Data Privacy Involving Employee’s Health Information with Sample Waiver and SPAAtty Elvin
The Data Privacy Act of 2012 (DPA) declares that it is the policy of the State to protect the fundamental human right of privacy, of communication while ensuring free flow of information to promote innovation and growth. The State recognizes the vital role of information and communications technology in nation-building and its inherent obligation to ensure that personal information in information and communications systems in the government and in the private sector are secured and protected.
It is a practice for some companies to provide the health coverage for its employees in the form of a health card provider or Health Maintenance Organization (HMO). As a matter of procedure, employees would undergo medical checkup, operation, diagnosis, etc. and the results are made available only to the employees involved.
In certain cases, the HMO and/or medical facility/entity would refuse to provide the company or employer a copy of the results as the same may violate the DPA. The medical information may form part of the protected personal information or sensitive personal information.
As defined by law, “personal information” refers to any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.
Further, “sensitive personal information ” refers to personal information:
(1) About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;
(2) About an individual’s health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings;
(3) Issued by government agencies peculiar to an individual which includes, but not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns; and
(4) Specifically established by an executive order or an act of Congress to be kept classified.
As a rule, the processing of sensitive personal information and privileged information is prohibited. There are exceptions under the law, to wit:
(a) The data subject has given his or her consent, specific to the purpose prior to the processing, or in the case of privileged information, all parties to the exchange have given their consent prior to processing;
(b) The processing of the same is provided for by existing laws and regulations: Provided, That such regulatory enactments guarantee the protection of the sensitive personal information and the privileged information: Provided, further, That the consent of the data subjects are not required by law or regulation permitting the processing of the sensitive personal information or the privileged information;
(c) The processing is necessary to protect the life and health of the data subject or another person, and the data subject is not legally or physically able to express his or her consent prior to the processing;
(d) The processing is necessary to achieve the lawful and noncommercial objectives of public organizations and their associations: Provided, That such processing is only confined and related to the bona fide members of these organizations or their associations: Provided, further, That the sensitive personal information are not transferred to third parties: Provided, finally, That consent of the data subject was obtained prior to processing;
(e) The processing is necessary for purposes of medical treatment, is carried out by a medical practitioner or a medical treatment institution, and an adequate level of protection of personal information is ensured; or
(f) The processing concerns such personal information as is necessary for the protection of lawful rights and interests of natural or legal persons in court proceedings, or the establishment, exercise or defense of legal claims, or when provided to government or public authority.
While it appears that in an employer-employee relationship, the information obtained from the employee is in relation to such employment, there is a need to have a clear consent to process the information on the part of the employer. Hence, if the information is shared by the employee with the medical facility and the results are generated, the employer can be authorized by the employee to have such copy.
This should be in the form of an express consent since an individual’s health is a sensitive personal information under the law which can only be processed if there is an express consent by the data subject.
Below is a sample template where the employee gives consent for the company to process the sensitive personal information obtained by the health provider in an HMO setting. This includes as well the authority to the company to obtain said information and all other records in relation thereto.
The above consent may be supported by the employer’s Board Resolution or Secretary Certificate in the case of a corporation or SPA in the case of individual employer authorizing HR or any company representative to obtain said information.
Get the soft copy and/or editable version here.
DATA PRIVACY CONSENT WITH SPECIAL POWER OF ATTORNEY
KNOW ALL MEN BY THESE PRESENTS:
I, JUAN DELA CRUZ, of legal age, Filipino, married, and a resident of ___________________________________________________, do hereby give consent to the processing of my personal data, be it personal information or sensitive personal information, including the results of my medical, operation, checkup, diagnosis, consultation, and other medical information obtained from me by the health card provider and/or Health Management Organization (HMO) engaged by the company, XXX CORPORATION (XXX), and that the latter is likewise duly authorized to use, process, or transfer said data or information to its contractor, affiliates, or subsidiaries, for any business reason related to my employment, at its discretion.
Likewise, I do hereby name, constitute and appoint my company, XXX or any of its duly authorized representative, as my true and lawful attorney in fact, for me and in my name, place and stead to do and perform the following acts and things:
- To process, transact, and request for the issuance of the results of my medical checkup, health report, operation, medication, diagnosis, or any other medical information from the health card provider and/or HMO;
- To coordinate, obtain or claim the said records from the health card provider and/or HMO;
- To procure such other documents, records and reports pertaining to the above such that the authority includes the power to claim or obtain the authenticated or certified copies from the said health card provider and/or HMO;
- To sign and execute any document for the said purpose and pay any fee, processing cost, if any, among others to carry out the above purpose;
- To collect or receive the aforementioned documents after the issuance, certification, and/or authentication thereof and to sign any receipt or receiving copy, claim, receive, submit any form, document, necessary to effect the claim of the above documents or records;
- To perform any and all acts and deeds as well as to execute, sign, deliver, submit, follow-up, receive, enter into and conclude, any and all documents, papers, and to comply with any and all requirements, terms and conditions, necessary, incidental and required for the immediate processing of the said certified copy of my birth certificate and such other acts as may be necessary to carryout the above purpose and object.
- This authority remains valid and binding until expressly revoked in writing by the undersigned principal.
HEREBY GIVING AND GRANTING unto my said Attorney full power and authority whatsoever requisite necessary or proper to be done in and about the premises as fully to all intents and purposes as I might or could lawfully do if personally present, with power of substitution and revocation, and hereby ratifying and confirming that all my said attorney or her substitute shall lawfully do or cause to be done under and by virtue of these presents.
IN WITNESS WHEREOF, I have signed my name this ______ day of _______ 2021 at Makati City.
JUAN DELA CRUZ
With acceptance and conformity:
Signed in the presence of:
REPUBLIC OF THE PHILIPPINES )
City of Makati ) S.S.
BEFORE ME, this 29th day of October 2020 personally appeared JUAN DELA CRUZ, who is known to me and exhibiting to me her competent evidence of identity shown above, known to me and to me known to be the same person who executed the foregoing instrument and acknowledged to me that the same is her own free, voluntary act and deed.
IN WITNESS WHEREOF, I have hereunto set my hand and affixed my notarial seal, the day, year and place above written.
Doc. No. _______________:
Page No. ______________:
Book No. ______________:
Series of 2021.