Privacy Issues on Health and Medical Information during COVID-19

Carlo E. Abarquez, Partner
Gio Raymond P. Ceniza, Associate

The Covid-19 pandemic has taken over and affected our daily lives over the past months. In the “New Normal”, people are expected to wear face masks, to maintain social distancing, and to limit unnecessary movement. Even the manner in which we interact with people has changed – no more handshakes and intimate greetings. Likewise, people have an increased demand for more information on the health status of their neighbors.

In some cases, however, the demand for and sharing of health status became so extreme that it resulted in discrimination and/or harassment. Unfortunately, the paranoia surrounding Covid-19 has led to the singling out and ostracizing of suspected, probable or confirmed Covid-19 patients from the community.

The following are general guidelines on how communities, companies, employers and/or personal information controllers must deal with the health and personal information of their data subjects.

Who are Personal Information Controllers (PICs)?

Persons or organizations who control the collection, holding, processing or use of personal information are PICs.[1]  Among the more common PICs are banks, employers, condominium associations and hospitals with respect to personal information of their clients, employees, residents, and patients (collectively referred to as “data subjects”).

What are the responsibilities of PICs under the DPA?

PICs in general must implement reasonable and appropriate organizational[2], physical[3] and technical[4] measures intended for the protection of personal information against any accidental or unlawful destruction, alteration and disclosure; against natural dangers like accidental loss or destruction; against human dangers like unlawful access, fraudulent misuse, unlawful destruction, alteration and contamination; and against any other unlawful processing.[5]

The responsibility of securing personal information extends to the employees and/or relevant members of PICs.

In the current Covid-19 crisis, PICs are under immense pressure to reveal the health information of their data subjects. There have been news reports where hospitals, employers and government employees[6] succumbed to this pressure and were careless in disclosing the health information of their data subjects. There are also reports of discrimination, harassment and physical assaults on suspected, probable and confirmed Covid-19 patients, and even on health workers, because of such disclosures. PICs must exercise caution when disclosing health information, as they cannot do so without the express consent of the data subject. Otherwise, the unauthorized disclosure will subject the PIC to penalties and/or sanctions under the DPA.

NPC advisory of personal information during the Covid-19 pandemic

The NPC issued Public Health Emergency Bulletin No. 7 to address data privacy questions relative to the Covid-19 situation, reiterating that even in times of calamity or a state of public health emergency, the rules on patient privacy, confidentiality of health records, medical ethics, and data subjects’ rights remain in effect, and that upholding them equates to protecting lives.

The NPC asserted that the DPA is not a hindrance to the Covid-19 response. There is a law[7] that requires suspected, probable and confirmed Covid-19 patients to provide transparent and truthful information on their health data to the Department of Health (“DOH”), hospitals and other pertinent public authorities, or risk being penalized with fines or sanctions. The same law, taken together with the DPA, allows the DOH to share personal information, so long as what is shared is necessary and subject to proper authority.

The NPC also cautioned suspected, probable and confirmed Covid-19 patients, and even health workers, against sharing or consenting to share their personal data with the general public for purposes of “contact tracing”. Doing so may not be as helpful to “contact tracing” interventions as intended, since it can only induce fear among them given the multiple reports of physical assaults, harassment, and discrimination they endure. The threats to their safety and security may even discourage them from transparently and truthfully reporting their symptoms to public authorities, taking confirmatory tests, and submitting to treatment.

NPC Phase I Registration Reminders

Last March 6, 2020, the NPC reminded the general public of the requirement for covered Personal Information Controllers and Personal Information Processors (PIPs) to register their Data Protection Officers in order to avoid potential liability and sanctions under the DPA. The NPC further disclosed that it aims to launch an automated registration system for Phase I (registration of Data Protection Officers) by July 2020. The validity of current Phase I registrations has been extended from March 8, 2020 to August 31, 2020 in order to properly operationalize the automated registration system.


[1] Section 3(h), of Republic Act No. 10173 otherwise known as The Data Privacy Act of 2012 (“DPA”).  PICs also include persons or organizations who instruct another person or organization to collect, hold, process, use, transfer or disclose personal information on their behalf.

[2] Organizational measures include organizational policies (i.e. policies on storage and retention of physical files, when to transfer physical files digitally, levels of authorization / access in the organization to personal information) to protect data.

[3] Physical measures include tangible or concrete policies (i.e. storage of physical files in secure filing cabinets, locked storage rooms; offsite location of servers and physical files, shredding of physical files when no longer needed) to protect data.

[4] Technical measures include technical / information technology (IT) policies (i.e. downloading policies within the organization; utilization of encryption technology) to protect data.

[5] Section 20 of the DPA.

[6] Section 22 of the DPA provides that the head of each government agency or instrumentality shall be responsible for complying with security requirements of PICs and the National Privacy Commission (“NPC”) shall monitor compliance and recommend necessary action as the case may be.

[7] R.A. No. 11332, otherwise known as the “Mandatory Reporting of Notifiable Diseases and Health Events of Public Health Concern Act”.