When I read the Data Privacy Act the first time, I did not
quite understand it. But I really had to
understand it because it’s not only a requirement for class but I also need it
for work.
Going back to the question, YES it is adequate, but
INCOMPLETE when applied to health.
There are four things that we do with data.
- We gather or collect data, through different means – interview, surveys, or related literature and so on.
- We process data – from data, we form information, through these information we have knowledge.
- We also store data through different means – through physical copies or electronic copy.
- And we also exchange data
For me adequacy on the Data Privacy Act would mean that all
these four actions are taken into consideration in that law, provisions that
protects the “DATA SUBJECT” when his data is gathered, processed, collected,
stored and exchanged. To manage all
these there should be entities that should be responsible in safeguarding the
DATA SUBJECT and his data.
For health care, from data gathering to point where you need
to get the patients consent, it all boils down to the patient’s safety. To achieve this, confidentiality must not be
broken when data exchanged from the patient to his health care provider. There must be trust and privacy must be
provided all the time. To achieve all
these there must be the proper security in the patient’s health information.
Anytime that there will be a breach of security is a an opportunity for anyone
to harm the patient.
.jpg)
IS IT ADEQUATE?
YES! As I compare it to the Model State Public Health Privacy Act of the United
States which according to Dr. Lawrence O Gostin of Georgetown Law Center “Protecting
public health requires the acquisition, use, and storage of extensive
health-related information about individuals. The electronic accumulation and
exchange of personal data promises significant public health benefits but also
threatens individual privacy; breaches of privacy can lead to individual discrimination
in employment, insurance, and government programs. Individuals concerned about
privacy invasions may avoid clinical or public health tests, treatments, or
research. The Model State Public Health
Privacy Act provides strong privacy safeguards for public health data while
preserving the ability of state and local public health departments to act for
the common good”.
I say that the the Data Privacy is ADEQUATE but INCOMPLETE. I suggest that more specific ruling over health care data, health information can do so much as well as damage to the person
So, how adequate is the Data Privacy Act? I am not an expert on Law, so I purposely
just copied the text from the law and change the font style of the provisions
that I want to put emphasize in, rather than interpreting it.
On Chapter II of the Data Privacy Act, on Section 7 the
National Privacy Commision is responsible to safeguard that the and the data
subjects are protected.
THE NATIONAL PRIVACY COMMISSION
SEC. 7. Functions of the National Privacy
Commission. – To
administer and implement the provisions of this Act, and to monitor and ensure
compliance of the country with international standards set for data protection,
there is hereby created an independent body to be known as the
In Chapter III, these were discussed.
The collection, processing, use, storage and the
length of time the data is stored given that the data subject has given his
consent as Criteria for Lawful Processing of Personal Information
(a)
Collected for specified and legitimate purposes determined and declared
before, or as soon as reasonably practicable after collection, and later
processed in a way compatible with such declared, specified and legitimate
purposes only; (b) Processed fairly and lawfully; (c) Accurate, relevant and, where
necessary for purposes for which it is to be used the processing of personal
information, kept up to date; inaccurate or incomplete data must be rectified,
supplemented, destroyed or their further processing restricted; (d) Adequate
and not excessive in relation to the purposes for which they are collected and
processed; (e) Retained
only for as long as necessary for the fulfillment of the purposes for which
the data was obtained or for the establishment, exercise or defense of legal
claims, or for legitimate business purposes, or as provided by law; and (f) Kept in a form which permits identification
of data subjects for no longer than is necessary for the purposes for which the
data were collected and processed: Provided,
That personal information collected for other purposes may lie processed
for historical, statistical or scientific purposes, and in cases laid down in
law may be stored for longer periods:Provided,
further,That adequate safeguards are guaranteed by said laws authorizing
their processing. The personal information controller must ensure implementation
of personal information processing principles set out herein.
Criteria for Lawful Processing of Personal Information. – The
processing of personal information shall be permitted only if not otherwise
prohibited by law, and when at least one of the following conditions exists:
(a) The data subject has given
his or her consent;
(b) The processing of personal
information is necessary and is related to the fulfillment of a contract with
the data subject or in order to take steps at the request of the data subject
prior to entering into a contract;
(c) The processing is necessary for
compliance with a legal obligation to which the personal information controller
is subject;
(d) The processing is necessary
to protect vitally important interests of the data subject, including life and
health;
(e) The processing is necessary
in order to respond to national emergency, to comply with the requirements of
public order and safety, or to fulfill functions of public authority which
necessarily includes the processing of personal data for the fulfillment of its
mandate; or
(f) The processing is necessary for the
purposes of the legitimate interests pursued by the personal information
controller or by a third party or parties to whom the data is disclosed, except
where such interests are overridden by fundamental rights and freedoms of the data
subject which require protection under the Philippine Constitution.
