The National Privacy Commission, before the SIM Registration Act became law, proposed ways to keep users’ data safe from breaches and misuse.
While the NPC supports the newly passed SIM Registration Act, the commission had, before the law was approved, detailed measures that would help keep its implementation safe from data breaches and security risks.
During SIM registration, new and existing SIM card owners are required to submit personal information like names, full addresses, birthdays, valid IDs, and more.
This means that whatever collection method or data center is used to gather and store this data will be prone to attacks. Overcollection and improper monitoring practices may also result in a massive data leak.
To help fight this, the NPC said that it will closely coordinate with different agencies to create the necessary guidelines for the proper implementation of the law.
The commission also said that there’s a need to create a “technology-neutral approach” and that it should be future-proof to keep the rights and freedoms of the data subjects protected.
For one, since retailers don’t have the resources or the proper experience to verify and authenticate user identities, the SIM registration form should only be completed on a platform or website provided by public telecommunications entities (PTEs).
Meanwhile, for registrations in remote areas with limited internet access, the registration will be handled by the PTEs together with a concerned government agency.
The NPC is also not in favor of using a centralized database or server, as it would increase the risk in case a hacking or security breach happens.
As per Senate Bill 1310, the registration forms will be stored in the concerned PTE’s database, which will act as a SIM Register and can only be used to process, activate, or deactivate a SIM.
In case the SIM Register gets attacked, the bill states that the PTE should report the event to the Department of Information and Communications Technology (DICT) within 24 hours.