Privacy watchdog’s biggest test
Quis custodiet ipsos custodes?” the Roman poet Juvenal once asked. Who watches the watchmen?
Nearly two millennia later, we are once more compelled to ask that very same question—this time in a more modern context—after it was revealed last week that sensitive personal information of over 1.2 million Filipinos may have been exposed in a data breach of the records of several government agencies, including some of the country’s leading law enforcement bodies like the Philippine National Police and its Special Action Force, the National Bureau of Investigation, as well as the Bureau of Internal Revenue.
This development is, to say the least, alarming because it potentially involves the most sensitive information a citizen can have, involving not just common personal details, but also extremely intimate ones like outstanding legal cases or criminal records, financial data and tax returns, and many others that can be exploited by so-called bad actors.
It is even more alarming that the alleged data breaches involve government agencies that are expected to have the highest standards of protection for sensitive information, precisely because of the nature of their agencies’ roles involving law enforcement and the regulation of activities.
If the public’s trust in these institutions were low before this incident, whether due to perceptions of high levels of corruption or low levels of competence, it is certainly even lower now.
This bodes ill for the efforts of the government to encourage citizens to conduct more of their dealings with the state, whether it be paying regulatory fees or applying for licenses, into the digital sphere since the outbreak of the COVID-19 pandemic.
We are grateful to the enterprising people of the private sector who, of their own volition, scour cyberspace in search of dangerous data breaches and, in the case of vpnMentor’s researcher Jeremiah Fowler, warned the concerned agencies early on about these vulnerabilities.
Naturally, his findings must be taken seriously and his report’s veracity examined thoroughly. But our authorities must act expeditiously on this issue. It is unacceptable that, as Fowler claims, the warning flags were raised by him as early as January while the concerned agencies only took remedial measures in March. In an environment where technological advances have made it possible to exploit data breaches in a matter of seconds, a delay of this duration in our government agencies’ response is unacceptable. And it is unfathomable, given the magnitude of the problem.
As such, it is critical that policymakers both at the macro and micro levels implement top-to-bottom reviews of their respective agencies to ensure that the information entrusted to them will be handled with the utmost care.
Like banks handling the hard-earned money of their depositors, these government agencies are handling and taking care of something equally, if not more, valuable to their owners: information.
It bears noting that this alleged data breach is a key test—possibly the biggest test to date—for the National Privacy Commission whose creation was mandated by the Data Privacy Act of 2012 but was formed only in 2016, making it a relatively young agency.
With an annual budget that is equivalent to only a fraction of what large private corporations spend for their information technology and cybersecurity needs, the privacy regulator almost certainly does not have all the manpower and resources it needs to monitor all potential holes in the data systems of government agencies, let alone those in the private sector.
If we are serious about the integrity of our data—especially in the modern environment where data is said to be the new gold—we have to further empower our “watchmen” like the National Privacy Commission to do their jobs properly.
At the same time, however, the privacy watchdog has to show that it is up to the challenge of safeguarding our data even if it means imposing sanctions on their brethren in government service that include powerful law enforcement agencies.
It is one thing for a regulator to impose sanctions on private entities that are required by law to comply with the mandates of state agencies, but it is another matter completely to call to account one’s peers in government, especially if those peers can exercise power over you in other affairs.
If the data breach is confirmed, the National Privacy Commission must impose sanctions on government agencies that fell short of their fiduciary responsibilities to the public.
So who watches the watchmen?
The answer is easy, but the task is difficult: We do. We all do. Ultimately, it’s up to us citizens to keep those we entrust with vital roles—like safeguarding information—faithful to their assigned duties.
