission’s chief executive, he “is mandated to direct and supervise” operations and administration of the poll body, including that of the IT Department.
“The lackadaisical attitude towards complying with relevant laws fosters a suspicion of a complete abandon[ment] of the functions and duties of a head of agency. Further, even the National Privacy Commission has aired its complaint of the difficulty as well as slow pace in obtaining documents from the Commission relevant to their investigation,” the commissioners wrote.
Now, Bautista’s inaction seems to have caught up with him. All too late, he might finally realize that data privacy is a serious business, after all.