A few weeks back I attended the eHealth summit at the PICC and heard the keynote address of Raymond Liboro, first commissioner of the National Privacy Commission (NPC). Dr. Atty. Ivy Patdu, NPC deputy commissioner, was also at the event as a discussant in the panel on big data and privacy. She declared that the National Privacy Commission was working day and night to finish the implementing rules and regulations of the Data Privacy Act of 2012.
Let’s take a step back and follow the sequence of events.
The long title of the Data Privacy Act of 2012 states that it is –
AN ACT PROTECTING INDIVIDUAL PERSONAL INFORMATION IN INFORMATION AND COMMUNICATIONS SYSTEMS IN THE GOVERNMENT AND THE PRIVATE SECTOR, CREATING FOR THIS PURPOSE A NATIONAL PRIVACY COMMISSION, AND FOR OTHER PURPOSES
Section 7 states the functions of the National Privacy Commission. Section 39 states –
SEC. 39. Implementing Rules and Regulations (IRR). – Within ninety (90) days from the effectivity of this Act, the Commission shall promulgate the rules and regulations to effectively implement the provisions of this Act.
Commissioner Liboro took his oath as commissioner of the National Privacy Commission last March 6, 2016. The next day, March 7, Dr. Atty. Ivy Patdu and Dondi Mapa also took their oaths as deputy commissioners of the National Privacy Commission.
Last May 23, 2016, President Aquino signed Republic Act No. 10844, the Department of Information and Communications Technology Act of 2015 –
AN ACT CREATING THE DEPARTMENT OF INFORMATION AND COMMUNICATIONS TECHNOLOGY, DEFINING ITS POWERS AND FUNCTIONS APPROPRIATING FUNDS THEREFOR, AND FOR OTHER PURPOSES
Section 9 of the Data Privacy Act of 2012 mentions the Department of Information and Communications Technology (DICT) –
SEC. 9. Organizational Structure of the Commission. – The Commission shall be attached to the Department of Information and Communications Technology (DICT) and shall be headed by a Privacy Commissioner, who shall also act as Chairman of the Commission. The Privacy Commissioner shall be assisted by two (2) Deputy Privacy Commissioners, one to be responsible for Data Processing Systems and one to be responsible for Policies and Planning. The Privacy Commissioner and the two (2) Deputy Privacy Commissioners shall be appointed by the President of the Philippines for a term of three (3) years, and may be reappointed for another term of three (3) years. Vacancies in the Commission shall be filled in the same manner in which the original appointment was made.
It seems that all the elements to implement the Data Privacy Act are in place. And today, June 17, I at last received a copy of the much-awaited draft of the implementing rules and regulations of the Data Privacy Act from Dr. Atty. Ivy Patdu!
If you have any comments about this draft, please email firstname.lastname@example.org.
Good day Dr Tan.
I would like to ask if the Data Privacy Act covers retrospective research. Is it required to get patient consent for retrospective studies?
How about in a situation such as below:
Information recorded by the researcher does not identify the subject. Individually identifiable data elements are not recorded. Additionally, the researcher did not keep a linking list of any sort. It is not possible to figure out which data belong to a patient once the data have been recorded by the researcher.
Thank you very much for your help!
In my (non-legal) opinion, yes, it will cover this because you are still dealing with sensitive health information. In the situation you have described, however, it seems that you have taken the necessary precautions to keep the data safe and therefore you should have no worries that you are violating the law.