SUBJECT: The Rule on ‘Confidentiality of SIM Data’
I. Introduction
This memorandum provides an exhaustive analysis of the legal framework governing the confidentiality of Subscriber Identity Module (SIM) registration data in the Philippines. The primary focus is on Republic Act No. 11934, also known as the “SIM Registration Act,” its Implementing Rules and Regulations (IRR), and relevant provisions from other special laws. The memo will examine the scope of confidentiality, the entities bound by the rule, permissible disclosures, penalties for violations, and comparative perspectives.
II. Statement of the Issue
The central issue is to determine the legal parameters of the confidentiality rule imposed on SIM registration data, including the nature of the information protected, the obligations of Public Telecommunications Entities (PTEs) and other custodians, the exceptions to non-disclosure, and the legal consequences for unauthorized access, use, or disclosure.
III. Governing Law: The SIM Registration Act (R.A. No. 11934)
The cornerstone of the confidentiality rule is Section 6 of R.A. No. 11934, which unequivocally states: “All information obtained in the process of the SIM registration shall be treated as absolutely confidential.” This creates a statutory privilege over the data. The law further mandates that the PTE or its direct seller shall ensure the secure and confidential storage of the data. The Data Privacy Act of 2012 (R.A. No. 10173) is expressly declared applicable as a supplementary law, imposing additional data protection obligations.
IV. Scope of Confidential Information
The confidential information encompasses all data obtained during the registration process. This includes, but is not limited to:
* The subscriber’s full name, date of birth, sex, and address.
* The subscriber’s government-issued identification document details (e.g., ID number, issuing agency).
* The SIM serial number.
* The mobile number.
* A sworn statement attesting to the truthfulness of the provided information.
This data collectively forms a sensitive profile that is afforded the highest degree of protection under the law.
V. Entities Bound by the Confidentiality Rule
The duty of confidentiality is imposed on:
VI. Exceptions and Permissible Disclosures
The absolute confidentiality rule is not without exceptions. Disclosure is permitted only under the following specific circumstances, as outlined in Section 9 of the law:
a. Upon lawful order of a court or other competent authority with jurisdiction over a relevant case.
b. Upon written request from a law enforcement agency investigating a specific crime that involves the SIM or mobile number in question. The request must be based on probable cause, and the crime must be one punishable under the Revised Penal Code or a special law.
c. Upon written consent of the subscriber.
Any disclosure made must be logged, and the PTE is required to notify the affected subscriber of the disclosure within three (3) days, unless such notification would compromise an ongoing investigation.
VII. Comparative Analysis with Other Data Confidentiality Rules
The confidentiality rule under the SIM Registration Act is one of several sector-specific data protection regimes. The table below provides a comparative overview.
| Aspect of Confidentiality | SIM Registration Act (R.A. 11934) | Data Privacy Act (R.A. 10173) | Bank Secrecy Law (R.A. 1405) |
|---|---|---|---|
| Nature of Protection | Absolute confidentiality mandated by statute for a specific dataset. | Comprehensive data protection principles (confidentiality, integrity, availability) for personal data and sensitive personal information. | Absolute confidentiality of deposits, investments, and trust accounts. |
| Scope of Information | SIM registration data obtained from the subscriber. | All types of personal data and sensitive personal information processed by any entity. | Deposits, withdrawals, balances, investments, and trust accounts. |
| Primary Custodians | PTEs, direct sellers, DICT, NTC. | Personal information controllers and personal information processors. | Banks, financial institutions, trust corporations. |
| Key Exceptions to Disclosure | 1. Court order. 2. Request by law enforcement for a specific crime. 3. Subscriber consent. | 1. Subscriber consent. 2. Legitimate interests of controller or third party. 3. Vital interests of data subject. 4. Compliance with a legal obligation. | 1. Written consent of the depositor. 2. Court order in cases of impeachment, bribery, or where the money is the subject of litigation. 3. Upon inquiry by the Commissioner of Internal Revenue for a decedent’s tax liability. |
| Penalty for Unauthorized Disclosure | Imprisonment of 6 months to 6 years and/or a fine of P100,000 to P500,000 (under Section 10). | Imprisonment of 1 to 5 years and/or a fine of P500,000 to P2,000,000 (under Section 32). | Imprisonment of up to 5 years or a fine of up to P20,000, or both. |
VIII. Penalties for Violation
Violation of the confidentiality provision under Section 6 is penalized under Section 10 of the SIM Registration Act. The prohibited acts include unauthorized access, use, disclosure, or publication of the SIM registration data. The prescribed penalty is prision correccional (6 months and 1 day to 6 years) and/or a fine ranging from One Hundred Thousand Pesos (P100,000) to Five Hundred Thousand Pesos (P500,000). If the offender is a juridical person, its responsible officers shall be liable. Furthermore, violations may also constitute offenses under the Data Privacy Act, subjecting the offender to potential liability under both laws.
IX. Procedural Safeguards and Implementation
The Implementing Rules and Regulations (IRR) issued by the DICT, NTC, and National Privacy Commission (NPC) provide operational details. Key safeguards include:
* Mandatory registration of data processing systems with the NPC.
* Implementation of organizational, physical, and technical security measures compliant with the Data Privacy Act and its IRR.
* Strict access controls and audit trails for any query or disclosure of the registration database.
* The requirement for law enforcement agencies to submit a notarized written request and to document the specific case and the necessity of the data, ensuring a check against fishing expeditions.
X. Conclusion
The rule on confidentiality of SIM data under R.A. No. 11934 establishes a robust, quasi-absolute statutory shield for subscriber information. It imposes a direct and stringent obligation on PTEs and related entities, with severe penalties for breach. While it permits disclosure under narrow, legally circumscribed exceptions, the default position is one of strict non-disclosure. This regime operates in conjunction with, and is reinforced by, the broader Data Privacy Act, creating a layered defense for subscriber data privacy. Legal practitioners and entities handling such data must adhere to the highest standards of care to avoid significant criminal and administrative liability.


