NPC PHE Bulletin No. 20 Processing of vaccination cards for promos, raffles, or discounts

The National Privacy Commission (NPC) received concerns about the collection of copies of COVID-19 vaccination cards by certain delivery companies, which are also personal information controllers (PICs), wishing to reward vaccinated individuals by offering them promos, raffles, or discounts.

We laud these gestures as part of the ongoing initiative to encourage all eligible individuals to be vaccinated against COVID-19. But we remind all PICs engaged in the personal data processing activity of the following:

  • Vaccination cards contain sensitive personal information such as the vaccinee’s age, date of birth, and health information.
  • In processing sensitive personal information, consent may be a lawful basis. For consent to be valid, it must be freely given, specific, informed, and an indication of will. This means that the vaccinee should explicitly agree to the collection and processing of his or her vaccine card. Consent must also be evidenced by written, electronic or recorded means.
  • A privacy notice must be provided to sufficiently inform the vaccinees wishing to avail themselves of the promos, raffles, or discounts on the details of the processing of their personal data and their rights as data subjects, among other necessary information, for PICs to demonstrate transparency.
  • The use of the vaccine card must also be limited to the purpose for which it was collected, i.e., availing oneself of the promos, raffles, or discounts. It shall not be used for further processing, such as profiling, automated decision making, or for other purposes incompatible with the declared and specified purpose.
  • The health information of the data subjects must be adequately secured. PICs must adopt measures to protect copies of the vaccine cards and shall be accountable for their processing.
  • The vaccine cards should never be posted by PICs on public platforms. Such unauthorized disclosure may be punishable under the Data Privacy Act of 2012 and other applicable laws.
  • Copies of the vaccine cards must be retained only for as long as necessary for the fulfillment of the purpose. These must be disposed of in a secure manner – hardcopies must be shredded properly while softcopies must be deleted or overwritten in a manner that ensures that the stored copy of the vaccine cards are permanently and irreversibly destroyed and beyond recovery.

We also remind all data subjects to report any data privacy concern to the NPC. We may be reached at [email protected].

***

REPUBLIC OF THE PHILIPPINES

All content is in the public domain unless otherwise stated.

ABOUT GOVPH

Learn more about the Philippine government, its structure, how government works and the officials behind it.

GOV.PH
Open Data Portal
Official Gazette
GOVERNMENT LINKS
Department of Information and Communications Technology
Office of the President
Office of the Vice President
Senate of the Philippines
House of Representatives
Supreme Court
Court of Appeals
Sandiganbayan
NPC PRIVACY NOTICE
CONTACT US

+632 5322 1322

[email protected]