
A Guide to Annual Security Incident Reports in the Philippines
Effective annual security incident reporting is a critical component of the National Privacy Commission's data privacy accountability and compliance framework for organizations that meet the criteria for NPC registration in the Philippines. Beyond satisfying a regulatory duty, meeting the annual security incident reporting requirement demonstrates an organization's accountability and transparency in its personal data processing.
This practice is essential for aligning with the stringent requirements of the Data Privacy Act of 2012 (DPA) and associated breach reporting guidelines from the National Privacy Commission (NPC).
- What is a Personal Data Breach?
- What is a Security Incident?
- What is ASIR?
- What is Mandatory Personal Data Breach Notification?
- What are the Types of Security Measures?
- What is NPC’s 72-hour Rule?
- Failure to Notify
- Frequently Asked Questions
What is a Personal Data Breach?
A personal data breach occurs when personal information, sensitive personal information, or privileged information is accessed, disclosed, altered, or destroyed without proper authorization. Such breaches can occur either accidentally or intentionally and may involve data such as names, addresses, financial information, health records, or log-in credentials, among others. A personal data breach can take one of the following forms:
- Confidentiality Breach. A breach caused by the unauthorized access to or disclosure of personal data.
- Integrity Breach. A breach resulting from the unauthorized alteration or manipulation of personal data.
- Availability Breach. A breach caused by the loss, or the accidental or unlawful destruction, of personal data.
What is a Security Incident?
A security incident is any event or occurrence that compromises, or would have compromised had it not been for the safeguards an organization has put in place, the confidentiality, integrity, or availability of personal data. The NPC classifies security incidents as follows:
- Theft
- Identity Fraud
- Sabotage/Physical Damage
- Malicious Code
- Hacking
- Misuse of Resources
- Hardware Failure
- Software Failure
- Communication Failure
- Natural Disaster
- Design Error
- User Error
- Operations Error
- Software Maintenance Error
- Third-Party/Service Provider
- Others
What is ASIR?
An Annual Security Incident Report (ASIR) is a report submitted by Personal Information Controllers (PICs) and Personal Information Processors (PIPs) through the NPC's Data Breach Notification Management System (DBNMS) that catalogs all security incidents encountered by an organization over the preceding calendar year. An ASIR reflects the number of occurrences of security incidents under each of the classifications used in the DBNMS.
An ASIR is submitted from January 1 to March 31 of the following year and covers the data privacy incidents that took place during the immediately preceding calendar year.
What is a Mandatory Personal Data Breach Notification?
A personal data breach is a security failure that results in the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of, or access to, personal data. This applies to data that is being transmitted, stored, or otherwise processed. Breaches are classified into three main types:
- Confidentiality Breach: Personal data is disclosed or accessed by an unauthorized party.
- Integrity Breach: Personal data is altered or modified without authorization.
- Availability Breach: Access to personal data is lost, or the data is destroyed.
The general causes of a data breach as reflected on the DBNMS are the following:
- Malicious Attack
- System Glitch
- Human Error
- Malicious Attack/System Glitch
- Malicious Attack/Human Error
- System Glitch/Human Error
The above-named general causes are further sub-classified in the DBNMS portal.
Responsibility for notification remains with the PIC and does not shift even if processing has been outsourced or subcontracted to a Personal Information Processor (PIP), and the said PIP caused the personal data breach.
What are the Types of Security Measures?
A comprehensive strategy integrates three core types of safeguards to protect the personal data an organization processes:
- Organizational security measures. Governance- and people-centered controls that define accountability, roles, and decision-making for data protection. These measures establish policies and procedures, set risk management and compliance routines, and ensure ongoing oversight, training, and documentation to embed privacy across the organization.
- Physical security measures. Environment- and facility-focused safeguards that protect the places, equipment, and media where personal data is accessed, stored, or transported. They reduce risks from unauthorized entry, theft, damage, or environmental hazards by controlling the physical conditions around data processing activities.
- Technical security measures. Technology-based controls implemented within systems, applications, and networks to preserve the confidentiality, integrity, and availability of personal data. These measures cover secure system design and configuration, access and identity controls, protective monitoring, and resilience mechanisms across collection, storage, transmission, and processing.
What is NPC’s 72-hour Rule?
The PIC must inform the NPC and the affected data subjects within 72 hours of gaining actual knowledge of, or forming a reasonable belief, that a personal data breach has occurred.
- Guidance for the notice:
  - It may be issued based on the facts known at the time.
  - It should be delivered to each data subject individually, via written or electronic communication, unless disproportionate effort would be required. In such a case, notification through public communication channels may be allowed, subject to NPC approval.
  - Its substance should mirror the notice provided to the NPC.
- The communication must also clearly set out:
  - How data subjects can obtain additional information or updates.
  - Practical steps they can take to reduce or mitigate risks arising from the breach.
  - The process for accessing available support or assistance.
Failure to Notify
A failure to notify is presumed when the Commission does not receive a notification from the Personal Information Controller (PIC) within five (5) days from the point the PIC knew of, or had reasonable grounds to believe, that a personal data breach occurred.
Sanctions under Section 30 of the DPA (for Concealment of Security Breaches Involving Sensitive Personal Information):
- Imprisonment: One (1) year and six (6) months up to five (5) years
- Fine: Php 500,000 to Php 1,000,000
Per NPC Circular No. 2022-01, where a failure to notify the NPC and the affected data subjects of a personal data breach under Section 20 (f) of the DPA is not covered by Section 30, the organization is administratively liable for a fine equivalent to:
- 0.25% to 2% of the PIC’s annual gross income for the immediately preceding year of the violation for major infractions
- 0.5% to 3% of the PIC’s annual gross income for the immediately preceding year for grave infractions.
Frequently Asked Questions
What is the difference between a security incident and a personal data breach?
A security incident is any event or occurrence that compromises, or would have compromised had it not been for the safeguards an organization employs to protect such data, the confidentiality, integrity, or availability of personal data. A personal data breach is a specific type of security incident involving the unauthorized access, disclosure, alteration, or destruction of personal data.
When is a data breach notification mandatory in the Philippines?
Notification to the National Privacy Commission (NPC) and affected data subjects is mandatory when three conditions are met. The breach must involve sensitive personal information (or data that can enable identity fraud), there must be a reason to believe it was acquired by an unauthorized person, and it is likely to pose a real risk of serious harm.
When there is doubt as to the need for mandatory notification, consider the following factors as well:
- The likelihood of harm or negative consequences on the affected data subjects;
- How notification could reduce risks arising from the personal data breach;
- If the data involves:
  - Information that would likely affect national security, public safety, public order, or public health;
  - At least one hundred (100) persons;
  - Information required by all applicable laws or rules to be confidential; or
  - Personal data of vulnerable groups.
What are the penalties for concealing personal data breaches?
Under Section 30 of the DPA, sanctions for failure to notify can be severe. Penalties may include imprisonment from 1.5 to 5 years, a fine from PHP 500,000 to PHP 1,000,000, and an administrative fine of 0.5% up to 3% of the organization’s annual gross income from the preceding year of the violation, for grave infractions covering personal data breaches pursuant to Section 20 (f) of the DPA.
What records should we keep for ASIR and breach reporting?
Organizations should maintain detailed records of all security incidents and data breaches. This documentation should include the number of occurrences, how the breach occurred and the vulnerabilities identified, the incident chronology, and the response actions taken, among other details, forming the basis for proper reporting or notification.
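The following is an added example, not code from the page or from the NPC, of the kind of incident register the record-keeping answer above describes. It ties together the ASIR passage (a tally of incidents per NPC classification for one calendar year), the 72-hour rule (the notification deadline measured from actual knowledge or reasonable belief), and the records question. The `Incident` fields, the helper names, and the four sample incidents are this example's own constructions; the classification labels are taken from the page's list, and the register is not the DBNMS schema.

```python
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Security-incident classifications as the page lists them for the NPC's DBNMS.
NPC_CLASSIFICATIONS = (
    "Theft", "Identity Fraud", "Sabotage/Physical Damage", "Malicious Code", "Hacking",
    "Misuse of Resources", "Hardware Failure", "Software Failure", "Communication Failure",
    "Natural Disaster", "Design Error", "User Error", "Operations Error",
    "Software Maintenance Error", "Third-Party/Service Provider", "Others",
)

PHT = timezone(timedelta(hours=8))          # Philippine Standard Time
NOTIFICATION_WINDOW = timedelta(hours=72)   # the NPC's 72-hour rule


@dataclass
class Incident:
    """One register entry (hypothetical field layout, not the DBNMS schema)."""
    incident_id: str
    classification: str
    occurred: datetime                 # when the incident took place
    known: datetime                    # actual knowledge or reasonable belief of a breach
    is_personal_data_breach: bool      # False if safeguards stopped it before data was affected
    notified_npc: Optional[datetime] = None
    chronology: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.classification not in NPC_CLASSIFICATIONS:
            raise ValueError(f"unknown NPC classification: {self.classification!r}")


def asir_tally(register: List[Incident], year: int) -> Dict[str, int]:
    """Occurrences per NPC classification for one calendar year, zero-filled for the ASIR."""
    counts = Counter(i.classification for i in register if i.occurred.year == year)
    return {c: counts.get(c, 0) for c in NPC_CLASSIFICATIONS}


def notification_deadline(incident: Incident) -> datetime:
    """72 hours from the moment the PIC knew of, or reasonably believed, the breach."""
    return incident.known + NOTIFICATION_WINDOW


def late_breach_notifications(register: List[Incident], now: datetime) -> List[str]:
    """IDs of personal data breaches notified after the deadline, or still unnotified past it."""
    late = []
    for i in register:
        if not i.is_personal_data_breach:
            continue                    # incidents that never became breaches carry no 72-hour duty
        deadline = notification_deadline(i)
        sent = i.notified_npc
        if (sent is None and now > deadline) or (sent is not None and sent > deadline):
            late.append(i.incident_id)
    return late


def build_sample_register() -> List[Incident]:
    """Constructed sample data for illustration only."""
    return [
        Incident("INC-2024-001", "Hacking",
                 datetime(2024, 3, 10, 2, 0, tzinfo=PHT), datetime(2024, 3, 10, 9, 0, tzinfo=PHT),
                 True, notified_npc=datetime(2024, 3, 12, 10, 0, tzinfo=PHT),
                 chronology=["02:00 anomalous logins", "09:00 confirmed data access", "notified NPC"]),
        Incident("INC-2024-002", "Malicious Code",
                 datetime(2024, 6, 1, 13, 0, tzinfo=PHT), datetime(2024, 6, 1, 14, 0, tzinfo=PHT),
                 False, chronology=["malware quarantined before any data was touched"]),
        Incident("INC-2024-003", "User Error",
                 datetime(2024, 11, 20, 16, 0, tzinfo=PHT), datetime(2024, 11, 21, 8, 0, tzinfo=PHT),
                 True, notified_npc=datetime(2024, 11, 25, 9, 0, tzinfo=PHT),
                 chronology=["spreadsheet e-mailed to wrong recipient", "notified NPC late"]),
        Incident("INC-2025-001", "Hardware Failure",
                 datetime(2025, 1, 5, 3, 0, tzinfo=PHT), datetime(2025, 1, 5, 3, 0, tzinfo=PHT),
                 False, chronology=["disk failed; restored from backup"]),
    ]


if __name__ == "__main__":
    register = build_sample_register()
    tally = asir_tally(register, 2024)      # basis for the ASIR filed Jan 1 to Mar 31, 2025
    for classification, n in tally.items():
        if n:
            print(f"{classification}: {n}")
    print("late breach notifications:",
          late_breach_notifications(register, datetime(2025, 1, 10, tzinfo=PHT)))
```

The tally counts every security incident in the year, whether or not it matured into a personal data breach, because the ASIR catalogs incidents, while the 72-hour check applies only to entries flagged as breaches; keeping both flags in one register lets the same records serve the annual report and the mandatory notification.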
