Data protection in times of Emergency

The National Privacy Commission recognizes the extraordinary challenges our nation is facing due to this unfamiliar global pandemic. We all share the same concern and the urgent need to contain the spread of the virus. To win this battle against COVID- 19, trusted and verified information is vital. Thus, during this time, it is not only the “misuse” of data that concerns us but also the “missed” use that could have made a difference in containing the disease.

Data protection and privacy should not hinder the government from collecting, using, and sharing personal information during this time of public health emergency. Neither does the law limit public health authorities from using available technology and databases to stop the spread of the virus. The principles contained in the law allow the use of data to treat patients, prevent imminent threats, and protect the country’s public health and still provide the level of protection the citizens expect. The Data Privacy Act of 2012 is an enabler in critical times like this.

We will continue issuing guidance to support our health practitioners and government units to properly and effectively use personal data to ensure the safety and security of everyone. For our front-liners: “To be able to communicate directly with the public, the medical and scientific community, and other government bodies. To coordinate nationally and globally”.

The following FAQs have been collated by our NPC staff to answer questions raised by government agencies, private companies, and the public. We will try our best to continue to respond to your queries in the days ahead.

The direction is lawful and straightforward. COLLECT WHAT IS NECESSARY. DISCLOSE ONLY TO THE PROPER AUTHORITY.

The power of data in responding to this global public health emergency cannot be overstated. The NPC is fully ready to help facilitate the safe and rapid flow of data to fight COVID-19

RAYMUND ENRIQUEZ LIBORO
Privacy Commissioner

FAQs

Questions raised by stakeholders on the processing of personal data concerning the state of public health emergency (PHE) and the COVID-2019 response:

On monitoring of persons entering offices/buildings

1. Can we collect the details (name, contact details, and travel history) of all persons who will be entering our building through a form as may be required by a Department of Health (DOH) circular?

Yes, the building or office administrators may collect such personal data but only as may be necessary with what is required by the DOH.

2. Will the mere filling out and signing of such form amount to the consent required by the Data Privacy Act of 2012 (DPA)?

The basis of the processing of data in this scenario is not consent. Its lawfulness rests on the mandate of the Department of Health, given the declaration of the state of public health emergency in response to the COVID-19 pandemic.

It is advisable, though, to provide a privacy notice informing the visitors of the purpose and basis of the collection of such personal data. Once collected, reasonable and appropriate safeguards must ensure the security of the forms and personal data contained therein.

3. What are the specific data elements that we should collect from guests/visitors?

The specific data elements to be collected should be coordinated with the DOH as these would depend on what the latter needs to facilitate contact tracing.

Further information is available at the DOH website: https://www.doh.gov.ph/2019-nCov/interim-guidelines, and specifically for contact tracing: https://www.doh.gov.ph/sites/default/files/health-update/DC2020-0048-Reiteration-of-DM2020-0068-Interim-Guidelines-on-Contact-Tracing-for-Confirmed-2019-nCoV-ARD-Cases.pdf




On employees; collection of personal data

4. Can an employer ask its employees to submit declaration forms that provide personal data – for instance, whether they have traveled to or been in close contact with persons who have gone to regions affected by COVID-19, whether they are experiencing symptoms, etc.?

Yes, employers may collect such personal data. The National Privacy Commission (NPC) reminds all employers to collect what is only necessary, observing the general data privacy principle of proportionality. Once collected, reasonable and appropriate safeguards should ensure the security of the forms and personal data contained therein.

5. What are the specific data elements that an employer should collect?

The specific data elements to be collected should be coordinated with the DOH as these would depend on what the latter needs to facilitate contact tracing.

Further information is available at the DOH website: https://www.doh.gov.ph/2019-nCov/interim-guidelines, and specifically for contact tracing: https://www.doh.gov.ph/sites/default/files/health-update/DC2020-0048-Reiteration-of-DM2020-0068-Interim-Guidelines-on-Contact-Tracing-for-Confirmed-2019-nCoV-ARD-Cases.pdf

6. Can the employer disclose the personal data collected from employees to third parties?

Disclosure of employee data in this scenario should be limited to the DOH and other appropriate government agencies and following all existing protocols on the matter.

