Section 20 of the Data Privacy Act of 2012 states that the personal information controller – in this case, the Comelec – must safeguard personal information "against any accidental or unlawful destruction, alteration and disclosure, as well as against any other unlawful processing."