Data Privacy Awareness

Carl Demetria MD MIS MSPPM CHIA DPBEM

Data Protection Officer
WVSU Medical Center
Objectives
• To introduce the following concepts:
• Data Privacy Act 2012
• Data Privacy Principles
• Privacy Impact Assessment
• Relevant details of WVSUMC Data Privacy Policy
• To illustrate some advisory opinions from the 2020-2021
Compendium of NPC Issuances
• For participants to be aware of these concepts and apply it to
their workplace.
Data Privacy Act of 2012
• Republic Act 10173
• An Act protecting individual personal information in information
and communications systems in the government and the private
sector, creating for this purpose a National Privacy Commission,
and for other purposes
• Protect the fundamental human right of privacy of
communication while ensuring free flow of information to
promote innovation and growth; state obligation to ensure that
personal information are secured and protected (Sec 2)
National Privacy Commission
• Independent body
• Administers and implements DPA
• Attached to DICT
Functions of the NPC
• Rule Making
• Advisory
• Public Education/Information
• Compliance and Monitoring
• Complaints and Investigation
• Enforcement

• Rule III Sec 8 DPA IRR

Data Processing
• any operation or any set of operations performed upon personal
data including, but not limited to, the collection, recording,
organization, storage, updating or modification, retrieval,
consultation, use, consolidation, blocking, erasure or
destruction of data.
• may be performed through automated means, or manual
processing, if the personal data are contained or are intended to
be contained in a filing system

• Rule I Sec 1 (o) DPA IRR

Other Key Terms
• Data subject
• Individual whose information (personal, sensitive personal, or
privileged) is processed
• Personal Information Controller
• Person or organization
• Controls the processing of personal data or instructs another to
process personal data on its behalf
• Personal Information Processor
• Data Protection Officer
• Responsible for the overall management of compliance to the DPA
 Relevant Sections for Administrative Fines
 Sec 7 (a): NPC to ensure compliance of PIC
 Sec 11: General Data Privacy Principles
 Sec 16: Rights of the Data Subject
 Sec 20: Security of Personal Information
 Sec 24: Government contractors must register
 Sec 30: Concealment of Security Breaches Involving Sensitive
Personal Information
Rights of Data Subjects
• Right to be Informed
• Right to Access
• Right to Correct/Rectify
• Right to Erasure/Blocking
• Right to Object
• Right to Damages
• Right to Data Portability
• Right to File a Complaint

• Rule VIII Sec 34 DPA IRR

Right to be Informed
• Whether personal data is/will be/has been processed
• Description of data to be entered
• Purposes for which they are being or will be processed
• Basis of processing, when processing is not based on consent
• Scope and method of processing
Right to be Informed
• Recipients of data
• Methods for automated access, logic involved, significance and
consequences of processing
• Identity and contact details of PIC
• Period of storage
• Existence of rights as data subjects, including right to access,
correction, object to processing, and lodge a complaint with
NPC
Right to Access
• Contents of data processed
• Source of data
• Names and addresses of recipients; reasons for disclosure
• Manner of data processing
• Information on automated decision making processes
• Date when data was last accessed or modified
• Designation, name, address of PIC
Right to Correct/Rectify
• Dispute inaccuracy or error in the personal data and have the
personal information controller correct it immediately and
accordingly, unless the request is vexatious or otherwise
unreasonable
Right to Erasure/Blocking
• Block or remove data, upon proof that:
• Data is incomplete, outdated, false, or unlawfully obtained
• Data is used for purpose not authorized by data subject
• Data is no longer necessary for purpose for which they were collected
• Data subject withdraws consent or objects to the processing, no other
legal ground for processing
Right to Erasure/Blocking
• Block or remove data, upon proof that:
• Data concerns private information prejudicial to data subject, unless
justified by freedom of speech, of expression, or of the press or
otherwise authorized
• Processing is unlawful
• PIC or PIP violated the rights of the data subject.
Right to Object
• Object to processing of data