7. Should we ask our employees to sign a consent form or waiver that their information will be shared with the DOH if needed or requested?

Since the basis for the disclosure is not consent, then no consent form is needed. Instead, a privacy notice should be put in place informing employees of the purpose of collection.




On contact tracing; persons under investigation

8. Does an employer need to ask for the consent of an employee who is a person under investigation (PUI) for COVID-19 when disclosing the PUI’s data to the person/s that such PUI have had contact with during the time of suspected infection?

Contact tracing should be done only upon the authority, guidance, and instruction of the DOH.

See the DOH Interim Guidelines on Contact Tracing available here at this link: https://www.doh.gov.ph/sites/default/files/health-update/DC2020-0048-Reiteration-of-DM2020-0068-Interim-Guidelines-on-Contact-Tracing-for-Confirmed-2019-nCoV-ARD-Cases.pdf

9. If a PUI has been proven positive of the COVID-19, can I freely disclose the identity to everyone within the company? The purpose is to inform those who may have had contact with the person so they can be tested and monitored as well

The company may make the necessary notices internally without disclosing the identity of the person who is COVID-19 positive. The proper authority that does contact tracing is the DOH. It follows that disclosure of the identity of the patient shall be limited to the DOH personnel only, following the PUM/PUI protocol.

Companies should only disclose such personal information as may be necessary to enable other employees to assess their health and potential exposure. Here, revealing the identity of the COVID-19 patient offers no benefit to the patient nor any advantage to other members of the company in assessing their exposure. If someone in your company tests positive, protocols, and guidelines for PUMs/PUIs would apply and, generally, would cover everyone.

10. Can our company issue a press release or statement relating to our employee, who is a confirmed case for COVID-19?

Announcements should come from the DOH or other appropriate government agencies. The government should only make the official announcement regarding COVID-19 cases in the country. Anyone with relevant information should immediately relay it to the DOH for proper handling.

11. Can the DOH release names of PUIs that are purposely evading or escaping mandatory quarantine, as well as those who deliberately lied about their medical and travel history to protect the public and apprise them of the possible threat of contamination?

The DOH needs to consider the following factors when assessing the disclosure of patient information to the public:

• The potential harm or distress to the patient arising from the disclosure
• The potential damage to trust in doctors and health institutions in general

and weigh it versus:

• The potential harm to the public if the information is not disclosed.
• The potential benefits to individuals and society arising from the release of information.



Apart from the Data Privacy Act of 2012, there is another law relevant to this matter. RA No. 11332 or the Mandatory Reporting of Notifiable Diseases and Health Events of Public Health Concern Act penalizes non-cooperation of the persons identified as having a notifiable disease or affected by the health event of public concern.

The DOH makes the crucial call on what information is necessary for release to the public, taking into consideration the state of public health emergency and the overall strategy to contain the virus as directed by the Inter-Agency Task Force.

12. Can the DOH publicly disclose more detailed information of the frequented locations of the persons positive for COVID-19 to inform the public better and help prevent the transmission of the virus?

Yes. The DOH can provide information about the frequented locations of the persons positive for COVID-19 without giving details that would identify individuals.

*** *** ***

Personal information controllers are advised to approach any uncertainty as to the collection and disclosure of personal data of PUIs, PUMs, and confirmed cases of COVID-19 in a reasonable manner.

We trust that all shall be socially responsible. False information about COVID-19 may create more problems. Please refrain from sharing unverified reports and fake news to avoid undue stress and worry due to misinformation.

Finally, we emphasize that the DOH is the primary competent authority handling our country’s response to the COVID-19. We support our health department, the Inter-Agency Task Force for the Management of Emerging Infectious Disease, health front liners, emergency responders, law enforcement officers, and other persons undertaking our country’s response and measures to curtail and eliminate the COVID-19 threat.

For questions or concerns, you may visit our website at https://www.privacy.gov.ph/ and may reach us at [email protected].

###