The National Privacy Commission (NPC) received concerns on the collection of vaccination information by the local government units (LGUs), specifically the barangays, as directed by the Department of the Interior and Local Government (DILG).
We understand from various news reports and media interviews that the DILG ordered barangays to submit their respective lists of unvaccinated residents through a Memorandum Circular (copy of which is not yet available at the DILG website as of this writing). To do this, the DILG mentioned in the interviews that the LGUs will be required to conduct a survey within their localities and gather information on residents who have yet to be vaccinated, which may be done through house-to-house interviews and will require the presentation of residents’ vaccine cards and valid IDs.
The NPC recognizes that this personal data processing activity is still pursuant to the government’s pandemic response, specifically on the current need to have accurate data of unvaccinated residents in relation to the initiative to further encourage everyone eligible to be vaccinated against COVID-19 and to promote vaccine booster uptake. As such, we emphasize that this processing activity is not based on the consent of the data subjects; rather, the same is based on the applicable laws, rules, and regulations governing the DILG and the various LGUs in relation to their critical responsibilities during this ongoing public health emergency.
With this, we remind the DILG and all LGUs of their obligations under the Data Privacy Act of 2012 (DPA) as personal information controllers (PICs).
PICs should not collect any unnecessary personal data from the residents, in keeping with the principle of proportionality. Only those personal data which are relevant to the purpose of having an accurate inventory of unvaccinated residents should be collected, in relation to the recent directives of the government to regulate mobility of unvaccinated persons.
These lists of vaccinated and unvaccinated individuals, including those who already received booster shots, contain sensitive personal information which shall be processed only for the declared and specified purpose as mentioned above, in line with the response to the public health emergency.
These lists shall not be further processed for any incompatible purpose. Further processing is incompatible when:
- It would be very different from the original purpose of responding to public health emergencies as part of public health measures or there is no clear and reasonable link between such original purpose and the purposes of the intended further processing;
- It would result in an unjustified consequence on the rights and freedoms of the individual;
- It would not be reasonably expected by the individual considering the context in which the personal data has been collected.
Processing for unauthorized purpose/s is punishable with imprisonment of up to seven years and a fine of up to two million pesos under the DPA.
The DILG and the LGUs shall implement safeguards to protect these lists against accidental, unauthorized, or otherwise unlawful use or access. The following and other similar actions are prohibited:
- unauthorized copying and distribution of the lists;
- posting of the lists, whether physically or online;
- taking photos of the same;
- live streaming the actual collection of information done by the barangay personnel.
This information should only be accessible and disclosed to specific authorized persons. Such authority should be documented either in an official written policy or written authority identifying them by name or by their position or designation. Any unauthorized disclosure shall be punishable under the DPA and other applicable laws.
Submissions of these lists to the authorized recipients identified by the DILG, whether through paper-based or electronic systems, should be done in a secure manner:
- In the case of transmission by mail, courier, or hand carried by LGU personnel to the DILG – sealed envelopes should be used, no sensitive personal information should be visible through the envelope window, where applicable, and the envelopes should be marked “confidential”, among others;
- For electronic transmissions – encryption using the Advanced Encryption Standard with a key size of 256 bits (AES-256) and passwords for access should be implemented, among others.
LGUs shall keep records of all submissions/transmittals for reportorial requirements. All involved PICs shall be held accountable for the processing of personal data on these lists.
For transparency, the DILG and/or the LGUs should prepare a privacy notice specific to this processing activity which they should provide to the residents during the interview and post on their official websites or social media platforms. It is recommended that the privacy notice be translated to either Filipino or another language or dialect so that it will be better understood by the data subjects in the locality. The privacy notice should sufficiently inform the residents of the details of the processing of their vaccination status, their rights as data subjects, among other necessary information.
Any public official or employee found guilty of a violation of the DPA shall, in addition to the imprisonment and fine, suffer an accessory penalty consisting of disqualification to occupy public office for a term double the term of criminal penalty imposed.
We maintain that privacy rights and public health requirements are not in conflict with each other. The rights and principles of data privacy are fully compatible with the tasks necessary to address the pandemic.
For any data privacy concerns, we may be reached at [email protected].
*** *** ***