June 23, 2018, 10:18 am
Facebook iconTwitter iconYouTube iconGoogle+ icon

Privacy Commission cautions DOH on Dengvaxia master list

THE National Privacy Commission (NPC) has advised the Department of Health (DOH) to be circumspect in sharing sensitive personal information of individuals, saying it should only do so if it deems that such sharing or disclosure is authorized under law, adheres to data privacy principles, and there are reasonable and appropriate security measures in place to protect the data.

In an advisory opinion dated 26 February 2018 issued in response to the formal request made by the DOH, Privacy Commissioner Raymund Enriquez Liboro said the disclosure to another government agency or private entity of a copy of the DOH master list of individuals vaccinated with Dengvaxia must be “provided for by existing laws and regulations or a data subject has given his or her consent.”

“We emphasize that the government is one of the biggest repositories of the personal data of citizens. The government or its agencies, however, do not have the blanket authority to access or use the information about private individuals under the custody of another agency,” Liboro said.

The DOH Dengvaxia master list has recently been subject of access requests coming from the Public Attorney’s Office (PAO), some private organizations, and members of the media. The information contained in the list is considered as sensitive personal information, and relates to minors, which the NPC identifies as a vulnerable group of data subjects.

In the advisory opinion, Liboro said personal data provided to government or public authorities may be processed without consent when it is done pursuant to the particular agency’s constitutional or statutory mandate, and subject to the requirements of the Data Privacy Act of 2012 (DPA).

 In the case of the request by the PAO to obtain the DOH master list, this general rule does not apply. The agency, however, may be allowed access to the data of the specific victims it represents as their duly authorized legal counsel.

“Should the PAO be authorized as the legal representative of the minor data subjects, they may then be provided information on the particular data subject they are representing, subject to the presentation of proof of such authorization,” Liboro said.    

 As to the request of media and other private organizations, Liboro said the disclosure of statistical or aggregated data, without any personal or sensitive personal information, should suffice. Otherwise, the release of a copy of the master list in its raw version would be tantamount to an unwarranted invasion of personal privacy.

In related news, the NPC also reiterates the deadline for the submission of requirements to for Phases 1 and NPC also reiterated that Phase 2 of the registration process, which is the registration of personal data processing systems of personal information controllers and processors operating in the Philippines, is due on March 8, 2018. The deadline to register Data Protection Officers (DPOs) with the NPC, constituting the Phase 1 of the registration process, was last September 9, 2017 but this was also extended to the March 8 deadline.
No votes yet

Column of the Day

Unbridled brazenness

DODY LACUNA's picture
By DODY LACUNA | June 22,2018
‘Outrage over the killing of priests today in our country will persist and, if real justice is not served soon will, in all probability, combine for a growing social and political unrest with a polarized Church.’

Opinion of the Day

Tough days ahead

Jose Bayani Baylon's picture
By JOSE BAYANI BAYLON | June 22, 2018
‘It’s high stakes and tightrope walking that also means that a small miscalculation could upend everything.’