
In short
On March 11, 2025, the Insurance Commission (IC) and the National Privacy Commission (NPC) issued Joint Consultation No. 2025-001 (“Joint Consultation”) on considerations for the use of privacy enhancement technologies (PETs) in the insurance industry.
The Joint Consultation emphasizes the adoption of PETs in the insurance industry, which may complement existing privacy practices to mitigate data privacy risks and ensure protection of personal data processed by Personal Information Controllers (PICs) and Personal Information Processors (PIPs).
The Joint Consultation applies to insurance providers, insurance and pre-need companies, health maintenance organizations, mutual welfare associations, their respective agents, brokers, regulators, intermediaries, and all other entities under the regulatory control and supervision of the IC, as well as the PIPs of the above entities.1
I. Definition and Categories of PETs
PETs are defined as follows:
A range of digital technologies, methods and tools that allow data processing and analysis to be performed while protecting the privacy of data subjects and commercial interests of data subjects and PICs.2
PETs can be classified as follows:3
- Data obfuscation tools, such as anonymization, pseudonymization, synthetic data, differential privacy and zero-knowledge proofs
- Encrypted data processing tools, such as homomorphic encryption, multi-party computation and trusted execution environments
- Federated and distributed analytics, such as federated learning and distributed analytics
- Data accountability tools, such as threshold secret sharing and personal data stores
II. Obligations Related to the Use of PETs
When a covered entity uses PETs, the following obligations apply:
- It must ensure that its use of PETs complies with the Data Privacy Act, its implementing rules and regulations, and the issuances of the NPC (collectively, “Data Privacy Regulations”). PICs are responsible for the use of PETs to process personal data, including in instances where processing is outsourced or subcontracted to PIPs.
- It must ensure continuous compliance with its own obligations under the Data Privacy Regulations, such as, but not limited to, the implementation of reasonable and appropriate security measures, the registration of data processing systems with the NPC (if applicable), and compliance with the rules on personal data breach management, including breach notification.
- After adopting PETs, and thereafter as may be necessary, it must conduct a privacy impact assessment of the data processing system.
- It can consider industry standards and best practices, technical compatibility, cost and efficiency to evaluate which PETs are best suited for its business purposes. A covered entity can use multiple PETs.
When selecting and/or adopting PETs, clients are advised to pay attention to the precautions and obligations in the Joint Consultation regarding the processing of personal data.
Quisumbing Torres’ Intellectual Property, Data and Technology Practice Group can be contacted for more information on the Joint Consultation.
1 Section 1, Joint Consultation.
2 Section 2, Joint Consultation.
3 Section 3, Joint Consultation.
* * * * *
Please contact qtinfodesk@qouisumbingtorres.com for inquiries.