• Unless:
• Personal data needed pursuant to a subpoena
• Collection and processing are for obvious purposes
• Necessary for the performance of or in relation to a contract or service
• Employer-employee relationship between the collector and the data
subject
Right to Damages
• Indemnified for any damages sustained due to such inaccurate,
incomplete, outdated, false, unlawfully obtained or unauthorized
use of personal data
Right to Data Portability
• For data processed electronically
• Obtain from PIC a copy of data in an electronic or structured
format that is commonly used and allows for further use
Right to File a Complaint
• If personal information has been misused, maliciously
disclosed, improperly disposed, or any of the data privacy rights
have been violated
Data Privacy Principles
• Transparency
• Legitimate Purpose
• Proportionality
Transparency
• Data subject must be aware of the nature, purpose and extent
of the processing of his/her personal data, including the risks
and safeguards involved, the identity of the PIC, rights as a data
subject, and how these can be exercised
• Information on data processing must be easy to understand,
accessible
• Data subject must have reasonable access on demand
• For electronic data, can access a copy in a structured format
(data portability)
Privacy Notice
• Description of service
• Personal data to be collected, method of collection, timing of
collection
• Purpose of collection of data, method of use
• Storage and transmission, location of data
• Third-party transfers (if applicable)
• Retention period
• Participation of data subject (how consent is obtained)
• Contact information for inquiries or complaints
Legitimate Purpose
• Processing of data shall be compatible with a declared and
specified purpose which must not be contrary to law, morals, or
public policy
Consent
• Data subject must exercise control over how data will be used
• Consent requires a freely given, specific, and informed
indication of will, evidenced by a written or electronic record
• Consent must be unbundled from other terms and conditions
• Implied, implicit or negative consent is not recognized
Proportionality
• Processing of information shall be adequate, relevant, suitable,
necessary, and not excessive in relation to a declared and
specified purpose
Other Principles
• Data Quality
• Ensure that data is accurate, complete and up-to-date
• Inaccurate or incomplete data must be rectified, supplemented,
destroyed, or their further processing restricted
• Security Safeguards
• Organizational Commitment
• Program Controls
• Continuing Assessment and Development
Privacy Impact Assessment
• Process to evaluate and manage privacy impacts in an
organization’s programs, processes, activities, systems and
operations
Objectives of Conducting a PIA
• Identify privacy risks and vulnerabilities
• Determine
• Adherence to transparency, legitimacy, proportionality
• Lapses in organizational, physical, and technical security measures
• How the organization upholds the rights of the data subjects
• Establish a control framework that should address all the issues
identified
When is PIA necessary?
• As baseline
• Prior to implementation of new programs
• Changes to processing of data
• When entering into a data-sharing agreement
• Large-scale data collection
Benefits of PIA
• Promote privacy awareness
• Good governance
• Compliance
• Cost-effective
• Prevents privacy risks
• Identifies privacy strategies
Questions to consider during PIA
• What do I process and how?
• Do I comply with the law?
• What are the risks?
• What can I do about it?
• When will I reassess?
Data Life Cycle
• Collection
• Use and access
• Sharing and transfers
• Storage and retention
• Disposal
Records of Processing Activities
• Data inventory
• Data flow
• Purpose of processing
• Sources and recipients of personal data
• Accountable and responsible persons
• Existing safeguards
 Salient Points of the
WVSUMC Data Privacy Policy
Policy Objectives
 To uphold the data rights of all data subjects of the WVSUMC.
 To comply with the provisions of RA 10173, its IRR, NPC issuances, and other
regulations related to data privacy.
 To foster and maintain awareness on data privacy, including how we safeguard data
privacy rights, among employees and data subjects.
 To minimize, if not eliminate, risks that threaten data privacy rights.
Activities
 Privacy Notice
 Awareness-building activities
 Monitoring compliance
 Privacy Impact Assessment
 Develop and implement data privacy procedures relevant
to their mandate
Activities
 Data inventory, data flow, stated lawful purpose, sources
and recipients, accountable and responsible persons,
existing safeguards
 Procedure on Data Breach Response
 Data Privacy Committee
 Evaluate data processing activities and make relevant
recommendations
Role of Unit/Department Heads
 Privacy Notice
 Awareness-building activities
 Compliance –> monitoring as part of regular workflow
 Conduct PIA
 Assess risks –> Develop and implement data privacy procedures relevant to their
mandate
 Document data processing activities
 Document data privacy and security activities
Role of the Medical Center Chief
• As PIC – can designate Unit/Department Heads
• PIC determines privacy risks
• Designates/recommends DPO, Committee
Role of the Data Protection Officer
• No conflict of interest
• Independent, has autonomy
• Bound by confidentiality, secrecy
• Opinions have due weight
• Monitors compliance, ensures PIA, advices PIC
• Cooperate, coordinate and seek advice of NPC
Data Privacy Committee
• Chairman
• Unit and Department Heads
• Data Breach Response Team
• Data Privacy Training and Awareness Team (defunct)
Role of Data Privacy Committee
• Compliance
• Conduct PIA
• Security Incident Management
• Awareness
• Policy development and review – privacy by design approach
Essential Principles
• Privacy Mission: The WVSUMC is committed to delivering
health services effectively and efficiently while protecting the
data privacy rights of its patients, employees, and other data
subjects.

