Recently, messages and social media posts have been circulating containing the alleged list and photos of some of the patients who were infected by covid19. And there were even clamors among the public to disclose all information of all those who were infected by the virus for public safety and health reasons.
How shall we treat the information of covid19 patients? Can these information be disclosed? Who shall have access to the information of Covid19 patients?
In the Philippines, it is important for us to understand the relevant laws on privacy the regulate the disclosure of personal data of individuals.
TYPES OF PERSONAL DATA
Under the Data Privacy Act of 2012 (RA 10173), there are three types of personal data namely, (1) personal information; (2) sensitive personal information; and (3) privileged personal information.
Personal information refers to those information from which the identity of an individual is apparent or can reasonably be ascertained. Examples of which are the name and photo of an individual.
Sensitive personal information refers to those information which from their nature can be used to profile an individual and can post a risk/harm to individual once it is disclosed. Examples of which are the individual’s health and those classified by law as confidential.
Privileged personal information refers to those communications about an individual which under the rules of court are considered confidential. Example of which is information shared between a doctor and his patients.
CLASSIFICATION OF INFORMATION OF COVID19 PATIENTS
Now, let us classify the data contained in the list/photos of patients infected with covid19.
Considering that the identity of the persons contained in the list and the photos is apparent, we can classify those data as personal information.
As for the condition of the patients indicating that they are infected with covid19, since it refers to an individual’s health, it is classified as sensitive personal information.
DISCLOSURE OF PERSONAL DATA
It is our opinion that with regard to disclosure of personal data, on top of the criteria for lawful processing of personal data, the more applicable and relevant rule would be the provisions which are specific to data sharing.
“Data sharing” is the disclosure or transfer to a third party of personal data under the custody of a personal information controller or personal information processor. In the case of the latter, such disclosure or transfer must have been upon the instructions of the personal information controller concerned.
The Data Privacy Act and its IRR provide that, as regards data sharing, further processing of personal data collected from a party other than the data subject (individual whose personal data is being processed) shall be allowed under any of the following conditions:
a. Data sharing shall be allowed when it is expressly authorized by law: Provided, that there are adequate safeguards for data privacy and security, and processing adheres to principle of transparency, legitimate purpose and proportionality.
b. Data Sharing shall be allowed in the private sector if the data subject consents to data sharing. In this case, it is important that the data subject shall be provided with the following information prior to collection or before data is shared:
(a) Identity of the personal information controllers or personal information processors that will be given access to the personal data;
(b) Purpose of data sharing;
(c) Categories of personal data concerned;
(d) Intended recipients or categories of recipients of the personal data;
(e) Existence of the rights of data subjects, including the right to access and correction, and the right to object;
(f) Other information that would sufficiently notify the data subject of the nature and extent of data sharing and the manner of processing.
c. Data collected from parties other than the data subject for purpose of research shall be allowed when the personal data is publicly available, or has the consent of the data subject for purpose of research.
d. Data sharing between government agencies for the purpose of a public function or provision of a public service shall be covered a data sharing agreement.
VIOLATION OF DATA PRIVACY ACT
Based from the above requirements, it is our opinion that the disclosure of the personal data of the patients of covid19 to the public violates the requirements of data sharing under the Data Privacy Act.
First, the sharing of the personal data of patients of covid19 is not authorized by law. In fact, under RA 11332, unauthorized disclosure of private and confidential information pertaining to a patient’s medical condition or treatment is prohibited. Further, when the list and the photos were circulated online, there were no adequate safeguards for data privacy and security, and there were no clear indication that the processing adheres to principles of transparency, legitimate purpose and proportionality.
Second, the consent of the data subjects were not secured prior to data sharing. The patients identified were not even apprised as to the identity of the persons who will share their data.
Third, the data shared is a private and confidential information which is not yet made publicly available by the DOH. It is clear from RA 11332 that data collection, analysis, and the dissemination of information from official disease surveillance and response systems can only be done by authorized personnel from the DOH and its local counterparts.
In sum, considering the sensitivity of the health condition of the patients of covid19, the public should therefore exercise precaution in sharing these personal data absent any conditions allowed by law for data sharing.