Bioethic Lecture Final 2


Ethical Issues Related to Technology in the Delivery of Care
NCM 108: BIOETHICS
 REPUBLIC ACT 10173 THE DATA
PRIVACY ACT OF 2012
LEARNING OBJECTIVES
 At the end of this lesson, the student should be able to:
 1. Distinguish between personal, sensitive personal and privileged
communication;
 2. Identify whether an act is considered processing under the Data
Privacy Act;
 3. Identify whether a particular information is allowed to be
processed under the Data Privacy Act;
 4. Demonstrate knowledge of the requirements of the law for the
lawful processing of personal information;
 5. Enumerate and understand the rights of the data subject;
 6. Identify acts considered to be unlawful under the Data Privacy
Law; and
 7. Apply the lesson learned in the clinical setting.
BRIEF HISTORY OF THE LAW
❖Passed on June 6, 2012
❖Signed into law on August 15, 2012
❖Became effective on September 8, 2012
❖The Implementing Rules and Regulations (IRR)
of the law became effective on September 9,
2016
PERSONAL INFORMATION
 Refers to any information whether recorded in
a material form or not, from which the identity
of an individual is apparent or can be
reasonably and directly ascertained by the
entity holding the information, or when put
together with other information would directly
and certainly identify an individual.
 SENSITIVE PERSONAL INFORMATION
 Refers to personal information:
 (1) About an individual’s race, ethnic origin, marital status, age,
color, and religious, philosophical or political affiliations;
 (2) About an individual’s health, education, genetic or sexual life of
a person, or to any proceeding for any offense committed or
alleged to have been committed by such person, the disposal of
such proceedings, or the sentence of any court in such
proceedings;
 (3) Issued by government agencies peculiar to an individual which
includes, but not limited to, social security numbers, previous or
current health records, licenses or its denials, suspension or
revocation, and tax returns; and
 (4) Specifically established by an executive order or an act of
Congress to be kept classified.
PRIVILEGED PERSONAL INFORMATION
Refers to any and all forms of data which under the Rules
of Court and other pertinent laws constitute privileged
communication.
Examples of privileged information under the Rules of
Court:
 1. Marital privileged communication
 2. Physician-patient communication
 3. Attorney-client communication
 FILING SYSTEM
Refers to any set of information relating to natural or
juridical persons to the extent that, although the
information is not processed by equipment operating
automatically in response to instructions given for that
purpose, the set is structured, either by reference to
individuals or by reference to criteria relating to
individuals, in such a way that specific information
relating to a particular person is readily accessible
 PERSONAL INFORMATION CONTROLLER
 Refers to a person or organization who controls the
collection, holding, processing or use of personal
information, including a person or organization who
instructs another person or organization to collect,
hold, process, use, transfer or disclose personal
information on his or her behalf. The term excludes:
1) A person or organization who performs such functions
as instructed by another person or organization; and
2) An individual who collects, holds, processes or uses
personal information in connection with the individual’s
personal, family or household affairs.
 PERSONAL INFORMATION PROCESSOR
 Refers to any natural or juridical person qualified to act
as such under this Act to whom a personal information
controller may outsource the processing of personal
data pertaining to a data subject.
 PROCESSING
 Refers to any operation or any set of operations
performed upon personal information including, but
not limited to, the collection, recording, organization,
storage, updating or modification, retrieval,
consultation, use, consolidation, blocking, erasure or
destruction of data.
DATA SUBJECT
 This refers to an individual whose personal information
is processed.

CONSENT OF THE DATA SUBJECT


 Refers to any freely given, specific, informed indication
of will, whereby the data subject agrees to the
collection and processing of personal information
about and/or relating to him or her. Consent shall be
evidenced by written, electronic or recorded means. It
may also be given on behalf of the data subject by an
agent specifically authorized by the data subject to do
so.
 PROCESSING OF PERSONAL
INFORMATION
 MAY PERSONAL INFORMATION BE
PROCESSED?
