NPC PHE Bulletin No. 19: Personal data processing for the COVID-19 vaccination program

The National Privacy Commission (NPC) received various reports on the harmful data collection practices apparently for the vaccination program of the government.

For instance, senior citizens were required by a personnel of a local government unit (LGU) to submit their personal data through the comments section of a social media platform if they wish to receive the vaccine. Such comments are publicly accessible and therefore susceptible to further processing and use for unauthorized purposes.

On the other hand, some companies expressed uncertainty as to the requirement to submit personal data of their employees who are willing to be vaccinated and/or may be qualified to avail of the vaccine, on the mistaken belief that this will already be automatically construed as a violation of the Data Privacy Act of 2012 (DPA).

We understand that the above efforts to collect personal data may be related with the masterlisting requirements under the following:

  • Philippine National Deployment and Vaccination Plan for COVID-19 Vaccines (Plan);
  • Department of Health (DOH) Department Memorandum (DM) No. 2021 – 0099 or the Interim Omnibus Guidelines for the Implementation of the National Vaccine Deployment Plan for COVID-19;
  • Republic Act No. 11525 or the COVID-19 Vaccination Program Act of 2021; and
  • Implementing Rules and Regulations (IRR) of RA No. 11525 issued by the DOH and the National Task Force Against COVID-19 through Joint Administrative Order (JAO) No. 2021-0001.

We remind all personal information controllers (PICs), whether in the government or the private sector, that there is a proper manner to accomplish this masterlisting activity without unnecessarily compromising personal data and infringing on the data privacy rights of individuals wanting to be vaccinated against COVID-19.

While the NPC does not intend to offer any opinion involving medical or clinical decision-making in relation to the vaccine roll-out, we issue this Bulletin to provide additional guidance on the vaccination-related personal data processing and a reiteration of our stance that the DPA does not operate to hinder the pandemic response:

1. We emphasize that there are existing laws and regulations which provide for the operational guidelines in the implementation of the nationwide vaccine deployment vaccination program. There are prescribed processes for masterlisting intended vaccinees which should be strictly followed. Government agencies and the private sector should not deviate from these standard processes.

2. The proper preparation and submission of masterlists, using the prescribed methods and formats in accordance with the Plan and laws and related DOH issuances, by required institutions such as health facilities and the LGUs, are allowed under the DPA. The DPA should not be used as an excuse for failing to comply with the masterlisting requirements.

3. Health facilities and LGUs are mandated to securely gather the necessary personal data as determined by the DOH and any other proper government authorities and submit the same through the COVID-19 Vaccine Information Management System – Immunization Registry (VIMS-IR), the official platform for master listing and preregistration of individuals for COVID-19 vaccination. As mentioned in the Plan and the DOH DM, external systems may be used to submit the necessary information following the prescribed minimum required data fields for vaccine registration systems.

4. LGUs and other PICs involved should endeavor to prepare a privacy notice which explains in clear and plain language to the data subjects the details of the vaccination-related personal data processing activities. Essentially, these privacy notices must be able to explain the purpose for collecting personal data, the legal basis for processing, that the personal data shall be stored in the VIMS-IR platform, their rights under the DPA, contact information of the pertinent data protection officers, among others.

5. We understand that consent will be obtained not only for the vaccination but also for personal data collection as well. Consent of the data subjects refers to any freely given, specific, informed indication of will, whereby the data subject agrees to the processing of his/her personal data and this should be evidenced by written, electronic or recorded means. Consent must be obtained prior to any processing of personal data. A data subject may also specifically authorize another person to give consent on his or her behalf. The requirement of evidence of such consent also applies in this situation.

6. The declared purpose of the processing of personal data is to establish a masterlist of eligible population for vaccination to enable health authorities to decide on who can be safely vaccinated from a clinical perspective. Personal data collected for this purpose must not be further processed for other purposes which are incompatible with the specified and declared purpose.

7. We understand that after immunization, the LGUs as well as the private sector are likewise required to submit the masterlist of persons who have already been inoculated through the VIMS-IR, subject to further guidance as may be issued by the DOH and the Department of Information and Communications Technology (DICT). This is likewise recognized under the DPA and should be complied with.

8. On the issuance of the COVID-19 Vaccine Cards, we understand that a standard form shall be used containing the necessary information prescribed by the DOH. While the vaccine cards shall remain accessible through printed cards issued by the health facilities or LGUs in line with the printing standards set by the DOH, the intention is to have digital vaccine cards for which systems and applications will be developed by the DOH, through the DICT. With this, privacy by design should be considered in the development of these digital systems.

9. We remind all PICs involved in the issuance of these vaccine cards, whether in paper or digital format, that these should never be posted in public platforms.

