SyCip Law COVID-19 Legal Information Bulletin
Published: April, 2020
Submission: April, 2020
Related Articles in
Healthcare & Pharmaceuticals | Technology | Telecommunications
The Philippine Government has issued a slew of resolutions and circulars as part of its response to the COVID 19 pandemic and unsurprisingly, a number of legal and practical issues have beset businesses and persons under the Luzon-wide enhanced community quarantine (ECQ)1. Like the rest of the world, the country is bracing itself for a new normal – in the way enterprises are run, services are rendered, everyday tasks are undertaken.
This legal briefing series touches on Philippine issues in TMT triggered by the current crisis, or which have become more relevant because of it.
Data Privacy vs. Public Health?
Personal data, including sensitive personal information such as a person’s health condition, can be collected and processed even without the consent of a data subject where, among others, the collection and processing are done for purposes of medical treatment, protecting the life and health of individuals, responding to a national emergency, or when allowed under existing laws and regulations. Here, the NPC has noted that under Republic Act No. 11332, or the “Mandatory Reporting of Notifiable Diseases and Health Events of Public Concern Act”, physicians, medical personnel, hospitals, clinics, laboratories, schools, and workplaces that have information on infected individuals are already mandated to disclose this to the local and regional health officers and the Department of Health (DOH). Given the declaration of the state of public health emergency in response to the COVID-19 pandemic, persons who may have been infected and their close contacts in fact have the obligation to disclose certain information to the health authorities, including among others, their personal information, health status, travel history, and frequented places for purposes of contact tracing and monitoring.
There had been calls by the Integrated Bar of the Philippines, the Philippine Medical Association, and the Philippine College of Surgeons, as well as some local government officials for persons to “voluntarily consent” to the disclosure of their personal data. On this, the NPC said that a call for “voluntary consent” is unnecessary, noting the availability of other criteria for lawful processing, and that individuals were even obliged to disclose information to the appropriate authorities under Republic Act No. 1132. The NPC cautioned the persons calling for “voluntary consent” that while collection and processing of personal data may be justified by an available criterion under the Data Privacy Act (DPA), these must still be conducted in accordance with the data privacy principles of legitimate purpose, transparency, and proportionality. Thus, there should be no indiscriminate disclosure of personal information. Disclosure should only be made to relevant authorities and involve necessary information, and to the extent possible, any personal data intended for disclosure must be anonymized.
In this regard, on 8 April 2020, the Inter Agency Task Force (IATF) (a body formed by the Philippine Government to help lead the response to the pandemic) issued a resolution adopting the policy of “mandatory public disclosure” of personal information relating to patients who have tested positive for COVID-19 with the view of enhancing the contact-tracing efforts of government. The resolution itself is not clear as to what this policy means in the context of the DPA, and what kind of disclosure is now allowed from the IATF perspective. The resolution, however, also provides that the contact-tracing efforts of the government will now be handled by the Office of Civil Defense (OCD), in coordination with local government units and other agencies. This could be interpreted to mean that despite the broad language of the policy statement, any such disclosure will only be directed to the OCD and the DOH. In press conferences, Cabinet Secretary Karlo Nograles appears to clarify that this is what is contemplated by the IATF resolution. As of the time of this writing, the NPC has not issued any related statement.
Data Privacy From Home?
Data protection officers of businesses implementing WFH arrangements and which need to ensure that data privacy measures are in place, may consider “best practices” such as:
• Regularly and consistently reminding employees of the need to ensure the security of personal information and other confidential data;
The Doctor is at Home: Philippine Legal Issues for Telemedicine
1. A need for consultants to obtain a license to practice medicine in the Philippines. All persons providing medical or clinical services via ICT must be duly qualified and licensed in accordance with the Medical Act of 1959 and related rules. Foreign health professionals seeking to render medical services in the Philippines may be permitted to practice medicine here, subject to conditions. Any person found to be engaged in the illegal practice of medicine may be subject to criminal prosecution and punishment.
2. A need for relevant devices to be registered with the FDA. Telemedicine devices, such as apparatuses or equipment with built-in medical sensors that store and electronically transmit a patient’s health data to medical providers via ICT, are considered medical devices. These must be registered with the Food and Drug Authority. Software that performs particular clinical functions such as generating a preliminary diagnosis based on symptoms specified by a user can be considered a medical device and would have to be registered.
3. Compliance with Philippine data privacy laws. Telemedicine providers would be collecting and using personal data of clients and would therefore likely be considered data controllers under the DPA. Apart from complying with requirements under this general privacy law, providers may need to consider any applicable codes and guidelines for medical professionals.