SEC. 13. Sensitive Personal
Information and Privileged Information. – The processing of sensitive personal
information and privileged information shall be prohibited, except in the following
cases:
(a) The data subject has given his or
her consent, specific to the purpose prior to the processing, or in the case of
privileged information, all parties to the exchange have given their consent
prior to processing;
(b) The processing of the same is
provided for by existing laws and regulations: Provided, That such regulatory
enactments guarantee the protection of the sensitive personal information and
the privileged information: Provided, further,That the consent of the data
subjects are not required by law or regulation permitting the processing of the
sensitive personal information or the privileged information;
(c) The processing is necessary
to protect the life and health of the data subject or another person, and the
data subject is not legally or physically able to express his or her consent
prior to the processing;
(d) The processing is necessary
to achieve the lawful and noncommercial objectives of public organizations and
their associations: Provided, That such processing is only confined and related
to the bona fide members of these organizations or their associations:
Provided, further, That the sensitive personal information are not transferred
to third parties: Provided, finally, That consent of the data subject was
obtained prior to processing;
(e) The processing is necessary for
purposes of medical treatment, is carried out by a medical practitioner or a
medical treatment institution, and an adequate level of protection of personal
information is ensured; or
(f) The processing concerns such
personal information as is necessary for the protection of lawful rights and
interests of natural or legal persons in court proceedings, or the
establishment, exercise or defense of legal claims, or when provided to
government or public authority.
Furthermore, on Chapter IV the rights of the data subject is
discussed thoroughly.
SEC. 16. Rights of the Data Subject. – The data subject is entitled to:
(a) Be informed whether personal
information pertaining to him or her shall be,
are being or have been processed;
(b) Be furnished the information
indicated hereunder before the entry of his or her personal information into
the processing system of the personal information controller, or at the next
practical opportunity:
(1) Description of the personal
information to be entered into the system;
(2) Purposes for which they are being or
are to be processed;
(3) Scope and method of the personal
information processing;
(4) The recipients or classes of
recipients to whom they are or may be disclosed;
(5) Methods utilized for automated
access, if the same is allowed by the data subject, and the extent to which
such access is authorized;
(6) The identity and contact details of
the personal information controller or its representative;
(7) The period for which the information
will be stored; and
(8) The existence of their rights, i.e.,
to access, correction, as well as the right to lodge a complaint before the
Commission.
Any information supplied or declaration
made to the data subject on these matters shall not be amended without prior
notification of data subject: Provided, That the notification under subsection
(b) shall not apply should the personal information be needed pursuant to a
subpoena or when the collection and processing are for obvious purposes,
including when it is necessary for the performance of or in relation to a
contract or service or when necessary or desirable in the context of an
employer-employee relationship, between the collector and the data subject, or
when the information is being collected and processed as a result of legal
obligation;
(c) Reasonable access to, upon demand,
the following:
(1) Contents of his or her personal
information that were processed;
(2) Sources from which personal
information were obtained;
(3) Names and addresses of recipients of
the personal information;
(4) Manner by which such data were
processed;
(5) Reasons for the disclosure of the
personal information to recipients;
(6) Information on automated processes
where the data will or likely to be made as the sole basis for any decision
significantly affecting or will affect the data subject;
(7) Date when his or her personal
information concerning the data subject were last accessed and modified; and
(8) The designation, or name or identity
and address of the personal information controller;
(d) Dispute the inaccuracy or error in
the personal information and have the personal information controller correct
it immediately and accordingly, unless the request is vexatious or otherwise
unreasonable. If the personal information have been corrected, the personal
information controller shall ensure the accessibility of both the new and the
retracted information and the simultaneous receipt of the new and the retracted
information by recipients thereof: Provided, That the third parties who have
previously received such processed personal information shall he informed of
its inaccuracy and its rectification upon reasonable request of the data subject;
(e) Suspend, withdraw or order the
blocking, removal or destruction of his or her personal information from the
personal information controller’s filing system upon discovery and substantial
proof that the personal information are incomplete, outdated, false, unlawfully
obtained, used for unauthorized purposes or are no longer necessary for the
purposes for which they were collected. In this case, the personal information
controller may notify third parties who have previously received such processed
personal information; and
(f) Be indemnified for any damages
sustained due to such inaccurate, incomplete, outdated, false, unlawfully
obtained or unauthorized use of personal information.
