NPC Clarifies March 8 deadline requirements.

[UPDATE] The deadline for the registration of individuals falling under the Annex of Circular 17-01 (250 employees or handling 1000+ sensitive personal information) has been extended until JULY 2, 2018.

The Philippine Medical Association and several Specialty Societies met with representatives of the National Privacy Commission (“NPC”) on 28 February 2018 to discuss issues in connection with the Data Privacy Act of 2012 and the NPC’s issuances, specifically the registration of data processing systems on or before 08 March 2018.

1. Registration of Data Processing Systems by Physicians

NOT ALL PHYSICIANS ARE REQUIRED TO REGISTER.

The registration of data processing systems is required for those personal information controllers (PIC), such as individual physicians, falling under any of the following conditions:

       a. those physicians who employ at least two hundred fifty (250) employees; or

       b. those physicians who process sensitive personal information of at least one thousand (1,000) individuals.

Note: Processing under the Data Privacy Act refers to any operation or set of operations performed upon personal information including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data.

            Should a physician fall under any of the above criteria, he or she is required to register his or her data processing systems at the NPC website, privacy.gov.ph/registration/ on or before 8 March 2018. The registration process involves two (2) phases:

             Phase 1 of the registration of data processing systems involves the designation of the PIC’s Data Protection Officer (“DPO”). In this case, the individual physician as a PIC is the de facto DPO. For additional information, please refer to NPC Advisory No. 2017-01 on the “Designation of the Data Protection Officer”. The form for the registration is available on the NPC website. The generated registration form must be printed, notarized and submitted to the National Privacy Commission, 5th Flr. Delegation Bldg., Philippine International Convention Center Complex, Roxas Blvd. Pasay City.

             Phase 2 of the registration involves the actual registration of a physician’s data processing systems online. After the Phase 1 registration, he or she will receive an email from the NPC, as well as instructions on how to register his or her data processing systems.

            We note that physicians who do not meet any of the aforementioned criteria for mandatory registration but wish to register are encouraged to do so under the voluntary registration option.

2. Registration of Data Processing Systems by Hospitals and related Organizations

All hospitals and related organizations that fall under Appendix 1 of NPC Circular 17-01 are required to register:

            "The National Privacy Commission determines, for the limited purpose of mandatory registration under NPC Circular 17-01, that the following sectors or institutions are considered PICs or PIPs involved in the processing of personal data that is likely to pose a risk to the rights and freedoms of data subjects and/or where the processing is not occasional:

xxx 

6. HOSPITALS INCLUDING PRIMARY CARE FACILITIES, MULTI-SPECIALTY CLINICS, CUSTODIAL CARE FACILITIES, DIAGNOSTIC OR THERAPEUTIC FACILITIES, SPECIALIZED OUT PATIENT FACILITIES, AND OTHER ORGANIZATIONS PROCESSING GENETIC DATA"

 

            We will continue our dialogue with the NPC to clarify our concerns. We would appreciate it if you would bring to our attention any issues or suggestions with regard to compliance with the Data Privacy Act. Thank you for your continued support.