The Commission has, since its inception, actively communicated to stakeholders the requirements for compliance with the Data Privacy Act. In most instances of breach, personal information controllers have reciprocated our active efforts to build a culture of data privacy and security by providing detailed information about the incident. After all, they recognize that the NPC is their foremost partner in government when it comes to modernizing our approach to such matters.
Last week Uber publicly announced a personal data breach that had occurred in October 2016. For over a year the breach went unreported. Their Data Protection Officer here in the country reached out to the NPC to acknowledge the pronouncement made by their CEO. As Uber was unable to provide more details about the breach, the Commission referred them to NPC Circular 16-03 on Personal Data Breach Management, particularly on proper breach notification procedures. Consequently, Uber wrote to your National Privacy Commission and provided more details about the data breach of October 2016, confirming the exposure of the personal information of Filipinos.
Additionally, they have declared the following:
- Two individuals outside Uber inappropriately accessed user data stored on a third-party cloud-based service that Uber uses.
- The two Uber employees who led the response to the data breach are no longer with Uber.
- The compromised data includes the names and driver’s license of around 600,000 drivers in the United States and some personal information of 57 million Uber users around the world. The information includes names, email addresses and mobile phone numbers.
- The incident did not breach Uber’s corporate systems; there is no indication that trip location history, credit card numbers, bank account numbers, or dates of birth were downloaded.
- Filipino data subjects are affected, but there is no indication that any Filipino driver’s licenses were downloaded.
- Uber has implemented security measures to restrict access to and strengthen controls on their cloud-based storage accounts.
Under the principle of accountability, we require personal information controllers within our jurisdiction to provide detailed information on the nature of the incident, the scope of the exposure, and the remedial measures taken.
We appreciate the continued participation and cooperation of Uber in the ongoing query. On their own initiative, Uber has placed an information page available within the Accounts and Payment Options menu within the Help section of the Uber app. Filipino data subjects may avail of this feature.
Rest assured that the NPC is not here to merely prosecute offenses against data privacy, but to work with all stakeholders to ensure that we keep moving toward a safer data ecosystem where data flows freely and securely.
Such an environment forms the foundation of trust, which breeds stability, and which in turn breeds progress for nations. In this, all of us—from businesses whose lifeblood is data, to private citizens who avail of services, to governments whose express purpose is to make life better for their constituents—should be united.
(Erratum. In last week’s column on cross-border privacy rules, I mistakenly mentioned the US-ASEAN Business Council as taking part in the upcoming workshop on the CBPR. The esteemed group is not part of the program. My apologies to them for the inadvertent inclusion.)
For news and updates, please like the National Privacy Commission’s page on Facebook. Email firstname.lastname@example.org for and questions.