Vaccine Registration and Personal Data

Posted byAnne ObnamiaPosted inCompliance, Lawful Processing, Privacy Rights, Privacy TipsTags:, , ,

Vaccines are already here.

We can avail them through our respective Local Government Units (LGU) by registering, usually via online registration. Some LGUs offer pen and paper registration if one does not have the means to access online forms, so be sure to check with your LGU if this option available in your area.

In order to register, we input our personal data.

Have you read the Data Privacy Consent Form or Data Privacy Statement that may have been attached to these online forms?

Personal Data Collected

Majority of the LGUs collect the following data:

  • Personal Information
    • Name
    • Address
    • Contact Number
    • Employment Details (*may or may not be Personal Information, if the employer is a corporation)
  • Sensitive Personal Information
    • ID Type and ID Number
    • Sex
    • Age
    • Civil Status
    • Health Information

The primary purpose of the collection of these data is to register for and obtain a vaccination.

Upon closer inspections of the purposes for those LGUs which provide the Privacy Statement, it is relevant to note that there are common other purposes for which the data will be used. The data collected will also be used for research, statistics, and analysis, for communication purposes, for improving the platform, for data mining and build up activities.

Principle of Proportionality and Right to Object

In data privacy, we have this principle of Proportionality where the data collected must be adequate, relevant, suitable, necessary, and not excessive in relation to a declared and specified purpose. Personal data shall be processed only if the purpose of the processing could not reasonably be fulfilled by other means.

That means to say, you do not get what you do not need. Especially if it is not necessary to give out the primary purpose for which the data will be used. If the data is used for multiple functions, aside from giving out the service intended the data subject has the right to know.

The correlative right of the data subject which is a response to the principle of proportionality, is the right to object. The data subject may refuse, to not give a certain information, or refuse a particular processing that will be done on the data.

If the refusal is not something that would hinder the giving out of the service, then there is no reason to refuse the service. Therefore, if a person refuse to give an information not necessary to get the vaccine, they must not be refused.

This registration must not be used as a means of profiling our constituents, it must not be use as a sort of census. Since this collection of information is for registration and per-registration for vaccination, it must necessarily revolve only on this aspect, unless otherwise provided for in the privacy statement and consent clauses.

What information then is necessary?

With the principle of proportionality in mind, we must try to minimize the data we gathered to only those things that are necessary to carry out the main purpose of the collection, that is giving out the vaccine and being able to analyses the data to be used for DOH statistics.

As such, names and contact information are necessary, in order to identify the person to be vaccinated, and contact them for their schedule.

We also need the address of the person to know whether they are constituents. But is it necessary to get the full address? Yes, only if it is to be used to deliver the vaccine right at their door step. But, if it is to just identify whether they are constituents or not, a full address might not be necessary.

Since we are prioritizing certain people to get the vaccine first, it is necessary to get I.D. Card which will tell us whether indeed they are front liners or senior citizen.

For the health information that is being asked, this will be used for statistics, research and analysis which the might DOH need to know. However, since there are some that do not have privacy statements or consent clauses enumerating the processing that will done on the data, we are forced to guess where they will used. Of course, there are valid reasons to request such information, in case of senior citizen and people with comorbidities, their health might be a factor as to why they they may or may not be able to get the vaccine.

Now, how about employment details? Is it necessary? What purpose would the employment details be used in either giving out the vaccine or in research and analysis with respect to health statistics? I personally, do not see the need to ask for such information. In getting the vaccine it is not important to know whether the person is employed or not, or whom he is employed to. Furthermore, without disclosing the purpose for the collection of such information, if any, there might indeed be a valid reason for the collection. But we do not know that. That is why we are left to guess what it will be used for. Again, this is contrary to the right of the data subject to information.

In short, the data that needs to be collected must serve the primary purpose, and if it does not have a reason to be collected, it should not be collected. We must strive to minimize the data we collect.

Data is Gold

In the increasing digital world, data is shared in an ever increasing speed. Such data is also collated, and analyzed in an ever increasing speed. This data is also being sold and bought. Data, nowadays have value.

The individual data might not mean a lot, except know a certain aspect of a single person. But, if data is collated, gathered and analyzed, one can glean so much information and insights which may beneficial. It could guide actions, innovations, and various responses. Data from our phones are being used to know the latest trends, our latest likes, our location, and many more, then from these information, we can subsequently predict what we might want to have in the future.

The various LGUs which did have a privacy statement have in their processes analysis and research, because, data when gathered together, and studies, it will be able to tell a story. It may show a trend, which may be beneficial in deciding future actions.

Bottom Line is…

if data is this precious, insightful and source of important decisions, it should be a goal of the government to spearhead and show that they care in protecting the data. The first step is giving back control to the data subject. Let them know what their data is for, let them consent willingly and intelligently. By doing so, you teach them to encounter the same in other instances which call for their data, and they may be more scrutinizing for those that do not value their consent and privacy.

Be the best example. So that we would come to expect the same treatment from other private institution.

Dos and Don’ts

Processors

Do:

  • Have a data privacy statement and consent clauses.
  • Have the purposes and processing of data be clearly indicated and enumerated.
  • Make sure that the data is secure from unauthorized access and processing for unauthorized purpose.

Don’t:

  • Do not get information that are not necessary for the processing of service.
  • Do not use the data for unauthorized purpose which may be unauthorized processing.

Data Subjects

Do:

  • Read the data privacy statements and consent clauses.
  • Be aware of the purpose/s for which your data will be used.
  • Remember you have the right to object to processing of your information.

%d bloggers like this: