Privacy during public health emergencies

A state of public health emergency has just been declared all throughout the country in the wake of the recent discovery of additional Covid-19 patients. There are already 35 confirmed cases as of this writing.

One major concern running through people’s minds is how exactly should personal data be handled during these extraordinary times. There appears to be a lot of confusion going on.

A couple of weeks ago, the Health department and airline companies clashed over the latter’s supposed unwillingness to share information about their passengers. Those companies have since disputed the government’s claim, arguing that they have, in fact, been very cooperative, especially when it came to sharing information for purposes of contact tracing.

More recently, there have also been heated debates online about the propriety of private individuals disclosing the names of people they feel might have come into contact with confirmed Covid-19 patients. And to be fair, both sides to the controversy have put forward valid arguments to serve their cause.

This is not the time to be confused with what privacy and data protection actually stand for—not when we are all confronted with the same circumstances impressed with significant public interest.

So here are some crucial principles I hope all of us will keep in mind as we deal with this current public health crisis:

• Privacy is not an absolute right. Even under the Universal Declaration of Human Rights, what is prohibited is the arbitrary interference with such right. There will undoubtedly be times when privacy intrusions will be permitted—necessary even—especially if they are meant for the greater good. A genuine state of public health emergency would certainly qualify as one of such times.
• Data protection does not prohibit the collection and sharing of personal data. People tend to forget or at least gloss over the fact that the twin policies underpinning the country’s Data Privacy Act is both the protection of privacy and ensuring the free flow of information. More than anything else, what the law does is establish a system that allows for the proper use of personal data while making sure people’s privacy rights are respected. That’s not supposed to lead us to a world where data sharing is dead; rather, it brings us to one where it is useful and secure at the same time.
• Consent is not always a prerequisite to lawful data sharing or disclosure. Depending on the context (i.e., who’s invoking, what information is involved, and the purpose of the sharing), there are plenty of other grounds under the Data Privacy Act that could justify the sharing or disclosure of personal data. Among other things, it could actually be required by law. Take Republic Act 11332, for example. This law requires all public and private doctors, health facilities, labs, and even NGOs, to immediately report to the DOH any notifiable disease they encounter. Some personal data will necessarily be included in such reports in order to facilitate contact tracing, patient interviews, and review of medical records. Only a myopic, if not misguided, interpretation of the law will lead one to think that consent is the only legal path to data processing.
• Balance is key. During emergencies, key government agencies and first responders are expected to balance the potential harm an individual may suffer if confidential information about him or her are disclosed or shared, against the public interest in the disclosure or sharing of said information. Most of the time, public interest considerations will trump privacy rights in the event of an emergency. Great care, though, should be observed when traversing this balancing act, particularly when public disclosures are involved. Once the information is out there, it will be impossible to take back should one later come to the realization that the disclosure was, in fact, a mistake or at least unnecessary.
• Data minimization should always be considered. Even assuming there is a legitimate basis for the disclosure or sharing of personal data, one should not take it as a blanket license to process such information. With specific objectives in mind, one has to determine the minimum amount of information that is necessary to achieve them. For instance, when making public announcements regarding the profile of Covid-19 patients, what purpose is served when the government mentions his or her religion, or whether he or she has HIV? When there is none to be found, it is best to keep such details under wraps or at least accessible only to those who really need them.
• There will be accountability in the end. To a point, one may forgive well-meaning people for being rash or overzealous when they take matters into their own hands, especially during calamities or emergencies. Still, one has to draw the line somewhere and hold people responsible when they abuse their freedoms and infringe on the rights of others and/or cause them actual harm. Take the case of private individuals who go out of their way to determine who might have come into contact with confirmed Covid-19 patients. They may think they are looking after the public welfare with their initiatives, but that does not excuse them when they post people’s names in social media, chat groups, and other communication platforms, simply because they think those people may have contracted the virus. It may not immediately occur to them, but they could actually be causing more harm than good. There have already been reports of beatings in other countries because the perpetrators thought the victims looked like they came from China and could therefore be possible carriers of the virus. Imagine the worst that could happen to people you call out in public because you think they might have Covid-19, too. This is not to say, of course, that one should sit on valuable information the government could use to stem this crisis. It’s just that going public may not be the right way to act on it. Why not relay the information to the proper authorities instead? Make sure it reaches the DOH or the local government, for instance. After three years of living with the specter of death haunting the President’s so-called drug watchlist, you’d think we, Filipinos, would know better than to come up with a list with little to no basis, and with no conscious appreciation of what may befall those whose names are on it. Apparently, we don’t. Surely, we are better than this—or at least we should be.

Truly, public health crises are no joking matter. People’s lives are at stake. As such, they impose a high standard all stakeholders are expected to meet if there is to be any hope of addressing them before they cause significant, irreversible harm on our lives—literally.

Let us then do our best to live up to such standard when we deal with the present situation. We can start by not allowing ourselves to be confused and disoriented—with privacy, with data protection, and hopefully, with everything else that matter.

Jamael Jacob (@jamjacob) is a lawyer specializing in the field of law, ICT, and human rights. He is currently the Director of the University Data Protection Office of the Ateneo de Manila University, and Policy and Legal Advisor to the Foundation for Media Alternatives. The views expressed herein do not necessarily represent or reflect the views of the organizations he is currently affiliated with.