NPC looks into reports of COVID-19 privacy violation incidents

National Privacy Commission (NPC) received reports of identity or personal information breaches involving suspect, probable, and confirmed patients of COVID-19. The highly contagious disease, which is known to have originated in Wuhan, China, has claimed lives and affected millions across the world.

Some people — patients and frontliners — have been discriminated against for fear of contagion. This is just one of the reasons, the Philippines’ data privacy watchdog has been persistently reminding institutions and authorities to protect patients’ sensitive personal information.

“The NPC is now looking into said breach incidents, in accordance with our internal procedures and in collaboration with concerned Personal Information Controllers (PICs), for remediation and other purposes within the bounds of the Data Privacy Act of 2012,” said Privacy Commissioner Raymund Liboro in a statement.

NPC says COVID-19 apps must be transparent in data collection

NPC warns ‘social vigilantes’ for threats against medical frontliners

The Commissioner also urged Data Protection Officers (DPOs) “to strengthen the protection of patient data” adding that “fostering mutual trust and protection between patients, health institutions and authorities is crucial in dealing with the COVID-19 pandemic.”

The NPC shared some of the organizational, physical, and technical security measures that health institutions and their staff may enforce to protect patient data against unauthorized disclosure:

1. Regularly remind officials and employees of their ethical and legal duty to protect patient data. This reminder may come in the form of strategically located posters or print outs informing every one of their responsibility to protect the confidentiality, integrity and availability of patient data, which they have been entrusted with. Health institutions may want to emphasize that unauthorized disclosure is a prohibited act, both under Republic Act No. 11332 or the Mandatory Reporting of Notifiable Diseases and Health Events of Public Health Concern Act, and the Data Privacy Act of 2012. They should ensure that non-disclosure agreements and related contracts are in place and enforced.

2. Establish access control for patient data based on least privileges. Only provide access on a “need-to-know” basis. This means that health personnel are allowed only the minimum and necessary access to enable the performance of their functions.

3. Equip facilities with physical access controls. Protect physical access to facilities through locks and alarms. This is to ensure that only authorized personnel have access to facilities that house the systems and the data. At the same time, keep documents containing patient data in locked cabinets or secure rooms when not in use.

4. Only disclose patient data to proper authorities and in appropriate areas. Refrain from discussing patient data in public areas where unauthorized parties may pick up personal data, unless when providing treatment under compelling circumstances. In addition, when discussing over the phone, confirm the identity of the person first and check whether he or she is authorized to receive such information.

5. Protect the computer display from unauthorized or accidental viewing. Prevent the accidental viewing and disclosure of data through the use of privacy screens. If a privacy screen is not readily available or practical, place computer monitors inside secluded cubicles or angle them in such way that minimizes the chance of any unauthorized or accidental viewing by unauthorized individuals. Computers must be locked with a password whenever the authorized user leaves the workstation.

6. Lock storage media away when not in use. If the use of portable storage media (such as USB flash drives or external hard drives), to store patient data is unavoidable, ensure that the files are encrypted and password protected. Also, make sure they are kept secure in your person when working in public places and not left absentmindedly on desks, counters, in conference rooms, and other common areas where it may be accessed by unauthorized individuals.

7. Ensure that patient data are encrypted, both in-transit and at rest. Electronic copies of patient data must be protected in the same extent that physical files and storage media containing patient data are secured. Encrypting patient data both in-transit and at rest ensures that the files are locked and only accessible to authorized persons.

8. Communicate securely. Choose a secure platform for care team collaboration and patient communication. For further protection, ensure that the documents are encrypted with a password of sufficient strength. The password must be sent via a separate channel like SMS/text. It is likewise advised that apart from setting a strong password, a second-factor authenticator may be used whenever logging into accounts.