Data Privacy and Security

Data Privacy Act 2012 or RA 10173, is a comprehensive

and strict privacy legislation “to protect the fundamental
human right of privacy, of communication while ensuring free
flow of information to promote innovation and growth.”

It protects and maintains the right of customers to

confidentiality by setting a legal list of rules for companies to
regulate the collection, handling, and disposal of all personal
information.
 Data Privacy Act 2012 or RA 10173
With this, every one knows that all personal
health information are confidential and with the
growing digital economy, stricter privacy and
security protections of health data must be
implemented.
 What are the Scopes of Data Privacy Act?
●
This Act applies to the processing of all types personal
information and to any natural and juridical person
involved in personal information processing including
those personal information controllers and processors
who, although not found or established in the
Philippines, use equipment that are located in the
Philippines, or those who maintain an office, branch or
agency in the Philippines.
 The processing of the personal information shall be allowed,
subject to compliance with the requirements of this Act and other
laws allowing disclosure of information to the public and
adherence to the principles of transparency, legitimate purpose
and proportionality.

●
Personal information refers to any information whether recorded in
a material form or not, from which the identity of an individual is
apparent or can be reasonably and directly ascertained by the
entity holding the information, or when put together with other
information would directly and certainly identify an individual.
●
Privileged information refers to any and all forms of
data which under the Rules of Court and other
pertinent laws constitute privileged communication.
●
The processing of sensitive personal information
and privileged information shall be prohibited
unless consent was given.
– About an individual’s race, ethnic origin, marital status,
age, color, and religious, philosophical or political
affiliations;
– About an individual’s health, education, genetic or sexual
life of a person, or to any proceeding for any offense
committed or alleged to have been committed by such
person, the disposal of such proceedings, or the
sentence of any court in such proceedings;
– Issued by government agencies peculiar to an individual
which includes, but not limited to, social security
numbers, previous or current health records, licenses or
its denials, suspension or revocation, and tax returns;
– Specifically established by an executive order or an act
of Congress to be kept classified.
These personal information must be
safeguarded and protected against any
accidental or unlawful destruction, alteration,
disclosure and other unlawful processing.
What are the rights of the data subject?
The data subject or the individual sharing his/her personal information has right to be fully informed of
several factors of the data collecting process. This list includes, but isn’t limited to:

(1) the purpose for use

(2) scope and methods for access

(3) the recipients or classes of recipients to whom they are or may be disclosed;

(4) the identity and contact details of the personal information controller

(5) the period for which the information will be stored for

(6) access to their rights.

 What is the penalty?
Violations include improper/unauthorized processing,
handling or disposal of personal information.

Violators can be penalized by imprisonment up to six

years and a fine of not less than Five hundred
thousand pesos (PHP 500,000) but not more than
Five million pesos (Php5,000,000.00).
 What should the management and health care
professionals need to take in compliance with the Act?
Companies and healthcare professional must ensure that the
methods of their data collection and processing regarding health
information are properly handled with confidentiality and the data
subjects must be well-aware of the process, including a breach
of security, should there be any.

A Data Protection Officer must be appointed to create privacy

knowledge programs and privacy and data policies to regulate
the handling of all types of information and to regularly review
the quality of data protection.
 So what does this mean for Health
professionals?
●
Health professionals have the right to access their contracts or
working agreement and know the scope of their work in occupational
health and safety.
●
They must understand their confidentiality and non-disclosure
agreement to the company that they are working.
●
All gadgets used in data collection and processing must be taken care
of including laptops, mobile phones, tablets and desktop computers.
These gadgets should be password protected and encrypted.
●
Ensure that all the health records and reports are confidential.
 So what does this mean… (con’t.)
●
Be careful with paper medical records and reports. These records must
be properly stored and must be accessed by authorized staff only.
●
Ensure that your clinic computer or laptops are locked when leaving the
clinic so that trackers and reports would not be exposed.
●
Avoid posting patients or any activities inside your clinics or treatment
rooms to any form of social media.
●
Don’t use your own home laptops for any personal/sensitive data.
●
Only record relevant information in your health trackers and medical
records. Data held must not be excessive.
 So what does this mean… (con’t.)
●
Only use personal data for the purpose for which it
was obtained.
●
Limit the recipients and information of your health
reports
●
Only access what you need to do your job.
●
If in doubt ask for advice (if you can, use a data
protection officer or a lawyer).
 References/Sources:
●
Ayoh Office Health. Data Privacy Act In Office Health.
https://ayohhealth.com/2019/05/30/data-privacy-act-in-office-health/. Accessed
November 24, 2020.
●
Leandro Angelo Aguirre. Data privacy act of 2012.
https://www.privacy.gov.ph/wp-content/files/attachments/ppt/DPO17Overview.pdf.
Accessed November 24, 2020.
●
Dr. Rolando R. Lansigan. 2017. Primer on the Data Privacy Act (DPA) of 2012 -
ABCD-S: "Awareness, Breach Management, Compliance, Data Protection Officer
and Security Measures“. National Privacy Commission.