NPC Issues Guidelines on Personal Data Processing Using Body-Worn Cameras and Recording Devices

On 26 May 2025, the National Privacy Commission (“NPC”) has issued NPC Circular No. 2025-01, or the Guidelines on the Processing of Personal Data Collected Using Body-Worn Cameras, (the “Circular”), which establishes protocols for the responsible use of body-worn cameras (“BWCs”) and alternative recording devices (“ARDs”) in the Philippines. The Circular aims to protect the data privacy rights of individuals and ensure accountability in the processing of personal data captured through these technologies.

The Circular applies to personal information controllers (“PICs”) and personal information processors (“PIPs”) engaged in the use of BWCs and ARDs, excluding uses for purely personal, family, or household affairs. However, even in such cases, users are reminded to respect the privacy rights of individuals.

Definitions provided include BWCs as wearable electronic cameras capable of capturing audio-visual recordings, and ARDs as other devices such as mobile phones, action cameras, and smart wearables used for similar purposes. The Circular also defines roles such as data custodians and outlines the scope of law enforcement operations covered.

The lawful basis for processing personal data using BWCs or ARDs must align with the Data Privacy Act of 2012 (“DPA”), particularly Sections 12 and 13, and must adhere to the principles of transparency, legitimate purpose, proportionality, and fairness. Law enforcement agencies and private security providers are required to provide clear privacy notices, ensure recordings are used only for lawful and specified purposes, and avoid excessive data collection.

Vloggers and other individuals using BWCs or ARDs for content creation are also covered. They must ensure transparency, provide privacy notices on their platforms, and use masking technologies to protect bystanders, especially vulnerable individuals. Entities using these devices for training, monitoring, or evaluation must comply with the same legal and privacy standards.

PICs and PIPs are required to implement organizational, technical, and physical safeguards, including regular training, access control policies, encryption, and secure storage. Recordings must be retained only as long as necessary and disposed of securely. Devices must meet technical standards such as non-editable formats, metadata preservation, and visible recording indicators.

Data subjects must be informed of recordings unless doing so is impractical or unsafe. Their rights under the DPA must be upheld, including access to recordings, subject to limitations related to law enforcement or public safety. Requests must be evaluated carefully, and any denial or delay must be justified.

PICs are also required to conduct privacy impact assessments prior to or shortly after implementing BWCs or ARDs, and to regularly review internal policies and security measures. Violations of the Circular may result in criminal, civil, or administrative liability under the DPA.

The Circular takes effect fifteen (15) days after its publication in the Official Gazette or a newspaper of general circulation. PICs and PIPs are given sixty (60) days from effectivity to comply with its provisions.

The full text is available in this link.