Data Privacy

Data Privacy Rights Remain Despite COVID-19 Crisis

Even in times of calamity or a state of a public health emergency, rules on patient privacy, the confidentiality of health records, and data subjects’ privacy rights remain in effect. There is no need to relax the Data Privacy Act since Republic Act No. 11332 (An Act Providing Policies and Prescribing Procedures on Surveillance and Response to Notifiable Diseases, Epidemics, and Health Events of Public Health Concern) already requires patients of infectious diseases to disclose personal information, and the Department of Health to share said information under certain conditions.

Thus, authorities and institutions should collect only what is necessary and share information only to the proper authority:

On providing financial aid and other relief packages to those affected by the enhanced community quarantine:

  • All government offices, including local government units, should collect only the necessary personal details, such as those required according to usual accounting, auditing, and budgeting rules and regulations when disbursing public funds under other applicable laws and regulations.
  • Employers are not required to obtain consent from affected workers when submitting requirements to government regulatory agencies mandated to distribute aid to said workers.

On disclosure by patient of personal data to the general public:

  • If a COVID-19 patient (whether classified as confirmed, probable or suspect) would want to disclose his/her personal and health information to the public, that is his/her personal choice.
  • Law requires that patient’s consent to public disclosure is freely given, such that any pressure or compulsion would contradict the voluntariness of the act. Patients should be made aware of the risks that may arise from the disclosure, including the risk of being subjected to violent physical attacks, discrimination and harassment.

On protecting patient data in health institutions:

  • Health workers’ access to patient information should be on a “need-to-know” basis. This means that they are allowed only the minimum and necessary access to enable the performance of their functions.
  • Health workers should only disclose patient information to proper authorities and in appropriate areas. Health workers should thus refrain from discussing patient data in public areas where unauthorized parties may pick up personal data, unless when providing treatment under compelling circumstances.
  • Health institutions should ensure that adequate security measures are in place. Facilities should thus be equipped access controls such as locks and alarms, and encryption and password protection.

Patients and data subjects will only fully and truthfully disclose the needed information to authorities if they feel assured that the information will be properly used for treatment, relief distribution, disease surveillance and response, and will be protected against any type of misuse, such as unauthorized disclosure, which has proven to result in stigma-driven physical assaults, harassments, and acts of discrimination.

In this light, protection of privacy rights, especially during the state of a public health emergency, is thus tantamount to protecting lives.

Click to read entire text of the following issuances:

This updates the previous article "Data Collection and Disclosure Amid COVID-19 Public Health Emergency."

Disclaimer: The information in this website is provided for general informational purposes only. No information contained in this post should be construed as legal advice from Platon Martinez or the individual author, nor is it intended to be a substitute for legal counsel on any subject matter. No reader of this post should act or refrain from acting on the basis of any information included in, or accessible through this post without seeking the appropriate legal or other professional advice on the particular facts and circumstances.