Government Authority to Disclose Personal Information
By Nica Marsha Gasapo on October 28, 2021
The Data Privacy Act of 2012 (DPA) was enacted to protect the fundamental human right of privacy and communication while ensuring the free flow of information. Through the DPA, the state recognizes the important role of information and communication technology in nation-building as well as its responsibility to protect personal information in both public and private information and communications systems.
The DPA defines “personal information” as “any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual”. In several opinions, the National Privacy Commission (NPC) discussed the extent of a government office’s authority to disclose the personal information of a “data subject” or an individual whose personal information is processed by that office.
In Advisory Opinion 2021-034 dated August 17, 2021, the NPC dwelt on whether the Department of Foreign Affairs – Office of the Consular Affairs (OCA) could disclose personal information and sensitive personal information of data subjects without violating DPA provisions. Citing Section 5 (d) of the DPA’s Implementing Rules and Regulations (IRR), the NPC pointed out that the DPA and its IRR should not apply to certain information that is necessary to carry out a public authority’s functions.
In an earlier opinion, however, the NPC emphasized that while information necessary to carry out regulatory functions in accordance with a constitutional or statutory mandate is outside the scope of the DPA, this exemption is to be strictly construed. In Advisory Opinion 2020-015 dated February 24, 2020, the NPC said this exemption “applies only to the minimum extent of collection, access, use, disclosure, or other processing necessary to the purpose, function, or activity concerned. The processing for a regulatory function must be in accordance with a constitutional or statutory mandate, and strictly adheres to all required substantive and procedural processes.”
The NPC also added that “only the specified information must be outside the scope of the DPA. The public authority remains subject to its obligations as a personal information controller under the DPA of implementing security measures to protect personal data, upholding the rights of data subjects, and adhering to data privacy principles” (NPC Advisory Opinions 2020-015 and 2019-022).
Moreover, in Advisory Opinion 2021-034, the NPC confirmed that a request by the Presidential Commission on Good Government (PCGG) to the OCA for addresses and other information of OCA data subjects may be grounded on Sections 12 and/or 13 of the DPA, depending on the type of personal data involved. Section 12 of the DPA provides the criteria for lawful processing of personal information, while Section 13 sets out exceptions to the prohibitions against processing of sensitive personal information and privileged information.
Furthermore, the NPC, in Advisory Opinion 2021-034, clarified that the issuance of subpoenas by government offices to other government offices and/or persons from which the personal information is requested may not always be appropriate at a particular stage of inquiry, investigation, enforcement action, or other applicable government action. The NPC held that the request for information may come through court orders, subpoenas, letters, orders, and other official forms of communication. The NPC also declared that the OCA (or any other government office) could ask the requesting government offices for additional details on the validity of their requests for personal information of data subjects, where those requests are made through letter requests instead of subpoenas.
It must be noted that the DPA and its IRR provide for the rights of the data subject, as well as the limitations of these rights, where the processing of personal information is for purposes of investigations in relation to any criminal, administrative, or tax liabilities of the data subject. Thus, Section 13 of NPC Advisory 2021-01 on Data Subject Rights directs that the exercise of rights by data subjects must be reasonable and that the same can be limited when necessary for public interest, protection of other fundamental rights, or when the processing of personal data is for the purposes provided in the said section.