NPC PHE Bulletin No. 20 Processing of vaccination cards for promos, raffles, or discounts

The National Privacy Commission (NPC) received concerns about the collection of copies of COVID-19 vaccination cards by certain delivery companies, which are also personal information controllers (PICs), wishing to reward vaccinated individuals by offering them promos, raffles, or discounts.

We laud these gestures as part of the ongoing initiative to encourage all eligible individuals to be vaccinated against COVID-19. But we remind all PICs engaged in the personal data processing activity of the following:

  • Vaccination cards contain sensitive personal information such as the vaccinee’s age, date of birth, and health information.
  • In processing sensitive personal information, consent may be a lawful basis. For consent to be valid, it must be freely given, specific, informed, and an indication of will. This means that the vaccinee should explicitly agree to the collection and processing of his or her vaccine card. Consent must also be evidenced by written, electronic or recorded means.
  • A privacy notice must be provided to sufficiently inform the vaccinees wishing to avail themselves of the promos, raffles, or discounts on the details of the processing of their personal data and their rights as data subjects, among other necessary information, for PICs to demonstrate transparency.
  • The use of the vaccine card must also be limited to the purpose for which it was collected, i.e., availing oneself of the promos, raffles, or discounts. It shall not be used for further processing, such as profiling, automated decision making, or for other purposes incompatible with the declared and specified purpose.
  • The health information of the data subjects must be adequately secured. PICs must adopt measures to protect copies of the vaccine cards and shall be accountable for their processing.
  • The vaccine cards should never be posted by PICs on public platforms. Such unauthorized disclosure may be punishable under the Data Privacy Act of 2012 and other applicable laws.
  • Copies of the vaccine cards must be retained only for as long as necessary for the fulfillment of the purpose. These must be disposed of in a secure manner – hardcopies must be shredded properly while softcopies must be deleted or overwritten in a manner that ensures that the stored copy of the vaccine cards are permanently and irreversibly destroyed and beyond recovery.

We also remind all data subjects to report any data privacy concern to the NPC. We may be reached at [email protected]