Professional Documents
Culture Documents
The law came into effect August 2018. Everyone is compelled to register beginning on
September 2019: Filipino and expat (resident aliens) alike. The implementing rules is
expected to be signed today, October 6.
We need to integrate into our KYC process whatever authentication system and
database PSA (Philippine Statistics Authority, the lead government agency in this
initiative) will develop. This is a standalone system that we will send queries to
whenever we want to verify a person’s identity.
The PhilID is designed to know whether person X is really person X. However, it also
stores all authentication requests so the person will be able to review if and when
somebody checks his identity, and who that requestor is. Moving forward, loan
applicants and third-party buyers will know whenever we do identity checks on them.
It is not yet clear whether the PhilID card will be mandatory (and whether there will be
enough, on time) for everyone. The card will contain the demographic data and the QR
code incorporating the registrant’s fingerprint on it. The physical card itself is not
essential, but the assigned PSN (PhilSys Number) is needed to make the verification
query on the PSA database.
The government plans to pilot-test this project on 1M Filipinos in 3 separate regions by
December. The process for that pilot project has yet to be drawn up.
CLAUSES DISCUSSED
Demographic data
Full name
Sex
Birth date
Place of birth
Blood type
Address (required: permanent; optional: present)
Citizenship (including for resident alien)
Optional: marital status, mobile number, email address
Biometric data
Facial photo
Fingerprints (10)
Iris scan
Documentary requirements For those who do not have any valid proof of identity, an
introducer who is of legal age and has his own PSN shall be
required for registration
Cancellation/deactivation Death, loss of Filipino citizenship, etc.
of PSN
Authentication Online authentication: PSN and biometric information
will be used to validate identity
Offline authentication: presentation of PhilID and
matching the fingerprint in the QR code and OTP to
validate identity for transactions and services as
enumerated in the law
Protection against unlawful No disclosure unless with
disclosure Consent of the data subject
Court order
OPEN FORUM PANELISTS:
National Privacy Commission
Bangko Sentral ng Pilipinas
Philippine Statistics Office
Department of Information and Communication Technology
3. Use of the ID
Q: Will my ID have to be authenticated every time I use it? Does that mean that the system will
always be online?
A: Yes, it will be authenticated every time. But each government agency will have its own
authentication process and other requirements for transaction. Yes, the dream is that the
system will be online all or almost all the time.
Q: Does the offline authentication mean that each government agency will have its own copy of
the database? How do you plan to ensure the integrity of the database in that case?
A: No, the government agencies won’t have their own database. The fingerprint you present in
person will have to be matched against the fingerprint embedded in the QR code on your card.
Then the agency will just have to match those 2 datasets to authenticate your identity “offline”.
4. Fingerprints of manual laborers are probably already busted. People with eye defects will
not have efficient iris scanning.
A: There are 3 biometric information: facial photo, iris scan, and fingerprint. A person can
provide at least 1 one of these.
8. Record history
Q: If this is just an identity card, why do we need a record history of all transactions you’ve
made?
A: Logs are limited only to date of authentication request, requesting entity, and response to
the request. What we want to ensure is that people will know whether there had been an
unauthorized authentication request that was made on his identity. It does not contain any
information regarding the nature of the transaction behind the authentication request. This is
different from the transaction log of the actual service that you availed of, which is outside of
the PhilSys.
Q: Should we not include a time limit for the record history retention?
A: We can consider this. We can match the retention period with the statute of limitations for
filing fraud cases so that we can still make use of the information that we find in our record
history.
9. Budget
Q: Do we have money to make this effective? Will you providing training to all government
agencies and upgrade their technologies to ensure that they will be able to keep up with the
law?
A: We recognize that there will be many labor pains in bringing this initiative to fruition. Budget
will be coming from the General Appropriations Act. We are bound to promulgate an IRR within
60 days from the enactment of the law, but that doesn’t mean that the IRR is set in stone. We
can always update the IRR as necessary.
10. Breach management
A: The PhilSys has been working with the NPC for breach response and penetration testing, but
of course we cannot guarantee that it will be completely hacker-proof. We can learn from the
experience in other jurisdictions where the digital ID system is now more mature. We’re also
trying to insulate the PhilSys from all other databases precisely to discourage hacking.
Tokenization is also one of the things we’re looking at to ensure that the databases will not be
linked together to create a deep profile of any person.