Privacy & Information Security Law Blog

On April 25, 2020, the Philippines National Privacy Commission (“NPC”) issued a statement that it is investigating several breach notifications it has received relating to the unauthorized disclosure of sensitive personal information of confirmed and suspected COVID-19 patients (the “Statement”).

According to MLex, a communications officer for the NPC has confirmed that the regulator will focus primarily on remedial measures rather than on the imposition of fines as it investigates the 17 breach notifications reports it received between March 15 and April 23, 2020.

In the Statement, the NPC calls upon health institutions and their data protection officers to strengthen the protection of patient data and outlines eight measures that can be implemented to further this objective, including:

1. Regularly remind officials and employees of their ethical and legal duty to protect patient data (e.g., via strategically placed posters and print outs, and by emphasizing that unauthorized disclosure of health data is a prohibited act);
2. Implement access controls for patient data based on least privileges (i.e., on a “need-to-know” basis);
3. Install physical access controls to health facilities (e.g., locks and alarm systems);
4. Ensure proper disclosure of patient data to verified authorities/individuals and in appropriate areas;
5. Protect computer displays from unauthorized or accidental viewing (e.g., via utilizing privacy screens, strategically angling monitors and enabling password protection);
6. Lock away storage media containing patient data when not in use and utilize encryption and password protection for such media;
7. Encrypt patient data while in transit and at rest; and
8. Select secure communication platforms for patient communications and medical care team collaboration.