Professional Documents
Culture Documents
ORDER
(To Submit Additional Documents and Information)
In accordance with (i) Section 1 of Rule VII of the 2021 NPC Rules of Procedure which
states that “[t]he investigating officer shall not be limited to the pleadings, allegations, issues and
evidence submitted before him or her. x x x In the course of the investigation, the complainant
and/or respondent may be required to furnish additional information, document or evidence, or
to produce additional witnesses;” (ii) Section 4, Rule X, of the 2021 NPC Rules of Procedure which
authorizes the Commission to require parties subject of an investigation to furnish additional
information, document, or evidence; and (iii) Section 9 (e) (2) of Rule III of the Implementing
Rules and Regulations for the Data Privacy Act which authorizes the Commission to require the
production of evidence through a subpoena, the following information and documents are
required from the Land Transportation Office (“LTO”):1
1. Contract between LTO and StradCom Corporation (“StradCom”), including the Terms of
Reference, Technical Specifications, Bid Data Sheet, Schedule of Requirements, and other
bidding documents identifying the details of the goods or service procured from
StradCom;
2. Updates on the contract or project with StradCom, including whether or not the system
involved is still used and the name of the party operating or managing the system at
present, if any;
4. Copies of Privacy Impact Assessments (PIA) conducted prior to launching of the system
and website, as well as PIA closest to the incident in question, if any;
5. Proof of implementation of existing security measures, such as (i) firewall, (ii) Intrusion
Prevention System, (iii) Secure Socket Layer, (iv) Completely Automated Public Turing
Testo To Tell Computers and Humans Apart, (v) security enhancements to web
application system, (vi) addition of IT security protocols as part of the organizational
procedures, (vii) results of monitoring the internet for similar sites.2
1
While the complaint was filed prior to the effectivity of the 2021 NPC Rules of Procedure, Section 1 of Rule XII of the
2021 NPC Rules of Procedure states that “[t]hese Rules shall apply to all complaints filed after its effectivity. It shall
also apply to pending proceedings, except to the extent that their application would not be feasible or would work
injustice.”
2 Please see Breach Report for LTO attached as Annex “D” to Letter dated 7 July 2021 from LTO.
5th Floor, Philippine International Convention Center, Vicente Sotto Avenue, Pasay City, Metro Manila 1307
URL: https//www.privacy.gov.ph Email Add: info@privacy.gov.ph Tel No. 8234-2228
Page 2 of 2
7. Other organizational, physical, and technical measures existing prior to the incident and
carried out by LTO and its third party personal information processors to secure LTO’s
system and websites, including LTO.net.ph. These should be supported by
documentation (such as orders, policies, manuals, and other proof that the measures were
duly issued by the LTO or its personal information processor) and proof of
implementation of the said measures; and
8. Copy of the LTO’s Security Incident Management Policy and Data Breach Response Team,
including supporting documentation and proof of implementation.
LTO is hereby given a period of fifteen (15) days from receipt hereof to comply with this
order. Documents may be sent to complaints@privacy.gov.ph.
SO ORDERED.
Approved by:
3Ibid.
Ref No.: CID-22-1091 NPC_LEO_CID_ORD-V1.0,R0.0,05 May 2021
5th Floor, Philippine International Convention Center, Vicente Sotto Avenue, Pasay City, Metro Manila 1307
URL: https//www.privacy.gov.ph Email Add: info@privacy.gov.ph Tel No. 8234-2228