Schools urged to ensure privacy in drug testing

MANILA, Philippines - The National Privacy Commission (NPC) has urged schools and agencies to strengthen their systems security and ensure the confidentiality of data when implementing the drug testing policy.

“It’s incumbent on those who will proceed on instituting or embarking on data processing to be aware of the risks, to be cognizant of the benefits and to be able to exercise the right controls,” privacy commissioner Raymund Liboro said.

“If you cannot protect it, don’t collect it. If you need to collect it, then make sure that you’d be able to protect it. Any organization that will embark on a processing exercise should be willing and be able to comply with that,” he stressed.

Liboro noted the laws that protect data and penalize those who fail to secure its privacy, especially those classified as sensitive personal information like the results of drug testing.

In their respective orders, the Department of Education and the Commission on Higher Education (CHED) mandated the conduct of random drug testing in secondary schools and tertiary institutions as contained in the comprehensive dangerous drugs law.

It also allowed higher education institutions to conduct mandatory drug tests and use these as basis for retention or admission of students, provided they follow strict guidelines.

Both agencies affirmed that confidentiality will be ensured in drug testing programs and that these will not be used to discriminate against those who would test positive.

“The schools will have to have policies in case there are requests for those data. Medical and health information – these should be considered sensitive personal information which in general should not be disclosed,” said NPC deputy commissioner Ivy Patdu.

Data privacy registration

The NPC on Friday held an assembly of data protection officers in higher education institutions to strengthen awareness and heighten the information campaign on the data privacy law.

It reminded all organizations covered by the law to submit the mandatory registration requirements by Sept. 9.

Under NPC guidelines, all organizations with at least 250 employees or those that process sensitive personal information of 1,000 or more individuals will have to register their data processing systems with the commission.

Also covered are those in the identified critical sectors, which are required to register even if they do not meet the criteria in the number of employees or sensitive personal information being processed.

Critical sectors include all government entities, financial institutions, telecommunications networks, business process outsourcing, academic institutions, hospitals and other health facilities, insurance providers, pharmaceutical companies and marketing and networking business.

Patdu said failure to submit the requirements on time might result in various penalties, including the contempt or issuance of an enforcement action.

“Depending on the circumstance, you may become an unauthorized processing unit if you wouldn’t register. Of course, if there is a complaint, you won’t be able to demonstrate that there were efforts to comply (with the law if you do not register),” she added.