Security Incident Reporting
Plain English Translation
All security incidents and breaches must be documented, even those that do not trigger formal NPC notification obligations. An electronic summary of all such incidents must be submitted to the NPC annually. This internal reporting discipline creates accountability, supports trend analysis, and demonstrates to regulators that the organization actively monitors its security posture.
Technical Implementation
Use the tabs below to select your organization size.
Required Actions (startup)
- Implement a basic ticketing system or secure access-controlled spreadsheet to log all security incidents and near-misses.
- Assign a dedicated security or compliance individual to aggregate the log and submit the ASIR annually.
Required Actions (scaleup)
- Integrate automated security monitoring tools with a centralized incident management platform to auto-populate the security incident register.
- Establish documented workflows to classify incidents as notifiable vs. non-notifiable.
Required Actions (enterprise)
- Deploy a comprehensive GRC platform integrated with SIEM for real-time tracking, automated compliance reporting, and streamlined ASIR generation.
- Conduct regular tabletop exercises to test incident classification and validate reporting SLAs.
The ASIR is a mandatory electronic summary submitted annually to the National Privacy Commission detailing all security incidents, including aggregated data for non-notifiable events, to demonstrate compliance.
Personal Information Controllers (PICs) and Personal Information Processors (PIPs) that process personal data and are required to register their data processing systems must submit the ASIR.
The ASIR must encompass all security incidents and security breaches, including both those that required immediate NPC notification and non-notifiable security incidents.
Yes, Section 41 of the IRR mandates that all security incidents be documented internally in a register, even if they do not meet the threshold for mandatory 24-hour breach notification.
The ASIR must be submitted annually. Specific deadlines are dictated by the latest NPC Circulars, typically falling within the first quarter of the succeeding calendar year.
Organizations log into the NPC's Data Breach Notification Management System (DBNMS) portal online, fill out the required aggregated incident metrics, and submit the electronic summary directly to the Commission.
A security incident is any event that affects or tends to affect data protection. A breach is a specific type of incident that leads to actual unlawful processing or compromises confidentiality, integrity, or availability.
Under the Philippines DPA IRR Section 38(a), a qualifying personal data breach must actually be reported to the Commission and affected data subjects within 24 hours, not 72 hours.
The register must document the facts surrounding the incidents, the effects or impacts of the incident, and the specific remedial actions taken by the organization.
Failure to submit the ASIR or maintain proper incident logs is considered a compliance violation, which can result in administrative investigations, enforcement orders, and potential fines from the NPC.
Security incident reporting often fails when incident records are scattered across tickets, emails, spreadsheets, and security tools. WatchDog Security's Compliance Center can help centralize evidence, map incident records to Philippines DPA requirements, and support a more consistent review process before ASIR submission.
An incident register should not only preserve records for reporting; it should also help identify recurring weaknesses that need remediation. WatchDog Security's Risk Register can help teams score incident-related risks, assign treatment plans, and report unresolved exposure to leadership.
"All security incident or security breach shall be documented even if not covered by the notification requirements... An electronic summary shall be submitted to the Commission annually."
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-05-05 | WatchDog GRC Team | Initial publication |

