Privacy Commissioner Raymund E. Liboro.

NPC: Data Privacy Act is not a hindrance to contact tracing

The Philippines’ National Privacy Commission (NPC) released its (indirect) response to the claims of Interior Secretary Eduardo Año in an Inquirer report that the country’s Data Privacy Act (DPA) is an obstacle in efforts of contact tracing. In a radio interview, Año was quoted as saying that because the Act “Full information cannot be disclosed.”

“The DPA should not be used as an excuse for not providing COVID patient data necessary for LGU contact tracing that we need to combat the pandemic,” said Privacy Commissioner Raymund Liboro. “Likewise, we call on the individuals affected by COVID to be truthful when providing accurate health information.”

Liboro noted that hospitals were mandated to collect information from patients and provide it to the authorities under the guidelines set by the Department of Health (DOH).

NPC works with DOH on COVID-19 contact tracing, issues privacy guidelines

PH privacy commission reminds gov’t of COVID-19 patients’ privacy

“We want to clarify that the DPA does not prevent hospitals from sharing a COVID-19 patient’s data to proper authorities,” said Liboro. “The law recognizes the guidelines set by DOH on contact tracing procedures that hospitals, LGUs, and contact tracers must follow. In this pandemic, public health and data privacy are on the same side.”

In the past months, before and during the government-imposed lockdowns, the NPC has consistently provided guidelines on the treatment of patient data. (See related posts.)

In its Updated Guidelines on Contact Tracing of Close Contacts of Confirmed Coronavirus Disease Cases, the NPC highlights that “health facilities, public and private, shall cooperate fully with the DOH-Epidemiology Bureau and its regional and local counterparts by ensuring that Local Contact Tracing Teams (LCTTs) are provided access to medical records, facilitating case interviews, and conducting other case investigation and contact tracing activities.”

It consistently reminded institutions that when providing training to LCTTS, local government units must include the secure handling of personal data that was collected.

Liboro emphasized that public and private health institutions, companies, and individuals involved in the COVID response must “collect and process what is necessary and disclose data only to the proper authorities.”

The DOH and NPC, however, advise against publicly naming data subjects suspected of having contracted COVID-19 or confirmed positive for the disease connected with contact tracing efforts.

“Publicly naming an infected individual is equivalent to putting a person’s life at risk, given the physical assaults and discrimination which suspected or confirmed individuals had experienced. Fearing possible harassment and stigma, people may hide their true conditions, leading to lost opportunities in tracking the disease and contact tracing. The policy is counterproductive, will not result in better contact tracing, and will put more lives of front liners at risk,” Liboro said.

The latest NPC advisory opinion on contact tracing reiterated that collection and processing of data must be fully aware of the principles laid out by the DPA and that secure disposal of personal data from records, whether manually or digitally obtained, must be done once the purpose of their collection had been achieved.

“Again, the DPA is not a hindrance to contact tracing efforts and the guidance it provides is necessary, especially in these unfamiliar times, to preserve the basic right of people to data privacy and protection, and build trust,” Liboro said.