These regulatory concerns are, of course, in addition to other legal issues, such as that of the relevant standard of diligence and accountability for telemedicine companies, and the duty of care in a situation where diagnosis and treatment are done remotely or via a web-based machine or software. At present, questions of this nature would likely need to be examined from the perspective of local civil law principles.
Anyone stuck at home in a lockdown and looking for a pizza or needing to transfer funds probably understands that a significant shift in the Philippines from traditional methods of banking and financial transactions to online platforms needs to be part of the new normal. The Bangko Sentral ng Pilipinas (BSP or the Philippine Central Bank), while assuring the public of the continued availability of banking services, encouraged the use of electronic banking and digital payment services as safer alternatives2. For humanitarian delivery of cash and voucher assistance, the Global Health Cluster led by the World Health Organization has likewise stressed that contactless electronic or mobile payments should be the preferred option to reduce the risk of COVID-19 transmission. Perceptions that cash, debit or credit card terminals or PIN pads potentially spread pathogens may also affect the payment behavior of individual and institutional clients.
Any uptake in the volume of cashless transactions in the Philippines will happen at a time when local regulation of payment services in the Philippines is relatively nascent. The National Payment Systems Act (NPSA), enacted in October 2018, gave the BSP regulatory power over the operation of payment systems, with the aim of controlling systemic risks that can threaten the stability of payment systems or financial markets. The NPSA defines an operator of a payment system (OPS) as an entity that “provides clearing or settlement services in a payment system, or defines, prescribes, designs, controls or maintains the operational framework for the system”.
The Manual of Regulations for Payment Systems (MORPS), the first tranche of which was introduced by the BSP in September 2019, expanded the definition of an OPS and effectively imposed a registration requirement on any entity that: (i) maintains the platform that enables payments or fund transfers within or across institutions; (ii) operates the system or network that enables payments or fund transfers to be made through the use of a payment instrument; (iii) provides a system that processes payments on behalf of any person or the government; or (iv) performs similar activities, as may be determined by the Monetary Board of the BSP.
Because of the wide net cast by the BSP, entities are expected to conduct a self-assessment to determine if their activities fall within the scope of the expanded definition of an OPS. Studying the application of the NPSA as implemented by the MORPS and navigating the multiple registrations required of institutions that are already licensed and supervised by the BSP have become significant concerns for fintech companies and other affected businesses.
More questions may arise with the upcoming issuance of the Payment System Oversight Framework. Based on the draft BSP Circular3, the PSOF introduces new classes of payment system participants, imposes reportorial requirements on such participants, provides guiding principles for the BSP’s supervision, and fleshes out the procedure and criteria for the designation of payment systems.
In a world that has experienced a pandemic, the Philippine payment services sector may find a silver lining for its business, but if the BSP continues to adopt a broad view in implementing the PSOF, the sector may need to also brace itself for a greater regulatory burden.
Report on CBDCs: Time for an E-Peso?
 Luzon is one of the Philippines’ main islands, and is where the country’s national capital region is located. The ECQ began on March 2020, and is scheduled to end on 30 April 2020.
 BSP, The BSP Assures the Public of Continuing Banking Services, March 16, 2020, at http://www.bsp.gov.ph/publications/media.asp?id=5311 (last visited April 16, 2020).
 BSP, Draft Payment System Oversight Framework Available for Comments, March 16, 2020, at http://www.bsp.gov.ph/publications/media.asp?id=5316 (last visited April 16, 2020).
This bulletin contains a summary of the items set out above. It was prepared by SyCip Salazar Hernandez & Gatmaitan (SyCipLaw) to update its clients with recent legal developments. This does not constitute legal advice or an opinion of SyCipLaw or any of its lawyers.
This bulletin is only a guide material and SyCipLaw makes no representation in respect of its completeness and accuracy. You should check the official version of the declaration and its implementing rules and regulations.
No portion of this advisory may be copied or reproduced in books, pamphlets, outlines or notes, whether printed, mimeographed, typewritten, copied in different electronic devices or in any other form, for distribution or sale, or reposted or forwarded without the prior written consent of SyCipLaw.
Related Articles in
Healthcare & Pharmaceuticals | Technology | Telecommunications
- Travel to India during COVID-19
- Agile Implementations and Legacy Systems – A Pyrrhic Victory for the Co-Op?
- Financial Stability Institute (“FSI”) Publishes Bank for International Settlement (“BIS”) Research Paper on Fintech Regulation
- How Could Cryptocurrency Affect Divorce?
WSG Member: Please login to add your comment.