Data Privacy Act In Office Health

The Data Privacy Act of 2012, or RA 10173, is comprehensive and strict privacy legislation enacted “to protect the fundamental human right of privacy, of communication while ensuring free flow of information to promote innovation and growth.”

It protects the right of customers to confidentiality by setting out legal rules that regulate how companies collect, handle, and dispose of personal information.

Under the Act, all personal health information is confidential, and as the digital economy grows, stricter privacy and security protections for health data must be implemented.

What is the scope of the Data Privacy Act?

This Act applies to the processing of all types of personal information and to any natural or juridical person involved in personal information processing, including personal information controllers and processors who, although not found or established in the Philippines, use equipment located in the Philippines, or who maintain an office, branch or agency in the Philippines.

The processing of personal information is allowed, subject to compliance with the requirements of this Act and other laws allowing disclosure of information to the public, and to adherence to the principles of transparency, legitimate purpose and proportionality.

  • Personal information refers to any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or which, when put together with other information, would directly and certainly identify an individual.
  • Privileged information refers to any and all forms of data which, under the Rules of Court and other pertinent laws, constitute privileged communication.
  • Sensitive personal information refers to personal information:
    • About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;
    • About an individual’s health, education, genetic or sexual life, or about any proceeding for any offense committed or alleged to have been committed by that person, the disposal of such proceedings, or the sentence of any court in such proceedings;
    • Issued by government agencies and peculiar to an individual, including but not limited to social security numbers, previous or current health records, licenses or their denial, suspension or revocation, and tax returns;
    • Specifically established by an executive order or an act of Congress to be kept classified.
  • The processing of sensitive personal information and privileged information is prohibited unless the data subject has given consent.

Such personal information must be safeguarded against accidental or unlawful destruction, alteration or disclosure, and against any other unlawful processing.

What is Consent?

Consent of the data subject refers to any freely given, specific, informed indication of will whereby the data subject agrees to the collection and processing of personal information about and/or relating to him or her.

Consent must be evidenced by written, electronic or recorded means. It may also be given on behalf of the data subject by an agent specifically authorized by the data subject to do so (Republic Act No. 10173, Ch. 1, Sec. 1).

What are the rights of the data subject?

The data subject, the individual sharing his or her personal information, has the right to be fully informed about several aspects of the data collection process, including but not limited to:

(1) the purpose for which the information will be used;

(2) the scope and methods of access;

(3) the recipients or classes of recipients to whom the information is or may be disclosed;

(4) the identity and contact details of the personal information controller;

(5) the period for which the information will be stored;

(6) the existence of their rights and how to exercise them.

What is the penalty?

Violations include the improper or unauthorized processing, handling or disposal of personal information.

Violators can be penalized with imprisonment of up to six years and a fine of not less than five hundred thousand pesos (PHP 500,000) but not more than five million pesos (PHP 5,000,000).

What must management and health care professionals do to comply with the Act?

Companies and healthcare professionals must ensure that health information is collected and processed confidentially, and that data subjects are kept well informed of the process, including being notified of any security breach that occurs.

A Data Protection Officer must be appointed to create privacy awareness programs and privacy and data policies that regulate the handling of all types of information, and to regularly review the quality of data protection.

So what does this mean for Occupational Safety and Health (OSH) professionals?

  • OSH professionals have the right to access their contracts or working agreements and to know the scope of their work in occupational health and safety.
  • They must understand the confidentiality and non-disclosure agreement they have with the company they work for.
  • All devices used in data collection and processing, including laptops, mobile phones, tablets and desktop computers, must be taken care of. These devices should be password protected and encrypted.
  • Ensure that all health records and reports are kept confidential.
  • Be careful with paper medical records and reports. These records must be properly stored and accessed by authorized staff only.
  • Ensure that clinic computers or laptops are locked when you leave the clinic so that trackers and reports are not exposed.
  • Avoid posting patients, or any activities inside your clinics or treatment rooms, on any form of social media.
  • Don’t use your own home laptop for any personal or sensitive data.
  • Only record relevant information in your health trackers and medical records. The data held must not be excessive.
  • Only use personal data for the purpose for which it was obtained.
  • Limit the recipients and the content of your health reports.
  • Only access what you need to do your job.
  • If in doubt, ask for advice (if you can, consult a data protection officer or a lawyer).

Do you have suggested topics that you want us to feature?

Email us at and don’t forget to subscribe to our blog!
