THE National Privacy Commission (NPC) on Monday, January 14, said that it will conduct a fact-finding investigation on the alleged data breach in the Philippine passport system.
NPC Commissioner Raymund Liboro said that the commission was slated to meet with the Department of Foreign Affairs (DFA) officials on Wednesday to discuss the issue.
“There is no visible proof that a data leak happened. There is also no visible proof that data has been used illegally. There has to be an end-to-end guarantee that sensitive data are safe. The public has the right to complain against Foreign Affairs department amid data breach,” Liboro said.
DFA Assistant Secretary Elmer Cato in a Twitter post announced that applicants must bring a copy of their birth certificate when renewing their passports since the department no longer holds the document they initially submitted.
“Applicants renewing brown or green passports or maroon machine-readable passports are required to submit birth certificates because we need to capture and store the document in our database as we no longer have the physical copy of the document submitted when they first applied,” Cato said.
The tweet earned the ire of the public when DFA Secretary Teodoro “Teddy Boy” Locsin Jr. explained that the data was breached by the previous contractor who “took all the data when the contract got terminated.”
“Because the previous contractor got pissed when terminated it made off with data. We did nothing about it or couldn’t because we were in the wrong,” Locsin said as reported by The Philippine Daily Inquirer.
No data lost – former DFA secretary
However, former DFA Secretary Perfecto Yasay said that data has not been lost and that Locsin was misinformed since the data was handed over to the Bangko Sentral ng Pilipinas (BSP) when French firm Francois-Charles Oberthur Fiduciaire (FCOF or Oberthur) and the DFA tapped another contractor, APUI, for passport production.
“I don’t believe and I say this very categorically. I’ll say he was misinformed. The data has always been with the DFA. There was no running away (with the data). From what I gathered, all data were all in those equipment turned over to us by Bangko Sentral. Hence, no data lost,” he told Rappler.
This was also confirmed by APO Production Unit chairman Michael Dalumpines who noted that the passport information is in their plant in Lima (Lipa-Malvar) Technology Center in Batangas, and is accessible to the DFA.
“Passport data are with us, DFA maintains a small office in our plant and the DFA officers have full access [to] data from old green passports, machine-readable passports, as well as the current e-passports,” Dalumpines said.
Yasay said that the said issue is only a misunderstanding. However, he noted that French contractor Oberthur should not be blamed and that “to say now that Oberthur ran away with the data is completely false and malicious.”
“When APO and UGEC came in Oberthur withdrew, after all, it was just assisting the government in the management and operation of the system for free. It had already completed its contract,” Yasay said.
The NPC said that they will review the contracts between the DFA and the private contractor. The commission is set to have 15,000 data protection officers that will help them investigate the data breach.
Republic Act 10173 or the Data Privacy Act of 2012 imposes stiff penalties for violations of the provisions of the law, including fines of up to P5 million and imprisonment of up to six years.