Thales banner

Data Security Compliance with NPC Circular 2023-06

Thales can help organizations in the Philippines protect personal data and comply with the guidelines with a Data-centric Security approach.

National Privacy Commission (NPC) Circular 2023-06

APAC

On April 1, 2024, the National Privacy Commission (NPC) issued Circular 2023-06 to strengthen personal data protection in the Philippines by governing the security of personal data in the government and private sector. The NPC Circular 2023-06 for the Security of Personal Data in the Government and Private Sector provides updated requirements for the security of personal data.

As one of the leaders in data security, Thales enables organizations to comply with this circular in some key sections by recommending the appropriate data security and identity management technologies.

  • Regulation
  • Compliance

Regulation Overview

The NPC Circular 2023-06 for the Security of Personal Data in the Government and Private Sector provides updated requirements for the security of personal data processed by a personal information controller (PIC) or a personal information processor (PIP). The Circular also sets provisions on the storage of personal data, ensuring data subjects’ information is stored for the necessary duration and protected through industry standards and best practices.

Additionally, the Circular outlines stringent provisions for access to personal data, specifying procedures for authorized personnel, acceptable use policies, secure authentication mechanisms, and measures for remote disconnection or deletion of data on mobile devices, among others.

Penalties 

Violating the Circular may result in the issuance by the NPC of compliance and enforcement orders, cease and desist orders, temporary or permanent ban on the processing of personal data, or payment of fines against the PIC or PIP. In addition, failure to comply with the Circular may result in criminal, civil and administrative liabilities and disciplinary sanctions against any erring officer or employee of the PIC or PIP. There is a transitory period of 12 months from the effectivity of the Circular or until 30 March 2025 to comply with the foregoing requirements.

Thales helps organizations comply with Circular 2023-06 by addressing some of the sections on Privacy Impact Assessment (PIA), Control Framework for Data Protection, Privacy-By-Design and Privacy-By-Default, Storage, Access and Disposal of Personal Data.

NPC Circular 2023-06

Thales Solutions

2.1 Data Classification

 

SECTION 5. Privacy Impact Assessment (PIA) - a data inventory

A crucial step is understanding what constitutes sensitive data, where and how it is stored, and who can access it, and introducing data activity monitoring.

CipherTrust Data Discovery & Classification discovers and classifies data in all the data stores in an organization’s data estate, from structured to semi-structured to unstructured across on-premises, hybrid, cloud, and multi-cloud environments. This visibility enables organizations to build a robust data privacy and security foundation.

Imperva Data Security Fabric Data Activity Monitoring (DAM) is a comprehensive solution that not only classifies and discovers valuable data but also provides proactive controls, predictive analytics, and security assessments, enabling centralized command across file stores, assets, and multiple clouds.

  • Imperva Data Security Fabric (DSF) improves data governance by identifying sensitive data, enabling better understanding, workflow management, and compliance reporting by mapping file and database servers.
  • Imperva Data Security Fabric Data Risk Analytics (DRA) Imperva Data Security Fabric Data Risk Analytics monitors and analyzes data access by database and privileged user accounts, detecting compliance or security policy violations. It provides real-time alerts, user access blocking, and cost-effective data retention for audits.

SECTION 6. Control Framework for Data Protection

Imperva Data Security Fabric Data Activity Monitoring (DAM) is a continuous monitoring system that provides detailed audit trails for various data storage platforms, including relational databases, NoSQL databases, mainframes, big data platforms, and data warehouses, and automatically captures detailed data activity for auditing purposes.

RULE II: EMBEDDING PRIVACY-BY-DESIGN AND PRIVACY-BY-DEFAULT

 

SECTION 7. Privacy-By-Design and Privacy-By-Default

Organizations can secure sensitive data privacy by design with Thales Tokenization and Transparent Encryption. CipherTrust Tokenization permits the pseudonymization of sensitive information in databases while maintaining the ability to analyze aggregate data without exposing sensitive data during the analysis or in reports.

CipherTrust Transparent Encryption encrypts sensitive data and enforces granular privileged-user-access management policies, providing a separation of roles. Organizations can add Multi-Factor Authentication (MFA) for additional protection, limiting privileged users' access.

RULE III. STORAGE OF PERSONAL DATA

 

SECTION 10. Service Provider as Personal Information Processor

SECTION 11. Protection of Personal Data.

