Saturday, November 21, 2015

This is The Law

With the last post being about the policies and practices of hospitals in the country on data privacy and security, this one is on what the law says about it. Republic Act 10173, also known as The Data Privacy Act, is a law created to deal with the privacy of personal information in electronic systems, including health data. For this week, our class in HI 201 had a debate based on the question: Is the Data Privacy act adequate to protect confidential health information?

Before I go into the actual debate, here is a basic rundown of the sections of the DPA. Chapter I goes into the general provisions of the law, including the definition of terms used in the law (consent, data subject, personal information, information controller, etc.) and the scope of its application. Chapter II describes the formation of the National Privacy Commission (NPC), its duties, and its members. Chapter III is on when personal information is lawfully processed (collected, stored, used, changed). This discusses how the consent of the individual is required and the exceptions to this rule when processing information. Chapter IV lists the rights of the individual in relation to data privacy. Chapter V discusses the responsibility of the information controller to secure personal information. Chapter VI talks about accountability for transferring personal information from the controller to a third party. Chapter VII is on how the security of personal information is handled in the government. Chapter VIII lists all the violations of this law and their corresponding penalties. Finally, Chapter IX includes other provisions that were not in the other Chapters, such as the creation of implementing rules and regulations, funding for implementation, transition time for all businesses and offices to adjust their practices to this law, and requiring the NPC to report to the President and Congress on implementation progress.

The pro DPA group argues that the law is adequate because it considers health information as personal information, and this type of information requires confidentiality and security from the information controller. Most of their statements focus on Chapter III, Chapter IV, Chapter V, and Chapter VIII, stating that overall, these provisions cover all health information handling situations.

For the con DPA group, the arguments are all over the place. One point is on the scope of the law (Chapter I), questioning whether the law applies to information under foreign jurisdiction when the data is being processed in the country. Another is from Chapter III on processing information lawfully. The question was whether there are criteria for determining the validity and legitimacy of information collection, and who will determine if information is processed for legitimate purposes. Next is on Chapter VI, where the accountability of telcos and ISPs for the security of information transmitted through their systems is not explicitly defined. Another is that the security responsibilities of the information controller are not well-defined. Lastly, for Chapter II, it was argued that the law cannot be implemented because the NPC is to be formed under the Department of Information and Communications Technology (DITC), a department that does not exist.

The pro side countered many of the con side's arguments by pointing out that they were going into details that are not covered by the law itself, but would be included in guidelines and standards for information controllers or in the implementing rules and regulations. The last argument was dismissed as being beyond the scope of the law, since it is an issue of the organization of the Philippine government and of other laws, such as the bill for the formation of the DITC not having been passed in Congress when this law was approved.

Looking back at this debate and reflecting on it for some time, I’ve come to realise that it was kind of a mess. The lack of an official moderator to set the scope of the discussion made some things unfair. When the pro side argued that the formation of the NPC was not in the scope of the debate, I kind of understood why. It was a debate on how health information can be protected by this law and whether information controllers would be held responsible for any breaches. However, because there was no real set limit on what could be discussed before the debate started, I couldn’t see why this wasn’t a legitimate argument. The formation of the NPC is part of the law, and if it could not be formed because of some issues in the current executive organization of the government, that shows the inadequacy of the law in protecting anything. The law was passed three years ago and it still cannot be implemented because of one simple line stating that the NPC is under the DITC. This is not just because of the incompetence of our government in implementing this law; there is something written in the law hindering them (however, they could have revised the law so that it could be implemented sooner, but it appears that they’re not interested in doing that).

Another problem is that the majority of the weaknesses of the law really go into the details, as argued by the con group. They were brushed aside easily by the pro side because they were not within the scope of the law, which goes back to the issue of setting the limits of the debate. If this was the case, the con group really had no chance. Since the DPA is still not being implemented (going back to the previous issue), we don’t have any real examples to work with. Most violation scenarios can be generally dealt with under this law, but in the real world, it’s not as straightforward. I still have doubts that there are no loopholes to be found. If the law relies on other guidelines, standards, rules and regulations for dealing with the issues argued by the con side, then it is all the more important that the NPC be formed, and that failed horribly because of the problem stated above.

I’ll be honest, I’m no lawyer. I’m not really that good at looking for loopholes or any of that stuff. The Data Privacy Act’s adequacy in protecting health information is something that I am still unsure of. I cannot really say a solid yes or no until I see it being used in the real world, and with the current situation, it will not be anytime soon. All I can say is the same as my starting statement during the debate: “The law is only useful if it can be put into action.” I fully believe in this and I will continue to wait and see what it can really do.
