NPC holds first ever Health Privacy Forum to promote sector compliance

The National Privacy Commission (NPC) held on Oct. 15 a capacity-building webinar for data protection officers (DPOs) of the health sector to help them improve privacy and protection protocols.

NPC’s first-ever Health Privacy Forum, which drew in almost 200 participants, was conducted in the wake of the Commission’s findings that the sector’s compliance with data privacy standards fared dismally and may have been the primary cause of the breaches the sector had reported so far this year.

Discussions included a recap of pertinent privacy issuances during the pandemic, compliance updates, emerging privacy issues in the health sector, and trends and challenges the sector may face as it finds the delicate balance between data protection and public health interest.

`Right thing to do’

Dr. Enrique A. Tayag, director of the health department’s Knowledge Management and Information Technology Service, said “blending data privacy with our public health response to the COVID-19 pandemic is possible, and is the right thing to do.”

“Data privacy and security risks will always remain in public health. If the public does not trust that we will protect their data, we won’t be able to succeed. Our contact tracing will be affected because the public won’t provide us with accurate information,” said Tayag, who is known for his almost 30-year work in epidemiology.

The Department of Health (DOH), as a clearinghouse for tech solutions on COVID-19, elevates these applications to the NPC which, in turn, evaluates their compliance with data privacy and protection standards, Tayag said.

To date, the DOH has evaluated 69 out of 113 proposed third-party tech solutions and 32 of their contracts, such as data-sharing and outsourcing agreements. It has also conducted five privacy impact assessments. In all these, the NPC extended its expertise to ensure that these uphold privacy principles.

Tayag encouraged DPOs to keep abreast of COVID-19 developments that may compel a rethink on their strategies.

“Let’s study the policies and strategies, and accept that we need to learn. We must also ensure that we comply with these,” Tayag said. “To grow is to change.”

Bottom spot, human error

Data from the Compliance and Monitoring Division (CMD) of the NPC showed that no company from the health sector in the July to September privacy sweep fulfilled the minimum requirement of securing NPC registration, effectively pushing it to the bottom spot among all nine sectors the Commission monitors.

CMD Director Olivia Khane S. Raza said that in the 10 months to October, the main cause of breaches in the health sector was human error (64 %). In contrast, human error accounted for 39% of the breaches for all nine sectors, second to malicious attacks (48%).

Privacy Commissioner Raymund E. Liboro described the findings as “worrisome,” as health institutions take the lead in the country’s contact-tracing efforts.

“The Privacy Forum was held to push health DPOs to review their strategies and add more guardrails to data as the economy starts opening up, which only means contact tracing will be rolled out in more places as well. We must then intensify work in improving our processes to build trust, ” Liboro said.

He said the lack of trust and transparent mechanisms was giving people legitimate reasons to refuse disclosing their personal information and their conditions for fear of misuse and abuse of their data. ``Trust must be the cornerstone principle of contract tracing in order that our efforts be not for naught.”

# # #