I was about to title this essay “AFP exempted from NPA” to catch the attention of readers. However, I decided on a straightforward title instead. Would a title like that really draw the curiosity and attention of the right people to what I actually meant? The “NPA” might be a diversionary tactic: people interested in the topic of data privacy would not read the essay, while, on the other hand, civil-military operators who opened the link would only be disappointed that the topic is not for them. In this article, by the way, I am NOT referring to the New People’s Army but to the National Privacy Act of 2012, better known as Republic Act (RA) No. 10173.
As we all know, the National Privacy Commission (NPC) is the government agency in charge of data privacy in the Philippines, covering both implementation and punitive regulation. According to the NPC, RA 10173 is founded on “the policy of the State to protect the fundamental human right to privacy of an individual while ensuring free flow of his/her information to promote innovation and growth”. The State’s inherent obligation, therefore, is to ensure that personal information is secured and protected.
The gist of the law is simply that personal data entrusted by a citizen to any entity must be protected and not shared with third parties. For example, the data in the Personal Data Sheet (PDS) that a person submits must not be shared with any insurance or lending company.
Personal data go through a life cycle, namely: collection, storage, use, disclosure, retention and disposal.
In the AFP, personnel are referred to as GIs, which means “Government Issues”. The last stage of their information life cycle, DISPOSAL, is never observed. The personal information of all AFP personnel is archived at the Non-Current Record Office of the Office of The Adjutant General (OTAG). In this manner, the process the AFP observes is a blatant violation of the regulation imposed by the NPC. Thus, the AFP must be exempted!
Another point: a Data Protection Officer (DPO) should observe the Breach Reporting Procedures stipulated by law. DPOs are required to notify the NPC and the affected persons or data subjects immediately, within seventy-two (72) hours upon knowledge of a breach, or even when there is only a reasonable belief by the personal information controller or personal information processor that a personal data breach requiring notification has occurred. The DPO shall notify the NPC by submitting a report, whether written or electronic, containing the required contents of notification. The report shall also include the name of a designated representative of the personal information controller and his or her contact details.
For this reason, I firmly believe that the Department of National Defense (DND) and the Armed Forces of the Philippines (AFP) must be exempted from this Republic Act with regard to reporting breaches. The breach might be state-sponsored hacking and should be handled with secrecy and care. The AFP must be the one to investigate and identify the attackers by itself. If the NPC is involved, it might hastily announce its findings, accusing the countries from which the possible attacks are coming. This might trigger a cyberwar. Thus, the AFP must be exempted!
I also firmly believe that the DND and AFP must be exempted from this Republic Act with regard to audit and inspection by the NPC and its imposition of punishments.
There are different security classifications for handling AFP documents, namely:
- Classified;
- Restricted;
- Secret; and
- Top Secret
The AFP database is considered “Top Secret”. Auditors from the NPC must have the necessary clearances from ISAFP to perform their mandate inside camps. In the background investigation, the subject must not be related to anyone in an organized crime or terrorist group. If found to be connected, they will be subject to inquiry or investigation … NPC auditors must be totally clean! To avoid embarrassment, it would be better for the NPC to forgo the audit and let the AFP be exempted!
For these same reasons, Article 23 of the General Data Protection Regulation (GDPR) of the European Union (EU) exempted from audit all matters related to national security and defense. So why not follow suit?
However, I still believe that the DND should observe the Act through self-regulation only. The ruling body tasked with regulation would be the DND’s DPO Council, composed of DPOs from the DND’s different bureaus …