The unreasonable delay in the release of COVID-19 test results for repatriated Overseas Filipino Workers (OFWs) has been in the news of late. Many called on the government to act faster, and the latter vowed to look into it.
When government response finally came, it was not what many had expected.
In an Advisory, dated 21 May 2020, the Inter-Agency Task Force for the Management of Emerging Infectious Diseases, through its Sub-Task Group (STG) for the Repatriation of OFWs, announced that the quarantine certificates for returning OFWs who had completed the mandatory facility-based quarantine and had tested negative for the COVID-19 virus are already available at the Philippine Coast Guard (PCG) website and Facebook page. It also mentioned that two additional documents could be accessed in the platforms: (1) the OFWs’ Philippine Red Cross RT-PCR Test Laboratory Report; and (2) a Master List of all OFWs qualified by the STG to return home.
It turns out the website and Facebook page do not actually host the documents mentioned. Instead they provide links to a Google Drive folder where all the files are located. But no matter — it doesn’t change the fact that it is an irresponsible, and arguably unlawful, act on the part of the STG.
The government body needs to be reminded that it is dealing with sensitive personal information belonging to thousands of Filipinos, and that there is a law — the Data Privacy Act of 2012 (DPA) — that applies precisely to this situation. The DPA describes the proper way for handling this kind of information. To say that what the STG is doing is a departure from the requirements of the law is an understatement.
Sensitive Personal Information Are Involved
Under the DPA, any information that permits the identification of a specific individual is considered personal information. If it includes data like a person’s age or any information about his or her health, then it’s further classified as sensitive personal information. This distinction is significant because the grounds upon which sensitive personal information can be processed are different ,and imposes stricter conditions. There are also specific security requirements that only apply to sensitive personal information while in government custody. Finally, heavier penalties await those who violate the law while handling sensitive personal information.
In this case, anyone can obtain the following information about a person whose quarantine certificate is being “distributed”: (1) full name; (2) home address; (3) the fact that he/she has completed the mandatory quarantine process; (4) the fact that he/she is COVID-19 free; (5) the entity that carried out the test and produced the report; (5) the date when the test was carried out. As an added bonus, one also gets a sample of the signatures of the signing authorities (one from the Bureau of Quarantine, and another from the PCG).
Meanwhile, anyone who gets access to the Molecular Laboratory Negative Results will also see the following about the test subject: (1) full name; (2) the lab ID assigned to him/her; (3) age; (4) sex; (5) the entity that requested for his/her test; (6) the specimen type obtained; and (7) the result of the test for each individual. Once again, the signature specimens of a number of individuals (4 of them, this time) are in full display.
Clearly, sensitive personal information is involved.
No Basis for the Public Disclosure
Any organization or individual that wishes to disclose or make public sensitive personal information must look to Section 13 of the DPA and determine if it can invoke any of the grounds there to justify its planned course of action. For instance, did it obtain the permission of those people whose information it is about to disclose? Or how about this: is it actually required by law to make such public disclosure? There are 6-8 items to check, all in all.
Absent any proof that the OFWs themselves gave their express consent to the public disclosure of their information, it’s nearly impossible for the STG to argue that their ongoing public disclosures are lawful.
Security of Sensitive Personal Information in Government
The duty to provide data protection applies to everyone engaged in personal data processing. However, the expectation is higher when the government is involved. The main reason is that many government agencies are major data repositories. They tend to have more information in their hands, and often have it easier, too, when it comes to data collection. The bar is set higher for sensitive personal information, too, because of the greater risks involved when they are misused or compromised.
Such special treatment is highlighted by an entire section in the DPA dedicated solely to the security of sensitive personal information under the control or custody of the government. This section says all sensitive personal information held by government agencies must be kept secure using the most appropriate standard recognized by the ICT industry, and as recommended by the National Privacy Commission (NPC). The agency head is responsible for the organization’s compliance with the security requirements prescribed by the DPA.
The section also says that, by default, government employees are prohibited from accessing sensitive personal information unless they possess security clearance issued by the head of the agency.
If offsite (e.g., online) access is necessary, stricter rules must be observed: (1) an access request must be submitted to and approved by the head of agency; (2) access should be limited to 1,000 records at a time; and (3) access must be protected by the most secure encryption standard recognized by the NPC. As per the Commission’s Circular 16-01, the most appropriate encryption standard is AES-256.
Given these, it is beyond comprehension how the STG came to think that it’s perfectly okay to carry out public disclosure activities that involve sensitive personal information and which affect thousands of individuals. Neither the Department of Health nor healthcare institutions post test results in public venues! They give the results directly to the test subject, or a representative if he or she is incapacitated.
The facts are plain and clear. It’s not just offsite access by PCG or TSG employees that’s involved, but rather access by practically anyone in the world connected to the web. It’s not just a thousand people that are affected either. The first batch alone consisted of 14,669 quarantine clearances, which translates to 14,669 different individuals. As of this writing, there have been two other releases involving 1,196 and 2,827 OFWs, respectively. No security protocols have been provided—no password protection, no encryption, no access restrictions whatsoever. The PCG website itself is unsecure (no SSL security protocol) and any web browser is quick to point this one out.
Actions without Consequences?
So, where is this headed?
Well, under the DPA, any individual (or personnel, in the case of organizations) that discloses the sensitive personal information of an individual without obtaining his or her consent may be sent to prison for a term ranging between 3 to 5 years, and required to pay a fine between P500,000 and P2,000,000. Based on this particular offense, a criminal complaint can be filed against the person/s responsible for this fiasco. They either did it or allowed it to happen by reason of their gross negligence.
A complaint by any of the affected OFWs may be also be filed with the concerned government entities. The STG is composed of at least 12 state agencies. If this was their collective decision, then all of them may be equally liable. The PCG will almost certainly be singled out for actually hosting the links and quite possibly the files, as well.
A separate complaint may also be filed with the NPC, which is the agency charged with administering and implementing the provisions of the DPA. The law explicitly gives it the power to receive complaints, carry out investigations, resolve disputes, and even award indemnity in connection with all matters pertaining to data privacy.
As of this writing, the NPC has said that it will look into this mess. And rightly so. The agency need not wait for a complaint before it can start an investigation. It has the authority to initiate one on its own accord—something it has actually done many times in the past. It would be consistent with its statements, too. The Commission has, so far, released 13 public health emergency bulletins relating to this pandemic, and at least three of them harp on the dangers posed by the unauthorized disclosure of patient data. What the STG is doing is a direct rebuke of the Commission’s declarations. If it is not met with swift, decisive action by the data protection authority, what incentive is there for others to abide by NPC’s other pronouncements? It would look like non-compliance doesn’t earn the erring party any sanctions or negative consequences anyway.
It’s no secret that the government has been on the receiving end of a lot of criticisms for the way it has dealt with the current public health crisis. A lot of them take issue with its inefficient and delayed response to problems that arise almost every day. That may explain the desire to expedite certain processes such as the release of COVID-19 test results to returning OFWs, which apparently is a task assigned to the STG. Still, though, reckless and risky behavior should not be mistaken for the quicker and more effective solutions that the people are clamoring for. To do so constitutes a proven recipe for disaster that is certain to come back and haunt everyone concerned—if not now, then later when it is least expected.
Jamael Jacob (@jamjacob) is a lawyer specializing in the field of law, ICT, and human rights. He is currently the Director of the University Data Protection Office of the Ateneo de Manila University, and Policy and Legal Advisor to the Foundation for Media Alternatives. The views expressed herein do not necessarily represent or reflect the views of the organizations he is currently affiliated with.