Security of Sensitive Data
Plain English Translation
Access to sensitive personal information held by government agencies is strictly limited to employees who have obtained the appropriate security clearance from the head of the source agency. Even where access is approved, it must be restricted to no more than 1,000 records at a time, and only to information strictly necessary for the approved purpose. Off-site access to such data requires additional approval and is subject to specific procedural controls.
Technical Implementation
Use the tabs below to select your organization size.
Required Actions (startup)
- Implement basic role-based access control and ensure all government-related sensitive data is encrypted at rest.
Required Actions (scaleup)
- Deploy a formal, automated approval workflow for off-site data access requests, ensuring hard limits on record extraction and mandatory encryption in transit.
Required Actions (enterprise)
- Enforce zero-trust architecture for all government data access, integrate strict security clearance validation into identity and access management (IAM) pipelines, and automate the 1,000-record threshold blocking.
The law requires the implementation of reasonable and appropriate organizational, physical, and technical measures to comprehensively protect personal data from accidental or unlawful destruction, alteration, and unauthorized access.
RA 10173 requires strict access controls, including mandatory security clearances for personnel, highly secured on-site and online access protocols, and robust encryption for any off-site transportation of the data.
Government agencies must strictly regulate access via security clearances, implement robust technical and logical security measures, and ensure any off-site access is expressly approved by the agency head.
It includes data about an individual's race, marital status, health, education, genetics, sexual life, offenses, social security numbers, and any records specifically classified by law or executive order.
Employees can access this data only when they have obtained a formal security clearance from the head of the source agency and the access is directly necessary for performing their official functions.
Off-site access requires explicit, documented approval from the agency head, must be strictly limited to a maximum of 1,000 records at a time, and the data must be heavily encrypted.
Yes, IRR Section 31 strictly prohibits any government employee or contractor from accessing sensitive personal information without first successfully receiving a formal security clearance.
Expected technical measures include comprehensive data encryption, advanced authentication processes, robust network firewalls, and regular vulnerability assessments to safeguard overall data integrity and confidentiality.
Contractors must explicitly register their personal data processing systems with the National Privacy Commission and adhere to the exact same stringent access and security requirements as the government agency.
Organizations must maintain up-to-date logs of approved security clearances, formal records of off-site access requests, documented encryption protocols, and verified contractor registration certificates. WatchDog Security's Compliance Center can help centralize this evidence, identify gaps, and maintain audit-ready records across RA 10173 and related frameworks.
Off-site access creates risk because approval, encryption, record limits, and audit evidence must all align before data leaves a controlled environment. WatchDog Security's Secure File Sharing can support encrypted transfer workflows, TOTP verification, and audit logs that help teams document who accessed sensitive records, when access occurred, and whether access followed the approved process.
Contractor oversight requires more than storing a registration certificate; agencies need a repeatable way to track which vendors process sensitive personal information, what systems they use, and whether required safeguards remain current. WatchDog Security's Vendor Risk Management can maintain a vendor catalog, risk-tier contractors, and organize security assessments tied to government data processing obligations.
"No employee of the government shall have access to sensitive personal information on government property or through online facilities unless the employee has received a security clearance from the head of the source agency."
"Limitation to One thousand (1,000) Records – If a request is approved, the head of the agency shall limit the access to not more than one thousand (1,000) records at a time..."
"In entering into any contract that may involve accessing or requiring sensitive personal information from one thousand (1,000) or more individuals, an agency shall require a contractor and its employees to register their personal data processing system with the Commission..."
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-05-06 | WatchDog GRC Team | Initial publication |