PERSONAL INFORMATION MAY BE PROCESSED SUBJECT TO
COMPLIANCE TO THE FOLLOWING REQUIREMENTS:
1. It is collected for specified and legitimate purposes determined and
declared before, or as soon as reasonably practicable after collection,
and later processed in a way compatible with such declared, specified
and legitimate purposes only;
2. The data is processed fairly and lawfully;
3. The data must be accurate, relevant and, where necessary for purposes
for which it is to be used the processing of personal information, kept up
to date; inaccurate or incomplete data must be rectified, supplemented,
destroyed or their further processing restricted.
4. The data collected is adequate and not excessive in relation to the
purposes for which they are collected and processed.
5. Retained only for as long as necessary for the
fulfillment of the purposes for which the data was
obtained or for the establishment, exercise or defense of
legal claims, or for legitimate business purposes, or as
provided by law.
6. Kept in a form which permits identification of data
subjects for no longer than is necessary for the purposes
for which the data were collected and processed:
Provided, That personal information collected for other
purposes may be processed for historical, statistical or
scientific purposes, and in cases laid down in law may be
stored for longer periods: Provided, further, That
adequate safeguards are guaranteed by said laws
authorizing their processing.
 WHEN IS PROCESSING OF PERSONAL INFORMATION
CONSIDERED LAWFUL?
 CRITERIA FOR LAWFUL PROCESSING OF PERSONAL
INFORMATION:
1. The data subject has given his or her consent;
2. The processing of personal information is necessary and is related
to the fulfillment of a contract with the data subject or in order to
take steps at the request of the data subject prior to entering into a
contract;
3. The processing is necessary for compliance with a legal obligation
to which the personal information controller is subject;
5. The processing is necessary in order to respond to
national emergency, to comply with the requirements of
public order and safety, or to fulfill functions of public
authority which necessarily includes the processing of
personal data for the fulfillment of its mandate;
6. The processing is necessary for the purposes of the
legitimate interests pursued by the personal information
controller or by a third party or parties to whom the data
is disclosed, except where such interests are overridden
by fundamental rights and freedoms of the data subject
which require protection under the Philippine
Constitution.
 THE PROCESSING OF SENSITIVE PERSONAL INFORMATION
AND PRIVILEGED INFORMATION SHALL BE PROHIBITED,
EXCEPT IN THE FOLLOWING CASES:
(a) The data subject has given his or her consent, specific to the
purpose prior to the processing, or in the case of privileged
information, all parties to the exchange have given their
consent prior to processing;
(b) The processing of the same is provided for by existing laws and
regulations: Provided, That such regulatory enactments
guarantee the protection of the sensitive personal information
and the privileged information: Provided, further, That the
consent of the data subjects are not required by law or
regulation permitting the processing of the sensitive personal
information or the privileged information;
c) The processing is necessary to protect the life and health of
the data subject or another person, and the data subject is not
legally or physically able to express his or her consent prior to the
processing;
d) The processing is necessary to achieve the lawful and
noncommercial objectives of public organizations and their
associations: Provided, That such processing is only confined and
related to the bona fide members of these organizations or their
associations: Provided, further, That the sensitive personal
information are not transferred to third parties: Provided, finally,
That consent of the data subject was obtained prior to
processing;
e) The processing is necessary for purposes of medical
treatment, is carried out by a medical practitioner or a medical
treatment institution, and an adequate level of protection of
personal information is ensured; or
f) The processing concerns such personal information as
is necessary for the protection of lawful rights and
interests of natural or legal persons in court proceedings,
or the establishment, exercise or defense of legal claims,
or when provided to government or public authority.
