4 June 2021
Perhaps never in the history of the Philippines have we been made to provide personal information as frequently as during this pandemic. Almost everywhere we go, we are required to have our contact tracing apps scanned or we may have to manually fill in some logbook or contact tracing sheets and provide our age, place of residence, e-mail address, contact number, and health and travel information.
Of course, with Philippines battling a health crisis for more than a year now, there is a legitimate interest sought to be addressed by the collection of personal information. However, with the pervasiveness of data collection, it can sometimes be a little too cumbersome or an anxiety-inducing task that prompts us to ask if our privacy is adequately protected. In this case, the role of the Data Privacy Act may be well worth looking into.
For instance, people in some localities who had to travel from one place to another must register on several contact tracing apps developed or used by different local government agencies or entities. Not only that, as these systems may have to process large quantities of data, sometimes they become inaccessible or suffer glitches which would prompt people to repeat the registration process. To an ordinary citizen with limited access to registration or internet facilities, this process can be quite daunting if not oppressive.
Under the Data Privacy Act, an option which the different government agencies or instrumentalities may want to consider to possibly reduce the number of times people have to register in contact tracing systems or in systems used to deliver the government’s COVID-19 programs is data sharing. The National Privacy Commission, through Circular No. 2020-03, has issued the guidelines on Data Sharing Agreements among personal information controllers. A data sharing agreement foremost provides for the purpose and lawful basis for data sharing, responsibilities of the parties involved, operational details, security, data subjects’ rights, retention and data disposal. Considering the different capacities of personal information controllers, as in the case of local government units, the conclusion of a data sharing agreement is considered a sound recourse and demonstrates accountable personal data processing as well as good faith in complying with the requirements of the Data Privacy Act.
Now, with the roll out of the government’s vaccination program, there is yet again the necessity to provide information to authorities and this time one more in detail about our health conditions to generate the master list needed for the vaccination program.
Based on the reports received by the National Privacy Commission, sometimes the means by which information related to vaccination are collected use channels which render more vulnerable the privacy of data subjects, as when one is asked to provide personal details by commenting in a social media platform to indicate one’s interest to avail of a vaccine.
With this, the National Privacy Commission issued NPC PHE Bulletin No. 19 to provide additional guidance in improving the means of personal data processing for the COVID-19 vaccination program. The bulletin highlighted the need for local government units and personal information controllers to implement reasonable and appropriate safeguards, particularly physical, organizational, and technical security measures, to ensure the protection of personal data against any unlawful processing, alteration, disclosure, or destruction.
As the minimum required data for master listing is a comprehensive record of a potential vaccinee containing sensitive personal information, the same should be treated with utmost confidentiality and should not be posted on public platforms. To do so, stakeholders are advised to disclose patient data only to proper authorities and in appropriate areas, ensure that computer displays are protected from unauthorized or accidental viewing, storage media are properly locked, patient data are encrypted, both in-transit and at rest, and that there are facilities for secure communication.
To further protect the integrity of data, conducting independent security audits and tests, strengthening of systems against prominent web attacks, updating systems and its components, and backing up of data are likewise recommended.
Admittedly, the recommendations demand that the stakeholders do more of a balancing act between safeguarding privacy and addressing the pressing health emergency. However, as the National Privacy Commission emphasized, while we have competing priorities at this time, compliance with the Data Privacy Act of 2012 must also be given priority, and that this should not be considered as a hindrance to the COVID-19 response.
This delicate balancing of interests can thus be seen as a call for conscientious cooperation among the different stakeholders so that we can all get through this pandemic without having to compromise our precious privacy.
The views and opinions expressed in this article are those of the author. This article is for general informational and educational purposes only and not offered as and does not constitute legal advice or legal opinion.
For further information, please contact:
Genie Celini D. Nuevo, Senior Associate,
gdnuevo@accralaw.com