THE National Privacy Commission (NPC) said digital tools designed to help health authorities contain the coronavirus disease 2019 (COVID-19) pandemic should avoid over-collecting personal data.
“COVID-19 related apps can only achieve the desired level of uptake if it is clear about its legitimate purpose, is transparent on how it uses personal data and proportional in its collection. The App must not over-collect personal information from users and collect only what is necessary for the purpose” Privacy Commissioner Raymund E. Liboro said in a statement on Monday.
The Department of Health has launched a COVID-19 tracker app that collects data from hospitals and laboratory facilities to provide information on testing and health facilities.
The tracker includes data on the capacity of laboratory testing facilities and the availability of protective equipment, beds, and ventilators. The public can also track the number of confirmed cases per area, broken down by age and sex.
The Philippine Red Cross launched an app that uses mobile wireless and location data capabilities to inform users if they could have had contact with a patient that has tested positive for COVID-19, while StaySafe.ph is a health reporting system designed to help improve contact tracing.
Mr. Liboro said that personal information controllers (PICs) must ensure that the app is built on a legitimate purpose, which in this case is limited to the aim of defeating the pandemic.
PICs are individuals who can process personal data or instruct another to do so.
“The app’s design, functionalities, personal data collection and extent of processing must never deviate from this purpose,” Mr. Liboro said, adding that personal data processing must stop as soon as the purpose is achieved.
He said that the collected personal data must be discarded securely to prevent further use and minimize privacy risks.
NPC said that PICs must only collect the minimum data necessary to achieve the objective, and do so using the least intrusive method. The commission also said that PICs must inform users how the app will collect, use, store, share, and dispose of their personal data through a privacy notice.
Mr. Liboro added that PICs must implement security measures as data processing online is vulnerable to cyber threats and inform users of their data subject rights.
The government requires individuals who have tested positive for COVID-19 to declare personal information to the health department. Cabinet Secretary Karlo Alexei B. Nograles, spokesperson of the Inter-Agency Task Force for Emerging Infectious Diseases (IATF-EID), said this would enhance contact tracing efforts. — Jenina P. Ibañez
