Since some of the establishments will be reopening under the MEQC and GCQ, processing of personal data will play a role in preventing further spread of Covid19.
Under the DTI and DOLE Interim Guidelines on Workplace Prevention and Control of Covid-19, there are measures that should be implemented in all workplaces consistent with the objectives of the minimum health standards of the DOH.
In relation to personal data, the following are the mandatory processing activities that shall be implemented with our discussion of the legal bases:
- All employers and workers (including visitors) shall accomplish the health symptoms questionnaire (with temperature checking and recording) and submit to the guard or designated safety officer prior to entry.
This is consistent with the directive of DOH that allows the collection of relevant information in relation to Covid 19.
With respect to the collection of above data, processing of personal information can be done even without the consent of the data subject since it is necessary for compliance with legal obligation, to protect the interest of the data subject or the controller, and to respond to national emergency. With respect to processing of the health information which is a sensitive personal information, it could be processed since it is provided for by the existing government regulation and it is necessary to protect the life and health of the data subject or another person. These are considered lawful processing activities under the Data Privacy Act (DPA).
Further, to ensure compliance with the DPA, according to the National Privacy Commission (NPC), it is advisable to provide a privacy notice indicating the purpose and basis of the collection of such personal data. Once collected, reasonable and appropriate safeguards must ensure the security of the forms and personal data contained therein. (NPC PHE BULLETIN No. 3)
- Employer shall provide the DOLE through its Regional Office copy furnished DOH, monthly reporting of illnesses, diseases and injuries utilizing the DOLE Work Accident/Illness Report Form (WAIR).
With respect to Covid19, reporting to DOLE can be done as provided for by the law on Occupational Safety and Health Standards under RA 11058 which requires the reporting of illnesses, diseases and injuries in workplaces.
Reporting to DOH can also be done as provided for by the Mandatory Reporting of Notifiable Diseases and Health Events of Public Health Concern Act under RA 11332.
The sharing of data to DOLE and DOH can be done considering that under the DPA, sharing is allowed if its provided for by law. As in this case, RA 11058 and RA 11332 allow the sharing of the personal data to the concerned government agencies.
As for disclosure within the organization, according to the NPC, the company may make the necessary notices internally without disclosing the identity of the person who is COVID-19 positive. (NPC PHE BULLETIN No. 3)
The above measures are in keeping with the purpose of the DPA which is to safeguard the fundamental human right of every individual to privacy while ensuring free flow of information for innovation, growth, and national development.
ADM PRIVACY WEBSITE 