National Privacy Commission Releases Guidelines on the Processing of Personal Data during Health Emergencies
Recognizing the role of data-driven technologies in addressing the COVID-19 pandemic, the National Privacy Commission (NPC) has released guidelines on the processing of personal data during public health emergencies.
The guidelines state that in implementing strategies such as testing, contact tracing, treatment and the like, the principles of transparency, legitimate purpose, proportionality, safeguards, data subject rights, and accountability shall be taken into account.
Additionally, there must be a lawful basis for processing personal data which shall be based on applicable laws, rules, and regulations. Moreover, the data collected must not be repurposed for marketing, profiling, or other analogous purposes.
The guidelines also provide for limitations in the processing of personal data. Further processing is permissible only when it is compatible with the original purpose, communicated to the data subject, and not beyond what may be reasonably expected by the data subject.
On the other hand, further processing shall be considered incompatible when it would deviate greatly from the original purpose of addressing public health emergencies, result in an unjustified consequence on the rights and freedoms of data subjects, and not be reasonably expected by the data subject.
Processing for research purposes shall also be permissible as long as it is for a public benefit and subject to existing laws. Moreover, the processing of data for health research shall only involve aggregate or anonymized data, and must secure approval from an Ethics Board.
Personal information controllers (PICs) are called upon to collect only necessary personal data and are limited to contact tracing forms and COVID-19 vaccine cards. They are likewise called upon to conduct privacy impact assessments (PIAs) prior to the adoption, use, or implementation of any personal data processing systems and to adopt adequate security measures. Moreover, PICs must ensure transparency in all personal data processing activities by posting an appropriate privacy notice. These notices shall use clear and plain language and should be conveyed prior to the collection of data.
With respect to application (app) permissions, they must only request minimum permissions, be context-specific, provide adequate user choices, only access sensitive permissions when necessary, and pay attention to libraries.
Personal data collected through these systems shall be stored in a secure manner and shall be retained only as long as necessary. Afterwards, data must be disposed of in a proper and secure manner.
The circular can be accessed here.