NPC Releases Advisory Opinion on Data Sharing with the Philippine National Police
The National Privacy Commission (NPC) released Advisory Opinion No. 2021-043 on data sharing with the Philippine National Police (PNP). In particular, the advisory opinion addressed whether the personal and sensitive personal information of drug surrenderers undergoing rehabilitation may be shared by the Iloilo City Health Officer (CHO) with the PNP.
Under NPC Circular 2020-03, data sharing is defined as the “sharing, disclosure, or transfer to a third party of personal data under the custody of a personal information controller to one or more other personal information controller/s.” Moreover, a data sharing agreement (DSA) is defined as “a contract, joint issuance or any similar document which sets out the obligations, responsibilities and liabilities of the PICs involved in the transfer of personal data between or among them, including the implementation of adequate standards for data privacy and security and upholding the rights of the data subjects.”
The NPC stated that while a DSA is not mandatory, its execution is evidence of best practice and a demonstration of accountability among the parties. In this case, the data protection officers (DPOs) of the local government unit and the PNP may likewise be consulted to provide a better understanding of the DSA and its possible necessity.
Under the NPC circular, data sharing may be based on any of the criteria for lawful processing under Sections 4, 12, or 13 of the Data Privacy Act of 2012 (DPA). Additionally, the same circular does not prohibit the sharing, disclosure, or transfer of personal data if already authorized by law.
In this instance, the processing by the PNP may fall under any of the instances in Section 13 of the DPA, specifically processing provided for by existing laws and regulations.
In any event, the NPC reiterated that both parties must adhere to the general data privacy principles of transparency, legitimate purpose, and proportionality in processing personal data. With respect to legitimate purpose, processing must be compatible with a declared purpose not contrary to law, morals, or public policy. With respect to proportionality, the processing must be relevant, suitable, necessary, and not excessive in relation to a declared and specified purpose.
Hence, the PNP must declare the specific purpose(s) for requesting the data in accordance with Section 11 (a) of the DPA. Additionally, the PNP must cite the specific provisions of laws, rules, and regulations mandating it to process the personal data of drug surrenderers.
If the PNP clarifies that its processing falls under Section 4(e) of the DPA, “it means that the provisions on the lawful criteria for processing of personal data under Sections 12 and 13 of the DPA do not apply and the exemption from the requirements is only to the minimum extent necessary to achieve the specific purpose, function, or activity.”
In choosing the lawful basis for processing, the PNP as personal information controller (PIC) must choose the lawful basis that most closely reflects the true nature of the relationship with the data subject and the purpose of the processing.
Moreover, the NPC stated that statistical data may be submitted in lieu of the personal data of data subjects in line with purpose limitation and data minimization requirements.
The full advisory opinion can be accessed here.