Support Centre

Philippines: NPC warns against unlawful collection of personal data for COVID-19 vaccination

The National Privacy Commission ('NPC') issued, on 1 May 2021, a bulletin addressing the processing of personal data for COVID-19 vaccination programs both at national and local levels. In particular, the NPC noted that some companies had expressed uncertainty as to whether the requirement to submit personal data of employees for vaccination purposes complied with the Data Privacy Act of 2012 (Republic Act No. 10173). In this regard, the NPC emphasised that all personal information controllers, whether in the Government or the private sector, should not deviate from the standard processes outlined in:

  • Philippine National Deployment and Vaccination Plan for COVID-19 Vaccines;
  • Department of Health Memorandum No. 2021-0099 on the Interim Omnibus Guidelines for the Implementation of the National Vaccine Deployment Plan for COVID-19; and
  • COVID-19 Vaccination Program Act of 2021 (Republic Act No. 11525) and Implementing Rules and Regulations of Republic Act No. 11525.

Furthermore, the NPC highlighted that appropriate safeguards must be implemented by all controllers involved to ensure the protection of personal data against any unlawful processing, alteration, disclosure, or destruction. Specifically, the NPC elaborated that this includes, among other things, employing encryption techniques, conducting independent security audits, and establishing security incident management processes.

You can read the bulletin here.