top of page

Public Disclosure is just a misnomer: How to Contact Trace without Violating Data Privacy?

By Amado “Jun” Malacaman, Jr.

Is contact tracing really possible without revising the Data Privacy Act of 2012?

Under this coronavirus pandemic, the Department of Health (DOH) is required to initiate contact tracing when a person reports positive for infection from the coronavirus. That means asking for personal information about other persons, that the infected person may have been in contact with in the past 5 or 6 days. The purpose is to locate as many of these possible infected persons so that they may be isolated or quarantined soonest. Contact tracing is a must if we are to slow down the spread of the virus.

Giving out or sharing personal information of other people without their permission is however a violation of the data privacy law. But there are applicable exceptions:

Sharing or disclosing personal information, under the current situation is allowed, without the need for permission or consent from the subject individual if: sharing such personal information is to protect one’s life or the lives of other persons, or if personal data is provided to government or public authority pursuant to a constitutional or statutory mandate. So, consent for contact training purposes is not needed.

The Ensuing Dilemna

As a result of the national emergency and with people’s health and safety at risk, the IATF, under Resolution 22 is allowing the “mandatory public disclosure of personal information relating to positive Covid-19 cases to enhance the contact-tracing efforts of the government.”

Prior to Resolution 22, dated April 8, 2020, the DOH did not have a clear and firm guideline on the release of personal information due to the data privacy law. Ergo, the need for an explicit mandate.

But how clear and resolute is the instruction “mandatory public disclosure…” in terms of complying with the data privacy law? And can the data privacy law still be violated under this open-ended “public disclosure” notice?

The answer is yes. On three accounts:

1. Personal information may be disclosed to or shared with legitimate and authorized personnel only. The word “public” in this IATF mandate should be construed as authorized personnel only. In the case of contact tracing under this pandemic situation, this would mean personnel authorized only by the OCD or Office of Civil Defense, since by way of Resolution 22, the OCD has been appointed to “lead the contact-tracing efforts of the government.” Public disclosure will not be needed anyway, as only authorized contact tracing personnel should have access to and legitimate use of personal data entrusted in their care.

2. The collection, processing, sharing and disposal of the personal information shall be in accordance with the privacy principles of Transparency, Legitimate Purpose, and Proportionality. This means “disclosure” is not in itself an executable action by and of the OCD authorized personnel as yet. There is a need still, for all “authorized” personnel to be fully trained on these privacy principles and ensure that these are strictly complied with when conducting their contact tracing activities. The data privacy law requires that all persons authorized to collect, process, share, dispose, or safeguard personal data, shall be fully trained in the proper conduct of protecting and ensuring the confidentiality, integrity, and availability of the personal data in their care.

It is for this reason that in the same Resolution 22, the DOH and the OCD have been “directed to enter into a data-sharing agreement (DSA) in accordance with Republic Act No. 10173 or the Data Privacy Act.” This DSA assures the data subjects or the COVID-19 patients and those whose names are in the contact lists that their personal data privacy are continually protected against unscrupulous or unauthorized use while under custody and care of the OCD and DOH contact tracing personnel. Contact tracers are employed to protect the health and life of COVID-19 would