PBBM Updates Framework for Government Data Security and Cross-Border Transfers

Manila: President Ferdinand R. Marcos Jr. has signed Executive Order (EO) 119, modernizing the government's data security framework with a focus on data classification, residency, and cross-border transfers. This update aims to bring the framework in line with contemporary digital governance needs.

According to Philippines News Agency, EO 119, signed on July 13, revises the Government Data Classification Framework initially established under Memorandum Circular (MC) 78 from 1964. MC 78, which itself amended MC 196 from 1968, originally governed the security of classified information in government offices. The new EO acknowledges that the existing framework was designed for a paper-based bureaucracy and is now insufficient for the challenges posed by digital governance, cybersecurity risks, and cloud computing environments.

The updated order mandates a unified, risk-based approach for classifying and managing government data across national agencies, instrumentalities, government-owned corporations, and educational institutions. While it encourages the legislature, judiciary, constitutional commissions, Office of the Ombudsman, and local government units to adopt the framework, it specifically excludes private sector data unless processed on behalf of the government.

Under the new Data Classification Framework, government data is categorized as either Restricted Access Data or Open Access Data. Restricted Access Data, which requires protection for national security, can be further classified into top secret, secret, confidential, and restricted categories. All data classifications and risk assessments are to be documented in a registry system managed by the Department of Information and Communications Technology (DICT).

The EO prohibits overclassification to uphold data integrity and prevent unnecessary administrative burdens. It stipulates that cross-border data transfers involving personal or sensitive information will require protective guarantees. The DICT, in collaboration with the National Privacy Commission and other stakeholders, is tasked with developing a comprehensive training framework on data protection.

Additionally, the EO establishes a Joint Oversight Committee for Data Classification (JOC-DC) to monitor compliance and ensure that agencies submit annual reports, which will be consolidated and forwarded to the President. Agencies are expected to achieve full compliance with the EO within three years of its enactment.