National Privacy Commission (NPC) Data Privacy Act (DPA) Registration for Doctors in the Philippines – Phase 1

*Editor’s note: this article was revised on 1 July 2018 to reflect the addition of a registration method for individual professionals on the NPC’s website. 

We received a call the other day. Then we received a support ticket. Then we got an email.

Then messages started coming in by the dozens per hour.

“I was told that I need to register with NPC. Am I violating anything by using SeriousMD?”

“I need to register if I have 1000 patients??? That is just half my year. What should I do now?”

“I thought going paperless was easy, now, I have to register with NPC? Makes me want to go back to paper.”

“Should I worry about using an EMR because of the NPC deadline?”

“I got this message from another doctor with these images. What will happen now??”

  • PMA Data Privacy Act

Sound familiar?

This Data Privacy Act compliance deadline has caught a lot of doctors off-guard.

Here at SeriousMD, we treat all of you like family and we want to make things as easy as possible for you.

There’s no need to panic. The registration deadline was extended to March 8, 2018 July 2, 2018 and in this article we’ll explain what you need to do. If you have other questions that are not covered here, just let us know and we’ll try our best to answer them.

So, let’s get started.


First of all, doctors are not violating anything by using SeriousMD. Both SeriousMD users as well as those still using paper records are required by the NPC to register.

You simply need to register with the NPC if you have collected information or process at least 1000 records.

If you are processing any of this information, you are required to register:

  • information that would likely affect national security, public safety, public order, or public health;
  • information required by applicable laws or rules to be confidential;
  • vulnerable data subjects like minors, the mentally ill, asylum seekers, the elderly, patients, those involving criminal offenses, or in any other case where an imbalance exists in the relationship between a data subject and a PIC or PIP;
  • automated decision-making or profiling

There are 2 Phases that you need to know about. 

  • Phase 1 – A PIC (personal information controllers) or PIP (personal information processors) through its DPO (Data Protection Officer) shall accomplish the prescribed application form, and submit the same to the Commission together with all supporting documents. Upon review and validation of the submission, the Commission shall provide the PIC or PIP via email an access code, which shall allow it to proceed to Phase II of the registration process.
    In Short: You just have to register.
  • Phase 2 –  Using the access code provided by the Commission, a PIC or PIP shall proceed to the online registration platform and provide all relevant information regarding its data processing systems. The Commission shall notify the PIC or PIP via email to confirm the latter’s successful completion of the registration process: Provided, that registration may be done in person at the office of the Commission in the event that online access is not available.
    In Short: Provide further requirements.

This article will cover Phase 1.
* Disclaimer. This article is for informational purposes only and not for the purpose of providing legal advice.


Phase 1: Registration

There are two ways to complete Phase 1:

  1. Through registration as an individual professional
  2. Through registration as a DPO or data processing officer

Which one should you use? Simple: register as an individual professional if your practice is not registered under a different identity. If your practice is registered as an entity, however (e.g. a corporation, private institution, medical group, etc.), register as a DPO.

We’ll give you a basic overview of each one. For quick reference, though, registration as an individual professional is easier, because it means you won’t have to get anything notarized.

Phase 1 Registration for Individual Professionals

Step 1. Download the form for individual professionals.

Step 2. Fill out the form digitally. They won’t accept a handwritten one.

When filling out the form, be sure that you fill it out on your computer. Since the form is a PDF file, you will probably be filling it out with either Adobe Acrobat (for Windows users) or Preview (for Mac users). You can also do it on an iOS device with a PDF editor app (like Adobe Fill & Sign) or Adobe Reader on Android. Just open the file with any of these programs and select the empty spaces/blanks, then type your information.

Note: Don’t have any of the above programs on your computer or just looking for an alternative? Try ApowerPDF. Note that you have to select the online version and download a small launcher app to start the tool. If you want to use an offline program instead, try PDF Xchange Editor.

Here are some rules to follow when filling out the form:

  • Find all the fields that are not applicable and fill them out with N/A. Make sure there are no blank fields afterwards by checking the form again after you are done.
  • If you have more than one profession, indicate all ID numbers.

Step 3. Add your signature to the form.

There are two ways to do this: digitally and by hand.

