
Republic of the Philippines

Department of Health
OFFICE OF THE SECRETARY

April 24, 2023


MEMORANDUM

FOR : ALETHEA DE GUZMAN, MD, MCHM, PHSAE
Director IV
Epidemiology Bureau

FROM : GLORIA NENITA V. VELASCO, MD, DipEpi, MScPH
OIC-Director IV
Knowledge Management and Information Technology Service

SUBJECT : Request for Review of the Data Sharing Agreement between
the Department of Health (DOH) and San Lazaro Hospital
National Reference Laboratory STD/AIDS Cooperative
Central Library (SLH NRL SACCL)

This is in response to your request for review of the Data Sharing Agreement (DSA) between
the Department of Health (DOH) and San Lazaro Hospital National Reference Laboratory
STD/AIDS Cooperative Central Library (SLH NRL SACCL). Upon careful review, the Knowledge
Management and Information Technology Service respectfully endorses the following
recommendations to the draft:

1. Title. Kindly revise the title to: “Data Sharing Agreement between the Department of Health
(DOH) and San Lazaro Hospital National Reference Laboratory STD/AIDS Cooperative
Central Laboratory (SLH NRL SACCL) for the Sharing of HIV Surveillance Data and
Reports”

2. Identity of the Personal Information Controller (PIC). According to Sections 1 and 3 of
National Privacy Commission (NPC) Circular No. 2020-03, Data Sharing Agreements may
only be signed by or among PICs. As a result, the Secretary of Health, who serves as the PIC,
is the only person authorized to represent the DOH. With this, kindly replace the DOH
representative with "Officer-in-Charge, Dr. Maria Rosario S. Vergeire, MPH, CESO II."

3. Personal Information Processor/s (PIP). If PIPs or third parties are engaged in the
processing of personal data, please list their identity, role and responsibilities, and the controls by
which the PICs can hold them accountable for any unauthorized processing (e.g., Non-Disclosure
and Confidentiality Agreement). If there are none, remove the provisions discussing
third-party involvement, such as Article 5, item 12 (i and ii) and Article 7.

4. Personal Data to be Shared. Please enumerate all personal information and sensitive
personal information that each party will share with the other. Also add this provision: “If
there is a need to update the list of data elements to be shared and exchanged enumerated in
this DSA, a consensus reached by the Parties shall be deemed sufficient and valid, without
the need to amend this DSA. The said updates, and other agreements on the data elements,
shall be supported by a joint issuance or order duly signed by the heads of the Parties [in case
the other party is a government agency]. Otherwise, the updates and agreements shall be in
writing and duly signed by the Parties or their authorized representatives.”

Building 1, San Lazaro Compound, Rizal Avenue, Sta. Cruz, 1003 Manila ● Trunk Line 651-7800 local 1113, 1108, 1135
Direct Line: 711-9502; 711-9503 Fax: 743-1829 ● URL: http://www.doh.gov.ph; e-mail: dohosec@doh.gov.ph

5. Term or Duration of the Agreement. Section 9 (D) of NPC Circular No. 2020-03 states that
“Perpetual data sharing or DSAs that have indeterminate terms are invalid. Parties are free
to renew or extend a DSA upon its expiration. The DSA should be subject to the conduct of
periodic reviews which should take into consideration the sufficiency of the safeguards
implemented for data privacy and security.” Accordingly, please change the effectivity of the
DSA from “indefinitely” to a definite period. You may set the duration to five (5) years, as
this is the maximum duration allowed by the NPC.

6. Operational Details. The DSA makes no reference to the specifics of how personal data
would be shared or transferred. Please elaborate on the accepted data exchange procedures, such
as paper-based sharing, sharing via portable media, fax, mailing, internet access, web service,
application programming interface, or a mix of the aforementioned.

7. Online Access. There should be a separate section covering online access to personal data.
This should include the rationale for allowing online access, the parties that shall be granted
online access, the types of personal data that shall be accessible online, the anticipated frequency
and volume of access, and the program/middleware and encryption method/standards that will be
used.

8. Retention and Disposal of Personal Data. The DSA shall specify the guidelines for the
retention of shared data and specify the approach to be taken for its secure return, erasure, or
disposal, as well as a timetable.

9. Consent. There should be a separate article discussing the consent of the data subject. This
article should explain the process by which the parties charged with the collection of personal
data directly obtain the consent from the data subject. The consent should at least have the
following information:

a. The identity of personal information controllers (PICs) and personal information
processors (PIPs) that will be given access to the Personal Data;
b. The purpose of data sharing;
c. The categories of Personal Data concerned;
d. Intended recipients or categories of recipients of the Personal Data;
e. Existence of the rights of data subjects, including their right to access and correct the data,
and their right to refuse its collection. However, the other party shall be informed of any
request to access or correct the personal information if it is the subject matter of this sharing
agreement; and
f. Other information that would sufficiently notify the data subject of the nature and extent of
data sharing, and the manner of its processing.

10. Security and Data Breaches. In order to protect the shared data, the parties should include the
use of reasonable and appropriate organizational, physical, and technical security measures,
which are detailed in the attached DSA template. The parties should also create a procedure
for handling data breaches.

Lastly, we defer the final review and clearance of the draft Data Sharing Agreement to the
Office for Legal Affairs, as the oversight for Data Privacy.

Attached for your reference is DM 2020-0344, which discusses the template for DSAs and the
process of accomplishing it. Also attached is the DOH NDCA template.
For further inquiries, your staff may contact Mr. Reinier Estrella of this Office
by phone at (02) 8651-7800 local 1949, or by email at rjestrella@doh.gov.ph or
ehealth@doh.gov.ph.

Thank you very much.

Originating Office: PPMEU, ESD
Initial:
REINIER J. ESTRELLA, Project Officer I
CHERRIE D. ESTEBAN, Division Chief
Date:
Related Issuance: RA 10173, DM 2020-0344
Keywords: Data Sharing Agreement, DSA, Data Privacy Act
