
Signed by President Ferdinand R. Marcos, Jr. on July 13, 2026, Executive Order No. 119 completely overhauls how the Philippine government handles digital data. By setting up a robust, modern framework for data classification and residency, this directive bridges the gap between traditional bureaucracy and modern cloud computing.
Here are the seven essential takeaways you need to know about this landmark policy and why it is a game-changer for digital governance.
1. It drags Philippine data policy out of the 1960s
The Detail: Prior to this new order, the country’s government data rules were governed by an outdated, paper-based administrative framework issued all the way back in 1964.
Why It Matters: A sixty-year-old framework simply cannot cope with modern cybersecurity threats, cloud storage, and cross-border data transfers. This executive order officially modernizes Philippine data systems to handle contemporary digital realities.
2. It covers digital government data—even when held by private companies
The Detail: The order covers all government data in digital or hybrid forms controlled by national government agencies, state colleges, and government corporations.
Why It Matters: While the order doesn’t apply to purely private or commercial data, it absolutely applies to government data managed or stored by private contractors. If a private firm handles government cloud services, public-private partnerships, or critical infrastructure, the contracting agency must write strict security and contractual safeguards into their agreements.
3. Classifications are simplified into four tiers
The Detail: Under the updated framework, government data is split into two general classes: Open Access Data (which is unclassified) and Restricted Access Data. Restricted data is categorized into four tiers based on the damage a leak would cause:
Top Secret: Information that would cause exceptionally grave damage to national security, economy, or politics.
Secret: Information that would cause serious injury to national interests or government operations.
Confidential: Information that would cause prejudicial effects, administrative embarrassment, or injury to an individual.
Restricted: General official matters requiring lighter, standard protections.
Why It Matters: Clear-cut rules prevent overclassification. Overclassifying data creates massive administrative delays, runs up public expenses, and keeps public records unnecessarily locked away.
4. A unified central registry is coming
The Detail: Agencies can no longer classify files arbitrarily. They must use a risk-based assessment—including formal inventories and privacy impact assessments—to determine classification. Furthermore, every single classification, along with its basis and risk assessment, must be recorded in a central registry developed and maintained by the Department of Information and Communications Technology (DICT).
Why It Matters: This database ensures high-level accountability across agencies. By centralizing classification records, it prevents arbitrary secrecy and establishes a transparent audit trail of what is being protected and why.
5. Digital sovereignty is asserted through strict data residency
The Detail: The executive order declares that all government data remains subject to Philippine laws and jurisdiction, no matter where it is physically stored. It sets clear boundaries on physical hosting:
Top Secret & Secret: Must be stored strictly on Philippine soil or within sovereign jurisdictions (like embassies or consulates).
Confidential: Must generally stay in the Philippines, with external hosting permitted only as a highly regulated exception requiring prior approval.
Restricted & Open Access: Can be hosted on secure, encrypted cloud platforms regardless of physical location.
Why It Matters: This keeps the nation’s most sensitive diplomatic, intelligence, and military secrets completely out of foreign reach, while still allowing non-sensitive operations to benefit from global cloud infrastructure.
6. A new joint oversight committee holds the reins
The Detail: To manage implementation, a Joint Oversight Committee for Data Classification has been established.
Co-Chairs: DICT and the National Security Council (NSC).
Members: Includes departments of local government, intelligence agencies, the privacy commission, the statistics authority, and the national archives.
Why It Matters: This committee is tasked with issuing the final implementing guidelines within 120 days. It serves as a centralized authority to resolve inter-agency classification disputes and continuously audit compliance across the bureaucracy.
7. It faces a hard three-year deadline with real penalties
The Detail: Government agencies must transition to full compliance under a strict three-year phased timeline:
Year 1: Capacity building, complete data inventories, and initial mapping of datasets and workloads.
Year 2: 100% compliance for all Top Secret and Secret datasets.
Year 3: 100% compliance for all remaining data.
Why It Matters: Public officials or employees who fail to meet these milestones face administrative and disciplinary sanctions under existing laws.
Disclosures: This research was compiled with the help of some AI tools including Notebook LM with editorial oversight.
Your subscription could not be saved. Please try again.
Your subscription has been successful.
READ NEXT
EDITORS' PICK
MOST READ
View original source — Philippine Daily Inquirer ↗


