Amid the all-out info drive on RA 10173, also known as The Data Privacy Act (DPA) of 2012, one of the examples used to illustrate how an individual’s right to privacy could be violated is featured in this doctor-patient situation.
A medical doctor in a private hospital in Manila recorded a conversation with his lady patient without the patient’s knowledge and prior consent.
Upon realizing what was happening, the patient immediately confronted the doctor and expressed her strong dismay, pointing out the physician’s lack of professionalism in recognizing his personal right to privacy. She said she could have given her consent anyway if only she was asked politely.
The doctor apologized and explained that his action was just meant to aid his recall, especially when he later examined the case, saying he just wanted to provide the best possible service, which the patient deserves.
The patient, however, demanded the doctor to delete the recorded conversation and canceled on the medical consultation. She said if the doctor does not even know the basic courtesy of asking for consent, then how can he expect to win the patients’ confidence in his competence as a medical practitioner.
RA 10173 is very explicit about the handling of personal data in any formas long as it is collected, processed and stored by any organization. Specifically, individual consent is emphasized and underscored, to protect any person from unsolicited and illegal actions that violate privacy.
All individuals, or data subjects as defined by the law, have the right to be informed that personal data has been, is being or will be collected and processed. The law is specific, thorough and definite. Any collection of personal data must include the following safety measures:
To protect your privacy, the Philippine data privacy law explicitly require organizations to notify and furnish you the following information before they enter your personal data into any processing system (or at the next practical opportunity at least):
- Description of the personal data to be entered into the system
- Exact Purposes for which they will be processed (such as for direct marketing, statistical, scientific etc.)
- Basis for processing, especially when it is not based on your consent
- Scope and method of the personal data processing
- Recipients, to whom your data may be disclosed
- Methods used for automated access by the recipient, and its expected consequences for you as a data subject
- Identity and contact details of the personal information controller
- The duration for which your data will be kept
- You also have to be informed of the existence of your rights as a data subject.
The strictness and definitiveness of the data privacy provisions of the law imposes a higher level of accountability and preparedness for the medical practice. To ensure that the privacy of your patients is well-protected and your own integrity is never put at risk, the following basic measures should be considered.
- Read and understand the provisions of the Data Privacy Act, particularly those that define theparameters of collecting, processing and storing personal information as applicable to patient data collection, processing and storage.
- Appoint a Data Privacy Officer for your practice.
- Register with the National Privacy Commission as Individual personal information controllers (PIC).
- Review your practice’s system and procedures relative to patient information, from collecting to storage to security, to ensure compliance to the provisions of the law. Pay particular attention to location of patient records and access controls. IT systems should be monitored and evaluated on a regular basis.
- Educate your staff on the proper handling of personal data, as well as the obligations and restrictions under RA 10173.
- Review the insurance coverage with your broker in the event of any data breach.
The doctor-patient relationship is built on trust, as the personal condition, private details and health care program of the patient are placed in the hands of the doctor. Protecting that trust means taking the Data Privacy Act’s stipulations as precautionary inputs to secure not only your patient data but also the doctor-patient relationship.
Sources & References National Privacy Commission. Know Your Data Privacy Rights. Retrieved from https://www.privacy.gov.ph/know-your-rights/
Amihan. (2017, July). The Beginner’s Guide to RA 10173 (Data Privacy Act of 2012). Retrieved from
Tego Insurance. (2018, April). Privacy laws have just changed — here are 5 things doctors should know. Retrieved from
BetterHealth Channel. (2015, October). Confidentiality and privacy in healthcare. Retrieved from
SeriousMD. (2018, July). Data Privacy Act Registration. Retrieved from