• Privacy Vision: The WVSUMC meets the standards of data

protection that its patients, employees, and other data subjects
are entitled to, as well as the needs and expectations of its
clients regarding health care delivery.
Essential Principles
• The WVSUMC recognizes the value of data in research, training, and policy-
making for service delivery, and will not impede its proper and lawful use
provided that adequate safeguards are in place and data subject rights are
upheld.
• The WVSUMC and its employees must be constantly vigilant in protecting the
sensitive personal information of its data subjects, and care in handling
information must be built into the processes and procedures of each Unit and
Department.
• The WVSUMC and its professional staff recognizes the privileged information
handled during patient encounters and shall ensure the protection and care in
handling this information.
Essential Principles
• The WVSUMC commits to upholding the data privacy principles of transparency,
legitimate purpose, and proportionality.
• Transparency: data subjects shall be informed about the nature, purpose, method, and extent of
processing their data. A Privacy Notice shall be posted in conspicuous areas so that all data subjects
can be made aware of their rights as data subjects and how these rights can be exercised.
• Legitimate purpose: the data collected from all data subjects shall be for a declared purpose which
must be known at time of collection, or made available at any point during the encounter with the
patient or employee.
• Proportionality: the method and extent of data processing shall be aligned to the legitimate purpose
that is declared to the patient or employee.
Essential Principles
• The WVSUMC commits to upholding the rights of data subjects
xxx
• Right to be informed;
• Right to object;
• Right to access;
• Right to rectification;
• Right to erasure or blocking;
• Right to damages;
• Right to data portability; and
• Right to file a complaint.
Essential Principles
• The different Units and Departments of the WVSUMC commit to
conducting a Privacy Impact Assessment during the following
periods:
• As baseline;
• Prior to implementing new programs, services or activities that will
require data processing;
• Prior to changes in how personal data is processed;
• Prior to entering a data sharing agreement or outsourcing contract; and
• Prior to large-scale data collection or processing of large data sets.
Essential Principles
• The different Units and Departments of the WVSUMC will keep a record
of all data processing activities throughout the entirety of the data life
cycle, and submit a copy to the Data Protection Officer. This record
must include:
• Data Inventory;
• Data Flow;
• Purpose of data processing;
• Sources and recipients of personal data;
• Accountable and responsible persons;
• Existing safeguards; and
• Policies or procedures impacting data in each stage of the data life cycle.
Essential Principles
• xxx implementation of various security measures, including organizational, physical and technical measures, to maintain and
ensure the confidentiality, availability and integrity of data xxx
• xxx maintaining a Security Incident Management Program, which includes breach management, as well as the maintenance of
security protocols to maintain and ensure the confidentiality, availability and integrity of data.
• xxx a comparable level of protection when personal data is being processed by a third party. xxx require appropriate Data
Sharing Agreements to third parties that will process the data of its data subjects. xxx Confidentiality Agreements to all xxx
performing data processing activities xxx
• xxx on-going training and awareness of data privacy principles, rights of data subjects, and data protection procedures xxx
 Selected Advisory Opinions from
2020-2021 Compendium of NPC Issuances
Advisory Opinion No. 2019-052
• Re: Teenage Pregnancy Registry
• Did not have specific purpose or statutory basis for collection of
sensitive personal information (health data)
• Criteria for lawful processing of data
• Adhere to transparency, legitimate purpose, and proportionality
Advisory Opinion No. 2020-009
• Re: Deletion of Electronic Medical Records
• Removal of pre-employment medical records by a clinic upon
request of corporate clients who paid for service
• Both the clinic and the corporate client are PICs in their own
right; with different and separate purposes for collection
• Ideal to get the consent of the data subject prior to deletion
• Each PIC must inform data subjects through appropriate means
the time frame for retention and deletion of health records in
order for right to access to be upheld
Advisory Opinion No. 2020-010
• Re: Philhealth Inspection and Monitoring Activities
• Philhealth personnel declined signing an NDA while visiting to inspect
and monitor compliance to circulars on fraud prevention
• Mandate of Philhealth allows it to process personal data, but it is still
subject to responsibilities as PIC
 Implementing security measures

