Firms giving vaccine rewards told to get consent

Share on facebook
Share on twitter
Share on linkedin
Share on email

The National Privacy Commission (NPC) on Tuesday, Oct. 12, reminded all personal information controllers (PICs) to get free and informed consent from vaccinees before using any personal information in their Covid-19 vaccination cards for promos, raffles, or discounts.

Photo from

The agency recently issued NPC PHE Bulletin No. 20 in light of reports of collection of copies of Covid-19 vaccination cards by certain companies as a form of reward to vaccinated individuals.

NPC chair Raymund Liboro noted that vaccination cards contained sensitive personal information such as the vaccinee’s age, date of birth, and health information.

“While we laud these gestures as part of the ongoing initiative to encourage all eligible individuals to be vaccinated against Covid-19, we must also remind all PICs of the need to establish a lawful basis in the conduct of their respective personal data processing activities,” Liboro said.

“Securing the free and informed consent of the individuals may be a lawful basis,” he added.

For consent to be valid, Liboro said it must be freely given, specific, informed, and an indication of will. “This means that the vaccinee should explicitly agree to the collection and processing of his or her vaccine card. Consent must also be evidenced by written, electronic, or recorded means,” he said.

A privacy notice must be provided to sufficiently inform the vaccinees wishing to avail themselves of the promos, raffles, or discounts on the details of the processing of their personal data and their rights as data subjects, among other necessary information, for PICs to demonstrate transparency, the NPC chief said.

He also reminded the PICs that the use of the vaccine card must be limited to the intended purpose of giving promos, raffles, or discounts. “It shall not be used for further processing, such as profiling, automated decision making, or for other purposes incompatible with the declared and specified purpose,” he said.

The privacy body said health information of the data subjects must be adequately secured. PICs, it added, must adopt measures to protect copies of the vaccine cards and shall be accountable for their processing.

“The vaccine cards should never be posted by PICs on public platforms. Such unauthorized disclosure may be punishable under the Data Privacy Act of 2012 and other applicable laws,” the agency said.

Copies of the vaccine cards must be retained only for as long as necessary for the fulfillment of the purpose, according to the NPC.

“These must be disposed of in a secure manner – hardcopies must be shredded properly while softcopies must be deleted or overwritten in a manner that ensures that the stored copy of the vaccine cards are permanently and irreversibly destroyed and beyond recovery,” it said.

Facebook Comments Box

Kaijuhost Hosting and WebDesign

Join Our Newsletter! Zero spam, unsubscribe anytime!

Latest Posts