At the public consultation on the draft IRR of the Data Privacy Act #PrivacyPH pic.twitter.com/pYZeohbhhY
— Iris Thiele Isip Tan (@endocrine_witch) July 13, 2016
Let’s build a culture of privacy! That’s my main takeaway from the public consultation held by the National Privacy Commission for the implementing rules and regulations of the Data Privacy Act of 2012 last July 13 at the University of the Philippines Diliman. No less than the Commissioner himself said it.
Create a culture of privacy protection in the country. – Comm. Liboro #DataPrivacyPH
— Iris Thiele Isip Tan (@endocrine_witch) July 13, 2016
I attended this forum because of my interest in social media and healthcare. I had given a talk during the annual convention of the Philippine Pediatric Society on patient confidentiality and the social network last April. In the tell-all world of social media, what impact will the Data Privacy Act have?
Foster “privacy by design” by embedding in tech, business practices & physical infrastructures – @PrivacyPH Comm Liboro #DataPrivacyPH
— Iris Thiele Isip Tan (@endocrine_witch) July 13, 2016
How can we foster privacy by design when there exists a privacy paradox?
How can we strike a balance?
Protect individual privacy while supporting public services. Develop guideline on info sharing by govt agencies – Liboro #DataPrivacyPH
— Iris Thiele Isip Tan (@endocrine_witch) July 13, 2016
Protect right to privacy while ensuring free flow of information for innovation & growth. – Comm. Liboro @PrivacyPH #DataPrivacyPH
— Iris Thiele Isip Tan (@endocrine_witch) July 13, 2016
I realized, in a roomful of lawyers, researchers, academics, bankers, insurance people, etc., that everyone wanted to find out if they were covered or exempted by the law. As the day wore on, I marveled at how many viewpoints existed as far as interpreting the law was concerned. But as the purpose of the IRR was to clarify the law, Commissioner Liboro said that in matters of interpretation –
The law will always side with the data subject. @privacyph Comm Liboro on the Data Privacy Act #DataPrivacyPH
— Iris Thiele Isip Tan (@endocrine_witch) July 13, 2016
To understand the spirit of the law, it is vital to understand what personal data is. Health-related data is always sensitive personal data.
Defining personal data #DataPrivacyPH pic.twitter.com/ap89pOLgnm
— Jane U. (@philippinebeat) July 13, 2016
Once you understand that concept, move on to the definition of a personal information controller. Many people stood up to clarify this definition, as many of the penalties for violating the law lie squarely on the shoulders of the personal information controller.
Who’s to blame? Concerns raised regarding exclusion of who is considered Personal Info Controller. #DataPrivacyPH pic.twitter.com/3b9nkPuaKo
— Iris Thiele Isip Tan (@endocrine_witch) July 13, 2016
Ongoing debate about defining personal info controller. Because a corporation cannot be jailed, it is a person who will be jailed #DataPrivacyPH
— Iris Thiele Isip Tan (@endocrine_witch) July 13, 2016
Two interesting issues raised about social media and the law.
Everyone on Facebook can be considered personal info controller. So not only orgs/enterprise covered. Heard at #DataPrivacyPH consultation
— Iris Thiele Isip Tan (@endocrine_witch) July 13, 2016
So we do have to be careful about what we reveal on Facebook. The follow-up question to that was puzzling though. Because personal information controllers are required to register with the National Privacy Commission, does that mean all Facebook users have to register? Everyone shook their heads.
Q on intermediary liability of YouTube or FB in case someone posts a video of another w/o consent? Ans. Case to case #DataPrivacyPH
— Iris Thiele Isip Tan (@endocrine_witch) July 13, 2016
This is also of particular interest to me as I have a Facebook page. If someone reveals health information of another, i.e. a husband revealing lab tests of his wife without her consent on my Facebook page, is the page owner (me!) also partly liable for providing an opportunity for this misconduct? How about Facebook?
A related question was also tweeted to me that I wasn’t able to ask.
@endocrine_witch can you ask about policies in using Google and Facebook for gov’t and SUCs?
— Rom (@rom) July 13, 2016
How can we ensure we are complying with the law? We should always ask the data subject for consent for the data we collect. And because someone asked why it was specified in the IRR that consent is time bound –
There is no forever in consent 🙂 Atty Patdu comments re: time bound @PrivacyPH #PrivacyPH #DataPrivacyPH pic.twitter.com/YqmdXz2kju
— Iris Thiele Isip Tan (@endocrine_witch) July 13, 2016
I have many more tweets but I will end here. As is always said, ignorantia legis neminem excusat: ignorance of law excuses no one. Please read the IRR of the Data Privacy Act!
Read proposed IRR of #DataPrivacyPH and comment or suggest. https://t.co/qay1VLoPsk
— Noemi L. Dado (@momblogger) July 13, 2016