MANILA, Philippines – Gabriel (not his real name) woke up one morning to a neighborhood chismis (gossip) painting him as a patient under investigation (PUI), someone being suspected of harboring the novel coronavirus.
Despite clarifying that it was untrue, the gossip evolved and continues to spread. From being a PUI, he was now alleged to be in critical condition already, with his father becoming another confirmed case.
What was funny at first suddenly got out of hand and turned the situation into a serious one. Gabriel said he’s now afraid, especially given an atmosphere of panic and sometimes near hostility.
“I fear din for me and my family’s safety kasi what if isipin pa ng mga tao na why am I at home and not sa hospital kung malala na nga ako,” he told Rappler.
“People sometimes have the tendency to be paranoid kung totoo nga bang may confirmed case sa paligid nila at baka lang maging mahirap iyong pagpaliwanag sa kanila na the information was wrong,” Gabriel added.
(I fear for my and my family’s safety because what if people are still thinking and wondering why am I at home and not in the hospital even if I’m already allegedly critical. People sometimes have the tendency to be paranoid if it’s true that there are confirmed cases in their area, and it might be too hard to explain that the information they have is wrong.)
Gabriel’s experience is just one of the many problematic incidents that the novel coronavirus outbreak in the Philippines has given rise to. Aside from disinformation, social media has been a sea of viral posts, including personal information of alleged patients, including addresses.
But how does one deal with personal information, especially sans permission, in the time of a pandemic? Rappler answers some questions, based on bulletins issued by the National Privacy Commission, and an interview with a data privacy lawyer.
What information can a health facility or the DOH release about a confirmed case?
The Department of Health (DOH), so far, has not publicly released names or addresses of patients, resorting in direct coordination with local governments for such personal information.
What the department has decided to release daily are “aggregated or anonymized” information of patients. These include nationality, hospitals where they are admitted, and whether or not they have travel history, among others.
Local government units, meanwhile, sometimes release the number of cases per barangay, like what Quezon City did. It, however, did not include address or any other identifiable information of a patient.
“This is another way for them to take their actions outside the scope of data protection laws, because these laws only apply to personal data/information,” Data privacy lawyer Jam Jacob said. “Aggregate or anonymized information are not considered personal data/information.”
When can personal information be released?
Information is indeed vital in any situation. But according to the National Privacy Commission (NPC), proper handling of health information is much more “crucial” in ending the outbreak.
“A person’s health information is considered sensitive personal information (SPI) and as such, should never be posted online nor shared without lawful basis,” it said on Twitter.
There are also several provisions under the Data Privacy Act (DPA) that cover personal information. An example is the “use limitation principle” which means a group may only use information gathered “in pursuit of the purpose you declared when collecting such information.”
But one important thing to know regarding disclosing personal information is that the person should either give permission or you have a legal basis to do so, according to Jacob.
“The policy is stricter if you are dealing with health information, which is considered sensitive personal information,” he said. “With the sensitive personal information, the general rule is that their disclosure is absolutely prohibited.”
In cases that names of patients were reported by either the media or are posted on social media, the information usually came from themselves or their families, and released with consent.
In general, when dealing with personal information, two important concepts should be considered, according to Jacob:
- Legitimate purpose, which means that “if you’re doing it to save lives, to comply with a law or regulation, or some other lawful basis, then chances are you are dealing with information in an appropriate manner.”
- Proportionality which includes collecting only information that you need and limiting access to them by a need-to-know basis.
“It is highly improbable that the public at large will need to know the identities of COVID-19 patients,” he emphasized. “There is a reason why there is no country out there parading a list of their COVID-19 patients.”
Why is releasing personal information of patients without permission counterproductive?
NPC recognizes that DOH is “walking a fine line” when it comes to dealing with information of patients found to be confirmed cases. It acknowledges that while releasing patient information could lead to fear and distress, it may also make people “adopt the right precautions to stop the spread of the virus.”
DOH then needs to consider several factors in determining whether or not disclosure of patient information to the public is necessary, according to the commission. These include:
- The potential harm or distress to the patient arising from the disclosure
- The potential damage to trust in doctors and health institutions in general
- The potential harm of the public in non-disclosure
- The potential benefits in disclosing to the public
“The DOH must continue performing its role and make that crucial call on what information is necessary to release to the public,” NPC said.
Still, there are several dangers in releasing personal information of confirmed cases and even persons under investigation, especially unnecessary disclosure of information.
According to the commission, the consequences could be “far worse than the disease itself.”
“If people believe that their identities will be released to the public when they come out for testing, they may be discouraged to come out – making it more difficult for the DOH and the rest of the inter-agency task force to identify more COVID-19 cases,” it said.
Jacob echoed this sentiment, adding that disclosing personal information of patients would make the crisis more than difficult.
“‘Outing’ COVID-19 patients presents its own set of problems that usually outweighs any benefit/s one could reasonably expect it to give,” he said.
Are there any legal implications for unauthorized sharing of personal information?
The ongoing pandemic created an urgent need for information. While there is legitimate information that should be shared on social media, there are also posts that identify people as patients and disclose their residence.
While some may be well-meaning, this practice may open up floodgates to abuse and violation of privacy.
According to Jacob, it is possible for one to incur liabilities if private information about a confirmed case is shared “without proper authorization or legal basis.”
The type of case, however, depends on different factors, including the sharer, the information shared, recipients, purpose, and authority of power.
The sharer may also be sued for damages “should some type of harm befall the patient after his or her identity is disclosed or shared.”
“Committing acts like causing a person to be alienated from his or her peers, or humiliating him or her on account of a personal condition gives rise to a cause of action based on which a case may be filed against the disclosing party,” he said. – Rappler.com