 Adhering to transparency, legitimate purpose, proportionality

 Upholding data subjects rights

Advisory Opinion No. 2020-010
• Re: Philhealth Inspection and Monitoring Activities
• Existing transfers or submissions is authorized by current
Performance Commitment – Philhealth not compelled to sign
NDA or DSA
• A separate Data Sharing Agreement if necessary and
appropriate in certain circumstances
Advisory Opinion No. 2020-019
• Re: Public Disclosure of the List of Social Amelioration Program
Beneficiaries
• Meant to enable LGUs to comply with legal obligations
• DPA will not hinder LGUs in disclosing information essential for
public to know (demand for transparency in distributing financial
assistance)
• Must adhere to proportionality: sensitive personal information
not necessary for purpose of disclosure
• DILG and LGUs responsibilities as PICs – privacy notice
Advisory Opinion No. 2021-042
• Re: Disclosure of List of Frontline Workers Affected by COVID-
19
• Request to DOH, for fundraising
• DOH must obtain consent of affected frontline health workers or
their heirs for those that are deceased
• The rights of the data subjects must be considered
• DOH may opt to provide statistical data only instead of personal
information
Advisory Opinion No. 2021-014
• Re: Posting of Photo in a Social Media Platform Without Consent
• Intimate photo taken while dining in a restaurant then posted with a
derisive caption
• The protection of the right to privacy extends to public spaces and
information that is publicly available
• Affected data subject is entitled to suspend, withdraw, or order the
blocking, removal, or destruction of personal information upon discovery
and substantial proof that these are unlawfully obtained, used for
unauthorized purposes, or are no longer necessary for the purpose of
collection
Advisory Opinion No. 2021-035
• Re: Data Sharing Agreement between Philhealth and City Civil
Registrar on Reporting of Recorded Deaths
• Basis of processing by Philhealth is quasi-judicial powers to
conduct investigations pursuant to RA 7875 and RA 10606
• Proportionality: processing must be necessary and not
excessive in relation to a declared and specified purpose
• Clarify as to specific legal basis for requiring extensive report on
all registered deaths
Advisory Opinion No. 2021-038
• Re: Data Sharing for the National Health Workforce Registry
• DSA between DOH and Professional Regulation Commission
• DOH should assess whether some personal data is needed
• DOH as a public authority fulfilling mandate – no consent
needed
• Privacy notice
• Privacy impact assessment
• Privacy by design
 Every time you find yourself here,
it’s because you chose to come back.