Privacy in a Pandemic

Data protection and privacy should not hinder the government from collecting, using, and sharing personal information during this time of public health emergency.

The direction is lawful and straightforward.



Privacy Commissioner

Back to Basics:
Personal Information vs Sensitive Personal Information

Personal Information

  • refers to any information whether recorded in a material form or not from which the identity of an individual is apparent or can be reasonably and directly, or

  • when put together with other information would directly and certainly identify an individual

Sensitive Personal Information

  • race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations.
  • health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such person
  • social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns
  • specifically established by an executive order or an act of Congress to be kept classified

Criteria for Lawful Processing of Personal Information

Allowed when at least one of the following conditions exists:

(a) consent

(b) necessary to protect vitally important interests of the data subject;

(c) necessary in order to respond to national emergency, public order and safety; or

(d) legitimate interests of the controller.

Criteria for Lawful Processing of Sensitive Personal Information

Processing is prohibited, except in the following cases:

(a) consent

(b) necessary to protect the life and health of the data subject or another person, and the data subject is not legally or physically able to express his or her consent;

(c) necessary for purposes of medical treatment; or

(d) necessary for the protection of lawful rights and interests

General Data Privacy Principles

Personal information must be:

  • Collected and processed for specified and legitimate purposes;
  • Processed fairly and lawfully;
  • Accurate, relevant;
  • Adequate and not excessive;

Can we collect the details (name, contact details, and travel history) of all persons who will be entering our building

Yes, the building or office administrators may collect such personal data but only as may be necessary with what is required by the DOH.

Is a consent form necessary?

  • No.
  • The basis for data collection and processing is not consent but the protection of lawful rights and interests
  • It is advisable, though, to provide a privacy notice informing the visitors of the purpose and basis of the collection of such personal data.

Can an employer ask its employees to submit declaration forms that provide personal data (i.e. travel history, contacts, symptoms)?

  • Yes, employers may collect such personal data.

Can the employer disclose the personal data collected from employees to third parties?

  • ONLY to the DOH and other appropriate government agencies
  • and following all existing protocols on the matter.

Does an employer need to ask for the consent of an employee who is a PUI for COVID-19 when disclosing the PUI’s data to his contacts?

  • Contact tracing should be done only upon the authority, guidance, and instruction of the DOH.

If a PUI has been proven positive of the COVID-19, can I freely disclose the identity to everyone within the company? The purpose is to inform those who may have had contact with the person so they can be tested and monitored as well

  • disclosure of the identity of the patient shall be limited to the DOH personnel only, following the PUM/PUI protocol.
  • The company may make the necessary notices internally without disclosing the identity of the person who is COVID-19 positive.
  • The proper authority that does contact tracing is the DOH.

Can our company issue a press release or statement relating to our employee, who is a confirmed case for COVID-19?

  • Announcements should come from the DOH or other appropriate government agencies.
  • The government should only make the official announcement regarding COVID-19 cases in the country.
  • Anyone with relevant information should immediately relay it to the DOH for proper handling.

Can the DOH publicly disclose more detailed information of the frequented locations of the persons positive for COVID-19 to inform the public better and help prevent the transmission of the virus?

  • Yes.
  • The DOH can provide information about the frequented locations of the persons positive for COVID-19 without giving details that would identify individuals.

Security of Personal Information Work from Home Arrangement

Implement reasonable and appropriate:

  • Organizational Measures – company to regularly monitor staff accessibility
  • Physical Measures – keep physical files organized, avoid unnecessary print outs, safekeep devices
  • Technical Measures – password protect devices, log out after every use, ensure proper email send out intended for the protection of personal information against any accidental or unlawful destruction, alteration and disclosure, as well as against any other unlawful processing

Important Point to Remember

  • Use BCC for email blasts and bulletins to clients: