March 19, 2020 | 2:50 PM GMT+0800 Last Edit: November 11, 2021
Data protection in times of Emergency
The National Privacy Commission recognizes the extraordinary challenges our nation is facing due to this unfamiliar global pandemic. We all share the same concern and the urgent need to contain the spread of the virus. To win this battle against COVID-19, trusted and verified information is vital. Thus, during this time, it is not only the “misuse” of data that concerns us but also the “missed” use that could have made a difference in containing the disease.
Data protection and privacy should not hinder the government from collecting, using, and sharing personal information during this time of public health emergency. Neither does the law limit public health authorities from using available technology and databases to stop the spread of the virus. The principles contained in the law allow the use of data to treat patients, prevent imminent threats, and protect the country’s public health and still provide the level of protection the citizens expect. The Data Privacy Act of 2012 is an enabler in critical times like this.
We will continue issuing guidance to support our health practitioners and government units to properly and effectively use personal data to ensure the safety and security of everyone. For our front-liners: “To be able to communicate directly with the public, the medical and scientific community, and other government bodies. To coordinate nationally and globally”.
The following FAQs have been collated by our NPC staff to answer questions raised by government agencies, private companies, and the public. We will try our best to continue to respond to your queries in the days ahead.
The direction is lawful and straightforward. COLLECT WHAT IS NECESSARY. DISCLOSE ONLY TO THE PROPER AUTHORITY.
The power of data in responding to this global public health emergency cannot be overstated. The NPC is fully ready to help facilitate the safe and rapid flow of data to fight COVID-19.
RAYMUND ENRIQUEZ LIBORO
Privacy Commissioner
Questions raised by stakeholders on the processing of personal data concerning the state of public health emergency (PHE) and the COVID-2019 response:
On monitoring of persons entering offices/buildings
Yes, the building or office administrators may collect such personal data but only as may be necessary with what is required by the DOH.
The basis of the processing of data in this scenario is not consent. Its lawfulness rests on the mandate of the Department of Health, given the declaration of the state of public health emergency in response to the COVID-19 pandemic.
It is advisable, though, to provide a privacy notice informing the visitors of the purpose and basis of the collection of such personal data. Once collected, reasonable and appropriate safeguards must ensure the security of the forms and personal data contained therein.
The specific data elements to be collected should be coordinated with the DOH as these would depend on what the latter needs to facilitate contact tracing.
Further information is available at the DOH website: https://www.doh.gov.ph/2019-nCov/interim-guidelines, and specifically for contact tracing: https://www.doh.gov.ph/sites/default/files/health-update/DC2020-0048-Reiteration-of-DM2020-0068-Interim-Guidelines-on-Contact-Tracing-for-Confirmed-2019-nCoV-ARD-Cases.pdf
On employees; collection of personal data
Yes, employers may collect such personal data. The National Privacy Commission (NPC) reminds all employers to collect only what is necessary, observing the general data privacy principle of proportionality. Once collected, reasonable and appropriate safeguards should ensure the security of the forms and personal data contained therein.
The specific data elements to be collected should be coordinated with the DOH as these would depend on what the latter needs to facilitate contact tracing.
Further information is available at the DOH website: https://www.doh.gov.ph/2019-nCov/interim-guidelines, and specifically for contact tracing: https://www.doh.gov.ph/sites/default/files/health-update/DC2020-0048-Reiteration-of-DM2020-0068-Interim-Guidelines-on-Contact-Tracing-for-Confirmed-2019-nCoV-ARD-Cases.pdf
Disclosure of employee data in this scenario should be limited to the DOH and other appropriate government agencies and should follow all existing protocols on the matter.
Since the basis for the disclosure is not consent, then no consent form is needed. Instead, a privacy notice should be put in place informing employees of the purpose of collection.
On contact tracing; persons under investigation
Contact tracing should be done only upon the authority, guidance, and instruction of the DOH.
See the DOH Interim Guidelines on Contact Tracing, available at this link: https://www.doh.gov.ph/sites/default/files/health-update/DC2020-0048-Reiteration-of-DM2020-0068-Interim-Guidelines-on-Contact-Tracing-for-Confirmed-2019-nCoV-ARD-Cases.pdf
The company may make the necessary notices internally without disclosing the identity of the person who is COVID-19 positive. The proper authority that does contact tracing is the DOH. It follows that disclosure of the identity of the patient shall be limited to the DOH personnel only, following the PUM/PUI protocol.
Companies should only disclose such personal information as may be necessary to enable other employees to assess their health and potential exposure. Here, revealing the identity of the COVID-19 patient offers no benefit to the patient nor any advantage to other members of the company in assessing their exposure. If someone in your company tests positive, protocols and guidelines for PUMs/PUIs would apply and, generally, would cover everyone.
Announcements should come from the DOH or other appropriate government agencies. The government should only make the official announcement regarding COVID-19 cases in the country. Anyone with relevant information should immediately relay it to the DOH for proper handling.
The DOH needs to consider the following factors when assessing the disclosure of patient information to the public:
and weigh it versus:
Apart from the Data Privacy Act of 2012, there is another law relevant to this matter. RA No. 11332 or the Mandatory Reporting of Notifiable Diseases and Health Events of Public Health Concern Act penalizes non-cooperation of the persons identified as having a notifiable disease or affected by the health event of public concern.
The DOH makes the crucial call on what information is necessary for release to the public, taking into consideration the state of public health emergency and the overall strategy to contain the virus as directed by the Inter-Agency Task Force.
Yes. The DOH can provide information about the frequented locations of the persons positive for COVID-19 without giving details that would identify individuals.
*** *** ***
Personal information controllers are advised to approach any uncertainty as to the collection and disclosure of personal data of PUIs, PUMs, and confirmed cases of COVID-19 in a reasonable manner.
We trust that all shall be socially responsible. False information about COVID-19 may create more problems. Please refrain from sharing unverified reports and fake news to avoid undue stress and worry due to misinformation.
Finally, we emphasize that the DOH is the primary competent authority handling our country’s response to COVID-19. We support our health department, the Inter-Agency Task Force for the Management of Emerging Infectious Disease, health front liners, emergency responders, law enforcement officers, and other persons undertaking our country’s response and measures to curtail and eliminate the COVID-19 threat.
For questions or concerns, you may visit our website at https://www.privacy.gov.ph/ and may reach us at [email protected].
###