The Department of Health (DOH) has received reports of lists containing names of COVID-19 positive patients being released publicly and shared around social media.
The DOH reiterates that while RA 11332 (Mandatory Reporting of Notifiable Diseases and Health Events of Public Health Concern Act) provides public health authorities the statutory right to access personal information to enable effective response, it also requires said authorities to ensure patient privacy and confidentiality of the personal information entrusted to them. Relevant information should only be shared to concerned public health authorities who are knowledgeable of their duty in maintaining data privacy.
Moreover, the Department of Health and the National Privacy Commission released Joint Memorandum Circular 2020-0002 entitled Privacy Guidelines on the Processing and Disclosure of COVID-19 Related Data for Disease Surveillance and Response providing specific instructions on the application of data protection and privacy principles in the collection, processing and disclosure of COVID-19-related data in pursuit of disease surveillance and response.
According to the memorandum, “Only concerned healthcare providers, public health authorities, and DOH partner agencies and their authorized personnel shall be allowed to access the personal health information of the COVID-19 cases and/or identified close contacts, pursuant to the guidelines set forth under DOH AO 2020-0013, and the DOH DM 2020-0189.”
In addition, all entities and individuals with access to the personal health information shall be bound by legal duty to protect the personal health information pursuant to these guidelines. The guidelines also provide specific instructions on the processing and sharing of data among authorized personnel. Only the following information may be disclosed for a legitimate purpose:
a. Aggregate health information, or pseudonymized or anonymized detailed health information for public communication; and
b. Mandatory reporting requirements, including personal health information, to national and local public health authorities, and DOH partner agencies.
Any privacy violation, or personal data breach, or security incident shall be penalized in accordance with RA 10173 (Data Privacy Act of 2012), or other applicable laws, rules, and regulations.
Under the Republic Act 10173 – Data Privacy Act of 2012, the following penalties are applicable to those who violate data privacy:
SEC. 29. Unauthorized Access or Intentional Breach. – The penalty of imprisonment ranging from one (1) year to three (3) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than Two million pesos (Php2,000,000.00) shall be imposed on persons who knowingly and unlawfully, or violating data confidentiality and security data systems, breaks in any way into any system where personal and sensitive personal information is stored.
SEC. 32. Unauthorized Disclosure. – (a) Any personal information controller or personal information processor or any of its officials, employees or agents, who discloses to a third party personal information not covered by the immediately preceding section without the consent of the data subject, shall be subject to imprisonment ranging from one (1) year to three (3) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than One million pesos (Php1,000,000.00).
(b) Any personal information controller or personal information processor or any of its officials, employees or agents, who discloses to a third party sensitive personal information not covered by the immediately preceding section without the consent of the data subject, shall be subject to imprisonment ranging from three (3) years to five (5) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than Two million pesos (Php2,000,000.00).
We would like to ask for the cooperation of DOH partner agencies, including the Local Government Units, that as part of their mandate to comply with the DOH COVID-19 guidelines on data privacy and protection, they are responsible for protecting and preserving the identities of COVID-19 cases and identified close contacts, and their families so that this does not result in undue discrimination, or physical and emotional harm or distress.
Further, we call on the public to refrain from sharing these lists around social media. This is illegal and perpetuates the stigma around COVID-19. Our kababayans are already going through enough as it is; let us not exacerbate their situations. Let us all BIDA Solusyons and be responsible with the information we share. COVID-19 is not a death sentence and fear is more dangerous than the disease.