Gov’t adopts cybersecurity measures for nat’l ID system

Gov’t adopts cybersecurity measures for nat’l ID system

ROLLOUT. The Philippine Statistics Authority starts collecting data from low-income Filipinos in areas identified as low-risk for Covid-19. This is part of the government’s rollout of PhilSys’ pre-registration phase.

MANILA – The government assured the adoption of cybersecurity measures in the implementation of the Philippine Identification System (PhilSys) or the national ID system.

The Philippine Statistics Authority (PSA), which leads the management and implementation of PhilSys, with technical assistance from the Department of Information and Communication Technology (DICT), assured that the PHP27.8 billion total budget for the implementation of PhilSys includes the protection of the data collected by registration officers.

In a virtual press briefing on Oct. 9, DICT Undersecretary Denis Villorente said PhilSys is a secured system.

“We adopt security measures in compliance with the international standards organization, 27,000 families of standards,” Villorente said.

With the PhilSys implementation, Villorente said the PSA will be establishing its own cybersecurity computer emergency response team, as well as installing a security operations center that will coordinate with the national computer emergency response team, in order to sustain the government’s national cybersecurity plan for Filipinos.

“The IT systems will all be subject to review by independent third parties to be able to identify that this is truly secure and no vulnerabilities are present in the system,” he said.

Private, secured

Villorente said the government will adopt a privacy-protective system for the PhilSys.

“So, I think this is very important to understand that it is governed by the Data Privacy Act as well as the PhilSys Act and through these, it strictly limits who can access personal data collected and stored within the system,” he added.

The Data Privacy Act of 2012 and the PhilSys Act have strict controls over the circumstances that data in the PhilSys registry can be accessed and shared.

The PSA earlier assured that the only “person who can provide data stored in the PhiSys registry, remains to be the owner of the data.”

“We are subject to independent oversight of the National Privacy Commission. The system adopts a privacy by design approach, so privacy best practices are embedded in the technical architecture and this includes data administration – meaning we only collect data that is essential and required under the law and no more,” Villorente said.

“We adopt the principle of proportionality such that for most transactions, the only response from the system will be a ‘yes’ or ‘no’ verification of identity and no biometric data of citizens will be shared to third parties,” he added.

For electronic know your customer (KYC) transactions, Villorente said only demographic information will be shared under PhilSys.

He said the specific demographic details will be limitedly accessed base on the ‘use case’ from the relying parties.

According to the PhilSys primer, in rare or exceptional cases, no information shall be disclosed without the consent of the data owner to adhere to the privacy setup of the project.

When the compelling interest of public health or safety, it said, relevant information may be disclosed upon order from the court.

“Another important feature that we have adopted with the PhilSys is the use of tokenization both at the frontend and at the backend,” Vilorente said.

Identity authentication

Filipinos who will register for PhilSys will be provided with a 12-digit PhilSys number or personal serial number (PSN) that they can present for identity authentication.

“It should be noted that the PSN, the unique number issued to the citizen, is a number that is good for life and will not be subject to re-issuance,” he explained.

The PhilSys number will be the primary credential of the citizens, Villorente said.

However, the 12-digit PhilSys number (PSN) will not be printed on the physical ID card for security purposes.

“For the frontend, we will not be relying solely on the PSN, so citizens need not expose their PSN to relying parties,” he said.

Instead, the issued PhilID card number is the one that will be printed on the card, Villorente said.

“On the other hand, the PCN which is the number that is printed on the card, when a card expires and a citizen received another card, it will have a different PCN number. So the PCN is only good for the life of the card and it can be revoked,” he explained.

Villorete added that they will provide a “token” that is specific to a relying party.

“For transactions, we encourage the use of the alias PSN so that is a number that is only valid for that particular transaction, on the other hand, we’ll also discourage the use of PCN for seeding of information stored in databases of relying parties,” he said.

Hybrid cloud solution

PhilSys, he said, allows citizens to temporarily lock and unlock the use of their identity for online authentication purposes, which can protect them against fraud activities.

“We intend the PhilSys to harness the strengths of cloud technology and so we have adopted a hybrid cloud solution for our system integrator to leverage the inherent efficiency, availability and scalability of cloud while maintaining control and security safeguards by storing data that’s collected under PhilSys in government data centers,” he said.

He added that the government has also adopted a “hybrid cloud solution” for the Phil ID system integrator requirement.

The systems integrator is the core software and information technology (IT) infrastructure of the PhilSys.

Villorente said the authentication services for PhilSys would be provided both online and offline.

“We intend to deliver the best and most secured PhilSys to Filipinos and we believe that there is hybrid cloud solution [that] opens more opportunities to PhilSys to link with other government agencies, the private sector including banks and financial institutions,” he said.

The PSA earlier said the hybrid cloud architecture allows the management and security of the registrants’ records collected from the PhilSys registry centers while providing client-facing PhilSys services and applications on cloud technology.

The PSA has started rolling out the pre-registration phase of the PhilSys for at least 5 million targeted low-income household heads on October 12.

The PSA has started collecting demographic data from targeted low-income Filipinos in 664 cities and municipalities in 32 provinces identified as “low-risk” areas for coronavirus outbreak which include Ilocos Sur, La Union, Pangasinan, Cagayan, Isabela, Bataan, Bulacan, Nueva Ecija, Pampanga, Tarlac, Zambales, Batangas, Cavite, Laguna, Quezon, Rizal, Albay, Camarines Sur, Masbate, Antique, Capiz, Iloilo, Negros Occidental, Bohol, Cebu, Negros Oriental, Leyte, Compostela Valley, Davao Del Norte, Davao Del Sur, Davao Occidental, and Tawi-Tawi.

Signed into law by President Rodrigo R. Duterte in August 2018, Republic Act 11055, or the Philippine Identification System Act, aims to establish a single national ID for all Filipinos and resident aliens.

The national ID shall be a valid proof of identity that shall be a means of simplifying public and private transactions, enrollment in schools, and the opening of bank accounts.

It will also boost efficiency, especially in dealing with government services where people will only need to present one ID during transactions. (PNA)

Leave a Reply