RIGHTS OF THE DATA SUBJECT
THE DATA SUBJECT IS ENTITLED TO:
 a) Be informed whether personal information pertaining to him or
her shall be, are being or have been processed;
 b) Be furnished the information indicated hereunder before the
entry of his or her personal information into the processing
system of the personal information controller, or at the next
practical opportunity:
 (1) Description of the personal information to be entered into the
system;
 (2) Purposes for which they are being or are to be processed;
 (3) Scope and method of the personal information processing;
 (4) The recipients or classes of recipients to whom they are or may
be disclosed;
 5) Methods utilized for automated access, if the same is
allowed by the data subject, and the extent to which
such access is authorized;
 6) The identity and contact details of the personal
information controller or its representative;
 7) The period for which the information will be stored;
and
 8) The existence of their rights, i.e., to access,
correction, as well as the right to lodge a complaint
before the Commission.
 Any information supplied or declaration made to the
data subject on these matters shall not be amended
without prior notification of data subject: Provided,
That the notification under subsection (b) shall not
apply should the personal information be needed
pursuant to a subpoena or when the collection and
processing are for obvious purposes, including when it
is necessary for the performance of or in relation to a
contract or service or when necessary or desirable in
the context of an employer-employee relationship,
between the collector and the data subject, or when
the information is being collected and processed as a
result of legal obligation;
 c) Reasonable access to, upon demand, the following:
 1) Contents of his or her personal information that were
processed;
 2) Sources from which personal information were obtained;
 3) Names and addresses of recipients of the personal
information;
 4) Manner by which such data were processed;
 5) Reasons for the disclosure of the personal information to
recipients;
 6) Information on automated processes where the data
will or likely to be made as the sole basis for any
decision significantly affecting or will affect the data
subject;
 (7) Date when his or her personal information
concerning the data subject were last accessed and
modified; and
 (8) The designation, or name or identity and address of
the personal information controller;
 D) Dispute the inaccuracy or error in the personal
information and have the personal information
controller correct it immediately and accordingly,
unless the request is vexatious or otherwise
unreasonable. If the personal information have been
corrected, the personal information controller shall
ensure the accessibility of both the new and the
retracted information and the simultaneous receipt of
the new and the retracted information by recipients
thereof: Provided, That the third parties who have
previously received such processed personal
information shall be informed of its inaccuracy and its
rectification upon reasonable request of the data
subject;
 E) Suspend, withdraw or order the blocking, removal or
destruction of his or her personal information from the
personal information controller’s filing system upon
discovery and substantial proof that the personal
information are incomplete, outdated, false, unlawfully
obtained, used for unauthorized purposes or are no
longer necessary for the purposes for which they were
collected. In this case, the personal information
controller may notify third parties who have previously
received such processed personal information;
 f) Be indemnified for any damages sustained due to such
inaccurate, incomplete, outdated, false, unlawfully obtained or
unauthorized use of personal information.
 The immediately preceding sections are not applicable if the
processed personal information are used only for the needs of
scientific and statistical research and, on the basis of such, no
activities are carried out and no decisions are taken regarding
the data subject: Provided, That the personal information shall
be held under strict confidentiality and shall be used only for
the declared purpose. Likewise, the immediately preceding
sections are not applicable to processing of personal
information gathered for the purpose of investigations in
relation to any criminal, administrative or tax liabilities of a
data subject.
 SECURITY OF PERSONAL INFORMATION
 a) The personal information controller must implement
reasonable and appropriate organizational, physical and technical
measures intended for the protection of personal information
against any accidental or unlawful destruction, alteration and
disclosure, as well as against any other unlawful processing.
 b) The personal information controller shall implement reasonable
and appropriate measures to protect personal information against
natural dangers such as accidental loss or destruction, and human
dangers such as unlawful access, fraudulent misuse, unlawful
destruction, alteration and contamination.
C) The determination of the appropriate level of security under
this section must take into account the nature of the personal
information to be protected, the risks represented by the
processing, the size of the organization and complexity of its
operations, current data privacy best practices and the cost of
security implementation. Subject to guidelines as the
Commission may issue from time to time, the measures
implemented must include:
 (1) Safeguards to protect its computer network against
accidental, unlawful or unauthorized usage or interference
with or hindering of their functioning or availability;
 2) A security policy with respect to the processing of personal
information;
 3) A process for identifying and accessing reasonably
foreseeable vulnerabilities in its computer networks,
and for taking preventive, corrective and mitigating
action against security incidents that can lead to a
security breach; and
 (4) Regular monitoring for security breaches and a
process for taking preventive, corrective and mitigating
action against security incidents that can lead to a
security breach.
