The Duty to Disclose and the Right to Privacy at the time of the COVID-19 Pandemic











By Merceidez Louise S. Ragaza


With reports and narratives on discrimination and harassment of suspect, probable, and confirmed cases - including an uproar to make personal information of these cases available to the general public - heavily circulating since the government declared a state of public health emergency throughout the Philippines due to the outbreak of the coronavirus disease (“COVID-19”), it is imperative to know that Philippine laws provide adequate measures of protection against the unwarranted invasion of one’s right to privacy.


Per Department of Health (“DOH”) Administrative Order No. 2020-12, COVID-19 has been classified as a notifiable disease, and Republic Act No. 11332 (“RA 11332”), or the Mandatory Reporting of Notifiable Diseases and Health Events of Public Concern Act, (1) makes it obligatory to report suspect, probable, and confirmed cases of COVID-19 to local or state health authorities, and (2) prohibits and penalizes the non-cooperation of persons and entities that should report and/or respond to such mandate, including those identified as having COVID-19. Nonetheless, data collection, analysis, and the dissemination of information from official disease surveillance and response systems: (1) can only be done by authorized personnel from the DOH and its local counterparts, (2) may only be used for public health concern purposes only, and (3) is subject to established measures for data security and confidentiality.


To protect such rights, RA 11332 also penalizes with imprisonment of one (1) month to six (6) months and/or fine ranging from twenty thousand pesos (PhP20,000.00) to fifty thousand pesos (PhP50,000.00), as well as the cancellation of business permit and license to operate, if applicable, the unauthorized disclosure of such private and confidential information pertaining to a patient’s medical condition or treatment as well as the tampering of records or intentionally providing misinformation, unless such disclosure was made to comply with a legal order issued by a court of law with competent jurisdiction. Liability therefor extends to the chief executive officer, president, general manager, or such other officer in charge if the offense is committed by a public or private health facility, institution, agency, corporation, school, or other juridical entity.


Relatedly, Republic Act No. 10173 (RA 10173”), or the Data Privacy Act, considers as “sensitive personal information” any information about an individual’s age, health, and previous or current health records issued by government agencies.


In this regard, processing (or the collection, recording, organization, storage, update or modification, retrieval, consultation, use, consolidation, blocking, erasure, or destruction) of “personal information” (i.e., any information from which the identity of an individual is apparent or can be reasonable and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual) is permitted only if the data subject or his or her agent consents, or the processing is necessary for: (1) protection of vitally important interests of the data subject, including life and health; (2) response to national emergency; (3) public order and safety; or (4) fulfillment of functions of public authority, among others.


Further, processing of sensitive personal information, including information about one’s health, is prohibited, except when: (1) the data subject consents specific to the purpose prior to the processing; (2) the processing is required by existing laws and regulations, subject to protection guarantees; (3) the processing is necessary to protect the life and health of the data subject or another person and the data subject is not legally or physically able to express his or her consent prior to the processing; or (4) for purposes of medical treatment, the processing is carried out by a medical practitioner or a medical treatment institution, and an adequate level of protection of personal information is ensured, among others.


While consent is not at all times a requisite, RA 10173 entitles the data subject to: (1) be informed of any processing of his or her personal information; (2) dispute the inaccuracy or error in the personal information and have it corrected immediately and accordingly; (3) suspend, withdraw, or order the blocking, removal, or destruction of his or her personal information if they are incomplete, outdated, false, unlawfully obtained, used for unauthorized purposes or are no longer necessary for the purposes for which they are collected; and (4) be indemnified for any damages sustained due to such inaccurate, incomplete, outdated, false, unlawfully obtained, or unauthorized use of personal information.


RA 10173 likewise penalizes with imprisonment ranging six (6) months to seven (7) years and fines ranging from one hundred thousand pesos (PhP100,000.00) to five million pesos (PhP5,000,000.00) the following acts: (1) unauthorized processing; (2) accessing due to negligence; (3) improper disposal; (4) processing for unauthorized purposes; (5) unauthorized access or intentional breach; (6) concealment of security breaches; (7) malicious disclosure; (8) unauthorized disclosure; and (9) combination or series of such acts involving personal information and sensitive personal information.


Indeed, while the COVID-19 pandemic requires the mandatory disclosure of cases for investigation, review, contact tracing, specimen collection and testing, risk assessments, and population surveys, among others, such mandate is not inconsistent or incompatible with one’s right to privacy, as both RA 11332 and RA 10173 mandate respect, to the fullest extent possible, of the rights of people to liberty, bodily integrity, and privacy while maintaining and preserving public health and security, through measures of protection and remedies for data security and confidentiality.


After all, while the Constitution mandates the State to protect and promote the right to health of the people (Section 15, Article II, 1987 Constitution), it equally commands that the privacy of communication and correspondence shall be inviolable except upon lawful order of the court, or when public safety or order requires otherwise as prescribed by law (Section 3, Article III, 1987 Constitution). In the words of the Supreme Court, “xxx protection xxx of the dignity and integrity of the individual has become increasingly important as modern society has developed [and] xxx the capacity to maintain and support this enclave of private life marks the difference between a democratic and a totalitarian society” (Morfe v. Mutuc, G.R. No. L-20387, 31 January 1968).


This article first appeared in Business World, a newspaper of general circulation in the Philippines.


This article is for informational and educational purposes only. It is not offered and does not constitute legal advice or legal opinion.


The author is a Senior Associate of the Litigation and Dispute Resolution Department (LDRD) of the Angara Abello Concepcion Regala & Cruz Law Offices or ACCRALAW. She may be contacted through (632) 8830-8000 or msragaza@accralaw.com.



Register here for your monthly Asia legal updates