When it's your laptop but not your data, do you report the breach?
Thanks to the fact that my friends know I work in Privacy, I am usually at the receiving end of random questions on data breaches. The other day, the question I got was: If a company-issued device containing personal data was stolen, is the company required to report the personal data breach to the National Privacy Commission (NPC)? Interesting question.
Here are our facts: Company A issues a laptop to Mr. Employee for his use while working from home during the Enhanced Community Quarantine period (the "lockdown"). Company A instructs Mr. Employee that the device is to be used exclusively for the performance of his work, which does not involve the processing of personal data. However, Mr. Employee does not heed Company A's instructions. He uses the laptop for his personal transactions, storing scans of his government-issued IDs on the laptop. One day, Mr. Employee forgets the laptop in the backseat of his car and the laptop is stolen. Mr. Employee immediately reports the theft to Company A and discloses that copies of his government-issued IDs are saved on the laptop.
Section 11 of NPC Circular No. 16-03 on Personal Data Breach Management (which we discussed in a previous post) sets the following requisites for mandatory reporting. Note that all three requisites must be present:
The personal data involves sensitive personal information or any other information that may be used to enable identity fraud;
There is a reason to believe that the information may have been acquired by an unauthorized person; and
The PIC or the NPC believes that the unauthorized acquisition is likely to give rise to a real risk of serious harm to any affected data subject.
Since we know that scans of government-issued IDs were stored on the laptop and that the laptop was stolen, the first and second requisites are present. For purposes of our discussion, we also assume that the theft is likely to give rise to a real risk of serious harm to Mr. Employee. Given this, it appears that we can tick all the boxes for mandatory reporting.
Is Company A obligated to report the personal data breach to the NPC?
To answer this question, we go back to the Implementing Rules and Regulations of the Data Privacy Act (the "IRR"). Section 38 of the IRR states that it is the personal information controller (PIC) that notifies the NPC and the affected data subjects of a personal data breach. The IRR defines a PIC as "a natural or juridical person, or any other body who controls the processing of personal data, or instructs another to process personal data on its behalf."
In this case, the personal data was not related to Mr. Employee's performance of his work functions. Company A did not instruct Mr. Employee to save his IDs on the laptop, and the processing of that personal data was not under Company A's control. In other words, Company A was not the PIC of that personal data of Mr. Employee. Considering that Section 38 of the IRR places the reporting obligation on the PIC, and Company A is not the PIC of the personal data involved, I would say that Company A is not obligated to report the personal data breach to the NPC.