WikiFrameworksPhilippines DPA (2012)Security Incident Reporting

Security Incident Reporting

Plain English Translation

All security incidents and breaches must be documented, even those that do not trigger formal NPC notification obligations. An electronic summary of all such incidents must be submitted to the NPC annually. This internal reporting discipline creates accountability, supports trend analysis, and demonstrates to regulators that the organization actively monitors its security posture.

Executive Takeaway

Organizations must internally document all security incidents and submit an Annual Security Incident Report (ASIR) to the NPC.

ImpactHigh
ComplexityMedium

Why This Matters

  • Demonstrates ongoing compliance and proactive security monitoring to the National Privacy Commission.
  • Ensures non-notifiable security events are tracked to prevent systemic vulnerabilities from escalating into major breaches.
  • Failure to submit the ASIR or maintain comprehensive incident logs violates NPC regulations and incurs administrative penalties.

What “Good” Looks Like

  • A centralized, up-to-date security incident register documenting the facts, impacts, and remedial actions for all events; tools like WatchDog Security's Compliance Center can help organize evidence and reporting records.
  • Timely submission of the ASIR to the NPC through the official online reporting portal.
  • Clear internal policies distinguishing between non-notifiable incidents and major breaches requiring immediate notification, with recurring issues escalated into treatment plans using tools like WatchDog Security's Risk Register.

Put Philippines DPA (2012) compliance + 19 others on autopilot

Starting at $99/admin/mo — includes all frameworks, evidence automation, and AI-powered gap analysis.

Start Free Trial No credit card required

The ASIR is a mandatory electronic summary submitted annually to the National Privacy Commission detailing all security incidents, including aggregated data for non-notifiable events, to demonstrate compliance.

Personal Information Controllers (PICs) and Personal Information Processors (PIPs) that process personal data and are required to register their data processing systems must submit the ASIR.

The ASIR must encompass all security incidents and security breaches, including both those that required immediate NPC notification and non-notifiable security incidents.

Yes, Section 41 of the IRR mandates that all security incidents be documented internally in a register, even if they do not meet the threshold for mandatory 24-hour breach notification.

The ASIR must be submitted annually. Specific deadlines are dictated by the latest NPC Circulars, typically falling within the first quarter of the succeeding calendar year.

Organizations log into the NPC's Data Breach Notification Management System (DBNMS) portal online, fill out the required aggregated incident metrics, and submit the electronic summary directly to the Commission.

A security incident is any event that affects or tends to affect data protection. A breach is a specific type of incident that leads to actual unlawful processing or compromises confidentiality, integrity, or availability.

Under the Philippines DPA IRR Section 38(a), a qualifying personal data breach must actually be reported to the Commission and affected data subjects within 24 hours, not 72 hours.

The register must document the facts surrounding the incidents, the effects or impacts of the incident, and the specific remedial actions taken by the organization.

Failure to submit the ASIR or maintain proper incident logs is considered a compliance violation, which can result in administrative investigations, enforcement orders, and potential fines from the NPC.

Security incident reporting often fails when incident records are scattered across tickets, emails, spreadsheets, and security tools. WatchDog Security's Compliance Center can help centralize evidence, map incident records to Philippines DPA requirements, and support a more consistent review process before ASIR submission.

An incident register should not only preserve records for reporting; it should also help identify recurring weaknesses that need remediation. WatchDog Security's Risk Register can help teams score incident-related risks, assign treatment plans, and report unresolved exposure to leadership.

PHILIPPINES-DPA IRR Rule IX, Section 41(b)

"All security incident or security breach shall be documented even if not covered by the notification requirements... An electronic summary shall be submitted to the Commission annually."

PHILIPPINES-DPA IRR Rule IX, Section 38(a)

"The Commission and affected data subjects shall be notified within 24 hours upon knowledge of or reasonable belief... that a security breach has occurred."

VersionDateAuthorDescription
1.0.02026-05-05WatchDog GRC TeamInitial publication