President Ferdinand Marcos Jr. has ordered the modernization of the government’s data classification system and the establishment of frameworks governing data residency and cross-border transfers to protect national security, uphold data sovereignty and ensure compliance with existing laws.
Executive Order (EO) No. 119, signed on behalf of the President by Executive Secretary Ralph Recto on July 13 and published in the Official Gazette on July 14, updates a government data classification framework established more than six decades ago.
The previous system was created under Memorandum Circular No. 78 in 1964 and amended through MC No. 196 in 1968.
“The existing data classification framework established under MC No. 78, as amended, was formulated in the context of a paper-based bureaucracy and is no longer fully responsive to the demands of contemporary digital governance, cybersecurity risks, cloud computing environments, and cross-border data flows,” Executive Order 119 read.
“There is a need to update and modernize the government’s classification structure and to establish a coherent policy framework on data residency and cross-border data transfers to safeguard national security, uphold data sovereignty, ensure compliance with existing laws, and support secure digital transformation across government,” the EO added.
Under the order, all government data in digital or hybrid form that are owned, processed or controlled by national government agencies and instrumentalities must adopt a unified and risk-based framework for classification, protection, handling and management.
The directive also covers government-owned or -controlled corporations and state universities and colleges.
Government information will be classified either as Restricted Access Data or Open Access Data.
Restricted Access Data covers official matters requiring protection in the interest of national security, including information categorized as Top Secret, Secret and Confidential.
Open Access Data refers to information or matters that do not involve national security and have been designated as unclassified or open, subject to applicable laws, rules and regulations.
Data classified as Top Secret and Secret must be stored within Philippine territory or in other territories over which the Philippines exercises sovereignty or jurisdiction.
Confidential data must also generally be stored and maintained within Philippine territory or territories under Philippine sovereignty or jurisdiction.
As an exception, Confidential Data may be stored or processed outside Philippine territory, provided the responsible agency obtains the express prior approval of the Joint Oversight Committee for Data Classification.
Data classified as Restricted may be stored on a secured cloud-computing platform, subject to encryption, risk-mitigation measures and other cybersecurity requirements.
All other government information, including Open Access Data, may be stored on secure cloud-computing platforms regardless of the physical location or ownership of the platform, subject to the same cybersecurity safeguards.
The order also creates the Joint Oversight Committee for Data Classification, which will be co-chaired by the Department of Information and Communications Technology (DICT) and the National Security Council (NSC). The DICT will head the committee’s secretariat.
Its members will include the Department of the Interior and Local Government, National Intelligence Coordinating Agency, Department of Foreign Affairs, National Privacy Commission, Philippine Statistics Authority and National Archives of the Philippines.
Government agencies have three years to fully comply with the establishment and implementation of the updated data classification framework.
