In adapting to the fast-changing pace of technology and communication development globally, the National Privacy Commission ("NPC") continues to advocate policies that adopt generally accepted international principles and standards for personal data protection.
NPC's Data Security and Compliance Office issued advisories on the adoption of the following sets of international standards. These international standards have been approved for adoption as part of the Philippine National Standards by the Bureau of Philippine Standards.
- ISO/IEC 29100 – Privacy framework
This international standard provides a privacy framework which (i) specifies a common privacy terminology; (ii) defines the actors and their roles in processing personally identifiable information; (iii) describes privacy safeguarding considerations; and (iv) provides references to known privacy principles for information technology.
- ISO/IEC 29151 – Code of practice for personally identifiable information protection
This standard establishes objectives and guidelines for implementing controls that meet the requirements identified by a risk and impact assessment related to the protection of Personally Identifiable Information ("PII"). The guidelines take into consideration the requirements for processing PII that may apply within the context of an organisation's information security risk environment(s).
- ISO/IEC 24760 – A framework for identity management
This International Standard defines the terms and core concepts of identity and identity management and the relationships between them. It serves as a guide for organisations in making identity-based decisions, which they may use to grant or deny access to applications or other organisational resources.
- ISO/IEC 29134 – Guidelines for privacy impact assessment
This standard provides guidelines for the process of conducting privacy impact assessments ("PIA") and for the structure and content of a PIA report. It applies to all types and sizes of organisations, including public companies, private companies, government entities and not-for-profit organisations.
According to NPC, the adoption of these international standards forms part of an organisation's data protection efforts. Personal Information Controllers and Personal Information Processors adopting the international standards must implement them on top of their compliance with the Data Privacy Act of 2021, its implementing rules and regulations, and other issuances of the NPC.