On 11 March 2025, the Insurance Commission (IC) and the National Privacy Commission (NPC) issued Joint Advisory No. 2025-001 (“Joint Advisory”), or Considerations on the Use of Privacy Enhancing Technologies (PETs) in the Insurance Industry.
The Joint Advisory values the adoption of PETs in the insurance industry, which may supplement existing privacy-preserving practices to mitigate data privacy risks and ensure protection of personal data processed by personal information controllers (PICs) and personal information processors (PIPs).
In depth
The Joint Advisory applies to insurance providers, insurance and pre-need companies, health maintenance organizations, mutual benefit associations, their respective agents, brokers, adjusters, intermediaries, all other entities under the regulatory control and supervision of the IC, and PIPs of the foregoing entities.1
I. Definition and categories of PETs
PETs are defined as follows:
A collection of digital technologies, approaches and tools that permit data processing and analysis while protecting the confidentiality, and in some cases also the integrity and availability, of the data and thus the privacy of the data subjects and commercial interests of PICs.2
PETs may be categorized as follows:3
- Data obfuscation tools, such as anonymization, pseudonymization, synthetic data, differential privacy and zero-knowledge proofs
- Encrypted data processing tools, such as homomorphic encryption, multiparty computation and trusted execution environments
- Federated and distributed analytics, such as federated learning and distributed analytics
- Data accountability tools, such as threshold secret sharing and personal data stores
II. Obligations in relation to the use of PETs
The following obligations apply when a covered entity uses PETs:
- It must ensure that its use of PETs is compliant with the Data Privacy Act, its Implementing Rules and Regulations, and the issuances of the NPC (collectively, “Data Privacy Regulations”). PICs are responsible for the processing of personal data using PETs, including instances when the processing is outsourced or subcontracted to a PIP.
- It must ensure continuous compliance with its own obligations under the Data Privacy Regulations, such as, but not limited to, implementing reasonable and appropriate security measures, registration of the data processing system(s) with the NPC (if applicable), and compliance with rules on personal data breach management, including breach notification.
- Prior to the adoption of PETs and thereafter as may be necessary, it must conduct a privacy impact assessment on the data processing system.
- It may consider industry standards and best practices, technical compatibility, costs, and efficiency in assessing which PETs are most suitable for its business purposes. A covered entity may utilize more than one PET.
Recommended actions
Clients covered by the Joint Advisory are advised to take note of the considerations and obligations when selecting and/or adopting PETs in the processing of personal data.
Quisumbing Torres’ Intellectual Property, Data and Technology Practice Group may be reached for further information on the Joint Advisory.
1 Section 1, Joint Advisory.
2 Section 3, Joint Advisory.
3 Section 3, Joint Advisory.