CipherTrust Data Security Platform offers various data protection features, including Transparent Encryption at the file system layer, ransomware protection using real-time behavior monitoring, database protection with key management, and application layer libraries for C and Java. It also provides a gateway for encryption without modifying application code.

Organizations can enhance protection of sensitive data by masking them with CipherTrust Data Security Platform through below:

  • CipherTrust Tokenization offers various data security features like file-level encryption, application-layer encryption, database encryption, static data masking, vaultless tokenization, policy-based dynamic data masking, and vaulted tokenization.
  • CipherTrust Transparent Encryption secures sensitive data by enforcing granular privileged-user-access management policies, ensuring only authorized users and processes can view unencrypted data, and preventing unauthorized access to third-party cloud storage without valid reasons.
  • CipherTrust Enterprise Key Management enhances key management in cloud and enterprise environments, ensuring high security and centralization for home-grown encryption and third-party applications using FIPS 140-2-compliant appliances.

RULE IV. ACCESS TO PERSONAL DATA

 

SECTION 12. Access to or Modification of Databases.

SECTION 13. Restricted Access.

SECTION 16. Online Access to Personal Data.

Imperva Data Security Fabric Data Risk Analytics monitors data access and activity for all databases, providing visibility to identify risky data access for all users, including privileged users. It delivers real-time alerting and user access blocking of policy violations, while retaining years of data for audits.

Thales Identity and Access Management Solutions limit access based on roles and context, while Thales SafeNet Trusted Access CipherTrust Transparent Encryption (CTE) controls access to restricted information by encrypting sensitive data and enforcing granular privileged-user-access management policies.

Thales Identity and Access Management Solutions limit access based on roles and context, while Thales SafeNet Trusted Access manages access to cloud services and enterprise applications.

RULE VII. GUIDELINES FOR DISPOSAL OF PERSONAL DATA

 

SECTION 28. Disposal and Destruction of Personal Data.

SECTION 29. Logs Retention.

SECTION 30. Procedures for Disposal and Destruction.

SECTION 31. Personal Data Disposal Service Provider.

CipherTrust Transparent Encryption (CTE) and CipherTrust Tokenization offer a "crypto-shreds" function that destroys the encryption key for the encrypted data and ensures that the information cannot be restored.

CipherTrust Enterprise Key Management streamlines and strengthens key management in cloud and enterprise environments, ensuring secure asset disposal and effective deletion of encrypted information using FIPS 140-2-compliant virtual or hardware appliances.

RULE VIII. MISCELLANEOUS PROVISIONS

 

SECTION 32. Threat monitoring and vulnerability management.

Threat monitoring is one crucial capability for organizations to prevent, detect, and respond to a cyberattack. Imperva Data Security Fabric and Thales CipherTrust Transparent Encryption Ransomware Protection can help organizations address this challenge.

Imperva Data Security Fabric Data Risk Analytics monitors data access and activity for all databases, providing visibility to identify risky data access for all users. It combines deep domain security expertise with machine learning to identify suspicious behaviors violating security policies. CipherTrust Transparent Encryption Ransomware Protection (CTE-RWP) continuously monitors processes for abnormal I/O activity, alerting or blocking malicious activity before ransomware can take hold.

Recommended Resources

Addressing the requirements of NPC Circular 2023-06 for the Security of Personal Data in the Philippines - Compliance Brief

Addressing the requirements of NPC Circular 2023-06 for the Security of Personal Data in the Philippines - Compliance Brief

The National Privacy Commission (NPC) introduces circulars to provide organizations with guidance on complying with the Data Privacy Act of 2012 in the Philippines, its implementing rules and regulations, and other NPC issuances. On April 1, 2024, the NPC issued Circular 2023...

Data Security Compliance and Regulations - eBook

Data Security Compliance and Regulations - eBook

This ebook shows how Thales data security solutions enable you to meet global compliance and data privacy requirements including - GDPR, Schrems II, PCI-DSS and data breach notification laws.

The Key Pillars for Protecting Sensitive Data in Any Organization - White Paper

The Key Pillars for Protecting Sensitive Data in Any Organization - White Paper

Traditionally organizations have focused IT security primarily on perimeter defense, building walls to block external threats from entering the network. However, with today’s proliferation of data, evolving global and regional privacy regulations, growth of cloud adoption, and...