Rajah & Tann Regional Round-Up
your snapshot of key legal developments in Asia
Issue 3 - Jul/Aug/Sep 2021

NPC Issues Advisories on Adoption of International Data Protection Standards on Security Techniques

In adapting to the fast-changing pace of the development of technology and communication globally, the National Privacy Commission ("NPC") continues to advocate policies that adopt generally accepted international principles and standards for personal data protection.

The NPC's Data Security and Compliance Office issued advisories on the adoption of the following sets of international standards. These international standards are approved for adoption as part of the Philippine National Standards by the Bureau of Philippine Standards.

  1. ISO/IEC 29100 – Privacy framework

     This international standard provides a privacy framework which (i) specifies a common privacy terminology; (ii) defines the actors and their roles in processing personally identifiable information; (iii) describes privacy safeguarding considerations; and (iv) provides references to known privacy principles for information technology.

  2. ISO/IEC 29151 – Code of practice for personally identifiable information protection

     This establishes objectives and guidelines for implementing controls to meet the requirements identified by a risk and impact assessment related to the protection of Personally Identifiable Information ("PII"). The guidelines take into consideration the requirements for processing PII which may be applicable within the context of an organisation's information security risk environment(s).

  3. ISO/IEC 24760 – A framework for identity management

     This International Standard defines the terms and core concepts of identity, identity management and their relationships. This serves as a guide for organisations to make identity-based decisions, which they may use to grant or deny access to applications or other organisational resources.

  4. ISO/IEC 29134 – Guidelines for privacy impact assessment

     This provides guidelines for the process on privacy impact assessments ("PIA") and the structure and content of a PIA report. This is applicable to all types and sizes of organisations, including public companies, private companies, government entities and not-for-profit organisations.

According to NPC, the adoption of these international standards involves an organisation's data protection efforts. Personal Information Controllers and Personal Information Processors adopting the international standards must implement these on top of their compliance with the Data Privacy Act of 2021, its implementing rules and regulations, and other issuances of the NPC.

Please note that whilst the information in this Update is correct to the best of our knowledge and belief at the time of writing, it is only intended to provide a general guide to the subject matter and should not be treated as a substitute for specific professional advice.


Gatmaytan Yap Patacsil Gutierrez
& Protacio (C&G Law)
30/F 88 Corporate Center
Sedeño cor. Valero Streets
Salcedo Village, Makati City 1227


Ben Dominic R Yap
Managing Partner
D +632 8894 0377
F +632 8552 1978

Jaime Renato B Gatmaytan
D +632 8894 0377
F +632 8552 1978

Norma Margarita B Patacsil
D +632 8894 0377
F +632 8552 1978

Anthony Mark A Gutierrez
D +632 8894 0377
F +632 8552 1978

Rajah & Tann Asia is a network of legal practices based in Asia.

Member firms are independently constituted and regulated in accordance with relevant local legal requirements. Services provided by a member firm are governed by the terms of engagement between the member firm and the client.

This update is solely intended to provide general information and does not provide any advice or create any relationship, whether legally binding or otherwise. Rajah & Tann Asia and its member firms do not accept, and fully disclaim, responsibility for any loss or damage which may result from accessing or relying on this update.