SEC. 17. Transmissibility of Rights of
the Data Subject. – The lawful heirs and assigns of the data subject may invoke
the rights of the data subject for, which he or she is an heir or assignee at
any time after the death of the data subject or when the data subject is
incapacitated or incapable of exercising the rights as enumerated in the
immediately preceding section.
SEC. 18. Right to Data
Portability. – The data subject shall have the right, where personal
information is processed by electronic means and in a structured and commonly
used format, to obtain from the personal information controller a copy of data
undergoing processing in an electronic or structured format, which is commonly
used and allows for further use by the data subject. The Commission may specify
the electronic format referred to above, as well as the technical standards,
modalities and procedures for their transfer.
SEC. 19. Non-Applicability. – The
immediately preceding sections are not applicable if the processed personal
information are used only for the needs of scientific and statistical research
and, on the basis of such, no activities are carried out and no decisions are
taken regarding the data subject:Provided,That the personal information shall
be held under strict confidentiality and shall be used only for the declared
purpose. Likewise, the immediately preceding sections are not applicable to
processing of personal information gathered for the purpose of investigations
in relation to any criminal, administrative or tax liabilities of a data
subject.
On chapter V, the security was further discussed.
(c)
The determination of the appropriate level of security under this section must
take into account the nature of the personal information to be protected, the
risks represented by the processing, the size of the organization and complexity
of its operations, current data privacy best practices and the cost of security
implementation. Subject to guidelines as the Commission may issue from time to
time, the measures implemented must include:
(1) Safeguards to protect its
computer network against accidental, unlawfuInl or unauthorized usage or
interference with or hindering of their functioning or availability;
(2) A security policy with
respect to the processing of personal information;
(3) A process for identifying and
accessing reasonably foreseeable vulnerabilities in its computer networks, and
for taking preventive, corrective and mitigating action against security
incidents that can lead to a security breach; and
(4) Regular monitoring for
security breaches and a process for taking preventive, corrective and
mitigating action against security incidents that can lead to a security
breach.
(d) The personal information
controller must further ensure that third parties processing personal
information on its behalf shall implement the security measures required by
this provision.
In
chapter VI, the accountability of the information controller was discussed,
SEC. 21. Principle of Accountability. – Each personal information
controller is responsible for personal information under its control or
custody, including information that have been transferred to a third party for
processing, whether domestically or internationally, subject to cross-border
arrangement and cooperation.
And
was the responsibilities of the agencies was discussed, the limitations and
encryption was also included.
SEC
22. Responsibility of Heads of Agencies. – All sensitive personal information
maintained by the government, its agencies and instrumentalities shall be
secured, as far as practicable, with the use of the most appropriate standard
recognized by the information and communications technology industry, and as
recommended by the Commission. The head of each government agency or
instrumentality shall be responsible for complying with the security
requirements mentioned herein while the Commission shall monitor the compliance
and may recommend the necessary action in order to satisfy the minimum
standards.
SEC. 23. Requirements Relating to Access by Agency Personnel to
Sensitive Personal Information. – (a) On-site and Online Access – Except as may
be allowed through guidelines to be issued by the Commission, no employee of
the government shall have access to sensitive personal information on
government property or through online facilities unless the employee has received
a security clearance from the head of the source agency.
(b) Off-site Access – Unless otherwise provided in guidelines to be
issued by the Commission, sensitive personal information maintained by an
agency may not be transported or accessed from a location off government
property unless a request for such transportation or access is submitted and
approved by the head of the agency in accordance with the following guidelines:
(1) Deadline for Approval or Disapproval – In the case of any request
submitted to the head of an agency, such head of the agency shall approve or
disapprove the request within two (2) business days after the date of
submission of the
request. In case there is no action by the head of the agency, then
such request is considered disapproved;
(2) Limitation to One thousand (1,000) Records – If a request is
approved, the head of the agency shall limit the access to not more than one
thousand (1,000) records at a time; and
(3) Encryption – Any technology used to store, transport or access
sensitive personal information for purposes of off-site access approved under
this subsection shall be secured by the use of the most secure encryption
standard recognized by the Commission.
The requirements of this subsection shall be implemented not later than
six (6) months after the date of the enactment of this Act.
SEC. 24. Applicability
to Government Contractors. – In entering into any contract that may involve
accessing or requiring sensitive personal information from one thousand (1,000)
or more individuals, an agency shall require a contractor and its employees to
register their personal information processing system with the Commission in
accordance with this Act and to comply with the other provisions of this Act
including the immediately preceding section, in the same manner as agencies and
government employees comply with such requirements.
No comments:
Post a Comment