NPC PHE Bulletin No. 3

Recognizing that trusted and verified information is vital in defeating the ongoing battle against the COVID-19 pandemic, the National Privacy Commission (NPC) issued NPC Public Health Emergency (PHE) Bulletin No.3 which lays down the guidelines on the collection and processing of personal data amidst the ongoing global pandemic.

With this, stakeholders, including employers, are guided on how to go about the processing of personal data.


1. Employers may ask their employees to submit declaration forms that provide personal data – for instance, (a) whether they have travelled to or been in close contact with persons who have gone to regions affected by COVID-19; (b) whether they are experiencing symptoms, and other personal data that may be necessary, observing the general data privacy principle of proportionality. Once collected, reasonable and appropriate safeguards should ensure the security of the forms and personal data contained therein.

2. The specific data elements to be collected should be coordinated with the Department of Health (DOH) as these would depend on what the latter needs in order to facilitate contact tracing.

Further Information:
Contact Tracing:

3. Disclosure of such employee data to third parties in this crisis is limited. The employer is allowed to disclose only to the DOH and other appropriate government agencies while following all existing protocols on the matter.

4. No consent form from the employees is needed because the basis for the disclosure and other processing rests on the mandate of the DOH, given the declaration of the state of public health emergency in response to the COVID-19 pandemic.

It is advisable, though, to provide a privacy notice informing the employees of the purpose and basis of the processing of such personal data. Reasonable and appropriate safeguards must ensure the security of the forms and personal data contained therein.

5. While the employer need not ask for the consent of an employee who is a Person Under Investigation (PUI) for COVID-19 when disclosing the PUI’s data for purposes of contact tracing, the same should be done only upon the authority, guidance, and instruction of the DOH.

6. If an employee/PUI has been proven to be positive of COVID-19, the employer may not freely disclose the identity of the said employee to everyone, even if within the company only.

If the purpose is to inform those who may have had contact with the said employee so they can be tested and monitored as well, the employer may instead make the necessary notices internally without disclosing the identity of the person who is COVID-19 positive.

Employers should only disclose such personal information as may be necessary to enable other employees to assess their health and potential exposure. Revealing the identity of the COVID-19 patient offers no benefit to the patient nor any advantage to other employees in assessing their exposure. If an employee tests positive, protocols, and guidelines for PUMs/PUIs would apply and, generally, would cover everyone.

7. The proper authority that does contact tracing is the DOH. It follows that the disclosure of the identity of the patient shall be limited to DOH personnel only, following the PUM/PUI protocol.

8. Announcements relating to an employee who is COVID-19 positive should come from the DOH or other appropriate government agencies. Thus, anyone, including employers, with relevant information, should immediately relay it to the DOH for proper handling.

It is well to note that the Department of Health (DOH) is empowered to require mandatory reporting of “emerging infectious diseases” as well as perform quarantine and isolation under the Republic Act 11332 or the “Law on Reporting of Communicable Diseases” to effectively centralize the processing of reported Covid-19 cases in the country.

RA 11332 was signed into law by the President in April 2019.

REPUBLIC ACT 11332, Section 9

Section 9 of the law prohibits:

  1. the unauthorized disclosure of private and confidential information pertaining to a patient’s medical condition or treatment
  2. tampering of records or intentionally providing misinformation;
  3. non-operation of the disease surveillance and response systems;
  4. non-cooperation of persons and entities that should report and/or respond to notifiable diseases or health events of public concern; and
  5. non-cooperation of the person or entities identified as having the notifiable disease or affected by the health event of public concern.

REPUBLIC ACT 11332, Section 10

Any person or entity found to have violated Section 9 of this Act shall be penalized with:

  1. a fine of not less than Twenty thousand pesos (PHP 20,000.00) but not more than Fifty thousand pesos (PHP 50,000.00)
  2. or imprisonment of not less than one (1) month but not more than six (6) months,
  3. or both such fine and imprisonment, at the discretion of the proper court

If the offense is committed by a public or private health facility, institution, agency, corporation, school, or other juridical entity duly organized in accordance with law, the chief executive officer, president, general manager, or such other officer in charge shall be held liable. In addition, the business permit and license to operate of the concerned facility, institution, agency, corporation, school, or legal entity shall be cancelled.

Hence, employers should adopt measures and policies which will comply with existing laws and regulations governing the collection and processing of personal data of their employees especially those who may be found infected with COVID-19.

Read the full text of NPC PHE Bulletin No. 3 here: