THE National Privacy Commission (NPC) has recommended the filing of criminal charges against Commission on Elections (Comelec) Chair Andres Bautista over the leak of the personal information of millions of voters during the 2016 polls.
In a decision dated December 28, the NPC said it found the Comelec guilty of several violations of the Data Privacy Act of 2013 for the data leak that occurred between March 20 and 27, 2016.
In its 35-page decision, the NPC said the Comelec violated Sections 11, 20, and 21 of Republic Act 10173 or the Data Privacy Act of 2013.
Comelec chief Bautista was also found to have violated the same sections, as well as Section 22 in relation to Section 26 of the Data Privacy Act.
The NPC criticized Bautista for not acting on the Comelec's need for stricter cybersecurity measures and named him as solely liable for the data breach.
"Data privacy is more than the deployment of technical security. It also includes the implementation of physical and organizational measures, as well as regular review, evaluation, and updating of Comelec's privacy and security policies and practices," the decision read.
As corrective measures, the NPC ordered Bautista to appoint a data protection officer and conduct an agency-wide privacy impact assessment.
The poll body was also ordered to implement organizational, physical and technical security measures in compliance with the Data Privacy Act.
On March 27, 2016, a group of hackers defaced the Comelec's page and exposed the personal information of more than 55 million voters.
Global security software company Trend Micro called the data leak the "biggest government related data breach in history."
In a statement issued on Thursday, Bautista questioned the decision of the NPC and defended himself and the poll body, saying that the ones who should be punished are the hackers and not the hacked.
"As the head of agency, in areas where I did not have specific expertise, I generally trusted the advice and recommendations of our IT experts," Bautista said.
"And if Comelec IT specialists directly in charge of operating the website were found not liable, what more those who merely oversee their work and in particular, the head of agency?" the Comelec chief added.
Bautista also argued that many private IT companies and government agencies abroad have also been victims of hacking despite strict security measures. (Sunnex)