DATA PRIVACY ACT is not a hindrance in contact tracing

August 11, 2020 | 5:10 PM GMT+0800 Last Edit: August 12, 2020

  • Hospitals have the duty to disclose the necessary COVID patient details to LGU contact tracers following the DOH guidelines.
  • COVID patients should be truthful in providing accurate personal details.
  • In this pandemic, public health and data privacy are on the same side.

The National Privacy Commission (NPC) reiterates that the Data Privacy Act (DPA) is not a hindrance to contact tracing initiatives, saying that it seeks to protect individuals from discrimination, harassment, and acts of social vigilantism amid the COVID-19 pandemic.

“We want to clarify that the DPA does not prevent hospitals from sharing a COVID-19 patient’s data to proper authorities. The law recognizes the guidelines set by DOH on contact tracing procedures that hospitals, LGUs, and contact tracers must follow. In this pandemic, public health and data privacy are on the same side,” Privacy Commissioner Raymund E. Liboro said.

“The DPA should not be used as an excuse for not providing COVID patient data necessary for LGU contact tracing that we need to combat the pandemic,” Liboro noted that hospitals were mandated to collect information from patients and provide it to the authorities under the guidelines set by the Department of Health (DOH). “Likewise, we call on the individuals affected by COVID to be truthful when providing accurate health information,” he added.

Department Memorandum 2020 – 0189 of the DOH, or the Updated Guidelines on Contact Tracing of Close Contacts of Confirmed Coronavirus Disease Cases, says that “health facilities, public and private, shall cooperate fully with the DOH – Epidemiology Bureau and its regional and local counterparts by ensuring that Local Contact Tracing Teams (LCTTs) are provided access to medical records, facilitating case interviews, and conducting other case investigation and contact tracing activities.” When providing training to LCTTS, local government units must include the secure handling of personal data that was collected.

Liboro emphasized that public and private health institutions, companies, and individuals involved in the COVID response must “collect and process what is necessary and disclose data only to the proper authorities.”

“The NPC has provided public health emergency bulletins, advisory opinions as guidance for personal information controllers, especially healthcare providers. Our Commission has been coordinating closely with the Department of Health to ensure that the DPA will not be an obstruction in the proper conduct of contact tracing,” the NPC chief said.

In Advisory Opinion 2020 – 022, a response to the request of the Private Hospitals Association of the Philippines, Inc. for clarification of contact tracing protocols, the Commission cited as bases DOH’s Updated Guidelines on Contact Tracing, which limits the disclosure of COVID-19 personal data, and the DOH-NPC Joint Memorandum Circular (JMC) on the Privacy Guidelines on the Processing and Disclosure of COVID-19 Related Data for Disease Surveillance and Response.

The guidelines provide that disclosure of patient identifiers or data is allowed but limited only to authorized entities, officers, and personnel.

Any disclosure must serve “a public purpose or function” that would allow relevant authorities to reach those who may have come into close contact with a COVID-19 positive individual so they may be promptly alerted and provided preventive counseling or care.

The guidelines prohibit disclosure of names and other personal identifiers that can single out a patient to the public, the media, or any other public-facing platforms without the patient’s written consent or his/her authorized representative or next of kin.

Risks of publicly naming infected individuals

The DOH and NPC advise against publicly naming data subjects suspected of having contracted COVID-19 or confirmed positive for the disease connected with contact tracing efforts.

“Publicly naming an infected individual is equivalent to putting a person’s life at risk, given the physical assaults and discrimination which suspected or confirmed individuals had experienced. Fearing possible harassment and stigma, people may hide their true conditions, leading to lost opportunities in tracking the disease and contact tracing. The policy is counterproductive, will not result to better contact tracing, and will put more lives of front liners at risk,” Liboro said.

The latest NPC advisory opinion on contact tracing reiterated that collection and processing of data must be fully aware of the principles laid out by the DPA and that secure disposal of personal data from records, whether manually or digitally obtained, must be done once the purpose of their collection had been achieved.

Liboro also reasserted the points in NPC Bulletin No. 3 issued in March.

“Again, the DPA is not a hindrance to contact tracing efforts and the guidance it provides is necessary, especially in these unfamiliar times, to preserve the basic right of people to data privacy and protection, and build trust,” he said.

# # #