By Amado “Jun” Malacaman, Jr.
Is contact tracing really possible without revising the Data Privacy Act of 2012?
During this coronavirus pandemic, the Department of Health (DOH) is required to initiate contact tracing when a person reports positive for infection from the coronavirus. That means asking for personal information about other persons whom the infected person may have been in contact with in the past 5 or 6 days. The purpose is to locate as many of these possibly infected persons as possible so that they may be isolated or quarantined at the soonest. Contact tracing is a must if we are to slow down the spread of the virus.
Giving out or sharing the personal information of other people without their permission is, however, a violation of the data privacy law. But there are applicable exceptions:
Under the current situation, sharing or disclosing personal information is allowed without the need for permission or consent from the subject individual if sharing such personal information is to protect one’s life or the lives of other persons, or if personal data is provided to a government or public authority pursuant to a constitutional or statutory mandate. So, consent for contact tracing purposes is not needed.
The Ensuing Dilemma
As a result of the national emergency, and with people’s health and safety at risk, the IATF, under Resolution 22, is allowing the “mandatory public disclosure of personal information relating to positive Covid-19 cases to enhance the contact-tracing efforts of the government.”
Prior to Resolution 22, dated April 8, 2020, the DOH did not have a clear and firm guideline on the release of personal information due to the data privacy law. Ergo, the need for an explicit mandate.
But how clear and resolute is the instruction “mandatory public disclosure…” in terms of complying with the data privacy law? And can the data privacy law still be violated under this open-ended “public disclosure” notice?
The answer is yes. On three accounts:
1. Personal information may be disclosed to or shared with legitimate and authorized personnel only. The word “public” in this IATF mandate should be construed as authorized personnel only. In the case of contact tracing under this pandemic situation, this would mean personnel authorized only by the OCD or Office of Civil Defense, since by way of Resolution 22, the OCD has been appointed to “lead the contact-tracing efforts of the government.” Public disclosure will not be needed anyway, as only authorized contact tracing personnel should have access to and legitimate use of personal data entrusted in their care.
2. The collection, processing, sharing and disposal of the personal information shall be in accordance with the privacy principles of Transparency, Legitimate Purpose, and Proportionality. This means “disclosure” is not, in itself, an executable action by the OCD authorized personnel as yet. There is still a need for all “authorized” personnel to be fully trained on these privacy principles and to ensure that these are strictly complied with when conducting their contact tracing activities. The data privacy law requires that all persons authorized to collect, process, share, dispose of, or safeguard personal data shall be fully trained in the proper conduct of protecting and ensuring the confidentiality, integrity, and availability of the personal data in their care.
It is for this reason that, in the same Resolution 22, the DOH and the OCD have been “directed to enter into a data-sharing agreement (DSA) in accordance with Republic Act No. 10173 or the Data Privacy Act.” This DSA assures the data subjects, that is, the COVID-19 patients and those whose names are in the contact lists, that their personal data privacy is continually protected against unscrupulous or unauthorized use while under the custody and care of the OCD and DOH contact tracing personnel. Contact tracers are employed to protect the health and life of COVID-19 would-be victims. To do so effectively, they should be trained to protect these persons’ personal data too.
3. The personal data in the case of contact tracing includes not only the names and contact numbers of all those initially infected but all other persons discovered or identified over the life of the contact tracing activities. All the other data privacy rights of these individuals, including those of the OCD contact tracers themselves and other OCD, DOH, and IATF staff who may have been involved or of assistance in the contact tracing effort shall also be protected and covered by the data privacy law. These include the rights to be informed, to access, to correct, and all other rights applicable and allowable that do not in any way restrict the contact tracing efforts of the government. The identities and personal information of contact tracers shall also be the subject of proper data privacy protection under the data privacy law of the Philippines.
Yes, the names, contact numbers and all other personal information of COVID-19 suspects or victims may be collected and processed as needed to support the contact tracing effort of the country to slow down and eventually eliminate the coronavirus outbreak in the country.
Proper data protection measures, however, must still be employed by authorized personnel entrusted with these personal data to ensure that people’s rights to personal data privacy are maintained as required under the data privacy law, without prejudice to the country’s dire need to deal with the pandemic in the most aggressive manner. Yes, it is possible to achieve both goals under the law.
Amado “Jun” Malacaman, Jr. is one of the country’s top ICT professionals and management consultants, specializing in Information Systems Management, Info Security, Data Privacy and Training. He has worked as a programmer, systems analyst, CIO and President of several multinational companies in the Philippines and abroad.
His international experience includes: President of Software Merchants, California, USA; General Manager of SGV-Byrne Technologies, Hong Kong; and Senior Lecturer/Trainor at I/ACT (conducting various IT and Project Management training courses in Malaysia, Singapore, Taiwan, Hong Kong, Indonesia, Thailand, and Korea).
Mr. Malacaman, Jr. is a past president of the following industry associations: IT Foundation of the Philippines (ITFP); Information Systems Security Society of the Philippines (ISSSP); Philippine Marketing Association (PMA); and United Software Exporters of the Philippines (USEPhil).