Data privacy and civil registry documents
By Gladys Jane Dela Cruz on October 13,2022
IT is the policy of the state to protect the fundamental human right of privacy of communication while ensuring free flow of information to promote innovation and growth (Section 2, Data Privacy Act of 2012). Thus, the processing of sensitive personal information is generally prohibited.
Section 13 of the Data Privacy Act (DPA), however, provides for exceptions. Section 13 (f), in particular, allows processing of such information if it is “necessary for the protection of lawful rights and interests of natural or legal persons in court proceedings, or the establishment, exercise or defense of legal claims, or when provided to government or public authority.”
On Sept. 21, 2022, the National Privacy Commission (NPC) issued Advisory Opinion (AO) 2022-020, stating that the Philippine Statistics Authority (PSA) should not have denied a request for a copy of a death certificate based on the PSA’s erroneous interpretation of Section 13 (f).
The requester intended to avail of his deceased father’s Government Service Insurance System (GSIS) benefits. He submitted his deceased father’s Certificate of No Marriage that apparently listed two marriages, the latter pertaining to that between his father and mother, to the pension fund.
The GSIS then informed the petitioner that the first wife may be disqualified from claiming his father’s benefits if he could submit the first wife’s death certificate. The requester then asked for a copy of the first wife’s death certificate but this was denied by the PSA, which cited data privacy grounds.
It is worth noting that a death certificate is an official civil registry document that has particulars regarding an individual. It includes, among others, the deceased’s full name, age, sex, occupation, residence, civil status, date and place of death, and nationality, some of which are considered sensitive personal information under the DPA.
In line with the policy to protect every individual’s fundamental right to privacy pursuant to the DPA, the PSA had issued Memorandum Circular (MC) 2019-15 that provided a list of persons allowed to request civil registry documents. These include the document owner’s spouse, parents, children, guardian, court or proper public official. MC 2019-15 also provided that a court or proper public official could also be allowed to make a request, but there should be a pending case and a duly issued subpoena for the document.
Since the petitioner was not a relative of the person named in the death certificate, the PSA, citing MC 2019-15, denied his request, maintaining that there was no ongoing administrative, judicial or other official proceeding and that no subpoena had been issued for the production of such a document.
The NPC, however, disagreed and held that the PSA erred in its interpretation of Section 13 (f). The NPC, in Case 17-018, (July 15, 2019) previously ruled that “processing as necessary for the establishment of legal claims does not require an existing court proceeding.” After all, the very idea of “establishment of legal claims” presupposes that there is still no pending case since a case will only be filed once the required claims have already been established.
Further, the NPC said that the DPA should not be seen as curtailing the practice of law in litigation. It recognized that it was almost impossible for Congress to determine beforehand what specific data is “necessary,” or may or may not be collected by lawyers for purposes of building a case. Therefore, the use of the qualifier “necessary” in Section 13 (f) should be read to limit the potentially broad concept of “establishment of legal claims” and make it consistent with the general principles of legitimate purpose and proportionality.
Additionally, the NPC suggested that since the protection of lawful rights and interests under Section 13 (f) is considered a legitimate interest, the Personal Information Controller (PIC) may consider three tests: purpose, which determines whether a legitimate interest is clearly established; necessity, which determines if the processing of personal information is necessary for the purpose of the legitimate interest pursued; and balancing, which determines whether the fundamental rights and freedoms of data subjects will be overridden by the legitimate interest.
Nonetheless, the NPC emphasized that having a legitimate purpose or some other lawful criteria to process personal information should not also result in the PIC (the PSA in this case) granting all requests to access information or data. These requests should still be evaluated on a case-to-case basis and must always be subject to the PIC’s guidelines for the release of such information (NPC Case 19-653, Dec. 17, 2020).
Gladys Jane M. de la Cruz is an associate of Mata-Perez, Tamayo and Francisco.