Doing it digitally is easier. Just open the form in a PDF reader/editor again, then follow the steps in the tutorials below.

Just click on the link that applies to your case. For example, if your PDF editor is Adobe Acrobat and you’re using a Windows computer, click on the first of the links below:

If you want to do it by hand, you will need a scanner. This is because you have to follow these steps if signing the form by hand:

  1. Print out the form.
  2. Sign the printed form.
  3. Scan the printed form to turn it into a digital document again.

Step 4. Save the form.

How you do this depends on what you did in the previous step (how you added your signature). If you signed it digitally, you only need to save 1 PDF file.

If, however, you signed the form by hand instead, you need to save 2 files. One is the PDF file you filled out electronically before you signed it and the other is the PDF file you scanned after you signed it. Remember that both PDF files should show a completely filled out form, though only one should have a signature (the scanned one). Use this naming formula: LASTNAMEFIRSTNAME_dpo.pdf

So, if your name is Juan dela Cruz, for example, the first PDF should be named delacruzjuan_dpo.pdf and the second one delacruzjuan_scanned.pdf.

Having trouble changing your files’ names? Here are the quick ways to do it:

  • On a Windows computer: Hover your cursor above the file’s icon, then right click and select “Rename”. Type the new name. Hit the Enter key.
  • On a Mac computer: Click on the file’s icon using OS X Finder, then hit the Return key and type the new name. Hit the enter key.
  • On an iPhone or iPad: Using the Files app, select the name of the file by tapping directly on it. Type the new name. Just tap on “Done” once finished.
  • On an Android device: Using your file manager (this is named different things, depending on the device, with the most common variants being File Manager, Files, or My Files), look for the file on your device. Once you see it, tap on it and hold: this will bring up command options. If “Rename” is not immediately among them, just select the “…” or “More” option and you should see it there.

Step 5. Send the file (or files, if you signed by hand) to dpo_indprof@privacy.gov.ph

Step 6. Wait for an email or text message for a verification code that gives you access to Phase 2.

It should be sent to the email address and mobile number you supplied in the form.

Phase 1 Registration as a DPO for Businesses/Corporations/Medical Groups, etc.

This is rather a longer process, so we’re going to give you a short, bulleted version of it here, then a more detailed (broken down) version later. Here is the short version:

  • Fill up their form as the DPO (What’s a DPO?). They call it the DPO (Data Protection Officer) form.
  • Have the DPO form notarized.
  • Prepare a notarized Secretary’s Certificate (Corporations)
  • Prepare a Certified True Copy of your Certificate of Registration (Get a certified true copy from DTI for a sole proprietor, or SEC Certificate for a corporation. I’ll go through your options below.)
  • Submit the above requirements to NPC.
  • Wait for email for access to Phase 2.

Here’s a video and an image that you can share with other doctors.

NPC-National-Privacy-Commission-Data-Privacy-Act-DPA-Registration-for-Doctors-in-the-Philippines-Phase-1 copy

Share this with other doctors

Now for the long version of registering for Phase 1 as a DPO:

Step 1. Complete the DPO Form

  • Download the DPO form by clicking here.
  • Print it out.
  • Fill up the form.
  • Your DPO (What’s a DPO?) can be your secretary or yourself. Essentially, the DPO is the doctor, unless you have another staff member dedicated to handling the safekeeping of all your records for both digital and/or paper charts.
  • Your DPO and Head of Agency (in this case, it’s most likely that you are the head) should sign at the bottom of the form.
  • Get it notarized.

Step 2. Prepare the Requirements

Requirements For Private Entities (Sole-Proprietorship)

  • Certificate of Registration DTI (Get a Certified True Copy from DTI)

Requirements For Private Entities (Corporation)

  • Duly-notarized Secretary’s Certificate authorizing appointment or designation of Data Protection Officer. (Because we love you, here’s a copy that we created that you can use and fill up. Make sure to get it notarized.)
  • Certified True Copy of SEC Certificate (Certificate of Registration), AOI, By-Laws
  • General Information Sheet

Step 3. Submit All Documents

  • Either personally deliver the documents OR…
  • Send via registered mail or private courier service (to the National Privacy Commission)
  • Note: Before sending the documents, we recommend calling up the NPC directly to check if the address provided is still correct.
  • Address: 5th Floor Delegation Building, PICC Complex, Roxas Boulevard, Pasay City, Metro Manila, Philippines

After they receive the documents and process them, you will receive an email confirmation like this.

