Skip to content

Let’s build a culture of privacy!

Let’s build a culture of privacy! That’s my main takeaway from the public consultation held by the National Privacy Commission for the implementing rules and regulations of the Data Privacy Act of 2012 last July 13 at the University of the Philippines Diliman. No less than the Commissioner himself said it.


I attended this forum because of my interest in social media and healthcare. I had given a talk during the annual convention of the Philippine Pediatric Society on patient confidentiality and the social network last April. In the tell-all world of social media, what impact will the Data Privacy Act have?




How can we foster privacy by design when there exists a privacy paradox?



How can we strike a balance?


I realized in a roomful of lawyers, researchers, academics, bankers, insurance people etc that everyone wanted to find out if they were covered or exempted by the law. As the day wore on, I marveled at how many viewpoints existed as far as interpreting the law was concerned. But as the purpose of the IRR was to clarify the law, Commissioner Liboro said that in matters of interpretation –


To understand the spirit of the law, it is vital to understand what personal data is. Health-related data is always sensitive personal data.



Once you understand that concept, move on to the definition of a personal information controller. Many people stood up to clarify this definition as much of the penalties for violating the law lie squarely on the shoulders of the personal information controller.




Two interesting issues raised about social media and the law.


So we do have to be careful about what we reveal on Facebook. The follow up question to that was puzzling though. Because personal information controllers are required to register with the National Privacy Commission, does that mean all Facebook users have to register? Everyone shook their heads.

This is also of particular interest to me as I have a Facebook page. If someone reveals health information of another, i.e. a husband revealing lab tests of his wife without her consent on my Facebook page, is the page owner (me!) also partly liable for providing an opportunity for this misconduct? How about Facebook?

A related question was also tweeted to me that I wasn’t able to ask.


How can we ensure we are complying with the law? We should always ask consent for the data we collect, from the data subject. And because someone asked why it was specified in the IRR that consent is time bound –


I have many more tweets but I will end here. As is always said ignorantia legis neminem excusat, ignorance of law excuses no one. Please read the IRR of the Data Privacy Act!


Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.