The National Privacy Commission (NPC) has clarified that the Data Privacy Act does not absolutely prohibit the Commission on Audit (COA) from gaining access to personal information of data subjects collected by PhilHealth.
The NPC said the DPA has exceptions and that those to be audited cannot deny state auditors the information by invoking the privacy law.
The privacy agency disclosed that it provided guidance to PhilHealth through Advisory Opinion No. 2020-016, which it issued in response to the state-run health agency's request for advice on a COA memorandum.
While it acknowledged COA’s constitutional mandate to examine resources owned or held in trust by the government, PhilHealth expressed concern that the manner to be employed by the COA in acquiring personal information under its custody and safekeeping, if done through remote access or database cloning, may lead to a personal data breach.
In its advisory, the NPC reiterated that the DPA does not obstruct the functions of public authorities.
Processing of information to carry out the functions of the authorities as part of a constitutional or legal mandate, subject to restrictions, “is one of the instances where the application of the DPA and its implementing rules and regulations (IRR) is qualified or limited,” the NPC said.
NPC chair Raymund E. Liboro, who signed the advisory opinion, said the data privacy law was not aimed at hampering or interfering with the performance of the duties and functions of public authorities, such as the COA.
“It falls on COA and its sound judgment in determining what methods to use in the collection or gathering of personal data to perform its auditing functions,” Liboro said.
If the audit agency’s methods in gathering personal data do not violate the provisions of the DPA, the presumption of regularity in carrying out its official duties stands, the NPC chief said.
“Still, it is the responsibility of public authorities as a personal information controller to adhere to the general data privacy principles under the law,” he added.
While it must determine the scope and method of auditing, including gathering personal data from auditees, the COA must abide by the principle of proportionality laid out by the DPA and its IRR, according to Liboro.
In processing personal data, the COA, he said, must ensure that “the personal data collected and processed shall be adequate, relevant, suitable, necessary, and not excessive in relation to its declared and specified purpose, and that personal data shall be processed only if the purpose of the processing could not reasonably be fulfilled by other means.”