The National Privacy Commission (NPC) last October 12 asked companies to get the consent of COVID-19 vaccinated persons before using any personal information specified in their vaccination cards for promotions, raffles, or discounts.
The reminder came after the commission received reports on the collection of copies of COVID-19 vaccination cards by certain companies seeking to reward vaccinated individuals. This was stated in its bulletin last September 16.
Vaccination cards contain personal data such as the person’s age, date of birth, and health information.
Privacy Commissioner Raymund Liboro said that vaccinated individuals should “explicitly agree” to the collection and procession of their vaccination cards.
“While we laud these gestures as part of the ongoing initiative to encourage all eligible individuals to be vaccinated against COVID-19, we must also remind all personal information controllers (PICs) of the need to establish a lawful basis in the conduct of their respective personal data processing activities,” Liboro said in a statement.
“Securing the free and informed consent of the individuals may be a lawful basis. Consent must also be evidenced by written, electronic, or recorded means,” he added.
Liboro said vaccinated persons should receive a privacy notice of the processing of their personal data and their rights as data subjects.
PICs were also told that the use of the vaccine card should only be for its intended purpose, which is to facilitate the distribution of rewards.
“It shall not be used for further processing, such as profiling, automated decision making, or for other purposes incompatible with the declared and specified purpose,” Liboro said.
The NPC added that the health information of individuals should be secured. PICs should implement measures to protect the copies of vaccine cards and should be held accountable for their custody if processed.
It stressed that the PICs must never post the vaccine cards on public platforms.
“Copies of the vaccine cards must be retained only for as long as necessary for the fulfillment of the purpose. These must be disposed of in a secure manner — hard copies must be shredded properly while soft copies must be deleted or overwritten in a manner that ensures that the stored copy of the vaccine cards are permanently and irreversibly destroyed and beyond recovery,” the commission said.
“Such unauthorized disclosure may be punishable under the Data Privacy Act of 2012 and other applicable laws,” it noted.