Gorriceta Africa Cauton & Saavedra | View firm profile
By: Atty. Edsel F. Tupaz (Senior Partner) & Atty. Julia Antoinette S. Unarce (Mid-Level Associate)
October 16, 2025
- Context
On 05 December 2022, the National Privacy Commission (“NPC”) released Circular No. 2022-04 mandating registration of Personal Information Controllers (“PICs”) and Personal Information Processors (“PIPs”) who meet certain qualifications. To recall, a PIC or PIP who employs two hundred fifty (250) or more persons, or processing sensitive personal information of one thousand (1,000) or more individuals, or those processing data that will likely pose a risk to the rights and freedoms of data subject, shall register with the NPC.[1] The registration process is lodged through the NPC’s Registration System (“NPCRS”)
Another key requirement is the registration of Data Processing Systems, which is integrated into the NPCRS registration. A Data Processing System refers to the structure and procedure by which personal data is collected and processed in an information and communications system, or any other relevant filing system, and includes the purpose and intended output of the processing.[2]
The NPC has always advocated for PICs and PIPs to implement privacy-respecting measures in their data processing activities, and has consistently promoted privacy and security even at the onset of artificial intelligence. However, since the foregoing issuances on registration activities, PICs and PIPs have sought clarity from the NPC on what they perceive to be lingering ambiguity, as well as additional guidance on developing and implementing privacy-respecting data processing systems. In view of these events, the NPC issued Advisory No. 2025-02, also known as the Guidelines on Privacy Engineering in Systems Life Cycle Processes. (the “Advisory”).
- Purpose
In the Advisory, the NPC provides guidelines for PICs and PIPs in integrating data privacy into the systems life cycle processes. These include both high-level strategies and specific guidelines on providing clear and practical guide for incorporating privacy engineering principles and practices into the planning, development, testing, deployment, and maintenance of data processing systems.[3] In addition, the Advisory informs PICs and PIPs of specific guidelines in promoting a privacy-by-design and privacy-by-default approach in the development and implementation of data processing systems to safeguard data subjects’ rights,[4] and assist them in meeting their obligations under the Data Privacy Act (“DPA”) and its Implementing Rules and Regulations (“IRR”), by implementing reasonable and appropriate security measures throughout the systems life cycle processes.[5]
The Advisory covers all PICs and PIPs engaged in the processing of personal data through data processing systems.[6] The Advisory discusses the integration of privacy engineering principles and practices in the various stages of the systems life cycle: a) Planning and requirements gathering; b) Designing and development; c) Testing and evaluation; d) Deployment and integration; and e) Operation and maintenance.[7] The measures prescribed under the Advisory shall apply regardless of the system’s phase or status, whether newly developed, currently operational, or undergoing updates.[8]
III. Phases
First phase: Planning and Requirements Gathering
Every system lifecycle begins with the planning and requirements gathering, prior to processing personal data. The NPC emphasizes that during this stage, the PICs and PIPs should be able to determine the lawful basis for the processing of personal data, and ensure that the purpose, scope, and manner of processing are compatible with the declared and specified purpose.[9] In addition, PICs and PIPs shall apply the general data privacy principles of transparency, legitimate purpose, and proportionality in collecting personal data.[10] PICs and PIPs are mandated to conduct a Privacy Impact Assessment (PIA) to identify and evaluate potential risks and effects of the proposed data processing system.[11]
Second phase: Designing and Development
PICs and PIPs are further encouraged to implement privacy measures in the second phase of the lifecycle. Notably, the reduction and/or minimization of processing of personal data are key recommendations in order to uphold privacy considerations for Data Subjects. The NPC prescribes to minimize the processing of personal data by implementing architectures, practices and techniques that reduce the use, collection and retention of personal data to what is necessary in relation to the specified purpose.[12] Another is to implement appropriate security measures to maintain the confidentiality, integrity and availability of personal data, which includes anonymization and pseudonymization, privacy-enhancing technologies, encryption for data, access controls and a disaster recovery plan.[13]
PICs and PIPs should adopt secure software development practices that integrate privacy considerations throughout the systems life cycle processes, including threat modelling, static and dynamic source code and fuzzing, or an automated software testing methods that injects invalid, malformed, or unexpected inputs into a system to reveal software defects and vulnerabilities.[14]
Third phase: Testing and Evaluation
Once the lifecycle is set up, PICs and PIPs must be able to test and verify its receptiveness to external factors which may potentially affect its efficiency once deployed. PICs and PIPs must perform data privacy and security testing to verify the effectiveness of the security and privacy controls and settings of the data processing system before deployment.[15] Furthermore, the system must be tested in terms of the usability of its privacy interfaces, such as the accessibility of privacy notices that are clear and understandable, and testing the mechanism on how data subjects can easily exercise their privacy rights through the system.[16] The concept of Privacy Architecture,[17] defined as the design and implementation of processes, controls and systems to ensure privacy principles are upheld in the technological infrastructure of organizations, should be introduced to ensure that technologies, architectures and protocols used in data processing system support data privacy objectives and requirements of the law.[18]
Fourth phase: Deployment and Integration
Implementing privacy measures does not cease once the data processing system is deployed. Upon deployment and integration, PICs and PIPs must provide data subjects with clear and concise privacy notices regarding the collection and processing of their personal data, including their rights and how to exercise them.[19] PICs and PIPs must obtain the proper consent of data subjects when consent is the lawful basis for processing, before collecting and processing their personal data.[20] Lastly, PICs and PIPs must ensure that the default settings of the data processing system provide the maximum privacy protection without manual intervention from data subjects, such as, the security settings enabled by default, opt-in consent mechanisms by default, and disabling location tracking, among others.[21]
Fifth phase: Operation and Maintenance
After the data processing system is deployed and in-use, PICs and PIPs are reminded of their ongoing obligations to ensure privacy and security of personal information. PICs and PIPs must regularly monitor the data processing system for any security incidents and data breaches, and implement policies and procedures for incident response and breach notification.[22] To strengthen compliance, PICs and PIPs must conduct periodic audits and PIAs at least once a year to assess the continued effectiveness of the privacy controls and address any gaps or new risks.[23] In addition, PICs and PIPs must uphold the requests of data subjects in exercising their rights in accordance with the DPA, IRR and the NPC’s issuance on Data Subjects’ Rights.[24] Lastly, training personnel on the secure processing and the application of data processing system is enjoined.[25]
Key Takeaways
The NPC’s Advisory underlines the important requirement to be observed by PICs and PIPs in data processing activities through their data processing systems. The NPC highlights the implementation of privacy engineering principles in all stages of the systems lifecycle, and not only during their deployment and operations. The privacy-by-design and privacy-by-default approaches are upheld by requiring organizations to implement proper safety measures, including the conduct of a privacy effect assessment, data minimization, security controls and ongoing audit. By integrating these practices, PICs and PIPs not only ensure compliance, but also maintain the fundamental rights and freedom of data subjects in today’s developed digital environment.
This article was also published under OneTrust Data Guidance. You may find the full article here: Philippines: NPC guidelines on privacy in engineering in systems life cycle processes | Opinion | DataGuidance