Philippines: New NPC guidelines on body-worn cameras and alternative recording devices

On 26 May 2025, the Philippine National Privacy Commission (NPC) released Circular No. 2025-01 entitled “Guidelines on the Processing of Personal Data Collected Using Body‑Worn Cameras” (“Circular“). It sets out comprehensive requirements for personal information controllers (PICs) and processors (PIPs) that use body-worn cameras (BWCs) or alternative recording devices (ARDs), such as mobile phones or action cameras, in law enforcement, security, vlogging and other recording activities.

While the Circular took effect on 10 June 2025, PICs and PIPs have until 9 August 2025 to ensure full compliance.

Recommended actions

Clients that deploy BWCs or ARDs are strongly encouraged to take proactive steps to ensure compliance with the Circular by 9 August 2025.

Quisumbing Torres is ready to advise organizations regarding internal policies and procedures, privacy impact assessments, controls, data retention and training programs in relation to the Circular’s requirements. We also provide guidance on compliance documentation, implementation of privacy safeguards and proper handling of data subject rights.

For assistance or further inquiries related to the Circular or matters related to the Data Privacy Act of 2012 (DPA), please feel free to reach out to Quisumbing Torres’ Intellectual Property, Data and Technology Practice Group.

In more detail

Scope

The Circular applies to PICs and PIPs processing personal data collected through BWCs¹ or ARDs.² Note that the Circular will not apply when the personal data collected through BWCs or ARDs are used for purely personal, family or household affairs,³ although such use should still be subject to the privacy rights of the relevant individuals.

Application of data privacy principles

PICs that process personal data through BWCs or ARDs must comply with the various privacy principles under the DPA, the following in particular:

Lawfulness: Processing must be based on a lawful basis under Section 12 or 13 of the DPA or a special case under Section 4, if applicable.

In the case of law enforcement or security, PICs must also comply with relevant Supreme Court rules, i.e., Rules on the Use of Body-Worn Cameras in the Execution of Warrants and other applicable laws.

Transparency: PICs must provide data subjects with sufficient privacy notice, using clear, concise and plain language.

In the case of law enforcement or security, the Circular imposes specific requirements, as follows:

The notice must be translated into Filipino or another language or dialect, so that it can be better understood by data subjects.
Law enforcement officers or security guards should also have visible signage on them or a warning light on the BWC or ARD to indicate that the device has been activated and is recording.
PICs should provide data subjects with a published privacy notice, or direct them to a privacy notice placed or made available in a conspicuous or easily accessible place, e.g., a website, office premises, etc.
Such privacy notice shall likewise be incorporated in the guidelines on the use of BWCs or ARDs, which shall also be readily accessible and published.
In certain limited instances, information on the processing of personal data using BWCs or ARDs may be given to data subjects at the next practical opportunity.

In the case of vlogging, the privacy notice should also inform individuals of the fact that the resulting footage will be uploaded, posted, published or otherwise shared online, and how they may exercise their data privacy rights. Such privacy notice shall be made available by the vlogger on all their online platforms.

Legitimate purpose: The processing of personal data shall be compatible with a declared and specified purpose, which must not be contrary to law, morals or public policy.
Proportionality: The processing of personal data through the use of BWCs or ARDs shall be adequate, relevant, suitable, necessary and not excessive in relation to a declared and specified purpose. The collection and further processing of personal data through BWCs or ARDs should only be to the extent necessary to fulfill the legitimate purpose.
Fairness: The processing of personal data using BWCs or ARDs shall not be unduly oppressive upon data subjects.

For vlogging, in cases where vloggers are recording footage of themselves in action, vloggers shall ensure that that personal data processing activities are done in a fair and lawful manner and affected data subjects will be able to exercise their rights. Vloggers are also required to use available technology that can mask images of bystanders, especially children and other vulnerable individuals.