10. Finally, reasonable, and appropriate safeguards (physical, organizational, and technical security measures) must be implemented by the LGUs and other PICs involved to ensure the protection of personal data against any unlawful processing, alteration, disclosure, or destruction. We remind all PICs that the minimum required data for masterlisting is a comprehensive record of a potential vaccinee containing sensitive personal information. The same should be treated with utmost confidentiality and should not be posted in public platforms.

a. Only disclose patient data to proper authorities and in appropriate areas. Refrain from discussing patient data in public areas where unauthorized parties may pick uppersonal data, unless when providing treatment under compelling circumstances. In addition, when discussing over the phone, confirm the identity of the person first and check whether he or she is authorized to receive such information.

b. Protect the computer display from unauthorized or accidental viewing. Prevent the accidental viewing and disclosure of data using privacy screens. If a privacy screen is not readily available or practical, place computer monitors inside secluded cubicles or angle them in such way that minimizes the chance of any unauthorized or accidental viewing by unauthorized individuals. Computers must be locked with a password whenever the authorized user leaves the workstation.

c. Lock storage media away when not in use. If the use of portable storage media (such as USB flash drives or external hard drives) to store patient data is unavoidable, ensure that the files are encrypted, and password protected. Also, make sure they are kept secure when working in public places and not left absentmindedly on desks, counters, in conference rooms, and other common areas where they may be accessed by unauthorized individuals.

d. Ensure that patient data are encrypted, both in-transit and at rest. Electronic copies of patient data must be protected in the same extent that physical files and storage media containing patient data are secured. Encrypting patient data both in-transit and at rest ensures that the files are locked and only accessible to authorized persons.

e. Communicate securely. Security features of systems and networks must ensure that data can be transmitted both internally and externally without malicious or unauthorized users intercepting or harmfully affecting transmission and reception of data. The application of encryption technology (including measures) will protect transmissions from interception and exploitation of sessions, thereby increasing the security and stability of communications. Also, choose a secure platform for team collaboration and patient communication. For further protection, ensure that the documents are encrypted with a password of sufficient strength. The password must be sent via a separate channel like SMS/text. It is likewise advised that apart from setting a strong password, use a second-factor authenticator whenever logging into accounts.

f. Conduct independent security audits and tests. After the development of data processing systems (e.g., websites, databases, and e-health systems), they must be subjected to independent security and privacy tests including, but not limited to, Source Code Audits, Vulnerability Assessment and Penetration Testing (VAPT), and Privacy Impact Assessment (PIA). This is to validate your system implementation and find out if your data processing systems are vulnerable to common and latest threats/vulnerabilities.

g. Strengthen your systems against prominent web attacks. A well-structured system, including both the front-end and back-end, ensures the protection of your data against common web attacks. The vulnerabilities found in the conduct of audits and tests must be fixed first before the system is used further. Also, it is important to secure the communication between a user’s web browser and your site. This will add another layer of protection to your system.

h. Update your systems and its components. The security and privacy vulnerabilities yesterday may not be the same today. Make a conscious effort to continuously improve or update your systems and implement best practices in configuring or hardening them (e.g., database encryption at rest, encryption in transit, network access controls, data access controls, and audit logs). A web application firewall can be installed to deter Distributed Denial of Service (DDoS) attacks.

i. Back up your data. When conducting regular maintenance like a system update, upgrade, or configuration, ensure to run a full backup of your website periodically. It must follow your system documentation consistently and obtain a clearance from an accountable officer in your organization such as the Data Protection Officer (DPO). Online backups are also a convenient way to ensure an accessible copy of your website when the need arises. You may use the “3-2-1” strategy:

      • i. 3 total copies of the data
      • ii. 2 copies are local but on different mediums
      • iii. 1 copy is offsite which may be geographically separated or in an online cloud computing platform

In an event of a ransomware, one should not give into the ransom demands of the perpetrator. Backups are the only guaranteed solution that will restore data.

j. Consider migrating to Cloud. Use of cloud computing services reduces capital expenses like housing and maintaining your own data centers with servers, storages and other ICT active components. In addition, it eliminates the tedious task of upholding the security of your infrastructure. Your cloud service provider does that for you. However, keep in mind that proper security and routine maintenance of your web application that runs in the cloud is your full responsibility.

k. Data Privacy as a priority. While we have competing priorities as of this point in time, compliance with the Data Privacy Act of 2012 must also be a priority to protect patient records. Data privacy must be integrated in the whole data lifecycle from start to finish, to ensure all data are securely created, retained, and securely destroyed at the end of the process. To secure that the data lifecycle is protected, end-to-end, the data lifecycle needs to be improved to effectively manage, creation, manage archiving, transport, and deletion of data. One can conduct a Privacy Impact Assessment to determine data privacy risks and a control framework to address those gaps in the data lifecycle.

l. Security Incident Management. LGU Health Departments, hospitals, clinics, and health care institutions as Personal Information Controllers must immediately notify NPC and affected data subject in case of a potential or actual personal data breach. The organization’s Data Protection Officer and/or Data Breach Response Team should immediately be alerted to swiftly respond and act on security incidents to prevent further disclosure of patient data.