NPC Data Privacy Act Email Phase 1 Phase 2

Expect an email like this from NPC once they process your registration for Phase 1.

That’s actually it for Phase 1.


Frequently Asked Questions for Phase 1:

Q: I am a doctor and I have over a thousand records BUT I do not have a clinic. Should I register?

A: We recommend that you just register. Better to be safe.

Q: I have 900 records. Do I need to register?

A: Their requirement is 1000 but here at SeriousMD, we’d like to keep things simple. Always err on the side of caution. Just register now, it doesn’t hurt to do things in advance.

Q: Is there another address for the NPC?

A: We were told that they will be moving to a new office. No official notification yet as to where their new address will be. So for now, it’s still 5th Floor Delegation Building, PICC Complex, Roxas Boulevard, Pasay City, Metro Manila, Philippines

Q: Is this just for doctors keeping digital records?

A: No. Whether you are keeping digital records or written records, you are still required to register.

Q: The NPC DPA deadline is still far away, can I register now?

A: Yes, you definitely can.

Q: What’s the difference if I register online or do it offline. It seems to be the same.

A: We recommend doing it offline since you are STILL submitting the documents manually anyway but if you prefer the online route, here’s what you need to do.

  • Go to the NPC website (Click here to go to their website)
  • Click on the Register button and Pick an Organization type. (Sole Proprietor, Corporation, etc.)
  • Fill up the online DPO form.
  • You will see a page at the end (basically telling you to watch out for their email and SMS with the code for your account.)
  • Then it will ask you to print it out, sign it and have it notarized.
Online Registration NPC Data Privacy Act

Press Download and Print PDF Button

Technically, it’s just the same as the instructions above, you just had a form generated for you instead of you writing on it and you will get your account code earlier but you will still have to submit the requirements manually.

Q: What’s a DPO?

A: Here’s the official description from NPC. “Data Protection Officer” or “DPO” refers to an individual designated by the head of agency or organization to be accountable for its compliance with the Act, its IRR, and other issuances of the Commission: Provided, that, except where allowed otherwise by law or the Commission, the individual must be an organic employee of the government agency or private entity: Provided further, that a government agency or private entity may have more than one DPO.

In short: A DPO is a Person assigned by the Entity (the one processing information) to be responsible for everything related to the records, including safekeeping of the records, making sure the entity’s operations are in compliance with the data privacy act or other mandates by the NPC, as well as being the point of contact for the NPC.

The DPO assigned is usually the doctor but in some cases, your secretary can be assigned if they are responsible for safekeeping the records.


TL;DR (Too Long; Didn’t Read)

  • The DPA (Data Privacy Act) just provides for the “keeper” of the files to be conscious about privacy concerns of the patients
  • It’s NOT just for EMR or digital data, but also for physical records as long as doctors keep identifiable information about a person, they are required to register. So, technically, all clinics with over 1000 records should be registered.
  • SeriousMD is already registered with NPC for compliance.
  • There are 2 phases for NPC registration. Phase 1 and Phase 2. See the function for each phase above.
  • You just need to process Phase 1 before the March 8, 2018 July 2, 2018 deadline.
  • Once processed by the NPC, you will receive an email.
  • Another email and/or SMS will come at least a week after to notify you about Phase 2.

Notes About Phase 2:

  • By going with SeriousMD, we handle the checks on how the data is stored versus a one-off system or app or by using MS Word or any other software that doesn’t have any at all.
  • So, in short, it’s easier and more secure with SeriousMD because we handle the long checklist (Phase 2 of NPC’s requirements) on how to store and protect data. It’s definitely safer than storing files on your computer on your own. Check how we secure your data.

Share this post to other doctors on social media by clicking the Facebook, Twitter, Whatsapp or other buttons you can see on left side of this page.


This space is reserved for our article about Phase 2.

The requirements for Phase 2 can be complicated. As a SeriousMD user, we will definitely be able to help you out with Phase 2. Link to the article coming soon. If you still aren’t using SeriousMD for your practice, then sign up today!