Security measures

PICs and PIPs must adopt technical, physical and organizational controls. These safeguards shall include the following:

Training: Conduct regular and documented training (at least annually and during onboarding) for all relevant personnel on the proper use of BWCs or ARDs, covering data subject rights, data privacy and protection principles, due process requirements, and potential administrative, civil and criminal penalties under the DPA.
Access control: Implement strict access controls to BWC or ARD recordings by designating authorized personnel in line with the applicable laws, rules and regulations (e.g., Supreme Court issuances, PNP rules, NPC advisories), establishing a documented access control policy requiring security clearances and handling data subject access requests in accordance with NPC Circular No. 2024-02, if applicable.
Device capabilities: Ensure that BWCs or ARDs have key technical features, including standard open-format recordings with metadata, tamper-proof data handling, built-in time/date/location stamps, compatibility with third-party software and a clearly visible visual recording indicator.
Encryption: Use appropriate encryption software when safeguarding recordings during rest and in transit.
Clear policy: Establish a clear policy for downloading, transmitting and storing BWC or ARD recordings on another device to facilitate data subject access requests.
Retention and disposal: Retain BWC or ARD recordings only as long as necessary, but generally, such recordings should only be retained for up to 30 calendar days, unless its further retention is allowed under applicable laws, rules and regulations. Recordings should also be disposed in a secure manner that would prevent unauthorized further processing.

Data subject rights

PICs should provide mechanisms for data subjects to exercise their rights under the DPA, while allowing for reasonable limitations, such as ongoing police operations, national security concerns or public safety. Once these limitations cease, the data subject rights should be honored, with footage tagged and archived for future release.

PICs should also ensure that access to recordings considers the rights of other individuals, such as by masking the images of other individuals captured in the recording prior to the release of the footage.

In the event that there is a delay in acting upon a request or when the request itself is denied, the PIC is required to provide the data subject the reason for such delay or denial.

Privacy impact assessment

PICs must conduct a privacy impact assessment (PIA) prior to the adoption, use or implementation of BWCs or ARDs, or within a reasonable time thereafter as may be determined by the PIC. Such PIA should be regularly reviewed and updated when appropriate, such as when there are changes in the governing law or regulations.

Regular review

PICs, through their data protection officers, should regularly assess policies and security measures, factoring in evolving best practices, standards and new technologies.

Noncompliance

Noncompliance with any of these requirements may lead to administrative penalties being imposed by the NPC, such as compliance/enforcement orders, administrative fines of up to PHP 5 million (approximately USD 90,900) for a single violation, cease and desist orders and temporary or permanent bans on personal data processing. In addition, affected data subjects may recover damages through civil indemnity claims for violations of their data privacy rights, specifically the right to be informed. Finally, if the violation amounts to a criminal offense under the DPA, such as unauthorized processing of personal data, criminal penalties may be imposed upon the responsible officer(s) who participated in, or by their gross negligence, allowed the crime to be committed.

¹The term “body-worn camera” or “BWC” refers to an electronic camera worn by a person that is capable and intended for creating, generating, sending, receiving, storing, displaying and processing audiovisual recordings.

²The term “alternative recording device” or “ARD” refers to an electronic device or gadget with a camera system, other than a BWC, that is capable of creating, generating, sending, receiving, storing, displaying and processing audiovisual recordings and is capable of being worn on the body, handheld, attached to the person of an individual or operated as an alternative or substitute for BWC. This includes, but is not limited to, digital cameras, mobile phones, action cameras, smart watches or smart eyeglasses, and other similar devices.

³The phrase “purely personal, family or household affairs” refers to the uses that are not intended for profit or commercial gain and where footages are not uploaded, posted, published or otherwise shared online. This includes the use of BWCs or ARDs by individuals, e.g., motorcycle drivers, bicyclists, etc., for personal security purposes. Nevertheless, the totality of the circumstances surrounding the use of BWCs or ARDs will be considered in determining whether the specific activity falls under the exception.