There is an appeal asking the persons who are PUM/PUI/Covid19+ to make voluntary disclosure of their identities.
It is our opinion that this can be done considering that under the Data Privacy Act (DPA), consent is one of the criteria to lawfully process a personal data. Consent is also one of criteria where data sharing shall be allowed.
In case of data sharing, if the data subject consents to it, there are conditions provided for by the DPA that should be complied with prior to collection or before data is shared
The disclosure of patient’s information is not a one way ticket to unlimited access. There are requirements that should be observed and most of it provides for the obligations of the recipient of the data.
The DPA provides that it is important that the data subject shall be provided with the following information prior to collection or before data is shared:
(a) Identity of the personal information controllers or personal information processors that will be given access to the personal data;
– it is important to provide the patient with the details of the persons/organizations who will be given access to his data. Thus, if we want to have access to the data of the patient, we also have to disclose our identity to the patient. This will ensure that only those who has the need to know will be given access to the patient’s personal data.
(b) Purpose of data sharing;
– the patient must be made aware of the legitimate purpose prior to collection/sharing of his personal data. He/she who wants to have access to the data must present a valid reason for him to be given such access. Use of data will be limited only to the declared purpose.
(c) Categories of personal data concerned;
– the patient shall be apprised as to what type of data is necessary for collection/data sharing. As much as possible, data shall be minimized and shall be relevant to the stated purpose.
(d) Intended recipients or categories of recipients of the personal data;
– the PIC/PIP must disclose to the patient the recipients of his personal data. This is to ensure that the data will be shared only to those identified recipients.
(e) Existence of the rights of data subjects, including the right to access and correction, and the right to object;
– the patient shall be made aware of his rights under the DPA which the rights to be informed, to object, to access, to rectification, to erasure or blocking, to damages, to file a complaint and to data portability. This rights will be not be waived by reason of the data sharing. The recipients are therefore obliged to respect these privacy rights of the patient.
(f) Other information that would sufficiently notify the data subject of the nature and extent of data sharing and the manner of processing.
All told, the patient can give his consent to the processing and sharing of his personal data. Once consent is given, there are corresponding responsibilities that should be undertaken by the recipient of the data shared.
As for data sharing, without such consent, without authority under the law or, or if not authorized by DOH, as discussed in our previous post, disclosure of the information will be violative of RA 10173 and RA 11332.