Last week, we discussed what data privacy is and the different rights of a person in relation to information about him or her. Recently, we have been hearing calls to release COVID-19 patient information especially during the early weeks of the pandemic. The reason given for such calls were myriad. Foremost of the reasons given was that the public has an interest in the information in order to slow down – if not, stop – the infection. Those calling for the release of patient information argue that if the people know who got infected, it would help greatly in contact-tracing, isolation, and, inevitably prevention. On the other side of the debate, those who were against the release of patient data argue that if the identity of COVID-19 patients are released, it may cause such patients to be discriminated against; their lives might also be put in danger.

Both sides of the argument have a point, actually. But this is not about whether one side has a better argument than the other. This is a matter of what the law states and the law is unequivocal in this matter.

The Data Privacy Act penalizes the release of personal data/information without the consent of the owner of said personal data/information. In other words, without the consent of the data subject, no information may be released to a third person. Unauthorized release of personal data/information carries with it, hefty penalties, even imprisonment. This is the reason why during the time when DOH was still releasing information about COVID-19 patients, they used “Patient __” to protect the identity of the patient concerned. In addition, Republic Act No. 11332 or the Mandatory Reporting of Notifiable Diseases and Health Events of Public Health Concerns Act prohibits the release of any information about a patient and his/her treatment.

The Data Privacy Commission (DPC) has time and again released official statements in relation to data privacy in the time of this COVID-19 pandemic. In its statements, the DPC has reiterated that consent is necessary for the release of personal information of COVID-19 patients.

Question, does that mean a patient can refuse to give personal information to the hospital or the government? The answer is NO.

When a person has an infectious disease like, say, COVID-19, R.A. 11332 makes it mandatory for said person to report that s/he has an infectious disease. Said person must also follow the instructions of public health authorities when it comes to treatment and quarantine. Non-compliance with this mandatory requirement is penalized with a fine and imprisonment.

Also, the Data Privacy Act provides for exceptions when personal data/information may be shared or disclosed even when consent was not given by the data subject. Sec. 12 (c) and (e) provides that the processing of personal information is permitted when “(c) The processing is necessary for compliance with a legal obligation to which the personal information controller is subject;” and “(e) The processing is necessary in order to respond to national emergency, to comply with the requirements of public order and safety, or to fulfill functions of public authority which necessarily includes the processing of personal data for the fulfillment of its mandate.”

We have heard of stories of patients deliberately withholding information about their medical history, travel history, recent contacts, etc., all in the fear of being isolated and not being able to see their loved ones. That, however, is not only dangerous and unnecessarily puts our health professionals’ health at risk, but it is also against the law.