 D) The personal information controller must further
ensure that third parties processing personal
information on its behalf shall implement the security
measures required by this provision.
 E) The employees, agents or representatives of a personal information
controller who are involved in the processing of personal information shall
operate and hold personal information under strict confidentiality if the
personal information are not intended for public disclosure. This obligation
shall continue even after leaving the public service, transfer to another
position or upon termination of employment or contractual relations.
 F) The personal information controller shall promptly notify the
Commission and affected data subjects when sensitive personal
information or other information that may, under the circumstances, be
used to enable identity fraud are reasonably believed to have been
acquired by an unauthorized person, and the personal information
controller or the Commission believes that such unauthorized acquisition is
likely to give rise to a real risk of serious harm to any affected data subject.
The notification shall at least describe the nature of the breach, the
sensitive personal information possibly involved, and the measures taken
by the entity to address the breach. Notification may be delayed only to
the extent necessary to determine the scope of the breach, to prevent
further disclosures, or to restore reasonable integrity to the information
and communications system.
 1) In evaluating if notification is unwarranted, the
Commission may take into account compliance by the
personal information controller with this section and
existence of good faith in the acquisition of personal
information.
 2) The Commission may exempt a personal information
controller from notification where, in its reasonable
judgment, such notification would not be in the public
interest or in the interests of the affected data subjects.
 3) The Commission may authorize postponement of
notification where it may hinder the progress of a
criminal investigation related to a serious breach.
PUNISHABLE ACTS UNDER THE LAW:
 UNAUTHORIZED PROCESSING OF PERSONAL AND SENSITIVE
PERSONAL INFORMATION
 ACCESSING PERSONAL INFORMATION AND SENSITIVE
PERSONAL INFORMATION DUE TO NEGLIGENCE
 IMPROPER DISPOSAL OF PERSONAL INFORMATION AND
SENSITIVE PERSONAL INFORMATION
 PROCESSING OF PERSONAL INFORMATION AND SENSITIVE
PERSONAL INFORMATION FOR UNAUTHORIZED PURPOSES
 UNAUTHORIZED ACCESS OR INTENTIONAL BREACH
 CONCEALMENT OF SECURITY BREACHES INVOLVING
SENSITIVE PERSONAL INFORMATION
MALICIOUS DISCLOSURE
 Any personal information controller or personal
information processor or any of its officials, employees
or agents, who, with malice or in bad faith, discloses
unwarranted or false information relative to any
personal information or personal sensitive information
obtained by him or her, shall be subject to
imprisonment ranging from one (1) year and six (6)
months to five (5) years and a fine of not less than Five
hundred thousand pesos (Php500,000.00) but not more
than One million pesos (Php1,000,000.00).
 UNAUTHORIZED DISCLOSURE
 a) Any personal information controller or personal information processor or
any of its officials, employees or agents, who discloses to a third party
personal information not covered by the immediately preceding section
without the consent of the data subject, shall be subject to imprisonment
ranging from one (1) year to three (3) years and a fine of not less than Five
hundred thousand pesos (Php500,000.00) but not more than One million
pesos (Php1,000,000.00).
 b) Any personal information controller or personal information processor or
any of its officials, employees or agents, who discloses to a third party
sensitive personal information not covered by the immediately preceding
section without the consent of the data subject, shall be subject to
imprisonment ranging from three (3) years to five (5) years and a fine of not
less than Five hundred thousand pesos (Php500,000.00) but not more than
Two million pesos (Php2,000,000.00).
B. BENEFITS AND CHALLENGES OF TECHNOLOGY
