COA’s auditing procedures not restricted by data privacy law, says Privacy Commission

  • The Data Privacy Act (DPA) does not obstruct the functions of public authorities.
  • The DPA is not a restriction on the Commission on Audit (COA) gaining access to the personal information of data subjects collected by Philippine Health Corp. (PhilHealth).
  • Personal data to be accessed shall be adequate, relevant, suitable, necessary, and not excessive in relation to its declared and specified purpose of processing.

Through Advisory Opinion No. 2020-016, issued in response to PhilHealth’s request for guidance on a COA memorandum, the National Privacy Commission (NPC) advises the state-run health insurance agency on the COA gaining access to the personal information of data subjects that PhilHealth has collected.

The memorandum states that the DPA does not absolutely prohibit the COA from gaining access to information because the law has exceptions, and that those to be audited cannot deny state auditors the information by invoking the privacy law.


PhilHealth’s concern

While it acknowledged COA’s constitutional mandate to examine resources owned or held in trust by the government, PhilHealth expressed concern that the manner to be employed by the COA in acquiring personal information under its custody and safekeeping, if done through remote access or database cloning, may lead to a personal data breach.


Privacy law not an impediment

In Advisory Opinion No. 2020-016, the NPC reiterates that the DPA does not obstruct the functions of public authorities.

Processing of information to carry out the functions of the authorities as part of a constitutional or legal mandate, subject to restrictions, “is one of the instances where the application of the DPA and its implementing rules and regulations (IRR) is qualified or limited,” the NPC said.

Privacy Commissioner Raymund E. Liboro, who signed the advisory opinion, said the data privacy law was not aimed at hampering or interfering with the performance of the duties and functions of public authorities, such as the COA.

“It falls on COA and its sound judgment in determining what methods to use in the collection or gathering of personal data to perform its auditing functions,” Liboro said.

If the audit agency’s methods in gathering personal data do not violate the provisions of the DPA, the presumption of regularity in carrying out its official duties stands, the NPC chief said.

“Still, it is the responsibility of public authorities as a personal information controller to adhere to the general data privacy principles under the law,” he added.


Proportionality

While it must determine the scope and method of auditing, including gathering personal data from auditees, the COA must abide by the principle of proportionality laid out by the DPA and its IRR, according to Liboro.

In processing personal data, the COA, he said, must ensure that “the personal data collected and processed shall be adequate, relevant, suitable, necessary, and not excessive in relation to its declared and specified purpose, and that personal data shall be processed only if the purpose of the processing could not reasonably be fulfilled by other means.”

# # #