NPC reminds companies giving vaccine rewards to get consent

The National Privacy Commission (NPC) has reminded all personal information controllers (PICs) to get vaccinees’ free and informed consent before using any personal information in their COVID-19 vaccination cards for promos, raffles, or discounts.

The agency recently issued NPC PHE Bulletin No. 20 in light of reports that certain companies have been collecting copies of COVID-19 vaccination cards as part of rewards offered to vaccinated individuals.

Privacy Commissioner Raymund Liboro noted that vaccination cards contained sensitive personal information such as the vaccinee’s age, date of birth, and health information.

“While we laud these gestures as part of the ongoing initiative to encourage all eligible individuals to be vaccinated against COVID-19, we must also remind all PICs of the need to establish a lawful basis in the conduct of their respective personal data processing activities,” Liboro said.

“Securing the free and informed consent of the individuals may be a lawful basis,” he added.

For consent to be valid, Liboro said it must be freely given, specific, informed, and an indication of will.

“This means that the vaccinee should explicitly agree to the collection and processing of his or her vaccine card. Consent must also be evidenced by written, electronic, or recorded means,” he said.

A privacy notice must be provided to sufficiently inform the vaccinees wishing to avail themselves of the promos, raffles, or discounts on the details of the processing of their personal data and their rights as data subjects, among other necessary information, for PICs to demonstrate transparency, the NPC chief said.

He also reminded the PICs that the use of the vaccine card must be limited to the intended purpose of giving promos, raffles, or discounts.

“It shall not be used for further processing, such as profiling, automated decision making, or for other purposes incompatible with the declared and specified purpose,” he said.

The health information of the data subjects must be adequately secured. PICs must adopt measures to protect copies of the vaccine cards and shall be accountable for their processing.

The vaccine cards should never be posted by PICs on public platforms. Such unauthorized disclosure may be punishable under the Data Privacy Act of 2012 and other applicable laws.

Copies of the vaccine cards must be retained only for as long as necessary for the fulfillment of the purpose. These must be disposed of in a secure manner – hardcopies must be shredded properly while softcopies must be deleted or overwritten in a manner that ensures that the stored copies of the vaccine cards are permanently and irreversibly destroyed and beyond recovery.

The NPC also reminded all subjects to send a report to its information desk at [email protected] for any concerns, questions, reports, and complaints.

-- END --