NPC to probe unauthorized disclosure of COVID patients’ information

MANILA, Philippines — The National Privacy Commission (NPC) is looking into incidents of unauthorized disclosure on social media of personal information of more than 150 individuals who are either suspected or confirmed to have the coronavirus disease 2019 or COVID-19. 

NPC said it received 17 personal data breach notifications involving 154 suspected or confirmed COVID-19 patients from March 15 to April 23. Of these, seven were received from personal information controllers (PICs) and 10 from ordinary citizens.

Data breach notifications involve the posting of photo, as well as other personal details such as name, gender, address, date of birth and phone and emergency contact on social media. 

Privacy commissioner Raymund Liboro said the NPC is investigating the breach incidents together with the PICs, in relation to the Data Privacy Act of 2012.

“With a view to preventing similar instances of unauthorized disclosure from happening, we call on health institutions and their Data Protection Officers to strengthen the protection of patient data. After all, fostering mutual trust and protection between patients, health institutions and authorities is crucial in dealing with the COVID-19 pandemic,” he said. 

He added that patients will only provide the needed information to authorities if they are assured the data would be properly used for treatment, disease surveillance and response, and protected against misuse, including unauthorized disclosure which may lead to physical assaults, harassment and acts of discrimination.

To protect patient data against unauthorized disclosure, the NPC recommends that health institutions remind their officials and staff of their responsibility to protect the patient’s data. 

Unauthorized disclosure is prohibited under Republic Act 11332 or the Mandatory Reporting of Notifiable Diseases and Health Events of Public Health Concern Act, and the Data Privacy Act.

NPC also recommends that health institutions establish access control for patient data so that health personnel will only have the minimum and necessary access to enable the performance of their functions. To prevent accidental viewing and disclosure of data, health institutions are advised to use privacy screens and passwords for computers as well as encrypting documents with a password of sufficient strength.

When logging into accounts, health institutions may also use a second-factor authenticator in addition to setting a strong password.

Also part of protecting patient information is to avoid disclosure of data, even to authorities, in public areas as well as securing a platform for team collaboration and communication. – With Rainier Allan Ronda