THERE is much concern about data privacy these days because of the numerous scams that are highlighted on social media.
But why is data privacy important? Because data privacy is a right of all: it keeps people’s identities from falling into the wrong hands and being disclosed and used for criminal purposes.
Globally, the Philippines is still considered the social-media capital of the world with a high average number of hours spent on the Internet and social media. However, Filipinos are among the most vulnerable to data and information breaches online. Why so? Just browse Facebook. People post their personal details like mobile phone numbers, even email addresses, for everyone to see, which is a dangerous scenario. Who knows how much damage cybercriminals can do to a person, stealing his/her identity and using it for God-knows-what felonious intention?
Sadly, despite the presence of Republic Act 10173 or the Data Privacy Act of 2012, data privacy in the Philippines remains largely unobserved by many.
Fortunately, this is not the case in the healthcare sector. Because of the strict observance of the confidentiality of information in a doctor-patient relationship, patients’ identity and other personal information such as medical history and ailments are protected.
Even with the emergence of “Telemedicine” or “Teleconsult” online patient consultation platforms during the Covid-19 pandemic, doctor-patient interaction was shielded from any breaches by cybercriminals.
Commitment to protect data privacy
THE National Privacy Commission (NPC), the agency committed to protect and respect Filipinos’ personal data privacy, dealt with the issue of protecting patient information privacy in a telemedicine session by establishing solid coordination with the Department of Health (DOH). The two agencies collaborated and issued guidelines on the use of this online platform and addressed its privacy-related issues, according to Atty. John Henry Naga, Privacy Commissioner and Chairman.
Through an effective partnership, Naga said the NPC and DOH released two circulars, namely the DOH-NPC Joint Memorandum Circular 2020-0001, or the “Guidelines on the Use of Telemedicine in Covid-19 Response,” and DOH-NPC Joint Memorandum Circular 2020-003, or the “Guidelines on the Monitoring & Evaluation (M&E) of the Use of Telemedicine in Covid-19 Response.”
“In relation to privacy, these circulars emphasized the need to uphold data privacy, patient confidentiality, and data security through a framework of accountability and monitoring,” according to Naga.
When asked if there was a time when the privacy of the data provided between doctor and patient was ever compromised during the pandemic, Naga pointed out that the NPC recognizes that due to Covid-19, there was a heightened importance of data privacy since personal and sensitive personal information were being processed. He cited that during these times, there were reports involving possible unauthorized disclosure of health information, including personal data of suspected, probable, or confirmed Covid-19 patients.
“To address this, the NPC released a Public Health Bulletin on this matter (NPC PHE Bulletin 10: Protecting Patient Data from Unauthorized Disclosure), calling on all data protection officers to strengthen the patient data security.”
The bulletin, Naga said, provides information on the appropriate organizational, physical and technical security measures for health institutions, health professionals and personnel to uphold data privacy. “These included increasing awareness measures on data privacy, establishing access controls for patient data, disclosing patient data only to proper authorities, and encrypting patient data.”
Furthermore, if the NPC receives complaints from the public or concerned stakeholders, it acts on these matters based on its investigative mandate as provided in the Data Privacy Act of 2012, he added.
To guarantee that hospital data remains safe and that these comply with NPC guidelines, Naga said the NPC and the DOH, through policy formulation, encouraged telemedicine partners to offer their services for free for a limited timeframe, and participate in the program evaluation of the DOH to scale up telemedicine practice in the Philippines as part of the pandemic response.
As the agency strives to be a responsive regulator, the NPC continues to provide assistance to any personal information controller on their data privacy concerns, through policy, advice, information, dialogue and standards. Naga said this includes assisting hospitals and other healthcare institutions in their data privacy vis-à-vis telemedicine concerns, if any.
“We have also released 22 Public Health Emergency (PHE) bulletins that focused on upholding data privacy in the time of Covid-19. These helped various stakeholders, like hospitals and health professionals, to comply with the DPA and relevant NPC guidelines.”
Patients’ data remain safe
ONE of the country’s Top 10 tertiary hospitals, the Cardinal Santos Medical Center (CSMC), made sure that it complies with the country’s data privacy laws in protecting the privacy of its patients’ data by promoting and complying with the NPC’s five pillars of compliance. These include having a certified Data Protection Officer, a Privacy Manual and Privacy Management Program, Data Privacy Training, Privacy Impact Assessment, plus other data protection measures, according to Dr. Rosemarie Serrano, CSMC’s Senior Assistant Chief Medical Officer and Data Privacy Officer.
Until now, she said, CSMC has not experienced any data breaches, except for a few security incidents that they report to the NPC annually as part of the reporting requirements. “But more than that, we implement measures to prevent the recurrence of these incidents by retraining the staff involved and implementing technical security measures,” says Dr. Serrano.
Also being implemented at the CSMC, she said, are organizational (obtaining patient consent before data processing), physical (restriction of access points for data servers and storage area of medical records) and technical (password protection and encryption of external storage devices) security measures. “These measures were designed to protect the data that patients entrusted to CSMC and make sure that they remain safe,” concluded Dr. Serrano.