Incident Response Form Template for the Philippines
What is an Incident Response Form?
The Incident Response Form is a critical document used by organizations in the Philippines to manage and document security incidents, data breaches, and other security-related events. This document is designed to comply with the requirements set forth by the Data Privacy Act of 2012 (RA 10173), the Cybercrime Prevention Act of 2012 (RA 10175), and various circulars issued by the National Privacy Commission. The form enables organizations to systematically record incident details, track response actions, document impact assessments, and maintain compliance with mandatory reporting requirements. It serves as an essential tool for incident management teams, providing a structured approach to incident documentation while ensuring all necessary information is captured for internal analysis, regulatory reporting, and potential legal proceedings.
Frequently Asked Questions
Is an Incident Response Form legally binding under Philippine law?
Yes, an Incident Response Form becomes legally binding when it documents incidents involving personal data under the Data Privacy Act of 2012 (Republic Act 10173). Organizations must maintain accurate incident records and report qualifying data breaches to the National Privacy Commission within 72 hours. Failure to properly document incidents can result in administrative fines and penalties.
How long do I have to file an Incident Response Form with Philippine authorities?
Under the Data Privacy Act of 2012, organizations must report personal data breaches to the National Privacy Commission within 72 hours of becoming aware of the incident. For cybercrime-related incidents, immediate reporting to the PNP Anti-Cybercrime Group is required. Internal incident documentation should begin immediately upon discovery.
Can Philippine authorities penalize my organization for incomplete incident documentation?
Yes, the National Privacy Commission can impose administrative fines ranging from PHP 500,000 to PHP 5,000,000 for non-compliance with incident reporting requirements under the Data Privacy Act. Incomplete or missing incident documentation may also hinder your organization's ability to demonstrate due diligence in regulatory investigations or civil litigation.
How does an Incident Response Form differ from a regular incident report in the Philippines?
An Incident Response Form under Philippine law specifically addresses data privacy and cybersecurity incidents with structured fields for personal data impact assessment, breach classification, and NPC reporting requirements. Regular incident reports focus on general operational issues without the specific data protection elements required by Republic Act 10173 and cybercrime prevention legislation.
How long does it typically take to properly complete an Incident Response Form?
Initial incident documentation should be completed within 2-4 hours to meet urgent reporting deadlines. However, comprehensive incident analysis including root cause investigation, impact assessment, and remediation planning can take 24-72 hours. The form should be updated continuously as new information becomes available during the response process.
Which Philippine agencies must receive copies of my Incident Response Form?
For personal data breaches, submit to the National Privacy Commission within 72 hours. Cybercrime incidents require immediate reporting to the PNP Anti-Cybercrime Group. Financial institutions must also notify the Bangko Sentral ng Pilipinas for incidents affecting banking data. Industry-specific regulators may have additional notification requirements depending on your sector.
Are there common mistakes Filipino organizations make when filing incident response forms?
Common errors include failing to classify incidents correctly under the Data Privacy Act categories, missing the 72-hour NPC notification deadline, inadequate personal data impact assessment, and not documenting remediation efforts properly. Many organizations also forget to update forms with post-incident analysis findings required for comprehensive compliance documentation.
About the Incident Response Form
An Incident Response Form is a structured document that helps you systematically document, investigate, and respond to security incidents in compliance with Philippine data protection and cybersecurity laws. This form ensures you capture all necessary information required by the National Privacy Commission and other regulatory bodies while maintaining a clear audit trail of your incident response activities.
When do you need this document?
You need an Incident Response Form whenever your organization experiences any security-related event that could impact personal data, systems, or operations. This includes data breaches affecting personal information, unauthorized access to systems, malware infections, phishing attacks, or any suspected cybersecurity incident. Under the Data Privacy Act of 2012, you're required to document incidents involving personal data within specific timeframes, making this form essential for regulatory compliance. You'll also need it for internal incident tracking, insurance claims related to cyber incidents, and coordination with law enforcement when criminal activity is suspected.
Key legal considerations
The form must capture specific elements required by Philippine law, including precise timestamps, affected data categories, potential harm to data subjects, and immediate containment measures taken. You need to document the incident's scope, including which personal information categories were compromised and the number of affected individuals. The form should detail your assessment methodology, response team members involved, and communication plans for notifying affected parties. Consider including fields for legal privilege protection when external counsel is involved, and ensure the form supports both internal incident management and external regulatory reporting requirements. Documentation quality directly impacts your ability to demonstrate compliance during regulatory investigations.
Legal requirements in the Philippines
Under the Data Privacy Act of 2012 and NPC Circular 16-03, you must notify the National Privacy Commission of personal data breaches within 72 hours of becoming aware of the incident. The form must support this timeline by capturing when the incident occurred, when it was discovered, and when key stakeholders were notified. NPC Circular 2020-01 specifies additional reporting requirements including impact assessments and remedial measures taken. The Cybercrime Prevention Act of 2012 may require coordination with law enforcement for certain incident types, so your form should accommodate this reporting pathway. You must maintain incident records for at least five years and ensure they're available for NPC inspections. The form should also support notification requirements to affected data subjects when the breach poses high risk to their rights and freedoms.
GOVERNING LAW
Applicable law
This Incident Response Form is drafted to comply with Philippine law. Key legislation includes:
Cybercrime Prevention Act of 2012 (Republic Act 10175): Provides the legal framework for the prevention, investigation, and prosecution of cybercrimes, relevant for security incidents involving digital systems
NPC Circular 16-03 on Personal Data Breach Management: Details the mandatory breach notification procedures and incident response requirements set by the National Privacy Commission
NPC Circular 2020-01: Guidelines on Security Incident and Personal Data Breach Reporting, including specific timeframes and procedures for notification
E-Commerce Act of 2000 (Republic Act 8792): Relevant for incidents involving electronic transactions and digital records
Consumer Act of the Philippines (Republic Act 7394): Applicable when incidents affect consumer rights and require consumer notification
BSP Circular No. 982: Guidelines on Information Security Management for financial institutions, including incident response requirements for the banking and financial sector